Reverse shell

Compromising a machine requires both a working exploit and a working shell in which to execute commands. That shell need not be truly interactive (yet).

  • A shell is an intermediary between a user and the kernel: it gives the user an interface through which the kernel's services can be reached. A system with a public IP can be connected to directly and possibly exploited.
  • A shell (cmd.exe or /bin/bash) can be bound to a specific port on a system, where it listens for connections. When the port number and the other details are known, that machine can be connected to: it acts as the server, and the local machine that connects to it is called the client.
  • Conversely, a machine with a private IP can send a shell out to a machine with a public IP that listens for connections (and so acts as the server). The machine that sent the shell is the client. This is a reverse shell.
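Both shells described above leave the same host-side artifact: a shell process whose standard streams are a network socket rather than a terminal. As an added detection example (not part of the original page), the check below flags that pattern in a snapshot of /proc; the helper names, the SHELL_NAMES list and the SAMPLE data are assumptions, not values from the page.

```python
"""Flag processes whose stdin and stdout are network sockets (added detection example).
A bind shell and a reverse shell differ only in who connects to whom; on the host both
end up as a shell whose fds 0/1/2 are a socket ("socket:[inode]" in /proc/<pid>/fd/N)."""
import os
import re

SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "ash", "busybox"}  # assumed list
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")


def socket_stdio(fds):
    """Return which standard fds (0/1/2) point at a socket."""
    return [fd for fd in (0, 1, 2) if SOCKET_RE.match(fds.get(fd, ""))]


def flag_processes(procs):
    """procs: iterable of (pid, comm, {fd: link_target}) -> [(pid, comm, fds, severity)].
    Both stdin and stdout must be sockets (systemd services have only stdout/stderr on
    journald's socket). A renamed shell keeps the pattern, so unknown names get 'review'."""
    hits = []
    for pid, comm, fds in procs:
        socks = socket_stdio(fds)
        if 0 in socks and 1 in socks:
            severity = "high" if comm in SHELL_NAMES else "review"
            hits.append((pid, comm, socks, severity))
    return hits


def read_procfs(proc="/proc"):
    """Snapshot (pid, comm, fds) from a live Linux /proc, skipping unreadable pids."""
    procs = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as fh:
                comm = fh.read().strip()
            fds = {fd: os.readlink(f"{proc}/{pid}/fd/{fd}") for fd in (0, 1, 2)
                   if os.path.lexists(f"{proc}/{pid}/fd/{fd}")}
        except OSError:
            continue  # process exited, or is not ours to inspect
        procs.append((int(pid), comm, fds))
    return procs


# Constructed sample snapshot (not taken from a real host).
SAMPLE = [
    (1200, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),  # login shell
    (2314, "nginx", {0: "/dev/null", 1: "socket:[4201]", 2: "socket:[4201]"}),  # journald
    (3001, "sh", {0: "socket:[88123]", 1: "socket:[88123]", 2: "socket:[88123]"}),
    (3002, "backup", {0: "socket:[88999]", 1: "socket:[88999]", 2: "/dev/null"}),
]
```

On a live Linux host, `flag_processes(read_procfs())` runs the same check against the real process table; ordinary daemons logging to journald produce no hits because their stdin is not a socket.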

Creating an interactive shell on a remote machine can be done in several ways. One possibility is to try to upload a script or binary to the remote machine in order to have it send a shell to a small public VPS. Binding a shell to a TCP port may take a bit of extra effort when all available ports have been taken already.

Many articles mention netcat's -e option (only available in builds compiled with GAPING_SECURITY_HOLE), and that is certainly worth a try, but most sensible administrators have disabled it. Alternatively, try a reverse shell with bash (this did not work on a remote machine running Debian, but apparently does on Ubuntu), or perhaps try something completely different.

  • The options for creating a reverse shell with a script are, of course, limited by the scripting languages installed on the remote system and by their configurations.
  • A connection can be cut when the server times out the script; run it as a daemon instead.
  • Use exec instead of system where possible to minimise the chances of discovery, and rename /bin/sh -i.
  • Pick a port that’s allowed through the firewall, if any.
  • If the only regions on the remote machine's disk to which you have write access are mounted with the noexec option, a binary won't run there.