Often during pentests you end up with a non-tty shell, and there are certain commands you can't run in it. This can happen if you upload a reverse shell to a web server, so that the shell you get runs as the user www-data, or similar. These users are not meant to have shells, as they don't interact with the system the way humans do. So if you don't have a tty shell you can't run su, sudo, etc. This can be annoying if you manage to get a root password but can't use it. Here are some commands that will let you spawn a tty shell. Obviously some of this will depend on the system environment and installed packages. So, let's start with spawning an interactive reverse shell.
Shell Spawning
Python pty Module
python -c 'import pty; pty.spawn("/bin/sh")'
Perl
perl -e 'exec "/bin/sh";'
Simple Shells to Fully Interactive TTYs
1. Python to spawn a PTY
$ python -c 'import pty; pty.spawn("/bin/bash")'
or
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
2. Put the shell into the background with Ctrl-Z
$ Ctrl-Z
3. Examine the current terminal and STTY info and match it
# echo $TERM
# stty -a
The information needed is the TERM type (“xterm-256color”) and the size of the current TTY (“rows 37; columns 146”).
4. Set the current STTY to type raw and tell it to echo the input characters
# stty raw -echo
5. Foreground the shell with fg and re-open the shell with reset
# fg
$ reset
6. Set the stty size to match our current window
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows 37 columns 146
$ bash -i
7. Set PATH, TERM and SHELL if missing
$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ export TERM=xterm
$ export SHELL=bash
$ cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set
$ export PS1='[\u@\h \W]\$ '
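Seen from the defender's side, the Python and Perl one-liners above stand out in process-execution telemetry, because a service account such as www-data has no reason to start an interpreter that hands over a shell. The following is an added example, not part of the original page: the key=value record format, the service account list and the rule names are assumptions, and the sample records are constructed.

```python
import re
import shlex

# Accounts that run services and should never start an interactive shell (assumed list).
SERVICE_USERS = {"www-data", "apache", "nginx", "tomcat"}
SHELL_PATH = r"/bin/(?:ba|da|z)?sh"
# Rules built from the one-liners shown on this page (rule names are hypothetical).
PATTERNS = {
    "python-pty-spawn": re.compile(r"pty\.spawn\(\s*[\"']" + SHELL_PATH + r"[\"']\s*\)"),
    "perl-exec-shell": re.compile(r"\bexec\s+[\"']" + SHELL_PATH + r"[\"']"),
}
INTERPRETERS = re.compile(r"^(?:python[\d.]*|perl)$")

# Constructed process-execution records in an assumed key=value format.
SAMPLE = [
    r'''user=www-data parent=apache2 cmdline="python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"''',
    r'''user=www-data parent=sh cmdline="perl -e 'exec \"/bin/sh\";'"''',
    r'''user=alice parent=bash cmdline="python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"''',
    r'''user=www-data parent=apache2 cmdline="python3 /srv/app/worker.py"''',
]

def parse_record(line):
    """Parse one 'key=value' record into a dict; quoted values may contain spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))

def detect(line):
    """Return the names of the rules a record trips (empty list if none)."""
    rec = parse_record(line)
    argv = shlex.split(rec["cmdline"])
    exe = argv[0].rsplit("/", 1)[-1]  # basename of the executed binary
    # Only service accounts running a script interpreter are of interest here.
    if rec["user"] not in SERVICE_USERS or not INTERPRETERS.match(exe):
        return []
    script = " ".join(argv[1:])
    return [name for name, rx in PATTERNS.items() if rx.search(script)]

if __name__ == "__main__":
    for line in SAMPLE:
        hits = detect(line)
        print("ALERT" if hits else "ok   ", hits, parse_record(line)["cmdline"])
```

The third record is not flagged because alice is an interactive user, and the fourth because a service account running its own script is expected behaviour.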