Spawning Interactive Reverse Shell

Often during pentests you end up with a non-tty shell, and there are certain commands you can't run from it. This typically happens when you upload a reverse shell to a web server: the shell you get runs as www-data or a similar account. These users are not meant to have shells, as they don't interact with the system the way humans do. So without a tty shell you can't run su, sudo and the like, which is annoying if you have obtained a root password but can't use it. Below are some commands that will let you spawn a tty shell. Obviously some of this depends on the system environment and the installed packages. So, let's start with spawning an interactive reverse shell.

Shell Spawning

Python pty Module

python -c 'import pty; pty.spawn("/bin/sh")'

Perl

perl -e 'exec "/bin/sh";'

Simple Shells to Fully Interactive TTYs

1. Python to spawn a PTY

$ python -c 'import pty; pty.spawn("/bin/bash")'
        or
$ python3 -c 'import pty; pty.spawn("/bin/bash")'

2. Put the shell in to background with Ctrl-Z

$ Ctrl-Z

3. Examine the current terminal and STTY info and match it

# echo $TERM
# stty -a

The information needed is the TERM type (“xterm-256color”) and the size of the current TTY (“rows 37; columns 146”)

4. Set the current STTY to raw mode with local echo turned off

# stty raw -echo

5. Foreground the shell with fg and re-open the shell with reset

# fg
   reset

6. Set the stty size to match our current window

$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows 37 columns 146
$ bash -i

7. Set PATH, TERM and SHELL if missing

$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ export TERM=xterm
$ export SHELL=bash
$ cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set
$ export PS1='[\u@\h \W]\$ '
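Every step above leaves a distinctive process-execution trail (a web-server account running python with pty.spawn, perl exec'ing /bin/sh, stty raw, bash -i), which is what a host agent or auditd execve logging should be alerting on. The following is an added example, not part of the original post: a small Python triage routine that flags those patterns in constructed process records. The record fields `user` and `cmd` and the service-account list are assumptions for the example.

```python
import re

# Constructed sample process-execution records (not real logs): the fields a
# host agent or an auditd SYSCALL/EXECVE pair would give you after normalisation.
SAMPLE_EVENTS = [
    {"user": "www-data", "cmd": "sh -c id"},
    {"user": "www-data", "cmd": "python -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"user": "www-data", "cmd": "perl -e 'exec \"/bin/sh\";'"},
    {"user": "www-data", "cmd": "stty raw -echo"},
    {"user": "www-data", "cmd": "bash -i"},
    {"user": "alice", "cmd": "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"user": "deploy", "cmd": "python3 /opt/app/report.py"},
]

# Service accounts that have no business running an interactive shell
# (assumed list; tune it to the hosts you monitor).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

# Patterns matching the TTY-upgrade commands discussed on this page.
PTY_SPAWN = re.compile(r"import\s+pty.*pty\.spawn\s*\(")      # python pty module
PERL_EXEC_SHELL = re.compile(r"exec\s+\"?/bin/(ba)?sh")        # perl -e 'exec "/bin/sh"'
INTERACTIVE_SHELL = re.compile(r"^(bash|sh)\s+-i\b")           # bash -i after the upgrade


def classify(event):
    """Return the detections for one process record plus a severity.

    Severity is 'high' when a service account runs one of these commands,
    'medium' for a human user (could be legitimate admin work), 'info' otherwise.
    """
    cmd = event["cmd"]
    hits = []
    if PTY_SPAWN.search(cmd):
        hits.append("python_pty_spawn")
    if cmd.startswith("perl") and PERL_EXEC_SHELL.search(cmd):
        hits.append("perl_exec_shell")
    if INTERACTIVE_SHELL.match(cmd):
        hits.append("interactive_shell")
    if cmd.startswith("stty raw"):
        hits.append("stty_raw")
    severity = "info"
    if hits:
        severity = "high" if event["user"] in SERVICE_ACCOUNTS else "medium"
    return {"user": event["user"], "cmd": cmd, "hits": hits, "severity": severity}


def scan(events):
    """Run classify() over a batch of records and keep only the findings."""
    return [c for c in (classify(e) for e in events) if c["hits"]]
```

Run `scan(SAMPLE_EVENTS)` to see five findings: four rated high for www-data and one medium for the human user.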
