{"id":25836,"date":"2020-04-03T15:28:59","date_gmt":"2020-04-03T09:58:59","guid":{"rendered":"https:\/\/www.armourinfosec.com\/?p=25836"},"modified":"2020-04-06T17:44:36","modified_gmt":"2020-04-06T12:14:36","slug":"spawning-interactive-reverse-shell","status":"publish","type":"post","link":"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/","title":{"rendered":"Spawning Interactive Reverse Shell"},"content":{"rendered":"

Often during pentests, you\u00a0have a non-tty-shell<\/strong> there are certain commands and stuff you can’t do. This can happen if you upload reverse shells on a web server, so that the shell you get is by the user www-data, or similar. These users are not meant to have shells as they don’t interact with the system as humans do. So if you don’t have a tty-shell<\/strong> you can’t run su<\/code><\/strong>, sudo<\/code><\/strong> etc. This can be annoying if you manage to get a root password but you can’t use it. Here are some commands which will allow you to spawn a tty shell<\/strong>. Obviously some of this will depend on the system environment and installed packages. So, let’s start with Spawning Interactive Reverse Shell.<\/p>\n

Shell Spawning<\/strong><\/h2>\n

Python pty Module<\/p>\n

python -c 'import pty; pty.spawn(\"\/bin\/sh\")'<\/pre>\n
Perl<\/p>\n
perl -e 'exec \"\/bin\/sh\";'\r\n<\/pre>\n
Simple Shells to Fully Interactive TTYs<\/h3>\n
1. Python to spawn a PTY<\/p>\n
$ python -c 'import pty; pty.spawn(\"\/bin\/bash\")'\r\n        or\r\n$ python3 -c 'import pty; pty.spawn(\"\/bin\/bash\")'\r\n<\/pre>\n
2. Put the shell in to background with Ctrl-Z<\/p>\n
$ Ctrl-Z<\/pre>\n
3. Examine the current terminal and STTY info and match it<\/p>\n
# echo $TERM\r\n# stty -a<\/pre>\n
The information needed is the TERM type (\u201cxterm-256color\u201d<\/em>) and the size of the current TTY (\u201crows 37; columns 146\u201d<\/em>)<\/p>\n
4. Set the current STTY to type raw and tell it to echo the input characters<\/p>\n
 # stty raw -echo<\/pre>\n
5. Foreground the shell with fg and re-open the shell with reset<\/p>\n
# fg\r\n   reset<\/pre>\n
6. stty size to match our current window<\/p>\n
$ export SHELL=bash\r\n$ export TERM=xterm256-color\r\n$ stty rows 37 columns 146\r\n$ bash -i<\/pre>\n
7. Set PATH TERM and SHELL if missing<\/p>\n
$ export PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin\r\n$ export TERM=xterm\r\n$ export SHELL=bash\r\n$ cat \/etc\/profile; cat \/etc\/bashrc; cat ~\/.bash_profile; cat ~\/.bashrc; cat ~\/.bash_logout; env; set\r\n$ export PS1='[\\u@\\h \\W]\\$ '<\/pre>\n","protected":false},"excerpt":{"rendered":"
Often during pentests, you\u00a0have a non-tty-shell there are certain commands and stuff you can’t do. This can happen if you…<\/p>\n","protected":false},"author":1,"featured_media":846,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,90],"tags":[],"yoast_head":"\nSpawning Interactive Reverse Shell - Armour Infosec<\/title>\n<meta name=\"description\" content=\"Here are some commands which will allow you spawning a tty shell. So, let's start with Spawning Interactive Reverse Shell.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Spawning Interactive Reverse Shell - Armour Infosec\" \/>\n<meta property=\"og:description\" content=\"Here are some commands which will allow you spawning a tty shell. So, let's start with Spawning Interactive Reverse Shell.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/\" \/>\n<meta property=\"og:site_name\" content=\"Armour Infosec\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ArmourInfosec\" \/>\n<meta property=\"article:published_time\" content=\"2020-04-03T09:58:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-04-06T12:14:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2015\/08\/CH932.png\" \/>\n\t<meta property=\"og:image:width\" content=\"450\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Armour Infosec\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ArmourInfosec\" \/>\n<meta name=\"twitter:site\" content=\"@ArmourInfosec\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Armour Infosec\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/\",\"url\":\"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/\",\"name\":\"Spawning Interactive Reverse Shell - Armour Infosec\",\"isPartOf\":{\"@id\":\"https:\/\/www.armourinfosec.com\/#website\"},\"datePublished\":\"2020-04-03T09:58:59+00:00\",\"dateModified\":\"2020-04-06T12:14:36+00:00\",\"author\":{\"@id\":\"https:\/\/www.armourinfosec.com\/#\/schema\/person\/1d8ec30560e735c34fa5d464a1357308\"},\"description\":\"Here are some commands which will allow you spawning a tty shell. So, let's start with Spawning Interactive Reverse Shell.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.armourinfosec.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Spawning Interactive Reverse Shell\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.armourinfosec.com\/#website\",\"url\":\"https:\/\/www.armourinfosec.com\/\",\"name\":\"Armour Infosec\",\"description\":\"Do Your Part - Be Security Smart\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.armourinfosec.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.armourinfosec.com\/#\/schema\/person\/1d8ec30560e735c34fa5d464a1357308\",\"name\":\"Armour Infosec\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.armourinfosec.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/17f812901d8294702576e81ddce5aa92?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/17f812901d8294702576e81ddce5aa92?s=96&d=mm&r=g\",\"caption\":\"Armour Infosec\"},\"sameAs\":[\"https:\/\/www.armourinfosec.com\/\"],\"url\":\"https:\/\/www.armourinfosec.com\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Spawning Interactive Reverse Shell - Armour Infosec","description":"Here are some commands which will allow you spawning a tty shell. So, let's start with Spawning Interactive Reverse Shell.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/","og_locale":"en_US","og_type":"article","og_title":"Spawning Interactive Reverse Shell - Armour Infosec","og_description":"Here are some commands which will allow you spawning a tty shell. So, let's start with Spawning Interactive Reverse Shell.","og_url":"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/","og_site_name":"Armour Infosec","article_publisher":"https:\/\/www.facebook.com\/ArmourInfosec","article_published_time":"2020-04-03T09:58:59+00:00","article_modified_time":"2020-04-06T12:14:36+00:00","og_image":[{"width":450,"height":300,"url":"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2015\/08\/CH932.png","type":"image\/png"}],"author":"Armour Infosec","twitter_card":"summary_large_image","twitter_creator":"@ArmourInfosec","twitter_site":"@ArmourInfosec","twitter_misc":{"Written by":"Armour Infosec","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/","url":"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/","name":"Spawning Interactive Reverse Shell - Armour Infosec","isPartOf":{"@id":"https:\/\/www.armourinfosec.com\/#website"},"datePublished":"2020-04-03T09:58:59+00:00","dateModified":"2020-04-06T12:14:36+00:00","author":{"@id":"https:\/\/www.armourinfosec.com\/#\/schema\/person\/1d8ec30560e735c34fa5d464a1357308"},"description":"Here are some commands which will allow you spawning a tty shell. So, let's start with Spawning Interactive Reverse Shell.","breadcrumb":{"@id":"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.armourinfosec.com\/spawning-interactive-reverse-shell\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.armourinfosec.com\/"},{"@type":"ListItem","position":2,"name":"Spawning Interactive Reverse Shell"}]},{"@type":"WebSite","@id":"https:\/\/www.armourinfosec.com\/#website","url":"https:\/\/www.armourinfosec.com\/","name":"Armour Infosec","description":"Do Your Part - Be Security Smart","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.armourinfosec.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.armourinfosec.com\/#\/schema\/person\/1d8ec30560e735c34fa5d464a1357308","name":"Armour Infosec","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.armourinfosec.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/17f812901d8294702576e81ddce5aa92?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/17f812901d8294702576e81ddce5aa92?s=96&d=mm&r=g","caption":"Armour Infosec"},"sameAs":["https:\/\/www.armourinfosec.com\/"],"url":"https:\/\/www.armourinfosec.com\/author\/admin\/"}]}},"menu_order":0,"_links":{"self":[{"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/posts\/25836"}],"collection":[{"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/comments?post=25836"}],"version-history":[{"count":0,"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/posts\/25836\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/media\/846"}],"wp:attachment":[{"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/media?parent=25836"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/categories?post=25836"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/tags?post=25836"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}