Full TTYs
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Deepen your expertise in Mobile Security with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
Note that the shell you set in the SHELL
variable must be listed inside /etc/shells or The value for the SHELL variable was not found in the /etc/shells file This incident has been reported
. Also, note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running bash
.
You can get the number of rows and columns executing stty -a
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
script -qc /bin/bash /dev/null
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
IRB: exec "/bin/sh"
vi: :!bash
vi: :set shell=/bin/bash:shell
nmap: !sh
A convenient way for interactive shell access, as well as file transfers and port forwarding, is dropping the statically-linked ssh server ReverseSSH onto the target.
Below is an example for x86
with upx-compressed binaries. For other binaries, check releases page.
Prepare locally to catch the ssh port forwarding request:
(2a) Linux target:
(2b) Windows 10 target (for earlier versions, check project readme):
If the ReverseSSH port forwarding request was successful, you should now be able to log in with the default password letmeinbrudipls
in the context of the user running reverse-ssh(.exe)
:
Penelope automatically upgrades Linux reverse shells to TTY, handles the terminal size, logs everything and much more. Also it provides readline support for Windows shells.
If for some reason you cannot obtain a full TTY you still can interact with programs that expect user input. In the following example, the password is passed to sudo
to read a file:
Deepen your expertise in Mobile Security with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)