Reverse shell. Strange characters when pressing ESC, arrow, etc. '^[[A'

Hi guys,

I realised that I have a problem when I am working on a reverse shell. Some keys are not working as expected and are sending strange characters to the shell instead of their usual behaviour in a usual terminal on Linux. This is only happening on reverse shells.

For example, when I press [UP ARROW] it writes ^[[A on the terminal.

OS: Kali Linux
Terminal: Native Linux terminal.

I googled for it but nothing.

Why is this happening?

Thank you very much!

The simple explanation is normally, when you press up, your shell captures that keystroke and does the appropriate action. In a reverse shell, NC is set to (for whatever reason) send that escape sequence when you press up.

@clubby789 said:

Upgrading Simple Shells to Fully Interactive TTYs - ropnop blog
The simple explanation is normally, when you press up, your shell captures that keystroke and does the appropriate action. In a reverse shell, NC is set to (for whatever reason) send that escape sequence when you press up.

Yeah, I have always been a fan of:
python -c 'import pty; pty.spawn("/bin/bash")'
or
python3 -c 'import pty; pty.spawn("/bin/bash")'

:slight_smile:

Thank you very much! I supposed it could be something related to that.

@mfvazquezr said:

Thank you very much! I supposed it could be something related to that.

I am 99.99999999999% confident it is this.

If it wasn’t, it wouldn’t only happen on reverse shells.

rlwrap nc -lvnp 7777 (or whichever port you like)

adds a little bit of comfort to your netcat reverse shell.

python … spawn … is great, but if there is no python on client’s machine, upload a static socat binary and establish a socat shell, google for ropnop socat upgrade if you need more details.

That’s just how ‘dumb’ rev shells work. If you want a fully interactive shell you’re gonna have to upgrade it with:

python -c 'import pty; pty.spawn("/bin/bash")'

or

python3 -c 'import pty; pty.spawn("/bin/bash")'

And then the standard:

Ctrl+Z
stty raw -echo
fg
reset
xterm-256color
export TERM=xterm
export SHELL=bash

and then set the correct terminal dimensions

Hi everyone.
I can’t upgrade simple shells to a fully interactive shell.
Python, Perl, and socat are not installed on the target machine.
Binary files cannot be run.
When I try to use this method:
Ctrl+Z
stty raw -echo
fg
reset
xterm-256color
export TERM=xterm
export SHELL=bash

Then after returning to the reverse shell session (using the “fg” command), I can only type text, but the ‘enter’ key does not work.
Perhaps someone has encountered such a situation; I would be very grateful for any advice.
Also, taking this opportunity, I would like to ask about a way to elevate rights using unix2dos, which has a SETUID bit.
Thank you so much in advance for your help)
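
Where `^[[A` comes from, and why Enter changes after `stty raw -echo`, as an added example that is not part of the thread: it types the Up-arrow bytes into a local pty in cooked mode and then in raw mode, and reports what the tty layer echoes and what a reader such as `nc` would receive. The helper names `type_keys` and `_drain` are made up for this sketch; it assumes Linux and Python 3.9+.

```python
import os
import pty
import select
import termios
import tty

UP_ARROW = b"\x1b[A"  # bytes an xterm-style terminal sends for the Up key
ENTER = b"\r"         # byte the Enter key sends

def _drain(fd: int) -> bytes:
    """Read whatever becomes available on fd within a short timeout."""
    data = b""
    while select.select([fd], [], [], 0.3)[0]:
        data += os.read(fd, 64)
    return data

def type_keys(keys: bytes, raw: bool) -> tuple[bytes, bytes]:
    """Type keys into a fresh pty.

    Returns (echoed, delivered): what the tty layer echoes to the screen and
    what a program reading the terminal (nc on the listener side) receives.
    """
    master, slave = pty.openpty()
    try:
        attrs = termios.tcgetattr(slave)
        # Cooked mode with echo: the state of a default interactive terminal.
        attrs[0] |= termios.ICRNL
        attrs[1] |= termios.OPOST | termios.ONLCR
        attrs[3] |= termios.ICANON | termios.ECHO | termios.ECHOCTL
        termios.tcsetattr(slave, termios.TCSANOW, attrs)
        if raw:
            tty.setraw(slave)  # what `stty raw -echo` does to the terminal
        os.write(master, keys)
        return _drain(master), _drain(slave)
    finally:
        os.close(master)
        os.close(slave)

if __name__ == "__main__":
    for raw in (False, True):
        for keys in (UP_ARROW, UP_ARROW + ENTER):
            print(f"raw={raw} keys={keys!r} -> {type_keys(keys, raw)!r}")
```

In cooked mode the escape sequence is echoed as `^[[A` and held back until Enter; in raw mode it passes straight through unechoed, and Enter is delivered as a carriage return instead of a newline.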

@3TON said:

Hi everyone.
I can’t upgrade simple shells to a fully interactive shell.
Python, Perl, and socat are not installed on the target machine.
Binary files cannot be run.
When I try to use this method:
Ctrl+Z
stty raw -echo
fg
reset
xterm-256color
export TERM=xterm
export SHELL=bash

Then after returning to the reverse shell session (using the “fg” command), I can only type text, but the ‘enter’ key does not work.
Perhaps someone has encountered such a situation; I would be very grateful for any advice.

I’ve found that shell upgrades can be a bit temperamental. Not every box facilitates them because it can be down to a lot of factors.

Most of the time I find it's quicker to just work with a less than perfect shell.

Also, taking this opportunity, I would like to ask about a way to elevate rights using unix2dos, which has a SETUID bit.

Normally if something has SETUID set and runs as root it's a case of working out what it does, then subverting that to get it to give you root access. If that binary is a text file converter you might be able to use it to read content that is otherwise restricted - for example: root flags; shadow files etc.

TazWake, thank you for your answer.
I will listen to him and will not waste time on switching to a full-fledged shell, but will work from a simple shell.
I also thank you for your advice on dos2unix.
I was looking for the ability to transfer control to another program or write inaccessible files, and did not pay attention to the ability to read the file at all)

@3TON said:

TazWake, thank you for your answer.
I will listen to him and will not waste time on switching to a full-fledged shell, but will work from a simple shell.
I also thank you for your advice on dos2unix.
I was looking for the ability to transfer control to another program or write inaccessible files, and did not pay attention to the ability to read the file at all)

Just to be clear, there is no guarantee my suggestion will work. If it is a CTF then it is likely that the creator has configured things in a specific way that may, or may not, include that approach.

It's always worth trying things though.