Try to get an interactive shell
/bin/bash -i
/bin/sh -i
Try to get a root bash (only works if the current user has sudo rights; with no tty, sudo cannot read a password and fails instead of prompting)
sudo -u root /bin/bash
List shells available
chsh -l
cat /etc/shells
Technique 1:
Upgrading shell
- Uses Python to spawn a better-featured bash shell; #flashcard
python3 -c 'import pty;pty.spawn("/bin/bash")'
Some targets only ship python or python2; replace python3 with whichever interpreter is actually present on the target.
- Gives access to terminal commands such as clear. #flashcard
export TERM=xterm
- Background the shell with Ctrl + Z, then, in your own terminal, run. #flashcard
stty raw -echo; fg
This does two things:
- First, it puts your own terminal into raw mode and turns off local echo, so keystrokes such as Tab, the arrow keys and Ctrl + C are passed straight through to the remote shell instead of being handled locally (tab autocompletion works, and Ctrl + C kills the remote process rather than your listener).
- Then fg foregrounds the listener, completing the process.
- Note that if the shell dies, anything you type in your own terminal will not be visible (your terminal is still in raw mode with echo disabled). To fix this, type reset and press Enter.
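The interpreter-selection step above, as an added example that is not part of the original notes: a few POSIX sh functions meant to be pasted into the dumb reverse shell on the target. They pick the first Python that exists, set TERM, and run the pty.spawn one-liner. The function names, and the fallback to `script -qc` when no Python is present, are my additions, not something the notes describe.

```shell
# Added example (not from the original notes): upgrade a dumb shell with
# whichever Python interpreter the target actually has.

# Print the first command from the argument list that exists on PATH;
# return 1 if none of them does.
pick_interpreter() {
    for candidate in "$@"; do
        if command -v "$candidate" >/dev/null 2>&1; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Build the pty.spawn one-liner for a given interpreter and shell path
# (defaults to /bin/bash), e.g. python2 -c 'import pty;pty.spawn("/bin/bash")'.
pty_spawn_cmd() {
    interp="$1"
    target_shell="${2:-/bin/bash}"
    printf "%s -c 'import pty;pty.spawn(\"%s\")'\n" "$interp" "$target_shell"
}

# Paste-and-run helper for the reverse shell: try python3, then python,
# then python2; set TERM first so the spawned shell inherits it.
# Falls back to script(1) if no Python exists (fallback is an assumption,
# not part of the notes).
upgrade_shell() {
    target_shell="${1:-/bin/bash}"
    export TERM=xterm
    if interp=$(pick_interpreter python3 python python2); then
        eval "$(pty_spawn_cmd "$interp" "$target_shell")"
    elif command -v script >/dev/null 2>&1; then
        script -qc "$target_shell" /dev/null
    else
        echo "no python or script binary found; cannot spawn a pty" >&2
        return 1
    fi
}
```

After `upgrade_shell` returns you a pty, continue with Ctrl + Z and `stty raw -echo; fg` on your own terminal exactly as described above.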
Technique 2:
- Rlwrap is a program which, in simple terms, gives us access to history, tab autocompletion and the arrow keys immediately upon receiving a shell.
Launch an r*** listener #flashcard
rlwrap nc -lnvp <port>
- Particularly useful when dealing with Windows shells, where the Python pty trick is not available.
- With a Linux target, an rlwrap shell can be stabilised completely in the same way as Technique 1: background it with Ctrl + Z, then run
stty raw -echo; fg
Technique 3: Socat
Technique 4: SSH
- On your own machine, read the current terminal size from stty (look for the rows and columns values on the first line):
stty -a
- Next, in the reverse/bind shell, set the same size so that full-screen programs such as text editors render correctly:
stty rows <number>
and
stty cols <number>
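The size-fixing step above, as an added example that is not part of the original notes: shell functions run on the attacking machine that parse the first line of `stty -a` and print the single `stty rows N cols M` command to paste into the reverse shell. Function names and the two sample `stty -a` lines are my own constructions; the GNU format ("rows 50; columns 200;") and the BSD/macOS format ("50 rows; 200 columns;") are both handled.

```shell
# Added example (not from the original notes): turn the first line of
# `stty -a` on the attacking machine into the command to paste into the
# reverse/bind shell.

# Constructed sample lines in the two formats `stty -a` produces.
SAMPLE_STTY_GNU='speed 38400 baud; rows 50; columns 200; line = 0;'
SAMPLE_STTY_BSD='speed 9600 baud; 50 rows; 200 columns;'

# Print "<rows> <cols>" extracted from one `stty -a` line.
# GNU: the number follows the keyword ("rows 50;").
# BSD: the number precedes the keyword and the keyword carries the ';' ("50 rows;").
stty_size() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "rows")     rows = $(i+1)
                if ($i == "rows;")    rows = $(i-1)
                if ($i == "columns")  cols = $(i+1)
                if ($i == "columns;") cols = $(i-1)
            }
        }
        END {
            gsub(/;/, "", rows); gsub(/;/, "", cols)
            print rows, cols
        }'
}

# Print the command to run inside the reverse shell.
stty_fix_cmd() {
    set -- $(stty_size "$1")
    printf 'stty rows %s cols %s\n' "$1" "$2"
}

# Real usage on the attacking machine (needs an actual terminal):
#   stty_fix_cmd "$(stty -a | head -n 1)"
```

On Linux and macOS `stty size` already prints "rows cols" directly, so the parsing only matters if you are working from the `stty -a` output the notes refer to; the command it emits is the same either way.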