In some of our pentesting assessments we have obtained a reverse shell as the result of running an exploit. As pentesters this is one of the goals we pursue when assessing a system, since it gives us access to the OS. Most of the time (when we are not using Metasploit for this task) we get a non-interactive shell, meaning that some actions are not feasible, such as running commands like su. This makes our lives a little more complicated, as these shells are very limited and lack full functionality.
With python
The easiest way to accomplish this is with Python, although there are other ways to get an interactive shell. The first thing we are going to do is spawn an interactive shell using the command:
python -c "import pty; pty.spawn('/bin/bash')"
In some cases this command alone would be enough, but we can still upgrade our shell. Let’s set the TERM variable to xterm to get better compatibility and some colors.
export TERM=xterm
Finally, let’s hand our keyboard input over to the remote shell. Press CTRL+Z to put the reverse shell in the background, then switch the local terminal to raw mode with echo disabled and bring the shell back to the foreground. In raw mode, control sequences such as CTRL+C, tab and the arrow keys are forwarded to the remote shell instead of being handled by our local terminal, and -echo stops every character being printed twice.
[CTRL+z]
stty raw -echo;fg
With the script command
And what happens if there is no Python installed? Well, there are other alternatives, like the script command.
script -q /dev/null
Here -q tells script to run in quiet mode, and its positional argument, the typescript file, is /dev/null, as we don’t want our commands to be stored in a log file. script allocates a pseudo-terminal and starts a shell inside it, so now we can execute the bash command.
bash
And finally, just as we did with the Python method, we put the shell in the background and use stty to have our keystrokes sent through.
[CTRL+z]
stty raw -echo;fg
Final concerns
It is always a good idea to upgrade our reverse shell. For example, it is easier to run mysql commands directly in the database client than in a one-liner. Also, commands like su that need interaction with the user become feasible, so privesc is now an option.
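Seen from the defender’s side, both upgrade paths above (pty.spawn, script writing to /dev/null, stty raw -echo, and a shell whose parent is a network tool or interpreter) leave a recognisable trail in process-execution telemetry. The following is an added example written for this page, not code from the original post: the record format is constructed for the example and is not real auditd output, and the set of unexpected shell parents is an assumption to be tuned per host.

```python
import re
from dataclasses import dataclass

# Constructed process-execution records (not real auditd output): one exec per
# line, with the parent's command name and the full command line after "cmd=".
SAMPLE_LOG = """\
pid=4021 ppid=4010 comm=python3 pcomm=nc cmd=python -c import pty; pty.spawn('/bin/bash')
pid=4022 ppid=4021 comm=bash pcomm=python3 cmd=/bin/bash
pid=4025 ppid=4022 comm=stty pcomm=bash cmd=stty raw -echo
pid=4100 ppid=4099 comm=script pcomm=sh cmd=script -q /dev/null
pid=5000 ppid=1 comm=bash pcomm=sshd cmd=-bash
pid=5010 ppid=5000 comm=python3 pcomm=bash cmd=python3 manage.py runserver
"""
# Command lines matching the TTY-upgrade steps described in the post.
TTY_UPGRADE_RULES = {
    "python_pty_spawn": re.compile(r"\bpty\.spawn\s*\("),
    "script_to_devnull": re.compile(r"^script\b.*\s/dev/null\b"),
    "stty_raw_noecho": re.compile(r"^stty\b.*\braw\b.*\s-echo\b"),
}
SHELLS = {"sh", "bash", "dash", "zsh"}
# Assumed set of parents that should not normally spawn an interactive shell;
# tune per host (python3 will be noisy on developer machines).
UNEXPECTED_SHELL_PARENTS = {"nc", "ncat", "socat", "python3", "perl", "php",
                            "java", "node", "apache2", "nginx"}

@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    cmd: str

def parse_record(line):
    """Split 'k=v k=v cmd=<rest>' into a dict; all text after cmd= is the command."""
    head, _, cmd = line.partition(" cmd=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["cmd"] = cmd
    return fields

def scan(log_text):
    """Return one Finding per matched rule, in log order."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        pid = int(rec["pid"])
        for rule, pattern in TTY_UPGRADE_RULES.items():
            if pattern.search(rec["cmd"]):
                findings.append(Finding(pid, rule, rec["cmd"]))
        # A shell spawned by a network tool or interpreter is the reverse-shell shape itself.
        if rec["comm"] in SHELLS and rec["pcomm"] in UNEXPECTED_SHELL_PARENTS:
            findings.append(Finding(pid, "shell_from_unexpected_parent", rec["cmd"]))
    return findings
```

Run against the constructed sample, the scan flags the four upgrade-related records and leaves the sshd login and the Django server untouched.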
Remember to check our blog every now and then; you can find it on our homepage.