Fully Interactive TTY (Linux)

Python

Once we get access to the victim machine, we proceed to stabilize the shell. First, we suspend the shell with Ctrl + Z, as follows:

tom@epsilon:/var/www/app$ ^Z
zsh: suspended  nc -lvnp 1235

Then type the following command (stty raw -echo; fg) to bring the shell back with terminal handling that allows us to, for example, delete a character. We will receive the message “continued”; after that, we type reset xterm to continue with the shell that was previously backgrounded:

stty raw -echo; fg
[1]  + continued  nc -lvnp 1235
                               reset xterm

Afterwards we’ll see that the shell is still pretty awkward to work with because its output is staggered. To fix this, python3 is always a great tool; run the following command:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Finally, modify some environment variables to get the same shell as on our attack machine, first looking at the current content of those variables:

echo $TERM
unknown
export TERM=xterm

echo $SHELL
/bin/zsh
export SHELL=/bin/bash

Examples: Epsilon [[Antique#^267c9b]]

Script /dev/null

First we run the following command:

SHELL=/bin/bash script -q /dev/null

Then, we need to Ctrl + Z the shell as follows:

root@smtp:/home# ^Z
zsh: suspended  nc -lvnp 443

Then type the following command (stty raw -echo; fg) to bring the shell back with terminal handling that allows us to, for example, delete a character. We will receive the message “continued”; after that, we type reset xterm to continue with the shell that was previously backgrounded:

stty raw -echo; fg
[1]  + continued  nc -lvnp 1235
                               reset xterm

Finally, export the environment variables with the following commands:

root@smtp:/home# export TERM=xterm
root@smtp:/home# export SHELL=bash

Examples: Tentacle
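
Seen from the defender's side, both upgrade methods above (python3 with pty.spawn, and script -q /dev/null) leave a recognisable command line in process-execution telemetry. The following is an added example, not part of the original post, that flags both; the event format `user|parent|command line`, the rule names and the sample events are constructed for illustration.

```python
import re
import shlex

# Constructed sample process-execution events (not from the page), in an
# assumed normalised form: "user|parent process|command line".
SAMPLE_EVENTS = [
    "tom|sh|python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "root|sh|script -q /dev/null",
    "alice|bash|script -q session.log",
    "bob|bash|python3 manage.py runserver",
    "www-data|sh|/usr/bin/script -q /dev/null",
]

def classify(cmdline):
    """Return the PTY-upgrade rule a command line matches, or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = cmdline.split()
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]  # compare on basename, not full path
    # Interpreter one-liner that allocates a PTY for a new shell.
    if re.fullmatch(r"python[\d.]*", prog) and "-c" in argv[:-1]:
        code = " ".join(argv[argv.index("-c") + 1:])
        if re.search(r"\bpty\s*\.\s*spawn\s*\(", code):
            return "python-pty-spawn"
    # script(1) with its typescript sent to /dev/null: PTY wanted, log discarded.
    if prog == "script" and "/dev/null" in argv[1:]:
        return "script-dev-null"
    return None

def detect(events):
    """Return a list of (user, parent, rule) for every matching event."""
    hits = []
    for line in events:
        user, parent, cmdline = line.split("|", 2)
        rule = classify(cmdline)
        if rule:
            hits.append((user, parent, rule))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

A hit is most meaningful when the user or parent is a service account or a non-interactive shell, since administrators rarely need either command from such a context.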