Spawning a TTY Shell

When you obtain a reverse shell with a Netcat listener, it is non-interactive by default: you cannot use keyboard shortcuts or special characters such as Tab.

It is quite simple to work around. For starters, run the following in your shell:

python -c 'import pty;pty.spawn("/bin/bash");'

to obtain a partially interactive bash shell.

After that, press CTRL+Z to background Netcat. Enter stty raw -echo in your terminal, which tells your terminal to pass keyboard shortcuts and special characters through. Once that is done, run the command fg to bring Netcat back to the foreground. Note that after you change the stty setting you will not see what you are typing in your terminal. You should now have tab autocompletion and be able to use interactive commands such as su and nano.

Often during penetration tests you may obtain a shell without a TTY, yet wish to interact further with the system. Here are some commands which will allow you to spawn a TTY shell. Obviously which of these work will depend on the system environment and installed packages.

Shell Spawning

python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import os; os.system("/bin/bash")'
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
(from within IRB)
exec "/bin/sh"
(from within vi)
:!bash
(from within vi)
:set shell=/bin/bash
:shell
(from within Nmap)
!sh

Many of these will also let you escape restricted (jail) shells. The top three are generally the ones I have had the most success with when spawning from the command line.

Editors

One of the best-documented techniques is to spawn a shell from within an editor such as vi or vim. Open any file in one of these editors, then type the following and execute it from within the editor:

:set shell=/bin/bash

Next, type and execute:

:shell

Another method is to type:

:! /bin/bash

If either of these works, you will have an unrestricted shell from within the editor.
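The commands in the Shell Spawning list and the editor escapes above all leave the same footprint on the host: either an interpreter one-liner that hands control to a shell, a shell started with -i, or a shell whose parent is a program that does not normally launch one (vi, vim, irb, nmap). The following detection script is an added example, not code from the original page. It scans process-creation records in a constructed, simplified tab-separated format (pid, ppid, parent comm, command line; real auditd or EDR output differs and must be mapped to these fields) and flags both patterns over a set of constructed sample records that mirror the commands listed on this page.

```python
"""Detection-side companion to the shell-spawning commands on this page.

Added example, not from the original page. Record format is assumed:
pid<TAB>ppid<TAB>parent comm<TAB>command line. Two checks are applied:

  1. an interpreter one-liner that hands control to a shell (python
     pty.spawn / os.system, perl or ruby exec, lua os.execute), or a
     shell started with -i;
  2. a shell whose parent is an editor, interpreter or tool that does
     not normally launch one, which is how the "from within vi" and
     "from within Nmap" escapes surface to a process monitor.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh"}

# Parents from which a child shell deserves a look; taken from the escapes
# documented on this page. Extend for your own environment.
SUSPICIOUS_PARENTS = {"vi", "vim", "irb", "ruby", "perl", "python", "python3", "lua", "nmap"}

# Regexes written against the one-liners listed on this page.
ONE_LINER_RULES = [
    ("python-pty-spawn", re.compile(r"\bpython[\d.]*\b.*\bpty\.spawn\(")),
    ("python-os-system", re.compile(r"\bpython[\d.]*\b.*\bos\.system\(")),
    ("perl-exec-shell", re.compile(r"\bperl\b.*\bexec\s*\(?\s*[\"']/bin/")),
    ("ruby-exec-shell", re.compile(r"\bruby\b.*\bexec\s*\(?\s*[\"']/bin/")),
    ("lua-os-execute", re.compile(r"\blua[\d.]*\b.*\bos\.execute\(")),
    ("shell-interactive-flag", re.compile(r"(^|/|\s)(sh|bash|dash)\s+-i\b")),
]


@dataclass
class Finding:
    pid: int
    ppid: int
    parent: str
    rule: str
    cmdline: str


def parse_record(line: str):
    """Split one constructed record: pid<TAB>ppid<TAB>parent<TAB>cmdline."""
    pid, ppid, parent, cmdline = line.rstrip("\n").split("\t", 3)
    return int(pid), int(ppid), parent, cmdline


def exe_basename(cmdline: str) -> str:
    """Program being executed, e.g. '/bin/bash -c bash' -> 'bash'."""
    parts = cmdline.split(None, 1)
    return os.path.basename(parts[0]) if parts else ""


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per (record, rule) pair that matches."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        pid, ppid, parent, cmdline = parse_record(line)
        for name, pattern in ONE_LINER_RULES:
            if pattern.search(cmdline):
                findings.append(Finding(pid, ppid, parent, name, cmdline))
        # A shell whose parent is an editor/interpreter/nmap: the child of
        # ":!bash", ":shell", "!sh" or pty.spawn looks like this.
        if exe_basename(cmdline) in SHELL_NAMES and parent in SUSPICIOUS_PARENTS:
            findings.append(Finding(pid, ppid, parent, f"shell-from-{parent}", cmdline))
    return findings


def flagged_pids(lines: Iterable[str]) -> Set[int]:
    return {f.pid for f in scan(lines)}


# Constructed sample records, not real logs. The first eight mirror the
# commands listed on this page; the last three are ordinary activity.
SAMPLE_LOG = ["\t".join(r) for r in [
    ("4101", "4077", "sh",     "python -c 'import pty; pty.spawn(\"/bin/bash\")'"),
    ("4102", "4101", "python", "/bin/bash"),
    ("4130", "4077", "sh",     "perl -e 'exec \"/bin/sh\";'"),
    ("4140", "4077", "sh",     "ruby -e 'exec \"/bin/sh\"'"),
    ("4145", "4077", "sh",     "lua -e 'os.execute(\"/bin/sh\")'"),
    ("4151", "4120", "vim",    "/bin/bash -c bash"),
    ("4160", "4155", "nmap",   "sh"),
    ("4170", "4077", "sh",     "/bin/sh -i"),
    ("9001", "812",  "sshd",   "/bin/bash"),
    ("9002", "9001", "bash",   "python3 -c 'print(1+1)'"),
    ("9003", "9001", "bash",   "vim notes.txt"),
]]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"pid={f.pid} parent={f.parent} rule={f.rule} cmd={f.cmdline!r}")
```

The parent-based rule is the more robust of the two, because it does not depend on the exact spelling of the one-liner; the regex rules are cheap to add but easy to evade with trivial rewording. On the mitigation side, vim started as rvim or with the -Z flag runs in restricted mode and refuses :!, :shell and other commands that use an external shell, which removes the editor escape documented above for users who must be confined to an editor.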
