QB 10 – Half Shells and Full Shells

QB 10 – Half Shells and Full Shells
Aaron Moss
Author: Aaron Moss
Share:

I wanted to share a really cool technique that I found out about recently.  Now I will say this is probably more useful to other pentesters than anyone else, but I love sharing information like this when I get a chance.  I learned about this technique when working through a retired HackTheBox (HTB) system (Broker) and watching some YouTube videos on attacking it.  If you’re not familiar with HTB, check out Quick Bites 9 for more information.  It’s a great platform for attacking all sorts of different types of system setups and software, and helps us pentesters to hone our skills.  And big thanks to IppSec for creating the video. 🙂

If you’re like me, you’ve been on tests before where, after hours of recon and research, you finally find a way to exploit an elusive vulnerability, compromise a system, and are granted with that amazing feeling of popping that shell.  But then, after working in the shell for a bit, you go to find a previous command by hitting the up button, or simply hit a backspace, and you’re greeted with the oh-so-irritating control characters of ^A,^D,^H, etc.  There’s something about seeing those characters pop up on the screen that just dampens the exhilaration of popping that shell, right? 

No? Just me? 

Anyway…when I first learned about this great new (to me) technique to upgrade that simple shell, let’s call it a half shell, into a FULL shell, I had to try it out and share with others. The best part? It’s super quick with minimal commands. Let’s take a look. 

Below is a screenshot of a Netcat listener on TCP 9001.  The listener is on my device, waiting for something to come connect to that port.  When I trigger an exploit containing a reverse shell, the system I am attacking reaches out and connects to that Netcat listener. 

Netcat listener on TCP 9001

Now, this shell is a simple bash shell (or half shell), and we can run commands in it which is good. But it doesn’t respond as if we’re sitting directly at the terminal, which would be better. Notice the control characters when pressing the keyboard up, down, left and right keys. 

simple bash shell not responding

I love getting a shell on a system, but this is still annoying. How do we fix it? Simple!! 

There's no trick to it, it's just a simple trick.

First, spin up a pseudo-terminal (PTY) of your choice in the half shell. I prefer to use Python3 for this. 

python3 -c ‘import pty; pty.spawn(“/bin/bash”);’

Then, while in the active half shell, suspend it with Control+z

Suspended active half shell using Control+z

Once the Netcat process has been suspended, use stty (a *nix utility that changes terminal line settings) to change the settings to raw mode (meaning what is sent should be exactly what is received), adding the -echo switch will echo the input characters being submitted. Then bring the Netcat process back to the foreground with fg

Here’s the command: 

stty raw -echo; fg

Netcat shell

Now that you’re back in the Netcat shell, export the TERM variable to xterm

export TERM=xterm

Export the TERM variable to xterm

Voila! We have a full interactive shell!  As an example, here’s the ls command in the half shell:

Full interactive shell

And here’s the ls command in the same directory with the full shell:

ls command in the same directory with the full shell

Have any other tips or tricks you would like to share? Email me at aaron.moss@secureideas.com.

If you’re interested in security fundamentals, we have a Professionally Evil Fundamentals YouTube channel that covers a variety of technology topics.  Finally, if you’re looking for a penetration test, training for your organization, or just have general security questions please Contact Us.

Join the Professionally Evil newsletter