We all love the feeling of getting a connection on a Netcat listener from a reverse shell — let’s go over the process of fully upgrading them in Zsh.

The first thing we’ll do is check which version of Python is available on the target machine (if any):

which python python3

Then we can execute the following Python one-liner, appending “3” to the first word if necessary:

python -c "import pty;pty.spawn('bash')"

Let’s break this command down:

  • First, we state that we want to execute Python commands within our terminal with “python -c”

  • Then we add quotation marks and insert the Python commands we want to execute

  • “import pty” imports a Python module that lets us spawn a pseudo-terminal, which tricks commands like su (substitute user) into thinking they’re being executed in a proper terminal

  • The semicolon marks the end of the first command

  • The second Python command uses a function called “spawn” from the pty module to spawn a bash shell

After executing the command, you’ll see the name of the user you’re logged in as, the hostname of the machine you’re connected to, and your current directory.


Much better!

Obtaining an Interactive TTY in Zsh

If we want to use a text editor, take advantage of tab-completion, or move through our command history, we’d run into problems with only the Python one-liner we just went over.

Thankfully, there’s a way to obtain a fully interactive TTY shell using stty options.

If you’ve followed popular guides on this topic in the past, you likely ran into a few issues as a user of Kali’s default shell, Z Shell.

For Zsh in particular, there’s a specific way the commands have to be executed in order to fully upgrade your Netcat shell.

After executing the Python one-liner, let’s put our Netcat session in the background with:

<CTRL+Z>


With our session pushed to the background, we can obtain some info on the size of our terminal window (in rows and columns):

stty size


In this example, my terminal window has 40 rows and 150 columns.

Now comes the critical part that is unique to Zsh!

In order to stop our local terminal from interpreting hotkeys (so keystrokes like Ctrl+C are passed through to the remote shell), disable local echo, and return to the reverse shell, we have to run the following:

stty raw -echo;fg

As Zsh users, we must execute “stty raw -echo” and “fg” on one line: Zsh restores its saved terminal settings before drawing the next prompt, so running them as two separate commands would undo the raw mode before the session is brought back to the foreground.

After returning to your Netcat session, press Enter to refresh it.

The last task is to set the shell, the terminal type, and the stty size (using the rows and columns we gathered earlier, 40 and 150 in this example):

export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <num>


That’s it!

We now have a fully-interactive TTY shell that supports tab-complete, job control, text editors, command history, etc.
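From the defender’s side, the upgrade above leaves two recognizable traces in process telemetry: the Python one-liner itself on a command line, and a shell that suddenly owns a pseudo-terminal (pts/N) even though its Python parent has no controlling terminal. The following added example (not part of the original post) runs those two checks over a handful of constructed process events; the event schema (pid, ppid, comm, cmdline, tty) is an assumption, not any particular agent’s format.

```python
import re

# Constructed sample process events (not real telemetry). The schema
# (pid, ppid, comm, cmdline, tty) is an assumption, not any product's format.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 1, "comm": "sshd", "cmdline": "sshd: alice [priv]", "tty": "?"},
    {"pid": 4102, "ppid": 4101, "comm": "bash", "cmdline": "-bash", "tty": "pts/0"},
    {"pid": 5201, "ppid": 5200, "comm": "sh", "cmdline": "/bin/sh", "tty": "?"},
    {"pid": 5202, "ppid": 5201, "comm": "python3",
     "cmdline": "python3 -c import pty;pty.spawn('bash')", "tty": "?"},
    {"pid": 5203, "ppid": 5202, "comm": "bash", "cmdline": "bash", "tty": "pts/3"},
]

SHELLS = {"sh", "bash", "zsh", "dash"}
# Matches the one-liner from the post and close variants of it.
PTY_SPAWN_RE = re.compile(r"import\s+pty\b|\bpty\.spawn\s*\(")


def find_pty_upgrades(events):
    """Return findings for processes that look like a pty-based shell upgrade."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        is_python = e["comm"].startswith("python")
        # Rule 1: the upgrade one-liner itself is visible on the command line.
        if is_python and PTY_SPAWN_RE.search(e["cmdline"]):
            findings.append({"pid": e["pid"], "rule": "pty-spawn-cmdline"})
            continue
        # Rule 2: a shell holds a pseudo-terminal handed to it by a Python
        # parent that has no controlling terminal of its own. A shell under
        # sshd (which also has no tty) is normal and is deliberately not flagged.
        parent = by_pid.get(e["ppid"])
        if (e["comm"] in SHELLS and e["tty"].startswith("pts/")
                and parent is not None and parent["tty"] == "?"
                and parent["comm"].startswith("python")):
            findings.append({"pid": e["pid"], "rule": "shell-pty-from-python"})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in find_pty_upgrades(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['rule']}")
```

Rule 2 is the more robust of the two, since it still fires when the one-liner is obfuscated or run from a file rather than with -c.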

Reference Sheet

python -c "import pty;pty.spawn('bash')"
<CTRL+Z>
stty size
stty raw -echo;fg
<Enter>
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <num>
