Often when we get a shell by exploiting vulnerabilities, the shell that we getting is a dumb terminal or not and interactive shell. This means that you cannot ctrl+c
when accidentally run command such as ping
where you need to terminate the process. If you do ctrl+c
this not only kills the ping
process, but also your shell.
To overcome this, I made a guide here where you can follow to convert your non-interactive shell to fully interactive shell.
Step 1
Get victim shell connection from your exploit either reverse or bind shell.
Step 2
On victim shell, upgrade the shell to tty shell. The most common is you can use python to spawn tty shell by using the pty built-in library. Make sure to spawn /bin/bash
not /bin/sh
. Read more here to see other methods of upgrading shell to tty shell.
$ python -c 'import pty;pty.spawn("/bin/bash")'
Step 3
Export some vars to the victim shell session. The best is to check your local terminal $TERM
vars so that it same on the target terminal session.
echo $TERM
xterm-256color
Export that value on the target shell session.
export TERM=xterm-256color
export SHELL=/bin/bash
Step 4
On your local terminal, check for terminal rows and columns.
stty size
24 103
what you need to take note here is the current terminal rows and columns which is for me rows 24 and columns 103. You might be different.
On the victim shell, fork the shell to background by pressing ctrl+z
and you’ll bring back to your local terminal.
^Z
[1]+ Stopped nc -lvp 9091
Execute the following command to set the terminal to echo the input characters so that it catch by the victim terminal session. Follow with the command fg
to bring back the victim shell to foreground.
stty raw -echo;fg
After that, your cursor might be somewhere on the middle of the terminal, type reset
to reset the victim terminal session.
stty raw -echo;fg
nc -lvp 9091
reset
Your victim terminal is now interactive, but it is not done yet. You need to specify the “new” terminal with rows and columns to make it display properly.
stty rows 24 columns 103
Now you’re happy with the fully interactive shell on victim.
If you do not have Python on the box
export TERM=xterm SHELL=/bin/bash script -q /dev/null
.