How to stabilize a simple reverse shell to a fully interactive terminal

Problem:

In CTF (Capture the Flag) competitions, when you get a reverse shell back from the target machine, it usually arrives without tab completion and without the ability to delete characters you have typed. This limits your effectiveness in capturing the flags on the target machine.

Example of a reverse shell terminal: [image: shell.png]

Prerequisite:

  1. The target machine must have Python 2 or 3 installed

Stabilize your shell:

  1. Import the pty module and spawn a bash shell (use python instead of python3 if the target only has Python 2):
    python3 -c 'import pty;pty.spawn("/bin/bash")'
    
  2. Press CTRL + Z to background the process and get back to the shell on your host machine
  3. Use the stty command to set the terminal line settings, then foreground the target shell again:
    stty raw -echo; fg
    
  4. Set the terminal type to xterm:
    export TERM=xterm
    
  5. Press Enter

Explanation:

  1. The pty module defines operations for handling the pseudo-terminal concept: starting another process and being able to write to and read from its controlling terminal programmatically.
  2. pty.spawn() spawns a process and connects its controlling terminal to the current process's standard input and output.
  3. stty is a tool used to set the input and output settings of the terminal interface. Basically, this command shows or changes terminal characteristics.
  4. stty raw activates raw mode, where instead of reading a whole line, characters are read one at a time. In addition, some special characters such as # will not work (the # character is used to erase the last typed character). With stty raw you can't hit Ctrl-C to end a process, because the key is no longer interpreted locally. See the Reference below.
  5. stty -echo: the dash means "disable" a setting. In this case we are disabling echo so that the host terminal does not echo back our typing; the remote pty echoes it instead. Note that this is applied to your host terminal, so if the connection drops while it is in this state, run reset to restore it.
  6. The export TERM=xterm command sets the terminal type to xterm. In other words, it just tells the system what kind of terminal you're supposedly using and how the text on the screen should be adapted. The default TERM setting for Ubuntu is xterm. You can check your TERM setting by running echo $TERM.

Other solutions:

Another way to get a stabilized terminal window is to use the socat command-line tool. One disadvantage of that method is that the target machine may not have this tool installed by default, so you need extra steps to install it.
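From the defender's side, the same sequence is a useful detection signal: an interactive TTY upgrade almost never happens under a process that owns a raw network socket. The following script is an added example, not part of the original post: it parses a constructed process-execution log (the "pid=.. ppid=.. comm=.. cmd=.." record shape, the rule names and the NETWORK_PARENTS list are all my own assumptions), flags command lines matching the pty.spawn and socat methods discussed above, and raises the severity when the process ancestry passes through a netcat- or socat-style parent. Shell builtins such as export TERM=xterm never exec a process, so they do not appear in such logs and are deliberately not part of the rules.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid comm cmdline")

# Command-line patterns for the TTY-upgrade methods described on this page
# (python pty.spawn and the socat alternative). Rule names are my own labels.
RULES = {
    "python_pty_spawn": re.compile(r"\bimport\s+pty\b.*?\bpty\.spawn\s*\("),
    "socat_pty": re.compile(r"\bsocat\b.*\bpty\b", re.IGNORECASE),
}

# Process names that typically own the network socket of a reverse shell.
# A TTY upgrade with one of these in its ancestry is far more suspicious than
# one typed by a user logged in through sshd. Assumed list; extend as needed.
NETWORK_PARENTS = {"nc", "ncat", "netcat", "socat"}

# Record shape of the constructed log below (assumed format, not a real product's).
LINE_RX = re.compile(r"pid=(\d+)\s+ppid=(\d+)\s+comm=(\S+)\s+cmd=(.*)$")


def parse_log(text):
    """Parse 'pid=.. ppid=.. comm=.. cmd=..' records into a pid -> Proc map."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RX.search(line)
        if m:
            pid, ppid, comm, cmd = m.groups()
            procs[int(pid)] = Proc(int(pid), int(ppid), comm, cmd.strip())
    return procs


def match_rules(cmdline):
    """Names of every rule whose pattern matches this command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def ancestry(procs, pid):
    """Process names from pid up to the root, e.g. ['python3', 'sh', 'nc', 'systemd']."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against ppid cycles in malformed logs
        chain.append(procs[pid].comm)
        pid = procs[pid].ppid
    return chain


def find_tty_upgrades(procs):
    """Return one finding per rule-matching process, graded by its ancestry."""
    findings = []
    for proc in procs.values():
        rules = match_rules(proc.cmdline)
        if not rules:
            continue
        chain = ancestry(procs, proc.pid)
        network_parent = any(c in NETWORK_PARENTS for c in chain[1:])
        findings.append({
            "pid": proc.pid,
            "rules": rules,
            "ancestry": chain,
            "severity": "high" if network_parent else "medium",
        })
    return findings


# Constructed sample in the shape of a process-execution log; not from any real host.
# pid 2300 is a benign python process under an ssh session; pid 3102 is the
# pty.spawn upgrade typed into a shell whose parent is a netcat listener.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z pid=1 ppid=0 comm=systemd cmd=/sbin/init
2024-01-01T10:00:01Z pid=900 ppid=1 comm=sshd cmd=/usr/sbin/sshd -D
2024-01-01T10:00:02Z pid=2200 ppid=900 comm=bash cmd=-bash
2024-01-01T10:00:03Z pid=2300 ppid=2200 comm=python3 cmd=python3 manage.py runserver
2024-01-01T10:05:00Z pid=3100 ppid=1 comm=nc cmd=nc [arguments omitted]
2024-01-01T10:05:01Z pid=3101 ppid=3100 comm=sh cmd=/bin/sh
2024-01-01T10:05:30Z pid=3102 ppid=3101 comm=python3 cmd=python3 -c 'import pty;pty.spawn("/bin/bash")'
2024-01-01T10:05:31Z pid=3103 ppid=3102 comm=bash cmd=/bin/bash
"""

if __name__ == "__main__":
    for f in find_tty_upgrades(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity']}] pid {f['pid']} {f['rules']} via {' <- '.join(f['ancestry'])}")
```

On the sample log this reports a single high-severity finding for pid 3102 with the chain python3 <- sh <- nc <- systemd, while the Django-style python3 process under sshd is ignored. The ancestry check is what keeps the false-positive rate tolerable: the pty.spawn one-liner alone is also used legitimately by administrators, so a real rule should be fed from auditd execve records or an EDR process tree rather than from grepping command lines in isolation.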

Reference:

  1. Upgrading Simple Shells to Fully Interactive TTYs