mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
41 lines
1.3 KiB
Markdown
41 lines
1.3 KiB
Markdown
|
# Full TTYs
|
||
|
|
|
||
|
|
## Full TTY
|
||
|
|
|
||
|
|
Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file
|
||
|
|
This incident has been reported`.
|
||
|
|
|
||
|
|
```bash
|
||
|
|
python -c 'import pty; pty.spawn("/bin/bash")'
|
||
|
|
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
|
||
|
|
```
|
||
|
|
|
||
|
|
```bash
|
||
|
|
script -qc /bin/bash /dev/null
|
||
|
|
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
|
||
|
|
```
|
||
|
|
|
||
|
|
### **Spawn shells**
|
||
|
|
|
||
|
|
* `python -c 'import pty; pty.spawn("/bin/sh")'`
|
||
|
|
* `echo os.system('/bin/bash')`
|
||
|
|
* `/bin/sh -i`
|
||
|
|
* `script -qc /bin/bash /dev/null`
|
||
|
|
* `perl -e 'exec "/bin/sh";'`
|
||
|
|
* perl: `exec "/bin/sh";`
|
||
|
|
* ruby: `exec "/bin/sh"`
|
||
|
|
* lua: `os.execute('/bin/sh')`
|
||
|
|
* IRB: `exec "/bin/sh"`
|
||
|
|
* vi: `:!bash`
|
||
|
|
* vi: `:set shell=/bin/bash:shell`
|
||
|
|
* nmap: `!sh`
|
||
|
|
|
||
|
|
## No TTY
|
||
|
|
|
||
|
|
If for some reason you cannot obtain a full TTY you **still can interact with programs** that expects user input. In the following example, the password is passed to `sudo` to read a file:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'
|
||
|
|
```
|
||
|
|
|