Fully (auto) interactive TTY shells
Introduction
During penetration tests or red team exercises, one of the most recurring tasks is gaining a remote shell, whether a bind or a reverse one. Once some kind of command injection vulnerability has been exploited, for instance, one of the widely tested reverse shell snippets is usually enough to get a shell back on the attacker's machine.
Usually the received shell is non-interactive: its standard input, output and error are a socket, not a terminal. That precludes running programs that demand a higher level of terminal control, such as visual text editors (vi) and programs that prompt for credentials (su, sudo, ssh), which refuse to read a password from anything but a tty. To run those programs, one executes, from that shell, a program that forces the allocation of a pseudoterminal (pty) and then, by means of fork/exec, starts a new shell whose standard descriptors and controlling terminal are the pty slave. The parent process keeps the socket descriptors it inherited and relays bytes between them and the pty master. Programs started from the new shell therefore see a real terminal and can run interactively.
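The mechanism described above, as an added example that is not part of the original post: Python's standard `pty` module (the same one behind the usual `python -c 'import pty; pty.spawn("/bin/bash")'` upgrade) is used to fork a child whose stdio is the pty slave, and the result is compared with a child started on plain pipes. The probe command is constructed for the demo and runs the current interpreter instead of a shell so the example has no dependency on a particular shell binary; on a target, the same call with `/bin/bash` as argv is the upgrade.

```python
"""Why a pty upgrade works: children of pty.fork() see a real terminal.

pty.fork() allocates a master/slave pseudoterminal pair, forks, and in the
child makes the slave its controlling terminal and stdin/stdout/stderr.
The parent keeps the master end and relays bytes. Programs in the child
therefore see isatty() == True, which is what su, sudo, vi and ssh demand.
"""
import os
import pty
import subprocess
import sys


def run_under_pty(argv):
    """Run argv as a child whose stdio is a pty slave; return its output.

    Mirrors what pty.spawn("/bin/bash") does on a victim host, except that
    here the parent only collects the child's output instead of proxying
    an interactive session between the socket and the pty master.
    """
    pid, master_fd = pty.fork()
    if pid == 0:
        # Child: fds 0, 1, 2 are now the pty slave; replace ourselves.
        os.execvp(argv[0], argv)
    chunks = []
    while True:
        try:
            data = os.read(master_fd, 4096)
        except OSError:
            # Linux raises EIO on the master once the slave side is closed.
            break
        if not data:  # other platforms report plain EOF
            break
        chunks.append(data)
    os.close(master_fd)
    os.waitpid(pid, 0)
    # The tty line discipline rewrites "\n" as "\r\n" (ONLCR); undo that.
    return b"".join(chunks).decode(errors="replace").replace("\r\n", "\n")


def run_through_pipes(argv):
    """Run argv with stdio on pipes and /dev/null, the way children of a raw
    reverse shell see a socket: no terminal anywhere."""
    return subprocess.run(
        argv, capture_output=True, text=True, stdin=subprocess.DEVNULL
    ).stdout


# Constructed probe: reports whether fd 0 (stdin) is a terminal. It uses the
# running interpreter so the demo does not depend on a particular shell.
PROBE = [sys.executable, "-c",
         "import os; print('tty' if os.isatty(0) else 'notty')"]


def child_sees_tty(spawner):
    """True if the probe started via `spawner` found a terminal on stdin."""
    return spawner(PROBE).strip() == "tty"


if __name__ == "__main__":
    print("via pipes (like a raw reverse shell):", run_through_pipes(PROBE).strip())
    print("via pty.fork (the upgrade):          ", run_under_pty(PROBE).strip())
    # On a real target the equivalent one-liner is:
    #   python3 -c 'import pty; pty.spawn("/bin/bash")'
```

The parent in `run_under_pty` only drains the master; a real upgrade tool additionally copies the attacker's keystrokes from the socket into the master and puts the attacker's own terminal into raw mode, which is why the usual recipe continues with `stty raw -echo` on the attacker side after `pty.spawn`.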