#150 – Thinking of ways to get a pseudo-tty with a web shell

Hi, today I’ll do a quick article that’s talking primarly about security but I won’t enter it into the pentest category since the question I didn’t develop a solution yet.

 

The need for a pseudo-tty

Why should we need a pseudo-tty? During a pentest, there are a lot of cases where you would need a tty, such as when you want to use sudo and setup a password, or use ssh without a key. The problem is that generally, the method to get a pseudo-tty is to get a reverse-shell (or bind, whatever) then call for a pseudo-tty, for example by using python.

python -c 'import pty; pty.spawn("/bin/bash")'

However, getting a reverse shell means having the possibility to do a direct TCP connection between a machine you control and the victim, that’s not always the case if the firewall rules have been properly set-up.

 

The idea

Alright, so now that the problem has been laid out, I’m not sure my solution has been implemented yet, but the idea is to do a shell emulator in a language that can support a pseudo-tty, such as python or c, launch it, save the output to a file and setup a client which will translate the file.

I have two choices, either I do something custom to get a pseudo-tty (example: a file with the stdout and another file with the stdin I’ll write into with a web shell), or I could do a kind of covert channel tool which will translate TCP (binding on 127.0.0.1) to file and vice-versa (binding on my client, and translating the transaction to a file write).

I’m not sure yet if my idea is doable but that’s probably something I’ll work on for the next few days.

Leave a Reply

Your email address will not be published.