How to Upgrade a Shell

Difficulty
Intermediate
Video Transcription
How to upgrade a shell. Our learning objectives are to understand why we try to upgrade a shell and to demonstrate the various ways to upgrade a shell.

I hope the last lesson didn't get you down. There are ways to go from a bad shell to a good shell, and I'm going to tell you how you can do that. We're hackers. We're going to think outside the box. If we're stuck with a bad shell, there has to be a good way to get a good shell.

One of those ways is in Meterpreter: you can go from a command shell, and you'll see here I used multi/manage/shell_to_meterpreter. Again, this is going to be something you use even more in PWK and CTFs, and actually OSCP, because again, this is a module here. You will migrate from a command shell, which has limited functionality, to a Meterpreter shell where we can do things like set up a pivot point. That's to say that when you are in CTFs and PWK and you're using Metasploit and you do get a command shell off the bat, there is a module that you can use to go from just a command shell to a Meterpreter shell with a lot more functionality.

In some cases you'll find you have a restricted shell. In the top image, over SSH, which I did say is great (to get an SSH session into a box), you'll see here we're in a restricted rbash shell. We're trying to change directory to root, and it says restricted. whoami? It's not letting us specify a forward slash. You can get around that; I've seen some CTFs or boxes that are tailored around escaping these types of restricted shells. One way to do that is -t, which I've taught you, and you can do /bin/bash or /bin/sh. In some cases you can do bash --noprofile, and in this case it worked for me, and you can see now I can change directory to /etc and cat /etc/passwd, so I have a whole lot more functionality than I did in this rbash shell. That's how to escape an rbash shell: try this -t bash --noprofile. Sometimes it works, sometimes it doesn't, but this is a tool to put in your toolbox.

Also, here you'll see that I have a PHP shell, and you can see I'm issuing commands and I don't get any output; I don't see anything. What I want to do is upgrade to a Meterpreter shell, if possible, with multi/handler. I said multi/handler; when I'm recording this now, you can use multi/handler on any box you want. That's what I typically do: once I have a PHP shell, normally through a web shell or when I get RCE through a web server, I'll get on the box with the Netcat shell, and then I will download (you'll see curl and wget, which you should recognize as ways to get the shell from my box), I'm making it executable, and ultimately I am executing this shell.elf, which is something that I created with msfvenom. If you're on a Linux box, you can use msfvenom to create this ELF file and ultimately have it execute, and you see here now I have a nice Meterpreter session open.

Here's a cheat sheet. If you do get on a box and you do see limited functionality, you can do this python -c 'import pty'. Importing is basically having Python use this library and this language to create its own shell, which is very stable, I found. You can do echo os.system('/bin/bash'), or even /bin/sh in some cases, and /bin/sh -i. Give those a try. If you don't see anything, if you're on the box and you don't see any type of prompt, give each of those a try. Also note that with Python, sometimes it's python3 and not python that will work, because the box will only recognize it when you write python3. Also note, like I said, sometimes it's not /bin/sh -i, sometimes it's /bin/bash -i, or echo os.system('/bin/sh') that will work. So switch those around. I think in more modern boxes, /usr/bin/bash is a link to /bin/bash. But in some of these older boxes, I think they were different. Try to switch them up. Sometimes the binaries are in /usr and not just in /bin/bash, so look for those as well. There could be other places where that binary is that will work for you.

Here's a tale of two terminals. I'm doing the Dirty COW exploit, and you'll see on the left I don't see any output and I was just sitting there. It says "enter the new password: evil", I entered evil, and it's just sitting there. That's why I also said with these exploits, I have gcc, I'm trying to compile it: -pthread dcow, output dcow, -lcrypt. That was a nice script because it told me how to compile that exploit, but ultimately I'm just sitting there because of a bad shell. On the right-hand side, I'm using that python -c 'import pty', so I have that nice Python shell, and you can see all this output and at the end, a password, evil. FireFart is the guy that made the exploit, so that's why it's firefart. But you'll see ultimately I'm root. So using that upgrade ultimately led me to privilege escalation, whereas if I didn't do that, I'm just sitting there indefinitely and hoping that somehow I become root.

Here is a link. I suggest you take a look at it: ways to upgrade your shell. I will note that the author, ropnop, does have a portion on how you can upgrade shells with magic, and it really is cool, and it's worked for me some of the time. That's to say, sometimes I completely wreck my terminal and I have no idea what's going on, and I ultimately have to close it and I've lost that foothold, and when you're taking OSCP, you're nervous enough. If you have to exit out of your shell or exit out of your terminal, that's very, very nerve-racking. That's to say, be careful with his upgrade-with-magic technique, because it's very possible that it may not work for you. I know when I took OSCP, I didn't use it. When I was in Hack The Box and things like that, I was more than happy to give it a try and see that it worked. When it did, it was really cool because I had tab completion and I could hit the up arrow for history, and it was very, very useful. So use that at your discretion.

So in summary, we should now understand why we try to upgrade a shell, and we should be able to demonstrate the various ways to upgrade a shell.
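As an added example that is not part of the lesson or the instructor's material: the cheat sheet the speaker walks through (python vs python3, /bin/sh vs /bin/bash, then ropnop's "magic" stty step) written as a small POSIX sh helper. It does not spawn anything itself; it prints the lines you would paste into the dumb shell, so a mistake costs nothing. The interpreter names it probes (python3, python, python2, perl, script), the shell paths, and the fall-back 24x80 terminal size are assumptions for the example; adjust them to the target.

```shell
#!/bin/sh
# Added example (not from the lesson): build the PTY-upgrade commands from the
# cheat sheet without executing them. Covers the three pitfalls the speaker
# mentions: the box may only have python3 (or no python at all), the shell may
# live at /bin/sh rather than /bin/bash, and the local stty fix-up needs the
# real terminal size (falls back to 24x80 when not run from a terminal).

q="'"   # a literal single quote for the printf formats below

# first_available NAME... -> print the first NAME found on PATH; rc 1 if none.
# Run this ON THE TARGET from the dumb shell to learn what you have to work with.
first_available() {
  for cand in "$@"; do
    if command -v "$cand" >/dev/null 2>&1; then
      printf '%s\n' "$cand"
      return 0
    fi
  done
  return 1
}

# build_pty_cmd INTERP SHELLPATH -> the one-liner that gives you a PTY via
# INTERP, running SHELLPATH inside it. Unknown INTERP -> rc 1, prints nothing.
build_pty_cmd() {
  interp=$1
  target=$2
  case "$interp" in
    python|python2|python3)
      printf '%s -c %simport pty; pty.spawn("%s")%s\n' "$interp" "$q" "$target" "$q" ;;
    perl)
      printf '%s -e %sexec "%s";%s\n' "$interp" "$q" "$target" "$q" ;;
    script)
      printf 'script -qc %s /dev/null\n' "$target" ;;
    *)
      return 1 ;;
  esac
}

# local_stty_fixup [ROWS COLS] -> the line to type in the upgraded shell so
# editors and pagers get a correctly sized terminal. Without arguments it asks
# the local terminal; if stdin is not a terminal (or stty is missing) it falls
# back to 24x80 instead of emitting an empty "stty rows  cols" that wrecks
# the session, which is the failure mode the speaker warns about.
local_stty_fixup() {
  if [ $# -eq 2 ]; then
    rows=$1; cols=$2
  else
    size=$(stty size 2>/dev/null) || size=""
    [ -n "$size" ] || size="24 80"
    rows=${size% *}; cols=${size#* }
  fi
  printf 'export TERM=xterm; stty rows %s cols %s\n' "$rows" "$cols"
}

# upgrade_plan [SHELLPATH] -> the full sequence for the first usable interpreter.
upgrade_plan() {
  target=${1:-/bin/bash}
  interp=$(first_available python3 python python2 perl script) || {
    echo "no PTY-capable interpreter found; fall back to ssh -t / bash --noprofile" >&2
    return 1
  }
  echo "# 1. in the dumb shell on the target:"
  build_pty_cmd "$interp" "$target"
  echo "# 2. press Ctrl-Z, then on your own box (this is the 'magic' step; 'reset' recovers a broken terminal):"
  echo "stty raw -echo; fg"
  echo "# 3. back in the target shell:"
  echo "reset"
  local_stty_fixup
}

# Run directly:  sh upgrade_shell.sh /bin/bash    (prints the plan)
# Or source it:  . ./upgrade_shell.sh; build_pty_cmd python3 /bin/sh
case "${1:-}" in
  /*) upgrade_plan "$1" ;;
esac
```

If `first_available` finds nothing, you are back to the instructor's other options (the `-t` trick over SSH, `bash --noprofile`, or dropping an msfvenom ELF and catching it with multi/handler), which is exactly the decision the speaker describes making by hand.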