Using tmux for automating interactive reverse shells

I’ve recently read a great post about using the “expect” command-line utility to automate converting a non-interactive reverse shell into a fully interactive TTY. Once that is done, you get tab completion, history navigation, clearing the screen and, among other things, the ability to hit Ctrl-c without losing your access, which makes me really happy.

I found the post very interesting because it uses a completely different approach that I had never seen before. Since I also have a technique for automating this process, I decided to share it as a different perspective, one that also relies on a command-line utility: tmux.

The manual process

Creating an interactive reverse shell manually

The above gif shows how you can convert a non-interactive reverse shell into an interactive one. Although it’s a fairly simple process, if you need to do it very often it becomes a pain.

Enter tmux

Tmux is a terminal multiplexer command-line utility that lets you create and control multiple shells from a single screen. One of its most powerful features is the ability to send keystroke combinations into those shells automatically. On top of that, it lets me define internal environment variables that I can use as short versions of long commands:

Command strings being stored as environment variables

Now I can simply open the tmux command prompt and send one of those strings into the currently active tmux pane:

Sending strings into shells using tmux

The magic of tmux automation

Now that we know which tmux features we need, we can build tmux shortcuts (key bindings) that send keystrokes to the currently active pane when triggered.

Tmux key bindings for sending keystrokes

The “tmux.conf” lines above consist of two environment variables that hold two strings to be sent to the terminal later, and two key bindings. The first binding sends the key sequence python3 -c 'import pty;pty.spawn(\"/bin/bash\")' followed by an <Enter>; the second sends the sequence C-z "stty raw -echo" Enter fg Enter reset Enter $shellexports Enter. Note that “Enter” is not the word itself but the *keystroke*, that is, a newline character. Tmux has a set of words that it recognizes as certain keyboard keys, and “Enter” is one of them.

The first bind command has to be executed after the prefix key combination, which in standard tmux is Ctrl-b but in my case is Ctrl-a. The second bind command, which has the -n flag, can be executed without the prefix combination.

Here you might be thinking: “but why are you using two shortcuts instead of just one that sends everything at once?” The answer for that is simple: I wasn’t able to get it working by using only one key binding. If you find a way, please contact me because I’d love to know what I’ve missed.
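The exact command sequence those bindings type out (python pty.spawn, then stty raw -echo / fg / reset) is also what a defender would look for on the receiving host. As an added example that is not part of the original post, here is a small Python detector run over constructed process-execution records in an assumed, simplified one-line-per-exec format (timestamp, pid, ppid, command line); it flags the pty.spawn step on its own and raises severity when stty raw -echo follows from a descendant process within a short window:

```python
import re

# Constructed sample of process-execution events (not from the original post), in an
# assumed simplified auditd/EDR-like format: "<ts> <pid> <ppid> <cmdline>".
SAMPLE_EVENTS = """\
1700000001 4101 4100 bash -i
1700000004 4102 4101 python3 -c import pty;pty.spawn("/bin/bash")
1700000005 4103 4102 /bin/bash
1700000006 4104 4103 stty raw -echo
1700000007 4105 4103 reset
1700000020 5201 5200 python3 -c import pty;pty.spawn("/bin/bash")
1700000300 6301 6300 stty raw -echo
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<cmd>.+)$")
PTY_SPAWN_RE = re.compile(r"pty\.spawn\s*\(")        # first step: python pty spawn
STTY_RAW_RE = re.compile(r"\bstty\s+raw\s+-echo\b")  # second step, typed after C-z
WINDOW_SECS = 120                                    # how close the two steps must be


def parse_events(text):
    """Parse the simplified exec log into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": int(m["ts"]), "pid": int(m["pid"]),
                           "ppid": int(m["ppid"]), "cmd": m["cmd"]})
    return events


def detect_tty_upgrade(events):
    """Return sorted (pid, severity) pairs keyed by the pty.spawn process.

    'medium': pty.spawn seen on its own.
    'high':   pty.spawn followed, within WINDOW_SECS, by 'stty raw -echo' run by a
              descendant process (the full sequence the tmux bindings automate).
    """
    parent = {e["pid"]: e["ppid"] for e in events}
    spawns, findings = {}, {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if PTY_SPAWN_RE.search(e["cmd"]):
            spawns[e["pid"]] = e["ts"]
            findings[e["pid"]] = "medium"
        elif STTY_RAW_RE.search(e["cmd"]):
            p = e["ppid"]  # walk up the ancestry looking for a recent pty.spawn
            while p:
                if p in spawns and e["ts"] - spawns[p] <= WINDOW_SECS:
                    findings[p] = "high"
                    break
                p = parent.get(p)
    return sorted(findings.items())


if __name__ == "__main__":
    print(detect_tty_upgrade(parse_events(SAMPLE_EVENTS)))
```

The stray stty at pid 6301 is not flagged because no pty.spawn ancestor is in the log; pid 5201 stays at medium because nothing followed it.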

The final result

Now every time you get a non-interactive shell, you can simply hit Ctrl-aqq to trigger the first binding (Ctrl-aq) and then send the second part (Ctrl-q). Enjoy:

Fully automated interactive shell from a non-interactive one
