How to Spawn an Interactive Shell Behind the Firewall

Spawning the shell

As penetration testers and security researchers, you often come across firewalls configured with egress/ingress filtering that makes it difficult to spawn a shell. In this blog, we will discuss and demonstrate the concept of "Forward Shells", a method that can be used to work around such firewall rules and spawn an interactive shell.

What is a Shell? 

To achieve control of a compromised system, an attacker usually aims to exploit a vulnerability that awards them Remote Code Execution (RCE). The next logical step is to spawn a shell, which is essentially an interactive TTY. With such access, the attacker may escalate their privileges and gain significant control over the system, which can seriously harm the organization.

What does “Spawning a Shell” mean? 

“Spawning a shell” simply means spawning an interactive TTY, by exploiting the RCE vulnerability, or gaining access to a protocol like SSH. Speaking specifically in terms of abusing RCE vulnerabilities, shells are traditionally spawned using two methods: 

Spawning Reverse Shells 

A Reverse Shell is an RCE exploit where the attacker gets the victim machine to connect back to them and provide access to an interactive TTY. This usually involves the attacker sending a command to the victim which, when executed, makes the victim connect to a specific port on the attacker's machine and hand over a TTY.

Here's an example with netcat. On the right side is the attacker's Kali machine, listening on port 9001. The victim's Ubuntu machine on the left connects to this port and gives the attacker access to the bash shell.

Spawning Bind Shells 

A Bind Shell is an RCE exploit where the attacker connects to the victim machine to get access to an interactive TTY. This usually involves the attacker sending a command to the victim which, when executed, opens a listening port on the victim's server. The attacker is greeted with an interactive TTY when they connect to the newly opened port.

Here's an example, again with netcat. On the left side is the victim's Ubuntu machine, listening on port 9001. The attacker's Kali machine on the right connects to this port and gains access to the bash shell.

What is a Forward Shell? 

Sometimes spawning a shell via the traditional methods is not easy. Egress/ingress firewall rules or iptables rules can block an attacker's attempt to spawn a shell. In such cases, an attacker may use a concept called a "Forward Shell". The Forward Shell is the brainchild of IppSec; you can find the script on his GitHub repository. Let us cover some other terminology before diving into how a forward shell works.

Pipes and Named Pipes 

A pipe is a form of redirection that sends the output of one command, program, or process to another command, program, or process. A named pipe, also known as a FIFO, is a file that behaves like a pipe but has a name on the filesystem. Commands, programs, and processes can use this name to read from and write to the pipe. Named pipes are created with the mkfifo command.

TTY and PTY 

A TTY (teletype) is a terminal. It’s a user interface that uses text to manage input and output. A PTY (pseudo teletype) is a software implementation that appears to other processes as a TTY, but it’s a program that communicates directly with a TTY, acting as a mediator between the terminal and the program. 

How does Spawning an Interactive Forward Shell work? 

The Forward Shell creates a named pipe and writes commands to it. The commands are read from the pipe and executed, and their output is written to a file. A background thread then reads the output file, prints its contents, and clears the file. None of this requires a persistent network connection, which means we can spawn an interactive PTY through a firewall whose egress/ingress filtering blocks reverse and bind shells.

Understanding the Script 

The script, as it sits on IppSec's GitHub repository, is hard-coded for exploiting Shellshock vulnerabilities. Here's how the whole thing works:

  1. The constructor __init__ defines the command string which, when run, sets up the named pipe on the server. The command string looks like this:

mkfifo {self.stdin}; tail -f {self.stdin} | /bin/sh 2>&1 > {self.stdout}

     a. self.stdin is the named pipe, created with mkfifo.
     b. tail -f self.stdin | /bin/sh continuously reads the end of the named pipe and passes its contents to the sh shell to run.
     c. 2>&1 > self.stdout writes the output and errors produced by /bin/sh to self.stdout, which is the output file.
  2. The RunRawCmd function writes commands to the self.stdin pipe; they are then run and their output redirected to self.stdout.
  3. The WriteCmd function converts user-supplied commands to base64 to avoid ambiguous characters and then passes the final string to RunRawCmd().
  4. ReadThread runs as a daemon that reads the command output from the self.stdout file every 1.3s. This interval can easily be changed.
  5. The UpgradeShell function upgrades your web shell to a fully interactive PTY, using python3, python, or the script command, whichever is available.
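From the defender's side, the process pattern the list above describes (a shell fed by tail -f on a named pipe, with stdout sent to a file) is visible in a plain process listing. The following is an added example, not IppSec's or Payatu's code; the ps output, paths and pids are constructed for a hypothetical host.

```python
"""Flag the forward-shell launcher string and the surviving 'tail -f fifo | sh'
pipeline in ps output. Added example; the sample listing below is constructed."""
import re
from collections import defaultdict

# Constructed `ps -eo pid,ppid,comm,args` output from a hypothetical host.
SAMPLE_PS = """\
  PID  PPID COMM ARGS
  900     1 apache2 /usr/sbin/apache2 -k start
 1012   900 sh sh -c mkfifo /dev/shm/.in; tail -f /dev/shm/.in | /bin/sh 2>&1 > /dev/shm/.out
 1013  1012 tail tail -f /dev/shm/.in
 1014  1012 sh /bin/sh
 2050  2001 bash -bash
 2060  2050 tail tail -f /var/log/syslog
"""
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
# The launcher string from the page: mkfifo <fifo>; tail -f <fifo> | /bin/sh ... > <outfile>
LAUNCHER_RE = re.compile(r"mkfifo\s+(\S+).*?tail\s+-f\s+\1\s*\|\s*\S*sh\b.*?>\s*(\S+)$")

def parse_ps(text):
    """Parse the four-column ps listing into dicts; the header line is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            procs.append({"pid": int(parts[0]), "ppid": int(parts[1]),
                          "comm": parts[2], "args": parts[3].strip()})
    return procs

def find_launchers(procs):
    """Processes whose command line is the forward-shell setup string itself."""
    hits = []
    for p in procs:
        m = LAUNCHER_RE.search(p["args"])
        if m:
            hits.append({"pid": p["pid"], "fifo": m.group(1), "outfile": m.group(2)})
    return hits

def find_tail_fed_shells(procs):
    """A 'tail -f' and a shell sharing one parent is the 'tail -f fifo | /bin/sh'
    pipeline; it keeps running even after the launching request has timed out."""
    by_parent = defaultdict(list)
    for p in procs:
        by_parent[p["ppid"]].append(p)
    pairs = []
    for siblings in by_parent.values():
        tails = [s for s in siblings if re.match(r"tail\s+-[fF]\s", s["args"])]
        shells = [s for s in siblings if s["comm"] in SHELLS]
        pairs += [(t["pid"], s["pid"]) for t in tails for s in shells]
    return pairs
```

On a live Linux host the same two checks can be run over `ps -eo pid,ppid,comm,args` output; the tail-plus-shell sibling check is the one that still fires after the launcher process has gone.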

I modified the script a little, so that it now:

  1. Reads and sets up the request from a file.
  2. Finds the "INJECT" keyword in the request and replaces it with the user-provided or script-generated commands.

This allows us to use the forward shell against both web shells and RCE vulnerabilities. You can find my version of the script over here.

Using the Upgraded Script in a Real Scenario 

In order to test the script and look at it from the victim's point of view, we set up an Ubuntu VM and deployed a simple PHP web shell on it. For the sake of demonstration, let's assume that a firewall exists and blocks all bind/reverse shells on both TCP and UDP ports. Let us use the forward shell to spawn an interactive PTY:

That timeout error occurs because the server never responds once the named pipe has been set up: the tail -f ... | /bin/sh pipeline keeps running, so the request that launched it never completes. Rather than waiting only to receive a timeout anyway, we set the timeout to 0.1s to get an instant shell. Increasing the timeout for subsequent requests resolves this error. This shell is a fully interactive PTY and allows us to do everything a regular shell would: you can change directories, switch users, and even clear the screen.

Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystems, Web applications & Networks with a proven track record of securing applications and infrastructure for customers across 20+ countries. 
