Differences

This shows you the differences between two versions of the page.

--- docu:tutos:android:adb_root_reverse_shell_openssl [2024/01/06 20:35]
admin
+++ docu:tutos:android:adb_root_reverse_shell_openssl [2024/01/06 21:17] (current)
admin
@@ Line 1: / Line 1: @@
 ==== Spawn a usable root shell on your Android, without su, using "ADB as Root" developer option and Termux with openssl ====
-First, we need to have Termux installed and the "Run ADB as Root" developer option enabled.
+First, we need to have **Termux** installed and the "**Run ADB as Root"** developer option enabled on your Android "Developer Options". Make sure you have that option, otherwise you won't be able to use this method of root shell running.
+This method creates a secure connection (using TLS/SSL) to your root shell and does not have compatibility problems on the tool used (**openssl**) as it happens, for example, when using netcat for reverse shell spawning.
 \\
@@ Line 8: / Line 10: @@
 pkg update
 pkg install openssl
+pkg install openssl-tool
+pkg install python3
 </code>
@@ Line 16: / Line 20: @@
 </code>
-Save this scripts in your Termux home
+Save this scripts in your Termux home (**~**) and give them execution permissions (chmod +x)
 <file bash "shserver">
 export LHOST="*"
@@ Line 35: / Line 39: @@
   /data/data/com.termux/files/usr/bin/openssl s_client -quiet -tls1_2 -psk $PSK -connect $RHOST:$RPORT > $PIPE; rm $PIPE
 </file>
+\\
+Once you run **adb shell** on your Android, from any other device connected by usb to it, make sure you are root (run **whoami**, **id** or similar), otherwise you might need to run **adb root** first, but sometimes you only need to enable the "ADB as Root" option in developer options.
+As it is a reverse shell, we need to bind the "server" first, on our Termux Android terminal. Open Termux and run the "shserver" script:
+<code>
+~ $ ./shserver
+# (nothing will show up at first, until we run the next steps)
+</code>
+Now, do as follows on your **host device** (the ones running adb to the Android system)
+<code>
+$ adb shell
+devname:/ # cd /data/data/com.termux/files/home
+devname:/data/data/com.termux/files/home # setsid -d ./shclient
+# (now you can exit the adb shell. If "exit" hangs, just run ctrl+c a few times or just disconect the USB cable)
+</code>
+Return again to the Termux Android terminal and run the following things to have a neat and usable shell (capture ctrl+c, enable tab completion, use bash... etc)
+<code>
+# (something like this should show up in your Termux terminal after previous adb shell commands)
+devname:/data/data/com.termux/files/home #
+# Run the following commands:
+devname:/data/data/com.termux/files/home # ../usr/bin/python3 -c 'import pty;pty.spawn("../usr/bin/bash")'
+.../files/home #
+# now ctrl+z the terminal (stop the job)
+~ $ stty raw -echo
+~ $ fg
+# now terminal seems unusable, but press "Enter" 2 times and you will have your complete feature-rich shell!
+.../files/home # whoami
+root
+</code>
+To run the Termux apps as root on your new fancy root shell, you will need to add **usr/bin** of the Termux installation on your **PATH** variable on the shell.
+<code bash>
+$ export PATH=$PATH:/data/data/com.termux/files/usr/bin
+</code>
+Enjoy!
+Sources:
+  * (Usable fancy shell on reverse shell) https://infosecwriteups.com/pimp-my-shell-5-ways-to-upgrade-a-netcat-shell-ecd551a180d2?gi=ec043af6e60c
+  * (Openssl PKI-based reverse shell and other useful stuff) https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#openssl

NoBIGTech Wiki Técnico

User Tools

Site Tools

Differences

Page Tools