==== Spawn a usable root shell on your Android, without su, using "ADB as Root" developer option and Termux with openssl ====

First, you need to have **Termux** installed and the "**Run ADB as Root**" developer option enabled in your Android "Developer Options". Make sure you have that option, otherwise you won't be able to use this method of running a root shell.

This method creates a secure connection (using TLS/SSL) to your root shell and does not have compatibility problems with the tool used (**openssl**), as happens, for example, when using netcat for reverse shell spawning.

\\

Install Termux dependencies

<code bash>
pkg update
pkg install openssl
pkg install openssl-tool
pkg install python3
</code>

Generate a random key for your openssl reverse shell setup

<code bash>
openssl rand -hex 48
# we will use "9c951d7c50b2480d19f0e538ca8da1efd8639d87846cf054478fa8bf472c9b9f3c62d6ee69e2aa6b5afdefb771ba041e" as an example but it is recommended to use your own key
</code>

Save these scripts in your Termux home (**~**) and give them execution permissions (chmod +x)

**shserver**

<code bash>
#!/data/data/com.termux/files/usr/bin/bash
# "*" listens on every interface; the client below only connects to 127.0.0.1
export LHOST="*"
export LPORT="4242"
export PSK="9c951d7c50b2480d19f0e538ca8da1efd8639d87846cf054478fa8bf472c9b9f3c62d6ee69e2aa6b5afdefb771ba041e"
# TLS 1.2 listener authenticated by the pre-shared key only (no certificate)
openssl s_server -quiet -tls1_2 -cipher PSK-CHACHA20-POLY1305:PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA384:PSK-AES128-GCM-SHA256:PSK-AES128-CBC-SHA256 -psk "$PSK" -nocert -accept "$LHOST:$LPORT"
</code>

**shclient**

<code bash>
#!/data/data/com.termux/files/usr/bin/bash
mkdir -p /data/cache/tmp
rm /data/cache/tmp/* >/dev/null 2>&1
export RHOST="127.0.0.1"
export RPORT="4242"
export PSK="9c951d7c50b2480d19f0e538ca8da1efd8639d87846cf054478fa8bf472c9b9f3c62d6ee69e2aa6b5afdefb771ba041e"
# Randomly named FIFO that carries the TLS client's output into the shell's stdin
export PIPE="/data/cache/tmp/$(/data/data/com.termux/files/usr/bin/openssl rand -hex 4)"
mkfifo "$PIPE"; /bin/sh -i < "$PIPE" 2>&1 | \
/data/data/com.termux/files/usr/bin/openssl s_client -quiet -tls1_2 -psk "$PSK" -connect "$RHOST:$RPORT" > "$PIPE"; rm "$PIPE"
</code>

\\

Once you run **adb shell** on your Android, from any other device connected to it by USB, make sure you are root (run **whoami**, **id** or similar); otherwise you might need to run **adb root** first, but sometimes you only need to enable the "ADB as Root" option in developer options.

As it is a reverse shell, we need to bind the "server" first, on our Termux Android terminal. Open Termux and run the "shserver" script:

<code>
~ $ ./shserver
# (nothing will show up at first, until we run the next steps)
</code>

Now, do as follows on your **host device** (the one running adb to the Android system)

<code>
$ adb shell
devname:/ # cd /data/data/com.termux/files/home
devname:/data/data/com.termux/files/home # setsid -d ./shclient
# (now you can exit the adb shell. If "exit" hangs, just press ctrl+c a few times or just disconnect the USB cable)
</code>

Return again to the Termux Android terminal and run the following commands to get a neat and usable shell (capture ctrl+c, enable tab completion, use bash... etc)

<code>
# (something like this should show up in your Termux terminal after previous adb shell commands)
devname:/data/data/com.termux/files/home #
# Run the following commands:
devname:/data/data/com.termux/files/home # ../usr/bin/python3 -c 'import pty;pty.spawn("../usr/bin/bash")'
.../files/home #
# now ctrl+z the terminal (stop the job)
~ $ stty raw -echo
~ $ fg
# now terminal seems unusable, but press "Enter" 2 times and you will have your complete feature-rich shell!
.../files/home # whoami
root
</code>

To run the Termux apps as root in your new fancy root shell, you will need to add **usr/bin** of the Termux installation to the **PATH** variable of the shell.

<code>
$ export PATH=$PATH:/data/data/com.termux/files/usr/bin
</code>

Enjoy!

Sources:

  * (Usable fancy shell on reverse shell) https://infosecwriteups.com/pimp-my-shell-5-ways-to-upgrade-a-netcat-shell-ecd551a180d2?gi=ec043af6e60c
  * (Openssl PKI-based reverse shell and other useful stuff) https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#openssl
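
A pre-flight check for the shserver and shclient scripts above, as an added example that is not part of the original page: it flags a PSK that is still the key printed here, a non-hex or mismatched PSK, script files readable by other users, and a wildcard listener when the client only dials loopback. The file name audit.sh, the function names and the finding labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): audit the shserver and
# shclient scripts before running them. All names here are hypothetical.
# PAGE_PSK is the sample key printed on the page, so it is public.
PAGE_PSK="9c951d7c50b2480d19f0e538ca8da1efd8639d87846cf054478fa8bf472c9b9f3c62d6ee69e2aa6b5afdefb771ba041e"

# script_var NAME FILE: print the value of the first `export NAME="value"` line.
script_var() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$2" | head -n 1
}

# audit_scripts SERVER CLIENT: print one finding per line and return the
# number of findings (0 means nothing was flagged).
audit_scripts() {
    n=0
    for f in "$1" "$2"; do
        case "$(script_var PSK "$f")" in
            "$PAGE_PSK") echo "published-psk: $f still uses the key printed on the page"; n=$((n + 1)) ;;
            '' | *[!0-9a-fA-F]*) echo "invalid-psk: $f needs a non-empty hex PSK"; n=$((n + 1)) ;;
        esac
        # Characters 5-10 of `ls -ld` are the group and other permission bits.
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "open-perms: $f holds the PSK, chmod 700 it"; n=$((n + 1))
        fi
    done
    if [ "$(script_var PSK "$1")" != "$(script_var PSK "$2")" ]; then
        echo "psk-mismatch: the TLS-PSK handshake will fail"; n=$((n + 1))
    fi
    # The client dials loopback, so a wildcard listener only adds exposure.
    case "$(script_var RHOST "$2")" in
        127.* | localhost)
            case "$(script_var LHOST "$1")" in
                '*' | 0.0.0.0 | '::') echo "wildcard-bind: set LHOST to 127.0.0.1"; n=$((n + 1)) ;;
            esac ;;
    esac
    return "$n"
}

# Stand-alone use: sh audit.sh ~/shserver ~/shclient
if [ "$#" -eq 2 ]; then audit_scripts "$1" "$2"; fi
```

Run against the scripts exactly as printed on this page with mode 755, it reports five findings; the exit status is the finding count.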