==== Spawn a usable root shell on your Android, without su, using "ADB as Root" developer option and Termux with openssl ====
First, we need **Termux** installed and the "**Run ADB as Root**" developer option enabled under "Developer Options" on the Android device. Make sure your device actually offers that option; without it, this method of getting a root shell will not work.
This method wraps the root shell in a TLS connection (openssl with a pre-shared key), and it avoids the tool-compatibility problems you run into when, for example, spawning reverse shells with netcat, since different netcat builds support different options.
\\
Install the Termux dependencies:
<code bash>
pkg update
pkg install openssl
pkg install openssl-tool
pkg install python3
</code>
Generate a random key for your openssl reverse shell setup:
<code bash>
openssl rand -hex 48
# we will use "9c951d7c50b2480d19f0e538ca8da1efd8639d87846cf054478fa8bf472c9b9f3c62d6ee69e2aa6b5afdefb771ba041e" as an example, but it is recommended to generate your own key
</code>
Save these two scripts in your Termux home (**~**) as **shserver** and **shclient** and make them executable (chmod +x):
<code bash shserver>
#!/data/data/com.termux/files/usr/bin/bash
# Listener side, run as the normal Termux user. "*" binds every interface;
# since shclient connects to 127.0.0.1, LHOST="127.0.0.1" would restrict the
# listener to local clients only.
export LHOST="*"
export LPORT="4242"
export PSK="9c951d7c50b2480d19f0e538ca8da1efd8639d87846cf054478fa8bf472c9b9f3c62d6ee69e2aa6b5afdefb771ba041e"
openssl s_server -quiet -tls1_2 -cipher PSK-CHACHA20-POLY1305:PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA384:PSK-AES128-GCM-SHA256:PSK-AES128-CBC-SHA256 -psk "$PSK" -nocert -accept "$LHOST:$LPORT"
</code>
<code bash shclient>
#!/data/data/com.termux/files/usr/bin/bash
# Client side, launched as root from the adb shell; connects back to shserver over TLS-PSK
mkdir -p /data/cache/tmp
rm /data/cache/tmp/* >/dev/null 2>&1
export RHOST="127.0.0.1"
export RPORT="4242"
export PSK="9c951d7c50b2480d19f0e538ca8da1efd8639d87846cf054478fa8bf472c9b9f3c62d6ee69e2aa6b5afdefb771ba041e"
# named pipe with a random name; the TLS client writes into it and the shell reads its stdin from it
export PIPE="/data/cache/tmp/$(/data/data/com.termux/files/usr/bin/openssl rand -hex 4)"
mkfifo "$PIPE"; /bin/sh -i < "$PIPE" 2>&1 | \
/data/data/com.termux/files/usr/bin/openssl s_client -quiet -tls1_2 -psk "$PSK" -connect "$RHOST:$RPORT" > "$PIPE"; rm "$PIPE"
</code>
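The two scripts have to agree on the key and the port, and the key is the only thing keeping other clients that can reach the port out of the listener. The following preflight check is an added example, not part of the original page or of Termux: it reads the `export` lines out of **shserver** and **shclient** without executing them, verifies that the PSK is the 48 random bytes (96 hex digits) that `openssl rand -hex 48` produces and is identical in both scripts, that the ports match and are bindable by a non-root user, and warns when LHOST is not loopback. The script names, the `$HOME` defaults and the minimum port of 1024 are assumptions.

```shell
#!/data/data/com.termux/files/usr/bin/bash
# Added example (not from the original page): preflight checks for the
# shserver / shclient pair. Assumes both scripts keep their settings in
# `export NAME="value"` lines, as shown above.

# A valid PSK is exactly 96 hex digits (48 bytes from `openssl rand -hex 48`).
# A shorter or non-hex value weakens the only authentication the listener has.
check_psk() {
  case "$1" in
    ""|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 96 ]
}

# Port must be numeric and in the unprivileged range (assumed 1024-65535),
# because the Termux side runs as a normal user and has to bind it.
check_port() {
  case "$1" in
    ""|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# shclient connects to 127.0.0.1, so only a loopback bind is needed;
# anything else exposes the listener on the network for no benefit.
check_bind_addr() {
  [ "$1" = "127.0.0.1" ] || [ "$1" = "localhost" ]
}

# read_var FILE NAME: print the value of `export NAME="value"` from FILE
# without sourcing the file (so a typo in the script cannot run anything here).
read_var() {
  grep "^export $2=" "$1" | head -n 1 | cut -d= -f2- | tr -d '"'
}

# preflight SERVER_SCRIPT CLIENT_SCRIPT: exit status 0 when the pair is consistent.
preflight() {
  pf_status=0
  pf_spsk=$(read_var "$1" PSK)
  pf_cpsk=$(read_var "$2" PSK)
  pf_lport=$(read_var "$1" LPORT)
  pf_rport=$(read_var "$2" RPORT)
  check_psk "$pf_spsk" || { echo "shserver: PSK is not 96 hex digits"; pf_status=1; }
  [ "$pf_spsk" = "$pf_cpsk" ] || { echo "PSK differs between shserver and shclient"; pf_status=1; }
  check_port "$pf_lport" || { echo "shserver: LPORT is not an unprivileged port"; pf_status=1; }
  [ "$pf_lport" = "$pf_rport" ] || { echo "LPORT/RPORT mismatch: $pf_lport vs $pf_rport"; pf_status=1; }
  check_bind_addr "$(read_var "$1" LHOST)" || \
    echo "warning: shserver LHOST is not loopback; the listener is reachable from the network"
  return $pf_status
}

# Usage: ./preflight.sh ~/shserver ~/shclient
if [ "$#" -ge 2 ]; then
  preflight "$1" "$2"
fi
```

Run it before `./shserver`; a non-zero exit means the two scripts will not talk to each other (or the key is too weak), while the loopback warning is advisory.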
\\
Once you run **adb shell** against your Android from any other device connected to it over USB, make sure you are root (run **whoami**, **id** or similar). If not, you may need to run **adb root** first; sometimes enabling the "ADB as Root" developer option is enough.
As this is a reverse shell, we need to start the listening "server" side first, in the Termux terminal on the Android. Open Termux and run the **shserver** script:
<code>
~ $ ./shserver
# (nothing will show up at first, until we run the next steps)
</code>
Now do the following on your **host device** (the one running adb against the Android system):
<code>
$ adb shell
devname:/ # cd /data/data/com.termux/files/home
devname:/data/data/com.termux/files/home # setsid -d ./shclient
# (now you can exit the adb shell. If "exit" hangs, press ctrl+c a few times or just disconnect the USB cable)
</code>
Return to the Termux terminal on the Android and run the following to get a neat, usable shell (ctrl+c captured, tab completion, bash, etc.):
<code>
# (something like this should show up in your Termux terminal after the previous adb shell commands)
devname:/data/data/com.termux/files/home #
# Run the following commands:
devname:/data/data/com.termux/files/home # ../usr/bin/python3 -c 'import pty;pty.spawn("../usr/bin/bash")'
.../files/home #
# now ctrl+z the terminal (stop the job)
~ $ stty raw -echo
~ $ fg
# now the terminal seems unusable, but press "Enter" twice and you will have your complete, feature-rich shell!
.../files/home # whoami
root
</code>
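The ctrl+z / `stty raw -echo` / fg sequence above puts the local Termux terminal into raw mode, so keystrokes (including ctrl+c and tab) reach the remote bash untouched instead of being interpreted locally. The script below is an added example, not part of the original page: it shows flag by flag what `stty raw -echo` changes, runs **shserver** under a local pseudo-terminal so the manual sequence is not needed, and always restores the terminal settings, which the manual sequence does not do if the remote shell dies while the terminal is raw (you would otherwise be typing blind until `reset`). The remote side still runs the `pty.spawn("../usr/bin/bash")` step. The script name, the `./shserver` default and the constructed sample termios values are assumptions.

```python
#!/data/data/com.termux/files/usr/bin/python3
"""Added example (not from the original page): run the TLS listener under a
local pty with the Termux terminal in raw mode, restoring it on every exit path.
Assumes the listener is ./shserver from this page."""
import os
import pty
import sys
import termios

# Indices into the list returned by termios.tcgetattr()
IFLAG, OFLAG, CFLAG, LFLAG, ISPEED, OSPEED, CC = range(7)


def sample_attrs():
    """Constructed 'cooked' attribute list with typical Linux defaults; used to
    demonstrate raw_attrs() without a real terminal (assumed values)."""
    cc = [0] * 32
    cc[termios.VMIN] = 1
    cc[termios.VTIME] = 0
    return [
        termios.ICRNL | termios.IXON,                                   # CR->NL, XON/XOFF
        termios.OPOST | termios.ONLCR,                                  # NL->CRNL on output
        termios.CS8 | termios.CREAD,                                    # 8-bit characters
        termios.ECHO | termios.ICANON | termios.ISIG | termios.IEXTEN,  # echo, line editing, ^C
        termios.B38400, termios.B38400, cc,
    ]


def raw_attrs(attrs):
    """Return a copy of `attrs` in the state `stty raw -echo` leaves a terminal.

    ECHO off: the remote pty echoes, so the local one must not (or you see
    every character twice).  ICANON off: no local line buffering, so tab and
    arrow keys are delivered immediately to the remote bash.  ISIG off: ctrl+c
    is no longer turned into SIGINT for the local openssl process but sent as a
    byte, so it interrupts the remote job instead of killing the listener.
    OPOST off and IXON/ICRNL off: no local translation of output or input bytes.
    """
    a = list(attrs)
    a[CC] = list(attrs[CC])
    a[IFLAG] &= ~(termios.BRKINT | termios.ICRNL | termios.INPCK
                  | termios.ISTRIP | termios.IXON)
    a[OFLAG] &= ~termios.OPOST
    a[CFLAG] = (a[CFLAG] & ~(termios.CSIZE | termios.PARENB)) | termios.CS8
    a[LFLAG] &= ~(termios.ECHO | termios.ICANON | termios.IEXTEN | termios.ISIG)
    a[CC][termios.VMIN] = 1   # read() returns as soon as one byte arrives
    a[CC][termios.VTIME] = 0
    return a


def is_raw(attrs):
    """True when echo, canonical mode, local signals and output processing are all off."""
    local_off = not (attrs[LFLAG] & (termios.ECHO | termios.ICANON | termios.ISIG))
    return local_off and not (attrs[OFLAG] & termios.OPOST)


def run_listener(argv):
    """Run argv (the listener) under a pty with the controlling terminal in raw
    mode.  Returns the child's os.waitpid() status; the saved terminal settings
    are restored whether the child exits cleanly, is killed, or raises."""
    fd = sys.stdin.fileno()
    if not os.isatty(fd):
        raise RuntimeError("run from an interactive terminal")
    saved = termios.tcgetattr(fd)
    try:
        termios.tcsetattr(fd, termios.TCSADRAIN, raw_attrs(saved))
        return pty.spawn(argv)
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, saved)


if __name__ == "__main__":
    # Usage: ./rawlisten.py [command...]   (defaults to ./shserver)
    if not os.isatty(sys.stdin.fileno()):
        sys.exit("run from an interactive terminal")
    status = run_listener(sys.argv[1:] or ["./shserver"])
    sys.exit(os.waitstatus_to_exitcode(status))
```

With this wrapper in place of `./shserver`, the only remote step left is the `pty.spawn` one-liner; the two "Enter" presses are still needed once to get a prompt out of the remote pty.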
To run Termux programs as root in your new shell, add the **usr/bin** directory of the Termux installation to the shell's **PATH** variable:
<code bash>
$ export PATH=$PATH:/data/data/com.termux/files/usr/bin
</code>
Enjoy!
Sources:
* (Usable fancy shell on reverse shell) https://infosecwriteups.com/pimp-my-shell-5-ways-to-upgrade-a-netcat-shell-ecd551a180d2?gi=ec043af6e60c
* (Openssl PKI-based reverse shell and other useful stuff) https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#openssl