
Spawn a usable root shell on your Android, without su, using "ADB as Root" developer option and Termux with openssl

First, you need Termux installed and the “Run ADB as Root” option enabled under Android “Developer Options”. Make sure your device offers that option; otherwise you won't be able to use this method of getting a root shell.

This method wraps the connection to your root shell in TLS and, because the tool used is openssl, avoids the compatibility problems that show up, for example, when netcat is used to spawn a reverse shell.

Install Termux dependencies

pkg update
pkg install openssl
pkg install openssl-tool
pkg install python3

Generate a random key for your openssl reverse shell setup

openssl rand -hex 48
# we will use "9c951d7c50b2480d19f0e538ca8da1efd8639d87846cf054478fa8bf472c9b9f3c62d6ee69e2aa6b5afdefb771ba041e" as an example but it is recommended to use your own key

Save these scripts in your Termux home (~) and give them execute permission (chmod +x)

"shserver"
#!/data/data/com.termux/files/usr/bin/bash
# Listener side, run inside Termux: TLS 1.2 with pre-shared key only, so no certificate is needed
export LHOST="*"
export LPORT="4242"
export PSK="9c951d7c50b2480d19f0e538ca8da1efd8639d87846cf054478fa8bf472c9b9f3c62d6ee69e2aa6b5afdefb771ba041e"
openssl s_server -quiet -tls1_2 -cipher PSK-CHACHA20-POLY1305:PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA384:PSK-AES128-GCM-SHA256:PSK-AES128-CBC-SHA256 -psk $PSK -nocert -accept $LHOST:$LPORT

"shclient"
#!/data/data/com.termux/files/usr/bin/bash
# Connecting side, launched from the adb root shell: /bin/sh reads from a FIFO and its output goes to openssl s_client,
# whose output is written back into the FIFO, so the shell's stdin/stdout travel over the TLS connection
mkdir -p /data/cache/tmp
rm /data/cache/tmp/* >/dev/null 2>&1
export RHOST="127.0.0.1"
export RPORT="4242"
export PSK="9c951d7c50b2480d19f0e538ca8da1efd8639d87846cf054478fa8bf472c9b9f3c62d6ee69e2aa6b5afdefb771ba041e"
export PIPE="/data/cache/tmp/`/data/data/com.termux/files/usr/bin/openssl rand -hex 4`"
mkfifo $PIPE; /bin/sh -i < $PIPE 2>&1 | \
  /data/data/com.termux/files/usr/bin/openssl s_client -quiet -tls1_2 -psk $PSK -connect $RHOST:$RPORT > $PIPE; rm $PIPE


Once you run adb shell against your Android from another device connected to it by USB, make sure you are root (run whoami, id or similar). Otherwise you might need to run adb root first; sometimes enabling the “ADB as Root” option in Developer Options is enough.

As it is a reverse shell, we need to bind the “server” first, on our Termux Android terminal. Open Termux and run the “shserver” script:

~ $ ./shserver

# (nothing will show up at first, until we run the next steps)

Now, do as follows on your host device (the one running adb against the Android system):

$ adb shell
devname:/ # cd /data/data/com.termux/files/home
devname:/data/data/com.termux/files/home # setsid -d ./shclient
# (now you can exit the adb shell. If "exit" hangs, just press ctrl+c a few times or disconnect the USB cable)

Return to the Termux terminal on the Android and run the following to get a neat, usable shell (ctrl+c is caught, tab completion works, you get bash, etc.)

# (something like this should show up in your Termux terminal after previous adb shell commands)
devname:/data/data/com.termux/files/home #

# Run the following commands:
devname:/data/data/com.termux/files/home # ../usr/bin/python3 -c 'import pty;pty.spawn("../usr/bin/bash")'
.../files/home #
# now ctrl+z the terminal (stop the job)
~ $ stty raw -echo
~ $ fg
# now terminal seems unusable, but press "Enter" 2 times and you will have your complete feature-rich shell!
.../files/home # whoami
root

To run the Termux tools as root in your new root shell, add the usr/bin directory of the Termux installation to the PATH variable of that shell.

$ export PATH=$PATH:/data/data/com.termux/files/usr/bin
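An added consistency check for the shserver/shclient pair (example code written for this page, not part of the original tutorial): it parses the export lines of both scripts and flags a PSK mismatch, a PSK that is not hex or is shorter than 32 bytes, a port mismatch, and the case where the server binds every interface although the client only ever connects over loopback. The sample scripts embedded below are constructed with a placeholder key.

```python
import re

MIN_PSK_BYTES = 32  # "openssl rand -hex 48" gives 48 bytes; accept nothing shorter than 32

def parse_exports(script: str) -> dict:
    """Collect VAR -> value from lines of the form: export VAR="value"."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^\s*export\s+(\w+)="([^"]*)"', script, re.M)}

def check_pair(server_script: str, client_script: str) -> list:
    """Return findings for a shserver/shclient pair; an empty list means they are consistent."""
    s, c = parse_exports(server_script), parse_exports(client_script)
    findings = []
    psk = s.get("PSK", "")
    if psk != c.get("PSK"):
        findings.append("PSK differs between shserver and shclient")
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", psk):
        findings.append("server PSK is not an even-length hex string")
    elif len(psk) // 2 < MIN_PSK_BYTES:
        findings.append(f"PSK is only {len(psk) // 2} bytes; use at least {MIN_PSK_BYTES}")
    if s.get("LPORT") != c.get("RPORT"):
        findings.append("LPORT in shserver and RPORT in shclient do not match")
    # The client dials loopback, so a wildcard listener only widens who can try the PSK.
    if s.get("LHOST") in ("*", "0.0.0.0", "::") and c.get("RHOST") in ("127.0.0.1", "localhost", "::1"):
        findings.append('server listens on all interfaces but the client uses loopback; set LHOST="127.0.0.1"')
    return findings

# Constructed sample scripts with a placeholder key (not a real secret).
PSK_DEMO = "ab" * 48
SHSERVER_WILDCARD = f'export LHOST="*"\nexport LPORT="4242"\nexport PSK="{PSK_DEMO}"\n'
SHSERVER_LOOPBACK = SHSERVER_WILDCARD.replace('LHOST="*"', 'LHOST="127.0.0.1"')
SHCLIENT = f'export RHOST="127.0.0.1"\nexport RPORT="4242"\nexport PSK="{PSK_DEMO}"\n'
SHCLIENT_BAD_PSK = SHCLIENT.replace(PSK_DEMO, "ab" * 8)

if __name__ == "__main__":
    for name, srv, cli in [("wildcard", SHSERVER_WILDCARD, SHCLIENT),
                           ("loopback", SHSERVER_LOOPBACK, SHCLIENT),
                           ("bad psk", SHSERVER_LOOPBACK, SHCLIENT_BAD_PSK)]:
        print(name, check_pair(srv, cli) or "OK")
```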

Enjoy!

Sources:

docu/tutos/android/adb_root_reverse_shell_openssl.txt · Last modified: 2024/01/06 21:17 by admin