docu:tutos:android:adb_root_reverse_shell_openssl

Differences

This shows you the differences between two versions of the page.

docu:tutos:android:adb_root_reverse_shell_openssl [2024/01/06 20:33]
admin
docu:tutos:android:adb_root_reverse_shell_openssl [2024/01/06 21:17] (current)
admin
Line 1: Line 1:
 ==== Spawn a usable root shell on your Android, without su, using "ADB as Root" developer option and Termux with openssl ==== ==== Spawn a usable root shell on your Android, without su, using "ADB as Root" developer option and Termux with openssl ====
  
-First, we need to have Termux installed and the "Run ADB as Root" developer option enabled.+First, we need to have **Termux** installed and the "**Run ADB as Root"** developer option enabled on your Android "Developer Options". Make sure you have that option, otherwise you won't be able to use this method of root shell running. 
 + 
 +This method creates a secure connection (using TLS/SSL) to your root shell and does not have compatibility problems on the tool used (**openssl**) as it happens, for example, when using netcat for reverse shell spawning.
 \\ \\
  
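Review bot: the added second paragraph calls the connection secure, but with `-nocert` a TLS-PSK listener authenticates both ends through the shared key alone, so the paragraph should say how that key is to be handled: replace the value in the scripts with a freshly generated one per device (the `openssl rand -hex` call the scripts already use is enough) and treat it as a root credential, because whoever holds it and gets a listener on the configured host:port first receives the root shell. Minor wording in the same paragraph: "on the tool used" reads better as "with the tool used", and "this method of root shell running" as "this method of running a root shell".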
Line 8: Line 10:
 pkg update pkg update
 pkg install openssl pkg install openssl
 +pkg install openssl-tool
 +pkg install python3
 </code> </code>
  
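Review bot: the three `pkg install` lines can be a single `pkg install openssl openssl-tool python3`, and the package names deserve a check: in Termux the `openssl` package is the library and `openssl-tool` is what provides the `openssl` command, which the scripts below rely on, while the Python 3 interpreter is packaged as `python`, so `pkg install python3` may fail; `pkg search python` confirms the right name before the reader gets to the `python3 -c 'import pty...'` step.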
Line 16: Line 20:
 </code> </code>
  
-Save this scripts in your Termux home+Save this scripts in your Termux home (**~**) and give them execution permissions (chmod +x)
 <file bash "shserver"> <file bash "shserver">
 export LHOST="*" export LHOST="*"
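Review bot: `export LHOST="*"` makes the listener accept connections on every interface of the phone, while the client script only ever connects to 127.0.0.1; set `LHOST="127.0.0.1"` so the PSK-protected listener is not reachable over Wi-Fi or mobile data. Grammar in the changed sentence: "Save these scripts in your Termux home (~) and give them execute permission (chmod +x shserver shclient)".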
Line 23: Line 27:
 openssl s_server -quiet -tls1_2 -cipher PSK-CHACHA20-POLY1305:PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA384:PSK-AES128-GCM-SHA256:PSK-AES128-CBC-SHA256 -psk $PSK -nocert -accept $LHOST:$LPORT openssl s_server -quiet -tls1_2 -cipher PSK-CHACHA20-POLY1305:PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA384:PSK-AES128-GCM-SHA256:PSK-AES128-CBC-SHA256 -psk $PSK -nocert -accept $LHOST:$LPORT
 </file> </file>
 +
 +<file bash "shclient">
 +#!/data/data/com.termux/files/usr/bin/bash
 +mkdir -p /data/cache/tmp
 +rm /data/cache/tmp/* >/dev/null 2>&1
 +export RHOST="127.0.0.1"
 +export RPORT="4242"
 +export PSK="9c951d7c50b2480d19f0e538ca8da1efd8639d87846cf054478fa8bf472c9b9f3c62d6ee69e2aa6b5afdefb771ba041e"
 +export PIPE="/data/cache/tmp/`/data/data/com.termux/files/usr/bin/openssl rand -hex 4`"
 +mkfifo $PIPE; /bin/sh -i < $PIPE 2>&1 | \
 +  /data/data/com.termux/files/usr/bin/openssl s_client -quiet -tls1_2 -psk $PSK -connect $RHOST:$RPORT > $PIPE; rm $PIPE
 +</file>
 +
 +\\
 +
 +Once you run **adb shell** on your Android, from any other device connected by usb to it, make sure you are root (run **whoami**, **id** or similar), otherwise you might need to run **adb root** first, but sometimes you only need to enable the "ADB as Root" option in developer options.
 +
 +As it is a reverse shell, we need to bind the "server" first, on our Termux Android terminal. Open Termux and run the "shserver" script:
 +<code>
 +~ $ ./shserver
 +
 +# (nothing will show up at first, until we run the next steps)
 +</code>
 +
 +Now, do as follows on your **host device** (the ones running adb to the Android system)
 +<code>
 +$ adb shell
 +devname:/ # cd /data/data/com.termux/files/home
 +devname:/data/data/com.termux/files/home # setsid -d ./shclient
 +# (now you can exit the adb shell. If "exit" hangs, just run ctrl+c a few times or just disconect the USB cable)
 +</code>
 +
 +Return again to the Termux Android terminal and run the following things to have a neat and usable shell (capture ctrl+c, enable tab completion, use bash... etc)
 +<code>
 +# (something like this should show up in your Termux terminal after previous adb shell commands)
 +devname:/data/data/com.termux/files/home #
 +
 +# Run the following commands:
 +devname:/data/data/com.termux/files/home # ../usr/bin/python3 -c 'import pty;pty.spawn("../usr/bin/bash")'
 +.../files/home #
 +# now ctrl+z the terminal (stop the job)
 +~ $ stty raw -echo
 +~ $ fg
 +# now terminal seems unusable, but press "Enter" 2 times and you will have your complete feature-rich shell!
 +.../files/home # whoami
 +root
 +</code>
 +
 +To run the Termux apps as root on your new fancy root shell, you will need to add **usr/bin** of the Termux installation on your **PATH** variable on the shell.
 +<code bash>
 +$ export PATH=$PATH:/data/data/com.termux/files/usr/bin
 +</code>
 +
 +Enjoy!
 +
 +Sources:
 +  * (Usable fancy shell on reverse shell) https://infosecwriteups.com/pimp-my-shell-5-ways-to-upgrade-a-netcat-shell-ecd551a180d2?gi=ec043af6e60c
 +  * (Openssl PKI-based reverse shell and other useful stuff) https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#openssl
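Review bot: `rm /data/cache/tmp/* >/dev/null 2>&1` in shclient runs as root and deletes everything already in /data/cache/tmp, not just this script's leftovers; since the FIFO name is random and the trailing `rm $PIPE` already cleans up when the session ends, the wildcard rm should be dropped or limited to stale FIFOs from earlier runs. The FIFO path should also be quoted (`mkfifo "$PIPE"`, `< "$PIPE"`, `> "$PIPE"`, `rm "$PIPE"`) and `$(...)` used instead of backticks, so an unexpected value cannot split into several arguments. In the usage text, "disconect" is "disconnect", and the final `export PATH=$PATH:/data/data/com.termux/files/usr/bin` appends Termux's usr/bin after the system directories, so a Termux binary that shares a name with a system one is not the one that runs; say whether that ordering is intended.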
docu/tutos/android/adb_root_reverse_shell_openssl.1704573238.txt.gz · Last modified: 2024/01/06 20:33 by admin