Differences

This shows you the differences between two versions of the page.

--- docu:tutos:android:adb_root_reverse_shell_openssl [2024/01/06 20:46]
admin
+++ docu:tutos:android:adb_root_reverse_shell_openssl [2024/01/06 21:17] (current)
admin
@@ Line 1: / Line 1: @@
 ==== Spawn a usable root shell on your Android, without su, using "ADB as Root" developer option and Termux with openssl ====
-First, we need to have Termux installed and the "Run ADB as Root" developer option enabled on your Android "Developer Options". Make sure you have that option, otherwise you won't be able to use this method of root shell executing.
+First, we need to have **Termux** installed and the "**Run ADB as Root"** developer option enabled on your Android "Developer Options". Make sure you have that option, otherwise you won't be able to use this method of root shell running.
+This method creates a secure connection (using TLS/SSL) to your root shell and does not have compatibility problems on the tool used (**openssl**) as it happens, for example, when using netcat for reverse shell spawning.
 \\
@@ Line 8: / Line 10: @@
 pkg update
 pkg install openssl
+pkg install openssl-tool
+pkg install python3
 </code>
@@ Line 16: / Line 20: @@
 </code>
-Save this scripts in your Termux home and give them execution permissions (chmod +x)
+Save this scripts in your Termux home (**~**) and give them execution permissions (chmod +x)
 <file bash "shserver">
 export LHOST="*"
@@ Line 38: / Line 42: @@
 \\
-Once you run **adb shell** on your Android, from any other device connected by usb to it, make sure you are root, otherwise you might need to run **adb root** first, but sometimes you only need to enable the "ADB as Root" option in developer options.
+Once you run **adb shell** on your Android, from any other device connected by usb to it, make sure you are root (run **whoami**, **id** or similar), otherwise you might need to run **adb root** first, but sometimes you only need to enable the "ADB as Root" option in developer options.
+As it is a reverse shell, we need to bind the "server" first, on our Termux Android terminal. Open Termux and run the "shserver" script:
+<code>
+~ $ ./shserver
+# (nothing will show up at first, until we run the next steps)
+</code>
+Now, do as follows on your **host device** (the ones running adb to the Android system)
+<code>
+$ adb shell
+devname:/ # cd /data/data/com.termux/files/home
+devname:/data/data/com.termux/files/home # setsid -d ./shclient
+# (now you can exit the adb shell. If "exit" hangs, just run ctrl+c a few times or just disconect the USB cable)
+</code>
+Return again to the Termux Android terminal and run the following things to have a neat and usable shell (capture ctrl+c, enable tab completion, use bash... etc)
+<code>
+# (something like this should show up in your Termux terminal after previous adb shell commands)
+devname:/data/data/com.termux/files/home #
+# Run the following commands:
+devname:/data/data/com.termux/files/home # ../usr/bin/python3 -c 'import pty;pty.spawn("../usr/bin/bash")'
+.../files/home #
+# now ctrl+z the terminal (stop the job)
+~ $ stty raw -echo
+~ $ fg
+# now terminal seems unusable, but press "Enter" 2 times and you will have your complete feature-rich shell!
+.../files/home # whoami
+root
+</code>
+To run the Termux apps as root on your new fancy root shell, you will need to add **usr/bin** of the Termux installation on your **PATH** variable on the shell.
+<code bash>
+$ export PATH=$PATH:/data/data/com.termux/files/usr/bin
+</code>
+Enjoy!
+Sources:
+  * (Usable fancy shell on reverse shell) https://infosecwriteups.com/pimp-my-shell-5-ways-to-upgrade-a-netcat-shell-ecd551a180d2?gi=ec043af6e60c
+  * (Openssl PKI-based reverse shell and other useful stuff) https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#openssl

NoBIGTech Wiki Técnico

User Tools

Site Tools

Differences

Page Tools