docu:tutos:android:adb_root_reverse_shell_openssl

Differences

This shows you the differences between two versions of the page.

docu:tutos:android:adb_root_reverse_shell_openssl [2024/01/06 21:01]
admin
docu:tutos:android:adb_root_reverse_shell_openssl [2024/01/06 21:17] (current)
admin
Line 1: Line 1:
 ==== Spawn a usable root shell on your Android, without su, using "ADB as Root" developer option and Termux with openssl ==== ==== Spawn a usable root shell on your Android, without su, using "ADB as Root" developer option and Termux with openssl ====
  
-First, we need to have Termux installed and the "Run ADB as Root" developer option enabled on your Android "Developer Options". Make sure you have that option, otherwise you won't be able to use this method of root shell executing.+First, we need to have **Termux** installed and the "**Run ADB as Root"** developer option enabled on your Android "Developer Options". Make sure you have that option, otherwise you won't be able to use this method of root shell running. 
 + 
 +This method creates a secure connection (using TLS/SSL) to your root shell and does not have compatibility problems on the tool used (**openssl**) as it happens, for example, when using netcat for reverse shell spawning.
 \\ \\
  
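Review bot: the bold markup around the option name in the rewritten first paragraph is unbalanced. '"**Run ADB as Root"**' opens after the opening quote and closes after the closing one, so it should be '"**Run ADB as Root**"'. The new second paragraph calls the connection secure because it uses TLS/SSL, but it does not say whether the client verifies the server certificate; add that, because encryption alone does not establish who is on the other end of a root shell. "compatibility problems on the tool used" would read better as "with the tool used".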
Line 18: Line 20:
 </code> </code>
  
-Save this scripts in your Termux home and give them execution permissions (chmod +x)+Save this scripts in your Termux home (**~**) and give them execution permissions (chmod +x)
 <file bash "shserver"> <file bash "shserver">
 export LHOST="*" export LHOST="*"
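Review bot: the changed sentence still reads "Save this scripts" (should be "these scripts") and leaves 'chmod +x' as a parenthetical without file names; spell it out as 'chmod +x shserver shclient', using the script names the page already gives. The context line 'export LHOST="*"' also deserves a sentence here: if that value is the listen address, the tutorial should say when a narrower value such as the loopback address is enough, since the peer of this listener is a root shell.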
Line 40: Line 42:
 \\ \\
  
-Once you run **adb shell** on your Android, from any other device connected by usb to it, make sure you are root, otherwise you might need to run **adb root** first, but sometimes you only need to enable the "ADB as Root" option in developer options.+Once you run **adb shell** on your Android, from any other device connected by usb to it, make sure you are root (run **whoami**, **id** or similar), otherwise you might need to run **adb root** first, but sometimes you only need to enable the "ADB as Root" option in developer options.
  
-As it is a reverse shell, we need first to bind the "server" on our Termux Android terminal. Open Termux and run the "shserver" script:+As it is a reverse shell, we need to bind the "server" first, on our Termux Android terminal. Open Termux and run the "shserver" script:
 <code> <code>
 ~ $ ./shserver ~ $ ./shserver
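Review bot: the first changed sentence now packs the root check, the 'adb root' fallback and the developer-option remark into one run-on, and it does not say where 'adb root' is typed. Split it into steps: run 'id' inside 'adb shell', and if the uid is not 0, leave the shell, run 'adb root' on the connected device, then open 'adb shell' again. "usb" should be "USB".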
Line 54: Line 56:
 devname:/ # cd /data/data/com.termux/files/home devname:/ # cd /data/data/com.termux/files/home
 devname:/data/data/com.termux/files/home # setsid -d ./shclient devname:/data/data/com.termux/files/home # setsid -d ./shclient
-# (now you can exit the adb shell)+# (now you can exit the adb shell. If "exit" hangs, just run ctrl+c a few times or just disconect the USB cable)
 </code> </code>
  
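Review bot: the extended comment on the last line of the code block explains how to leave the adb shell but not how to stop what was started. 'setsid -d ./shclient' is launched from a root prompt and is meant to outlive the adb session, so the page should add a line on ending that process once the shell is no longer needed. In the same comment, "disconect" is a typo for "disconnect" and "run ctrl+c" should be "press ctrl+c".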
Line 64: Line 66:
 # Run the following commands: # Run the following commands:
 devname:/data/data/com.termux/files/home # ../usr/bin/python3 -c 'import pty;pty.spawn("../usr/bin/bash")' devname:/data/data/com.termux/files/home # ../usr/bin/python3 -c 'import pty;pty.spawn("../usr/bin/bash")'
-../files/home #+.../files/home #
 # now ctrl+z the terminal (stop the job) # now ctrl+z the terminal (stop the job)
 ~ $ stty raw -echo ~ $ stty raw -echo
 ~ $ fg ~ $ fg
 # now terminal seems unusable, but press "Enter" 2 times and you will have your complete feature-rich shell! # now terminal seems unusable, but press "Enter" 2 times and you will have your complete feature-rich shell!
 +.../files/home # whoami
 +root
 </code> </code>
 +
 +To run the Termux apps as root on your new fancy root shell, you will need to add **usr/bin** of the Termux installation on your **PATH** variable on the shell.
 +<code bash>
 +$ export PATH=$PATH:/data/data/com.termux/files/usr/bin
 +</code>
 +
 +Enjoy!
 +
 +Sources:
 +  * (Usable fancy shell on reverse shell) https://infosecwriteups.com/pimp-my-shell-5-ways-to-upgrade-a-netcat-shell-ecd551a180d2?gi=ec043af6e60c
 +  * (Openssl PKI-based reverse shell and other useful stuff) https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#openssl
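Review bot: the added 'export PATH=$PATH:/data/data/com.termux/files/usr/bin' block shows a '$' prompt, while every other prompt in this session, including the 'whoami' lines added just above it, is the root '#'; use the same prompt so it is clear the export is typed in the root shell. The accompanying sentence should also say that this directory sits inside the Termux app's data path, so root will be resolving command names from it, and that appending it after the existing PATH (as written) keeps the system binaries first. In the Sources list, the first URL carries a '?gi=ec043af6e60c' query string that can be dropped.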
docu/tutos/android/adb_root_reverse_shell_openssl.1704574904.txt.gz · Last modified: 2024/01/06 21:01 by admin