Initial setup (paths assume an Android target; adjust them for other systems)
cat << 'EOF' > /data/local/tmp/shell1.sh
# seed the input file so the first command the shell runs confirms it is alive
echo echo START >> /data/local/tmp/shell/infile
# follow the input file and feed each new line to an interactive shell,
# sending both its stdout and stderr to the output file
tail -n 1 -f /data/local/tmp/shell/infile | sh -i >> /data/local/tmp/shell/outfile 2>&1
EOF
chmod +x /data/local/tmp/shell1.sh
mkdir -p /data/local/tmp/shell
touch /data/local/tmp/shell/infile /data/local/tmp/shell/outfile
Now, with your privesc, run:
sh /data/local/tmp/shell1.sh
Then, in another window, establish some kind of shell and run:
cd /data/local/tmp/shell
tail -f -n 1 outfile & cat >> infile
- You can wrap this in https://github.com/hanslub42/rlwrap to get a fully functional shell experience (line editing and history). Something like:
rlwrap -pcyan -H privescshell.log adb shell 'tail -f -n 1 /data/local/tmp/shell/outfile & cat >> /data/local/tmp/shell/infile'
If you end up with a duplicate shell by mistake, run the following:
mkdir /data/local/tmp/dedup$(date +%Y%m%d_%H%M%S) 2>/dev/null || exit
Every copy tries to create a directory with the same timestamp in its name, so only the first mkdir succeeds and all but one should exit (this relies on the copies receiving the command within the same second).
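As an added example (not part of the original notes), here is a defender-side heuristic for spotting this construction on a Linux or Android host: it flags an interactive shell whose stdin is a pipe and whose stdout is a regular file, which is exactly how `tail -f infile | sh -i >> outfile` looks from /proc. The `classify_proc` and `scan_live` names are mine, and the script assumes the standard Linux /proc layout.

```shell
#!/bin/sh
# Heuristic detector (added example) for the file-fed interactive shell above:
# an interactive shell (sh -i / bash -i) whose stdin is a pipe, fed by the
# `tail -f infile`, and whose stdout is a regular file (the outfile) instead of
# a terminal. Assumes the standard Linux /proc layout (also present on Android).

# classify_proc CMDLINE FD0 FD1 -> prints "suspect" or "ok"
#   CMDLINE: the process command line, arguments separated by spaces
#   FD0/FD1: readlink targets of /proc/<pid>/fd/0 and /proc/<pid>/fd/1
classify_proc() {
    cmdline=$1; fd0=$2; fd1=$3
    # only interactive shells are of interest
    case "$cmdline" in
        sh\ -i*|*/sh\ -i*|bash\ -i*|*/bash\ -i*) ;;
        *) echo ok; return 0 ;;
    esac
    # stdin must be a pipe (an interactive shell normally reads a tty)
    case "$fd0" in
        pipe:*) ;;
        *) echo ok; return 0 ;;
    esac
    # stdout must be a plain file path: not a tty, pipe, socket or unknown
    case "$fd1" in
        ""|/dev/*|pipe:*|socket:*|anon_inode:*) echo ok; return 0 ;;
    esac
    echo suspect
}

# scan_live walks /proc and prints "PID CMDLINE -> STDOUT" for each suspect.
scan_live() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -r "$d/cmdline" ] || continue
        cmdline=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
        fd0=$(readlink "$d/fd/0" 2>/dev/null)
        fd1=$(readlink "$d/fd/1" 2>/dev/null)
        if [ "$(classify_proc "$cmdline" "$fd0" "$fd1")" = suspect ]; then
            echo "$pid $cmdline-> $fd1"
        fi
    done
}

# Run the live scan only when asked, so the functions can also be sourced.
if [ "${1:-}" = --scan ]; then
    scan_live
fi
```

Run it as `sh detect.sh --scan` on the device; a hit on a `sh -i` writing to a file under /data/local/tmp is worth a closer look.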