
shell

shell allows you to start a shell and interact with it.

It is not OPSEC-safe.

[Session 9: haroun@DESKTOP-DU89UIV] » shell --help
start and interact with shell (not opsec)
Usage:
shell [flags]
Flags:
-h, --help display help
Sub Commands:
interact interact with interactive shell
list list all interactive shell
start start interactive shell

It requires you to first load the shell shared object (SO) with load-module shell.

You can start a shell with

[Session 9: haroun@DESKTOP-DU89UIV] » shell start

You can list shells with

[Session 9: haroun@DESKTOP-DU89UIV] » shell list

You will receive the list of PIDs of the started shells:

[Session 9: haroun@DESKTOP-DU89UIV] » shell list
+--------+-----------+---------+------------+
| TASKID | SESSIONID | STATE   | COMMAND    |
+--------+-----------+---------+------------+
| 73     | 9         | pending | shell list |
+--------+-----------+---------+------------+
[Session 9: haroun@DESKTOP-DU89UIV] »
Started Shells
--------------
1540

You can interact with a specific shell with

[Session 9: haroun@DESKTOP-DU89UIV] » shell interact 6596

The result will be something like

[Session 15: haroun@DESKTOP-DU89UIV] » shell interact 1540
+--------+-----------+---------+---------------------------+
| TASKID | SESSIONID | STATE   | COMMAND                   |
+--------+-----------+---------+---------------------------+
| 157    | 15        | pending | shell interact-start 1540 |
+--------+-----------+---------+---------------------------+
< Will Interact with Shell >
haroun@DESKTOP-DU89UIV:/mnt/c/Users/haroun$ whoami
whoami
haroun
haroun@DESKTOP-DU89UIV:/mnt/c/Users/haroun$ sudo -l
sudo -l
[sudo] password for haroun: haroun
Matching Defaults entries for haroun on DESKTOP-DU89UIV:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User haroun may run the following commands on DESKTOP-DU89UIV:
(ALL : ALL) ALL
haroun@DESKTOP-DU89UIV:/mnt/c/Users/haroun$

To go back to the menu, press <CTRL+C> then <Enter>.

PS:

  • It is recommended to decrease the beacon's sleep interval (see sleep).
  • The shell is a pty: you can run sudo -l or use less, but don't try to abuse it too much :p