h3xduck / TripleCross

A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.


Cannot inject into victim with -c option

tarihub opened this issue · comments

commented

I try to inject into the victim with

./injector -c 192.168.192.16

but cannot spawn a shell from the victim.

Could I get any help from you?

It looks like the initial handshake between the backdoor and the client is not being completed correctly.
Some things you may check are whether:

  1. Both VMs can communicate between themselves
  2. You are first installing the rootkit with the script, then running the client
  3. An initial TCP packet with payload CC_SYN is being delivered at the machine with the rootkit (using wireshark or similar)
  4. A TCP packet with payload CC_ACK is being sent from the machine with the rootkit.
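Steps 3 and 4 above are normally done by eye in Wireshark. The following added example (written for this page, not code from the TripleCross project) does the same check over raw frames so it can be scripted: it parses Ethernet/IPv4/TCP headers and reports whether a segment from the attacker to the victim carrying CC_SYN, and one from the victim back carrying CC_ACK, were seen. It assumes the handshake markers are the literal ASCII bytes "CC_SYN" and "CC_ACK" at the start of the TCP payload (the reply names the payloads but does not show their exact bytes); the addresses, port 9000 and the frames themselves are constructed sample data, not a real capture.

```python
"""Check raw frames for the client/backdoor CC_SYN -> CC_ACK handshake.

Added example, not part of TripleCross. Assumption: the markers are the
literal ASCII payload prefixes b"CC_SYN" / b"CC_ACK"; the sample frames
below are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_frame(frame: bytes) -> Optional[TcpSegment]:
    """Parse an Ethernet II / IPv4 / TCP frame; return None for anything else."""
    if len(frame) < 14 + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                     # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or ihl < 20 or len(ip) < total_len:   # not TCP, or truncated
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                    # TCP header length incl. options
    return TcpSegment(src, dst, sport, dport, tcp[doff:])


def check_handshake(frames: Iterable[bytes], attacker: str, victim: str) -> dict:
    """Report which half of the CC_SYN / CC_ACK exchange was observed."""
    saw_syn = saw_ack = False
    for frame in frames:
        seg = parse_frame(frame)
        if seg is None:
            continue
        if seg.src == attacker and seg.dst == victim and seg.payload.startswith(b"CC_SYN"):
            saw_syn = True
        if seg.src == victim and seg.dst == attacker and seg.payload.startswith(b"CC_ACK"):
            saw_ack = True
    if not saw_syn:
        verdict = "CC_SYN never reached the victim: check connectivity and the client command"
    elif not saw_ack:
        verdict = "CC_SYN delivered but no CC_ACK: the rootkit side did not answer"
    else:
        verdict = "handshake completed"
    return {"cc_syn": saw_syn, "cc_ack": saw_ack, "verdict": verdict}


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, no checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


# Constructed sample: the client's CC_SYN arrives, but the victim only sends unrelated traffic.
ATTACKER, VICTIM = "192.168.192.168", "192.168.192.169"
SAMPLE_FRAMES = [
    build_frame(ATTACKER, VICTIM, 40000, 9000, b"CC_SYN"),
    build_frame(VICTIM, ATTACKER, 9000, 40000, b"HTTP/1.1 200 OK"),
]

if __name__ == "__main__":
    print(check_handshake(SAMPLE_FRAMES, ATTACKER, VICTIM))
```

To run it against a real capture, read the frames from a pcap (for example with the standard `dpkt` or `scapy` readers) and pass the raw frame bytes to `check_handshake`; the "delivered but no CC_ACK" verdict is the situation this issue describes.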
commented

Thanks for your reply~
You are right, it's the initial handshake between the backdoor and the client.

  1. Both VMs can communicate between themselves

attacker: 192.168.192.168
victim: 192.168.192.169

  2. I try to install the rootkit through
git clone https://github.com/h3xduck/TripleCross
cd TripleCross/src
make all
cd ../client
make
cd ../helpers
./packager.sh

And all goes well, but I can't receive a shell from the victim.

  3. CC_SYN is sent to the victim machine

  4. The attacker can't receive CC_ACK from the victim machine

commented

It seems like the initial handshake dials port 9000. Do I need to listen on port 9000 with nc?

I tried listening on port 9000 with nc, but I can't get any response.

What may the problem be? Looking forward to your reply~

Oh, I just realised. If you look at the README you'll see that I prepared this client mode (using -c) to only work after activating the execution hijacking module (you'll need to configure the parameters described at https://github.com/h3xduck/TripleCross#execution-hijacking-module for the attack to happen and thus start to listen for connections).

If you just want to test the backdoor and spawn a shell, use the -e or -s flags; those definitely work out of the box.

commented

Yeah! The -e and -s flags spawn a shell well~ Thanks for your patience.
I want to use the -c flag to spawn a shell according to the README.

Maybe I am misunderstanding the usage; it can't work.