Reverse Shells 101

Introduction

While doing pentest, challenges or Capture The Flag, you often need to get a shell access to a compromised machine. In classical shell access like SSH, your machine (acting as the client) connect to another machine (acting as a server).

Classical shell connection scheme

A reverse shell is … well, the opposite. Instead of you connecting to a machine, you will make the target machine connect back to you. This allows getting a shell access on machines in a local network behind a router with internet access for example !

Reverse shell connection scheme

Components

A reverse shell can be decomposed into several components :

Components of a reverse shell

We will explore the following blocks more in depth in the next sections.

Block Functionality
Launcher The launcher is the block starting the payload. It can be considered as the reverse shell’s entrypoint.
Payload The payload is the full exploit code used to create the reverse shell. It is different from the launcher which starts the payload.
Downlink The downlink is used by the target machine to receive the commands to execute from the attacker.
Uplink The uplink is used by the target machine to send the command results back to the attacker.
Executor The executor is the element running commands received from the downlink.

Analysing a python2 reverse shell

Launcher and payload :

Launcher and payload

In this reverse shell, the launcher is python2, whereas the payload is import ... subprocess.call(["/bin/sh","-i"]);.

Components in the payload :

Components in the payload