Introduction


Web Security.

The modern web is built on browsers, servers, and the constant exchange of data between them. Every time you load a page, submit a form, or click a button, information moves across systems that must decide what to trust and how to process it.

Web security is about understanding that flow.

In this module, you'll work through foundational exercises that introduce common patterns you'll see throughout the course. You may interact with servers, trigger basic misconfigurations, or gain limited command execution to see how small weaknesses can escalate.

Nothing fancy yet, just the fundamentals.

Before exploiting vulnerabilities, you need to understand the platform they live on, and the common techniques used to gain an initial foothold and expand your access from there.

Let's begin.



Shell

In the real world, it is extremely rare to find yourself with direct shell access to your target environment, even an unprivileged one.

After gaining an initial foothold through various vulnerabilities, you typically need a reliable means of achieving remote code execution.

Usually, you have two main options: bind shells and reverse shells. A bind shell opens a port on the target machine and waits for you to connect, but this approach has severe limitations. Firewalls typically block incoming connections, NAT makes direct connections impossible, and monitoring tools easily detect open ports.

A reverse shell inverts this: instead of you trying to connect TO the target, the target connects to YOU. The compromised system reaches out through the firewall (outbound connections are usually allowed), bypasses NAT restrictions, and establishes the connection from the inside out.

It's like having the fortress call you with the keys, rather than trying to break down the front gate.


Challenge Environment

In this challenge, the server is automatically started; you can access the website at: https://challenge.internal

The server is listening for a request at the https://challenge.internal/reverse endpoint, which triggers a reverse shell connecting to localhost on port 1337.


Resources

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Now that we have learned about reverse shells, understanding bind shells is equally important for your foundational knowledge.

With a bind shell, instead of having the target reach out to you, you connect to a listening port on the target machine.

This technique has its place in specific scenarios: perhaps you're already inside a trusted network where firewalls aren't blocking internal connections, or you're working in an environment where outbound connections are heavily monitored but internal traffic flows freely.


Challenge Environment

In this challenge, the server is automatically started; you can access the website at: https://challenge.internal

The server is listening for a request at the https://challenge.internal/bind endpoint, which binds and starts a shell at localhost on port 1337.


Resources

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

URL & Encoding

Some characters are data. Some characters are delimiters.

When parsers see characters like & and =, they often split parameters instead of keeping them inside your payload. Reliable exploitation means controlling when special characters are interpreted and when they are preserved.
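
The splitting behaviour described above, shown as an added example (not part of the course material or the challenge server's code). It uses Python's `urllib.parse` as a stand-in for a server-side query parser, which is an assumption about how any given server parses; the sample value is constructed, and `payload` is the parameter name from the challenge description.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample value: each of = & space # + % has a special
# meaning somewhere in URL or form-encoding syntax.
SAMPLE = "id=1&role=admin #x+y 100%"


def server_view(url):
    """Return the query parameters a server-side parser would recover."""
    # urlsplit separates off the fragment (#...), which clients never send.
    # parse_qs then splits fields on & and each field on its first =.
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True)


def raw_url(base, value):
    """Naive concatenation: delimiter characters in value stay live."""
    return f"{base}/?payload={value}"


def encoded_url(base, value):
    """Percent-encode the value so delimiter characters travel as data."""
    return f"{base}/?{urlencode({'payload': value})}"


def survives(url, value):
    """True only if the parser sees exactly one parameter holding value."""
    return server_view(url) == {"payload": [value]}


if __name__ == "__main__":
    base = "https://challenge.internal"
    for build in (raw_url, encoded_url):
        url = build(base, SAMPLE)
        print(build.__name__, "->", url)
        print("  parsed:", server_view(url))
        print("  intact:", survives(url, SAMPLE))
```

In the raw form the value is cut at `&` (creating a second parameter) and everything from `#` onward is lost as a fragment; in the encoded form the parser returns the original string unchanged.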


Challenge Environment

In this challenge, the server is automatically started; you can access the website at: https://challenge.internal

The server is listening for a request at the https://challenge.internal endpoint, which accepts a payload argument.

Read the server's source code at /challenge/server, preserve delimiter bytes inside payload, and retrieve the flag.

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Web payloads are not limited to strings. Encode an entire ELF executable into a query parameter and have the server execute it.


Challenge Environment

In this challenge, the server is automatically started; you can access the website at: https://challenge.internal

The server accepts a request at https://challenge.internal/?elf=... where elf is a URL-safe base64 encoding of the ELF bytes.

Read the server's source code at /challenge/server, build an ELF payload, encode it, send it over HTTP, and use the resulting execution primitive to retrieve the flag.

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]
