The Reverse Shell Workflow for OSCP and CTFs
A repeatable reverse shell workflow for exams and CTFs: listener first, enumerate interpreters, pick the payload, catch on 443, upgrade the TTY, and note it for the report.
In an OSCP lab or a CTF, the reverse shell is not the hard part — the hard part is doing it fast and reliably under time pressure, on a box you have never seen, without burning your one good execution attempt on a payload that was never going to run. This is the repeatable workflow. None of the individual steps are new; the value is the order.
1. Listener First, Always
Before you fire anything, be listening:
nc -lvnp 443
Use 443 (or 80) from the start — see step 4 for why. Firing a payload with no listener up is the most common self-inflicted failure.
2. Enumerate What the Box Has
You cannot pick a payload until you know what runs. Once you have any code execution — even blind — check the interpreters in rough order of preference:
which python3 python bash nc ncat socat perl ruby php node 2>/dev/null
This one command decides everything that follows. A box with python3 gets the python payload; a bare box might only have perl or awk; a web box points you at php.
3. Pick the Payload to Match
Map the interpreter to the payload and mind the footguns that cost exam time:
- bash — only if /bin/sh is actually bash, not dash (why).
- python — confirm python vs python3 (why).
- nc — expect no -e; have the mkfifo form ready (why).
- php — watch disable_functions (why).
Grab the exact one-liner from the reverse shell generator so quoting is correct the first time — fumbling quotes mid-exam is exactly what the tool removes.
4. Use Port 443
Set LPORT to 443. Lab and CTF networks are friendlier than production, but the habit costs nothing and saves you the entire class of egress-filtering failures where an odd high port is silently dropped. 443 and 80 look like normal web traffic and get out.
5. Upgrade the TTY Immediately
The shell that lands is raw. Before you do anything else, upgrade it — otherwise the first sudo or ssh prompt hangs and you lose the session:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl-Z
stty raw -echo; fg
export TERM=xterm
Full explanation in upgrading a reverse shell. On macOS or Windows the equivalent differs slightly — see macOS and Windows.
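Seen from the defender's side, the shell these steps produce has a distinctive fingerprint: a shell or interpreter process whose standard streams resolve to a socket instead of a tty, and after the pty.spawn upgrade it is the parent python, not the child bash, that still holds that socket. The Python script below is an added example, not part of the original article; it applies that check to a constructed snapshot of /proc/<pid>/fd targets (the SHELL_NAMES set and SAMPLE_PROCS values are my assumptions) and can also read a live Linux /proc.

```python
import os
import re

# Interpreters and shells the workflow enumerates. A reverse shell is one of
# these with its standard streams wired straight to a network socket.
SHELL_NAMES = {"sh", "bash", "dash", "python", "python3", "perl", "ruby",
               "php", "node", "nc", "ncat", "socat"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")  # /proc/<pid>/fd/N target for a socket

# A raw nc -e or mkfifo shell has fds 0, 1, 2 on one socket. After the pty.spawn
# upgrade the child bash sits on a pty but the parent python still holds the socket.
def is_socket_backed(fd_targets):
    """True when any of fd 0, 1, 2 resolves to a socket."""
    return any(SOCKET_RE.match(fd_targets.get(fd, "")) for fd in (0, 1, 2))

def flag_reverse_shells(procs):
    """procs: iterable of (pid, comm, {fd: link target}); returns flagged (pid, comm)."""
    return [(pid, comm) for pid, comm, fds in procs
            if comm in SHELL_NAMES and is_socket_backed(fds)]

def read_procfs():
    """Snapshot (pid, comm, stdio targets) from live Linux /proc; needs root for other users."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            fds = {fd: os.readlink(f"/proc/{entry}/fd/{fd}") for fd in (0, 1, 2)}
        except OSError:  # process exited mid-scan or fd links not readable
            continue
        procs.append((int(entry), comm, fds))
    return procs

# Constructed sample snapshot (not from a real host): a raw bash on a socket,
# an upgraded shell (python3 on the socket, child bash on a pty), an
# interactive login bash, and a daemon with stdio on /dev/null.
SAMPLE_PROCS = [
    (5000, "bash", {0: "socket:[20001]", 1: "socket:[20001]", 2: "socket:[20001]"}),
    (4242, "python3", {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"}),
    (4243, "bash", {0: "/dev/pts/2", 1: "/dev/pts/2", 2: "/dev/pts/2"}),
    (1200, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    (900, "sshd", {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}),
]

if __name__ == "__main__":
    # Swap SAMPLE_PROCS for read_procfs() to scan the local Linux host.
    for pid, comm in flag_reverse_shells(SAMPLE_PROCS):
        print(f"suspicious: pid={pid} comm={comm} has stdio on a socket")
```

Legitimate processes started by inetd-style supervisors can also have stdio on a socket, so treat a hit as a triage lead to pair with the parent process and the outbound 443/80 connection, not as a verdict.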
6. Note It for the Report
OSCP is won or lost on the report. The moment the shell lands, record the exact payload, the listener command, the LHOST/LPORT, and a screenshot of id/whoami. You will not remember the precise one-liner three machines later, and reconstructing it afterwards wastes time you do not have.
When It Fails
Work the checklist in order — interpreter, quoting, egress, listener — laid out in why reverse shells fail. Resisting the urge to randomly retry is itself a skill.
Authorized Testing Only
Exam labs and CTFs are authorized environments by definition. Apply this workflow only there or on systems you own or are explicitly permitted to test.