If you have successfully exploited a vulnerability on a system and obtained Remote Code Execution (RCE), you can use it to get a shell on the remote system.
Types of shell
Depending on the direction of the connection to the shell, whether the shell is interactive, and whether the payload is staged, shells can be classified into the following categories.
Reverse & bind shell
Reverse shells are obtained when the target is made to execute code that connects back to your machine. They are an excellent way to bypass firewall rules that may prevent you from connecting to arbitrary ports on the target. However, when receiving a reverse shell from a machine across the Internet, you must configure your own network or use third-party tools so that the connection can reach you.
Bind shells are obtained when the executed code starts a listener on the target with a shell attached to it. In some cases this port is reachable from the Internet; in others the target network would have to be configured to forward that specific port. You then connect to the port and gain remote code execution. This has the advantage of not requiring any configuration on your side, but it may be blocked by firewalls protecting the target.
Staged & Stageless
Staged payloads are sent in two parts:
The first part, called the stager, contains no shellcode; it is executed directly on the target and connects back to the attacker to download the actual payload.
The second part is the actual payload, which is executed directly, so it is never stored on disk where traditional anti-virus could catch it.
Staged payloads require a particular listener, usually the Metasploit multi/handler, capable of serving different staged payloads and receiving the final reverse shell.
Stageless payloads are entirely self-contained in one piece of code that sends a shell back to the waiting listener immediately when executed.
Note: To tell staged and stageless payloads apart in Metasploit and Msfvenom, look at the name: staged payloads look like windows/shell/reverse_tcp, whereas stageless ones look like windows/shell_reverse_tcp.
Interactive & non-Interactive
Interactive shells allow you to interact with programs like vim, nano and sudo, and to use key combinations like [Ctrl]+c and [Ctrl]+l. Examples of interactive shells are PowerShell, Bash, Zsh and sh.
Non-interactive shells limit the attacker to programs that do not require user interaction, like grep, whoami and cat. Unfortunately, the majority of simple reverse and bind shells are of this type, which makes further exploitation trickier.
Nonetheless, depending on the environment, a non-interactive shell can be upgraded to a full TTY.
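The two properties described above, the direction of the connection (reverse vs. bind) and the absence of a controlling terminal, are exactly what a defender can look for on a Linux host: a shell process whose standard streams are attached to a TCP socket rather than a TTY. The following detector is an added example written for this page, not code from the original author. Its /proc/net/tcp dump and process records are constructed sample data; on a live host the same evidence comes from /proc/net/tcp and from reading the links under /proc/<pid>/fd. The set of shell names and the bind/reverse heuristic (an established connection whose local port also appears in LISTEN state was accepted by a local listener) are assumptions of the example.

```python
"""Flag shell processes whose stdio is attached to a TCP socket (added example).

All data below is constructed for the demonstration; nothing comes from a real host.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh"}   # assumed set of shell command names
TCP_ESTABLISHED, TCP_LISTEN = "01", "0A"              # state codes used by /proc/net/tcp


def hex_to_ipv4_port(addr: str) -> Tuple[str, int]:
    """Decode '0F02000A:115C': little-endian IPv4 in hex, then big-endian port in hex."""
    ip_hex, port_hex = addr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]   # read octets right to left
    return ".".join(map(str, octets)), int(port_hex, 16)


@dataclass
class Socket:
    inode: str
    local: Tuple[str, int]
    remote: Tuple[str, int]
    state: str


@dataclass
class Process:
    pid: int
    comm: str
    tty: str               # "?" means no controlling terminal, as ps prints it
    fds: Dict[int, str]    # fd number -> readlink target, e.g. "socket:[30001]"


def parse_proc_net_tcp(text: str) -> Dict[str, Socket]:
    """Index the sockets of a /proc/net/tcp dump by inode (the header line is skipped)."""
    sockets: Dict[str, Socket] = {}
    for line in text.strip().splitlines()[1:]:
        f = line.split()   # f[1] local, f[2] remote, f[3] state, f[9] inode
        sockets[f[9]] = Socket(f[9], hex_to_ipv4_port(f[1]), hex_to_ipv4_port(f[2]), f[3])
    return sockets


def classify(proc: Process, sockets: Dict[str, Socket]) -> Optional[str]:
    """Describe a shell whose stdio sits on an established TCP connection, else None."""
    if proc.comm not in SHELLS:
        return None
    inodes = set()
    for fd in (0, 1, 2):
        m = re.fullmatch(r"socket:\[(\d+)\]", proc.fds.get(fd, ""))
        if m:
            inodes.add(m.group(1))
    listening_ports = {s.local[1] for s in sockets.values() if s.state == TCP_LISTEN}
    for inode in sorted(inodes):
        sock = sockets.get(inode)
        if sock is None or sock.state != TCP_ESTABLISHED:
            continue
        # Accepted on a local listener -> bind shell; dialled out -> reverse shell.
        kind = "bind shell" if sock.local[1] in listening_ports else "reverse shell"
        tty = "no TTY" if proc.tty == "?" else f"tty {proc.tty}"
        return (f"pid {proc.pid} {proc.comm}: {kind} suspect, {tty}, "
                f"{sock.local[0]}:{sock.local[1]} <-> {sock.remote[0]}:{sock.remote[1]}")
    return None


def scan(processes: List[Process], proc_net_tcp: str) -> List[str]:
    """Run classify() over every process and return the findings in pid order."""
    sockets = parse_proc_net_tcp(proc_net_tcp)
    findings = (classify(p, sockets) for p in sorted(processes, key=lambda p: p.pid))
    return [f for f in findings if f]


# Constructed dump: a listener on 22, an outbound connection 10.0.2.15 -> 10.0.2.10:4444
# (inode 30001), a listener on 8080 (inode 30010) and the connection it accepted (inode 30011).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:9C40 0A02000A:115C 01 00000000:00000000 00:00000000 00000000  1000        0 30001 1 0000000000000000 20 4 30 10 -1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30010 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:1F90 0A02000A:D431 01 00000000:00000000 00:00000000 00000000  1000        0 30011 1 0000000000000000 20 4 30 10 -1
"""

# Constructed process records: an interactive bash on a pty, a socket-backed sh, a
# socket-backed bash behind the 8080 listener, and sshd with a socket only on fd 3.
SAMPLE_PROCESSES = [
    Process(1201, "bash", "pts/0", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    Process(1340, "sh", "?", {0: "socket:[30001]", 1: "socket:[30001]", 2: "socket:[30001]"}),
    Process(1355, "bash", "?", {0: "socket:[30011]", 1: "socket:[30011]", 2: "socket:[30011]"}),
    Process(1400, "sshd", "?", {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[10001]"}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESSES, SAMPLE_PROC_NET_TCP):
        print(finding)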
In this subsection, you can find a list of web pages with payloads for obtaining reverse or web shells.