
Linux exec vs reverse TCP: pick the payload that matches the primitive

When to use exec-style shellcode versus reverse TCP in authorized labs, and why the flashy option is often the wrong one.

Published on 2 min read

New operators reach for reverse TCP because it feels like "real" post-exploitation. Exec shellcode is boring. Boring is often correct.

What exec shellcode is good at

Exec-style payloads run a command with minimal surrounding infrastructure. Useful when:

  • you already have outbound connectivity unrelated to your callback
  • the exercise measures local command execution, not C2
  • network egress is heavily filtered but local process creation is allowed

The shellcodes "Exec command" preset maps to Linux / X64 / Exec. It is a fast way to test a short command string without opening a socket.

What reverse TCP is good at

Reverse TCP shines when you need an interactive channel and egress to your listener is reliable. It is also heavier: embedded network metadata, larger templates, and more chances for bad chars in the sockaddr bytes.

Decision table I use

Situation                             | I pick
--------------------------------------|---------------------------
Buffer under 200 bytes                | exec or staged loader
Strict egress allow-list              | exec plus existing channel
Dedicated lab VLAN with open egress   | reverse TCP
Need repeatable non-interactive proof | exec with fixed argv

Attacker mindset

Reverse TCP announces you. Exec can be quieter depending on logging. Neither is stealthy by default. The detections that catch you live in EDR, DNS, and proxy logs.

Common lab mistakes

  • Reverse TCP to a listener IP that works on VPN but not from the target container network
  • Exec payload with a long command string that blows the buffer after encoding
  • Switching payload families mid-engagement without retesting bad chars

Defender mindset

Exec and reverse TCP produce different telemetry. Reverse TCP creates egress to an unusual IP. Exec creates process ancestry anomalies. Tune detections for the primitive, not for the word "shellcode".
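As an added illustration of tuning for the primitive rather than the word "shellcode", here are the two detections run over sample host telemetry. This is example code written for this post, not from any product; the event format, the list of service parents and the egress allow-list are constructed assumptions.

```python
import ipaddress

# Constructed sample telemetry (not captured from any real host): process-creation
# and network-connection events as a host sensor might emit them.
PROCESS_EVENTS = [
    {"pid": 410, "ppid": 1,   "parent": "/usr/sbin/cron",  "image": "/bin/sh",   "cmdline": "sh -c /usr/sbin/logrotate"},
    {"pid": 912, "ppid": 880, "parent": "/usr/sbin/nginx", "image": "/bin/sh",   "cmdline": "sh -c id"},
    {"pid": 913, "ppid": 880, "parent": "/usr/sbin/nginx", "image": "/bin/bash", "cmdline": "bash -i"},
]
NETWORK_EVENTS = [
    {"pid": 700, "image": "/usr/bin/curl",   "dst_ip": "10.20.0.5",     "dst_port": 443},
    {"pid": 913, "image": "/bin/bash",       "dst_ip": "198.51.100.23", "dst_port": 4444},
    {"pid": 950, "image": "/usr/sbin/nginx", "dst_ip": "10.20.0.9",     "dst_port": 5432},
]

# Assumed site-specific baselines (hypothetical values): network-facing services
# that should never spawn a shell, and the egress ranges the lab allow-list permits.
SERVICE_PARENTS = {"/usr/sbin/nginx", "/usr/sbin/apache2", "/usr/bin/node"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
ALLOWED_EGRESS = [ipaddress.ip_network("10.20.0.0/16")]

def detect_exec_primitive(events):
    """Exec payloads surface as process ancestry anomalies: a shell whose parent
    is a service process that has no business spawning one."""
    return [dict(e, severity="high")
            for e in events
            if e["image"] in SHELLS and e["parent"] in SERVICE_PARENTS]

def detect_reverse_tcp_primitive(events):
    """Reverse TCP payloads surface as egress to an address outside the
    allow-list; a shell acting as the network client is the strongest form."""
    alerts = []
    for e in events:
        dst = ipaddress.ip_address(e["dst_ip"])
        if any(dst in net for net in ALLOWED_EGRESS):
            continue  # expected egress, no alert
        severity = "high" if e["image"] in SHELLS else "medium"
        alerts.append(dict(e, severity=severity))
    return alerts

def run_detections():
    """Run both rules and return hits keyed by the primitive they target."""
    return {"exec": detect_exec_primitive(PROCESS_EVENTS),
            "reverse_tcp": detect_reverse_tcp_primitive(NETWORK_EVENTS)}

if __name__ == "__main__":
    for primitive, hits in run_detections().items():
        for hit in hits:
            print(f"[{primitive}] severity={hit['severity']} pid={hit['pid']} image={hit['image']}")
```

The cron-spawned shell and the curl egress inside the allow-list stay quiet; only the nginx-spawned shells and the shell's outbound connection to an unlisted address fire.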

Practical note

If your report needs a screenshot of whoami, exec gets you there faster. If your report needs a sustained session for file exfiltration drills, reverse TCP is fine. Match the deliverable.
