Posted on 29th October 2018 by Paul Ritchie
This is the release of the third of three tools from my talk "Hacking with git", which I delivered at Glasgow BSides in 2018. The video of that talk is available at the URL below:
The pace of the talk was structured to build to the crescendo where a reverse shell was delivered over GitHub. This post is about the proof-of-concept (PoC) tool which was written to do that.
The code for this is available over at GitHub here:
If you have any questions then you can ping me on Twitter @cornerpirate or raise a ticket on GitHub.
While I had this idea many moons ago, I realised by the time of my talk in April 2018 that I wasn't the first to implement a reverse shell over GitHub. There was at least one I could find. I am a fan of implementing my own stuff when I have the time available. Give someone a fish and they will say "why are you giving me raw fish?" and "can you cook this for me too?". Make your own fishing net, go and catch fish, and you have learned a lot of stuff. You will now be in the business of selling fish instead of just being a consumer. I urge you to make your own nets, folks.
To be clear, I am not claiming ownership or even first-implementation rights over the idea. I am also saying you should live a little and implement your own stuff more :D.
I am assuming that pretty much everyone reading this knows what a reverse shell is. Sometimes it is nice to start simple though so:
When an attacker establishes a reverse shell they have remote interactive command execution on their target, and the intent is definitely malicious. Any traffic which crosses a network boundary can carry one, so reverse shells are common over TCP, UDP, ICMP, DNS, HTTP/HTTPS etc. Whatever a firewall allows out and in can be used.
A command prompt or shell is made of three so-called "standard" communication streams: stdin, stdout and stderr.
The following image (by Danielpr85) plots out how a process interacts with these streams:
The trick for a reverse shell is to map these input and output streams to a network communication channel.
In the git shell PoC the channel is a commit over HTTPS to GitHub.com into a repository.
The communication channel is a GitHub.com hosted repository. To prep yours follow these steps:
Nobody said this would be complicated! You should have something that looks like this:
That is all you need.
The "in.txt" file becomes the "stdin" stream, meaning that the attacker places commands to execute in this file, while the "out.txt" file is a merge of both "stdout" and "stderr" and is updated by the victim. For the coders in the room, the algorithms are simple on both sides:
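From the defender's side, that two-file protocol leaves a recognisable trace in the repository itself: a tiny fixed set of files rewritten at short intervals, with one identity only ever writing "in.txt" and another only ever writing "out.txt". The following is an added example, not code from the post or from the gitshell project, which scores a `git log --format='%H|%an|%at' --name-only` listing for that pattern. The hashes, author names ("operator", "WIN7-DESKTOP", "repo-owner"), timestamps and thresholds are all constructed.

```python
"""Added example (not the gitshell project's code): flag a git history that
looks like a polling command channel, i.e. a small fixed set of files
(here in.txt / out.txt) rewritten at short intervals by two parties that
each only touch "their" file.  The sample log below is constructed."""
import re
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Set, Tuple

# Shape of: git log --format='%H|%an|%at' --name-only   (newest first).
# Hashes, author names and timestamps are constructed for the example.
SAMPLE_GIT_LOG = """\
c0ffee06|WIN7-DESKTOP|1540800121

out.txt

c0ffee05|operator|1540800090

in.txt

c0ffee04|WIN7-DESKTOP|1540800076

out.txt

c0ffee03|operator|1540800045

in.txt

c0ffee02|WIN7-DESKTOP|1540800031

out.txt

c0ffee01|operator|1540800000

in.txt

c0ffee00|repo-owner|1540700000

README.md
in.txt
out.txt
"""

# The two files carrying the channel (stdin -> in.txt, stdout+stderr -> out.txt).
CHANNEL_FILES = frozenset({"in.txt", "out.txt"})
HEADER = re.compile(r"^([0-9a-f]{7,40})\|([^|]+)\|(\d+)$")


@dataclass
class Commit:
    sha: str
    author: str
    ts: int                 # unix seconds, as printed by %at
    files: Tuple[str, ...]


def parse_git_log(text: str) -> List[Commit]:
    """Parse header/file-list records.  Blank lines are ignored so the parser
    does not depend on git's exact blank-line placement."""
    commits: List[Commit] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            if cur is not None:
                commits.append(Commit(cur[0], cur[1], cur[2], tuple(cur[3])))
            cur = [m.group(1), m.group(2), int(m.group(3)), []]
        elif cur is not None:
            cur[3].append(line)
    if cur is not None:
        commits.append(Commit(cur[0], cur[1], cur[2], tuple(cur[3])))
    return commits


def analyse(commits: List[Commit], max_median_interval_s: int = 300,
            min_channel_commits: int = 4) -> Dict:
    """A commit is a 'channel commit' when it touches nothing but the channel
    files.  The history is flagged when there are enough of them, they arrive
    quickly, and the writers of in.txt and out.txt are disjoint (one side
    issues commands, the other answers)."""
    channel = sorted((c for c in commits if c.files and set(c.files) <= CHANNEL_FILES),
                     key=lambda c: c.ts)
    intervals = [b.ts - a.ts for a, b in zip(channel, channel[1:])]
    writers: Dict[str, Set[str]] = {f: set() for f in CHANNEL_FILES}
    for c in channel:
        for f in c.files:
            writers[f].add(c.author)
    two_sided = (bool(writers["in.txt"]) and bool(writers["out.txt"])
                 and writers["in.txt"].isdisjoint(writers["out.txt"]))
    med = median(intervals) if intervals else None
    suspicious = (len(channel) >= min_channel_commits and two_sided
                  and med is not None and med <= max_median_interval_s)
    return {"suspicious": suspicious, "channel_commits": len(channel),
            "median_interval_s": med, "writers": writers}


if __name__ == "__main__":
    print(analyse(parse_git_log(SAMPLE_GIT_LOG)))
```

The setup commit (README.md plus the two files) is deliberately not counted, so a repository that merely contains files with these names does not trip the check; only the alternating, fast, two-writer rewrite pattern does.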
As I had limited time to develop the PoC, the encryption parts of the shell have not been implemented yet. This is bleeding edge because it means the command output and history will remain in your repository, A MAJOR RISK IF YOU STICK CUSTOMER DATA IN THERE.
I would not suggest using this on engagements without implementing cryptography.
The PoC is configured to work on Windows targets with .Net 4.6.2 or newer installed.
GitHub removed support for TLS 1.1 and lower, meaning that older clients can no longer connect. Well done to GitHub for stamping out older protocols, but it does limit the effectiveness of the PoC somewhat. A fully patched Windows 7 or supported Server version would work for sure.
Generate an authentication token. To do this, when logged into GitHub visit this URL:
As a minimum the token needs commit access to your repository, so simply enable those:
You need to obtain the PoC from GitHub here, upload the code to your victim by whatever means, and then execute it. Once it is running it will prompt you for the URL to your repository and your authentication token.
The attacker needs to run the "gitshell-attacker.py" script with command line arguments for the repo URL, the token, and the path to an empty folder such as "/tmp/something". They will then be able to execute commands and, with a bit of patience, get the responses:
The output is a bit over the top at the moment but you can see what is going on.
While several have been stated throughout, it makes sense to just be clear:
This demonstrates that a reverse shell over GitHub is absolutely possible. It is at least the second tool to do this. This is not a vulnerability in GitHub, a zero day, or in any way anything which should tarnish the reputation of GitHub. An attacker with any access to the Internet from inside your network can find some means of establishing remote control. This is just a fun way of doing it using git's commands.
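Because the victim side of any such tool has to poll the service it hides behind, the network view is the same whether the channel is a git repository or some other permitted SaaS: one internal host contacting one external name at a near-constant interval. The following is an added example, not code from the post or the gitshell project, that looks for that regularity in proxy log lines. It generalises beyond GitHub to any polled destination; the log format (`timestamp client method host:port status`), addresses, timestamps and thresholds are constructed for the example.

```python
"""Added example (not from the post or the gitshell project): flag a client
that contacts one external host at a near-constant interval, which is what a
file-based command channel looks like from a web proxy.  Log lines below are
constructed in a simple "timestamp client method host:port status" form."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed: 10.0.0.12 polls api.github.com roughly every 30 s; 10.0.0.7 and
# the www.example.com requests are ordinary, irregular browsing.
SAMPLE_PROXY_LOG = """\
2018-10-29T08:00:00Z 10.0.0.12 CONNECT api.github.com:443 200
2018-10-29T08:00:05Z 10.0.0.7 CONNECT api.github.com:443 200
2018-10-29T08:00:30Z 10.0.0.12 CONNECT api.github.com:443 200
2018-10-29T08:00:41Z 10.0.0.12 CONNECT www.example.com:443 200
2018-10-29T08:01:01Z 10.0.0.12 CONNECT api.github.com:443 200
2018-10-29T08:01:30Z 10.0.0.12 CONNECT api.github.com:443 200
2018-10-29T08:02:00Z 10.0.0.12 CONNECT api.github.com:443 200
2018-10-29T08:02:31Z 10.0.0.12 CONNECT api.github.com:443 200
2018-10-29T08:03:00Z 10.0.0.12 CONNECT api.github.com:443 200
2018-10-29T08:03:30Z 10.0.0.12 CONNECT api.github.com:443 200
2018-10-29T08:07:40Z 10.0.0.7 CONNECT api.github.com:443 200
2018-10-29T08:09:02Z 10.0.0.7 CONNECT api.github.com:443 200
2018-10-29T08:12:15Z 10.0.0.12 CONNECT www.example.com:443 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) ([^:\s]+):(\d+) (\d{3})$")
Key = Tuple[str, str]   # (client address, destination host)


def parse_proxy_log(text: str) -> Dict[Key, List[datetime]]:
    """Group request timestamps by (client, host); malformed lines are skipped."""
    seen: Dict[Key, List[datetime]] = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        seen[(m.group(2), m.group(4))].append(ts)
    return seen


def detect_beacons(seen: Dict[Key, List[datetime]], min_requests: int = 6,
                   max_cv: float = 0.2) -> Dict[Key, Dict]:
    """Flag a (client, host) pair when it has enough requests and the gaps
    between them are regular: coefficient of variation (stdev / mean of the
    inter-request gaps) at or below max_cv.  Human browsing has a high CV;
    a poll loop has a very low one."""
    findings: Dict[Key, Dict] = {}
    for key, stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        ordered = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            findings[key] = {"requests": len(ordered), "mean_interval_s": mu, "cv": cv}
    return findings


if __name__ == "__main__":
    for (client, host), info in detect_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{client} -> {host}: {info}")
```

A poll with a small random jitter still has a low CV, so the threshold is a tuning knob rather than a hard boundary; the minimum request count keeps a single busy browsing session from being reported on a handful of coincidentally spaced requests.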
This is my final post in the series of tools on "Hacking with Git". It is also my final submission to SecarmaLabs because I have chosen to seek pastures new. It leaves me with a tear in my eye since I have been involved in all aspects of SecarmaLabs since it was founded. It was my whimsy to plaster this code all over the place:
10 Print "Research"
20 Print "Share"
30 Goto 10
I believe in research, sharing it and passing things on. That also means passing on the reins to the next generation when it comes time to do so. I leave SecarmaLabs in excellent hands and they will do fantastic things with it!