HRShell v1.7 releases: HTTPS/HTTP reverse shell built with flask with advanced features

by do son · Published August 21, 2019 · Updated May 1, 2024

HRShell is an HTTPS/HTTP reverse shell built with flask. It’s compatible with python 3.x and has been successfully tested on:

It’s stealthy
TLS support 🔑
- Either using on-the-fly certificates or
- By specifying a cert/key pair (more details below…)
Proxy 🦊 support on the client.
Directory navigation (cd command and variants).
download/upload/screenshot commands available.
shellcode injection 💉 (for the time it is available only for windows x86 systems but support for other OSs and ARCHs will be added soon!)
- Either shellcode injection into another process by specifying its PID
- or shellcode injection in the current running process
Pipelining (|) & chained commands (;) are supported
Support for every non-interactive (like gdb, top etc…) command
Server is both HTTP & HTTPS capable.
It comes with two built-in servers 🌐 so far… flask built-in & tornado-WSGI while it’s also compatible with other production servers like gunicorn and Nginx.
Both server.py and client.py are easily extensible.
Since most functionality comes from the server’s endpoint-design it’s very easy to write a client in any other language e.g. Java, GO, etc…