A minimal, web-based shell page for Next.js — built for CTFs and authorized penetration testing.
- 🔐 Password-gated access via query parameter (`?pw=...`)
- ⚡ Command execution using `node:child_process`
- 📁 Working directory persistence between commands
- 🧾 Command + output history stored in cookies
Copy `page.tsx` into your target app, for example:

`/app/shell/page.tsx`

Replace `SECRET` with the SHA-256 hash of your password:

```ts
const SECRET = "your_sha256_hash_here";
```

Visit the route with your password:

`http://target.local/shell?pw=your-password`
Type commands into the UI and execute them. ✅
- ⏱️ Command timeout: 60s
- 📦 Max output buffer: 10MB
- 🐧 Shell used: `/bin/bash`
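
The traits in the feature list (a route file that imports `node:child_process` and takes input from the request) can be found by static review of a Next.js code base. The check below is an added example, not part of this project; its regexes, indicator names, severity labels and sample files are constructed assumptions, and the matching is heuristic.

```javascript
// Added example: flags Next.js route files that can spawn processes.
// Patterns, labels and sample sources are constructed for illustration.
const ROUTE_FILE = /(^|\/)(app|pages)\/.*\.(tsx?|jsx?)$/;
const INDICATORS = [
  { name: "child_process import", re: /(from\s+|require\(\s*)["'](node:)?child_process["']/ },
  { name: "process spawn call", re: /\b(exec|execSync|spawn|spawnSync|execFile|execFileSync)\s*\(/ },
  { name: "request-controlled input", re: /\b(searchParams|cookies\s*\(|formData\s*\()/ },
];

// Returns the indicator names matched in one file; empty if it is not a route file.
function scanSource(path, source) {
  if (!ROUTE_FILE.test(path.replace(/\\/g, "/"))) return [];
  // Strip block comments and full-line comments so disabled code does not match.
  const code = source.replace(/\/\*[\s\S]*?\*\//g, "").replace(/^\s*\/\/.*$/gm, "");
  return INDICATORS.filter((i) => i.re.test(code)).map((i) => i.name);
}

// Keeps route files that import child_process; "high" when they also read request input.
function triage(files) {
  return files
    .map(({ path, source }) => ({ path, hits: scanSource(path, source) }))
    .filter((f) => f.hits.includes("child_process import"))
    .map((f) => ({
      ...f,
      severity: f.hits.includes("request-controlled input") ? "high" : "review",
    }));
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_FILES = [
  { path: "app/shell/page.tsx",
    source: 'import { exec } from "node:child_process";\nexport default async function P({ searchParams }) { exec("uptime"); }' },
  { path: "app/about/page.tsx",
    source: "export default function About() { return null; }" },
  { path: "scripts/build.js",
    source: 'const { execSync } = require("child_process"); execSync("tsc");' },
  { path: "app/api/thumb/route.ts",
    source: '// import { exec } from "child_process";\nimport { spawn } from "node:child_process";\nspawn("convert", []);' },
];

console.log(triage(SAMPLE_FILES));
```

Build scripts outside `app/` or `pages/` are ignored on purpose, since they are not reachable as routes.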
This software is intended for lawful security testing and educational purposes only. Use it only on systems you own or where you have explicit written permission to test. Unauthorized use may be illegal and is strictly prohibited.
NO WARRANTY: This software is provided “AS IS”, without warranties of any kind. You assume all risk. The author is not responsible for any misuse or damage caused by this software.
✅ Stay legal.