Usage :: goshs Documentation

Basic usage

Thu, 04 Jul 2024 15:36:18 +0200

Run it You can simply run it and it will start from the current working directory on port 8000. $ goshs INFO [2024-07-04 18:01:46] Download embedded file at: /example.txt?embedded INFO [2024-07-04 18:01:46] Serving on interface lo bound to 127.0.0.1:8000 INFO [2024-07-04 18:01:46] Serving on interface eth0 bound to 10.137.0.27:8000 INFO [2024-07-04 18:01:46] Serving HTTP from /home/user Port To change the port you use -p. $ goshs -p 8080 INFO [2024-07-04 18:01:46] Download embedded file at: /example.txt?embedded INFO [2024-07-04 18:01:46] Serving on interface lo bound to 127.0.0.1:8080 INFO [2024-07-04 18:01:46] Serving on interface eth0 bound to 10.137.0.27:8080 INFO [2024-07-04 18:01:46] Serving HTTP from /home/user IP You can choose to run it listening on a specific ip address or interface using -i.

Config File

Thu, 04 Jul 2024 15:36:18 +0200

Use a config file to control how goshs behaves It is possible to control goshs via a JSON config file. You just need to create the config and provide all parameters. Info The config file will overwrite all provided config flags. You can use this config struct as an example. { "interface": "0.0.0.0", "port": 8000, "directory": ".", "upload_folder": ".", "ssl": false, "self_signed": false, "private_key": "", "certificate": "", "p12": "", "p12_no_pass": false, "letsencrypt": false, "letsencrypt_domain": "", "letsencrypt_email": "", "letsencrypt_http_port": "80", "letsencrypt_tls_port": "443", "auth_username": "", "auth_password": "", "certificate_auth": "", "webdav": false, "webdav_port": 8001, "upload_only": false, "read_only": false, "no_clipboard": false, "no_delete": false, "verbose": false, "silent": false, "invisible": false, "running_user": "", "cli": false, "embedded": false, "output": "", "webhook_enabled": false, "webhook_url": "", "webhook_provider": "discord", "webhook_events": [ "all" ], "sftp": false, "sftp_port": 2022, "sftp_keyfile": "", "sftp_host_keyfile": "", "whitelist": "", "trusted_proxies": "", "tunnel": false, "dns_server": false, "dns_port": 8053, "dns_ip": "127.0.0.1", "smtp_server": false, "smtp_port": 2525, "smtp_domain": "", "smb_server": false, "smb_port": 445, "smb_domain": "", "smb_share": "", "smb_wordlist": "" }Or you use the one here or you can even print and redirect one by running:

File handling

Fri, 05 Jul 2024 09:10:41 +0200

goshs lets you download and upload files. And you can also delete files, as well.

Authentication

Thu, 04 Jul 2024 15:57:29 +0200

There are two options for authentication that can be used exclusively or combined: Basic Authentication Certificate Based Authentication

Transport Layer Security (TLS) / HTTPS

Thu, 04 Jul 2024 15:42:45 +0200

Use TLS to secure the connection You can use TLS in a variety of ways. Self-signed Certificate Provide own key and cert Let’s encrypt

Tunnel via localhost.run

Thu, 04 Jul 2024 15:42:45 +0200

Use localhost.run to tunnel goshs to the internet You can use localhost.run to tunnel goshs to the internet. For this to work it is important not to use -s but keep it plaintext. Then use -t or --tunnel to start goshs with tunneling enabled. $ goshs --tunnel INFO [2024-07-07 15:21:32] You are running the newest version (v1.1.4) of goshs INFO [2024-07-07 15:21:32] Download embedded file at: /example.txt?embedded INFO [2024-07-07 15:21:33] Public tunnel URL: https://e8dae599c7b6ac.lhr.life INFO [2024-07-07 15:21:33] Serving on interface eth0 bound to 10.137.0.25:8000 INFO [2024-07-07 15:21:33] Serving on interface docker0 bound to 172.17.0.1:8000 INFO [2024-07-07 15:21:33] Serving on interface lo bound to 127.0.0.1:8000 INFO [2024-07-07 15:21:33] Serving HTTP from /home/user If you now visit https://e8dae599c7b6ac.lhr.life, as shown in the log line above, you should see your goshs content.

Restricting functions

Thu, 04 Jul 2024 16:03:47 +0200

Restricting functions You can restrict the goshs functions, for example if you want to block download or upload of files. You can also activate silent mode, so that the UI is omitted. Block uploads (read-only) You can block the upload function by using the read only mode with -ro. Uploads will not be possible anymore. Block downloads (upload-only) You can also block the downloads and use goshs as a file dropping service by utilizing the upload only mode with -uo. Downloading files will not be possible anymore.

Command Prompt

Thu, 04 Jul 2024 16:03:30 +0200

Use interactive terminal You can start goshs with a command line (-c). Then you will be able to run arbitrary commands on the host running goshs as the user it is running. Warning Please be aware that this mode is dangerous. Therefore it is required to at least use it with -s and -b.

Webdav

Thu, 04 Jul 2024 16:03:00 +0200

How to use goshs as webdav server You can use goshs to also provide the files using the webdav protocol by using -w. The default webdav port is 8001 and can be changed using -wp. The following screenshots will show an example usage on Microsoft Windows.

SFTP

Thu, 04 Jul 2024 16:03:00 +0200

How to use goshs as SFTP server You can use goshs to also provide the files using SFTP by using -sftp. The default SFTP port is 2022 and can be changed using -sp. Authentication is required using SFTP. You can use either username and password authentication with the flag -b user:pass or you can use an authorized keys file with -skf . The options can be used exclusively or together.

Clipboard

Thu, 04 Jul 2024 15:57:29 +0200

Use the clipboard goshs is providing a non-persistent clipboard that is synchronized via a websocket connection throughout all browsers visiting the goshs page. The clipboard can be cleared and can be downloaded in json format. [ { "ID": 0, "Content": "This is a test", "Time": "Wed May 31 16:03:26 2023" }, { "ID": 1, "Content": "goshs is awesome", "Time": "Wed May 31 16:03:30 2023" } ]

Embed files at compile time

Thu, 04 Jul 2024 09:49:21 +0200

How to embed files into goshs Info For this to work you will have to compile goshs yourself. See the section Build yourself for instructions. You can embed files at compile time and ship them with your version of goshs. Any file that is in the folder embedded in the project root will be compiled into the binary and will be available while running. There is already a file called example.txt in the folder by default to demonstrate the feature.

File based ACLs

Thu, 04 Jul 2024 15:42:45 +0200

Use file based access control lists You can apply file based access control lists per folder by placing a file called .goshs in that folder. The files content is like: { "auth":":", "block":[ "file1", "file2", "folder/" ] }Custom Basic Authentication The setting auth lets you define a custom basic authentication for the corresponding folder. The hash you need to enter as a password replacement can be generated using goshs as well using --hash:

Webhook Notifications

Thu, 04 Jul 2024 15:42:45 +0200

You can have goshs send notifications using webhooks. The following webhook providers are supported: Discord Mattermost Slack Use the following combination of arguments to use webhooks: Webhook options: -W, --webhook Enable webhook support (default: false) -Wu, --webhook-url URL to send webhook requests to -We, --webhook-events Comma separated list of events to notify [all, upload, delete, download, view, webdav, sftp, smb, dns, smtp, verbose] (default: all) -Wp, --webhook-provider Webhook provider [Discord, Mattermost, Slack] (default: Discord)An example for Discord would be:

IP Whitelisting

Thu, 04 Jul 2024 15:42:45 +0200

You can restrict access for Web, WebDAV and SFTP using IP whitelisting. The whitelist is also proxy aware and will parse X-Forwarded-For and X-Real-IP header for trusted proxies. You can define whitelists in CIDR notation for IPv4 and IPv6 using the flags -ipw --ip-whitelist and -tpw --trusted-proxy-whitelist. goshs -ipw 127.0.0.1,192.168.0.1/24,217.147.137.129 -tpw 192.168.0.1/24,217.147.137.1This will accept connections from 127.0.0.1, 192.168.0.1/24, 217.147.137.129 and trust proxies 192.168.0.1/24, 217.147.137.1.

Share Links

Thu, 04 Jul 2024 15:42:45 +0200

When using authentication with -b (Basic Authentication) or -ca (Certificate Authentication) you can share files with someone without giving them credentials. Now you can set a time limit in minutes and if you like a download limit. The defaults are 60 minutes and unlimited downloads.

Collaboration / CTF

Mon, 13 Apr 2026 00:00:00 +0000

goshs includes a set of server capabilities tailored for penetration testing, red team operations, and CTF challenges. These features let you receive and inspect traffic from targets — DNS queries, emails, SMB authentication attempts, and HTTP redirects — all from within the same binary. SMB Server — capture NTLM hashes and optionally crack them against a wordlist DNS Server — log all incoming DNS lookups and reply with a configurable IP SMTP Server — receive emails and attachments sent to your server LDAP Server — capture bind credentials and NTLM hashes; JNDI mode for Log4Shell exploitation Redirect Endpoint — serve HTTP 3xx redirects with custom headers Reverse Shell Catcher & Generator — catch and interact with reverse shells, generate payloads Domain setup To receive real-world DNS callbacks and emails you need a registered domain with a few DNS records in place. The setup below uses Namecheap as an example, but the record types are the same with any registrar.