Usage :: goshs Documentation

Basic usage

Thu, 04 Jul 2024 15:36:18 +0200

Run it You can simply run it and it will start from the current working directory on port 8000. $ goshs INFO [2024-07-04 18:01:46] Download embedded file at: /example.txt?embedded INFO [2024-07-04 18:01:46] Serving on interface lo bound to 127.0.0.1:8000 INFO [2024-07-04 18:01:46] Serving on interface eth0 bound to 10.137.0.27:8000 INFO [2024-07-04 18:01:46] Serving HTTP from /home/user Port To change the port you use -p.

Config File

Thu, 04 Jul 2024 15:36:18 +0200

Use a config file to control how goshs behaves It is possible to control goshs via a JSON config file. You just need to create the config and provide all parameters. Info The config file will overwrite all provided config flags. You can use this config struct as an example.

File handling

Fri, 05 Jul 2024 09:10:41 +0200

goshs lets you download and upload files. And you can also delete files, as well.

Authentication

Thu, 04 Jul 2024 15:57:29 +0200

There are two options for authentication that can be used exclusively or combined: Basic Authentication Certificate Based Authentication

Transport Layer Security (TLS) / HTTPS

Thu, 04 Jul 2024 15:42:45 +0200

Use TLS to secure the connection You can use TLS in a variety of ways. Self-signed Certificate Provide own key and cert Let’s encrypt

Tunnel via localhost.run

Thu, 04 Jul 2024 15:42:45 +0200

Use localhost.run to tunnel goshs to the internet You can use localhost.run to tunnel goshs to the internet. For this to work it is important not to use -s but keep it plaintext. Then use -t or --tunnel to start goshs with tunneling enabled. $ goshs --tunnel INFO [2024-07-07 15:21:32] You are running the newest version (v1.1.4) of goshs INFO [2024-07-07 15:21:32] Download embedded file at: /example.txt?embedded INFO [2024-07-07 15:21:33] Public tunnel URL: https://e8dae599c7b6ac.lhr.life INFO [2024-07-07 15:21:33] Serving on interface eth0 bound to 10.137.0.25:8000 INFO [2024-07-07 15:21:33] Serving on interface docker0 bound to 172.17.0.1:8000 INFO [2024-07-07 15:21:33] Serving on interface lo bound to 127.0.0.1:8000 INFO [2024-07-07 15:21:33] Serving HTTP from /home/user If you now visit https://e8dae599c7b6ac.lhr.life, as shown in the log line above, you should see your goshs content.

Restricting functions

Thu, 04 Jul 2024 16:03:47 +0200

Restricting functions You can restrict the goshs functions, for example if you want to block download or upload of files. You can also activate silent mode, so that the UI is omitted. Block uploads (read-only) You can block the upload function by using the read only mode with -ro. Uploads will not be possible anymore.

Command Prompt

Thu, 04 Jul 2024 16:03:30 +0200

Use interactive terminal You can start goshs with a command line (-c). Then you will be able to run arbitrary commands on the host running goshs as the user it is running. Warning Please be aware that this mode is dangerous. Therefore it is required to at least use it with -s and -b.

Webdav

Thu, 04 Jul 2024 16:03:00 +0200

How to use goshs as webdav server You can use goshs to also provide the files using the webdav protocol by using -w. The default webdav port is 8001 and can be changed using -wp. The following screenshots will show an example usage on Microsoft Windows.

FTP / SFTP

Thu, 04 Jul 2024 16:03:00 +0200

How to use goshs as FTP or SFTP server goshs can serve files over FTP or SFTP using the -ftp flag. By default -ftp activates a plain FTP server on port 2121. Adding -ftp-sftp switches to SFTP mode instead. Plain FTP # Start plain FTP server on default port 2121 goshs -ftp # Start on a custom port goshs -ftp -ftp-port 2121 Connect with any standard FTP client:

Clipboard

Thu, 04 Jul 2024 15:57:29 +0200

Use the clipboard goshs is providing a non-persistent clipboard that is synchronized via a websocket connection throughout all browsers visiting the goshs page. The clipboard can be cleared and can be downloaded in json format. [ { "ID": 0, "Content": "This is a test", "Time": "Wed May 31 16:03:26 2023" }, { "ID": 1, "Content": "goshs is awesome", "Time": "Wed May 31 16:03:30 2023" } ]

Embed files at compile time

Thu, 04 Jul 2024 09:49:21 +0200

How to embed files into goshs Info For this to work you will have to compile goshs yourself. See the section Build yourself for instructions. You can embed files at compile time and ship them with your version of goshs. Any file that is in the folder embedded in the project root will be compiled into the binary and will be available while running. There is already a file called example.txt in the folder by default to demonstrate the feature.

File based ACLs

Thu, 04 Jul 2024 15:42:45 +0200

Use file based access control lists You can apply file based access control lists per folder by placing a file called .goshs in that folder. The files content is like: { "auth":":", "block":[ "file1", "file2", "folder/" ] } Custom Basic Authentication The setting auth lets you define a custom basic authentication for the corresponding folder. The hash you need to enter as a password replacement can be generated using goshs as well using --hash:

Webhook Notifications

Thu, 04 Jul 2024 15:42:45 +0200

You can have goshs send notifications using webhooks. The following webhook providers are supported: Discord Mattermost Slack Use the following combination of arguments to use webhooks: Webhook options: -W, --webhook Enable webhook support (default: false) -Wu, --webhook-url URL to send webhook requests to -We, --webhook-events Comma separated list of events to notify [all, upload, delete, download, view, webdav, ftp, sftp, smb, dns, smtp, redirect, verbose] (default: all) -Wp, --webhook-provider Webhook provider [Discord, Mattermost, Slack] (default: Discord) An example for Discord would be:

IP Whitelisting

Thu, 04 Jul 2024 15:42:45 +0200

You can restrict access for Web, WebDAV and SFTP using IP whitelisting. The whitelist is also proxy aware and will parse X-Forwarded-For and X-Real-IP header for trusted proxies. You can define whitelists in CIDR notation for IPv4 and IPv6 using the flags -ipw --ip-whitelist and -tpw --trusted-proxy-whitelist. goshs -ipw 127.0.0.1,192.168.0.1/24,217.147.137.129 -tpw 192.168.0.1/24,217.147.137.1 This will accept connections from 127.0.0.1, 192.168.0.1/24, 217.147.137.129 and trust proxies 192.168.0.1/24, 217.147.137.1.

Share Links

Thu, 04 Jul 2024 15:42:45 +0200

When using authentication with -b (Basic Authentication) or -ca (Certificate Authentication) you can share files with someone without giving them credentials. Now you can set a time limit in minutes and if you like a download limit. The defaults are 60 minutes and unlimited downloads. After submitting with the button Generate Share Links you will be presented with the links that you could provide to someone and with QR Codes for mobile devices. The number of links that will be generated will depend on the interface you chose to run goshs on, if any.

Collaboration / CTF

Mon, 13 Apr 2026 00:00:00 +0000

goshs includes a set of server capabilities tailored for penetration testing, red team operations, and CTF challenges. These features let you receive and inspect traffic from targets — DNS queries, emails, SMB authentication attempts, and HTTP redirects — all from within the same binary. SMB Server — capture NTLM hashes and optionally crack them against a wordlist DNS Server — log all incoming DNS lookups and reply with a configurable IP SMTP Server — receive emails and attachments sent to your server LDAP Server — capture bind credentials and NTLM hashes; JNDI mode for Log4Shell exploitation Redirect Endpoint — serve HTTP 3xx redirects with custom headers Reverse Shell Catcher & Generator — catch and interact with reverse shells, generate payloads Domain setup To receive real-world DNS callbacks and emails you need a registered domain with a few DNS records in place. The setup below uses Namecheap as an example, but the record types are the same with any registrar.

TUI Dashboard

Wed, 17 Jun 2026 00:00:00 +0000

goshs ships with an optional interactive terminal dashboard built on Bubble Tea. Enable it with --tui and you get a live full-screen view of all server activity — no browser, no port-forwarding required. This is especially useful when running goshs headless over SSH. goshs --tui goshs --tui -s -ss -b admin:secret --catcher -dns -dns-ip 10.10.14.5 Overview The TUI subscribes to the same WebSocket broadcast stream as the browser Collaboration tab, so every event that would appear in the web UI also appears in the terminal in real time. All 7 activity panes are available:

TTL (Self-Destruct)

Wed, 17 Jun 2026 00:00:00 +0000

The --ttl flag arms a self-destruct timer. When the duration elapses, goshs shuts down gracefully — exactly as if you had pressed Ctrl+C. # Shut down automatically after 2 hours goshs --ttl 2h # Combined with other flags goshs -s -ss -b admin:secret --catcher --ttl 4h Duration syntax The flag accepts any Go duration string:

Payload Templating

Tue, 23 Jun 2026 09:00:00 +0200

goshs can render placeholders inside served text files at download time, so you host a payload once and let goshs fill in your callback host and port instead of editing and re-uploading the file every time your interface or listener changes. Templating is opt-in twice: it must be enabled with --template, and it only runs for a request that explicitly asks for it with the ?tpl query parameter. Every other request serves the file verbatim.