superswan/stash-server

Stash Server

A deliberately minimal and misleading HTTPS file-sharing service inspired by Pomf-style (catbox) uploaders, with an 'anti-recon' feature that replicates CDN edge failures.

This repository contains two implementations of the same idea:

  • Sync (BaseHTTPRequestHandler) — highly portable and only uses standard lib
  • Async (aiohttp) — event-driven, non-blocking, more reliable but requires aiohttp package

Demo (YouTube)


Installation

Requires Python 3.10+

git clone https://github.com/superswan/stash-server.git
cd stash-server

Install async dependencies (only needed for async version)

pip install aiohttp

TLS Certificate

Generate a self-signed certificate or provide your own

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Usage

Sync version

python stash_server.py

Async version (recommended)

python stash_server_async.py

Default listener:

https://0.0.0.0:8081

Uploading Files

curl

curl -k -X POST --data-binary @file.png https://host:8081/file.png

or

curl -k --upload-file file.txt https://host:8081/file.txt

Response:

https://host:8081/abc123.png
  • Filename is randomized
  • Extension is preserved

PowerShell

Invoke-WebRequest `
  -Uri https://host:8081/file.png `
  -Method Post `
  -InFile file.png `
  -SkipCertificateCheck

PowerShell 5.1 and below:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

Downloading Files

curl -k https://host:8081/abc123.png -o file.png

Key System

The server can generate a unique 8-digit key and provide it to a user. The key lets that user save a list of uploaded files that they can retrieve later.

Register

curl -i -k -X STSH https://10.201:8090/register

Response:

Include -H "X-STASH-KEY:abcd1234" header to upload with key
Use `/list` to view files associated with key

Upload with key

curl -k -H "X-Stash-Key:abcd1234" --upload-file file.txt https://host:8081/

Response:

UPLOADER: abcd1234
https://host:8081/file.txt

List files belonging to key

curl -k -H "X-STASH-KEY:abcd1234" https://host:8081/list

Downloading

Doesn't require a key. Downloading is globally accessible for client convenience.


Anti-Recon

  • Browser visit returns fake Cloudflare-style error page
  • Responses are delayed and chunked
  • Chunk sizes and timing jitter vary to simulate degraded connection
  • Geo-IP lookup is used to display the nearest Cloudflare PoP to the requester

This behavior is intentional and designed to:

  1. Imply the service is behind Cloudflare
  2. Suggest network or server instability
  3. Waste time during reconnaissance

Cloudflare error pages can be generated here:

https://virt.moe/cferr/editor/

Configuration

Edit values in the server files:

PORT = 8081
UPLOAD_DIR = "./uploads"
MAX_FILE_SIZE_MB = 512
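
One way an upload handler can apply the "filename is randomized, extension is preserved" rule together with the `UPLOAD_DIR` and `MAX_FILE_SIZE_MB` settings without trusting the client-supplied path. This is an added example, not the project's own code; the function names, the 16-character random name and the extension pattern are assumptions.

```python
import os
import re
import secrets

UPLOAD_DIR = "./uploads"      # same names as the configuration values above
MAX_FILE_SIZE_MB = 512
# Assumption: a kept extension is a dot plus 1-10 ASCII alphanumerics.
_EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,10}")


def stored_name(request_path: str) -> str:
    """Return a random name that keeps only a validated extension."""
    # Only the last component of the client-supplied path is considered,
    # so directory parts such as "../" never reach the filesystem.
    leaf = request_path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(leaf)[1]
    if not _EXT_RE.fullmatch(ext):   # fullmatch also rejects trailing newlines
        ext = ""
    return secrets.token_hex(8) + ext.lower()


def upload_target(request_path: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Build the on-disk path and verify it stays inside upload_dir."""
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, stored_name(request_path)))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("upload path escapes upload directory")
    return target


def size_allowed(content_length) -> bool:
    """Reject a missing, malformed, negative or oversized Content-Length."""
    try:
        n = int(content_length)
    except (TypeError, ValueError):
        return False
    return 0 <= n <= MAX_FILE_SIZE_MB * 1024 * 1024


if __name__ == "__main__":
    # Constructed request paths, including hostile ones.
    for p in ["/file.png", "/../../etc/passwd", "/a.tar.gz", "/x.png\n", "/noext"]:
        print(repr(p), "->", os.path.basename(upload_target(p)))
    print(size_allowed("1024"), size_allowed(None), size_allowed("-1"))
```

Content-Length is client-supplied, so the body read itself should also stop once the same byte limit is reached.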

Banner

If a file named banner exists, it will be printed on startup.


Disclaimer

This software is provided for educational and demonstration purposes only.

You are responsible for how you use it.
