Vonage 2024 Hackathon Winner Spotlight: Remote Code Execution
Last updated February 13, 2025

Meet Sina Madani

At Vonage, we love seeing developers push boundaries, and during our latest company-wide hackathon, Sina Madani did just that. His project, Remote Code Execution, is a game-changer—enabling remote access to a machine without SSH or a remote desktop client.

Think about it: What if you needed to send commands to a machine across the globe but couldn’t use SSH? Sina’s solution makes that possible using Vonage APIs, Java, and networking techniques. His project is also available on GitHub.

The Challenge: Remote Access, No SSH

Secure Shell (SSH) and remote desktop clients are the go-to for remote access, but they come with limitations:

  • Firewall Restrictions – Some networks block SSH.

  • User Complexity – Setting up SSH keys and access rules isn’t always straightforward.

  • Security Concerns – Open ports can be a risk.

Sina’s approach bypasses these issues by using Vonage’s messaging and authentication APIs to send and execute commands securely.

How It Works

At its core, the project allows a user to send a command via SMS, WhatsApp, Viber, or Messenger using the Messages API, and if authenticated, the command is executed on the remote system. The output is then sent back through the same messaging channel.

Tech Stack/Pre-requisites

  • Vonage developer account with a Vonage phone number

    To buy a virtual phone number, go to your API dashboard and follow the steps shown below.

    1. Go to your API dashboard

    2. Navigate to BUILD & MANAGE > Numbers > Buy Numbers.

    3. Choose the attributes needed and then click Search

    4. Click the Buy button next to the number you want and validate your purchase

    5. To confirm you have purchased the virtual number, go to the left-hand navigation menu, under BUILD & MANAGE, click Numbers, then Your Numbers

  • Vonage Java SDK & APIs

  • Ngrok (to expose the local server securely)

  • Java 21 & Spring Boot

Behind the Scenes

Here’s the “magic” behind Sina’s project:

1. Authentication & Security First

Before executing any command, the system verifies the user via SMS authentication.

  • A one-time authentication link is sent via Silent Authentication.

  • If mobile data verification fails, a backup voice-based PIN authentication kicks in.

  • Unauthorized numbers are automatically blocklisted.

  • If a user attempts to authenticate again before timeout, they receive a wait time notification.
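The gate described in this list, as an added example that is not the project's own code. The class and method names, the two timeout values and the phone numbers are assumptions constructed for illustration; the verification step itself (link or voice PIN) is represented only by its reported outcome.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashSet;
import java.util.Set;

/** Added example with hypothetical names; not the project's code. */
public class SenderGate {
    enum Decision { BLOCKED, START_VERIFICATION, WAIT, EXECUTE }
    static final Duration VERIFY_TIMEOUT = Duration.ofMinutes(2);     // assumed value
    static final Duration SESSION_LIFETIME = Duration.ofMinutes(15);  // assumed value

    private final String allowedNumber;                  // the one permitted client (TO_NUMBER)
    private final Set<String> blocklist = new HashSet<>();
    private Instant pendingUntil = Instant.MIN;          // end of the verification attempt in flight
    private Instant verifiedUntil = Instant.MIN;         // end of the current verified session
    SenderGate(String allowedNumber) { this.allowedNumber = allowedNumber; }

    /** Decide what to do with one inbound message; nothing runs unless this returns EXECUTE. */
    synchronized Decision onMessage(String from, Instant now) {
        if (!allowedNumber.equals(from)) {
            blocklist.add(from);                         // unknown sender: record it and refuse
            return Decision.BLOCKED;
        }
        // A matching sender field is only a claim, so it starts verification instead of granting access.
        if (now.isBefore(verifiedUntil)) return Decision.EXECUTE;
        if (now.isBefore(pendingUntil)) return Decision.WAIT;   // an attempt is already pending
        pendingUntil = now.plus(VERIFY_TIMEOUT);
        return Decision.START_VERIFICATION;
    }

    /** Record the outcome reported by the verification step. */
    synchronized void onVerified(boolean success, Instant now) {
        pendingUntil = Instant.MIN;
        if (success) verifiedUntil = now.plus(SESSION_LIFETIME);
    }

    synchronized long secondsToWait(Instant now) {
        return Math.max(0, pendingUntil.getEpochSecond() - now.getEpochSecond());
    }

    public static void main(String[] args) {
        SenderGate gate = new SenderGate("15550100");           // constructed numbers and timeline
        Instant t = Instant.parse("2025-02-13T10:00:00Z");
        System.out.println(gate.onMessage("15550199", t));
        System.out.println(gate.onMessage("15550100", t));
        System.out.println(gate.onMessage("15550100", t.plusSeconds(30)) + " " + gate.secondsToWait(t.plusSeconds(30)));
        gate.onVerified(true, t.plusSeconds(60));
        System.out.println(gate.onMessage("15550100", t.plusSeconds(90)));
    }
}
```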

2. Command Execution Over Messaging

Once authenticated, the user can send a command via SMS, WhatsApp, or another supported channel. The system:

  • Receives the command

  • Runs it in a restricted shell

  • Sends back the output
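One way to constrain the execution step, as an added example that is not the project's own code and does not reproduce its restricted shell: it swaps in a command allowlist with no shell at all, plus a timeout and a reply-size cap. The class name, the allowlist, the limits and the sample messages are assumptions, and a Unix-like host is assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;

/** Added example with hypothetical names and policy values; not the project's code. */
public class AllowlistRunner {
    static final Set<String> ALLOWED = Set.of("uptime", "df", "echo");  // assumed policy
    static final long TIMEOUT_SECONDS = 5;                               // assumed limit
    static final int MAX_REPLY_CHARS = 600;                              // assumed reply budget

    static String run(String message) throws IOException, InterruptedException {
        List<String> argv = List.of(message.trim().split("\\s+"));
        if (!ALLOWED.contains(argv.get(0))) {
            return "rejected: command not on the allowlist";
        }
        Path out = Files.createTempFile("cmd-", ".out");
        try {
            // The argument vector goes straight to the program: no shell parses it,
            // so ';', '|', '>' and '$(...)' arrive as literal text.
            Process p = new ProcessBuilder(argv)
                    .redirectErrorStream(true)
                    .redirectOutput(out.toFile())   // file, not pipe: large output cannot stall the child
                    .start();
            p.getOutputStream().close();            // the command gets no stdin
            if (!p.waitFor(TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
                p.destroyForcibly();
                return "rejected: timed out after " + TIMEOUT_SECONDS + "s";
            }
            String text = new String(Files.readAllBytes(out), StandardCharsets.UTF_8);
            String body = text.length() > MAX_REPLY_CHARS
                    ? text.substring(0, MAX_REPLY_CHARS) + "...[truncated]" : text;
            return "exit " + p.exitValue() + "\n" + body;
        } finally {
            Files.deleteIfExists(out);
        }
    }

    public static void main(String[] args) throws Exception {
        for (String msg : List.of("uptime", "echo ok; id", "cat /etc/hostname", "")) {  // constructed messages
            System.out.println("> " + msg + "\n" + run(msg) + "\n");
        }
    }
}
```

Program names here are resolved through the service's PATH, so the allowlist is only as trustworthy as that environment; pinning absolute paths tightens it further.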

3. Automated Setup for Hassle-Free Deployment

  • The application dynamically assigns an available Vonage number to handle messages.

  • If needed, a new number is purchased and linked automatically.

  • Webhook URLs are updated dynamically via Vonage’s Application API.

Running the Project

If you want to try this out yourself, clone the repo and set up your .env file with:

VONAGE_API_KEY: Vonage account API key.
VONAGE_API_SECRET: Vonage account API secret.
VONAGE_APPLICATION_ID: Vonage application UUID.
VONAGE_PRIVATE_KEY_PATH: Absolute path to the private key associated with your Vonage application.
TO_NUMBER: Client phone number that is allowed to run commands.
VONAGE_HACKATHON_SERVER_URL: External URL of the server. Typically, this would be an ngrok.app URL.
VCR_PORT: Port to run the demo on. By default, this is 8080.

If you have IntelliJ IDEA installed, you can import this project and run it through the IDE, where the entry point is the Application class (src/main/java/com/vonage/hackathon/rce/Application.java).

To run the demo standalone from the command line, do:

mvn install spring-boot:run

Need help finding your API key and API Secret?

Open your API dashboard to access your Vonage API Key and Secret. Both are found on the homepage, as shown in the screenshot below.

[Screenshot: Vonage API Dashboard homepage with the 'API Key' field and the masked 'API Secret' field. Caption: API Key and API Secret]

For convenience, you can add the following to your environment variables (~/.bashrc or ~/.zshrc):

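export VCR_PORT=9080
export NGROK_URL="https://[id].ngrok.app"
export VONAGE_HACKATHON_SERVER_URL="$NGROK_URL"
# Reads the current public URL from the local ngrok agent API (port 4040)
# and rewrites the NGROK_URL line in ~/.zshrc. Requires curl and jq.
function ngrokUrl() {
    local url
    url=$(curl -s localhost:4040/api/tunnels | jq -r '.tunnels[0].public_url')
    # Do not write an empty or "null" value when ngrok is not running.
    if [ -z "$url" ] || [ "$url" = "null" ]; then
        echo "ngrok tunnel not found" >&2
        return 1
    fi
    # sed -i '' is the BSD/macOS form; with GNU sed use: sed -i "s|...|...|"
    sed -i '' "s|\(^export NGROK_URL=\).*|\1\"$url\"|" ~/.zshrc
    source ~/.zshrc && echo "$NGROK_URL"
}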

Then start the service:

ngrok http $VCR_PORT

Your Vonage webhooks will automatically update to point to your new Ngrok URL.

Conclusion

And that’s it! By using Vonage’s Java SDK, messaging capabilities, and authentication workflows, developers can build solutions that go beyond what most people do without traditional SSH or remote desktop tools – just like Sina did! If this sparked some ideas, try it out yourself! You can also join our Vonage Developer Community on Slack or follow me and/or the DevEx team on X (formerly Twitter). Let us know what you’re building—we’d love to feature your project next!

Diana Pham, Developer Advocate

Diana is a developer advocate at Vonage. She likes eating fresh oysters.
