From 3c131d0d7d4d8f48e338cefad4593b3f2b45b389 Mon Sep 17 00:00:00 2001
From: Blayne Dreier <blayne.dreier@praetorian.com>
Date: Fri, 12 Jan 2024 08:13:06 +1300
Subject: [PATCH] Added file-write using tcpdump

---
 _gtfobins/tcpdump.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/_gtfobins/tcpdump.md b/_gtfobins/tcpdump.md
index e57de31..49786f1 100644
--- a/_gtfobins/tcpdump.md
+++ b/_gtfobins/tcpdump.md
@@ -4,6 +4,12 @@ description: |
 
   In recent distributions (e.g., Debian 10 and Ubuntu 18) AppArmor limits the `postrotate-command` to a small subset of predefined commands thus preventing the execution of the following.
 functions:
+  file-write:
+    - description: It writes data to files, it may be used to do privileged writes or write files outside a restricted file system.
+      code: |
+        LFILE=file_to_write
+        USER=output_file_owner
+        tcpdump -ln -i lo -w $LFILE -c 1 -Z $USER
   command:
     - code: |
         COMMAND='id'