From 99a572b7d9c400c2080b1b4e04f8a2ad649db3b2 Mon Sep 17 00:00:00 2001 From: SleestakOverflow <75267249+sleestakoverflow@users.noreply.github.com> Date: Mon, 15 Feb 2021 21:49:13 -0600 Subject: [PATCH 1/3] Create sg.md Adding the "sg" binary which allows command execution under a "different" group ID. However, it can be used to break out of restricted environments by using a user's own group ID. --- _gtfobins/sg.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 _gtfobins/sg.md diff --git a/_gtfobins/sg.md b/_gtfobins/sg.md new file mode 100644 index 0000000..553d4eb --- /dev/null +++ b/_gtfobins/sg.md @@ -0,0 +1,19 @@ +--- +functions: + shell: + - description: Commands can be run if the current user's group is specified, therefore no additional permissions are needed. + code: | + GROUPNAME=users + sg $GROUPNAME -c "/bin/sh" + command: + - description: Commands can be run if the current user's group is specified, therefore no additional permissions are needed. + code: | + COMMAND=whoami + GROUPNAME=users + sg $GROUPNAME -c $COMMAND + sudo: + - description: Any group can be specified as the user will have root permissions. + code: | + GROUPNAME=users + sudo sg $GROUPNAME -c "/bin/sh" +--- From ec7633d6bc0246e449d8525b98ef7585a2901bd0 Mon Sep 17 00:00:00 2001 From: SleestakOverflow <75267249+sleestakoverflow@users.noreply.github.com> Date: Mon, 15 Feb 2021 21:57:15 -0600 Subject: [PATCH 2/3] Update sg.md --- _gtfobins/sg.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_gtfobins/sg.md b/_gtfobins/sg.md index 553d4eb..449c712 100644 --- a/_gtfobins/sg.md +++ b/_gtfobins/sg.md @@ -1,6 +1,6 @@ --- functions: - shell: + shell: - description: Commands can be run if the current user's group is specified, therefore no additional permissions are needed. code: | GROUPNAME=users 
@@ -8,7 +8,7 @@ functions: command: - description: Commands can be run if the current user's group is specified, therefore no additional permissions are needed. code: | - COMMAND=whoami + COMMAND=whoami GROUPNAME=users sg $GROUPNAME -c $COMMAND sudo: From 09c2605f84598aea998a5d29f66dcdbafbcce087 Mon Sep 17 00:00:00 2001 From: Andrea Cardaci Date: Tue, 16 Feb 2021 09:01:05 +0100 Subject: [PATCH 3/3] Simplify sg --- _gtfobins/sg.md | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/_gtfobins/sg.md b/_gtfobins/sg.md index 449c712..c0d1150 100644 --- a/_gtfobins/sg.md +++ b/_gtfobins/sg.md @@ -3,17 +3,8 @@ functions: shell: - description: Commands can be run if the current user's group is specified, therefore no additional permissions are needed. code: | - GROUPNAME=users - sg $GROUPNAME -c "/bin/sh" - command: - - description: Commands can be run if the current user's group is specified, therefore no additional permissions are needed. - code: | - COMMAND=whoami - GROUPNAME=users - sg $GROUPNAME -c $COMMAND + sg $(id -ng) sudo: - - description: Any group can be specified as the user will have root permissions. - code: | - GROUPNAME=users - sudo sg $GROUPNAME -c "/bin/sh" + - code: | + sudo sg root ---
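Review bot: The new `sg $(id -ng)` line drops `-c`, which leaves the choice of interpreter to sg itself — as far as I recall the shadow-utils implementation, it execs `$SHELL` when that is set and otherwise the passwd shell — so in the restricted-shell breakout scenario described in the first patch's message the spawned shell may well be the same restricted one again. Consider keeping an explicit interpreter, `sg $(id -ng) -c /bin/sh`, or at least stating the `$SHELL` dependency in the description, e.g. `description: Commands can be run if the current user's group is specified, therefore no additional permissions are needed; without -c the shell launched is $SHELL (or the login shell).`. The `sudo sg root` entry has the same property, though there the resulting root shell is normally unrestricted, so it matters less. Switching to `$(id -ng)` does remove the earlier assumption that the user belongs to `users`, since sg only skips the group-password prompt for groups the user is already a member of.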