alt Hacker NewsGTFOBins
Comments
> restic - Shell, Command, Upload
Well, now I feel a little vindicated tinkering so that my backup wouldn't run as root. Instead it runs as a regular user with read-all-files capabilities [0] and no login shell.
Of course, that's still probably overkill on my desktop, and any attacker that got that far would still be able to read basically every file on the computer and sneak backdoors into the backup...
[0] https://man7.org/linux/man-pages/man7/capabilities.7.html
I am confused. Is this saying that if you don't have access to `cat`, instead of `cat /path/to/input-file` you can use `base64 /path/to/input-file | base64 --decode`?
Or is it saying that `base64 /path/to/input-file | base64 --decode` can bypass read file permission flags?
The last time I used anything similar to this was circa 1995 at secondary school, using Windows 3.11 computers, that has been set up so you could only launch a small number of authorised applications.
One of those was Word.
In Word you could write macros and use shell to launch other applications.
Suddenly the locked down computer that exposed a handful of applications could run anything (well anything a Windows 3.11 machine in 1995 could run).
It was quite exciting at the time, I don't feel like I have hit the same sort of issues since. Ocassionally I see people say that some touch screen information displays (in shops/shopping centres etc) have ways to escape from kiosk mode (locked to an app) so you can use them for anything, I guess that is similar.
Haha, as a former maintainer to one of these tools, it makes me laugh to see someone pop a shell. Creative, nice work, nice resource.
Wouldn't it be useful to show ways to mitigate these bypasses?
For example getting a shell with more:
- Setting SHELL to /bin/false before invoking more
- Switching to less in secure mode
- if using more with sudo: NOEXEC flag
Very neat, definitely some creative approaches in there I didn't expect like `yt-dlp`. Maybe I shouldn't have that just sitting around :)
I have used this extensively while playing on hackthebox.eu
I'm not sure I get it. base64 is on the list. That can't do anything but read a file to which the user already has access, I think. Am I mistaken or does "a curated list of Unix-like executables that can be used to bypass local security restrictions in misconfigured systems" not mean what I think it does?
But you would already have to have shell access to the system to execute those commands, right?
As someone who has had to do some grub editing on the computer in an AirBnB because peripherals were all messed up on the guest account (no internet, no sound, you could only see a tiny part of the screen, I honestly don't know how they had managed to do it) I am super pleased to see this resource. Stuff like this is a bit, you know, hopefully you never need this, but when you do, it is so useful to have it.
Ok. It have hundrends o example for all sort of tools, 7z, dig, git. Those are very popular.
Question from security newbie. Why it is not used to hack all sort of servers all the time then?
The problem is ambient security, UNIX's security model.
Systems with capability-based security, such as seL4[0], do not suffer from this category of problem.
These come up in CTFs all the time. One trick I don't see here is you can use `dd` to write into the `/proc` hierarchy to achieve all sorts of fuckery including patching shellcode into a running process.
See also:
LOLBAS (https://lolbas-project.github.io/)
[dead]
Seeing the confusion in the comments I want to provide some examples of situations where this might come up in a security or CTF context:
* You have a restricted shell or other way to execute a restricted set of commands or binaries, often with arbitrary parameters. You can use GTFOBins in interesting ways to read files, write files, or even execute commands and ultimately break out of your restricted context into a shell.
* Someone allowed sudo access or set the SUID bit on a GTFOBin. Using these tricks, you may be able to read or write sensitive files or execute privileged commands in a way the person configuring sudo did not know about.