GTFOBins

https://gtfobins.org/
76•StefanBatory•1h ago

Comments

stackghost•1h ago
These come up in CTFs all the time. One trick I don't see here is you can use `dd` to write into the `/proc` hierarchy to achieve all sorts of fuckery including patching shellcode into a running process.
saagarjha•51m ago
I don't think I've used any of these in a CTF tbh
stackghost•25m ago
I've definitely used one or two in the last 6 months
saagarjha•13m ago
For what kind of challenge? Most of these are not even available in CTF environments
dominicq•38m ago
Huh? How does that work exactly? I've heard of /proc fuckery before but didn't know you could disable aslr with it.
stackghost•27m ago
Hey you know what, I've used dd to write into process memory but haven't actually used it to disable KASLR, so it's possible I am misremembering. My bad.
dominicq•24m ago
:(

Sounds super 1337 and I hope it's actually possible somehow.

jstrebel•55m ago
But you would already have to have shell access to the system to execute those commands, right?
ifh-hn•52m ago
But that sort of access is only a social engineer away. People still click on stuff in emails, or run commands because a computer says so.
DaSHacka•32m ago
Not just shell access, but the server would need to be configured to also enable your user to run any of these binaries as root (such as an administrator putting them in the sudoers file).

So they're a pretty niche attack vector, and oftentimes crop up as a result of lazy/incompetent sysadmins.

npodbielski•47m ago
Ok. It has hundreds of examples for all sorts of tools: 7z, dig, git. Those are very popular.

Question from a security newbie. Why is it not used to hack all sorts of servers all the time, then?

pech0rin•41m ago
Because you have to have shell access to the server to use any of these.
dominicq•39m ago
You need initial access. This is just a list of tools you can use if you can't spawn a standard interactive shell, for whatever reason.

It doesn't make it easier to "hack" servers, it's just a list of things that you could use once you're already inside.

DaSHacka•38m ago
It's only relevant as a privilege escalation vector when you're able to execute those programs as root, but don't otherwise have root access on the server.

It's a pretty niche circumstance. Unless an admin allows users on a server to execute some of these random types of binaries as root, it's not going to be a concern. And, if it wasn't already obvious, distros are almost never configured this way OOTB.

olmo23•25m ago
In certain circumstances, they might be :-)

But you can't "hack a server" using just these techniques: they would be a (small) part of a chain of exploits.

laserbeam•42m ago
I am confused. Is this saying that if you don't have access to `cat`, instead of `cat /path/to/input-file` you can use `base64 /path/to/input-file | base64 --decode`?

Or is it saying that `base64 /path/to/input-file | base64 --decode` can bypass read file permission flags?

dominicq•35m ago
The first thing. Invoked processes inherit the permissions of the user who invoked them (unless they have the setuid bit). It's just in case you land access to a computer which has all the standard Unix tools disabled to stop attackers from lateral movement.
DaSHacka•34m ago
If there's a file your user does not have read access to, but you have the ability to run the `base64` binary as root, you can run `base64` as root, (thus encoding the file contents as base64), then pipe the output to another base64 process to decode the file contents.

So yes, the end result is just `cat` with extra steps.

tgv•40m ago
I'm not sure I get it. base64 is on the list. That can't do anything but read a file to which the user already has access, I think. Am I mistaken or does "a curated list of Unix-like executables that can be used to bypass local security restrictions in misconfigured systems" not mean what I think it does?
david_shaw•36m ago
I think the idea is that if you're given an improperly configured restricted shell/command access, you can use any of the listed tools to gain access to some subset of what that user would normally have access to in an unrestricted environment.

A very simple version of this would be if you set a user's default shell to "rbash" but the user can just run "bash" to get a real shell.
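
A concrete version of the rbash case in the comment above, added here as an illustration; it is not part of the thread or of GTFOBins. It assumes `bash` is installed (so `bash -r` gives a restricted shell); the function names and the list of interpreters it looks for on PATH are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or GTFOBins: rbash (bash -r) as a
# "restricted shell" that still lets the user start an unrestricted bash.

# Run one command line inside a restricted bash; print its stdout only.
run_restricted() {
    bash -r -c "$1" 2>/dev/null
}

# What the restriction looks like from inside: rbash refuses cd, PATH
# changes, output redirection and any command name containing '/'.
try_cd_directly() {
    run_restricted "cd '$1' && pwd" || echo "blocked"
}

# The escape: "bash" contains no slash, so rbash resolves it through the
# inherited PATH and runs it. The child is an ordinary bash with no
# restrictions, so the same cd now succeeds.
escape_via_child_shell() {
    run_restricted "bash -c \"cd '$1' && pwd\"" || echo "blocked"
}

# The check that matters when deploying rbash: every interpreter or
# GTFOBins "shell" entry reachable from the restricted PATH is an exit.
# Prints the ones found; the list of names is this example's own.
reachable_escapes() {
    local found="" c
    for c in bash sh dash zsh ksh python3 perl vi vim less more find awk; do
        if command -v "$c" >/dev/null 2>&1; then
            found="$found $c"
        fi
    done
    printf '%s\n' "${found# }"
}

# Demo on a scratch directory (constructed input).
demo_dir=$(mktemp -d)
echo "rbash cd:          $(try_cd_directly "$demo_dir")"
echo "via child bash:    $(escape_via_child_shell "$demo_dir")"
echo "escapes on PATH:   $(reachable_escapes)"
rmdir "$demo_dir"
```

The fix is not a longer block-list: rbash is only a boundary when PATH points at one directory containing vetted binaries and none of them can spawn a shell, which is exactly what the GTFOBins "shell" sections enumerate.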

arcfour•12m ago
Maybe sudoers is configured to allow you to run base64 as root. Why would someone do this? No idea. But if you are in such a situation, now you know how to bypass the intended permissions and read any file on the system.

Or maybe you give Claude Code permission to run `base64` without review without realizing this lets it read any file, including maybe your secrets in .env or something.

RagingCactus•36m ago
Seeing the confusion in the comments I want to provide some examples of situations where this might come up in a security or CTF context:

* You have a restricted shell or other way to execute a restricted set of commands or binaries, often with arbitrary parameters. You can use GTFOBins in interesting ways to read files, write files, or even execute commands and ultimately break out of your restricted context into a shell.

* Someone allowed sudo access or set the SUID bit on a GTFOBin. Using these tricks, you may be able to read or write sensitive files or execute privileged commands in a way the person configuring sudo did not know about.
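
To turn the two situations listed above into something you can check on a host, here is an added audit script; it is not GTFOBins' tooling and not from the thread. The binary-to-capability table is a short excerpt written from memory of the GTFOBins sudo entries and should be checked against gtfobins.org before relying on it (the SUID sections differ in detail from the sudo ones); the `sudo -l` output and the SUID list are constructed samples, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not GTFOBins' own tooling: flag sudo rules and SUID binaries
# whose names are on GTFOBins and say what each one buys the caller. The
# binary table is a small hand-picked excerpt written from memory (check
# each entry on gtfobins.org); the sample inputs are constructed.

# binary -> what an unprivileged user gets when it runs as root.
gtfo_capability() {
    case "$1" in
        sh|bash|env|find|vim|vi|less|more|awk|tar|python3|perl) echo "shell" ;;
        base64|dd) echo "file-read" ;;
        tee|cp) echo "file-write" ;;
        *) return 1 ;;
    esac
}

# Read `sudo -l` output on stdin; print "<binary> <capability>" per hit.
# A rule that pins arguments is still flagged, marked restricted-args,
# because whether the pinned arguments close the hole needs a human look.
audit_sudo_rules() {
    grep -E '^[[:space:]]*\(' \
    | sed -E 's/^[^)]*\)[[:space:]]*//; s/(NOPASSWD|PASSWD|SETENV|NOEXEC|EXEC):[[:space:]]*//g' \
    | tr ',' '\n' \
    | while read -r cmd rest; do
        if [ -z "$cmd" ]; then continue; fi
        if [ "$cmd" = "ALL" ]; then echo "ALL full-root"; continue; fi
        bin="${cmd##*/}"
        cap=$(gtfo_capability "$bin") || continue
        if [ -n "$rest" ]; then
            echo "$bin $cap restricted-args"
        else
            echo "$bin $cap"
        fi
    done
}

# Read one SUID path per line (e.g. from: find / -perm -4000 -type f).
audit_suid_list() {
    while read -r path; do
        bin="${path##*/}"
        cap=$(gtfo_capability "$bin") || continue
        echo "$bin $cap"
    done
}

# Constructed sample of what `sudo -l` prints for a user "bob".
SAMPLE_SUDO_L='Matching Defaults entries for bob on host:
    env_reset, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User bob may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/base64, /usr/bin/vim
    (root) /usr/bin/find /var/log -name *.log
    (root) /usr/bin/systemctl restart nginx'

# Constructed sample of a SUID sweep.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/usr/bin/base64'

echo "== sudo rules =="; printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules
echo "== suid ==";       printf '%s\n' "$SAMPLE_SUID"   | audit_suid_list
# On a real host:  sudo -n -l 2>/dev/null | audit_sudo_rules
#                  find / -perm -4000 -type f 2>/dev/null | audit_suid_list
```

On the sample it reports `base64 file-read`, `vim shell` and `find shell restricted-args` for sudo, and `find shell` plus `base64 file-read` for SUID; `passwd` and `sudo` are SUID by design and stay silent. The one-liners for each flagged binary are on its GTFOBins page; what the script adds is the triage order (a "shell" hit is root outright, a "file-read" hit is /etc/shadow and every key on the box).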

eterm•15m ago
This is pretty relevant for things like claude-code, which has a fairly rudimentary way of dealing with permissions with block-lists and allow-lists.

I once accidentally gave my claude "powershell" permissions in one session, and after that any time it found it was blocked from using a tool, e.g. git, it would write a powershell script that did the same thing and execute the script to work around the blocked permission.

Obviously no sane system would have "powershell" in a generic allow-list, but you could imagine some discrepancy in allowed levels between tools which can be worked around with the techniques on this page.

troupo•6m ago
PowerShell or Python scripts to work around restrictions are the go-to for LLMs.

And it doesn't stop there.

Yesterday I was trying to figure out some icon issue in KDE Plasma (I know nothing about KDE). Both Claude and Codex would run complex bus and debug queries and write and execute QML scripts with more and more tools thrown into the mix.

There's no way to properly block them with just allow- and block-lists.
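
To make the point in the two comments above concrete, an added toy gate (constructed; not any agent's real permission code and not from the thread): an allow/block list keyed on the first word of the command line, the entries that make its block on `git` meaningless, and an exact-match shape that closes those particular doors. The policy contents and function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (constructed; not any agent's real permission code): a toy
# command gate keyed on argv[0], the shape of allow/block list that
# GTFOBins-style tricks walk straight through.

# Constructed policy: the operator wants git blocked but leaves a few
# "harmless" utilities and a shell on the allow-list.
ALLOWED="ls cat base64 find bash"
BLOCKED="git"

# argv[0] of a command line, directory part stripped.
argv0_of() {
    local first="${1%% *}"
    printf '%s\n' "${first##*/}"
}

# Permit (exit 0) when argv[0] is allowed and not blocked; deny otherwise.
naive_gate() {
    local a0 b a
    a0=$(argv0_of "$1")
    for b in $BLOCKED; do if [ "$a0" = "$b" ]; then return 1; fi; done
    for a in $ALLOWED; do if [ "$a0" = "$a" ]; then return 0; fi; done
    return 1
}

# Each of these runs git (or reads secrets) while the gate says "permitted".
# Prints the allow-list entry that defeats the block, one per line.
naive_gate_bypasses() {
    if naive_gate "bash -c 'git log'";                    then echo "bash";   fi
    if naive_gate "find . -maxdepth 0 -exec git log \;";  then echo "find";   fi
    if naive_gate "base64 .env";                          then echo "base64"; fi
}

# Hardened shape: the allow-list holds whole command lines, compared
# exactly, and nothing on it may spawn a shell or take -c/-exec style
# arguments. No argv[0] matching, so no interpreter smuggling.
STRICT_ALLOWED=$'git status\nls -la'

strict_gate() {
    local cmd="$1" line
    while IFS= read -r line; do
        if [ "$cmd" = "$line" ]; then return 0; fi
    done <<< "$STRICT_ALLOWED"
    return 1
}

echo "naive gate lets these past the git block: $(naive_gate_bypasses | tr '\n' ' ')"
if strict_gate "bash -c 'git log'"; then echo "strict: permitted"; else echo "strict: denied"; fi
```

Exact-match lists are still only as safe as their contents: a permitted `less somefile` or `vim notes.txt` is a shell for anyone who has read GTFOBins, so the review question for every allowed line is the one the page answers per binary, not whether the first word looks harmless.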

DaSHacka•22m ago
See also:

LOLBAS (https://lolbas-project.github.io/)
