
GTFOBins

https://gtfobins.org/
97•StefanBatory•1h ago

Comments

stackghost•1h ago
These come up in CTFs all the time. One trick I don't see here is you can use `dd` to write into the `/proc` hierarchy to achieve all sorts of fuckery including patching shellcode into a running process.
saagarjha•1h ago
I don't think I've used any of these in a CTF tbh
stackghost•46m ago
I've definitely used one or two in the last 6 months
saagarjha•34m ago
For what kind of challenge? Most of these are not even available in CTF environments
mna_•24m ago
I've used them for pwncollege CTFs but pwncollege is way below your level (I've seen some of your write ups before).
dominicq•59m ago
Huh? How does that work exactly? I've heard of /proc fuckery before but didn't know you could disable aslr with it.
stackghost•48m ago
Hey you know what, I've used dd to write into process memory but haven't actually used it to disable KASLR, so it's possible I am misremembering. My bad.
dominicq•45m ago
:(

Sounds super 1337 and I hope it's actually possible somehow.

aa-jv•18m ago
Parse /proc/<pid>/maps to find the relevant target_addr in your process-under-attack. And then it's a matter of:

    $ dd if=shellcode.bin of=/proc/<pid>/mem bs=1 seek=$((target_addr)) ...
See also: DDExec

https://github.com/arget13/DDexec

PhilipRoman•17m ago
If you have /proc available, you don't even need to disable ASLR (all mappings are available to you)
mpeg•22m ago
You learn the most random ways to abuse program features, one I still remember because of how long it took to figure it out was an htb box that (after a long exploitation path) used NTFS ADS to hide the flag within the alternate stream in a decoy file; and of course the normal way to extract the stream was disabled so had to do some black magic with other binaries to get it
jstrebel•1h ago
But you would already have to have shell access to the system to execute those commands, right?
ifh-hn•1h ago
But that sort of access is only a social engineer away. People still click on stuff in emails, or run commands because a computer says so.
DaSHacka•53m ago
Not just shell access, but the server would need to be configured to also enable your user to run any of these binaries as root (such as an administrator putting them in the sudoers file).

So they're a pretty niche attack vector, and oftentimes crop up as a result of lazy/incompetent sysadmins.

aa-jv•24m ago
Like it says in the preamble on the site, don't think of this as a collection of exploits, but rather as a compendium of knowledge about escalation techniques for use in emergencies.

I can't tell you how many times I burned my fingers as a young Unix developer in the 80's by untar'ing things wrongly, or fat-fingering an 'rm -rf /' and thus having a running system that will be catastrophic if I don't fix it before reboot, shell still active and .. what do? Consult this list of great advice and use it to rebuild the system and/or do things that need to be done that otherwise wouldn't be possible ..

GTFOBins is not just for hacking. It's also for system repair and recovery. I'd be as likely to consult this knowledge base after a hacker attack as before, if not more ..

npodbielski•1h ago
Ok. It has hundreds of examples for all sorts of tools: 7z, dig, git. Those are very popular.

Question from a security newbie. Why isn't it used to hack all sorts of servers all the time, then?

pech0rin•1h ago
Because you have to have shell access to the server to use any of these.
dominicq•1h ago
You need initial access. This is just a list of tools you can use if you can't spawn a standard interactive shell, for whatever reason.

It doesn't make it easier to "hack" servers, it's just a list of things that you could use once you're already inside.

DaSHacka•59m ago
It's only relevant as a privilege escalation vector when you're able to execute those programs as root, but don't otherwise have root access on the server.

It's a pretty niche circumstance. Unless an admin allows users on a server to execute some of these random types of binaries as root, it's not going to be a concern. And, if it wasn't already obvious, distros are almost never configured this way OOTB

arcfour•25m ago
I've seen plenty of servers in companies configured to allow sudoers to run a restricted subset of binaries as root, usually without a password. Some of them were GTFObins that the admins were not aware of until I reached out to let them know. I've also seen a couple of restricted shell setups where users could only run a handful of commands. Can't recall if I checked to see if any of them were GTFObins.

I wouldn't say this is the most useful h4x0r tool ever, but I wouldn't say it's particularly niche, either. This kinda stuff is definitely relevant in older large enterprise-type Linux/Unix environments.

olmo23•46m ago
In certain circumstances, they might be :-)

But you can't "hack a server" using just these techniques: they would be a (small) part of a chain of exploits.

asimovDev•1m ago
I think docker was used for these things before. I remember some big service had secrets in env vars and a shell access inside the docker image from an npm post install script let them evacuate these secrets
laserbeam•1h ago
I am confused. Is this saying that if you don't have access to `cat`, instead of `cat /path/to/input-file` you can use `base64 /path/to/input-file | base64 --decode`?

Or is it saying that `base64 /path/to/input-file | base64 --decode` can bypass read file permission flags?

dominicq•56m ago
The first thing. Invoked processes inherit the permissions of the user who invoked them (unless they have the setuid bit). It's just in case you land access to a computer which has all the standard Unix tools disabled to stop attackers from lateral movement.
DaSHacka•55m ago
If there's a file your user does not have read access to, but you have the ability to run the `base64` binary as root, you can run `base64` as root, (thus encoding the file contents as base64), then pipe the output to another base64 process to decode the file contents.

So yes, the end result is just `cat` with extra steps.

tgv•1h ago
I'm not sure I get it. base64 is on the list. That can't do anything but read a file to which the user already has access, I think. Am I mistaken or does "a curated list of Unix-like executables that can be used to bypass local security restrictions in misconfigured systems" not mean what I think it does?
david_shaw•57m ago
I think the idea is that if you're given an improperly configured restricted shell/command access, you can use any of the listed tools to gain access to some subset of what that user would normally have access to in an unrestricted environment.

A very simple version of this would be if you set a user's default shell to "rbash" but the user can just run "bash" to get a real shell.

arcfour•33m ago
Maybe sudoers is configured to allow you to run base64 as root. Why would someone do this? No idea. But if you are in such a situation, now you know how to bypass the intended permissions and read any file on the system.

Or maybe you give Claude Code permission to run `base64` without review without realizing this lets it read any file, including maybe your secrets in .env or something.

RagingCactus•57m ago
Seeing the confusion in the comments I want to provide some examples of situations where this might come up in a security or CTF context:

* You have a restricted shell or other way to execute a restricted set of commands or binaries, often with arbitrary parameters. You can use GTFOBins in interesting ways to read files, write files, or even execute commands and ultimately break out of your restricted context into a shell.

* Someone allowed sudo access or set the SUID bit on a GTFOBin. Using these tricks, you may be able to read or write sensitive files or execute privileged commands in a way the person configuring sudo did not know about.
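
A defender-side check for the second situation above (and for the "restricted subset of binaries as root" sudoers setups arcfour describes further up), as an added example that is not code from GTFOBins or from any commenter: it parses sudoers-style rules from a constructed sample and flags rules that grant root on a binary from a small, hand-picked subset of GTFOBins names (the subset and the sample rules are assumptions for the example, not the full catalogue).

```python
import os
import re

# Hand-picked subset of binaries listed on GTFOBins (assumption for this
# example, not the project's full list); all of these appear in the thread.
GTFOBINS_SAMPLE = {"base64", "dd", "vim", "find", "less", "tar", "7z", "git", "dig", "python3"}

# Constructed sudoers fragment, not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
alice  ALL=(ALL) NOPASSWD: /usr/bin/base64, /usr/bin/systemctl
%ops   ALL=(root) /usr/bin/tar, /usr/bin/journalctl
bob    ALL=(ALL) ALL
carol  ALL= /usr/bin/less
"""

# user/group, host=, optional (runas), optional TAG: prefixes, then commands.
SUDOERS_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Yield (who, runas, [commands]) per rule line; comments, Defaults and
    lines that are not user specifications are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        yield m.group("who"), m.group("runas") or "root", cmds


def flag_gtfobins_rules(text, known=GTFOBINS_SAMPLE):
    """Return (who, command) pairs where a rule grants a known GTFOBin, plus
    unrestricted 'ALL' grants, in file order."""
    findings = []
    for who, _runas, cmds in parse_sudoers(text):
        for cmd in cmds:
            if cmd == "ALL":
                findings.append((who, "ALL (unrestricted)"))
                continue
            binary = os.path.basename(cmd.split()[0])  # ignore arguments
            if binary in known:
                findings.append((who, cmd))
    return findings


if __name__ == "__main__":
    for who, cmd in flag_gtfobins_rules(SAMPLE_SUDOERS):
        print(f"{who}: {cmd}")
```

On a real host the input would be the output of `sudo -l` or the sudoers files, and the known-binary set would be the full GTFOBins index rather than this subset.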

eterm•36m ago
This is pretty relevant for things like claude-code, which has a fairly rudimentary way of dealing with permissions with block-lists and allow-lists.

I once accidentally gave my claude "powershell" permissions in one session, and after that any time it found it was blocked from using a tool, e.g. git, it would write a powershell script that did the same thing and execute the script to work around the blocked permission.

Obviously no sane system would have "powershell" in a generic allow-list, but you could imagine some discrepancy in allowed levels between tools which can be worked around with the techniques on this page.

troupo•27m ago
PowerShell or Python scripts to work around restrictions are the go-to for LLMs.

And it doesn't stop there.

Yesterday I was trying to figure out some icons issue in KDE Plasma (I know nothing about KDE). Both Claude and Codex would run complex bus and debug queries and write and execute QML scripts with more and more tools thrown into the mix.

There's no way to properly block them with just allow- and block-lists.

ebonnafoux•10m ago
At a previous employer, they blocked the chmod command. I got into the habit of running python -c "import os; os.chmod('my_file',744)".

Glad to see LLM re-discover this trick.

DaSHacka•43m ago
See also:

LOLBAS (https://lolbas-project.github.io/)

regecks•25m ago
Haha, as a former maintainer of one of these tools, it makes me laugh to see someone pop a shell. Creative, nice work, nice resource.
alex-moon•5m ago
As someone who has had to do some grub editing on the computer in an AirBnB because peripherals were all messed up on the guest account (no internet, no sound, you could only see a tiny part of the screen, I honestly don't know how they had managed to do it) I am super pleased to see this resource. Stuff like this is a bit, you know, hopefully you never need this, but when you do, it is so useful to have it.
