GTFOcli
it's a Command Line Interface for easy binaries search commands that can be used to bypass local security restrictions in misconfigured systems.
Installation
Using go
:
go install github.com/cmd-tools/gtfocli@latest
Using homebrew
:
brew tap cmd-tools/homebrew-tap
brew install gtfocli
Using docker
:
docker pull cmdtoolsowner/gtfocli
Usage
Search for unix binaries
Search for binary tar
:
gtfocli search tar
Search for binary tar
from stdin
:
echo "tar" | gtfocli search
Search for binaries located into file;
cat myBinaryList.txt
/bin/bash
/bin/sh
tar
arp
/bin/tail
gtfocli search -f myBinaryList.txt
Search for windows binaries
Search for binary Winget.exe
:
gtfocli search Winget --os windows
Search for binary Winget
from stdin
:
echo "Winget" | gtfocli search --os windows
Search for binaries located into file:
cat windowsExecutableList.txt
Winget
c:\\Users\\Desktop\\Ssh
Stordiag
Bash
c:\\Users\\Runonce.exe
Cmdkey
c:\dir\subDir\Users\Certreq.exe
gtfocli search -f windowsExecutableList.txt --os windows
Search for binary Winget
and print output in yaml
format (see -h
for available formats):
gtfocli search Winget -o yaml --os windows
Search using dockerized solution
Examples:
Search for binary Winget
and print output in yaml
format:
docker run -i cmdtoolsowner/gtfocli search Winget -o yaml --os windows
Search for binary tar
and print output in json
format:
echo 'tar' | docker run -i cmdtoolsowner/gtfocli search -o json
Search for binaries located into file mounted as volume in the container:
cat myBinaryList.txt
/bin/bash
/bin/sh
tar
arp
/bin/tail
docker run -i -v $(pwd):/tmp cmdtoolsowner/gtfocli search -f /tmp/myBinaryList.txt
CTF
An example of common use case for gtfocli
is together with find
:
find / -type f \( -perm 04000 -o -perm -u=s \) -exec gtfocli search {} \; 2>/dev/null
or
find / -type f \( -perm 04000 -o -perm -u=s \) 2>/dev/null | gtfocli search
Credits
Thanks to GTFOBins and LOLBAS, without these projects gtfocli
would never have come to light.
Contributing
You want to contribute to this project? Wow, thanks! So please just fork it and send a pull request.