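#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Made by AGS on 24/06/19
"""Report which commands available on a host are listed on GTFOBins.

Reference: https://gtfobins.github.io/

A match only means that a binary with that name is present. It becomes an
actual privilege-escalation risk only when the binary can also be run with
elevated rights (sudo rule, setuid bit, file capability, ...), so every
match still has to be reviewed against the host's configuration.

Modes:
    0   Collect command names from the standard binary directories.
        Usage example: python3 gtfobins_checker.py 0
    1   Read command names from a file, one name per line.
        Usage example: python3 gtfobins_checker.py 1 list_function.txt
"""

import os
import sys

# Command names listed on gtfobins.github.io when the script was written.
# The site is updated over time, so refresh this list before relying on a
# negative result.
lst_cmd_gtfobin = [
    "apt-get", "apt", "aria2c", "arp", "ash", "awk", "base64", "bash",
    "busybox", "cancel", "cat", "chmod", "chown", "cpan", "cp", "cpulimit",
    "crontab", "csh", "curl", "cut", "dash", "date", "dd", "diff", "dmesg",
    "dmsetup", "dnf", "docker", "dpkg", "easy_install", "ed", "emacs", "env",
    "expand", "expect", "facter", "file", "find", "finger", "flock", "fmt",
    "fold", "ftp", "gdb", "gimp", "git", "grep", "head", "ionice", "ip",
    "irb", "jjs", "journalctl", "jq", "jrunscript", "ksh", "ld", "less",
    "logsave", "ltrace", "lua", "mail", "make", "man", "more", "mount", "mtr",
    "mv", "mysql", "nano", "nc", "nice", "nl", "nmap", "node", "od",
    "openssl", "perl", "pg", "php", "pic", "pico", "pip", "puppet", "python",
    "readelf", "red", "rlogin", "rlwrap", "rpm", "rpmquery", "rsync", "ruby",
    "run-mailcap", "run-parts", "rvim", "scp", "screen", "script", "sed",
    "service", "setarch", "sftp", "shuf", "smbclient", "socat", "sort",
    "sqlite3", "ssh", "start-stop-daemon", "stdbuf", "strace", "systemctl",
    "tail", "tar", "taskset", "tclsh", "tcpdump", "tee", "telnet", "tftp",
    "time", "timeout", "tmux", "ul", "unexpand", "uniq", "unshare", "vi",
    "vim", "watch", "wget", "whois", "wish", "xargs", "xxd", "yum", "zip",
    "zsh", "zypper",
]

# Directories scanned in mode 0. The original listed 'usr/sbin' and
# 'usr/local/bin' without the leading slash, which made them relative to the
# current working directory instead of the system locations.
SEARCH_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")


def list_local_commands(directories=SEARCH_DIRS):
    """Return the sorted, de-duplicated entry names found in *directories*.

    Directories that do not exist or cannot be read are skipped, so one
    missing location does not abort the whole inventory.
    """
    names = set()
    for directory in directories:
        try:
            names.update(os.listdir(directory))
        except OSError:
            continue
    return sorted(names)


def read_commands_from_file(path):
    """Return the sorted, de-duplicated command names stored in *path*.

    The file holds one command name per line; surrounding whitespace and
    blank lines are ignored. Raises OSError if the file cannot be opened.
    """
    # The context manager closes the handle; the original never closed it.
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        names = {line.strip() for line in handle}
    names.discard("")
    return sorted(names)


def find_matches(local_cmds):
    """Return the entries of *local_cmds* that appear in the GTFOBins list.

    Input order is preserved. Matching is by exact name only; it says
    nothing about the permissions the binary runs with.
    """
    known = frozenset(lst_cmd_gtfobin)
    return [cmd for cmd in local_cmds if cmd in known]


def main(argv=None):
    """Run the checker and return a process exit code.

    Returns 0 on success, 1 if the input file cannot be read and 2 on a
    usage error (missing or unknown mode, missing file argument).
    """
    argv = sys.argv if argv is None else argv
    usage = "Usage: {} MODE [FILE]".format(argv[0])

    # The original tested the non-existent `sys.len` and kept running after
    # printing the usage line, so a bare invocation crashed either way.
    if len(argv) < 2:
        print(usage, file=sys.stderr)
        return 2

    mode = argv[1]
    if mode == "0":
        print("mode Zero")
        local_cmds = list_local_commands()
    elif mode == "1":
        if len(argv) < 3:
            print(usage, file=sys.stderr)
            return 2
        print("Mode 1")
        try:
            local_cmds = read_commands_from_file(argv[2])
        except OSError as err:
            print("Cannot read {}: {}".format(argv[2], err), file=sys.stderr)
            return 1
    else:
        # An unknown mode used to fall through to the match loop and fail
        # with NameError because the command list was never assigned.
        print(usage, file=sys.stderr)
        return 2

    for lcl_cmd in find_matches(local_cmds):
        print("It's a match: " + lcl_cmd)
    return 0


if __name__ == "__main__":
    sys.exit(main())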