
Living off the land in Linux!


Last year a coworker shared with me the excellent https://gtfobins.github.io/ website, a compendium of techniques to abuse misconfigurations in Linux binaries. It’s an open source project and its code can be found on GitHub at https://github.com/GTFOBins/GTFOBins.github.io.

I wanted to build a discovery tool leveraging this data set. I had some time on a weekend and created https://github.com/juliendoutre/gogtfobins/ to do so. It’s a Go CLI built with the cobra library, exposing three commands:

  • gogtfobins list to list all binaries available on the host and the functions each of them can provide
  • gogtfobins describe BINARY to print some details about a specific binary
  • gogtfobins exploit BINARY FUNCTION to run an exploit for a binary

Here is a more concrete example:

# List all available binaries allowing for opening a reverse shell on the current host.
gogtfobins list --function reverse-shell
# Print possible exploits for the docker binary.
gogtfobins describe docker
# Get a reverse-shell using the docker binary.
gogtfobins exploit docker reverse-shell

You can install it easily with homebrew:

brew tap juliendoutre/gogtfobins https://github.com/juliendoutre/gogtfobins
brew install gogtfobins

or download a built binary from the available releases.

The GTFOBins data is embedded with a Go embed directive and then used to build both an index and a reverse index. Commands simply query this index. You can reuse this data structure in your own project, as it is exposed in a Go module:

go get github.com/juliendoutre/gogtfobins
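
To show what the index and reverse index described above look like, here is an added example (not code from gogtfobins, and not its API) that an auditor could adapt to inventory which listed binaries exist on a host. The names sampleData, Index, BuildIndex and Present are hypothetical, and the sample data is constructed and held in a constant rather than loaded through an embed directive.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// sampleData is constructed for this example (not real GTFOBins content), one "binary: functions" entry per line.
const sampleData = `docker: shell,file-read,sudo
find: shell,suid,sudo
nc: reverse-shell,bind-shell`

// Index holds binary -> functions (Forward) and function -> binaries (Reverse).
type Index struct{ Forward, Reverse map[string][]string }

// BuildIndex parses the data once and fills both maps in the same pass.
func BuildIndex(data string) Index {
	idx := Index{map[string][]string{}, map[string][]string{}}
	for _, line := range strings.Split(data, "\n") {
		name, funcs, ok := strings.Cut(line, ":")
		if !ok {
			continue // skip blank or malformed lines
		}
		name = strings.TrimSpace(name)
		for _, f := range strings.Split(funcs, ",") {
			if f = strings.TrimSpace(f); f != "" {
				idx.Forward[name] = append(idx.Forward[name], f)
				idx.Reverse[f] = append(idx.Reverse[f], name)
			}
		}
	}
	return idx
}

// Present returns the binaries indexed under fn that lookup resolves on this host.
func (i Index) Present(fn string, lookup func(string) (string, error)) []string {
	var found []string
	for _, bin := range i.Reverse[fn] {
		if _, err := lookup(bin); err == nil {
			found = append(found, bin)
		}
	}
	return found
}

func main() {
	fmt.Println("sudo-listed binaries on PATH:", BuildIndex(sampleData).Present("sudo", exec.LookPath))
}
```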

Let me know if anything is missing or if you find a bug by opening an issue.

See you next time 👋