Privilege Escalation · Term

What is GTFOBins?

GTFOBins is a community list of how ordinary Unix binaries can be misused to escalate privileges, read files, or get a shell. It turns a SUID or sudo finding into a working exploit in seconds. Here is what it is and how defenders should use it.

TL;DR

GTFOBins is a curated, community reference that documents how legitimate Unix binaries can be abused to break out of restricted environments, escalate privileges, read or write files, or spawn a shell. For each binary it lists the exact technique under contexts like SUID, sudo, and capabilities. Attackers use it to turn a privesc finding into a working exploit instantly; defenders use the same list to know which binaries are dangerous to leave SUID or sudo-allowed.

By John Dill, Red Team Lead, SecureLayer7

What GTFOBins is

Many standard Unix programs can do more than their obvious job: an editor can run shell commands, a file tool can read any file. GTFOBins catalogues those behaviours: for each binary, it shows how to abuse it under different conditions.

The contexts that matter for privilege escalation are SUID (the binary is SUID-root), sudo (you are allowed to run it via sudo), and capabilities (it carries a powerful capability). For each, GTFOBins gives the exact command that escalates.

How it is used and payload

After enumeration reveals a SUID binary or a sudo-allowed command, the attacker looks it up:

  • Found a SUID find? GTFOBins gives: find . -exec /bin/sh -p \; -quit
  • Allowed sudo awk? GTFOBins gives: sudo awk 'BEGIN {system("/bin/sh")}'
  • A binary with cap_setuid? GTFOBins gives the interpreter one-liner.

It converts "this binary is privileged" into "here is the root shell." Shown for defensive context, since the same list tells defenders exactly what to lock down.

How defenders use it

  • Cross-check every SUID binary and sudo rule against GTFOBins; remove or restrict anything that appears.
  • Avoid SUID and sudo on GTFOBins-listed interpreters and tools (find, awk, python, vim, tar, and many more).
  • Prefer purpose-built, minimal binaries for privileged tasks.
  • Re-audit after changes, since new SUID files or sudo rules can introduce a listed binary.
  • Treat a GTFOBins match as a finding, not a maybe.
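The first and fourth points above (cross-check every SUID binary, capability and sudo rule, then re-audit after changes) are easy to script. The following POSIX shell audit is an added example written for this page; it is not code from GTFOBins or SecureLayer7. It cross-checks the three contexts the page names (SUID, capabilities, sudo) against a deliberately short, constructed subset of GTFOBins binary names; the real list is far longer and should be fetched from the site itself. The function names and the sample host output are assumptions made up for the example.

```shell
#!/bin/sh
# Added defensive audit example (not GTFOBins' or SecureLayer7's code).
# Flags SUID files, file capabilities and sudo rules whose binary name
# appears on a constructed subset of GTFOBins entries.

# Constructed, deliberately incomplete subset of GTFOBins names (placeholder).
GTFO_SUBSET="awk bash env find less more nano perl python python3 sh tar vim"

# is_listed NAME: succeed (exit 0) if NAME is in the subset above.
is_listed() {
    for b in $GTFO_SUBSET; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# flag_paths: read lines of "/path/to/bin [anything else]" on stdin, the shape
# produced by find(1), getcap(8) and a sudo -l command list, and print each
# path whose basename is listed. Exit 0 if at least one match, 1 if none.
flag_paths() {
    found=1
    while IFS= read -r line; do
        line=${line#"${line%%[! ]*}"}   # strip leading blanks
        path=${line%% *}                # keep only the first word (the path)
        [ -z "$path" ] && continue
        if is_listed "${path##*/}"; then
            printf 'LISTED: %s\n' "$path"
            found=0
        fi
    done
    return $found
}

# flag_sudo_rules: read "sudo -l" style output, e.g.
#   (ALL : ALL) NOPASSWD: /usr/bin/awk, /usr/bin/systemctl status
# keep only the command list after the last ": ", split it on commas and
# hand the commands to flag_paths. Header lines (no parentheses) are skipped.
flag_sudo_rules() {
    while IFS= read -r line; do
        case $line in
            *\)*:*) printf '%s\n' "${line##*: }" | tr ',' '\n' ;;
        esac
    done | flag_paths
}

# Live use on a host (read-only enumeration; root is needed to see everything):
#   find / -xdev -perm -4000 -type f 2>/dev/null | flag_paths
#   getcap -r / 2>/dev/null | flag_paths
#   sudo -l 2>/dev/null | flag_sudo_rules

# Constructed sample host output (not from a real system) to show the report.
sample_suid='/usr/bin/passwd
/usr/bin/find
/usr/bin/sudo'
sample_caps='/usr/bin/ping cap_net_raw=ep
/usr/local/bin/python3 cap_setuid=ep'
sample_sudo='User alice may run the following commands on host:
    (ALL : ALL) NOPASSWD: /usr/bin/awk, /usr/bin/systemctl status'

demo() {
    echo "# SUID";         printf '%s\n' "$sample_suid" | flag_paths
    echo "# capabilities"; printf '%s\n' "$sample_caps" | flag_paths
    echo "# sudo";         printf '%s\n' "$sample_sudo" | flag_sudo_rules
}

demo
```

Two caveats when running this for real: matching is by basename, so Debian-style names such as vim.basic or symlinked interpreters need normalising before the lookup, and a sudo rule of ALL never matches a basename even though it grants everything, so treat it as a finding on its own. As the page says, a match is a finding, not a maybe; the script's non-zero exit when nothing is listed makes it usable as a gate in a configuration re-audit.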
