Ethical Hacking Crash Course


Metasploitable 2 – Privilege Escalation

GTFOBins – shell breakout

GTFOBins is a curated list of Unix binaries that can be exploited to bypass local security restrictions on a target system. It documents legitimate binaries that can be abused for tasks such as file read/write, code execution, or privilege escalation, often without triggering security alerts. One practical application of GTFOBins is using a tool like Nmap to escalate privileges on a compromised system.

One of the escalation paths we see on this machine is a potential SUID breakout through an older version of nmap that is installed there:

We can visit GTFOBins at https://gtfobins.github.io/ and do a search for nmap:

Visiting the page, we can see that there is a potential for us to break out of the shell and gain root access to the target. This is due to the nmap binary having the setuid (SUID) bit set, which allows the binary to be executed as the root user.

From the instructions on the page we run the following commands:

nmap --interactive
!sh

Running whoami, we verify that we are the root user.
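As an added defensive check (not code from the course or from GTFOBins), the following POSIX shell audit lists setuid-root binaries on a host and flags the ones whose name is on a watchlist; nmap is the only entry here because it is the binary this lesson covers. The helper names are hypothetical and the sample paths are constructed.

```shell
#!/bin/sh
# Added defensive audit (hypothetical helpers, not course or GTFOBins code):
# find setuid-root binaries and flag those a watchlist marks as shell-escape
# capable. nmap is the entry this lesson demonstrates; extend WATCHLIST from
# the GTFOBins SUID category for your own baseline.

WATCHLIST="nmap"

# flag_suid_paths PATHS
#   PATHS is a newline-separated list (for example the output of find).
#   Prints every path whose basename is in WATCHLIST, one per line.
flag_suid_paths() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        for w in $WATCHLIST; do
            if [ "$name" = "$w" ]; then
                printf '%s\n' "$path"
            fi
        done
    done
}

# is_setuid PATH: succeeds when PATH is a regular file with the setuid bit set.
is_setuid() {
    if [ -f "$1" ] && [ -u "$1" ]; then return 0; fi
    return 1
}

# scan_host: live check of this machine. Only setuid files owned by root
# matter for the root escalation shown in the lesson.
scan_host() {
    flag_suid_paths "$(find / -xdev -type f -user root -perm -4000 2>/dev/null)"
}

# Remediation for a flagged nmap: drop the setuid bit (run as root):
#   chmod u-s /usr/bin/nmap
# Afterwards, nmap's interactive mode can only spawn a shell as the caller.

# Constructed sample standing in for find output on a Metasploitable-like host.
SAMPLE='/usr/bin/passwd
/usr/bin/nmap
/bin/su
/usr/local/bin/nmap'

# Example run on the constructed sample: prints the two nmap paths.
flag_suid_paths "$SAMPLE"
```

Replace the sample with `scan_host` to audit a real host, and re-run after `chmod u-s` to confirm the path no longer appears.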