gtfo is the local CLI for the GTFOBins database (461 Unix binaries). Use it to look up privilege escalation, shell spawning, file read/write, SUID/sudo abuse, and reverse shell techniques. It works offline, reads fast, and outputs ready-to-use bash.
```bash
gtfo <binary>                 # All techniques for a binary
gtfo <binary> -f <type>       # Filter to one technique type
gtfo -s <partial>             # Fuzzy search by name
gtfo -s <partial> -f <type>   # Fuzzy search + filter
gtfo -l                       # List all 461 binaries
gtfo -l -f <type>             # List all binaries with a specific technique
gtfo -i                       # Interactive mode with tab-complete
```

| Type | When to use |
|---|---|
| `shell` | Spawn interactive shell from restricted context |
| `command` | Execute arbitrary OS commands |
| `sudo` | Binary is in sudoers — look up the escape |
| `suid` | Binary has SUID bit set |
| `limited-suid` | SUID but restricted (e.g., drops privs in some cases) |
| `capabilities` | Binary has Linux capabilities (e.g., cap_setuid) |
| `reverse-shell` | Interactive reverse shell |
| `non-interactive-reverse-shell` | Non-interactive reverse shell (useful when tty is unavailable) |
| `bind-shell` | Bind shell listener on target |
| `non-interactive-bind-shell` | Non-interactive bind shell |
| `file-read` | Read arbitrary files |
| `file-write` | Write arbitrary files |
| `file-upload` | Exfiltrate files |
| `file-download` | Pull files to target |
| `library-load` | Load a shared library (.so) — useful for privesc via LD_PRELOAD paths |

Start with the unfiltered lookup. gtfo <binary> shows everything — don't pre-filter until you know what context you're working in.
```bash
gtfo python3
```

Once you know the scenario, filter. If python3 is in sudoers:

```bash
gtfo python3 -f sudo
```

If it has the SUID bit:

```bash
gtfo python3 -f suid
```

For capability abuse, first confirm with getcap:

```bash
getcap -r / 2>/dev/null
# if you see python3 = cap_setuid+ep → gtfo python3 -f capabilities
```

Don't know the exact binary name? Fuzzy search it:

```bash
gtfo -s perl            # matches perl, perl5, etc.
gtfo -s ruby -f sudo
```

Discovering what's exploitable on a box:

```bash
# cross-reference sudo -l output against:
gtfo -l -f sudo
# cross-reference find / -perm -4000 output against:
gtfo -l -f suid
```

Output is sectioned by technique type:

```
---------- [ SUDO ] ----------
sudo python3 -c 'import os; os.system("/bin/sh")'
```

Placeholders to substitute:
| Placeholder | Meaning |
|---|---|
| `$RHOST` | Attacker IP |
| `$RPORT` | Listener port on attacker |
| `$LFILE` | Target file path (for read/write) |
| `$LPORT` | Local port (bind shells) |

Some techniques have a comment block above the code describing prerequisites — read it. For reverse shells it often tells you what to run on the attacker side first (e.g., socat, nc).
- Run `sudo -l` → any binaries listed? → `gtfo <binary> -f sudo`
- Run `find / -perm -4000 -type f 2>/dev/null` → SUID binaries? → `gtfo <binary> -f suid`
- Run `getcap -r / 2>/dev/null` → capabilities? → `gtfo <binary> -f capabilities`
- Writable path with a known binary? → `gtfo <binary> -f file-write`
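
The cross-referencing step from the checklist above, as an added example (not part of gtfo or the original page): it intersects a list of discovered binary paths with a list of known binary names so an audit can flag which ones to review. The function names, the sample data, and the one-name-per-line format of the names file are assumptions; the page does not show the output format of `gtfo -l -f <type>`.

```shell
#!/bin/sh
# Added example: intersect discovered binary paths with a list of known names.
# Assumption: NAMES_FILE holds one binary name per line. The real output of
# `gtfo -l -f <type>` is not shown on the page and may need trimming into
# this shape first.

# cross_ref NAMES_FILE PATHS_FILE  (hypothetical helper)
# Prints every path from PATHS_FILE whose basename appears in NAMES_FILE.
cross_ref() {
    names_file=$1
    paths_file=$2
    while IFS= read -r path; do
        [ -n "$path" ] || continue      # skip blank lines
        base=${path##*/}                # basename without forking
        # -x: whole-line match, so "vi" does not match "vim".
        # -F: fixed string, so names like "c++" are not read as regex.
        if grep -qxF -- "$base" "$names_file"; then
            printf '%s\n' "$path"
        fi
    done < "$paths_file"
}

# Constructed sample data (not real tool output).
demo() {
    tmp=$(mktemp -d) || return 1
    # Stand-in for a names list such as the one behind `gtfo -l -f suid`.
    printf '%s\n' find vim python3 tee > "$tmp/names"
    # Stand-in for `find / -perm -4000 -type f 2>/dev/null`.
    printf '%s\n' /usr/bin/passwd /usr/bin/find /usr/bin/vi \
        /usr/local/bin/python3 /usr/bin/python3.11 > "$tmp/paths"
    cross_ref "$tmp/names" "$tmp/paths"
    rm -rf "$tmp"
}

demo
```

Matching is on the exact basename, so a versioned name such as `python3.11` is not reported for `python3`; normalise such names before comparing if the host uses them.
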

```bash
gtfo <binary> -f shell
```

Common escapes: vi, vim, less, man, awk, find, nmap (older versions), python, perl, ruby, lua, gcc.

If cat is blocked or you need to avoid leaving obvious logs:
```bash
gtfo -l -f file-read    # see what's available
gtfo less -f file-read
gtfo tee -f file-read
```

Writing to /etc/passwd, cron files, or writable sudoers:

```bash
gtfo tee -f file-write
gtfo dd -f file-write
```

- Output is display-only — `gtfo` shows techniques, it doesn't execute them.
- Code is bash. On targets with only `/bin/sh`, drop bash-specific syntax (`$()`, `[[ ]]`).
- Multiple techniques for the same type are separated by dashes — try them in order; some require specific binary versions.
- For reverse shells, `gtfo` shows attacker-side setup in comments. Don't skip that part.
- When a technique uses `import pty` or similar — that's for shell stabilization, not the exploit itself.