Privilege escalation entries include chmod, chown, cp, install, ln, mount, mv, passwd, setcap, setfacl – standard admin tools that become attack surface when writable by low-privilege users.
Dev toolchain binaries carry full shell or file-access tags: git, npm, pip, cargo, docker, kubectl, python, ruby, perl – relevant for container and CI escape scenarios.
The Inherit tag marks binaries that pass elevated privileges to child processes, enabling privilege chain attacks through otherwise-innocuous launchers.
Network egress is covered via curl, wget, openssl, nc, socat, ssh, rsync, and ftp – useful for both exfil modeling and egress filtering reviews.
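A host-side check built from the three categories above, as an added example that is not part of the original page or of GTFOBins: it flags listed binaries that are setuid, setgid or world-writable. The function names, the scanned directories and the `EXPECTED_SETUID` allowance are assumptions, and file capabilities are not inspected.

```python
import os
import re
import stat

# Binary names taken from the three categories listed above.
CATEGORIES = {
    "privilege-escalation": {"chmod", "chown", "cp", "install", "ln", "mount",
                             "mv", "passwd", "setcap", "setfacl"},
    "dev-toolchain": {"git", "npm", "pip", "cargo", "docker", "kubectl",
                      "python", "ruby", "perl"},
    "network-egress": {"curl", "wget", "openssl", "nc", "socat", "ssh",
                       "rsync", "ftp"},
}
# Assumption: many distributions ship these setuid root by default.
EXPECTED_SETUID = {"mount", "passwd"}

def classify(path, mode):
    """Return a finding for one file, or None if there is nothing to report."""
    # Strip version suffixes so python3.11 and pip3 match python and pip.
    name = re.sub(r"[\d.]+$", "", os.path.basename(path))
    category = next((c for c, n in CATEGORIES.items() if name in n), None)
    if category is None or not stat.S_ISREG(mode):
        return None
    flags = {"setuid": stat.S_ISUID, "setgid": stat.S_ISGID,
             "world-writable": stat.S_IWOTH}
    reasons = [label for label, bit in flags.items() if mode & bit]
    if not reasons:
        return None
    expected = reasons == ["setuid"] and name in EXPECTED_SETUID
    return {"path": path, "category": category, "reasons": reasons,
            "severity": "review" if expected else "high"}

def audit(dirs=("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin")):
    """Scan directories (deduplicated by real path) without following symlinks."""
    findings = []
    for d in sorted({os.path.realpath(d) for d in dirs}):
        try:
            entries = list(os.scandir(d))
        except OSError:
            continue  # directory missing or unreadable
        for e in entries:
            f = classify(e.path, e.stat(follow_symlinks=False).st_mode)
            if f:
                findings.append(f)
    return findings

if __name__ == "__main__":
    for f in audit():
        print(f["severity"], f["category"], ",".join(f["reasons"]), f["path"])
```

Run it unprivileged on a host or inside a container image; any `high` line is a listed binary carrying a permission bit it does not normally need.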
Hacker News Comment Review
One commenter flagged a gap: dd writes into the /proc hierarchy to disable KASLR or patch shellcode into a live process – a kernel-level technique GTFOBins does not currently document.
No broader consensus discussion yet given low comment volume at time of fetch.
Notable Comments
@stackghost: notes dd + /proc can disable KASLR or inject shellcode into a running process, a vector absent from the GTFOBins list.