
[REVIEW-64] Add GTFOBins validation skill and pentest tests for all builtins#34

Open
kathy-dd wants to merge 1 commit into main from kathy.nguyen/review-64-gtfo-pentest

Conversation


@kathy-dd kathy-dd commented Mar 10, 2026

Validate that every shell builtin with a GTFOBins entry is protected against documented attack patterns. Adds 11 tests across cat, head, tail, and wc confirming sandbox enforcement, flag rejection, and path traversal prevention block all known file-read techniques.

Summary

  ┌──────────┬────────────────┬───────────┬─────────────┐
  │ Command  │ GTFOBins Entry │ Functions │   Status    │
  ├──────────┼────────────────┼───────────┼─────────────┤
  │ cat      │ Yes            │ File Read │ All blocked │
  ├──────────┼────────────────┼───────────┼─────────────┤
  │ echo     │ No             │ N/A       │ Not listed  │
  ├──────────┼────────────────┼───────────┼─────────────┤
  │ head     │ Yes            │ File Read │ All blocked │
  ├──────────┼────────────────┼───────────┼─────────────┤
  │ tail     │ Yes            │ File Read │ All blocked │
  ├──────────┼────────────────┼───────────┼─────────────┤
  │ wc       │ Yes            │ File Read │ All blocked │
  ├──────────┼────────────────┼───────────┼─────────────┤
  │ true     │ No             │ N/A       │ Not listed  │
  ├──────────┼────────────────┼───────────┼─────────────┤
  │ false    │ No             │ N/A       │ Not listed  │
  ├──────────┼────────────────┼───────────┼─────────────┤
  │ exit     │ No             │ N/A       │ Not listed  │
  ├──────────┼────────────────┼───────────┼─────────────┤
  │ break    │ No             │ N/A       │ Not listed  │
  ├──────────┼────────────────┼───────────┼─────────────┤
  │ continue │ No             │ N/A       │ Not listed  │
  └──────────┴────────────────┴───────────┴─────────────┘

Notable finding: head -c-0 behavior

The GTFOBins technique head -c-0 is interesting. In GNU head, -c-0 means "output all bytes except the last 0" = the entire file. In rshell, pflag parses -c-0 as flag -c with value "-0", and strconv.ParseInt("-0", 10, 64) returns 0 (not negative). So the command outputs 0 bytes — safely producing no output. The attack is neutralized because rshell doesn't implement GNU's negative-count "elide from tail" mode. This is safer than GNU.

11 GTFOBins validation tests written across 4 builtins, all passing. No exploitable attack vectors found — the shell's AllowedPaths sandbox and flag rejection handle every documented GTFOBins technique.

Validate that every shell builtin with a GTFOBins entry is protected
against documented attack patterns. Adds 11 tests across cat, head,
tail, and wc confirming sandbox enforcement, flag rejection, and
path traversal prevention block all known file-read techniques.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
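The parsing difference behind the head -c-0 finding, as an added example that is not rshell's code or part of this PR. It models the two semantics side by side: a pflag-style split of "-c-0" into flag c with value "-0", the restricted path that feeds that value straight to strconv.ParseInt (sign lost, 0 bytes out), and GNU head's path that keeps the leading minus as a separate "elide from tail" fact (whole file out). The helper names (splitShortFlag, headRestricted, headGNU, headArg) and the sample file contents are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// splitShortFlag models how a POSIX-style parser such as pflag handles a
// short flag with an attached value: "-c-0" becomes flag "c", value "-0".
// Hypothetical helper, not rshell's real argument parsing.
func splitShortFlag(arg string) (name, value string, ok bool) {
	if len(arg) < 2 || !strings.HasPrefix(arg, "-") || strings.HasPrefix(arg, "--") {
		return "", "", false
	}
	return arg[1:2], arg[2:], true
}

// parseCountRestricted is the path the PR describes: the value string goes
// straight into strconv.ParseInt, so "-0" parses to 0 and the sign is lost.
func parseCountRestricted(value string) (int64, error) {
	return strconv.ParseInt(value, 10, 64)
}

// headRestricted returns at most n leading bytes and nothing for n <= 0.
// There is no "all but the last n" mode, which is what neutralises -c-0.
func headRestricted(data []byte, n int64) []byte {
	if n <= 0 {
		return nil
	}
	if n > int64(len(data)) {
		n = int64(len(data))
	}
	return data[:n]
}

// gnuCount keeps the leading minus as a separate fact instead of folding it
// into the integer, which is why GNU head treats -c-0 as "the whole file".
type gnuCount struct {
	n        int64
	fromTail bool
}

// parseCountGNU splits "-N" into (N, fromTail=true) before converting.
func parseCountGNU(value string) (gnuCount, error) {
	fromTail := strings.HasPrefix(value, "-")
	n, err := strconv.ParseInt(strings.TrimPrefix(value, "-"), 10, 64)
	if err != nil {
		return gnuCount{}, fmt.Errorf("invalid byte count %q: %w", value, err)
	}
	if n < 0 {
		return gnuCount{}, errors.New("double sign in byte count")
	}
	return gnuCount{n: n, fromTail: fromTail}, nil
}

// headGNU implements both GNU modes: "-cN" prints the first N bytes,
// "-c-N" prints everything except the last N bytes (so -c-0 is the whole file).
func headGNU(data []byte, c gnuCount) []byte {
	if c.fromTail {
		keep := int64(len(data)) - c.n
		if keep <= 0 {
			return nil
		}
		return data[:keep]
	}
	return headRestricted(data, c.n)
}

// headArg runs one "-cVALUE" argument through both semantics and returns
// what each would emit from data; anything that is not a -c flag is rejected.
func headArg(arg string, data []byte) (restricted, gnu []byte, err error) {
	name, value, ok := splitShortFlag(arg)
	if !ok || name != "c" {
		return nil, nil, fmt.Errorf("not a -c flag: %q", arg)
	}
	n, err := parseCountRestricted(value)
	if err != nil {
		return nil, nil, err
	}
	c, err := parseCountGNU(value)
	if err != nil {
		return nil, nil, err
	}
	return headRestricted(data, n), headGNU(data, c), nil
}

func main() {
	// Constructed stand-in for a file outside the sandbox that an attacker
	// would try to read through head.
	secret := []byte("root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/srv:/bin/sh\n")
	for _, arg := range []string{"-c-0", "-c-5", "-c5", "-c999"} {
		r, g, err := headArg(arg, secret)
		if err != nil {
			fmt.Println(arg, "error:", err)
			continue
		}
		fmt.Printf("%-6s restricted=%3d bytes  gnu=%3d bytes\n", arg, len(r), len(g))
	}
}
```

The safety of -c-0 here rests on two separate facts, and a regression test is worth pinning to both: that the count parser yields 0 (not an error and not a negative) for "-0", and that a non-positive count emits nothing. If negative counts are ever implemented to match GNU's "elide from tail" mode, -c-0 silently becomes a full-file read again, so a test asserting zero output for both "-c-0" and "-c-5" catches that change before it ships.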