Skip to content

New GTFOBin: getent for extracting privileged NSS entries via SUID #503

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

thegreatmhn wants to merge 1 commit into GTFOBins:master

from thegreatmhn:thegreatmhn-patch-1

Open

New GTFOBin: getent for extracting privileged NSS entries via SUID #503

Changes from all commits

Commits

Show all changes

Select commit

Create getent.md

thegreatmhn Jun 10, 2025

File filter

Filter by extension

Conversations

Jump to

Jump to file

Failed to load files.

Loading

Diff view

Diff view

18 changes: 18 additions & 0 deletions _gtfobins/getent.md

Show comments View file Open in desktop

Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,18 @@
	---
	description: \|
	`getent` is a utility that retrieves entries from administrative databases configured
	via the Name Service Switch (NSS). If misconfigured with the SUID bit, it can be abused
	to access sensitive databases such as `shadow`, which contains user password hashes,
	including root's.

	This can lead to local privilege escalation by leaking password hashes for offline cracking.

	functions:
	suid:
	- code: \|
	# Leak root hash from /etc/shadow via getent SUID binary
	./getent shadow root
	- code: \|
	# Dump all hashes
	./getent shadow
	---