gtfobins.org

What It Is

GTFOBins is a curated catalog of executables for Unix-like systems, focused on legitimate system program features that can be abused to bypass local security restrictions. It is not a vulnerability database; rather, it is a practical “living off the land” guide that helps security practitioners use existing programs in restricted environments for post-exploitation tasks such as shell escapes, privilege escalation, and file transfer.

Core Dimension Analysis

• Protection type: GTFOBins does not provide defensive capabilities itself. It is best understood as an “attack reference library” within offensive and defensive security operations. It covers key abuse techniques including shell spawning, file read/write, upload/download, and privilege escalation.
• Deployment model: As an open-source project, it is mainly accessed online through its website, or integrated into automation tools via its JSON API. No local client deployment is required.
• Integration capabilities: The project natively supports MITRE ATT&CK® Navigator mappings and provides an open JSON API, making it easy for security teams to integrate its data into automated penetration testing frameworks or asset management systems.
• Suitable scale: Suitable for security teams and individual researchers of all sizes, and especially valuable in red team exercises and system baseline audits.

Pricing

A completely free, community-driven open-source project.

Pros and Cons

Pros: Extremely detailed categorization. It is organized not only by function, such as reverse shells and file reading, but also by execution context, such as Sudo, SUID, and Capabilities, with tailored payloads for each. It is also deeply aligned with the MITRE ATT&CK framework and offers strong practical guidance.
Cons: Covers only Unix/Linux systems; for Windows, refer to LOLBAS. As a knowledge base, it lacks automated scanning or defensive blocking capabilities. For beginners, understanding and applying these payloads requires solid low-level Linux knowledge.

Who It’s For

Penetration testers, red team specialists, blue team threat hunters, and system administrators. Red teams can use it to break out of restricted shells and escalate privileges, while blue teams can use it to identify risky system configurations, such as improper SUID settings.

Access from China

• Network: The project code and website are hosted on GitHub, so access from mainland China may be unstable or require a proxy.
• Payment: Free project; no payment required.
• Alternatives: For Windows environments, refer to the LOLBAS project. Some Chinese security communities also maintain similar privilege-escalation helper scripts.