DEV.co
Open-Source Security · Frissi0n

GTFONow

GTFONow is an automated privilege escalation tool for Unix systems that exploits misconfigurations in sudo, setuid/setgid binaries, and capabilities. It is purpose-built for CTF environments and penetration testing, offering payload automation based on the GTFOBins database with no external dependencies.

Source: GitHub — github.com/Frissi0n/GTFONow
636
GitHub stars
74
Forks
Python
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryFrissi0n/GTFONow
OwnerFrissi0n
Primary languagePython
LicenseMIT — OSI-approved
Stars636
Forks74
Open issues45
Latest releasev0.3.0 (2024-06-26)
Last updated2026-07-03
Sourcehttps://github.com/Frissi0n/GTFONow

What GTFONow is

A Python-based post-exploitation utility that automatically identifies and exploits privilege escalation vectors including misconfigured sudo rules, setuid/setgid binaries, and Linux capabilities. It runs as a stdlib-only script compatible with Python 2 and 3 across Unix variants and architectures, supporting risk-tiered exploitation modes and file read/write primitive conversions.

Quickstart

Get the GTFONow source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/Frissi0n/GTFONow.gitcd GTFONow# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Capture The Flag (CTF) Competitions

Designed explicitly for CTF environments where time efficiency and automated privilege escalation are critical. Rapidly identifies and exploits common misconfigurations without manual enumeration.

Authorized Penetration Testing & Post-Exploitation

Accelerates the post-exploitation phase in authorized red team engagements by automating privilege escalation discovery and exploitation once initial access is established.

Security Research & Training

Educational tool for understanding privilege escalation vectors and misconfiguration patterns on Unix systems in controlled lab environments.

Implementation considerations

  • Requires Python runtime on target system; no pre-compiled binaries reduce deployment friction but tie execution to interpreter availability.
  • Single-file design enables fileless execution via curl pipe; verify hash and source authenticity before running over network.
  • Compatibility with Python 2 and 3 across architectures (x86, ARM64) is broad but Python 2 reached EOL in 2020; validate environment support.
  • Risk level 2 modes perform destructive filesystem operations; staging in isolated lab environments with snapshots is critical before any live engagement.
  • Relies on GTFOBins payloads; ensure local GTFOBins database is current or tool fetches fresh data to avoid false negatives from outdated exploit paths.

When to avoid it — and what to weigh

  • Production System Hardening — Not designed for system administrators or security teams securing production environments. Use hardening tools and compliance frameworks instead.
  • Unauthorized Access Scenarios — This tool is explicitly offensive. Legal authority and written permission are mandatory; unauthorized use violates computer fraud and cybercrime laws in most jurisdictions.
  • Risk Level 2 on Live Systems Without Full Understanding — Risk level 2 performs aggressive file modifications (cron writes, SSH key drops, LD_PRELOAD injection). Documentation warns this is CTF-oriented; live engagement use requires deep knowledge of consequences.
  • Supply Chain or Software Development Contexts — Not applicable to application development, CI/CD security, or DevOps contexts. It is a post-exploitation tool for Unix system compromise scenarios only.

License & commercial use

Licensed under MIT (MIT License), a permissive OSI-approved license permitting commercial use, modification, and distribution with attribution and no warranty.

MIT license permits commercial use in products and services provided original copyright notice is retained and no warranty is offered. However, this tool is explicitly offensive; commercial use in penetration testing requires client authorization. Redistribution in commercial security tools must include attribution and license text. Review your engagement agreement and terms of service.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitPossible
Assessment confidenceHigh
Security considerations

This is an offensive exploitation tool; security considerations center on operational security and authorization. No claims about tool security posture are made in data. Key concerns: (1) Requires Python execution on target—verify interpreter is trustworthy; (2) Risk level 2 performs destructive writes (cron, SSH, LD_PRELOAD)—test in isolated labs first; (3) Fileless execution via curl pipes increases supply chain risk—verify script hash and source; (4) Relies on GTFOBins payload database—outdated payloads may fail silently; (5) No obfuscation or evasion features—detection by endpoint tools is likely in hardened environments. Use only in authorized engagements with explicit scoping.

Alternatives to consider

LinPEAS / PEASS-ng

Comprehensive privilege escalation enumeration tool covering more vectors but requires interpretation and manual exploitation; less automation but more information density.

Exploit Suggester (linux-exploit-suggester, kernel-exploits databases)

Focuses on kernel and known CVE exploitation; complements GTFONow for environment-specific vulnerabilities but requires separate payload delivery.

Metasploit Framework (post-exploitation modules)

Full-featured framework with automated exploitation, staged payloads, and multi-protocol support; higher complexity but richer integration with red team workflows.

Software development agency

Build on GTFONow with DEV.co software developers

If you are running authorized penetration tests or CTF competitions, review GTFONow's automated privilege escalation capabilities. Test in isolated labs first, validate risk level 2 impacts, and ensure client authorization is documented. For production hardening, consider LinPEAS enumeration or Metasploit integration instead.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

GTFONow FAQ

Can I run GTFONow on production systems?
No. This is an offensive exploitation tool designed for authorized penetration tests and CTFs. Production use without explicit authorization is illegal. On authorized engagements, use risk level 1 first and isolate changes via snapshots.
Does GTFONow require internet access?
Not explicitly stated in data. The tool references GTFOBins payloads but documentation does not clarify if it fetches live data or includes cached payloads. Verify network requirements before deployment in air-gapped environments.
What is the difference between risk levels 1 and 2?
Risk level 1 (default) performs safe read-only checks (sudo, setuid, capabilities enumeration). Risk level 2 performs aggressive writes including cron modifications, SSH key injection, and LD_PRELOAD drops. Use level 2 only in CTFs or test labs where changes are acceptable.
Will GTFONow be detected by antivirus or EDR tools?
Unknown. The tool has no obfuscation or evasion features. Hardened environments with behavioral monitoring are likely to flag or block Python-based post-exploitation activity. Test in target environment simulation before live use.

Software development & web development with DEV.co

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If GTFONow is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Evaluate GTFONow for Your Security Program

If you are running authorized penetration tests or CTF competitions, review GTFONow's automated privilege escalation capabilities. Test in isolated labs first, validate risk level 2 impacts, and ensure client authorization is documented. For production hardening, consider LinPEAS enumeration or Metasploit integration instead.