Introduction
In penetration testing and ethical hacking, the post-exploitation phase is where you gain the most insight—and control—over a compromised system. Whether you’re escalating privileges, exfiltrating data, or executing commands through seemingly harmless binaries, GTFOBins is one of the most trusted tools in a hacker’s arsenal.
But what happens when the tool itself isn’t reachable?
Welcome to the world of offline GTFOBins—a simple but critical enhancement to your toolkit when you’re operating in low-connectivity, air-gapped, or firewalled environments.
Why You Need GTFOBins Offline
While GTFOBins is accessible at https://gtfobins.github.io, relying on a live site isn’t always practical:
- 🛰️ Slow or Unreliable Internet: Depending on your location, GTFOBins may load slowly or timeout entirely.
- 🔒 Restricted Corporate Networks: Many organizations block access to GitHub pages or security-related resources.
- 🏕️ Air-Gapped or Remote Environments: During red team assessments or in isolated lab scenarios, internet access may not exist at all.
- 🎒 Operational Readiness: A complete offline toolkit ensures you’re always prepared—regardless of the environment.
These situations demand an offline version of GTFOBins that is fast, portable, and fully functional.
What is GTFOBins?
GTFOBins (short for “Get The F* Out Binaries”) is a curated collection of Unix binaries that can be exploited by attackers to:
- Escape restricted shells
- Spawn interactive or reverse shells
- Read or write arbitrary files
- Execute commands as another user (often root)
- Perform privilege escalation when binaries are misconfigured with sudo, SUID, or capabilities
Each entry provides command examples for different exploitation categories—making it an indispensable reference for post-exploitation tasks.
Step-by-Step: Run GTFOBins Offline Using Docker Compose
Prerequisites:
Before you begin, ensure you have the following installed on your Linux (Kali) system:
If you don’t have Docker, Docker Compose and Git installed, you can follow the official Docker documentation for Kali Linux or use the following commands:
Note: for Windows and macOS users: This hasn’t been tested on Docker Desktop (known for high resource consumption), though it should be compatible.
sudo apt update sudo apt install docker.io docker-compose git sudo systemctl start docker sudo systemctl enable docker
✅ 1. Clone the GTFOBins Repository
git clone https://github.com/GTFOBins/GTFOBins.github.io.git cd GTFOBins.github.io
✅ 2. Create a Dockerfile
From the GTFOBins.github.io local directory, create a Dockerfile with any editor you prefer (nano, vim, VSCode, etc.). Copy the code below, paste it into the file, and save.
# Ultra-lightweight Dockerfile using nginx to serve static files
FROM ruby:3.2-slim as builder
# Install build dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential \
git \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
# Copy and install gems
COPY Gemfile* ./
RUN rm -f Gemfile.lock && \
bundle config --local without development test && \
bundle install --no-cache
# Copy source and build static site
COPY . .
RUN bundle exec jekyll build
# Production stage with nginx
FROM nginx:alpine
# Copy built site to nginx html directory
COPY --from=builder /app/_site /usr/share/nginx/html
# Create necessary directories and set permissions for the existing nginx user
RUN mkdir -p /var/cache/nginx /tmp/nginx /var/log/nginx && \
chown -R nginx:nginx /var/cache/nginx /tmp/nginx /var/log/nginx /usr/share/nginx/html && \
chmod -R 755 /usr/share/nginx/html && \
touch /tmp/nginx/nginx.pid && \
chown nginx:nginx /tmp/nginx/nginx.pid
# Create a complete nginx config for non-root operation
RUN printf 'pid /tmp/nginx/nginx.pid;\n\
error_log /var/log/nginx/error.log warn;\n\
\n\
events {\n\
worker_connections 1024;\n\
}\n\
\n\
http {\n\
include /etc/nginx/mime.types;\n\
default_type application/octet-stream;\n\
\n\
log_format main "$remote_addr - $remote_user [$time_local] \\"$request\\" "\n\
"$status $body_bytes_sent \\"$http_referer\\" "\n\
"\\"$http_user_agent\\" \\"$http_x_forwarded_for\\"";\n\
\n\
access_log /var/log/nginx/access.log main;\n\
\n\
sendfile on;\n\
keepalive_timeout 65;\n\
\n\
server {\n\
listen 8080;\n\
server_name localhost;\n\
root /usr/share/nginx/html;\n\
index index.html;\n\
\n\
location / {\n\
try_files $uri $uri/ =404;\n\
}\n\
}\n\
}' > /etc/nginx/nginx.conf
# Switch to non-root user
USER nginx
# Expose port 8080 (non-privileged port)
EXPOSE 8080
# Run nginx in foreground as non-root user
CMD ["nginx", "-g", "daemon off;"]
✅ 3. Create a docker-compose.yml
Create a docker-compose.yml with any editor you prefer (nano, vim, VSCode, etc.). Copy the code below, paste it into the file, and save.
---
version: "3.9"
services:
gtfobins:
build: .
image: sandbox99/gtfobins-nginx:v1.0
container_name: gtfobins-nginx
ports:
- "4000:8080"
# The port 4000 is just the external interface - you could change it to any port you prefer without touching the Dockerfile at all!
restart: unless-stopped
✅ 4. Create .dockerignore file for GTFOBins Offline Project
Create a .dockerignore with any editor you prefer (nano, vim, VSCode, etc.). Copy the code below, paste it into the file, and save.
# Git .git .gitignore .github/ # Jekyll build output (will be built in container) _site .sass-cache .jekyll-cache .jekyll-metadata # Ruby/Bundler vendor/bundle/ .bundle/ Gemfile.lock # Dependencies node_modules/ # OS generated files .DS_Store .DS_Store? ._* .Spotlight-V100 .Trashes ehthumbs.db Thumbs.db # IDE files .vscode/ .idea/ *.swp *.swo *~ # Logs and temporary files *.log *.tmp *.temp # Docker files (not needed in container) Dockerfile* docker-compose*.yml .dockerignore # Documentation and scripts README.md CONTRIBUTING.md LICENSE contribute.md scripts/ requirements.txt # Large unnecessary files docker-compose-logs.txt # Configuration files that might contain sensitive data .env .env.local .env.*.local # Test files spec/ test/ tests/ __tests__/ # Coverage reports coverage/ .coverage .nyc_output
✅ 5. Modify the Gemfile and Gemfile.lock
Gemfile – copy and paste this code below and overwrite it.
source 'https://rubygems.org' gem 'jekyll', '~> 4.3' gem 'jekyll-sass-converter', '~> 3.0' gem 'listen', '~> 3.8' # Windows and JRuby does not include zoneinfo files, so bundle the tzinfo-data gem # and associated library. platforms :mingw, :x64_mingw, :mswin, :jruby do gem "tzinfo", ">= 1", "< 3" gem "tzinfo-data" end # Performance-booster for watching directories on Windows gem "wdm", "~> 0.1.1", :platforms => [:mingw, :x64_mingw, :mswin] # Lock `http_parser.rb` gem to `v0.6.x` on JRuby builds since newer versions of the gem # do not have a Java counterpart. gem "http_parser.rb", "~> 0.6.0", :platforms => [:jruby]
Gemfile.lock – copy and paste this code below and overwrite it.
GEM
remote: https://rubygems.org/
specs:
addressable (2.8.7)
public_suffix (>= 2.0.2, < 7.0)
base64 (0.3.0)
bigdecimal (3.2.2)
colorator (1.1.0)
concurrent-ruby (1.3.5)
csv (3.3.5)
em-websocket (0.5.3)
eventmachine (>= 0.12.9)
http_parser.rb (~> 0)
eventmachine (1.2.7)
ffi (1.17.2-x86_64-linux-gnu)
forwardable-extended (2.6.0)
google-protobuf (4.31.1-x86_64-linux-gnu)
bigdecimal
rake (>= 13)
http_parser.rb (0.8.0)
i18n (1.14.7)
concurrent-ruby (~> 1.0)
jekyll (4.4.1)
addressable (~> 2.4)
base64 (~> 0.2)
colorator (~> 1.0)
csv (~> 3.0)
em-websocket (~> 0.5)
i18n (~> 1.0)
jekyll-sass-converter (>= 2.0, < 4.0)
jekyll-watch (~> 2.0)
json (~> 2.6)
kramdown (~> 2.3, >= 2.3.1)
kramdown-parser-gfm (~> 1.0)
liquid (~> 4.0)
mercenary (~> 0.3, >= 0.3.6)
pathutil (~> 0.9)
rouge (>= 3.0, < 5.0)
safe_yaml (~> 1.0)
terminal-table (>= 1.8, < 4.0)
webrick (~> 1.7)
jekyll-sass-converter (3.1.0)
sass-embedded (~> 1.75)
jekyll-watch (2.2.1)
listen (~> 3.0)
json (2.13.1)
kramdown (2.5.1)
rexml (>= 3.3.9)
kramdown-parser-gfm (1.1.0)
kramdown (~> 2.0)
liquid (4.0.4)
listen (3.9.0)
rb-fsevent (~> 0.10, >= 0.10.3)
rb-inotify (~> 0.9, >= 0.9.10)
mercenary (0.4.0)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
public_suffix (6.0.2)
rake (13.3.0)
rb-fsevent (0.11.2)
rb-inotify (0.11.1)
ffi (~> 1.0)
rexml (3.4.1)
rouge (4.6.0)
safe_yaml (1.0.5)
sass-embedded (1.89.2-x86_64-linux-gnu)
google-protobuf (~> 4.31)
terminal-table (3.0.2)
unicode-display_width (>= 1.1.1, < 3)
unicode-display_width (2.6.0)
webrick (1.9.1)
PLATFORMS
x86_64-linux
DEPENDENCIES
http_parser.rb (~> 0.6.0)
jekyll (~> 4.3)
jekyll-sass-converter (~> 3.0)
listen (~> 3.8)
tzinfo (>= 1, < 3)
tzinfo-data
wdm (~> 0.1.1)
BUNDLED WITH
2.4.19
✅ 6. Build and Run
docker-compose build docker-compose up --detach
Once running, open your browser and go to:
👉 http://localhost:4000
Size Breakdown Analysis:
– nginx:alpine base: 52.5MB (immutable foundation)
– Alpine Linux + nginx: ~8.31MB + 40MB for nginx packages
GTFOBins Content:
Static website files: ~2.66MB
Configuration overhead: ~731B (our security modifications)
Total: 57.8MB
Why This is Near-Optimal:
1. Theoretical Minimum:
Alpine base: 8.31MB
Static website: 2.66MB
Custom web server: ~5-10MB
Total: ~16-21MB
2. Overhead:
nginx:alpine (current): 52.5MB base
httpd:alpine: ~54MB base
lighttpd:alpine: ~15MB base (but less features)
3. That 2.6MB Overhead Includes:
– Non-root security configuration
– Custom nginx.conf for non-privileged operation
– Directory permissions setup
– PID file management for nginx user
4. Current Solution vs Alternatives:
| Approach | Size | Security | Performance | Maintenance |
| nginx:alpine | 57.8MB | ✅ Excellent | ✅ Production-grade | ✅ Low |
| lighttpd:alpine | ~18MB | ⚠️ Good | ⚠️ Good | ⚠️ Medium |
| Custom static server | ~16MB | ❌ Unknown | ❌ Unknown | ❌ High |
| Python/Node server | 150MB+ | ❌ Poor | ❌ Poor | ❌ High |
Conclusion:
Your 57.8MB is essentially optimal for a production-ready solution because:
1. 🔒 Security: Non-root user, battle-tested nginx
2. ⚡ Performance: Industry-standard web server
3. 📦 Size: Only 10% larger than theoretical minimum
4. 🛠️ Maintenance: Zero ongoing maintenance burden
5. 🏭 Production-ready: Handles real-world traffic patterns
The 2.6MB overhead (4.5%) buys you enterprise-grade reliability, security, and performance. That’s an excellent trade-off!
You’ve achieved the sweet spot between size optimization and production requirements. Going smaller would require significant compromises in security, performance, or maintainability.
Final Thoughts
GTFOBins is one of the most powerful post-exploitation resources in an ethical hacker’s toolkit. But don’t wait until you’re blocked, throttled, or disconnected to realize you need it.
Downloading and setting up GTFOBins offline ensures that you remain effective, stealthy, and resilient—no matter the network conditions.
