1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-24 17:45:40 +01:00
pwncat/docs/source/privesc.rst

56 lines
2.5 KiB
ReStructuredText
Raw Normal View History

Automated Privilege Escalation
==============================
``pwncat`` has the ability to attempt automated privilege escalation methods. A number of methods are implemented by
default such as:
* Set UID Binaries
* Sudo (with and without password)
* screen (CVE-2017-5618)
* DirtyCOW
Each of these methods utilize the capabilities of the GTFOBins module. The GTFOBins module provides a programmatic
interface to gtfobins_. Each privilege escalation module implements shell, file read or file write capabilities.
``pwncat`` will leverage these to get shell access as the specified user. ``pwncat`` does this by trying the following
methods with the provided capabilities:
* Executing a shell (the simplest option)
* Reading user private keys and ssh-ing to localhost
* Writing private keys
* Implanting a backdoor user in /etc/passwd (if file-write as root is available)
If ``pwncat`` does not find a method of gaining access as the specified user directly, it will attempt to escalate to
any other user it can recursively to attempt to find a path to the requested user.
Invoking Privilege Escalation
-----------------------------
Privilege escalation is implemented utilizing ``pwncat`` modules. These modules can be run individually
if desired or you can utilize the ``escalate.auto`` module which will recursively search for a path
to a desired user.
The ``escalate.auto`` module by default simply lists the escalation techniques which were found for the
current user. To actually escalate to a new user, you can use the ``exec`` option. This option will
go through every possible user and attempt to escalate. It then keeps attempting escalation until it finds
a path to the requested user recursively.
Escalation modules also implement ``read`` and ``write`` modes which attempt to read or write a file
as the specified user. All three of ``read``, ``write``, and ``exec`` are also supported by every
individual escalation module.
.. code-block:: bash
# Locate and list available techniques as the current user
(local) pwncat$ run escalate.auto
# Attempt automated escalation to the specified user
(local) pwncat$ run escalate.auto exec user=root shell=/bin/bash
# Attempt automated escalation to root with the current shell
(local) pwncat$ run escalate.auto exec
# Read /etc/shadow with the escalate.sudo module
(local) pwncat$ run escalate.sudo read user=root path=/etc/shadow
# Write a file as root
(local) pwncat$ run escalate.auto write user=root path=/tmp/test data="hello world!"
.. _gtfobins: https://gtfobins.github.io