Automated Privilege Escalation
==============================

pwncat has the ability to locate and exploit privilege escalation vulnerabilities. The vulnerabilities
are identified through enumeration, and can be exploited through the ``escalate`` command. Internally,
pwncat has two types of escalation objects. Firstly, there are abilities. These are actions
which we are able to perform with the permissions of a different user on the target. The second type
of object is the escalation. Escalations utilize one or more abilities to achieve a session as the
targeted user.

As an example, abilities could be things such as:

* File Write
* File Read
* Binary execution

Escalations could be things such as:

* Executing a shell (the simplest option)
* Reading user private keys and ssh-ing to localhost
* Writing private keys
* Implanting a backdoor user in /etc/passwd (if file-write as root is available)

Invoking Privilege Escalation
-----------------------------

There are two ``escalate`` subcommands. In order to locate direct escalation vectors, you can use the
``list`` subcommand. This will use the enumeration framework to locate any escalations that may be
possible as the active user.

.. code-block:: bash

    # List direct escalations for any user
    (local) pwncat$ escalate list
    # List direct escalations to the specified user
    (local) pwncat$ escalate list -u root

Escalation can be triggered with the ``run`` subcommand. This command will first attempt to escalate
directly to the requested user. If no direct escalations are possible, it will try to recursively
escalate through other users based on the available direct escalations.

.. code-block:: bash

    # Escalate to root
    (local) pwncat$ escalate run
    # Escalate to a specified user
    (local) pwncat$ escalate run -u john
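The following is an added example, not pwncat's own code, that models the two object types described
above (abilities held by one user with another user's permissions, and escalations that consume them)
and the recursive behaviour of ``escalate run``: when no direct escalation to the requested user
exists, search for a chain of direct escalations through intermediate users. The ability kinds, the
four escalation names, the ``root_only`` flag and the users ``www-data``/``john`` are constructed
sample data chosen to mirror the lists in this page; they are assumptions, not pwncat's internal API.

```python
"""Toy model of pwncat-style abilities and escalations.

Added example, not pwncat's own code. All users, ability kinds and
escalation names below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Ability:
    """An action `holder` can perform with `target`'s permissions."""
    kind: str      # "file_read", "file_write" or "exec" (assumed vocabulary)
    holder: str    # user who currently has the ability
    target: str    # user whose permissions the action runs with


@dataclass(frozen=True)
class Escalation:
    """A way to turn one or more abilities into a session as the target user."""
    name: str
    needs: frozenset          # ability kinds required
    root_only: bool = False   # e.g. the /etc/passwd implant needs file-write as root


# The escalation types named in the documentation, as constructed sample data.
ESCALATIONS = (
    Escalation("shell", frozenset({"exec"})),
    Escalation("read_private_key", frozenset({"file_read"})),
    Escalation("write_private_key", frozenset({"file_write"})),
    Escalation("passwd_backdoor", frozenset({"file_write"}), root_only=True),
)


def direct_escalations(abilities, holder, target, escalations=ESCALATIONS):
    """Names of escalations `holder` can use right now to reach `target`
    (the model of `escalate list -u <target>`)."""
    kinds = {a.kind for a in abilities if a.holder == holder and a.target == target}
    found = []
    for esc in escalations:
        if esc.root_only and target != "root":
            continue
        if esc.needs <= kinds:
            found.append(esc.name)
    return found


def find_chain(abilities, start, goal, escalations=ESCALATIONS):
    """Breadth-first search for the shortest chain of (from, to, escalation)
    steps from `start` to `goal`, the model of `escalate run` recursing
    through other users. Returns None when no chain exists."""
    users = {start} | {a.holder for a in abilities} | {a.target for a in abilities}
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        user, path = queue.popleft()
        if user == goal:
            return path
        for nxt in sorted(users - seen):
            options = direct_escalations(abilities, user, nxt, escalations)
            if options:
                seen.add(nxt)
                queue.append((nxt, path + [(user, nxt, options[0])]))
    return None


# Constructed sample: www-data can execute a binary as john, and john can read
# files as root. There is deliberately no direct www-data -> root route, so the
# search has to go through john, as the documentation describes for `run`.
SAMPLE_ABILITIES = (
    Ability("exec", "www-data", "john"),
    Ability("file_read", "john", "root"),
)

if __name__ == "__main__":
    print("direct www-data -> root:", direct_escalations(SAMPLE_ABILITIES, "www-data", "root"))
    for step in find_chain(SAMPLE_ABILITIES, "www-data", "root"):
        print("%s -> %s via %s" % step)
```

The search marks a user as visited when it is first enqueued, so each intermediate user is tried
once and the returned chain is the shortest one in number of hops; a real tool would additionally
have to verify each step on the target and back out when an escalation fails.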