#!/usr/bin/env python3
from pwncat.gtfobins import *
import subprocess
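def which(path: str, quote=False):
    """Resolve *path* to its installed location via the local ``which`` binary.

    This is the resolver callback handed to ``GTFOBins``. The name is passed
    to ``which`` as a single argv element instead of being interpolated into
    a shell string, so shell metacharacters in a binary name (for example one
    read from the JSON database) are never interpreted.

    Args:
        path: Name of the binary to look up.
        quote: Accepted for compatibility with the resolver signature; this
            implementation does not use it.

    Returns:
        The stripped output of ``which``, or ``None`` when the name is empty,
        looks like a command-line option, is not found, or ``which`` itself
        is unavailable.
    """
    # An empty name cannot resolve, and a leading "-" would be parsed by
    # `which` as an option rather than as a binary name.
    if not path or path.startswith("-"):
        return None

    try:
        # argv list, no shell: the name reaches `which` verbatim.
        output = subprocess.check_output(["which", path])
    except (subprocess.CalledProcessError, FileNotFoundError):
        # Non-zero exit means "not found"; FileNotFoundError means `which` is
        # not installed, which the shell-based form also reported as a failure.
        return None

    return output.decode("utf-8").strip()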
# Scratch harness for the GTFOBins lookup: load the database, select one
# binary and one capability, and print what each matching method builds.
# NOTE(review): "data/gtfobins.json" is a relative path, so the script has to
# be started from the directory that contains data/.
gtfo = GTFOBins("data/gtfobins.json", which)

# Inputs for this run; the commented-out assignments are alternative settings.
binary_to_test = "curl"
# capabilities_to_test = Capability.SHELL
capabilities_to_test = Capability.WRITE
# capabilities_to_test = Capability.WRITE
our_shell = "/bin/bash"  # only referenced by the commented-out build() call below

# Look the binary up in the loaded database and dump it for inspection.
# NOTE(review): vars() raises TypeError if find_binary() can return None for
# an unknown name - confirm against the GTFOBins implementation.
binary = gtfo.find_binary(binary_to_test)
print(binary)
print(vars(binary))

# NOTE(review): which() returns None when the lookup fails, and that None is
# passed straight through as the first argument - confirm iter_methods()
# tolerates it.
methods = binary.iter_methods(
    which(binary_to_test), caps=capabilities_to_test, stream=None
)
for method in methods:
    # print(method)
    # print(method.build(shell=our_shell, suid=True))
    # Prints element [0] of whatever build() returns; this script only prints
    # it and never executes it.
    # NOTE(review): the fixture points at /etc/shadow; the /tmp/test variant
    # below is the safer choice if the printed output is ever run by hand.
    print(method.build(lfile="/etc/shadow", suid=True)[0])
    # print(method.build(lfile="/tmp/test", data="hello")[0])

# all_binaries = list(gtfo.iter_methods(Capability.SHELL))
# print(all_binaries[0].build(shell="/bin/bash", suid=True))