mirror of
https://github.com/calebstewart/pwncat.git
synced 2024-11-24 09:35:39 +01:00
71 lines
3.4 KiB
ReStructuredText
71 lines
3.4 KiB
ReStructuredText
Tamper
|
|
======
|
|
|
|
``pwncat`` tracks modifications of the remote system through the ``tamper`` module. Programmatically, ``pwncat``
|
|
interfaces with the tamper subsystem through the ``pwncat.victim.tamper`` object. This allows generic modifications
|
|
to be registered with a method to revert the change. Built-in capabilities like ``privesc`` and ``persist`` will
|
|
any modifications made to the remote system with the tamper module. This includes but is not limited to created users,
|
|
created files, modified files, and removed files.
|
|
|
|
Listing Tampers
|
|
---------------
|
|
|
|
To view a list of current remote modifications, use the ``tamper`` command. The default action is to list all registered
|
|
tampers.
|
|
|
|
.. code-block:: bash
|
|
|
|
(local) pwncat$ tamper
|
|
0 - Created file /tmp/tmp.U2KlLIG5dW
|
|
1 - Modified /home/george/.ssh/authorized_keys
|
|
2 - Created file /tmp/tmp.tnJfd2BaCd
|
|
3 - Created file /tmp/tmp.PAXFRgfYzW
|
|
4 - Modified /home/george/.ssh/authorized_keys
|
|
5 - Created file /tmp/tmp.xi5Evy4ZPF
|
|
6 - Created file /tmp/tmp.05AwnolMNL
|
|
7 - Modified /home/george/.ssh/authorized_keys
|
|
8 - Created file /tmp/tmp.6LwcrXSdWE
|
|
9 - Persistence: passwd as system (local)
|
|
|
|
Reverting Tampers
|
|
-----------------
|
|
|
|
Tampers can be reverted to their original state with the ``--revert/-r`` flag of the ``tamper`` command. In this mode,
|
|
can either specify ``--all/-a`` or ``--tamper/-t ID`` to revert all tampers or a specific tamper ID. In some cases, the
|
|
modifications were made as a different user and therefore cannot be removed currently. In this case, the tamper is left
|
|
in the list and can be reverted later once you have the required privileges:
|
|
|
|
.. code-block:: bash
|
|
|
|
(local) pwncat$ tamper -r -a
|
|
[\] reverting tamper: Modified /home/george/.ssh/authorized_keys
|
|
[?] Modified /home/george/.ssh/authorized_keys: revert failed: No such file or directory: '/home/george/.ssh/authorized_keys'
|
|
[/] reverting tamper: Created file /tmp/tmp.tnJfd2BaCd
|
|
[?] Created file /tmp/tmp.tnJfd2BaCd: revert failed: /tmp/tmp.tnJfd2BaCd: unable to remove file
|
|
[\] reverting tamper: Modified /home/george/.ssh/authorized_keys
|
|
[?] Modified /home/george/.ssh/authorized_keys: revert failed: No such file or directory: '/home/george/.ssh/authorized_keys'
|
|
[/] reverting tamper: Created file /tmp/tmp.xi5Evy4ZPF
|
|
[?] Created file /tmp/tmp.xi5Evy4ZPF: revert failed: /tmp/tmp.xi5Evy4ZPF: unable to remove file
|
|
[\] reverting tamper: Modified /home/george/.ssh/authorized_keys
|
|
[?] Modified /home/george/.ssh/authorized_keys: revert failed: No such file or directory: '/home/george/.ssh/authorized_keys'
|
|
[/] reverting tamper: Created file /tmp/tmp.6LwcrXSdWE
|
|
[?] Created file /tmp/tmp.6LwcrXSdWE: revert failed: /tmp/tmp.6LwcrXSdWE: unable to remove file
|
|
[-] reverting tamper: Persistence: passwd as system (local)
|
|
[?] Persistence: passwd as system (local): revert failed: Permission denied: '/etc/passwd'
|
|
[+] tampers reverted!
|
|
|
|
After utilizing our ``passwd`` persistence to gain root access, we can successfully remove all tampers:
|
|
|
|
.. code-block:: bash
|
|
|
|
(local) pwncat$ privesc -e
|
|
[+] privilege escalation succeeded using:
|
|
⮡ persistence - passwd as system (local)
|
|
[+] pwncat is ready 🐈
|
|
|
|
(remote) root@pwncat-centos-testing:~#
|
|
[+] local terminal restored
|
|
(local) pwncat$ tamper -r -a
|
|
[+] tampers reverted!
|
|
(local) pwncat$ tamper
|
|
(local) pwncat$ |