mirror of
https://github.com/calebstewart/pwncat.git
synced 2024-11-30 20:34:15 +01:00
bcb1f77606
- Added some last touches to module system. - Modified connect syntax to allow more flexible parameters - Still need to update enumeration API docs and connect command docs
Automated Privilege Escalation
==============================

``pwncat`` has the ability to attempt automated privilege escalation methods. A number of methods are implemented by
default, such as:

* Set UID Binaries
* Sudo (with and without password)
* screen (CVE-2017-5618)
* DirtyCOW

Each of these methods utilizes the capabilities of the GTFOBins module. The GTFOBins module provides a programmatic
interface to gtfobins_. Each privilege escalation module implements shell, file read or file write capabilities.
``pwncat`` will leverage these to get shell access as the specified user. ``pwncat`` does this by trying the following
methods with the provided capabilities:

* Executing a shell (the simplest option)
* Reading user private keys and ssh-ing to localhost
* Writing private keys
* Implanting a backdoor user in /etc/passwd (if file-write as root is available)

If ``pwncat`` does not find a method of gaining access as the specified user directly, it will recursively attempt to
escalate to any other user it can in order to find a path to the requested user.
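
The ``/etc/passwd`` backdoor technique listed above leaves a persistent artifact that a defender can check for. The following is an added example, not part of ``pwncat`` or its documentation: it audits passwd-format text for such entries. The sample data, the account name ``svc-backup`` and the assumption that only ``root`` should hold UID 0 are constructed for illustration.

```python
"""Audit passwd(5) content for signs of an implanted account (added example)."""

# Field 2 values meaning "no hash stored here": x = see /etc/shadow, * and ! = locked.
PLACEHOLDERS = {"x", "*", "!", "!!"}

# Constructed sample; "svc-backup" and its hash string are made up for illustration.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:$6$CONSTRUCTED$notarealhash:0:0::/root:/bin/bash
broken line without enough fields
"""


def audit_passwd(text):
    """Return a list of (line_number, account, reason) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # passwd(5) entries have exactly seven fields
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, passwd, uid = fields[0], fields[1], fields[2]
        # Assumption: root is the only account expected to hold UID 0.
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
        if passwd == "":
            findings.append((lineno, name, "empty password field"))
        elif passwd not in PLACEHOLDERS:
            findings.append((lineno, name, "password hash stored in passwd"))
    return findings


def main(path="/etc/passwd"):
    with open(path, encoding="utf-8", errors="replace") as handle:
        for lineno, name, reason in audit_passwd(handle.read()):
            print(f"{path}:{lineno}: {name}: {reason}")


if __name__ == "__main__":
    main()
```

Systems that legitimately carry a second UID 0 account will need that name added to the allowed set before the findings are used for alerting.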

Invoking Privilege Escalation
-----------------------------

Privilege escalation is implemented utilizing ``pwncat`` modules. These modules can be run individually
if desired or you can utilize the ``escalate.auto`` module which will recursively search for a path
to a desired user.

The ``escalate.auto`` module by default simply lists the escalation techniques which were found for the
current user. To actually escalate to a new user, you can use the ``exec`` option. This option will
go through every possible user and attempt to escalate. It then keeps attempting escalation until it finds
a path to the requested user recursively.

Escalation modules also implement ``read`` and ``write`` modes which attempt to read or write a file
as the specified user. All three of ``read``, ``write``, and ``exec`` are also supported by every
individual escalation module.

.. code-block:: bash

    # Locate and list available techniques as the current user
    (local) pwncat$ run escalate.auto
    # Attempt automated escalation to the specified user
    (local) pwncat$ run escalate.auto exec user=root shell=/bin/bash
    # Attempt automated escalation to root with the current shell
    (local) pwncat$ run escalate.auto exec
    # Read /etc/shadow with the escalate.sudo module
    (local) pwncat$ run escalate.sudo read user=root path=/etc/shadow
    # Write a file as root
    (local) pwncat$ run escalate.auto write user=root path=/tmp/test data="hello world!"

.. _gtfobins: https://gtfobins.github.io