mirror of https://github.com/calebstewart/pwncat.git synced 2024-12-02 21:34:15 +01:00
pwncat/docs/source/commands/tamper.rst

Tamper
======

``pwncat`` tracks modifications of the remote system through the ``tamper`` module. Programmatically, ``pwncat``
interfaces with the tamper subsystem through the ``pwncat.victim.tamper`` object. This allows generic modifications
to be registered together with a method that reverts each change. Built-in capabilities like ``privesc`` and ``persist``
register any modifications they make to the remote system with the tamper module. This includes, but is not limited
to, created users, created files, modified files, and removed files.

Listing Tampers
---------------

To view a list of current remote modifications, use the ``tamper`` command. The default action is to list all registered
tampers.

.. code-block:: bash

    (local) pwncat$ tamper
    0 - Created file /tmp/tmp.U2KlLIG5dW
    1 - Modified /home/george/.ssh/authorized_keys
    2 - Created file /tmp/tmp.tnJfd2BaCd
    3 - Created file /tmp/tmp.PAXFRgfYzW
    4 - Modified /home/george/.ssh/authorized_keys
    5 - Created file /tmp/tmp.xi5Evy4ZPF
    6 - Created file /tmp/tmp.05AwnolMNL
    7 - Modified /home/george/.ssh/authorized_keys
    8 - Created file /tmp/tmp.6LwcrXSdWE
    9 - Persistence: passwd as system (local)


Reverting Tampers
-----------------

Tampers can be reverted to their original state with the ``--revert/-r`` flag of the ``tamper`` command. In this mode,
you can either specify ``--all/-a`` to revert every tamper or ``--tamper/-t ID`` to revert a specific tamper ID. In some
cases, the modifications were made as a different user and therefore cannot be removed with the current privileges. Such
a tamper is reported as a failed revert, left in the list, and can be reverted later once you have the required
privileges:

.. code-block:: bash

    (local) pwncat$ tamper -r -a
    [\] reverting tamper: Modified /home/george/.ssh/authorized_keys
    [?] Modified /home/george/.ssh/authorized_keys: revert failed: No such file or directory: '/home/george/.ssh/authorized_keys'
    [/] reverting tamper: Created file /tmp/tmp.tnJfd2BaCd
    [?] Created file /tmp/tmp.tnJfd2BaCd: revert failed: /tmp/tmp.tnJfd2BaCd: unable to remove file
    [\] reverting tamper: Modified /home/george/.ssh/authorized_keys
    [?] Modified /home/george/.ssh/authorized_keys: revert failed: No such file or directory: '/home/george/.ssh/authorized_keys'
    [/] reverting tamper: Created file /tmp/tmp.xi5Evy4ZPF
    [?] Created file /tmp/tmp.xi5Evy4ZPF: revert failed: /tmp/tmp.xi5Evy4ZPF: unable to remove file
    [\] reverting tamper: Modified /home/george/.ssh/authorized_keys
    [?] Modified /home/george/.ssh/authorized_keys: revert failed: No such file or directory: '/home/george/.ssh/authorized_keys'
    [/] reverting tamper: Created file /tmp/tmp.6LwcrXSdWE
    [?] Created file /tmp/tmp.6LwcrXSdWE: revert failed: /tmp/tmp.6LwcrXSdWE: unable to remove file
    [-] reverting tamper: Persistence: passwd as system (local)
    [?] Persistence: passwd as system (local): revert failed: Permission denied: '/etc/passwd'
    [+] tampers reverted!

After utilizing our ``passwd`` persistence to gain root access, we can successfully remove all tampers:

.. code-block:: bash

    (local) pwncat$ privesc -e
    [+] privilege escalation succeeded using:
     ⮡ persistence - passwd as system (local)
    [+] pwncat is ready 🐈
    (remote) root@pwncat-centos-testing:~#
    [+] local terminal restored
    (local) pwncat$ tamper -r -a
    [+] tampers reverted!
    (local) pwncat$ tamper
    (local) pwncat$
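
The whole flow above (register created-file, modified-file and custom tampers; revert them without privileges so one
fails and stays listed; revert again after privilege escalation) as an added stand-alone Python example. This is not
pwncat's own code and does not call the ``pwncat.victim.tamper`` API: ``TamperRegistry`` and its ``created_file``,
``modified_file``, ``custom``, ``list`` and ``revert_all`` names are assumptions of this example, the "root" flag is a
stand-in for a real ``privesc``, and the ``authorized_keys`` content is constructed sample data. It runs offline in a
temporary directory.

```python
"""Added example (not pwncat's code): a registry of revertable modifications.
TamperRegistry and its method names are assumed here; the key data is made up."""
import os
import shutil
import tempfile
from typing import Callable, Dict, List, Tuple

Revert = Callable[[], None]


class TamperRegistry:
    """Ordered (name, revert) pairs. Reverting drops only the entries that
    succeed; one whose revert raises stays registered to be retried later."""

    def __init__(self) -> None:
        self.tampers: List[Tuple[str, Revert]] = []

    def created_file(self, path: str) -> None:
        # Undo a created file by deleting it.
        self.tampers.append((f"Created file {path}", lambda: os.remove(path)))

    def modified_file(self, path: str, original: bytes) -> None:
        # Undo a modification by writing back the content captured beforehand.
        def restore() -> None:
            if not os.path.exists(path):
                raise FileNotFoundError(f"No such file or directory: '{path}'")
            with open(path, "wb") as f:
                f.write(original)
        self.tampers.append((f"Modified {path}", restore))

    def custom(self, name: str, revert: Revert) -> None:
        self.tampers.append((name, revert))

    def list(self) -> List[str]:
        # IDs are list positions, so they renumber after a successful revert.
        return [f"{i} - {name}" for i, (name, _) in enumerate(self.tampers)]

    def revert_all(self) -> Tuple[List[str], Dict[str, str]]:
        reverted: List[str] = []
        failed: Dict[str, str] = {}
        for entry in list(self.tampers):
            name, revert = entry
            try:
                revert()
            except OSError as exc:  # PermissionError, FileNotFoundError, ...
                failed[name] = str(exc)  # left registered for a later retry
            else:
                self.tampers.remove(entry)
                reverted.append(name)
        return reverted, failed


def demo() -> Dict[str, object]:
    """Register three tampers, revert unprivileged, then revert 'as root'."""
    workdir = tempfile.mkdtemp()
    registry = TamperRegistry()

    # 1. A scratch file we created (like the /tmp/tmp.* entries above).
    scratch = os.path.join(workdir, "tmp.scratch")
    open(scratch, "w").close()
    registry.created_file(scratch)

    # 2. A file we modified: capture the original before appending our key.
    keys = os.path.join(workdir, "authorized_keys")
    original = b"ssh-ed25519 AAAAC3Nz...original user@host\n"  # constructed
    with open(keys, "wb") as f:
        f.write(original + b"ssh-ed25519 AAAAC3Nz...attacker pwncat\n")
    registry.modified_file(keys, original)

    # 3. A custom tamper whose revert needs privileges we do not have yet.
    state = {"is_root": False, "persist_installed": True}

    def remove_persistence() -> None:
        if not state["is_root"]:
            raise PermissionError("Permission denied: '/etc/passwd'")  # simulated
        state["persist_installed"] = False

    registry.custom("Persistence: passwd as system (local)", remove_persistence)

    reverted_first, failed_first = registry.revert_all()
    remaining = registry.list()  # only the failed tamper is left, renumbered
    state["is_root"] = True      # stand-in for a successful privesc
    reverted_second, failed_second = registry.revert_all()

    with open(keys, "rb") as f:
        keys_restored = f.read() == original
    scratch_exists = os.path.exists(scratch)
    shutil.rmtree(workdir)
    return {
        "reverted_first": reverted_first, "failed_first": failed_first,
        "remaining": remaining, "reverted_second": reverted_second,
        "failed_second": failed_second, "after": registry.list(),
        "scratch_exists": scratch_exists, "keys_restored": keys_restored,
        "persist_installed": state["persist_installed"],
    }
```

Calling ``demo()`` shows the two passes: the first removes the scratch file and restores ``authorized_keys`` but
leaves the persistence entry listed as ID 0 with its error message; the second, after the root flag is set, clears it.
The design point worth copying is that a revert failure is recorded and the entry is kept rather than silently dropped,
which is exactly why the earlier session could finish its cleanup after ``privesc``.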