1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-27 19:04:15 +01:00
pwncat/docs/source/persist.rst
Caleb Stewart 72dc93e6f7 privesc now uses persist to overcome UID!=EUID
`pwncat.victim.privesc` will use the first available
and working persistence mechanism to overcome UID!=EUID
situations. Also, added more documentation.
2020-05-20 15:58:43 -04:00

108 lines
4.6 KiB
ReStructuredText

Persistence
===========
The ``pwncat.victim.persist`` module provides an abstract way to install various persistence methods
on the target host. To view a list of available persistence methods, you can use the ``--list/-l``
switch:
.. code-block:: bash
(local) pwncat$ persist -l
- authorized_keys as user (local)
- pam as system (local)
- passwd as system (local)
- sshd as system (local)
This output indicates a few things. First, if a given method specifies "as user", then the persistence
method is installed as a specific user. If no user is specified during installation, ``root`` is
attempted, but will likely only succeed if you do not currently have root permissions. Second,
persistence methods marked "local" allow a local user to escalate to that user (or to root for system
persistence modules). This is in contrast to persistence methods which only allow remote access
as the specified user.
To get more information on a specific module, you can pass the ``--method/-m`` option with the method
name when using ``--list/-l``. This will provide the module specific documentation on what is being
installed specifically on the remote system:
.. code-block:: bash
(local) pwncat$ persist -l -m pam
pam as system (local)
Add a malicious PAM module which will allow authentication as any user.
This persistence method will install a custom PAM module which authenticates
every user successfully with your backdoor password. This module also logs
any passwords in plaintext which are not your backdoor password in /var/log/firstlog.
The log file is tracked as a separate tamper and will not be automatically removed
by removing this persistence method.
The remote host **must** have `gcc` and `openssl-devel` packages installed
and you must already have root access.
Persistence Installation Status
-------------------------------
To list all currently installed persistence methods, you can use the ``--status/-s`` switch. This
will list all registered/installed persistence methods known to ``pwncat``. This is also the default
action if no options are specified.
.. code-block:: bash
(local) pwncat$ persist -s
- pam as system (local) installed
This is useful because in some situations, the ``pwncat.victim.privesc`` module will automatically
install persistence. This is normally to overcome a ``EUID != UID`` situation. If this happens,
``pwncat`` will still track persistence methods correctly.
Persistence methods are also tracked by the ``pwncat.victim.tamper`` module. When a persistence
method is installed, it is registered as both a tamper and a persistence method. In this way, using
``tamper -r -a`` will remove all of your modifications including persistence methods. If a persistence
method is removed with tamper, it will also be removed from the persistence status and vice-versa.
Installing Persistence
----------------------
The ``persist`` command can be used to install individual persistence methods. The ``--install/-i``
switch enables this mode. In installation mode, you must specify a module to install with the
``--method/-m`` option. For user-based methods, you should also specify a user. If no user is specified,
``pwncat`` will assume you would like root-level persistence. For system methods, the user argument
is ignored.
.. code-block:: bash
(local) pwncat$ persist -i -m pam
[/] pam_sneaky: adding pam auth configuration: login
(local) pwncat$ persist -i -m authorized_keys -u george
(local) pwncat$ persist
- pam as system (local) installed
- authorized_keys as george (local) installed
Removing Persistence
--------------------
Once again, the ``persist`` command is used to remove persistence from the target host. The
``--remove/-r`` switch is used to enable this mode. You must specify a method with the ``--method/-m``
option. For user-based methods, you must specify a user to remove the persistence from. As with
the install, ``pwncat`` will assume you would like to remove the root persistence. If no user is
specified and persistence as root is not installed, the removal will fail.
.. code-block:: bash
(local) pwncat$ persist -r -m authorized_keys -u george
(local) pwncat$ persist -r -m authorized_keys
[!] authorized_keys as root (local): not installed
As mentioned above, persistence installation is also tracked by the tamper command. The ``tamper``
command can also be used to view and remove persistence methods:
.. code-block:: bash
(local) pwncat$ tamper
0 - Created file /var/log/firstlog
1 - Persistence: pam as system (local)
(local) pwncat$ tamper -r -t 1