Dive Deep into pwncat - Download or Upload Files

pwncat is a command and control framework that turns a basic reverse or bind shell into a fully-featured exploitation platform.


Uploading Files

Usually, transferring a file from our host machine to the victim machine is tedious. It involves hosting a Python HTTP server on the host and then using a tool such as wget on the Linux target to download the file.

But pwncat handles all of these steps for you. It does not require you to host an HTTP server with Python, nor does it need wget on the target to fetch the file. You can simply upload the file with the upload command, giving it the filename.

In CTF competitions we often need to upload winPEAS or linPEAS for privilege-escalation enumeration, so pwncat saves a lot of time when transferring files.

Uploading File Example
In the picture attached the /etc/hosts file is uploaded to /tmp/hosts of the victim machine from the host machine.

Downloading Files

Downloading files is also easy in pwncat. You can easily download a file from the victim machine to the host machine. This is useful when you want to edit a file on your host machine.

To modify such a file in order to escalate privileges, the attacker downloads it, edits it and uploads it back. For example, you find a cron job that executes every minute and whose script is owned by the root user. If your current user has write permission on that script, you can download it to your machine and edit it with ease using pwncat.

Editing on a remote machine is usually tough. Here pwncat helps you download the file; you can then re-upload the edited file and set up a listener so that you get a reverse shell the next time the cron job executes.
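The misconfiguration described above (a root-owned cron job whose script can be written by other users) is exactly what a system owner should be auditing for. The following script is an added example written for this post, not pwncat code: it reads a system-crontab-format file (min hour dom mon dow user command, as in /etc/crontab and /etc/cron.d/*), and flags every job whose script has the group- or world-write bit set. It assumes Linux with GNU coreutils (stat -c), and the crontab and scripts it checks at the end are constructed sample data, not files from a real host.

```shell
#!/bin/sh
# Added example (not pwncat code): audit cron jobs for scripts that users other
# than the owner can modify. Assumes GNU coreutils (stat -c) on Linux.

# Print "user command" for every job line in a system-crontab-format file,
# skipping blank lines, comments and VAR=value assignments.
cron_jobs() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$1" |
        awk '{ print $6, $7 }'
}

# Return 0 (true) when the file's symbolic mode has the group- or
# other-write bit set, e.g. -rwxrwxr-x or -rwxr-xrwx.
is_group_or_world_writable() {
    sym=$(stat -c '%A' "$1" 2>/dev/null) || return 1
    case "$sym" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit one crontab-format file: print a RISK line for each job whose
# absolute script path is writable by group or others.
audit_crontab() {
    cron_jobs "$1" | while read -r user cmd; do
        case "$cmd" in
            /*) ;;            # only absolute paths can be checked here
            *) continue ;;
        esac
        if is_group_or_world_writable "$cmd"; then
            printf 'RISK user=%s script=%s mode=%s\n' \
                "$user" "$cmd" "$(stat -c '%a' "$cmd")"
        fi
    done
}

# Constructed sample data (hypothetical scripts and crontab) for a dry run:
# backup.sh is world-writable (the bad case), rotate.sh is 755 (the good case).
SAMPLE_DIR=$(mktemp -d)
printf '#!/bin/sh\necho backup\n' > "$SAMPLE_DIR/backup.sh"
chmod 777 "$SAMPLE_DIR/backup.sh"
printf '#!/bin/sh\necho rotate\n' > "$SAMPLE_DIR/rotate.sh"
chmod 755 "$SAMPLE_DIR/rotate.sh"
cat > "$SAMPLE_DIR/crontab" <<EOF
SHELL=/bin/sh
# constructed sample crontab
* * * * * root $SAMPLE_DIR/backup.sh --quiet
0 3 * * * root $SAMPLE_DIR/rotate.sh
EOF

# Only the backup.sh job should be reported.
audit_crontab "$SAMPLE_DIR/crontab"
```

Run it against /etc/crontab or each file in /etc/cron.d on a host you administer; any RISK line is a script that a non-owner could replace, and the fix is to tighten its mode (chmod go-w) and confirm its owner is root.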

Downloading File Example
pwncat is a good tool in a CTF-like environment but make sure you do not use it in exams like OSCP because the automation capabilities such as privilege escalation to other users with just a command and auto enumeration are marked as illegal by offensive security. In CTF pwncat is a much better tool than netcat.
    We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.
