Dive Deep into pwncat - Enumeration & Busy Box

pwncat is a command and control framework that turns a basic reverse or bind shell into a fully-featured exploitation platform.


Utilize your connection for the enumeration of the target machine

The first thing we do after receiving a connection is enumerate the target: users, groups, and other information about the system. The goal is to find a way to elevate to a higher-privileged user, which is usually tedious to do by hand. pwncat can do this in an automated manner.

Enumeration in pwncat is performed by the enumerate.* modules. Enumeration modules can be run individually, or you can use one of the automated enumeration groups. By default, enumeration modules run only once and their results are cached in the database. The enumerate.gather module collects enumeration facts from all other enumeration modules.

# Enumerate only SUID and File Capability enumeration types
(local) pwncat$ run enumerate.gather types=file.suid,file.caps

# Enumerate facts from all available modules
(local) pwncat$ run enumerate.gather

The enumerate.quick module enumerates some useful types of enumeration data but is intended not to take much time. Both enumerate.gather and enumerate.quick implement the output parameter, which lets you write the enumeration results to a markdown file instead of standard output.

# Output a markdown formatted report to results.md
(local) pwncat$ run enumerate.auto output=results.md
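The file.suid and file.caps fact types that enumerate.gather collects are the same things a host owner should be reviewing. The script below is an added example, not code from pwncat or from this post: it parses the plain text printed by find(1) and getcap(8), diffs the current state against a recorded baseline, and flags a newly added setuid binary or file capability. The sample find/getcap output, the baseline and the HIGH_RISK_CAPS list are constructed for the example.

```python
"""Baseline audit of setuid binaries and file capabilities.

Added example, not code from pwncat or this post. Input is the text printed
by `find / -perm -4000 -type f` and `getcap -r /`; the sample text and the
baseline below are constructed for the example.
"""
import re
from dataclasses import dataclass

# File capabilities that amount to root when granted on an executable.
# Assumption: a short illustrative list, not an exhaustive one.
HIGH_RISK_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                  "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}


@dataclass
class Finding:
    kind: str       # "suid" or "caps"
    path: str
    detail: str
    severity: str   # "info", "warn" or "high"


def parse_suid(text):
    """One absolute path per line, as printed by find(1)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_getcap(text):
    """Map path -> set of capability names from `getcap -r` output.

    Handles both output styles: libcap < 2.41 prints "/path = cap_x+ep",
    libcap >= 2.41 prints "/path cap_x=ep".
    """
    facts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, caps = line.split(" = ", 1)
        else:
            path, _, caps = line.partition(" ")
        facts[path] = set(re.findall(r"cap_[a-z_]+", caps))
    return facts


def audit(suid_text, getcap_text, baseline):
    """Return findings that differ from the baseline.

    baseline = {"suid": set of paths, "caps": {path: set of cap names}}
    """
    findings = []
    current_suid = parse_suid(suid_text)
    for path in sorted(current_suid - baseline["suid"]):
        findings.append(Finding("suid", path, "setuid bit not in baseline", "warn"))
    for path in sorted(baseline["suid"] - current_suid):
        findings.append(Finding("suid", path, "baseline setuid binary missing", "info"))
    for path, caps in sorted(parse_getcap(getcap_text).items()):
        new_caps = caps - baseline["caps"].get(path, set())
        if new_caps:
            severity = "high" if new_caps & HIGH_RISK_CAPS else "warn"
            findings.append(Finding("caps", path, ",".join(sorted(new_caps)), severity))
    return findings


# Constructed sample input: what find(1) and getcap(8) might print on a host.
SAMPLE_SUID = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/opt/backup/helper
"""
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/netmon cap_net_raw,cap_setuid=ep
"""
# Constructed baseline, as recorded when the host was known-good.
BASELINE = {
    "suid": {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount"},
    "caps": {"/usr/bin/ping": {"cap_net_raw"}},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_SUID, SAMPLE_GETCAP, BASELINE):
        print(f"[{f.severity:4}] {f.kind:4} {f.path}: {f.detail}")
```

Run it periodically with the real find and getcap output on a host you administer and keep the baseline under version control; a setuid binary that appears outside the package manager's files, or a capability such as cap_setuid granted to a binary that never had it, is worth an alert. A missing baseline entry is reported at info level since it usually means a package was removed, but it is still worth confirming.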

Example for sudo
The image above shows how pwncat gathered facts about sudo: it found a NOPASSWD rule for vim and was able to use it to elevate privileges to root.
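The sudo fact pwncat reported above (a NOPASSWD rule for vim) is exactly what an administrator should catch when reviewing sudoers. The following is an added example, not pwncat's code: a small parser for sudoers user specifications (host, runas, tags and comma-separated command lists, with backslash continuations) that flags every NOPASSWD rule. The sudoers text is constructed for the example, and the SHELL_CAPABLE set is an assumption holding only what the post names (vim) plus ALL.

```python
"""Audit sudoers text for NOPASSWD rules.

Added example, not pwncat's code. The sample sudoers content below is
constructed for the example.
"""
import os
import re
from dataclasses import dataclass

# Assumption: illustrative list (ALL plus the editor named in the post).
SHELL_CAPABLE = {"ALL", "vim", "vi"}

# user  host=(runas) [TAG:] cmd, [TAG:] cmd ...
SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
                 r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT|"
                 r"MAIL|NOMAIL|FOLLOW|NOFOLLOW)\s*:\s*")


@dataclass
class Rule:
    user: str
    host: str
    runas: str
    command: str
    nopasswd: bool


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blanks."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = buf + line
        buf = ""
        if line.strip():
            yield line.strip()


def parse_sudoers(text):
    """Return one Rule per command in every user specification."""
    rules = []
    for line in _logical_lines(text):
        first = line.split()[0]
        if first == "Defaults" or first.endswith("_Alias"):
            continue                      # options and aliases are not user specs
        m = SPEC.match(line)
        if not m:
            continue
        nopasswd = False                  # a tag persists along the command list
        for chunk in m.group("cmds").split(","):
            chunk = chunk.strip()
            while True:
                t = TAG.match(chunk)
                if not t:
                    break
                if t.group(1) == "NOPASSWD":
                    nopasswd = True
                elif t.group(1) == "PASSWD":
                    nopasswd = False
                chunk = chunk[t.end():]
            # sudo runs commands as root when no runas list is given
            rules.append(Rule(m.group("user"), m.group("host"),
                              m.group("runas") or "root", chunk, nopasswd))
    return rules


def audit_nopasswd(text):
    """Return (severity, rule) for every NOPASSWD rule, highest severity first."""
    findings = []
    for rule in parse_sudoers(text):
        if not rule.nopasswd:
            continue
        prog = os.path.basename(rule.command.split()[0])
        severity = "high" if prog in SHELL_CAPABLE else "warn"
        findings.append((severity, rule))
    findings.sort(key=lambda f: f[0] != "high")
    return findings


# Constructed sample, not a real sudoers file.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/sbin:/usr/bin:/bin"
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
bob     ALL=(ALL) NOPASSWD: /usr/bin/vim
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, \\
                   PASSWD: /usr/bin/apt
"""

if __name__ == "__main__":
    for severity, r in audit_nopasswd(SAMPLE_SUDOERS):
        print(f"[{severity:4}] {r.user} as {r.runas}: {r.command}")
```

The PASSWD tag after a NOPASSWD one matters: in the deploy line only the systemctl command is passwordless, and apt still prompts, so the parser carries the tag state across the comma-separated list rather than treating the whole line as one rule. Files pulled in through #includedir are not followed here; run the audit over each of them as well.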

Busy Box

Install BusyBox
BusyBox combines tiny versions of many common UNIX utilities into a single small executable. This helps when the essential utilities are not available on the target machine.

BusyBox provides a fairly complete environment for any small or embedded system. It has been written with size optimization and limited resources in mind: in a file of a few hundred kilobytes, you get a long list of utilities on the system.

pwncat is a good tool in a CTF-like environment, but make sure you do not use it in exams like the OSCP: automation features such as privilege escalation to other users with a single command and automatic enumeration are prohibited by Offensive Security's exam rules. In a CTF, pwncat is a much better tool than netcat.

We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.
