pwncat is a command and control framework that turns a basic reverse or bind shell into a fully-featured exploitation platform.
Persistence
[Image: Persistence Example]
pwncat can maintain persistence on the target machine. If the connection is
lost and we need to regain the shell, re-entering the SSH password each time
is a burden, and in situations like a CTF it is a significant time loss.
What we can do instead is upload our public key to the authorized_keys file
on the server so that we can log in without typing the account password every
time. pwncat automates this with the persist module, which adds our public key
to the authorized_keys file on the victim machine so that we no longer need a
password to log in again.
You can also see the status of your persistence method with the
persist --status
command. After our operation, or after getting the flag, if we need to remove
the traces of our actions we can do so with
persist --clean, which removes our authorized key from the victim
machine.
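The authorized_keys persistence described above is exactly what a defender should be watching for on a host. As an added example, not code from the original post or from pwncat, the following script audits an authorized_keys file against an allowlist of approved SSH key fingerprints and flags every entry that is either unknown or does not decode; the sample file, the dummy key bytes and the allowlist are constructed inline.

```python
import base64
import hashlib
import struct

# Key types this audit recognises in authorized_keys (extend as needed).
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

# Base64 blob of an entry from its wire format (length-prefixed strings); only used to
# construct sample data below, and the raw key bytes are dummies, not real keys.
def make_blob(key_type: str, raw_key: bytes) -> str:
    wire = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), raw_key))
    return base64.b64encode(wire).decode()

# OpenSSH-style fingerprint: "SHA256:" + unpadded base64 of sha256(decoded blob).
def fingerprint(blob_b64: str) -> str:
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Split one line into (options, key_type, blob, comment); None for blank/comment lines.
def parse_entry(line: str):
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError(f"malformed authorized_keys line: {line.strip()!r}")

# One finding per key whose fingerprint is not on the allowlist, or whose blob is broken.
def audit(authorized_keys: str, allowlist: set) -> list:
    findings = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        try:
            entry = parse_entry(line)
            fp = fingerprint(entry[2]) if entry else None
        except ValueError as exc:
            findings.append({"line": n, "fingerprint": None, "reason": str(exc)})
            continue
        if entry and fp not in allowlist:
            findings.append({"line": n, "fingerprint": fp, "options": entry[0],
                             "comment": entry[3], "reason": "key not on allowlist"})
    return findings

# Constructed sample file: an approved key, a key nobody approved, and a corrupt line.
APPROVED_BLOB = make_blob("ssh-ed25519", b"\x01" * 32)
UNKNOWN_BLOB = make_blob("ssh-ed25519", b"\x02" * 32)
SAMPLE_FILE = "\n".join([
    f"ssh-ed25519 {APPROVED_BLOB} admin@bastion",
    f'command="/usr/bin/true" ssh-ed25519 {UNKNOWN_BLOB} dev@laptop',
    "ssh-rsa not-base64!! broken"])
ALLOWLIST = {fingerprint(APPROVED_BLOB)}
```

Running audit(SAMPLE_FILE, ALLOWLIST) reports the unapproved key on line 2 (with its forced command option) and the undecodable entry on line 3; the allowlist would normally be built from the fingerprints your configuration management deployed.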
If you want to track all the operations performed on the remote machine, the tamper module in pwncat helps you keep a record of your activity.
[Image: Tamper Example]
Also, if you want to revert all the changes you made on the remote target,
you can do it with a single command:
tamper --revert --all
[Image: Revert all changes]
Privilege Escalation
[Image: Privilege Escalation Methods]
pwncat can list the available privilege escalation methods. In the figure, we
can see that pwncat escalates privileges to the developer user without a
password with the help of vim. pwncat can also attempt these privilege
escalation methods automatically. A number of methods are implemented by
default, such as:
- SetUID binaries
- Sudo (with and without password)
- Screen (CVE-2017-5618)
- DirtyCOW
[Image: Escalating user to sysadmin]
pwncat can also automatically detect and fix a mismatched EUID and UID after
an attempted privilege escalation. In the attached picture we can see that
we need to escalate to the sysadmin user.
The -u flag specifies the target user and the -e flag requests
escalation. Here we escalate our privileges to those of sysadmin with
just one command: our normal user is first elevated to developer with the
help of the vim misconfiguration, and then elevated to the sysadmin user
with the help of a setuid mismatch.
[Image: JSON File of GTFOBins]
pwncat does this the same way a user would consult GTFOBins to find
privesc methods: the pwncat developers maintain a JSON file with
information about the different privesc methods.
We hope this helps. If you have any suggestions or doubts, add a comment and we
will reply as soon as possible.