Dive Deep into pwncat - Privilege Escalation & Persistence

November 06, 2021

pwncat is a command and control framework that turns a basic reverse or bind shell into a fully-featured exploitation platform.


Persistence

Persistence Example
Pwncat has this feature of keeping persistence on the target machine. Pwncat adds persistence to the victim machine. In case the connection is lost and we need to regain the shell it’s a burden as we need to enter the ssh password and during situations like CTF, it is a huge time loss. 

What we can do is upload our public key to the authorized_keys of the server so that you can access it without typing your account password all the time. Pwncat automates this process with the help of the persist module. This will add our public key to the authorized_keys of the victim machine so that we do need not to use a password to log in again. 

You can also see the status of your persistence method with the persist --status command.  After our operation or getting the flag, if we need to remove the traces of our action we can easily do that by persist --clean. This will eventually remove our authorized key from the victim machine. 

If you want to track all the operations on the remote machine, tamper in pwncat help you track your activity
Tamper Example
Also, if you want to revert all the changes you made on the remote target you can do it with a single command tamper --revert --all
Revert all changes

Privilege Escalation

Privilege Escalation Methods
Pwncat can list out privilege escalation methods. In the figure, we can see that pwncat escalates privilege to developer user without a password using the help of vim. Pwncat has the ability to attempt automated privilege escalation methods. A number of methods are implemented by default such as:
  • Set UID Binaries
  • Sudo (with and without password)
  • Screen (CVE-2017-5618)
  • DirtyCOW
Escalating user to sysadmin
Pwncat can also automatically detect and fix mismatched EUID and UID after an attempted privilege escalation. In the attached picture we can see that we need to escalate the user to sysadmin. 

-u flag stands for the user and -e flag stands for escalating. Here we are escalating our privileges to that of sysadmin with just one command. We can see that we elevated our normal user to the developer with help of vim misconfiguration and then elevated to sysadmin user with help of setuid mismatch.

JSON File of GTBO Bins
Pwncat does this in the same way as a user would use GTFO bins to find privesc methods. The pwncat developers have a JSON file that has a lot of information about different privesc methods.
pwncat is a good tool in a CTF-like environment but make sure you do not use it in exams like OSCP because the automation capabilities such as privilege escalation to other users with just a command and auto enumeration are marked as illegal by offensive security. In CTF pwncat is a much better tool than netcat.
    We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.
    , , ,

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)