pwncat.facts.ability module

Classes implementing specific abilities. Abilities provide access to specific actions as a different user. They are used when escalating privileges. Basic ability types are defined such as file read, file write and shell execution. This module also defines classes and methods which make building abilities from GTFOBins methods simpler, since they are used in multiple places within pwncat.

class pwncat.facts.ability.ExecuteAbility(source: str, source_uid: Optional[Union[int, str]], uid: Union[int, str])

Bases: pwncat.db.Fact

Represents the ability to execute a shell as a different user.

Parameters
  • source (str) – generating module name

  • source_uid (Optional[Union[int, str]]) – the starting UID or None if it doesnt matter

  • uid (Union[int, str]) – the target UID

shell(session: pwncat.manager.Session) → Callable[[pwncat.manager.Session], None]

Replace the current shell with a new shell as the identified user

Parameters

session (pwncat.manager.Session) – the session to operate on

Returns

Callable - A lambda taking the session and exiting the new shell

class pwncat.facts.ability.FileReadAbility(source: str, source_uid: Optional[Union[int, str]], uid: Union[int, str])

Bases: pwncat.db.Fact

Represents the ability to read a file as a different user

Parameters
  • source (str) – generating module name

  • source_uid (Optional[Union[int, str]]) – the starting UID or None if it doesnt matter

  • uid (Union[int, str]) – the target UID

open(session, path: str, mode: str = 'r', buffering: int = - 1, encoding: str = 'utf-8', errors: str = None, newline: str = None) → IO

Open a file for reading. This method mimics the builtin open function, and returns a file-like object for reading as the target user.

class pwncat.facts.ability.FileWriteAbility(source: str, source_uid: Optional[Union[int, str]], uid: Union[int, str])

Bases: pwncat.db.Fact

Represents the ability to write a file as a different user

Parameters
  • source (str) – generating module name

  • source_uid (Optional[Union[int, str]]) – the starting UID or None if it doesnt matter

  • uid (Union[int, str]) – the target UID

open(session, path: str, mode: str = 'r', buffering: int = - 1, encoding: str = 'utf-8', errors: str = None, newline: str = None) → IO

Open a file for writing. This method mimics the builtin open function and returns a file-like object for writing as the target user.

class pwncat.facts.ability.GTFOExecute(source: str, source_uid: Optional[Union[int, str]], uid: Union[int, str], method: pwncat.gtfobins.MethodWrapper, **kwargs)

Bases: pwncat.facts.ability.ExecuteAbility

Execute a remote binary with a given GTFObins capability

Parameters
  • source (str) – generating module name

  • source_uid (Optional[Union[int, str]]) – the starting UID or None if it doesnt matter

  • uid (Union[int, str]) – the target UID

  • method (pwncat.gtfobins.MethodWrapper) – the gtfobins method to utilize

  • **kwargs – keyword arguments passed to the method builder

Popen(session, *args, **kwargs)

Emulate the platform.Popen method for execution as another user

run(session, *args, **kwargs)

Emulate the platform.run method for execution as another user

send_command(session, command: bytes = None)

Send the command to the target for this GTFObin

shell(session)

Replace the running shell with a shell as another user

title(session)

Return a short-form description/title of the object. If not defined, this defaults to the object converted to a string.

class pwncat.facts.ability.GTFOFileRead(source: str, source_uid: Optional[Union[int, str]], uid: Union[int, str], method: pwncat.gtfobins.MethodWrapper, **kwargs)

Bases: pwncat.facts.ability.FileReadAbility

Utilize a GTFO Method Wrapper to implement the FileReadAbility.

Parameters
  • source (str) – generating module name

  • source_uid (Optional[Union[int, str]]) – the starting UID or None if it doesnt matter

  • uid (Union[int, str]) – the target UID

  • method (pwncat.gtfobins.MethodWrapper) – the gtfobins method to utilize

  • **kwargs – keyword arguments passed to the method builder

open(session, path: str, mode: str = 'r', buffering: int = - 1, encoding: str = 'utf-8', errors: str = None, newline: str = None)

Read the file data using a GTFO bins reader

title(session)

Return a short-form description/title of the object. If not defined, this defaults to the object converted to a string.

class pwncat.facts.ability.GTFOFileWrite(source: str, source_uid: Optional[Union[int, str]], uid: Union[int, str], method: pwncat.gtfobins.MethodWrapper, **kwargs)

Bases: pwncat.facts.ability.FileWriteAbility

Utilize a GTFO Method Wrapper to implement the FileWriteAbility

Parameters
  • source (str) – generating module name

  • source_uid (Optional[Union[int, str]]) – the starting UID or None if it doesnt matter

  • uid (Union[int, str]) – the target UID

  • method (pwncat.gtfobins.MethodWrapper) – the gtfobins method to utilize

  • **kwargs – keyword arguments passed to the method builder

open(session, path: str, mode: str = 'w', buffering: int = - 1, encoding: str = 'utf-8', errors: str = None, newline: str = None)

Read the file data using a GTFO bins reader

title(session)

Return a short-form description/title of the object. If not defined, this defaults to the object converted to a string.

class pwncat.facts.ability.SpawnAbility(source: str, source_uid: Optional[Union[int, str]], uid: Union[int, str])

Bases: pwncat.db.Fact

Represents the ability to spawn a non-interactive process as another user.

Parameters
  • source (str) – generating module name

  • source_uid (Optional[Union[int, str]]) – the starting UID or None if it doesnt matter

  • uid (Union[int, str]) – the target UID

execute(session: pwncat.manager.Session, command: str)

Utilize this ability to execute a command as a different user

Parameters
pwncat.facts.ability.build_gtfo_ability(source: str, uid: Union[int, str], method: pwncat.gtfobins.MethodWrapper, source_uid: Optional[Union[int, str]] = None, **kwargs) → Union[pwncat.facts.ability.GTFOFileRead, pwncat.facts.ability.GTFOFileWrite, pwncat.facts.ability.GTFOExecute]

Build a escalation ability from a GTFOBins method. This will return one of of the GTFO ability classes based on the capabilties exposed by the given GTFOBins method.

Parameters
  • source (str) – the generating module

  • uid (Union[int, str]) – the user ID of the target user

  • method (pwncat.gtfobins.MethodWrapper) – the GTFObins method to use

  • source_uid (Optional[Union[int, str]]) – the user ID of the required starting user (or None if it does not matter)

  • **kwargs – keyword arguments passed to the GTFOBins method builder

Return type

Union[GTFOFileRead, GTFOFileWrite, GTFOExecute]