pwncat.gtfobins module

The gtfobins module provides an abstract interface into the GTFOBins database. The GTFOBins database maps binaries to special permissions which could be used for privilege escalation (among other things). Internally, pwncat uses this database to identify ways to read/write files as well as during escalation with things like SETUID binaries and sudo rules. A full list of all supported binaries can be seen in pwncat/data/gtfobins.json.

class pwncat.gtfobins.Binary(gtfo: pwncat.gtfobins.GTFOBins, name: str, methods: List[Dict[str, Any]])

Bases: object

Encapsulates a GTFOBin and it’s methods for all capabilities

iter_methods(binary_path: str, caps: pwncat.gtfobins.Capability, stream: pwncat.gtfobins.Stream, spec: Optional[str] = None)

Iterate over methods in this binary matching the capability and stream masks

exception pwncat.gtfobins.BinaryNotFound

Bases: Exception

The binary asked for either doesn’t provided the required functionality or isn’t present on the remote system

flag pwncat.gtfobins.Capability(value)

Bases: enum.Flag

The capabilities of a given GTFOBin Binary. A binary may have multiple implementations of each capability, but these flags indicate a list of all capabilities which a given binary supports.

Valid values are as follows:

READ = <Capability.READ: 1>

WRITE = <Capability.WRITE: 2>

SHELL = <Capability.SHELL: 4>

ALL = <Capability.ALL: 7>

NONE = <Capability.NONE: 0>

class pwncat.gtfobins.ControlCodes

Bases: object

CTRL_C = '\x03'

CTRL_D = '\x04'

CTRL_O = '\x0f'

CTRL_R = '\x12'

CTRL_T = '\x14'

CTRL_X = '\x18'

CTRL_Z = '\x1a'

ESCAPE = '\x1b'

class pwncat.gtfobins.GTFOBins(gtfobins: str, which: Callable[[str], str])

Bases: object

Wrapper around the GTFOBins database. Provides access to searching for methods of performing various capabilities generically. All iterations yield MethodWrapper objects.

Parameters

• gtfobins (str) – path to the gtfobins database

• which (Callable[[str, Optional[bool]], str]) – a callable which resolves binary basenames to full paths. A second parameter indicates whether the returned path should be quoted as with shlex.quote.

find_binary(binary_path: str, caps: pwncat.gtfobins.Capability = Capability.ALL)

Locate a binary by name. Only return a binary if the capabilities overlap. Raise an BinaryNotFound exception if the capabilities don’t match or the given binary doesn’t exist on the remote system.

iter_binary(binary_path: str, caps: pwncat.gtfobins.Capability = Capability.ALL, stream: Optional[pwncat.gtfobins.Stream] = None, spec: Optional[str] = None) → Generator[pwncat.gtfobins.MethodWrapper, None, None]

Iterate over methods for the given remote binary path. A binary will be located by taking the basename of the given path, and the cross- referencing with the given capabilities and stream types.

iter_methods(caps: pwncat.gtfobins.Capability = Capability.ALL, stream: Optional[pwncat.gtfobins.Stream] = None, spec: Optional[str] = None) → Generator[pwncat.gtfobins.MethodWrapper, None, None]

Iterate over methods which provide the given capabilities

iter_sudo(spec: str, caps: pwncat.gtfobins.Capability = Capability.ALL, stream: Optional[pwncat.gtfobins.Stream] = None, **kwargs)

Iterate over methods which are sudo-capable w/ the given sudo spec. This will restrict the search to those binaries which match the given sudo command spec.

parse_binary_data(binary_data: Dict[str, List[Dict[str, Any]]])

Parse the given GTFObins binary information into the associated in-memory binary objects

resolve_binaries(target: str, **args)

resolve any missing binaries with the self.which method

class pwncat.gtfobins.Method(binary: pwncat.gtfobins.Binary, cap: pwncat.gtfobins.Capability, data: Dict[str, Any])

Bases: object

Abstract method class built from the JSON database

build_payload(gtfo: pwncat.gtfobins.GTFOBins, binary_path: str, spec: Optional[str] = None, user: Optional[str] = None, suid: bool = False, **kwargs) → str

Generate a read payload

sudo_args(binary_path: str, spec: str) → bool

Check if this method is compatible with the given sudo command spec. It will evaluate whether there are wildcards, or if the given parameters satisfy the parameters needed for this method. The method returns the list of arguments that need to be added_lines to the sudo spec in order for it to run this method.

If this method is incompatible with the given sudo spec, SudoNotPossible is raised. If this spec is compatible, a list of arguments which need to be appended to the spec is returned.

class pwncat.gtfobins.MethodWrapper(method: pwncat.gtfobins.Method, binary_path: str)

Bases: object

Wraps a method and full binary path pair which together are capable of generating a payload to perform the specified capability.

build(gtfo: pwncat.gtfobins.GTFOBins, **kwargs) → Tuple[str, str, str]

Build the payload for this method and binary path. Depending on capability and stream type, different named parameters are required.

property cap: pwncat.gtfobins.Capability

Access this methods capabilities

exit(gtfo: pwncat.gtfobins.GTFOBins, **kwargs) → str

input(gtfo: pwncat.gtfobins.GTFOBins, **kwargs) → str

payload(gtfo: pwncat.gtfobins.GTFOBins, **kwargs) → str

property stream: pwncat.gtfobins.Stream

Access this methods stream type

wrap_stream(pipe: BinaryIO) → IO

Wrap the given BinaryIO pipe with the appropriate stream wrapper for this method. For “RAW” or “PRINT” streams, this is a null wrapper. For BASE64 and HEX streams, this will automatically decode the data as it is streamed. Closing the wrapper will automatically close the underlying pipe.

exception pwncat.gtfobins.MissingBinary

Bases: Exception

A method required an external binary that didn’t exist

flag pwncat.gtfobins.Stream(value)

Bases: enum.Flag

What time of streaming data is required for a specific method.

Valid values are as follows:

RAW = <Stream.RAW: 1>

PRINT = <Stream.PRINT: 2>

HEX = <Stream.HEX: 4>

BASE64 = <Stream.BASE64: 8>

ANY = <Stream.ANY: 15>

NONE = <Stream.NONE: 0>

exception pwncat.gtfobins.SudoNotPossible

Bases: Exception

The given sudo command spec is not compatible with the method attempted.