pwncat works by try as much as possible not to depend on specific binaries on the remote system. It does this
most of the time by selecting an unidentified existing binary from the GTFOBins database in order to perform a
generic capability (e.g. file read, file write or shell). However, sometimes a critical binary is missing on the
target host which has been removed (either maliciously or never installed). In these situations, obtaining a stable
version of all basic binaries is very helpful. To this end, pwncat has the capability to automatically upload a
copy of the
busybox program to the remote host.
busybox command manages the installation, status, and removal of the installed busybox. Installing busybox lets
pwncat know that it has a list of standard binaries with known good interfaces easily accessible. The
command also understands how to locate a
busybox binary precompiled for the victim architecture and upload it
through the existing C2 channel. The new busybox installation will be installed in a temporary directory, and any
further automated tools within pwncat will use it’s implementation of common unix tools.
To install busybox on the remote victim, you can use the
--install option to the
busybox command. This will
first check for an existing, distribution specific, installation on the remote host. If the
busybox command exists,
it will utilize that vice installing a new copy. If it doesn’t, it will begin proxying a connection to the official
busybox servers to upload a busybox binary specific to the victim architecture.
After installation, pwncat will examine the endpoints provided by busybox, and remove any that are provided SUID by
the remote system. This prevents pwncat from replacing the real
su binary with
busybox su in it’s database.
(local) pwncat$ busybox --install uploading busybox for x86_64 100.0% [==================================================>] 1066640/1066640 eta [00:00] [+] uploaded busybox to /tmp/busyboxIu1gu [+] pruned 164 setuid entries (local) pwncat$
Status and Applet List¶
To check if busybox has been installed and is known by pwncat (for example from a previous session), you can use the
--status option. This is the default action, and can be accessed by passing no parameters to
(local) pwncat$ busybox [+] busybox is installed to: /tmp/busyboxIu1gu [+] busybox provides 232 applets (local) pwncat$
If you would like to see a list of binaries which busybox is currently providing for pwncat, you can use the
option. This is normally a large list (232 lines in this case), but it is provided for completeness sake.
(local) pwncat$ busybox --list [+] binaries which the remote busybox provides: * [ * [[ * acpid * add-shell * addgroup * adduser * adjtimex ... removed for brevity ...
Busybox is tracked by pwncat as a remote tamper. This means that the
tamper command will show that you have
installed busybox, and
busybox can be uninstalled using the
(local) pwncat$ tamper 0 - installed busybox to /tmp/busyboxIu1gu (local) pwncat$ tamper -r -t 0 (local) pwncat$ busybox --status [!] busybox hasn't been installed yet (local) pwncat$