Automated Privilege Escalation¶
pwncat has the ability to locate and exploit privilege escalation vulnerabilities. The vulnerabilities
are identified through enumeration, and can be exploited through the escalate command. Internally,
pwncat has two types of escalation objects. Firstly, there are abilities. These are actions
which we are able to perform with the permissions of a different user on the target. The second type
of objects are escalations. Escalations utilize one or more abilities to achieve a session as the
targeted user.
As an example, abilities could be things such as:
File Write
File Read
Binary execution
Escalations could be things such as:
Executing a shell (the simplest option)
Reading user private keys and ssh-ing to localhost
Writing private keys
Implanting a backdoor user in /etc/passwd (if file-write as root is available)
Invoking Privilege Escalation¶
There are two escalate subcommands. In order to locate direct escalation vectors, you can use the
list subcommand. This will use the enumeration framework to locate any escalations that may be
possible as the active user.
# List direct escalations for any user
(local) pwncat$ escalate list
# List direct escalations to the specified user
(local) pwncat$ escalate list -u root
Escalation can be triggered with the run subcommand. This command will first attempt to escalate
directly to the requested user. If no direct escalations are possible, it will try to recursively
escalate through other users based on the available direct escalations.
# Escalate to root
(local) pwncat$ escalate run
# Escalate to a specified user
(local) pwncat$ escalate run -u john