Tamper¶
pwncat
tracks modifications of the remote system through the tamper
module. Programmatically, pwncat
interfaces with the tamper subsystem through the pwncat.victim.tamper
object. This allows generic modifications
to be registered with a method to revert the change. Built-in capabilities like privesc
and persist
will
any modifications made to the remote system with the tamper module. This includes but is not limited to created users,
created files, modified files, and removed files.
Listing Tampers¶
To view a list of current remote modifications, use the tamper
command. The default action is to list all registered
tampers.
(local) pwncat$ tamper
0 - Created file /tmp/tmp.U2KlLIG5dW
1 - Modified /home/george/.ssh/authorized_keys
2 - Created file /tmp/tmp.tnJfd2BaCd
3 - Created file /tmp/tmp.PAXFRgfYzW
4 - Modified /home/george/.ssh/authorized_keys
5 - Created file /tmp/tmp.xi5Evy4ZPF
6 - Created file /tmp/tmp.05AwnolMNL
7 - Modified /home/george/.ssh/authorized_keys
8 - Created file /tmp/tmp.6LwcrXSdWE
9 - Persistence: passwd as system (local)
Reverting Tampers¶
Tampers can be reverted to their original state with the --revert/-r
flag of the tamper
command. In this mode,
can either specify --all/-a
or --tamper/-t ID
to revert all tampers or a specific tamper ID. In some cases, the
modifications were made as a different user and therefore cannot be removed currently. In this case, the tamper is left
in the list and can be reverted later once you have the required privileges:
(local) pwncat$ tamper -r -a
[\] reverting tamper: Modified /home/george/.ssh/authorized_keys
[?] Modified /home/george/.ssh/authorized_keys: revert failed: No such file or directory: '/home/george/.ssh/authorized_keys'
[/] reverting tamper: Created file /tmp/tmp.tnJfd2BaCd
[?] Created file /tmp/tmp.tnJfd2BaCd: revert failed: /tmp/tmp.tnJfd2BaCd: unable to remove file
[\] reverting tamper: Modified /home/george/.ssh/authorized_keys
[?] Modified /home/george/.ssh/authorized_keys: revert failed: No such file or directory: '/home/george/.ssh/authorized_keys'
[/] reverting tamper: Created file /tmp/tmp.xi5Evy4ZPF
[?] Created file /tmp/tmp.xi5Evy4ZPF: revert failed: /tmp/tmp.xi5Evy4ZPF: unable to remove file
[\] reverting tamper: Modified /home/george/.ssh/authorized_keys
[?] Modified /home/george/.ssh/authorized_keys: revert failed: No such file or directory: '/home/george/.ssh/authorized_keys'
[/] reverting tamper: Created file /tmp/tmp.6LwcrXSdWE
[?] Created file /tmp/tmp.6LwcrXSdWE: revert failed: /tmp/tmp.6LwcrXSdWE: unable to remove file
[-] reverting tamper: Persistence: passwd as system (local)
[?] Persistence: passwd as system (local): revert failed: Permission denied: '/etc/passwd'
[+] tampers reverted!
After utilizing our passwd
persistence to gain root access, we can successfully remove all tampers:
(local) pwncat$ privesc -e
[+] privilege escalation succeeded using:
⮡ persistence - passwd as system (local)
[+] pwncat is ready 🐈
(remote) root@pwncat-centos-testing:~#
[+] local terminal restored
(local) pwncat$ tamper -r -a
[+] tampers reverted!
(local) pwncat$ tamper
(local) pwncat$