Automated Privilege Escalation¶
pwncat
has the ability to attempt automated privilege escalation methods. A number of methods are implemented by
default such as:
- Set UID Binaries
- Sudo (with and without password)
- screen (CVE-2017-5618)
- DirtyCOW
Each of these methods utilize the capabilities of the GTFOBins module. The GTFOBins module provides a programmatic
interface to gtfobins. Each privilege escalation module implements shell, file read or file write capabilities.
pwncat
will leverage these to get shell access as the specified user. pwncat
does this by trying the following
methods with the provided capabilities:
- Executing a shell (the simplest option)
- Reading user private keys and ssh-ing to localhost
- Writing private keys
- Implanting a backdoor user in /etc/passwd (if file-write as root is available)
If pwncat
does not find a method of gaining access as the specified user directly, it will attempt to escalate to
any other user it can recursively to attempt to find a path to the requested user.
Invoking Privilege Escalation¶
Privilege escalation is implemented utilizing pwncat
modules. These modules can be run individually
if desired or you can utilize the escalate.auto
module which will recursively search for a path
to a desired user.
The escalate.auto
module by default simply lists the escalation techniques which were found for the
current user. To actually escalate to a new user, you can use the exec
option. This option will
go through every possible user and attempt to escalate. It then keeps attempting escalation until it finds
a path to the requested user recursively.
Escalation modules also implement read
and write
modes which attempt to read or write a file
as the specified user. All three of read
, write
, and exec
are also supported by every
individual escalation module.
# Locate and list available techniques as the current user
(local) pwncat$ run escalate.auto
# Attempt automated escalation to the specified user
(local) pwncat$ run escalate.auto exec user=root shell=/bin/bash
# Attempt automated escalation to root with the current shell
(local) pwncat$ run escalate.auto exec
# Read /etc/shadow with the escalate.sudo module
(local) pwncat$ run escalate.sudo read user=root path=/etc/shadow
# Write a file as root
(local) pwncat$ run escalate.auto write user=root path=/tmp/test data="hello world!"