Dive Deep into pwncat - Download or Upload Files

pwncat is a command and control framework that turns a basic reverse or bind shell into a fully-featured exploitation platform.

Uploading Files

Transferring a file from the attacking host to the target machine is normally tedious: you host the file with a Python HTTP server and then fetch it on the target with a tool such as wget.

pwncat does all of this for you. It needs neither a Python HTTP server on your side nor wget on the target; the file is pushed over the existing shell connection with the upload command, giving the local file name and the remote destination.

In a CTF you regularly need to upload enumeration scripts such as winpeas or linpeas for privilege escalation, so pwncat saves a lot of time on file transfers.

Uploading File Example
In the attached screenshot, /etc/hosts on the host machine is uploaded to /tmp/hosts on the victim machine.

Downloading Files

Downloading files is just as easy in pwncat: you can pull a file from the victim machine to the host machine. This is useful when you want to edit a file on your host machine.

To edit a file for privilege escalation, the attacker downloads it, edits it and uploads it back. For example, you find a cron job that runs every minute and whose script is owned by root, but your current user has write access to it. You can download that file to your machine and edit it comfortably with pwncat.

Editing on a remote machine is usually tough. pwncat helps you download the file, re-upload the edited version and set up a listener, so that you receive a reverse shell the next time the cron job runs.

Downloading File Example
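The cron misconfiguration described above can be checked for from the defender's side as well. The following script is an added example written for this page, not pwncat's code: it parses crontab-style lines, takes the first absolute path in each command, and flags files that are group- or world-writable or not owned by the expected uid. The crontab text and the two scripts it points at are constructed in a temporary directory so the example runs offline; the expected-owner uid is passed in because the temporary files belong to whoever runs the script.

```python
"""Find cron jobs whose command file can be modified by a less privileged user.

Added example, not part of pwncat: it is the check a defender would run against
the misconfiguration described above (a root cron job executing a file that
another user can edit).
"""
import os
import stat
import tempfile


def parse_crontab_lines(text, system_crontab=True):
    """Return [(schedule, user, command)] from crontab text.

    system_crontab=True selects the /etc/crontab layout, which has a user field
    after the schedule; per-user crontabs (crontab -l) have no user field.
    Blank lines, comments and VAR=value assignments are skipped.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        n_sched = 1 if line.startswith("@") else 5      # @reboot/@daily vs. five fields
        n_fields = n_sched + (2 if system_crontab else 1)
        fields = line.split(None, n_fields - 1)         # last field keeps the whole command
        if len(fields) < n_fields:
            continue
        schedule = " ".join(fields[:n_sched])
        user = fields[n_sched] if system_crontab else None
        jobs.append((schedule, user, fields[-1]))
    return jobs


def first_path(command):
    """The first token of the command if it is an absolute path, else None."""
    token = command.split()[0]
    return token if token.startswith("/") else None


def writable_by_others(path, expected_uid=0):
    """True if the file is group/world-writable or not owned by expected_uid."""
    st = os.stat(path)
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) or st.st_uid != expected_uid


def find_weak_cron_jobs(crontab_text, system_crontab=True, expected_uid=0):
    """Return [(user, path)] for jobs whose command file a non-owner could edit."""
    findings = []
    for _schedule, user, command in parse_crontab_lines(crontab_text, system_crontab):
        path = first_path(command)
        if path is None or not os.path.isfile(path):
            continue                                    # relative command or missing file
        if writable_by_others(path, expected_uid):
            findings.append((user, path))
    return findings


def demo():
    """Constructed scenario: a system crontab pointing at one safe and one weak script."""
    root = tempfile.mkdtemp()
    safe = os.path.join(root, "rotate.sh")
    weak = os.path.join(root, "backup.sh")
    for path, mode in ((safe, 0o755), (weak, 0o777)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho job\n")
        os.chmod(path, mode)
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"* * * * * root {weak}\n"
        f"*/5 * * * * root {safe} >/dev/null 2>&1\n"
        f"@reboot root {root}/missing.sh\n"
    )
    # The temp files belong to whoever runs this, so that uid is the expected owner here.
    return find_weak_cron_jobs(crontab, expected_uid=os.getuid())


if __name__ == "__main__":
    for user, path in demo():
        print(f"cron job running as {user} executes writable file {path}")
```

On a real host you would feed it the contents of /etc/crontab and the files under /etc/cron.d with the default expected_uid of 0, and run per-user crontabs through it with system_crontab=False.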
pwncat is a good tool in a CTF-like environment, but make sure you do not use it in exams like the OSCP: automation capabilities such as escalating privileges to other users with a single command and automatic enumeration are marked as not allowed by Offensive Security. In CTFs, pwncat is a much better tool than netcat.
We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.


Dive Deep into pwncat - Privilege Escalation & Persistence


Persistence

Persistence Example
pwncat can maintain persistence on the target machine. If the connection is lost and we need to regain the shell, re-entering the SSH password each time is a burden, and in situations like a CTF it is a big loss of time.

What we can do is add our public key to authorized_keys on the server so that we can log in without typing the account password every time. pwncat automates this with the persist module, which adds our public key to the victim's authorized_keys so that no password is needed to log in again.

You can check the status of your persistence methods with the persist --status command. After the operation, or after getting the flag, the traces of our actions can be removed with persist --clean, which removes our key from the victim's authorized_keys.
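Because the persist module works by adding a public key to authorized_keys, that file is where a defender (or the operator running persist --clean) should look. The following is an added example, not pwncat's own code: it parses an authorized_keys file, copes with option prefixes such as no-pty,command="...", computes each key's fingerprint the way ssh-keygen -l prints it (SHA256 over the decoded key blob, base64 without padding), and reports every key that is not in an allowlist. The two keys are constructed, well-formed but not real, ssh-ed25519 blobs, and the comments and allowlist are assumptions made for the demo.

```python
"""Audit an authorized_keys file against an allowlist of key fingerprints.

Added example, not part of pwncat. The persistence technique described above
appends a public key to ~/.ssh/authorized_keys; this script finds keys in that
file that you did not expect.
"""
import base64
import hashlib
import struct

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def fingerprint(blob_b64):
    """SHA256 fingerprint in the format used by `ssh-keygen -l` (no base64 padding)."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line: line_no, options, type, fingerprint, comment.

    A line may start with options (e.g. no-pty,command="/bin/true"), so the key
    type is located by scanning tokens for the first known type rather than by
    position. Lines that cannot be parsed are returned with an "error" field so
    they are never silently dropped.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line_no": line_no, "error": "unparseable"})
            continue
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:                     # binascii.Error is a ValueError
            entries.append({"line_no": line_no, "error": "bad key data"})
            continue
        entries.append({
            "line_no": line_no,
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "fingerprint": fp,
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def unexpected_keys(text, allowed_fingerprints):
    """Entries whose fingerprint is not allowlisted, plus any unparseable lines."""
    return [e for e in parse_authorized_keys(text)
            if e.get("fingerprint") not in allowed_fingerprints]


def _fake_ed25519_blob(seed):
    """Constructed test data: a well-formed ssh-ed25519 wire blob that is not a real key."""
    pub = hashlib.sha256(seed).digest()        # 32 bytes standing in for the public point
    body = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(body).decode()


ADMIN_KEY = _fake_ed25519_blob(b"admin")      # constructed
ROGUE_KEY = _fake_ed25519_blob(b"rogue")      # constructed

# Constructed sample file: an expected admin key and one that was added later.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file
ssh-ed25519 {ADMIN_KEY} admin@workstation
no-pty,command="/usr/bin/uptime" ssh-ed25519 {ROGUE_KEY} unknown-host
"""

ALLOWLIST = {fingerprint(ADMIN_KEY)}           # assumption: only the admin key is expected


if __name__ == "__main__":
    for e in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {e['line_no']}: {e.get('error') or 'unexpected key'} "
              f"{e.get('fingerprint', '')} {e.get('comment', '')}")
```

Comparing fingerprints rather than whole lines means a key re-added with different options or a different comment is still recognised, and the allowlist can be built from the output of ssh-keygen -lf on the keys you actually issued.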

If you want to track all the operations performed on the remote machine, the tamper command in pwncat lets you review your activity.
Tamper Example
If you want to revert all the changes you made on the remote target, you can do so with a single command: tamper --revert --all
Revert all changes

Privilege Escalation

Privilege Escalation Methods
pwncat can list the available privilege escalation methods. In the figure, pwncat escalates privileges to the developer user without a password with the help of vim. pwncat can attempt automated privilege escalation, and a number of methods are implemented by default, such as:
• Set UID binaries
• Sudo (with and without password)
• Screen (CVE-2017-5618)
• DirtyCOW
Escalating user to sysadmin
pwncat can also automatically detect and fix a mismatched EUID and UID after an attempted privilege escalation. In the attached picture, we need to escalate to the sysadmin user.

The -u flag specifies the user and the -e flag requests escalation. Here we escalate our privileges to those of sysadmin with a single command: pwncat first elevated our normal user to developer using the vim misconfiguration and then to sysadmin using the setuid mismatch.

JSON File of GTFOBins
pwncat does this the same way a user would consult GTFOBins to find privesc methods: the pwncat developers maintain a JSON file with information about many different privesc methods.

Dive Deep into pwncat - Enumeration & Busy Box


Utilize your connection for enumeration of the target machine

The first thing we do after receiving a connection is to enumerate the target: users, groups and other information. The goal is to find a way to elevate to a more privileged user, which is usually tedious by hand. pwncat can do this automatically.

Enumeration in pwncat is done through the enumerate.* modules. Modules can be run individually, or you can use one of the automated enumeration groups. By default, enumeration modules run only once and their results are cached in the database. The enumerate.gather module collects enumeration facts from all other enumeration modules.

# Enumerate only SUID and File Capability enumeration types
(local) pwncat$ run enumerate.gather types=file.suid,file.caps

# Enumerate facts from all available modules
(local) pwncat$ run enumerate.gather

The enumerate.quick module collects a few useful types of enumeration data but is intended to finish quickly. Both enumerate.gather and enumerate.quick implement the output parameter, which writes the enumeration results to a markdown file instead of standard output.

# Output a markdown formatted report to results.md
(local) pwncat$ run enumerate.auto output=results.md

Example for SUDO
The image above shows how pwncat gathered facts about sudo: it found that vim could be run through sudo with NOPASSWD and used that to elevate privileges to root.
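The enumeration types shown above (file.suid, file.caps) and the Set UID entry in the privilege escalation list of the previous post are the artefacts most worth baselining on a host, since a new set-uid binary or a new file capability is exactly what those automated methods look for. The following is an added example, not part of pwncat: snapshot() walks a directory tree and records SUID, SGID and capability-bearing regular files, and diff_against_baseline() reports what appeared or disappeared relative to a stored snapshot. The demo() function builds a constructed scenario in a temporary directory; its file names and baseline are assumptions.

```python
"""Snapshot SUID/SGID binaries and file capabilities, then diff against a baseline.

Added example, not pwncat's code. Run snapshot("/") on a known-good host, store
the result, and compare later with diff_against_baseline() to spot new set-uid
binaries or newly granted file capabilities.
"""
import os
import stat
import tempfile


def has_file_capability(path):
    """True if the file carries a security.capability xattr (Linux only)."""
    getxattr = getattr(os, "getxattr", None)       # absent on non-Linux platforms
    if getxattr is None:
        return False
    try:
        getxattr(path, "security.capability", follow_symlinks=False)
        return True
    except OSError:                                 # ENODATA (no caps), ENOTSUP, EPERM ...
        return False


def snapshot(root):
    """Return {"suid": set, "sgid": set, "caps": set} of regular files under root."""
    result = {"suid": set(), "sgid": set(), "caps": set()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                            # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue                            # skip symlinks, sockets, devices
            if st.st_mode & stat.S_ISUID:
                result["suid"].add(path)
            if st.st_mode & stat.S_ISGID:
                result["sgid"].add(path)
            if has_file_capability(path):
                result["caps"].add(path)
    return result


def diff_against_baseline(current, baseline):
    """Return {kind: {"added": set, "removed": set}} for suid, sgid and caps."""
    return {
        kind: {
            "added": current.get(kind, set()) - baseline.get(kind, set()),
            "removed": baseline.get(kind, set()) - current.get(kind, set()),
        }
        for kind in ("suid", "sgid", "caps")
    }


def demo():
    """Constructed scenario in a temp dir: one baselined SUID file and one new one."""
    root = tempfile.mkdtemp()
    known = os.path.join(root, "bin_known")
    new = os.path.join(root, "bin_new")
    plain = os.path.join(root, "plain")
    for path in (known, new, plain):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(known, 0o4755)                         # set-uid, present in the baseline
    os.chmod(new, 0o4755)                           # set-uid, not in the baseline
    os.chmod(plain, 0o755)                          # ordinary executable
    baseline = {"suid": {known}, "sgid": set(), "caps": set()}   # assumed stored snapshot
    return diff_against_baseline(snapshot(root), baseline)


if __name__ == "__main__":
    for kind, change in demo().items():
        for path in sorted(change["added"]):
            print(f"NEW {kind}: {path}")
        for path in sorted(change["removed"]):
            print(f"GONE {kind}: {path}")
```

Persisting the snapshot as JSON (sorted lists) and re-running from a package-manager hook or a periodic job gives a cheap detection for the artefacts these enumeration modules surface.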

Busy Box

Install BusyBox
BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It lets you bring all the essential utilities onto the target machine when they are not available there.

BusyBox provides a fairly complete environment for any small or embedded system. It has been written with size optimization and limited resources in mind: in a file of a few hundred KB, you get a huge list of utilities on the system.

pwncat Basics



The basic modes of pwncat

• Terminal mode: behaves like the normal terminal we obtain from a reverse shell.
• pwncat CLI (command-line interface) mode: here we get all the additional features pwncat has to offer.
Ctrl + D switches between the two modes.

Establishing a bind shell

A bind shell is a type of shell in which the target machine opens a port (a listener) and waits for an incoming connection. As soon as a connection is established, it executes /bin/bash, which gives the attacker access to the victim machine.

Bind Shell Comparison

Establishing a reverse shell

A reverse shell is a shell session established on a connection that is initiated from the remote machine, not from the local host. Just as with netcat, we receive connections using -lp, which means listen on a port, but the shell we obtain has far more features than the ordinary shell netcat gives us.
Reverse Shell Comparison
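Both shell types described above leave the same trace on the victim: a shell process, or the process that spawned it, holding a TCP socket, listening in the bind-shell case and established in the reverse-shell case. The following detection example is added here and is not pwncat or netcat code: it parses ss -tnp style output and flags rows whose process list contains a shell. The sample output is constructed for the demo, and the set of shell names is an assumption you would tune per host.

```python
"""Flag TCP sockets owned by a shell process, from `ss -tnp` style output.

Added example, not part of pwncat. A bind shell shows up as a shell (or the
helper that exec'd it) on a LISTEN socket; a reverse shell as a shell on an
ESTAB socket. Interactive SSH logins do not match, because sshd owns the
socket and the user's shell only holds a pty.
"""
import re

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}            # assumption: tune per host
# One entry of the users:(("name",pid=N,fd=M),...) column printed by ss -p
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')


def parse_ss_line(line):
    """Parse one `ss -tnp` row; return None for the header or blank lines."""
    parts = line.split()
    if len(parts) < 5 or not (parts[1].isdigit() and parts[2].isdigit()):
        return None                                    # header ("Recv-Q") or malformed row
    procs = [(name, int(pid), int(fd)) for name, pid, fd in PROC_RE.findall(line)]
    return {"state": parts[0], "local": parts[3], "peer": parts[4], "procs": procs}


def suspicious_shell_sockets(ss_output):
    """Return findings for every socket that a shell process holds open."""
    findings = []
    for line in ss_output.splitlines():
        row = parse_ss_line(line)
        if row is None:
            continue
        shells = [p for p in row["procs"] if p[0] in SHELLS]
        if not shells:
            continue
        pattern = "bind-shell-like" if row["state"] == "LISTEN" else "reverse-shell-like"
        findings.append({"pattern": pattern, "state": row["state"],
                         "local": row["local"], "peer": row["peer"], "procs": shells})
    return findings


# Constructed sample in the layout of `ss -tnp`: a browser, a shell sharing a
# socket with nc (reverse shell pattern), sshd, and a shell listening on a port.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:51002      93.184.216.34:443  users:(("firefox",pid=900,fd=70))
ESTAB  0      0      10.0.0.5:44412      10.0.0.9:4444      users:(("bash",pid=1235,fd=0),("nc",pid=1234,fd=3))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=611,fd=3))
LISTEN 0      1      0.0.0.0:5555        0.0.0.0:*          users:(("bash",pid=2201,fd=3))
"""


if __name__ == "__main__":
    for f in suspicious_shell_sockets(SAMPLE_SS):
        names = ",".join(f"{n}[{pid}]" for n, pid, _fd in f["procs"])
        print(f"{f['pattern']}: {f['local']} <-> {f['peer']} held by {names}")
```

Feeding it live output (ss -tnp needs root to see other users' processes) turns it into a quick host check; the same parsing works on the output of ss -tnp run from a cron job with results diffed over time.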

All kinds of connections are possible via pwncat

Connection Example

Introduction to pwncat

pwncat is a command and control framework that turns a basic reverse or bind shell into a fully-featured exploitation platform. It is somewhat similar to netcat, and we can use it to receive a reverse shell from the victim's machine.

A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the localhost.


A bind shell is a type of shell in which the target machine opens up a communication port or a listener on the victim machine and waits for an incoming connection.


Netcat is a very good tool for receiving connections and enumerating further, but it has some drawbacks. Binding and stabilizing the shell in netcat works well, but the extra steps needed to get a usable reverse shell become repetitive after a while, and there is a high risk of losing the remote shell by accidentally pressing "C-c" before gaining raw access.


pwncat addresses this problem by running a script on the target machine as soon as the connection is established, which performs all of those steps for you. The result is a terminal with more features that is not easily broken. Beyond that script, which gives an unbreakable and fully functional shell, pwncat has a large number of other features.


Some of the important features of pwncat:

• Utilize your connection for enumeration of the target machine.
• File upload/download.
• Automatic persistence installation.
• Automated privilege escalation.

Installation

pwncat requires Python and pip.
cd pwncat
• It is recommended to use a virtual environment. This can be done easily with the Python 3 venv module:
python -m venv env
source env/bin/activate
python setup.py install
• If pip is not installed, you can install pwncat with the provided setup script:
python setup.py --user install
• To verify the installation, run pwncat --help.
pwncat is successfully installed