def enumerate(self, capability: int = Capability.ALL) -> List[Technique]:
""" Find all techniques known at this time """
# If we have ran this before, don't bother running it
if self.ran_before or not (Capability.SHELL & capability):
return []
# Carve out the version of screen
version_output = self.pty.run("screen -v").decode("utf-8").strip()
match = re.search(r"(\d+\.\d+\.\d+)", version_output)
if not match:
raise PrivescError("could not gather screen version")
# Knowing the version of screen, check if it is vulnerable...
version_triplet = [int(x) for x in match.group().split(".")]
if version_triplet[0] > 4:
raise PrivescError("screen seemingly not vulnerable")
if version_triplet[0] == 4 and version_triplet[1] > 5:
raise PrivescError("screen seemingly not vulnerable")
if (version_triplet[0] == 4 and version_triplet[1] == 5
and version_triplet[2] >= 1):
raise PrivescError("screen seemingly not vulnerable")
# If screen is vulnerable, try the technique!
techniques = [Technique("root", self, None, Capability.SHELL)]
return techniques
def enumerate(self, capability: int = Capability.ALL) -> List[Technique]:
""" Find all techniques known at this time """
# Update the cache for the current user
self.find_suid()
known_techniques = []
for user, paths in self.suid_paths.items():
for path in paths:
binary = gtfobins.Binary.find(self.pty.which, path=path)
if binary is not None:
if (capability & binary.capabilities) == 0:
continue
known_techniques.append(
Technique(user, self, binary, binary.capabilities))
return known_techniques
def enumerate(self, caps: Capability = Capability.ALL) -> List[Technique]:
""" Find all techniques known at this time """
# Update the cache for the current user
self.find_suid()
known_techniques = []
for user, paths in self.suid_paths.items():
for path in paths:
try:
binary = self.pty.gtfo.find_binary(path, caps)
except BinaryNotFound:
continue
for method in binary.iter_methods(path, caps, Stream.ANY):
known_techniques.append(Technique(user, self, method, method.cap))
return known_techniques
def enumerate(self, caps: Capability = Capability.ALL) -> List[Technique]:
""" Find all techniques known at this time """
# Update the cache for the current user
self.find_suid()
known_techniques = []
for suid in pwncat.victim.host.suid:
try:
binary = pwncat.victim.gtfo.find_binary(suid.path, caps)
except BinaryNotFound:
continue
for method in binary.iter_methods(suid.path, caps, Stream.ANY):
known_techniques.append(
Technique(suid.owner.name, self, method, method.cap)
)
return known_techniques
def enumerate(self, capability: int = Capability.ALL) -> List[Technique]:
""" Find all techniques known at this time """
if self.ran_before or (Capability.SHELL & capability):
return []
# Determine if this kernel version is vulnerable
kernel = self.pty.run("uname -r").decode("utf-8").strip()
triplet = [int(x) for x in kernel.split(".")]
if triplet[0] > 4:
raise PrivescError("kernel seemingly not vulnerable")
if triplet[0] == 4 and triplet[1] == 7 and triplet[2] >= 9:
raise PrivescError("kernel seemingly not vulnerable")
if triplet[0] == 4 and triplet[1] == 8 and triplet[2] >= 3:
raise PrivescError("kernel seemingly not vulnerable")
if triplet[0] == 4 and triplet[1] == 4 and triplet[2] >= 26:
raise PrivescError("kernel seemingly not vulnerable")
techniques = [Technique("root", self, None, Capability.SHELL)]
def enumerate(self, capability: int = Capability.ALL) -> List[Technique]:
""" Find all techniques known at this time """
sudo_rules = self.find_sudo()
current_user = self.pty.current_user
if not sudo_rules:
return []
sudo_no_password = []
sudo_all_users = []
sudo_other_commands = []
for rule in sudo_rules:
for commands in rule["commands"]:
if commands["tags"] is None:
command_split = commands["command"].split()
run_as_user = command_split[0]
tag = ""
command = " ".join(command_split[1:])
if type(commands["tags"]) is list:
tags_split = " ".join(commands["tags"]).split()
if len(tags_split) == 1:
command_split = commands["command"].split()
run_as_user = command_split[0]
tag = " ".join(tags_split)
command = " ".join(command_split[1:])
else:
run_as_user = tags_split[0]
tag = " ".join(tags_split[1:])
command = commands["command"]
if "NOPASSWD" in tag:
sudo_no_password.append(
{
"run_as_user": run_as_user,
"command": command,
"password": False,
}
)
if "ALL" in run_as_user:
sudo_all_users.append(
{"run_as_user": "******", "command": command, "password": True}
)
else:
sudo_other_commands.append(
{
"run_as_user": run_as_user,
"command": command,
"password": True,
}
)
current_user = self.pty.current_user
techniques = []
for sudo_privesc in [*sudo_no_password, *sudo_all_users, *sudo_other_commands]:
if current_user["password"] is None and sudo_privesc["password"]:
continue
try:
# Locate a GTFObins binary which satisfies the given sudo spec.
# The PtyHandler.which method is used to verify the presence of
# different GTFObins on the remote system when an "ALL" spec is
# found.
binaries = gtfobins.Binary.find_sudo(
sudo_privesc["command"], self.pty.which, capability
)
except gtfobins.SudoNotPossible:
# No GTFObins possible with this sudo spec
continue
for binary in binaries:
command = sudo_privesc["command"]
if command == "ALL":
command = binary.path
if sudo_privesc["run_as_user"] == "ALL":
# add a technique for root
techniques.append(
Technique(
"root",
self,
(binary, command, sudo_privesc["password"]),
binary.capabilities,
)
)
else:
users = sudo_privesc["run_as_user"].split(",")
for u in users:
techniques.append(
Technique(
u,
self,
(binary, command, sudo_privesc["password"],),
binary.capabilities,
)
)
return techniques
def enumerate(self, capability: int = Capability.ALL) -> List[Technique]:
""" Find all techniques known at this time """
sudo_rules = self.find_sudo()
if not sudo_rules:
return []
sudo_no_password = []
sudo_all_users = []
sudo_other_commands = []
for rule in sudo_rules:
for commands in rule["commands"]:
if commands["tags"] is None:
command_split = commands["command"].split()
run_as_user = command_split[0]
tag = ""
command = " ".join(command_split[1:])
if type(commands["tags"]) is list:
tags_split = " ".join(commands["tags"]).split()
if len(tags_split) == 1:
command_split = commands["command"].split()
run_as_user = command_split[0]
tag = " ".join(tags_split)
command = " ".join(command_split[1:])
else:
run_as_user = tags_split[0]
tag = " ".join(tags_split[1:])
command = commands["command"]
if "NOPASSWD" in tag:
sudo_no_password.append({
"run_as_user": run_as_user,
"command": command,
"password": False,
})
if "ALL" in run_as_user:
sudo_all_users.append({
"run_as_user": "******",
"command": command,
"password": True
})
else:
sudo_other_commands.append({
"run_as_user": run_as_user,
"command": command,
"password": True,
})
current_user = self.pty.current_user
techniques = []
for sudo_privesc in [
*sudo_no_password, *sudo_all_users, *sudo_other_commands
]:
if current_user.password is None and sudo_privesc["password"]:
continue
# Split the users on a comma
users = sudo_privesc["run_as_user"].split(",")
# We don't need to go anywhere else...
if "ALL" in users:
users = ["root"]
for method in self.pty.gtfo.iter_sudo(sudo_privesc["command"],
caps=capability):
for user in users:
techniques.append(
Technique(
user,
self,
(method, sudo_privesc["command"],
sudo_privesc["password"]),
method.cap,
))
self.pty.flush_output()
return techniques