Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Empty /etc/passwd after auto escalation #173

Closed
WesVleuten opened this issue Aug 5, 2021 · 5 comments · May be fixed by #189
Closed

Empty /etc/passwd after auto escalation #173

WesVleuten opened this issue Aug 5, 2021 · 5 comments · May be fixed by #189
Labels
bug Something isn't working

Comments

@WesVleuten
Copy link
Contributor

Bug Description

Pwncat cleared the /etc/passwd file

pwncat version

$ pwncat --version
0.4.3

Target System (aka "victim")

Peak Hill

Steps to Reproduce

Using gASVLQAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjBJjaG1vZCArcyAvYmluL2Jhc2iUhZRSlC4= as payload for the privesc located at /opt/peak_hill_farm/peak_hill_farm we make the bash file a suid.

Then we run on local shell run enumerate.gather clear=True to clear our local cache to enable auto escalation.
Afterwards we run run enumerate.gather to try and get the suid file in pwncat's cache
Running escalate list gives the following:

- add user using file write as root via /bin/bash (SUID) from root (linux.enumerate.file.suid)      
- shell as root via /bin/bash (SUID) from root (linux.enumerate.file.suid)                          
- implant: Private key owned by dill at /home/dill/.ssh/id_rsa                                      - implant: Private key owned by root at /root/.ssh/id_rsa

This would suggest we are able to get a root shell. Thus we run escalate run resulting in an empty /etc/passwd

Expected Behavior

For it to give me root bash shell and not clear out the /etc/passwd file

I think adding a priority to a route to root would be helpful. I think it goes down the list in order, however getting a shell through bash would be much easier and less noisy than getting it through a new user via writing to /etc/passwd. Thus "shell as root via /bin/bash" should be higher priority than "add user using file write as root"

Screenshot

Don't have a screenshot but I did this live on twitch vod is here:
https://www.twitch.tv/videos/1109027911?t=03h33m34s
@WesVleuten WesVleuten added the bug Something isn't working label Aug 5, 2021
@WesVleuten
Copy link
Contributor Author

WesVleuten commented Aug 7, 2021
edited
Loading

Issue seems to be that LinuxWriter doesn't respect the payloads encoding type.

- add user using file write as root via /bin/bash (SUID) from root (linux.enumerate.file.suid)

This fails since it will try to send the plaintext file to the stdin of the command bash -p -c "/usr/bin/base64 -d > /etc/passwd which expects base64 encoded text. After the base64 command fails it spits out an error over stderr and stdout will be empty. Thus resulting in an empty /etc/passwd

@WesVleuten WesVleuten mentioned this issue Aug 7, 2021
Closed
5 tasks
@trevorbryant
Copy link
Collaborator

@WesVleuten thanks for the live-action pwncat debugging session. Those Twitch comments are 🔥 😂

The developers are out of the metaphorical office for the time being. It may be a few days for them to get back and be recharged to resolve this.

@WesVleuten
Copy link
Contributor Author

That's no problem! I already looked into it and created #176 which resolves this. So when they get back, they would only need to review the changes!

@calebstewart
Copy link
Owner

This is very unfortunate, and I'm sorry that this happened during a stream D: hahaha

Thanks for reporting, and hopefully we can get that fix or a similar fix sorted in the next couple days. As @trevorbryant mentioned, we've been at DEFCON the past week, but hopefully getting back into the swing of things soon.

@calebstewart calebstewart mentioned this issue Sep 4, 2021
Open
5 tasks
@calebstewart
Copy link
Owner

I've created a new branch to work on this. I'm working to remove all remnants of the base64 stream type. This will take some extra testing to make sure I don't break anything (although it /shouldn't/). I'm closing this pull request in the meantime, though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
3 participants
@calebstewart @trevorbryant @WesVleuten