calebstewart / pwncat

Fancy reverse and bind shell handler
https://pwncat.readthedocs.io
MIT License

module "implant.pam" error #245

Open sierghart opened 2 years ago

sierghart commented 2 years ago

Bug Description

When I execute the module "implant.pam" it returns an error.

pwncat version

$ pwncat-cs --version
0.5.4

Target System (aka "victim")

The targets are the machine "admirertoo" on HackTheBox and my own machine; on both I get the same error.

My machine specifications:

$ uname -a       
Linux kali2 5.8.0-kali2-amd64 #1 SMP Debian 5.8.10-1kali1 (2020-09-22) x86_64 GNU/Linux

Steps to Reproduce

Steps to reproduce the behavior:

  1. After getting a root shell, execute:
    run implant.pam password=s3cr3ts
  2. Get the error: (screenshot pwncat1)

Expected Behavior

The execution of the module without error.

Screenshots

These screenshots are a continuation of the error described in step 2 of "Steps to Reproduce": (screenshots pwncat2-3, pwncat3-3)

sierghart commented 2 years ago

@Mitul16 your fix solves the above errors <3, I tested it and it really works now.

But now I get a different error: "module failed: failed to locate pam installation location"

The pwncat version and target systems are the same.

admirertoo machine (HackTheBox): (screenshot pwncat4)

my machine: (screenshot pwncat5)

admirertoo

$ uname -a
Linux admirertoo 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux

my machine:

$ uname -a
Linux kali2 5.8.0-kali2-amd64 #1 SMP Debian 5.8.10-1kali1 (2020-09-22) x86_64 GNU/Linux

Mitul16 commented 2 years ago

I am unsure why you are getting that error. I did test the module and it worked fine; I had to install libpam0g-dev for the C headers. The step at which the error is shown in your case is when pwncat runs find / -name pam_deny.so 2>/dev/null | grep -v 'snap/' and this fails.

I don't think there should be any issues in running this command, but could you run it on the target machine :man_shrugging:? Also, try run implant.pam --traceback .... That should print the exception traceback, perhaps useful.

sierghart commented 2 years ago

Yes, I installed the libpam0g-dev package.

I also ran the command on the machine and it returns the file: (screenshot pwncat8)

When I run it in pwncat with the --traceback parameter it returns this: (screenshots pwncat6, pwncat7)

Mitul16 commented 2 years ago

Alright, man find says:

EXIT STATUS
    find  exits with status 0 if all files are processed successfully, greater than 0 if errors occur.

So, find / -name pam_deny.so 2>/dev/null | grep -v 'snap/' just gets a Permission denied or some other error and exits with a non-zero exit code. We could just remove check=True from the run(...) method for now.

But we are already running as root, so Permission denied shouldn't be an issue :sweat_smile: I wonder if find buffers dirent data and in between that is updated, e.g. /proc/X/task/Y/fd/Z when using du -sh /*

I guess, Caleb will decide that part then. I don't think we can do any better now :smile:

sierghart commented 2 years ago

I'm here again :v

I did some tests to try to understand what is happening after changing "check" to False (yes, changing it to False really lets the execution continue).

When I change "check" to False, the value of the variable that sets the directory where the pam module is put changes to '.' (local), and the file pam_sucessed.so is put wherever we are on the victim machine. (screenshot pwncat9)

Then I went to try to understand why the "find" command is returning 0.

I discovered that for some reason it only finds the directory that contains "snap" (/snap/core18/2284/lib/x86_64-linux-gnu/security); for this first output I removed the grep from the "find" command. But if I switch to the shell in pwncat and execute the same command, this time including the grep, I get the directory that I need. (screenshot pwncat10)

I really do not understand why this is not working; my only guess is that the run command is somehow running the commands in a way that doesn't return the expected output?

I really hope you guys can help me with this, this module is fantastic :)

Edit: I forgot to say that I downloaded a Debian ISO to set up another VM and test, because I thought the problem was my Kali, but I had the same problem on Debian.

calebstewart commented 2 years ago

Sorry, I merged the PR, which auto-closed this issue. :eyes:

I'll see if I can get this replicated on my end. For the record, the exit code you would get from that shell command would be the exit code from grep not find, but it should still be valid. I'm not sure why it's failing. It's even more odd that @sierghart 's output shows a /snap/ entry when grep should have filtered that out. Very weird.
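The exit-status point above, shown on a constructed directory tree instead of a scan of / (added example shell, not pwncat's own code; the `make_tree`, `pipeline_status` and `locate_pam_dir` names are assumptions for this illustration):

```shell
#!/bin/sh
# Added example (not pwncat's code): reproduce the exit-status behaviour that
# trips a check=True-style run, using a throwaway tree instead of scanning /.
set -u

# Build a constructed tree: one pam_deny.so under a snap path and one under
# the "real" security directory. Both paths are made up for this example.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/snap/core18/2284/lib/x86_64-linux-gnu/security"
    mkdir -p "$root/usr/lib/x86_64-linux-gnu/security"
    : > "$root/snap/core18/2284/lib/x86_64-linux-gnu/security/pam_deny.so"
    : > "$root/usr/lib/x86_64-linux-gnu/security/pam_deny.so"
    echo "$root"
}

# Same pipeline shape the module runs. The status is grep's, not find's:
# grep -v exits 1 when every line was filtered out, so a tree containing
# only the snap copy makes the pipeline "fail" even though find succeeded.
pipeline_status() {
    status=0
    find "$1" -name pam_deny.so 2>/dev/null | grep -v 'snap/' >/dev/null || status=$?
    echo "$status"
}

# More robust variant: inspect the filtered output itself and report
# explicitly whether a non-snap pam directory was found, rather than
# relying on the pipeline's exit status (which falls back to '.' upstream).
locate_pam_dir() {
    hit=$(find "$1" -name pam_deny.so 2>/dev/null | grep -v 'snap/' | head -n 1)
    if [ -z "$hit" ]; then
        echo "failed to locate pam installation location" >&2
        return 1
    fi
    dirname "$hit"
}
```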

sierghart commented 2 years ago

Sorry @calebstewart, I probably expressed myself in a way that left some things out.

The /snap shows because I removed the grep from the find command to see if it returns anything; when I did this, the /snap path was shown.

So I understand that session.platform.run is running in a way that the find command doesn't return /usr/lib/x86_64-linux-gnu/security, only /snap/core18/2284/lib/x86_64-linux-gnu/security.

What I'm going to say now is probably wrong, because I don't understand the functionality behind the code....

I guess the problem is in how session.platform.run runs the find command, because as I showed in my last comment, when I execute the module (which executes find with session.platform.run) it only returns /snap/, but when I switch to the shell in pwncat and execute find in the shell, /usr/lib/x86_64-linux-gnu/security is shown.