calebstewart / pwncat

Fancy reverse and bind shell handler
https://pwncat.readthedocs.io
MIT License

sudo no path #253

Open freedom1b2830 opened 2 years ago

freedom1b2830 commented 2 years ago

Bug Description

sudo privilege escalation is not working

software.sudo.rule facts
  - User dev: /usr/bin/sudo as ALL:ALL on ALL (NOPASSWD)
  - User dev: /usr/bin/su as ALL:ALL on ALL (NOPASSWD)
  - User dev: /usr/bin/bash as ALL:ALL on ALL (NOPASSWD)

(local) pwncat$ connect 127.0.0.1 8000 -m linux
[19:57:15] connection to 127.0.0.1:8000 established  connect.py:63
               localhost:8000: normalizing shell path  manager.py:957
[19:57:16] localhost:8000: loaded known host from db  manager.py:957

(local) pwncat$ escalate run --user root 
[19:59:55] localhost:8000: error: no working escalation paths found for root  manager.py:955

(remote) dev@archlinux:/home/user$ id
uid=1001(dev) gid=1001(dev) группы=1001(dev),0(root) контекст=user_u:user_r:user_t
(remote) dev@archlinux:/home/user$ sudo -l
Runas and Command-specific defaults for dev:
    Defaults!/etc/ctdb/statd-callout !requiretty

User dev may run the following commands on archlinux:
    (ALL : ALL) NOPASSWD: /usr/bin/sudo
    (ALL : ALL) NOPASSWD: /usr/bin/su
    (ALL : ALL) NOPASSWD: /usr/bin/bash

pwncat version

Provide the output of pwncat --version or a commit hash if working from a development branch.

$ pwncat --version
0.5.4

Target System (aka "victim")

ArchLinux archlinux.org

Steps to Reproduce

Steps to reproduce the behavior:

  1. spawn bind shell (ncat -e /bin/bash -lp 8000)
  2. connect pwncat to bind shell (connect 127.0.0.1 8000 -m linux)
  3. run enumerate.software.sudo.rules ### shows AVAILABLE rules for privilege escalation (dev:sudo su->root:bash)
  4. escalate run --user root --recursive
  5. error: no working escalation paths found for root manager.py:955

Expected Behavior

pwncat exec: /usr/bin/sudo /usr/bin/su root obtained

What's happening

Instead of quickly escalating privileges with sudo, it looks for ways through SUID files.


freedom1b2830 commented 2 years ago

installed by: python3 -m pip install pwncat-cs

With --recursive, the situation is the same.

freedom1b2830 commented 2 years ago

https://user-images.githubusercontent.com/102818470/170409038-ecabf59a-2f7d-43c7-a444-877c3f183138.mp4

r4vanan commented 6 months ago

Hmm, this bug is interesting.