software.sudo.rule facts
- User dev: /usr/bin/sudo as ALL:ALL on ALL (NOPASSWD)
- User dev: /usr/bin/su as ALL:ALL on ALL (NOPASSWD)
- User dev: /usr/bin/bash as ALL:ALL on ALL (NOPASSWD)
(local) pwncat$ connect 127.0.0.1 8000 -m linux
[19:57:15] connection to 127.0.0.1:8000 established connect.py:63
localhost:8000: normalizing shell path manager.py:957
[19:57:16] localhost:8000: loaded known host from db manager.py:957
(local) pwncat$ escalate run --user root
[19:59:55] localhost:8000: error: no working escalation paths found for root manager.py:955
(remote) dev@archlinux:/home/user$ id
uid=1001(dev) gid=1001(dev) группы=1001(dev),0(root) контекст=user_u:user_r:user_t
(remote) dev@archlinux:/home/user$ sudo -l
Runas and Command-specific defaults for dev:
Defaults!/etc/ctdb/statd-callout !requiretty
User dev may run the following commands on archlinux:
(ALL : ALL) NOPASSWD: /usr/bin/sudo
(ALL : ALL) NOPASSWD: /usr/bin/su
(ALL : ALL) NOPASSWD: /usr/bin/bash
pwncat version
Provide the output of pwncat --version or a commit hash if working from
a development branch.
$ pwncat --version
0.5.4
Target System (aka "victim")
ArchLinux archlinux.org
Steps to Reproduce
Steps to reproduce the behavior:
1. spawn bind shell (ncat -e /bin/bash -lp 8000)
2. connect pwncat to bind shell (connect 127.0.0.1 8000 -m linux)
3. run enumerate.software.sudo.rules ### shows AVAILABLE rules for privilege escalation (dev:sudo su->root:bash)
4. escalate run --user root --recursive
error: no working escalation paths found for root manager.py:955
Bug Description
sudo privilege escalation not working
Expected Behavior
pwncat exec: /usr/bin/sudo /usr/bin/su root obtained
What's happening
Instead of quickly escalating privileges with sudo, it looks for ways through SUID files.
Screenshots