pwncat_pwnkit

Introduction

The purpose of this module is to attempt to exploit CVE-2021-4034 (pwnkit) on a target when using pwncat.

There is no need to setup any directories, compile any source or even have gcc on the remote target; the pwnkit module takes care of this automatically using the pwncat framework.

Setup and Use

Simply copy pwnkit.py somewhere on your host where pwncat-cs is installed. ie: /home/user/pwncat_mods
In pwncat, simply type: load /home/user/pwncat_mods
To confirm the module loaded, type: search pwnkit. You should see something like this:

(local) pwncat$ search pwnkit
                                                      Results                                                      
                   ╷                                                                                               
  Name             │ Description                                                                                   
 ══════════════════╪══════════════════════════════════════════════════════════════════════════════════════════════ 
  pwnkit           │ Exploit CVE-2021-4034 to privesc to root

To execute, simply type run pwnkit. If it's successful, you should see the UID change to 0, and now be root. ie:

(local) pwncat$ run pwnkit
[00:12:15] 10.10.184.131:47148: ran pwnkit. UID : Before(1000) | After(0)                            manager.py:955
           Module pwnkit completed successfully                                                          run.py:100
(local) pwncat$                                                                                                    
(remote) [email protected]:/# id
uid=0(root) gid=0(root) groups=0(root),1000(tryhackme)

Tips

If you don't want to always call load, you can have pwncat automatically load this module on startup by placing it in ~/.local/share/pwncat/modules
To use the cross-compiler to build the exploit on your machine and upload it to the target, you need to set the cross variable in your pwncatrc file. This file is typically found at ~/.local/share/pwncat/pwncatrc`. ie:

# Set the gcc path
set cross "/usr/bin/gcc"

Thanks

A special shout out to Caleb Stewart for being helpful as I pushed through learning the pwncat framework from a dev perspective. I will get a pull request to put this in the main pwncat escalate module someday when I have free time... I promise. :-)

pwncat module that automatically exploits CVE-2021-4034 (pwnkit)

Related tags

Overview

pwncat_pwnkit

Introduction

Setup and Use

Tips

Thanks

Owner

Dana Epp

This is a simple Port Flooder written in Python 3.

A honey token manager and alert system for AWS.

OpenSource Poc && Vulnerable-Target Storage Box.

Python sandbox runners for executing code in isolation aka snekbox.

Encrypted Python Password Manager

RedlineSpam - Python tool to spam Redline Infostealer panels with legit looking data

Brute force attack tool for Azure AD Autologon/Seamless SSO

Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.

Time Discretization-Invariant Safe Action Repetition for Policy Gradient Methods

威胁情报播报

SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF).

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples

A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

Profil3r is an OSINT tool that allows you to find potential profiles of a person on social networks, as well as their email addresses 🕵️

Code to do NF in HDR,HEVC,HPL,MPL

Sentinel-1 SAR time series analysis for OSINT use

A simple password generator using Python Tkinter.

Log4j command generator: Generate commands for CVE-2021-44228

Just your basic port scanner - with multiprocessing capabilities & further nmap enumeration.