pwncat_pwnkit

Introduction

The purpose of this module is to attempt to exploit CVE-2021-4034 (pwnkit) on a target when using pwncat.

There is no need to setup any directories, compile any source or even have gcc on the remote target; the pwnkit module takes care of this automatically using the pwncat framework.

Setup and Use

Simply copy pwnkit.py somewhere on your host where pwncat-cs is installed. ie: /home/user/pwncat_mods
In pwncat, simply type: load /home/user/pwncat_mods
To confirm the module loaded, type: search pwnkit. You should see something like this:

(local) pwncat$ search pwnkit
                                                      Results                                                      
                   ╷                                                                                               
  Name             │ Description                                                                                   
 ══════════════════╪══════════════════════════════════════════════════════════════════════════════════════════════ 
  pwnkit           │ Exploit CVE-2021-4034 to privesc to root

To execute, simply type run pwnkit. If it's successful, you should see the UID change to 0, and now be root. ie:

(local) pwncat$ run pwnkit
[00:12:15] 10.10.184.131:47148: ran pwnkit. UID : Before(1000) | After(0)                            manager.py:955
           Module pwnkit completed successfully                                                          run.py:100
(local) pwncat$                                                                                                    
(remote) [email protected]:/# id
uid=0(root) gid=0(root) groups=0(root),1000(tryhackme)

Tips

If you don't want to always call load, you can have pwncat automatically load this module on startup by placing it in ~/.local/share/pwncat/modules
To use the cross-compiler to build the exploit on your machine and upload it to the target, you need to set the cross variable in your pwncatrc file. This file is typically found at ~/.local/share/pwncat/pwncatrc`. ie:

# Set the gcc path
set cross "/usr/bin/gcc"

Thanks

A special shout out to Caleb Stewart for being helpful as I pushed through learning the pwncat framework from a dev perspective. I will get a pull request to put this in the main pwncat escalate module someday when I have free time... I promise. :-)

pwncat module that automatically exploits CVE-2021-4034 (pwnkit)

Related tags

Overview

pwncat_pwnkit

Introduction

Setup and Use

Tips

Thanks

Owner

Dana Epp

#whois it? Let's find out!

Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

TCP/UDP port scanner on python, usong scapy and multiprocessin

Exploiting CVE-2021-42278 and CVE-2021-42287

Web Headers Security Scanner

(D)arth (S)ide of the (L)og4j (F)orce, the ultimate log4j vulnerabilities assessor

Python tool for dumping flash via uboot reliably

PoC of proxylogon chain SSRF(CVE-2021-26855) to write file by testanull, censored by github

This is a simple Port Flooder written in Python 3.

Hashpic - Hashpic creates an image from a MD5 or SHA512 hash

CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE

Pass2Pwn: a simple python3 tool created to assist penetration testers generate possible passwords for a targeted system based solely on the organization's name

APKLeaks - Scanning APK file for URIs, endpoints & secrets.

On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.

Log4j rce test environment and poc

windows电脑查看全部连接过的WiFi密码

CloudFlare reconnaissance, tries to uncover the IP behind CF.

Kriecher is a simple Web Scanner which will run it's own checks for the OWASP

A proxy server application written in python for trial purposes

Threat Intel Platform for T-POTs