pwncat module that automatically exploits CVE-2021-4034 (pwnkit)

Related tags

Security related resourcespwncat_pwnkit
Overview

pwncat_pwnkit

asciicast

Introduction

The purpose of this module is to attempt to exploit CVE-2021-4034 (pwnkit) on a target when using pwncat.

There is no need to setup any directories, compile any source or even have gcc on the remote target; the pwnkit module takes care of this automatically using the pwncat framework.

Setup and Use

  • Simply copy pwnkit.py somewhere on your host where pwncat-cs is installed. ie: /home/user/pwncat_mods
  • In pwncat, simply type: load /home/user/pwncat_mods
  • To confirm the module loaded, type: search pwnkit. You should see something like this:
(local) pwncat$ search pwnkit
                                                      Results                                                      
                   ╷                                                                                               
  Name             │ Description                                                                                   
 ══════════════════╪══════════════════════════════════════════════════════════════════════════════════════════════ 
  pwnkit           │ Exploit CVE-2021-4034 to privesc to root
  • To execute, simply type run pwnkit. If it's successful, you should see the UID change to 0, and now be root. ie:
(local) pwncat$ run pwnkit
[00:12:15] 10.10.184.131:47148: ran pwnkit. UID : Before(1000) | After(0)                            manager.py:955
           Module pwnkit completed successfully                                                          run.py:100
(local) pwncat$                                                                                                    
(remote) [email protected]:/# id
uid=0(root) gid=0(root) groups=0(root),1000(tryhackme)

Tips

  • If you don't want to always call load, you can have pwncat automatically load this module on startup by placing it in ~/.local/share/pwncat/modules
  • To use the cross-compiler to build the exploit on your machine and upload it to the target, you need to set the cross variable in your pwncatrc file. This file is typically found at ~/.local/share/pwncat/pwncatrc`. ie:
# Set the gcc path
set cross "/usr/bin/gcc"

Thanks

A special shout out to Caleb Stewart for being helpful as I pushed through learning the pwncat framework from a dev perspective. I will get a pull request to put this in the main pwncat escalate module someday when I have free time... I promise. :-)

Owner
Dana Epp
Security (de)engineering for fun and profit.
Dana Epp
GitHub Repository
A secure way of storing your passwords.

StrongBox 🔐 A secure way of storing your passwords. 🔑 Why to use StrongBox? StrongBox makes it possible to have a random generated strong password i

Dylan Tintenfich 5 Dec 25, 2021
ThePhish: an automated phishing email analysis tool

ThePhish ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and base

675 Jan 03, 2023
Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples Above is an adversarial example: the slightly pert

Anish Athalye 838 Dec 18, 2022
LaxrFar Python Obfuscator

LaxrFar Python Obfuscator Usage First do the things from "Upload to Webserver" o

LaxrFar 5 Jul 19, 2022
APKLeaks - Scanning APK file for URIs, endpoints & secrets.

APKLeaks - Scanning APK file for URIs, endpoints & secrets.

dw1 3.5k Jan 09, 2023
Proof of Concept Exploit for vCenter CVE-2021-21972

CVE-2021-21972 Proof of Concept Exploit for vCenter CVE-2021-21972

Horizon 3 AI Inc 210 Dec 31, 2022
Orthrus is a macOS agent that uses Apple's MDM to backdoor a device using a malicious profile.

Orthrus is a macOS agent that uses Apple's MDM to backdoor a device using a malicious profile. It effectively runs its own MDM server and allows the operator to interface with it using Mythic.

Mythic Agents 37 Dec 06, 2022
Log4j vuln fuzz/scan with python

Log4jFuzz log4j vuln fuzz/scan USE // it's use localhost udp server to check target vuln. python3 log4jFuzz.py [option] optional arguments: -u URL,

VVzv 3 Dec 22, 2021
macOS persistence tool

PoisonApple Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cy

Cyborg Security, Inc 212 Dec 29, 2022
NoSecerets is a python script that is designed to crack hashes extremely fast. Faster even than Hashcat

NoSecerets NoSecerets is a python script that is designed to crack hashes extremely fast. Faster even than Hashcat How does it work? Instead of taking

DosentTrust GithubDatabase 9 Jul 04, 2022
Privilege escalation with polkit - CVE-2021-3560

Polkit-exploit - CVE-2021-3560 Privilege escalation with polkit - CVE-2021-3560 Summary CVE-2021-3560 is an authentication bypass on polkit, which all

Ahmad Almorabea 95 Dec 27, 2022
NFC Implant-base RSA Encrypted Messagging application

Encrypted messaging application with the use of MIFARE DESfire chip to store the private/public keys needed for the application authentication

4 Nov 06, 2021
Used to build an XSS platform on the command line.

pyXSSPlatform Used to build an XSS platform on the command line. Usage: 1.generate the cert file You can use openssl like this: openssl req -new -x509

70 Jun 21, 2022
Scanner for Intranet

cthun3是集成端口扫描,服务识别,netbios扫描,网站识别,暴力破解和漏洞扫描的工具. cthun(克苏恩)是魔兽世界电子游戏中一位上古之神 截图 cthun3结合viper使用时截图 使用方法 端口扫描 -ps-ip 端口扫描的ip地址范围,例如可以输入 -ps-ip 192.168.14

rootkit 18 Sep 03, 2022
Format SSSD Raw Kerberos Payloads into CCACHE files for use on Windows systems

KCMTicketFormatter This tools takes the output from https://github.com/fireeye/SSSDKCMExtractor and turns it into properly formatted CCACHE files for

Black Lantern Security 35 Oct 25, 2022
CVE-2021-22205 Unauthorized RCE

CVE-2021-22205 影响版本: Gitlab CE/EE 13.10.3 Gitlab CE/EE 13.9.6 Gitlab CE/EE 13.8.8 Usage python3 CVE-2021-22205.py target "curl \`whoami\`.dnslog

r0eXpeR 70 Nov 09, 2022
A simple Outline Server Access Key Copy and Paste Web Interface

Outline Keychain A simple Outline Server Access Key Copy and Paste Web Interface Developed for key and password export and copy & paste for other Shad

Zhe 1 Dec 28, 2021
A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

3 Sep 26, 2022
TLaunch: Launch Programs on Multiple Hosts

TLaunch: Launch Programs on Multiple Hosts Introduction Deepmind launchpad is a library that helps writing distributed program in a simple way. But cu

Tsinghua AI Research Team for Reinforcement Learning 11 Nov 11, 2022
Pgen is the best brute force password generator and it is improved from the cupp.py

pgen Pgen is the best brute force password generator and it is improved from the cupp.py The pgen tool is dedicated to Leonardo da Vinci -Time stays l

heyheykids 2 Jan 31, 2022