Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sudo no path #253

Open
freedom1b2830 opened this issue May 24, 2022 · 3 comments
Open

sudo no path #253

freedom1b2830 opened this issue May 24, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@freedom1b2830
Copy link

freedom1b2830 commented May 24, 2022
edited
Loading

Bug Description

sudo privilege escalation not working

software.sudo.rule facts
  - User dev: /usr/bin/sudo as ALL:ALL on ALL (NOPASSWD)
  - User dev: /usr/bin/su as ALL:ALL on ALL (NOPASSWD)
  - User dev: /usr/bin/bash as ALL:ALL on ALL (NOPASSWD)

(local) pwncat$ connect 127.0.0.1 8000 -m linux
[19:57:15] connection to 127.0.0.1:8000 established                                                                                                        connect.py:63
               localhost:8000: normalizing shell path                                                                                                         manager.py:957
[19:57:16] localhost:8000: loaded known host from db                                                                                                      manager.py:957

(local) pwncat$ escalate run --user root 
[19:59:55] localhost:8000: error: no working escalation paths found for root  manager.py:955

(remote) dev@archlinux:/home/user$ id
uid=1001(dev) gid=1001(dev) группы=1001(dev),0(root) контекст=user_u:user_r:user_t
(remote) dev@archlinux:/home/user$ sudo -l
Runas and Command-specific defaults for dev:
    Defaults!/etc/ctdb/statd-callout !requiretty

User dev may run the following commands on archlinux:
    (ALL : ALL) NOPASSWD: /usr/bin/sudo
    (ALL : ALL) NOPASSWD: /usr/bin/su
    (ALL : ALL) NOPASSWD: /usr/bin/bash

pwncat version

Provide the output of pwncat --version or a commit hash if working from
a development branch.

$ pwncat --version
0.5.4

Target System (aka "victim")

ArchLinux archlinux.org

Steps to Reproduce

Steps to reproduce the behavior:

  1. spawn bind shell (ncat -e /bin/bash -lp 8000)
  2. connect pwncat to bind shell (connect 127.0.0.1 8000 -m linux)
  3. run enumerate.software.sudo.rules ### shows AVAILABLE rules for privilege escalation (dev:sudo su->root:bash)
  4. escalate run --user root --recursive
  5. error: no working escalation paths found for root manager.py:955

Expected Behavior

pwncat exec: /usr/bin/sudo /usr/bin/su
root obtained

#what's happening
instead of quickly escalating privileges with sudo, he looks for ways through suid files

Screenshots

ROOOT
ROOOT_2
@freedom1b2830 freedom1b2830 added the bug Something isn't working label May 24, 2022
@freedom1b2830
Copy link
Author

freedom1b2830 commented May 24, 2022
edited
Loading

installed by:
python3 -m pip install pwncat-cs

with --recursive the same situation

@freedom1b2830
Copy link
Author

freedom1b2830 commented May 24, 2022
edited
Loading

root-2022-05-24_21.16.31.mp4

@r4vanan
Copy link

r4vanan commented Feb 17, 2024

hmm this bug intresting

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@r4vanan @freedom1b2830