pwncat
module "implant.pam" error
Bug Description
When I execute the module "implant.pam", it returns an error.
pwncat version
$ pwncat-cs --version
0.5.4
Target System (aka "victim")
The targets are the machine "admirertoo" on hackthebox and my own machine; on both I get the same error.
my machine specifications
$ uname -a
Linux kali2 5.8.0-kali2-amd64 #1 SMP Debian 5.8.10-1kali1 (2020-09-22) x86_64 GNU/Linux
Steps to Reproduce
Steps to reproduce the behavior:
- after getting a root shell, execute:
run implant.pam password=s3cr3ts
- Get the error:

Expected Behavior
The execution of the module without error.
Screenshots
These screenshots are a continuation of the error commented on in topic 2 of "steps to reproduce".

@Mitul16 your fix solves the above errors <3, I tested it and it really works now,
but now I get a different error: "module failed: failed to locate pam installation location".
The pwncat version and target systems are the same.
admirertoo machine(hackthebox):

my machine:

admirertoo
$ uname -a
Linux admirertoo 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
my machine:
$ uname -a
Linux kali2 5.8.0-kali2-amd64 #1 SMP Debian 5.8.10-1kali1 (2020-09-22) x86_64 GNU/Linux
I am unsure why you are getting that error. I did test the module and it worked fine; I had to install libpam0g-dev for the C headers.
The step at which the error is shown in your case is when pwncat runs find / -name pam_deny.so 2>/dev/null | grep -v 'snap/' and this fails.
I don't think there should be any issues in running this command, but could you run it on the target machine :man_shrugging:?
Also, try run implant.pam --traceback .... That should print the exception traceback, perhaps useful.
Yes, I installed the module libpam0g-dev,
and I also ran the command on the machine and it returns the file:

When I run it in pwncat with the --traceback parameter, it returns this:

Alright, man find says -
EXIT STATUS
find exits with status 0 if all files are processed successfully, greater than 0 if errors occur.
So, find / -name pam_deny.so 2>/dev/null | grep -v 'snap/' just gets a Permission denied or some other error and exits with a non-zero exit code. We could just remove check=True from the run(...) method for now.
But we are already running as root, so Permission denied shouldn't be an issue :sweat_smile:
I wonder if find buffers dirent data and in between that is updated, e.g. /proc/X/task/Y/fd/Z when using du -sh /*
I guess, Caleb will decide that part then. I don't think we can do any better now :smile:
I'm here again :v
I did some tests to try to understand what is happening after changing "check" to False (yes, changing it to False really works for the continuation of the execution).
When I change "check" to False, the value of the variable that sets the directory where the pam is put is changed to '.' (local), and the file pam_sucessed.so is put where we are on the victim machine.

Then I tried to understand why the "find" command is returning 0.
I discovered that for some reason it only finds the directory that contains "snap" (/snap/core18/2284/lib/x86_64-linux-gnu/security) - for this first output I removed the grep from the "find" command - but if I switch to the shell in pwncat and execute the same command, this time including the grep, I get the directory that I need.

I really do not understand what is happening that makes this not work; my only guess is that the run command is somehow running the commands in a way that doesn't return the expected output?
I really hope you guys can help me with this, this module is fantastic :)
Edit: I forgot to say that I downloaded a Debian ISO to set up another VM and test, because I thought that the problem was my Kali, but I had the same problem on Debian.
Sorry, I merged the PR, which auto-closed this issue. :eyes:
I'll see if I can get this replicated on my end. For the record, the exit code you would get from that shell command would be the exit code from grep, not find, but it should still be valid. I'm not sure why it's failing. It's even more odd that @sierghart's output shows a /snap/ entry when grep should have filtered that out. Very weird.
Sorry @calebstewart, I probably expressed myself in a way that left some things out.
The /snap shows because I removed the grep from the find command to see if it returns something; when I did this, the /snap was shown.
So, I understand that session.platform.run is running in a way that the find command doesn't return /usr/lib/x86_64-linux-gnu/security, only /snap/core18/2284/lib/x86_64-linux-gnu/security.
What I am going to say now is probably wrong, because I don't understand the functionality behind the code....
I guess that the problem is in how session.platform.run runs the find command, because, as I showed in the last comment, when I execute the module (which executes the find with session.platform.run) it only returns the /snap/ one; when I switch to the shell in pwncat and execute the find in the shell, /usr/lib/x86_64-linux-gnu/security is shown.
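Added example (not part of the thread and not pwncat's code): the exit-status behaviour discussed above, reproduced on a constructed directory tree. It shows that the status of find ... | grep -v 'snap/' is grep's, so it is 1 when every hit is under snap/ (which a check=True-style caller treats as failure) and 0 even when find itself reported an error. The function names and the tree layout are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample tree: at first only a snap copy of pam_deny.so exists.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/snap/core18/lib/security"
    : > "$root/snap/core18/lib/security/pam_deny.so"
    echo "$root"
}

# Add a non-snap copy, as on a host where the system PAM directory is visible.
add_system_copy() {
    mkdir -p "$1/usr/lib/security"
    : > "$1/usr/lib/security/pam_deny.so"
}

# Exit status of the thread's pipeline shape, run relative to a tree root.
# Extra arguments are additional start directories handed to find.
pipeline_status() {
    root=$1; shift
    status=0
    (cd "$root" && find . "$@" -name pam_deny.so 2>/dev/null \
        | grep -v 'snap/' >/dev/null) || status=$?
    echo "$status"
}

# Exit status of find alone, for comparison with the pipeline.
find_status() {
    root=$1; shift
    status=0
    (cd "$root" && find . "$@" -name pam_deny.so >/dev/null 2>&1) || status=$?
    echo "$status"
}

demo() {
    t=$(make_tree)
    echo "only snap copy:      pipeline=$(pipeline_status "$t")"
    add_system_copy "$t"
    echo "system copy present: pipeline=$(pipeline_status "$t")"
    # ./missing does not exist, so find reports an error for it.
    echo "find hits an error:  find=$(find_status "$t" ./missing)" \
         "pipeline=$(pipeline_status "$t" ./missing)"
    rm -rf "$t"
}
demo
```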