Those of you who have been watching some of my recent videos and hanging out in the premieres might have noticed me mention pwncat. It's going through a little bit of revision, a little bit of an upgrade. We're wanting to switch it to more of a Metasploit-like module syntax for running certain things. I don't take any credit for that; that is all Caleb, the incredible genius and mastermind that pwncat really belongs to. It's his baby. This is a conversation between me and him. I thought I'd just call him up on Discord and see what he's been up to, the new changes and things that are happening in pwncat, and we can deep dive into the code, showcase some of the use cases and what's been going on, and hopefully some of the really cool stuff. So without further ado, let's roll the clip.

What's up?

Yeah, yeah. I went to the store and I was looking for just a common webcam. You'd expect to go there and find a bunch of random Logitech ones that I knew would be fine. Yeah, one time. But if it works, it works. Is my audio fine? Because the audio is going through that as well.

Yeah, you're a little echoey, but you know what, the internet doesn't care.

It's probably because I'm in a really, really big open space.

Cool. So what did you want to actually do?

I don't know. I mean, this isn't all ready, but I'm fine talking.

Yeah, no. The whole point was, if you're cool with it, to either showcase what you've been up to, or what you've been making, or what changes are in there.

Yeah, let me make sure this actually runs, because I had an error. I can actually run it. I'm changing a lot of things and I just want to make sure the stuff that I'm changing doesn't affect the other stuff I made before. But at the moment...

Have you been pushing into the modules branch over on GitHub?
Yes, that's what I push. The enumeration stuff is there. The persistence stuff I don't think I pushed yet, and I'm working on the escalate stuff; I just finished writing the basic structure of it, but I haven't converted any modules yet. I don't know if it's all actually working yet, but I mean, I can push what I have now, if you want, before we actually do this.

Sure, push, get finished.

I guess I can make sure that this actually... Sound may not be available when sharing a screen.

Yes, I can see your screen. What you had just there was pretty perfect, I think. Yeah, that's okay, that's good. If you're opening only one of those, can you bump that up at all?

Yeah, cool.

Yeah, it's got the gross Discord compression, but... a little bit. If you can do a smidge bigger. But yeah, yeah, that's good. Yeah, I mean, it's too late, you already look like a fucking madman. What I try not to do is switch to a random desktop where there's weird shit open. I know it too well.

Okay, all it's led to is the max shell and an empty Firefox. Incredible.

I'm already recording, so I'm going to have all this. I'm already going to have the good filler.

Yeah, I know you're recording. I don't know how you want to start this or whatever.

Absolutely casual and chill. What have you been working on? What would someone who had used pwncat before, and now has suddenly been told "well, shit, all the source code and everything has completely changed for how it runs"...

Yeah, so I guess to start off with, I am in the process of breaking everything. I'm not breaking everything, but I'm changing the way everything works.
So in the past there were three different main types of modules, or a lot of them were called methods, that you could implement: there were privilege escalation methods, there were persistence methods, and there were enumeration methods. Each of those was handled by its own, for lack of a better term, handler in Python that would dynamically load the modules from a certain directory, look for things implementing a specific class, and then use those modules, so you could access them through that. All that still exists; I haven't removed any of it. I'm working on a branch, just like before. However, I'm moving to something different. I would like to consolidate things into one coherent interface that is consistent. So as opposed to running or creating a module and having to worry about which directory it goes in and how you access it and how you interface with it... Or maybe you implement a privilege escalation module that is more complicated than these other options. That's hard to do with the way that it is. There's not really a way to pass arbitrary arguments to the specific modules. If they needed specific configuration values, they had to be set in the global configuration object, and that might mess up a different one. It was all shared. So it worked if you were assuming that everything could be automated with no user intervention, but the minute things got more complicated, it didn't completely work.

Merged yet? Yeah, because I mean, you had commands like privesc and enum, and those would have a hyphen option or whatever parameter, an argument you could pass through, but that was it, and that wouldn't trickle down to the sub-modules that it was actually using to do those things, right?
So there was no way to give it any other... I guess the old privilege escalation, if we look at setuid. Blow that up a little bit. So if we look at setuid, the only things that you receive... For example, the biggest part is the enumerate. Enumerate is what would actually go through and say, hey, what options do I have for this privilege escalation method? And the only parameters you really got were what capabilities, and those are things like read or write or a shell. So reading or writing a file as a different user, or getting a shell. Those are the only options that you really got. You weren't able to get any other information. The only other way that you could actually get configuration for a module was through the config object, which was available to everything, but it was a global object. So if you set a configuration value, whether that be in the configuration file or at the prompt in pwncat, that would apply to all modules, which can be bad depending on what you're doing. You might want one specific option with the same name set differently for two different modules, and there wasn't really a way to do that. You couldn't run an individual module by itself, because the actual privesc command that you were talking about a minute ago doesn't have an option to do that. You could exclude modules by name, but you couldn't actually run an individual one by itself. And the same kind of went for enumeration and things like that. You couldn't run one enumeration module very easily by itself, or maybe I added an option, I forget exactly, but it wasn't easy and it wasn't straightforward. So I went down a path, something I didn't want to do at the very beginning, and my apprehension with it shaped the way pwncat is now: I didn't really want to copy what
Metasploit did, with the whole use and run and then module. That being said, I sucked it up and I did that. So that's where I'm heading now: defining modules, instead of all in these separate directories, I don't know if that's easy or not, but in these separate directories, whether that be privesc or persist or enumerate, all with their own directory structure, consolidating that all into one module structure where running them is a uniform interface, whether it's privesc or persistence or escalation or enumeration. It's all consistent, and it makes for an easier interface. So that's what I'm working on right now. It kind of works, but, well, I shouldn't say kind of, it does work, but I have to finish out the escalation part of it, because while they are all inheriting from the same basic module structure, they do have different requirements. An escalate module is going to look different than an enumeration module. The way you create them is going to be different, but at their core you run them the same. So that's the big part of it. It does work right now for enumeration. So I mean, you can search for modules. If you search, you can see there's a few of them implemented here. My terminal is really small, but you can search for modules and it will give you a quick description of them. You can actually run info and say we want to know about enumerate.caps. So if we do that, we'll get a little help documentation for that specific module. Now normally when you do enumeration, we initially get our box... Yeah, but you don't want to just enumerate capabilities of files. Or maybe you do want to run that one, so that is possible now; you can run an individual module more easily. And so you can do things like run enumerate.caps, and it will run that, it will return the facts: hey, I found these facts.
Here's the capabilities of different files. But then on top of that, there is still a clean Python interface, so there are modules implemented to group those together. So maybe you want to gather facts from multiple different modules and you say, hey, I want the types; I want the types to be file.caps. That's going to do basically the exact same thing. You're going to gather file capability facts from all modules. Now the caveat there is that that's not specifically referencing the enumerate.caps module. That's referencing any module that can give you enumeration data of that type. So if there are multiple modules that might be able to find different things like that, which happens sometimes, or maybe one module might inadvertently come across some data, which sounds weird, but it's happened, and it just says, hey, I found this type as well, then it can find it throughout all of the modules. You can also specify one specific module here. I think it's modules. Let me check that... which is going to hang. Don't know why that happened. Like I said, I am still working on this. In any case, you can also specify individual modules to run, but that kind of defeats... That isn't necessarily super useful, because you can also just run it directly. Right now all I have is setuid and capabilities, and both of those work. You can also clear enumeration. So you can do it on an individual one: if you just specify clear, then that will clear the enumeration data, and when you run it again, it will have to actually go through and find it all again. But you can do that also with the gather. So you gather and you filter and you say, I want to clear out all types file.caps, and that's going to clear all of those. That way those will have to run again. So that is all working. Enumerate actually works pretty well at this point, with the exception of the exception. The exception of the exception that I'll look into once this video is over. But it is functioning pretty well.
You saw the actual individual help documentation, which I think is super useful and super cool. You can see exactly what arguments each one takes. You can see exactly how it works. And the things that we're working on today, slash last night, have been some persistence structure and escalate structure. Escalate is more complicated just because there's more moving pieces and more things that have to happen, and it uses enumerate and things like that. So that's not quite ready. Persistence seems to be working so far. So if I search for persist, I can see there's two different persistence modules, or two different modules underneath persistence. One is gather, which is similar to the enumerate gather. It's a lookup thing. In this case, gather is going to grab persistence modules that are installed. So if I run persist.gather right now, it'll show me: hey, I have a persistence password installed with these arguments. So with that, something that we talked about before was that persistence modules, or modules in general, in the past couldn't take in arbitrary arguments. With the new structure you can do that now. So a persistence module is the most common one that I can think of that needs those arbitrary, random, unknown arguments that might need to be passed to it. This whole thing came up because someone put a pull request in on GitHub for a crontab persistence module, which is a great, fantastic thing that we had talked about implementing, and I was working on other features and didn't think of it. It's not something incredibly complicated; we just hadn't done it. And so somebody did that. I was like, oh, it's fantastic, and I went through and looked at it. And shout out to him, I forget his username, to be honest with you. I'll pull it up. It's on GitHub. And he implemented that, and I was like, oh, this is fantastic. Happy about it, though:
He prompted for user input with input(), by God. That's not the end of the world, but the problem being that sometimes, in certain situations, pwncat tries to automatically run these persistence modules. One of those situations is if you don't have a gcc or python and you get an effective UID versus UID mismatch, is what it calls it. It tries to use a persistence module, install that, and then use that as a way to get full UID and EUID matching. But that would break, because it would call input and then the user would have to type something in, and that would break the flow of execution in pwncat. It wouldn't be right. So I looked at it, I was like, okay, well, now I really should implement some way to have arguments, and I realized that the architecture I built didn't really support that. That's how this all started. So this is a basic one to just add a new user, to add the password, but you can see that you can specify specific arguments. Those arguments can come from a few different places. The first place... So we can run persist.remove and that should remove it. So now if we run gather again: gone. The actual arguments can be specified in a few different ways. So if I go persist.password, I can just specify them here. I can actually say something like user=john. I think john actually already... Caleb, we'll just use my name. If I just say backdoor user equals caleb, that will actually work. And I guess I can show, if I go info persist.password, you can see all the different arguments that it's expecting and a description of what it's going to do. I'm going to install a backdoor user with a UID of zero and a password, and use our password. You can set all these different things, and most of them have defaults.
You need to specify the user, and then the other options have some defaults. So what I was going to say a second ago is I can actually run persist.password. I can say that I want to install the persistence, and I want to use a backdoor user, caleb. It should do that. Theoretically it says it's completed. If I run gather again, I see that the backdoor user is caleb, and if I actually went and cat /etc/passwd, I can see that, hey, I have a username caleb with UID zero. So that works. Something else: the actual escalation works as well. So now I run pwncat again, and I'm going to get a shell as bob instead of root this time. So now I'm bob. Because the password is there, I can run persist.gather and it already has a module installed. So if I run persist.gather... I just made all this in the last two days, so forgive me. So if I run persist.gather and then I tell it, hey, of all the persistence methods that you enumerated that are installed, try and escalate with them. So if I just do this, basically what's going to happen is that I am saying I want to find all installed persistence modules that give me access as the user root, and I want to use whichever one works and give me root. That's basically what that's saying. In this case, there's only one of them, so I'm just going to do that one, and it works, and now I'm... So that piece works. One of the things moving forward that I'm working on, I was actually working on it a little bit ago, was the actual escalation structure, which is going to look a little different. It's going to look like this, basically, in the end, from a prompt side, and it's also going to look a little different from a Python side. I don't remember what else was in our chat. I won't open that for now. I'll just go through the code.
But basically what I'm envisioning it to look like is that you'll be able to run something like run escalate, and running escalate by itself will just attempt to list all of the privilege escalation methods, or techniques, that we know about. That's what that would do. You could also run escalate.sudo, I don't know, and you would run that specific module and try to escalate, and to list out the techniques that it found.

Nice, so you'd be able to run each individual one by itself.

But there would also still be that auto function where it will try and recursively find a way to the user you're looking for. So that's the majority of what that would look like there. Again, you would still be able to pass the parameters like user and things like that. If you ran it by itself, you would get a list of the techniques that it was able to find, and if you ran it, you'd run it as exec and shell=/bin/bash or something like that. There would obviously be a default for shell, but this is what I'm envisioning the syntax to look like on the terminal. And obviously, like I said, you can run escalate by itself and that would do the auto escalate kind of like we had before, and you could do the same type of thing by itself; it would just list out the techniques that it found. And if you ran it with exec, it would run the shell that you found, or you could do read and say that the path is /etc/shadow. That means I want to read the file at this path as a different user, and we'll try and do that. So similar things that existed before, but with a little bit more of an interface, and hopefully easier to follow on the code side as well. I'm trying to think of what else I can show.
I mean, all right. You said you had made it better split, so I saw you using that run prefix all the time. Can you use a module, or...?

Yeah, I forgot about that. Thank you. So like I said before, we can run that. We can also do use persist.gather. I guess I got on a side track there. Originally, a long time ago in the video, I was talking about where parameters come from. You can do them at the end of a run command. You can set any variable's value at the end of a run command. They also come from two other places, one being the global configuration that we've always had, and the other being if you actually use a module. So let's say... Do we still have one of them installed? So remove that. So then if we go and we say use persist.password, now that changes our context. We're now in the context of that module. While you're in that context, you'll get the information about the current module, similar to how you'll get information about the arguments and things that you need to specify. In this context, if you run set user root, now that has set the current value of that variable. You can see it with set. As I'm saying this, I'm realizing I should probably add a column in that info output to show the current value that you set. In any case, that may be in the future, but if you type set by itself, you'll see all the current values, including global values. If it's not set in your module-specific settings, like we were just setting with set user root, it will look at the global. Again, similar to Metasploit, if you set -g, then you can set a global value that will persist across all the modules that you run.
That's the last resort place that it'll try and pull a value from. But ideally, either at the end of the run command or in your local setting, once you have set all your options, you can just type run, without any other parameters, and run that. And then just persist.gather, without remove, and we'll see it installed with the default options that you saw, with those global options of a backdoor user of pwncat backdoor, and shell equals current, which basically means whatever shell pwncat is running in, that's the shell. You can also set it to a file path. That's how it works. Like I said, persistence and enumeration, I think, are in a pretty good and solid spot. From a code side, I'm trying to think of what I could open that would actually be interesting and make any sense whatsoever. If I actually open, look at, I don't know, an enumerate module. If I open this, it's not going to make any sense. It looks all similar to what it used to. A little simpler, I think, though. So all the enumerate modules are going to inherit from this enumerate module base class. All they have to define is an enumerate method that is going to be a generator that yields a tuple of the type of fact that you're yielding and then the actual fact. Facts can be basically anything, but they should have a string method so that you can actually display them, so that whenever you, for example, just run it in the terminal and you get that output, it knows how to actually build that out for the terminal. So they just have a string method, but they can be anything.

And what is some other interesting...
I guess from a usage point of view, how you actually use this code. Because that was another goal of mine: even if I move to this, I still need it all to be easily accessible from Python. I need to be able to, from Python, run these modules and get the raw facts out without it trying to clobber the terminal and do weird things. These individual modules shouldn't be dependent on display and interface. They should just return results, and however you run them is what dictates how it gets displayed. So as an example, the gather module for enumerate can actually run through and say, hey, pwncat.modules.match, I'm going to look for any enumerate module that is of the base class of enumerate module. So that gets back a list, or in this case a set, because we're trying to dedupe them. It gets back a list of the modules themselves, the actual module objects. The module object has a method run, and so that's generally how you run any module. You can literally just call module.run with whatever keyword arguments it requires. So in the case of the enumerate modules, there's different options. But in the case of this, if you ran, for example, pwncat.modules.run, which is a method or a function, and then you gave it the module you wanted to run as a string, persist.gather, you could then put a comma and give it keyword arguments like module= or escalate= or remove=, and it would actually take those in and pass them on to the module properly. So when you actually receive them, you can see in this example here, you define this arguments dictionary that is basically mapping the name of the argument to an argument type that has a function or a callable that will convert a string into the type you want, and then it also has a default value and a help string. And then how you actually process that: pwncat will automatically interpret those values, convert them to the correct types, make sure that they actually convert to the correct
types properly, give you the default if need be, and that kind of thing. And then you just take them in as normal parameters to your run. So in this case we had output, modules, types, and clear, which have come directly from right here, and we know that output will be this file type that I created that is similar to the argparse file type thing, where it returns an open file. Or modules, we know that's going to be a list of strings. Or types is also going to be a list. Clear is going to be a boolean value. We know that those types are already checked and that's already correct in here. So that's kind of cool. What else did you want me to get into?

No, I mean, this is super duper cool. It looks super clean. It's funny, because I'm noticing the Emacs things that you have in there. Like, I don't know how it shortened that function to an f in the for each; those are like symbols.

Yeah, it shrinks stuff. I turned it on a long time ago and I'm still unsure whether I hate it or I like it, but I haven't turned it off, so, I mean, whatever. But yeah, so that was my biggest goal: to straddle the line between providing, I guess advanced, maybe, is the right word, I don't know, more complicated features to these modules, so that they could handle more complicated situations that they work in, for example accepting more arguments or other things like that, but not take away from the automation that pwncat had before. So I didn't want to make accessing this information any worse from Python. I wanted it to still work nicely, but I also wanted to make it more broad and more applicable to more situations. What I think is kind of cool, another thing I guess that I talked about with John before, is this run method. What actually happens is this run method in the actual modules themselves gets decorated automatically.
There's a metaclass, and it gets automatically decorated in Python, so that when you actually run that, there's a decorator that runs first, and it will do all the argument processing for you. But also, if this run method is a generator, so if it uses yield and generates values, this actual decorator, which I guess I could open quick... So this actual decorator is up here, and it might be kind of gross. Yeah. But this is the decorator: every single run method for every single module is decorated with this function. This whole block of grossness is just processing the arguments. So for the argument type, it's going to pass the value you send in to the argument type constructor to make sure that all the arguments are the correct type. It's going to raise exceptions if there's missing arguments and that kind of thing. But one of the really cool parts is it's going to run the actual real run, as we call it here, real run, passing it obviously the self and all the arguments that we just processed. The return value of that is going to be one of two things, right? In Python, if you have a generator, the return value when you actually run that function is a generator object. Now, that means if you get a generator back, that function we were running might be stuck in the middle of it, because you haven't iterated through the generator yet. So we actually check for that, because these modules could return anything. We have to check to see if it is or isn't, because some things might not actually need to be a generator. But if it is a generator, it says, okay, we have a generator. In that case, I'm going to create a progress bar using rich, like we do everywhere else in pwncat. We're going to create a progress bar and we're actually going to track the progress of the generator. That is really useful for things like enumeration, because that way the enumeration modules themselves don't have to say, oh goodness, this operation might take a
while, I need to create a progress bar and make it look nice, and make it not conflict with another progress bar that might already be running. I don't want to clobber the output on the terminal or anything like that. This handles all of that. So if you are running a module from within a module, you can pass in your own progress bar, and it will notice, hey, I already have one, I don't need to create another one. Or if it doesn't have one already, it will create a new progress bar and display it that way. This kind of recursive module calling happens in the case of these gather modules, or in the case of what I'm working on now, the escalate recursive escalation to try and find privilege escalation paths: modules called by other modules repeatedly. And what would happen if this didn't work the way it does is that you would end up with multiple progress bars trying to display, and rich progress bars really don't like that, because they think they have a lock on the terminal, and then you end up with the possibility of some kind of deadlock, and/or progress bar output just overlapping each other, which is really, really gross. So this is really cool. It's just kind of a built-in: hey, no matter what you're doing, you're going to get a progress bar. And when I say progress bar, I don't mean the thing that says zero percent, 10 percent, because there's no way for it to know how many items you're returning, but it will be a progress bar in the sense that it's a status output that updates itself as it runs. The actual status segment of it is taken from the string equivalent of whatever you yield. So if you yield a string, the status will just be that string, and if you yield some other object, it runs str on it. And so that's nice and useful. And then if it is a generator and you yield specifically the Status class that I defined, which is actually defined right here...
It's literally just a subclass of string. So it's just a string, but if you yield a Status object, it does not get added to the results that get returned from run, but it does update the progress bar. So that as you're running you might say, oh, well, I don't have anything to return yet, but this might take a while, so I need to update the progress bar. You can just yield the Status object and that doesn't clobber your results. It just updates the progress bar and allows you to keep going. So that just makes it really easy and simple for whatever module you're writing to get nice status and long output without actually having to do all of that, and without them clobbering each other. So I thought that was really cool. It's kind of a gross function between argument processing and this progress stuff, but it works and it's cool. It also, with the modules calling modules, you end up with a new task on the progress bar for each module that gets called, and then as they finish, they disappear. So it's kind of cool: if one module calls one module which calls another one, which calls another one, you end up with four actual tasks on there. You can see them all completing, and as one completes it disappears, and eventually the whole progress bar disappears and it's completed. So it's kind of cool to be able to see, hey, this is actually still working, it's not just hung. That kind of stuff comes naturally and as an added bonus.

What else? Do you have any modules that can do that? Like, can we see that progress in action, or is that best done with just a regular enumerate?

Enumerate does that. It's just rather quick. Yeah. Enumerate everything, and if I do... there's only two of them, so it's hard to see, but you can see there's two progress bars there, though. Or two progress lines.

Are those stacked?
Yeah, yeah. So they'll both be there. The top one is for the enumerate.gather itself, and that status output will just be the name of the sub-module that it's running. And the second one is the actual sub-module that's running, and the status will be the actual fact that it's finding. So you see both of them at the same time.

Okay, because it's not hard to see... That's really cool.

Yeah, so you get both of those. The markdown file producing stuff does still work.

Is there any way to see what has finished already, and not wait until the end for everything to finish? Or can you see partial output as to what it's finding?

It does not do that.

Okay. Would that be a pain? The different results kind of screaming by, but you don't get the actual whole thing, right?

Maybe. It would not work right this... Yeah, okay. I'm still making everything, so it's possible. It does not do that right now, though.

Yeah. And I see what we were getting at, having that intermediate would be useful. I mean, it certainly doesn't have to do it by default, but as an option I think that would be handy, because I think a lot of times the use case for doing enumeration, which is always the use case of using pwncat, is whenever you can and whenever it's easiest and wherever it's best. But the first thing you'll do is either run LinEnum or LinPEAS in a regular, bare reverse shell that you have, and it'd be nice to do that with pwncat. But you also still want to be able to make sure that it all happens and actually succeeds, because the hang-up when you run enumeration, if it just takes forever, is that you just have to sit and wait until, I guess, your shell comes back or you get any information that you can actually work with. Yeah, I guess, not to say that it's not useful. It's heavily useful. I don't look into it.
Um, but the counterpoint to that, I guess, is that even if you get results streamed back, it's, it's not going to make it so you can do what you think. You still have to wait until all that finishes, just because of the nature of it, it's running commands over a... there's only one C2 channel and you can't have multiple of them. Um, so there, yeah, there's no way for it to send another command or put that in the background.

Yeah, no, obviously, the same way, like if you're running linPEAS naturally you have to wait till the whole script finishes. Sure.

But yeah, uh, I mean, that does produce a markdown file, um, similar to what it was before, where you have these facts all listed out, similar to what you see here, but in markdown. Cool.

Can you showcase any of the, like, escalation code that you're, that you're putting together now, or kind of share your thought process on that? So now it's no longer going to be called privesc; we'll, like, syntactically refer to it as just escalate. Is that right?

Yeah, that's kind of like, well, I like, I personally think that sounds better. Yeah, um, and I, but then also it's kind of like a, a, uh, okay, I can't think of a word, but in any case it's like a, uh, a... My mind just went blank. It's not an important thing, so I didn't think it was a big deal to change it before. I was like, I don't really like, I don't know why, I just kind of... privesc wasn't as nice to me in my mind. Um, but I wasn't gonna go back and make all those changes, because that's silly. Um, but since I'm already doing this, that's kind of the direction I went. Um, so escalate, uh, I tried to, I don't know if simplify is the right word, um, but make the way that it actually finds an escalation, I'm trying to make it a little cleaner, uh, than it was before. It used to be, if you, if anyone's ever actually opened the code for privesc, it's kind of disgusting, if I'm being honest with myself.
Um, if you actually look at it, where are we actually looking here? Like, escalate single is the thing that actually takes a list of techniques. It tries to find a way to escalate using those, either read or write or shell techniques that you've enumerated. Um, so it tries to, does it do that for a single step, a single use, and it's just a super long function, and it's really disgusting to read, if I'm being honest with myself. It's, um, yeah, I just wasn't incredibly happy with it. I was happy with it that it worked, but it's just, it's gross. It's the only way I can put it. It's just gross. Um, so, uh, I, I was trying to figure out a way to kind of organize this a little better, trying to, try to make it less gross, easier to go through, easier to modify, easier. That was my goal. Um, with that, um, there's still the idea of these techniques. Um, there's still that each of these modules will give you back a technique. Those techniques, like I kind of mentioned a couple times, are either file read, file write, or they're able to execute some kind of shell. Um, so those are the three, like, primitives for, really, privilege escalation, right? Those are the three things that you might want to do. Um, and so each technique implements some or all of those capabilities. In the past, this technique class was just data, was just a data class. It just had a capability, the user, and some arbitrary data variable that the module could specify, and then the actual privesc finder, as it was called, would actually call the module again, passing the technique back to it, and go back. What I've done here is, instead of doing that, for a specific module, uh, you can define a technique, and then that technique has the read, write, and execute methods. Um, so instead of, like, keeping everything in one class, which is kind of bloated and gross, um, I tried to split some things up where I could. So technique is a fully encompassed thing that on its own you can call write, read, or execute.
Um, and it will write, read, or execute a binary or file with whatever data you gave. That's the direction I'd like to go. Uh, that doesn't really matter. The actual result of an individual, running an individual module, when you call, for example, he said run escalate.sudo, for example, it's gonna look for techniques involving sudo, right? It's gonna go and enumerate, use the enumerate module to figure out what sudo information we know: we're going to read at these sudoers, can run sudo teckels, we have a password to run. You're gonna find that kind of stuff. You're going to get those back, and then the sudo escalate module is going to build out techniques, and it's going to say, oh, I can run, I don't know, cat as this user, and I can run, um, I don't know, sed as this other user, and those are, those all create techniques that are either able to read or write files or execute a binary as another user. Um, those techniques that come back now, in the updated, what I'm, what I'm kind of moving toward, and this isn't all exactly working yet, I've been working on it today, those all get bundled up into one object called an escalate result. The escalate result is essentially wrapping a list of techniques. Um, in this case, it stores them as a dictionary that maps the target user for a technique to an actual list of techniques for that target user, just for an easier interface when we're actually trying to do the escalation. This escalate result is also compatible with the results type from the base module, so that if you just run a module by itself, you get this escalate result back, and the run command knows how to format that and display it in a pretty way. Um, so that's what all this category and title and description stuff is, just formatting so that the run command knows how to handle it. Then the actual methods that are interesting, um, are similar to the technique.
You have a write, a read, and an exec method. Each of those methods is going to look at, all you're going to pass it is, hey, I want to, for example, write a file in the context of this other user, and the file path is going to be this, and the data. It's going to look through the techniques that it knows and look for one that allows it to write to a file as that user. If it has one, literally a technique that has the write capability, it will just use that outright and return the same thing that whatever that technique returns. If it doesn't have a technique with the write capability, as a last resort we're trying to use delta exec, which is another method down here. What that does is it looks for anything that is allowed to run other shells, and it will try and use that to actually get a full shell as that other user. Once you have a full shell as that user, you can just do the same thing we have before: we just pwncat.victim.open, it's actually open a remote file, and then you're going to write the... That makes it kind of easy if we have shell access, but we don't have shell access... Right, so it'll, it'll do all of that with a list of techniques that we already... And the same thing with read, it'll go through them, find the one that works. Same thing with exec, it'll go through, find and see if we have any shell techniques that can run our shell for us, and do them. That's not incredibly complicated, but what's kind of cool is that you have this extend, which is just like extending an array, but it extends an escalate result with new techniques from a different... So what that means is that, which this is part of it that I haven't written yet, I have some kind of notes here, but what it might look like is that, hey, if we have this auto module that does kind of the same thing, now what it can actually do is it can create an empty escalate result, and then for all of the modules, like every single privilege escalation module, it can run that module and extend its escalate result with all the
results from all the others, and then all it should have to do is try and run without exit... And if it, if it works, then cool, we've just escalated to that, and because that escalate result now has all the techniques from all the modules, it can use them and mix and match them as it, as it needs to. Um, and theoretically be able to do that a little cleaner, a little easier to read, less messy, because I think the old one was very messy, in my personal opinion. It's not up to my own standards, but I did write it. That's what that looks like. Uh, I don't know what else.

That is super cool.

Else done yet for us... That is my vision of it. That's what I hope it looks like. This is the little bit of code that I've done so far. There's only like, with 300 lines that I've written so far for escalate. That's literally all that exists at the moment. Um, but, and that's including the giant comment. Uh, but that's my vision. I think it'll be cool. I think it'll be, uh, useful, because not only can you, uh, then run... Not only do you still get a cleaner and, then, and more uniform interface to the old automated privesc, like that still exists, obviously that will still exist. Um, but also you're able to run individual modules. Some of the problems we had before, I don't even know if I'd call it problems, because they were artifacts of the fact that we were testing or running these on, on machines that we knew had specific... For example, you open up like a TryHackMe machine or something, and the name is really obvious. What really you're looking for is, um, you know what you're looking for, you know if you want, you know it can be something like this. In that case, maybe you don't want to run the auto, because it's just going to take a little while. It has to do a lot of enumeration. It has no context for what this is going to be. That's a check every... Um, so with this you can actually run individual modules.
Oh well, I'm pretty sure this is going to be sudo, so let me just run escalate.sudo and see what happens. Um, and that might be very good for you, for your specific use. Um, so I think that'll be good. It also opens up the avenue of being able to specify more parameters, because these escalate modules have the same features as all the other modules, and you can specify arbitrary parameters. As we comment down there, down here that I kind of scrolled by, there are a bunch of arguments that by default any escalate module will take. For example, there's all these flags that are basically like, hey, do I want to write a file? Do I want to read one? What's the path? What's the shell I'm going to use? The user I'm looking for? All that kind of stuff. It's all default, all module. But you can, when you subclass and create your own escalate module, specify custom arguments. What, what would basically happen then is that that module wouldn't really be available for automatic escalation. It would still try: if you've set, for example, a global argument, or you pass one specifically to the auto, that matches that, it would do it. But if it doesn't have that argument, then the auto privilege escalation just won't try it, because it doesn't know what the value for that argument should be, and there's no way it could know. But that allows you to create more complicated escalation modules that need user input; you need to tell it.
Hey, here's where to look for this. I know because of context. So that's cool and useful for more complicated stuff down the road.

One of my, uh, like latest... or someone that's been viewing a couple of the other videos has been telling me he's been, uh, trying to put together a module for pwncat, so we can do like the, the sudo CVE, the vulnerability where you specify like a user ID of negative one, or like that high, like above the... Or he put it up on, on a GitHub, uh, I actually need to check to look at it. So shout out to you, wester, if you happen to be watching this video. But I tried to say like, hey, I know we're doing a couple things. Caleb's been kind of maneuvering and moving and rearranging some things.

Oh, I hope my doctors don't pull... I hope you... But he used all the stuff that, like, how it was supposed to be there and how I envisioned the use. It was really cool to see that. Like, oh, it's exactly how I meant someone to use it. It was really cool. Awesome. Um, uh, but I, I did feel kind of bad. We messed me up, like, oh dang, I'm in the middle of ripping everything apart. It's, it's, at the end of the day, uh, if anyone's worried, it's my fault that it's all changing, so it's my responsibility to, like, convert everything. So eventually, once I get all this stable and then also convert all of the modules and units, Katana, all the modules and methods over to the new, then I will merge this branch back in. But, uh, until then, it won't break.

So yeah, with that said, this is still very, very heavily a work in progress, like this has all been just something cool that we would like to... I think, I think it's cool that you could showcase and like, hey, kind of peel back the curtain, but it's not done yet. This isn't something that you can just git pull and go play with right now, unless you want to switch to that branch and maybe finagle. It is, it is there. You can go look at it.
Uh, it's under a branch called module on GitHub, uh, but it is in no way stable. And also the only escalate modules implemented, or sorry, the only enumerate modules implemented are file capabilities and setuid, and the only persistence module is, uh, fd password. So it's not incredibly useful at the moment, and no other part of pwncat is using it; nothing depends on it. Um, so it's, it's not incredibly useful at the moment, but the, the underlying skeleton and structure...

I'm hoping I can kind of jump into it soon enough if, if you made it like that beautiful, easy, incredibly extensible and simple, like, hey, just pull down one of the, uh, other, like, the enumeration modules, and then if I can refactor and recreate it for some of the other things, hopefully I can jump in and help out with that as well.

I would appreciate it, because converting things is the bane of my existence.

Well, it's funny. You, you're always so gridded, destroying everything to build it back up in a new, in a new framework and architecture. I let, I tried to help merge everything or migrate into that new setup between, between Katana and this. It's like notorious for just being like, oh wait, I changed my mind, let's change everything. John's in the background like, oh yep, more for me to convert, hopefully, or at least I want to help where I can.

But yeah, um, I'm excited. I think it'll be good. I think it is good so far, anyway.

Well, it's very, very cool to see the new things that you're cleaning and the new stuff that, I don't know, is still very... And I think even, even going to the Metasploit-like syntax and setup, maybe that's like less of a barrier of entry, or there's not as many weird, like we said, kind of different for every single command, earlier, to... arguments or parameters to, to pass it. So maybe this, I think this will be really cool.

I think I originally, I think I just didn't think very far ahead, or far enough ahead anyway, when I, when I... I think the last thing we implemented was escalate, privilege escalation, or sorry.
I think the last thing we implemented was enumeration, uh, modules, in the old framework. Yeah, last thing. Um, I remember starting to do that, and I was like, oh crap, all of these are completely... This is not, not good. And not that it's bad, like it worked and it was fine, but as far as like, if, if I wanted somebody else, which I do, I think it's really cool people do, to come in and like implement something like a module or something for it, like, okay well, which one are you implementing, and they're all different, and they all take arguments differently, or don't take arguments, stipulations on them all. Consolidating all that, I think...

Oh cool. Alrighty, thanks for, thanks for peeling back the curtain.

Yeah, no problem.

Uh, I've been chatting for like a good hour or so, but hopefully this will be cool for some folks. It's so, it's so funny. There are so many people that say like, yo, where's Caleb at? Like, are you guys going to do another Hack The Box stream sometime? That shit's hilarious. We moved away. I know. Yeah, the brotherhood's broken up. It's sad.

Cool, we do want to try to... Oh yeah, I mean if you, if you're up for it, I might... The internet would be crazy.

I'm down for whatever, man, as long as there's pizza involved.

Yeah, dude. The world got a whole lot better after pizza was invented.

That's true. I remember that day.

Sweet. All right, I'll let you go, but thanks for doing this. I appreciate you hanging out. I hope it was kind of still fun and cool and casual. So, yeah, goodbye internet. Goodbye. Okay.