Empty /etc/passwd after auto escalation
Bug Description
Pwncat cleared the /etc/passwd file
pwncat version
$ pwncat --version
0.4.3
Target System (aka “victim”)
Peak Hill
Steps to Reproduce
Using gASVLQAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjBJjaG1vZCArcyAvYmluL2Jhc2iUhZRSlC4= as the payload for the privesc located at /opt/peak_hill_farm/peak_hill_farm, we make the bash binary SUID.
Then, on the local shell, we run "run enumerate.gather clear=True" to clear our local cache to enable auto escalation.
Afterwards we run "run enumerate.gather" to try and get the SUID file into pwncat's cache.
Running "escalate list" gives the following:
- add user using file write as root via /bin/bash (SUID) from root (linux.enumerate.file.suid)
- shell as root via /bin/bash (SUID) from root (linux.enumerate.file.suid)
- implant: Private key owned by dill at /home/dill/.ssh/id_rsa
- implant: Private key owned by root at /root/.ssh/id_rsa
This would suggest we are able to get a root shell. Thus we run "escalate run", resulting in an empty /etc/passwd.
Expected Behavior
For it to give me a root bash shell and not clear out the /etc/passwd file.
I think adding a priority to a route to root would be helpful. I think it goes down the list in order; however, getting a shell through bash would be much easier and less noisy than getting it through a new user via writing to /etc/passwd. Thus "shell as root via /bin/bash" should be higher priority than "add user using file write as root".
Screenshot
Don't have a screenshot, but I did this live on Twitch; the VOD is here: https://www.twitch.tv/videos/1109027911?t=03h33m34s
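The failure mode reported above (an /etc/passwd that ends up empty after an automated file-write escalation) is easy to catch with a simple integrity check of the file's contents. The following is an added example written for this page, not code from pwncat or from the issue author; it validates an /etc/passwd image, flags an empty file, malformed lines and unexpected UID-0 accounts, and diffs two images so that an "add user via file write" style change shows up as a named account. The sample images and the "backdoor" account are constructed, and the user-name pattern is an assumption about conventional names rather than a rule every distribution enforces.

```python
"""Sanity-check the contents of an /etc/passwd image.

Added example (not pwncat code): detects the emptied-file case from the
issue and the usual traces an /etc/passwd file-write escalation leaves.
"""
import re

# Constructed sample inputs; they are not taken from the target in the issue.
HEALTHY_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "dill:x:1000:1000:dill:/home/dill:/bin/bash\n"
)
EMPTY_PASSWD = ""
# A second uid-0 account appended the way a file-write privesc would do it.
TAMPERED_PASSWD = HEALTHY_PASSWD + "backdoor:x:0:0::/root:/bin/bash\n"

# Assumed convention for account names (useradd's default pattern); not a
# hard rule on every system, so treat a mismatch as a warning, not an error.
_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")


def parse_passwd(text):
    """Return ([(name, uid, gid, home, shell), ...], [problem strings])."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            problems.append(f"line {lineno}: blank line")
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        if not _NAME_RE.match(name):
            problems.append(f"line {lineno}: suspicious user name {name!r}")
        if not (uid.isdigit() and gid.isdigit()):
            problems.append(f"line {lineno}: non-numeric uid/gid")
            continue
        entries.append((name, int(uid), int(gid), home, shell))
    return entries, problems


def check_passwd(text):
    """Classify an /etc/passwd image as 'empty', 'ok' or 'suspicious'."""
    if not text.strip():
        return "empty", ["file is empty: local logins will fail until restored"]
    entries, problems = parse_passwd(text)
    root_accounts = [name for name, uid, _gid, _home, _shell in entries if uid == 0]
    if "root" not in root_accounts:
        problems.append("no 'root' entry with uid 0")
    extra_root = [name for name in root_accounts if name != "root"]
    if extra_root:
        problems.append(f"additional uid-0 accounts: {extra_root}")
    return ("ok" if not problems else "suspicious"), problems


def diff_passwd(before, after):
    """Account names added to and removed from the file between two images."""
    old = {entry[0] for entry in parse_passwd(before)[0]}
    new = {entry[0] for entry in parse_passwd(after)[0]}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    # Run against the live file; replace the path with a saved copy to audit a backup.
    with open("/etc/passwd", encoding="utf-8") as fh:
        status, problems = check_passwd(fh.read())
    print(status)
    for problem in problems:
        print("  -", problem)
```

Running the module against the live file prints "ok", "empty" or "suspicious" with the reasons; keeping a known-good copy and calling diff_passwd on it gives the list of accounts that appeared since the baseline, which is the artefact the "add user using file write" route in the escalate list would leave behind.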
Issue Analytics
- Created 2 years ago
- Comments: 5 (4 by maintainers)
Top GitHub Comments
That’s no problem! I already looked into it and created #176 which resolves this. So when they get back, they would only need to review the changes!
I've created a new branch to work on this. I'm working to remove all remnants of the base64 stream type. This will take some extra testing to make sure I don't break anything (although it /shouldn't/). I'm closing this pull request in the meantime, though.