docker
#linux
docker run -it --rm --name testctf -v $(pwd):/ctf/work --privileged --cap-add=SYS_PRTACE skysider/pwndocker sh
#windows(but `chdir` should exec before
docker run -it --rm --name testctf -v $(chdir):/ctf/work --privileged --cap-add=all skysider/pwndocker sh
#wiki
docker run -d --name=ctf-wiki -p 4100:80 ctfwiki/ctf-wiki
conda
conda info -e
conda list
conda create -n name what_you_want_to_pip
conda activate name
conda clean -i
conda remove -n name --all
docker 命令大全
rm -f $(id) #删除容器
rmi #删除镜像
commit $(id) $(镜像名) #提交镜像
参数
-d #后台运行
-v #外部路径:内部路径
-p #映射外端口:内端口
-it #创建一个可接受输入的终端
进入该虚拟机
docker run -it --rm --name testctf -v $(pwd):/ctf/work --cap-add=SYS_PTRACE skysider/pwndocker /bin/sh
如果不小心把和 docker 创建的终端关闭了,可以通过查看 docker ps 来获取容器 id ,之后使用docker exec -it $(id) bash再次进入
makefile
CC = gcc
CFLAGS = -lm -Wall -g
all: main_max main_min
main_max: main_max.c foo.o bar.o
$(CC) $(CFLAGS) main_max.c foo.o bar.o -o main_max
main_min: main_min.c foo.o bar.o
$(CC) $(CFLAGS) main_min.c foo.o bar.o -o main_min
foo.o: foo.c
$(CC) $(CFLAGS) -c foo.c
bar.o: bar.c
$(CC) $(CFLAGS) -c bar.c
clean:
rm *.o main
PR
- 卡点插件
- 字幕
- 转场
- 轨道遮罩
Pwndocker
A docker environment for pwn in ctf based on phusion/baseimage:master-amd64, which is a modified ubuntu 18.04 baseimage for docker
Usage
docker run -d \
--rm \
-h ${ctf_name} \
--name ${ctf_name} \
-v $(pwd)/${ctf_name}:/ctf/work \
-p 23946:23946 \
--cap-add=SYS_PTRACE \
skysider/pwndocker
docker exec -it ${ctf_name} /bin/bash
included software
- pwntools —— CTF framework and exploit development library
- pwndbg —— a GDB plug-in that makes debugging with GDB suck less, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers and exploit developers
- pwngdb —— gdb for pwn
- ROPgadget —— facilitate ROP exploitation tool
- roputils —— A Return-oriented Programming toolkit
- one_gadget —— A searching one-gadget of execve(‘/bin/sh’, NULL, NULL) tool for amd64 and i386
- angr —— A platform-agnostic binary analysis framework
- radare2 —— A rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files
- seccomp-tools —— Provide powerful tools for seccomp analysis
- linux_server[64] —— IDA 7.0 debug server for linux
- tmux —— a terminal multiplexer
- ltrace —— trace library function call
- strace —— trace system call
included glibc
Default compiled glibc path is /glibc.
- 2.19 —— ubuntu 12.04 default libc version
- 2.23 —— ubuntu 16.04 default libc version
- 2.24 —— introduce vtable check in file struct
- 2.27 —— pwndocker default glibc version
- 2.28 —— new libc version
- 2.29 —— latest libc version
How to run in custom libc version?
cp /glibc/2.27/64/lib/ld-2.27.so /tmp/ld-2.27.so
patchelf --set-interpreter /tmp/ld-2.27.so ./test
LD_PRELOAD=./libc.so.6 ./test
or
from pwn import *
p = process(["/path/to/ld.so", "./test"], env={"LD_PRELOAD":"/path/to/libc.so.6"})
tmux
ctrl + B
--> Arrow keys//to chooce the correct panel
--> Pgup/Pgdn//rolling screen
strange
convert test.png -crop 760x1080+0+26 look.png//edit photo
echo 0 > /proc/sys/kernel/randomize_va_space//whether open aslr or not
ulimit -c unlimited//indicates that the program generates a dump file whenever there is an error
echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern//save to tmp directory
gdb $file_name core.%t//debug core file
socat TCP4-LISTEN:8888,fork EXEC:./a.out
nm -D some.so
objdump -tT some.so
#dump出so各函数地址
objdump -d -j .plt file_name
#显示plt表
objdump -R file_name
#显示got表
gdb
p (*(struct _IO_FILE_plus *) addr)
fpchain
telescope addr num
elfsymbol
vmmap
readelf
find string
record
x/wx addr
find addr,offset,string
print function
#gdb显示一些addr存放的值,炒鸡好用
- w可换位b/h/g,分别取1/2/8字节
- /后可以接数字,表示显示多少
- 第二个x可以换成u(unsinged int)/d(10进制数)/s(字符串)/i(指令)
set *addr=value
- 设置addr值,默认为4字节
- 也可以将*换位{char/short/long}分别设置1/2/8字节
pwntools
context.terminal = ['tmux', 'splitw', '-h']
p = process(["/glibc/2.23/64/lib/ld-2.23.so", "./pwn"], env={"LD_PRELOAD":"/glibc/2.23/64/lib/libc.so.6"})
def debug(addr,PIE=True):
if PIE:
text_base = int(os.popen("pmap {}| awk ''".format(p.pid)).readlines()[1], 16)
gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
else:
gdb.attach(p,"b *{}".format(hex(addr)))
ROPgadget
ROPgadget --binary pwn --ropchain
ROPgadget --binary easy_pwn --only "pop|ret"
