各种小命令(防遗忘)

Posted by Domain knowledge on July 1, 2021

python

    # Serve the current directory over HTTP on port 80 (Python 3's http.server;
    # on Python 2 the equivalent module is SimpleHTTPServer). Port 80 is
    # privileged, so this usually needs root. It binds every interface and
    # serves every file under the cwd, so start it from a directory that holds
    # only what is meant to be shared.
    python -m http.server 80

git

    # First push of a freshly created repository, then drop the remote again.
    git init
    # stages everything under the cwd — check .gitignore first so credentials
    # and build output are not committed
    git add .
    git commit -m "just modify something fist time"
    # remoteurl is a placeholder for the remote repository's URL
    git remote add origin remoteurl
    # depending on init.defaultBranch the initial branch may be called main
    # rather than master; use whatever `git branch` shows
    git push -u origin master
    git remote rm origin

conda

    conda info -e                               # list environments
    conda list                                  # packages in the active environment
    conda create -n name what_you_want_to_pip   # new env "name" with the listed packages
    conda activate name
    conda clean -i                              # drop the cached package index
    conda remove -n name --all                  # delete env "name" entirely

docker

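# docker reminders — the three lines below are notes, not runnable as written
# (the original `$(id)` would execute the `id` command rather than stand for an id):
#   docker rm -f <container_id>            # delete a container
#   docker rmi <image>                     # delete an image
#   docker commit <container_id> <image>   # snapshot a container as an image
# run flags:
#   -d   run in the background
#   -v   host_path:container_path
#   -p   host_port:container_port (prefix with 127.0.0.1: to keep the port off other interfaces)
#   -it  allocate an interactive terminal

# linux docker for pwn
# --privileged already grants every capability (and a writable /proc/sys, which
# toggling ASLR inside the container needs), so --cap-add is redundant with it.
# Without --privileged, ptrace-based debugging needs --cap-add=SYS_PTRACE (and on
# older docker/kernel combinations --security-opt seccomp=unconfined). The
# original spelled the capability SYS_PRTACE, which docker rejects as unknown.
docker run -it --rm --name testctf -v "$(pwd)":/ctf/work \
  --privileged --cap-add=SYS_PTRACE skysider/pwndocker sh

# windows (but `chdir` should exec before)
# NOTE(review): `$(chdir)` is not a substitution in cmd.exe, and in PowerShell it
# evaluates to nothing; use %cd% in cmd or ${PWD} in PowerShell, or run the linux
# line from Git Bash/WSL where $(pwd) works. --cap-add=all is redundant with --privileged.
docker run -it --rm --name testctf -v $(chdir):/ctf/work \
  --privileged --cap-add=all skysider/pwndocker sh

# wiki — published on every interface; use -p 127.0.0.1:4100:80 for local-only reading
docker run -d --name=ctf-wiki -p 4100:80 ctfwiki/ctf-wiki

# jekyll — the original had no image name, so docker treated "sh" as the image;
# JEKYLL_IMAGE stands for the image to use (commonly jekyll/jekyll)
docker run -it --rm -v "$(pwd)":/srv/jekyll -p 4000:4000 JEKYLL_IMAGE sh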

makefile

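# Build main_max and main_min, each from its own source plus foo.o and bar.o.
CC = gcc
# Compiler flags only. -lm used to live here, which put the library before the
# object files on the link line; with --as-needed (the default linker setting
# on some distributions) it is then dropped and the link fails.
CFLAGS = -Wall -g
# Libraries go after the objects on the link line.
LDLIBS = -lm

# neither target produces a file of that name
.PHONY: all clean

all: main_max main_min

main_max: main_max.c foo.o bar.o
	$(CC) $(CFLAGS) main_max.c foo.o bar.o -o main_max $(LDLIBS)

main_min: main_min.c foo.o bar.o
	$(CC) $(CFLAGS) main_min.c foo.o bar.o -o main_min $(LDLIBS)

foo.o: foo.c
	$(CC) $(CFLAGS) -c foo.c

bar.o: bar.c
	$(CC) $(CFLAGS) -c bar.c

# The original removed "main", which nothing here builds, and left the real
# binaries behind; -f keeps clean from failing when there is nothing to remove.
clean:
	rm -f *.o main_max main_min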

tmux

ctrl + B
        --> Arrow keys//to choose the correct pane
        --> Pgup/Pgdn//scroll the screen

python

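import base64  # decode base64 that was written with a custom (shuffled) alphabet

# the encoder's alphabet, and the standard alphabet it maps onto index by index
a = "QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbn/+m1234567890"
b = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
base_fix = "ZXFWtmKgDZCyrmC5B+CiVfsyXUCQVfsyZRFzDU4yX2YCD/F5Ih8="
table = ''.maketrans(a, b)


def decode_custom_b64(data: str, custom_alphabet: str = a) -> bytes:
    """Decode base64 text produced with a non-standard 64-symbol alphabet.

    Args:
        data: the encoded text; '=' padding is passed through untouched.
        custom_alphabet: the 64 symbols the encoder used, in value order
            (position i is the symbol for the 6-bit value i).
    Returns:
        The decoded bytes.
    Raises:
        ValueError: if the alphabet is not exactly 64 symbols long, or the
            translated text is not valid standard base64.
    """
    if len(custom_alphabet) != 64:
        raise ValueError("custom alphabet must have exactly 64 symbols")
    # rewrite each custom symbol as the standard symbol with the same index,
    # then let the standard decoder do the rest
    return base64.b64decode(data.translate(str.maketrans(custom_alphabet, b)))


print(decode_custom_b64(base_fix))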

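# Filter the tab-separated file "Amazon" down to the rows whose first two
# columns are both integers below LIMIT, and write those rows to "guo".

LIMIT = 100


def filter_small_pairs(rows: list[list[str]], limit: int = LIMIT) -> list[str]:
    """Keep the rows whose first two columns are integers below ``limit``.

    Args:
        rows: each row is a list of column strings (a line split on tabs).
        limit: exclusive upper bound applied to both columns.
    Returns:
        One "col0\\tcol1\\n" line per kept row, in input order.
    Raises:
        ValueError: if a row's first two columns are not integers.
        IndexError: if a row has fewer than two columns.
    """
    kept = []
    for row in rows:
        if int(row[0]) < limit and int(row[1]) < limit:
            kept.append(row[0] + "\t" + row[1] + "\n")
    return kept


def main() -> None:
    """Read "Amazon", print its line count, write the filtered rows to "guo"."""
    # the original never closed the input file and carried leftover debugging
    # prints (print(1), print(1>100)) and an unused list; those are gone
    with open("Amazon") as src:
        lines = src.read().splitlines()
    print(len(lines))
    # a blank line (e.g. a trailing one) has no columns and would raise inside
    # int(); skip such lines instead of crashing on them
    rows = [line.split("\t") for line in lines if line.strip()]
    with open("guo", "w+") as dst:
        dst.writelines(filter_small_pairs(rows))


if __name__ == "__main__":
    main()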

PR(这是什么奇怪的东西)

  • 卡点插件
  • 字幕
  • 转场
  • 轨道遮罩

Pwndocker

A docker environment for pwn in ctf based on phusion/baseimage:master-amd64, which is a modified ubuntu 18.04 baseimage for docker

Usage

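# ctf_name must be set first: the hostname, container name and work directory
# all derive from it, and an empty value would pass docker an empty -h and
# mount "$(pwd)/" instead of the challenge directory.
: "${ctf_name:?set ctf_name before running this}"

# -p publishes 23946 (the port linux_server, the IDA debug server, listens on)
# on every interface; use -p 127.0.0.1:23946:23946 when IDA runs on this host.
docker run -d \
	--rm \
	-h "${ctf_name}" \
	--name "${ctf_name}" \
	-v "$(pwd)/${ctf_name}":/ctf/work \
	-p 23946:23946 \
	--cap-add=SYS_PTRACE \
	skysider/pwndocker

docker exec -it "${ctf_name}" /bin/bash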

included software

  • pwntools —— CTF framework and exploit development library
  • pwndbg —— a GDB plug-in that makes debugging with GDB suck less, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers and exploit developers
  • pwngdb —— gdb for pwn
  • ROPgadget —— facilitate ROP exploitation tool
  • roputils —— A Return-oriented Programming toolkit
  • one_gadget —— A searching one-gadget of execve('/bin/sh', NULL, NULL) tool for amd64 and i386
  • angr —— A platform-agnostic binary analysis framework
  • radare2 —— A rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files
  • seccomp-tools —— Provide powerful tools for seccomp analysis
  • linux_server[64] —— IDA 7.0 debug server for linux
  • tmux —— a terminal multiplexer
  • ltrace —— trace library function call
  • strace —— trace system call

included glibc

Default compiled glibc path is /glibc.

  • 2.19 —— ubuntu 12.04 default libc version
  • 2.23 —— ubuntu 16.04 default libc version
  • 2.24 —— introduce vtable check in file struct
  • 2.27 —— pwndocker default glibc version
  • 2.28 —— new libc version
  • 2.29 —— latest libc version

    How to run in custom libc version?

# Run ./test under a chosen glibc: copy that version's loader out, point the
# binary's interpreter at it, and preload the libc from the same build.
cp /glibc/2.27/64/lib/ld-2.27.so /tmp/ld-2.27.so
# patchelf rewrites ./test in place; keep a copy if the original must survive
patchelf --set-interpreter /tmp/ld-2.27.so ./test
# ld.so and libc.so.6 must come from the same glibc version; a mismatched pair
# typically fails at startup
LD_PRELOAD=./libc.so.6 ./test

or

from pwn import *

# start ./test through an explicit dynamic loader with a chosen libc preloaded
loader = "/path/to/ld.so"
target = "./test"
environment = {"LD_PRELOAD": "/path/to/libc.so.6"}
p = process([loader, target], env=environment)

strange

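    # Debugging-only settings. Writing /proc/sys needs root (or a --privileged
    # container) and applies system-wide until reboot. The original appended
    # its notes with "//", which the shell took as part of the path/arguments,
    # so those lines did not work as written; they are shell comments here.
    echo 0 > /proc/sys/kernel/randomize_va_space   # disable ASLR (2 restores the default, fully on)
    ulimit -c unlimited                            # let a crashing process write a core dump
    echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern   # cores go to /tmp, %t = epoch timestamp
    gdb "$file_name" core.%t                       # debug a core file; core.%t stands for the real timestamped name
    # serve ./a.out on TCP 8888, one fork per connection; this binds every
    # interface — add bind=127.0.0.1 (TCP4-LISTEN:8888,bind=127.0.0.1,fork) for local-only use
    socat TCP4-LISTEN:8888,fork EXEC:./a.out
    nm -D some.so                                  # dynamic symbols of a shared object
    objdump -tT  some.so                           # dump the addresses of the .so's functions
    objdump -d -j .plt file_name                   # show the PLT
    objdump -R file_name                           # show the GOT (dynamic relocations)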

gdb

    p (*(struct _IO_FILE_plus *) addr)
    fpchain
    telescope addr num
    elfsymbol
    vmmap
    readelf
    find string
    record
    x/wx addr
    find addr,offset,string
    print function
    #gdb显示一些addr存放的值,炒鸡好用
    - w可换成b/h/g,分别取1/2/8字节
    - /后可以接数字,表示显示多少
    - 第二个x可以换成u(unsigned int)/d(10进制数)/s(字符串)/i(指令)
    set *addr=value
    - 设置addr值,默认为4字节
    - 也可以将*换成{char/short/long}分别设置1/2/8字节

pwntools

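    # assumes `from pwn import *` above (provides context, process, gdb)
    context.terminal = ['tmux', 'splitw', '-h']
    p = process(["/glibc/2.23/64/lib/ld-2.23.so", "./pwn"],
                env={"LD_PRELOAD": "/glibc/2.23/64/lib/libc.so.6"})

    def debug(addr, PIE=True):
        """Attach gdb to p with a breakpoint at addr.

        addr: offset from the binary's load base when PIE is True, otherwise an
            absolute address.
        The original had the body at the same indent as the def (a syntax
        error) and piped pmap through an empty awk program, which prints
        nothing, so readlines()[1] raised IndexError.
        """
        import os
        if PIE:
            # pmap's first line is "pid: command"; the next line's first field
            # is the lowest mapping, taken here as the text base (procps pmap
            # output format — confirm on other implementations)
            lines = os.popen("pmap {}".format(p.pid)).readlines()
            text_base = int(lines[1].split()[0], 16)
            gdb.attach(p, 'b *{}'.format(hex(text_base + addr)))
        else:
            gdb.attach(p, "b *{}".format(hex(addr)))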

ROPgadget

    # search pwn for gadgets and have ROPgadget assemble a chain from them
    ROPgadget --binary pwn --ropchain
    # list only the gadgets whose disassembly matches the regex (pop … ; ret)
    ROPgadget --binary easy_pwn --only "pop|ret"