Skip to content

Commit

Permalink
add intro.md
Browse files Browse the repository at this point in the history
  • Loading branch information
@reteps
reteps committed Aug 26, 2024
1 parent 962e2dc commit 943540d
Show file tree
Hide file tree
Showing 5 changed files with 448 additions and 2 deletions.
333 changes: 333 additions & 0 deletions fallctf-2023/src/pwn/pwntools.html
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,333 @@
<!DOCTYPE HTML>
<html lang="en" class="navy" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>pwntools - Fall CTF 2024 Guide</title>


<!-- Custom HTML head -->

<meta name="description" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">

<link rel="icon" href="../../../favicon.svg">
<link rel="shortcut icon" href="../../../favicon.png">
<link rel="stylesheet" href="../../../css/variables.css">
<link rel="stylesheet" href="../../../css/general.css">
<link rel="stylesheet" href="../../../css/chrome.css">
<link rel="stylesheet" href="../../../css/print.css" media="print">

<!-- Fonts -->
<link rel="stylesheet" href="../../../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../../../fonts/fonts.css">

<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" href="../../../highlight.css">
<link rel="stylesheet" href="../../../tomorrow-night.css">
<link rel="stylesheet" href="../../../ayu-highlight.css">

<!-- Custom theme stylesheets -->
<link rel="stylesheet" href="../../../theme/css/custom.css">

<!-- MathJax -->
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
</head>
<body class="sidebar-visible no-js">
<div id="body-container">
<!-- Provide site root to javascript -->
<script>
var path_to_root = "../../../";
var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "navy" : "navy";
</script>

<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
try {
var theme = localStorage.getItem('mdbook-theme');
var sidebar = localStorage.getItem('mdbook-sidebar');

if (theme.startsWith('"') && theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}

if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
</script>

<!-- Set the theme before any content is loaded, prevents flash -->
<script>
var theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
var html = document.querySelector('html');
html.classList.remove('navy')
html.classList.add(theme);
var body = document.querySelector('body');
body.classList.remove('no-js')
body.classList.add('js');
</script>

<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">

<!-- Hide / unhide sidebar before it is displayed -->
<script>
var body = document.querySelector('body');
var sidebar = null;
var sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
} else {
sidebar = 'hidden';
}
sidebar_toggle.checked = sidebar === 'visible';
body.classList.remove('sidebar-visible');
body.classList.add("sidebar-" + sidebar);
</script>

<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<div class="sidebar-scrollbox">
<ol class="chapter"><li class="chapter-item expanded "><a href="../../../intro.html"><strong aria-hidden="true">1.</strong> Intro</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../../../../fallctf-2023/src/pwn/pwntools.html" class="active"><strong aria-hidden="true">1.1.</strong> pwntools</a></li></ol></li></ol>
</div>
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
<div class="sidebar-resize-indicator"></div>
</div>
</nav>

<!-- Track and set sidebar scroll position -->
<script>
var sidebarScrollbox = document.querySelector('#sidebar .sidebar-scrollbox');
sidebarScrollbox.addEventListener('click', function(e) {
if (e.target.tagName === 'A') {
sessionStorage.setItem('sidebar-scroll', sidebarScrollbox.scrollTop);
}
}, { passive: true });
var sidebarScrollTop = sessionStorage.getItem('sidebar-scroll');
sessionStorage.removeItem('sidebar-scroll');
if (sidebarScrollTop) {
// preserve sidebar scroll position when navigating via links within sidebar
sidebarScrollbox.scrollTop = sidebarScrollTop;
} else {
// scroll sidebar to current active section when navigating via "next/previous chapter" buttons
var activeSection = document.querySelector('#sidebar .active');
if (activeSection) {
activeSection.scrollIntoView({ block: 'center' });
}
}
</script>

<div id="page-wrapper" class="page-wrapper">

<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky">
<div class="left-buttons">
<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</label>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
<a id="back-button" href="../../../.." title="Return Home" aria-label="Return Home">
<i class="fa fa-home"></i>
<div id="back-button-text">Return Home</div>
</a>
</div>

<h1 class="menu-title">Fall CTF 2024 Guide</h1>

<div class="right-buttons">
<a href="../../../print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
<a href="https://github.com/sigpwny/websites/tree/main/fallctf.com" title="Git repository" aria-label="Git repository">
<i id="git-repository-button" class="fa fa-github"></i>
</a>
<a href="https://github.com/rust-lang/mdBook/edit/main/fallctf.com/guide-2024/src/../../fallctf-2023/src/pwn/pwntools.md" title="Suggest an edit" aria-label="Suggest an edit">
<i id="git-edit-button" class="fa fa-edit"></i>
</a>

</div>
</div>

<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>

<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script>
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
});
</script>

<div id="content" class="content">
<main>
<h1 id="a-primer-on-pwntools"><a class="header" href="#a-primer-on-pwntools">A Primer on pwntools</a></h1>
<h2 id="introduction"><a class="header" href="#introduction">Introduction</a></h2>
<p>When developing exploits for various challenges, it might be beneficial to use scripts and automation to make your life easier. Especially when you want to deal with sending bytes and data that are not printable, or large numbers when dealing with cryptography.</p>
<p>Of course, one of the easiest scripting languages to use is Python. While you could manually set up connections, text piping, and the whole host of annoying debugging issues that come along with that, there's already a handy library to handle the plumbing for you.</p>
<p><code>pwntools</code> is a Python library with <em>lots</em> of handy functions, classes, and scripts to help automate and streamline exploit development.</p>
<p>You can install pwntools through <code>pip</code>, Python's package manager:</p>
<pre><code>pip3 install pwntools
</code></pre>
<p>or</p>
<pre><code>python3 -m pip install pwntools
</code></pre>
<h3 id="maclinux-pwntools-installation-help"><a class="header" href="#maclinux-pwntools-installation-help">Mac/Linux pwntools installation help</a></h3>
<p>If the above command does not work for you on MacOS or Linux, you may need some dependencies that are required to install pwntools. Specifically, pwntools expects you to have <code>cmake</code> and <code>pkg-config</code>. Try running:</p>
<pre><code>brew install cmake
brew install pkg-config
</code></pre>
<p>or</p>
<pre><code>sudo apt-get install cmake
sudo apt-get install pkg-config
</code></pre>
<h2 id="interacting-with-a-process"><a class="header" href="#interacting-with-a-process">Interacting with a process</a></h2>
<p><code>pwntools</code> uses the idea of "tubes" to handle data transfer/receive. You can make a connection with an actual network interface (like you would with <code>netcat</code>), or with a local process, and link standard in and standard out with <code>pwntools</code>.</p>
<p>Here's a few ways to make a connection:</p>
<pre><code class="language-py">from pwn import * # It's usually just better to import everything when using pwntools

# Start a process on your machine, locally
conn = process('./file')

# Start a process and simultaneously start gdb debugging it.
# You can provide an initial set of commands using the gdbscript parameter
conn2 = gdb.debug('./file', gdbscript="""
b main
continue
""")

# Pause a process running locally and attach gdb to it and start debugging
gdb.attach(conn)

# Connect to a server
port = 22
conn3 = remote('ip.or.domain', port)
</code></pre>
<p>With <code>process</code>, it just launches the file specified via the path. If you give it an array of strings, you can run a file with command line arguments, e.g. <code>['./file', '-t', 'data.txt']</code>. You can also start a program locally with a debugger using <code>gdb.debug()</code> instead. <strong>You need to be using a terminal with support for paneling</strong>. So install and enter terminal multiplexer such as <code>tmux</code> before running a debugger with pwntools (Windows Terminal, oddly, supports this natively?). You can also attach gdb to an existing process with <code>gdb.attach()</code>. Finally, for communicating with networks (and in our case, challenge servers), you can use <code>remote()</code> to provide an ip/domain and port to connect to.</p>
<p>Once we have our connection, we can send or receive data from it. There are many functions to do this, but I'll show off a few:</p>
<pre><code class="language-py">from pwn import *
port = 9999
conn = remote('chal.sigpwny.com',port)

# Receive functions will return a bytestring of what it receives.

# Receive text until it encounters a new line character (e.g. \n)
line = conn.recvline()

# Receive text until it encounters the specified delimiter.
prompt = conn.recvuntil(b'&gt;&gt; ')

# Receive exactly n bytes.
resp = conn.recvn(8)

# Receive everything until End of File (EOF) is received from the pipe (i.e. they closed the connection)
everything = conn.recvall()

# Sends the string along with an new line ending
conn.sendline(b'my response\x05\x0f\xa0')

# Does NOT send a newline
conn.send(b'not a line yet')

# Does a recvuntil('delim') and sends the 2nd argument
conn.sendlineafter(b'&gt;&gt; ', b'1')
</code></pre>
<p>Note that strings in these functions are bytestrings <code>b''</code>. pwntools will warn you if you dont use bytestrings, and automatically convert to ASCII.
That being said, this means its really easy to send non-printable characters over the wire using <code>\x</code> escape. It's also important to keep in mind that functions looking for a specific character (like a new line or delimiter), will block until it does. If your script is stuck, check to see whether or not you are actually getting the text you think you are. <em>Running the script with the DEBUG argument will cause it to print a hex dump of any data it sends/receives</em>: <code>python3 exploit.py DEBUG</code></p>
<p>Note, pipes with processes and such are <em>buffered</em>. The OS maintains a 4kb buffer of any text received. If you call <code>recvline()</code>, and the program sent 3 lines in total, only the first line is retrieved, and the other 2 remain in the buffer. Keep this in mind when processing received data. If you want to retrieve anything that's in the buffer currently, <code>recv()</code> will empty it out.</p>
<p>Finally, if you want to regain control of the process input/output, simply call:</p>
<pre><code class="language-py">conn.interactive()
</code></pre>
<p>You'll want this to read the final printout of a program after running your exploit, or to use a shell, etc.</p>
<h2 id="using-shellcode"><a class="header" href="#using-shellcode">Using shellcode</a></h2>
<p>For some of our challenges, you will need to use <code>pwntool</code>s <code>asm</code> function. This requires a binutils installation for the architecture that our machines are running on, in this case, amd64. If you are on an M1/M2 mac, you'll need to run the following commands somewhere to generate assembly for our servers:</p>
<pre><code>wget https://raw.githubusercontent.com/Gallopsled/pwntools-binutils/master/macos/binutils-amd64.rb
brew install binutils-amd64.rb
</code></pre>

</main>

<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<a rel="prev" href="../../../intro.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>


<div style="clear: both"></div>
</nav>
</div>
</div>

<nav class="nav-wide-wrapper" aria-label="Page navigation">
<a rel="prev" href="../../../intro.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>

</nav>

</div>

<!-- Livereload script (if served using the cli tool) -->
<script>
const wsProtocol = location.protocol === 'https:' ? 'wss:' : 'ws:';
const wsAddress = wsProtocol + "//" + location.host + "/" + "__livereload";
const socket = new WebSocket(wsAddress);
socket.onmessage = function (event) {
if (event.data === "reload") {
socket.close();
location.reload();
}
};

window.onbeforeunload = function() {
socket.close();
}
</script>



<script>
window.playground_copyable = true;
</script>


<script src="../../../elasticlunr.min.js"></script>
<script src="../../../mark.min.js"></script>
<script src="../../../searcher.js"></script>

<script src="../../../clipboard.min.js"></script>
<script src="../../../highlight.js"></script>
<script src="../../../book.js"></script>

<!-- Custom JS scripts -->


</div>
</body>
</html>
3 changes: 2 additions & 1 deletion fallctf-2024/src/SUMMARY.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Summary

- [Chapter 1](./chapter_1.md)
- [Intro](./intro.md)
- [pwntools](./pwntools.md)
1 change: 0 additions & 1 deletion fallctf-2024/src/chapter_1.md
View file

This file was deleted.

5 changes: 5 additions & 0 deletions fallctf-2024/src/intro.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# Fall CTF 2024 Guide

Welcome to the Fall CTF 2024 Guide! Feel free to click around the categories as you solve challenges.

Hello Fall CTF Developers!!!!
Loading

0 comments on commit 943540d

Please sign in to comment.