gallopsled / pwntools-write-ups

A collection of CTF write-ups all using pwntools

License: MIT License

Python 82.46% C 1.62% Shell 15.41% Assembly 0.50%

pwntools-write-ups's Introduction

pwntools-write-ups

A collection of CTF write-ups all using pwntools

Dependencies

  • libc++1 (2014/gits-teaser/citadel)
  • pwntools (master branch from github, and ofc. all dependencies for pwntools)

Known Issues

Some of the tests are a bit finnicky, both due to pwntools and the services themselves.

  • Some services cannot be re-run immediately (services without REUSEADDR)
  • Services that aren't working:
    • 2013/pctf/ropasaurus
    • 2014/defcon-quals/babyfirst-heap
    • 2014/defcon-quals/bbgp

If other tests are failing or there are other issues (e.g. services still running after the test), then please file an issue.

pwntools-write-ups's People

Contributors: br0ns, kokjo, kristoff3r, lieanu, zachriggle

pwntools-write-ups's Issues

run_all_tests.sh and harness.py

run_all_tests.sh should be replaced with a simple scandown for unit tests. For example, pytest or nosetests scans for all files which start with test, and executes all functions whose name start with test.

harness.py can then be renamed to test.py and replaced with a simple wrapper script that does something like what's shown below.

Example test.py

#!/usr/bin/env python2
from pwn import *   # also brings in string, sys and tempfile

def run_exploit(**kwargs):
    # set up the flag and target file: a fresh random flag per run,
    # and a temporary file the exploit is expected to write the flag into
    write('flag', randoms(20, string.ascii_letters))
    saveflag = tempfile.NamedTemporaryFile()

    # Set up arguments (pwntools' KEY=VALUE args dict, as if given on the command line)
    global args
    args['SAVEFLAG'] = saveflag.name
    args['FLAG'] = 'flag'
    args.update(**kwargs)

    # importing exploit.py runs it; drop it from sys.modules so the next
    # call re-imports (and therefore re-runs) it instead of reusing the module
    exploit = __import__('exploit', level=0)
    del sys.modules['exploit']
    del exploit

    # verify: what the exploit saved must equal the real flag
    assert read(saveflag.name) == read('flag')

def test_local():
    'Run the exploit locally'
    run_exploit()

def test_remote():
    # serve the binary on an ephemeral local port and point the exploit at it
    l = listen(0)
    l.spawn_process('pwnme')
    run_exploit(REMOTE='localhost', PORT=l.lport)

if __name__ == '__main__':
    test_local()
    test_remote()

py.test and nosetest example

Given this input script

pip install pytest nose
cat > test_foo.py <<EOF
from pwn import *

def test_normal_success():
    print "Lol"

def test_normal_error():
    print "Shucks!"
    raise Exception()

def test_success():
    log.info("Hurray!")

def test_failure():
    log.error("Oh no!")
EOF
PWNLIB_NOTERM=1 py.test
PWNLIB_NOTERM=1 nosetests

py.test output

=============================================================================== test session starts ===============================================================================
platform linux2 -- Python 2.7.8 -- py-1.4.26 -- pytest-2.6.4
collected 4 items

test_foo.py .F.F

==================================================================================== FAILURES =====================================================================================
________________________________________________________________________________ test_normal_error ________________________________________________________________________________

    def test_normal_error():
        print "Shucks!"
>       raise Exception()
E       Exception

test_foo.py:8: Exception
------------------------------------------------------------------------------ Captured stdout call -------------------------------------------------------------------------------
Shucks!
__________________________________________________________________________________ test_failure ___________________________________________________________________________________

    def test_failure():
>       log.error("Oh no!")

test_foo.py:14:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = <pwnlib.log.Logger object at 0x7fc1eea42810>, m = 'Oh no!', a = (), kw = {'extra': {'pwnlib_stop': False, 'pwnlib_symbol': 'ERROR'}}

    def error(self, m, *a, **kw):
        """error(message)

            Logs an error message, and raises an ``Exception``.
            """
        self.__log(logging.ERROR, m, a, kw, text.on_red('ERROR'))
>       raise Exception(m)
E       Exception: Oh no!

/home/riggle/pwntools/pwnlib/log.py:134: Exception
------------------------------------------------------------------------------ Captured stdout call -------------------------------------------------------------------------------
[ERROR] Oh no!
======================================================================= 2 failed, 2 passed in 0.23 seconds ========================================================================

nosetests output

.E.E
======================================================================
ERROR: test_foo.test_normal_error
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/riggle/.pyenv/versions/2.7.8/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/media/SSD1T/riggle/yyy/test_foo.py", line 8, in test_normal_error
    raise Exception()
Exception:
-------------------- >> begin captured stdout << ---------------------
Shucks!

--------------------- >> end captured stdout << ----------------------

======================================================================
ERROR: test_foo.test_failure
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/riggle/.pyenv/versions/2.7.8/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/media/SSD1T/riggle/yyy/test_foo.py", line 14, in test_failure
    log.error("Oh no!")
  File "/home/riggle/pwntools/pwnlib/log.py", line 134, in error
    raise Exception(m)
Exception: Oh no!
-------------------- >> begin captured stdout << ---------------------
[ERROR] Oh no!

--------------------- >> end captured stdout << ----------------------
-------------------- >> begin captured logging << --------------------
pwnlib.exploit: ERROR: Oh no!
--------------------- >> end captured logging << ---------------------

----------------------------------------------------------------------
Ran 4 tests in 0.126s

FAILED (errors=2)

Pwntools doctest execution in Sphinx

Doctest in Sphinx Write Up

Find test differential and test modules not included in execution of

$ PWNLIB_NOTERM=1 make clean doctest

Sphinx = 941 vs 967 => difference of 26 tests.

Comparison of the Sphinx results to Pwntools Library resulted in the following list of unreported tests.

About
Atexception
Commandline
Dynelf
Elf
Environment.pickle
Exception
Index
Install
Log
Replacements
Term
UI
Tubes/Serial
Util/Net
Util/Hashes
Install/Binutils
Install/Headers
Shellcraft/Common

Getting Sphinx to execute the previous list of tests

Current efforts of first finding the files led me to

/binjitsu/pwnlib which contain .py and .pyc
/binjitsu/docs/source which contain .rst
/binjitsu/docs/build/doctree which contain .doctree

Attempt to include missing test include

sphinx-quickstart with --ext-doctest extension
sphinx-build
sys.path update to include '/binjitsu/pwnlib'

all of which have yet to yield the desired results.

Not able to load libc

While trying to load libc, I receive the following error:

>>> ELF('/lib/i386-linux-gnu/i686/cmov/libc.so.6')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/elf/__init__.py", line 65, in __init__
    self._populate_got_plt()
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/elf/__init__.py", line 250, in _populate_got_plt
    rel_plt = next(s for s in self.sections if s.header.sh_info == self.sections.index(plt))
StopIteration

Any idea how to fix this?

Installed the latest version of capstone.
Running on Kali.

spoilers

Hello,

vortex is a maintained and ongoing wargame (unlike a CTF, it is not over yet...). I think it's a pity that you distribute spoilers like this, even when we explicitly ask players not to do so.

From the motd:

Please play nice:

  • don't leave orphan processes running
  • don't leave exploit-files laying around
  • don't annoy other players
  • don't post passwords or spoilers

Thank you for your attention!

doit.py, harness.py

The general model here is that doit.py is an exploit that gives a shell or reads a flag file, and harness.py verifies that.

First, the naming isn't obvious for anyone who's never used pwntools before and is casually browsing the repository. I'd suggest exploit.py instead of doit.py and test.py or test_harness.py instead of harness.py.

Second, harness.py passes SILENT to doit.py. This makes it less useful for actual automated testing purposes, e.g. with travis-ci. Logging should be able to get cranked up all the way to DEBUG and still work. The issue is we need to see what's wrong, in the event that an exploit works locally but not on travis-ci.

One method of being able to verify that the flag was successfully retrieved, instead of scraping the exploit's output, may be to have the exploit check for a SAVEFLAG argument. The exploit would then write the flag to the specified file. For example, python exploit.py SAVEFLAG=foo. Then, the contents of foo and the real flag.txt can be verified for success (foo standing in for a temporary file path).

Instead of (or in addition to) echoing ok or not ok, what is currently called harness.py should use standard exit codes (0 for success, nonzero for failure).
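The SAVEFLAG harness proposed in this issue and in the test.py sketch above, written out as an added example (not code from the repository or its authors): the harness generates a fresh flag, passes SAVEFLAG=/FLAG= (and any extra KEY=VALUE pairs such as REMOTE/PORT) to the exploit, keeps the exploit's full output instead of silencing it, and returns a standard exit code. The exploit it drives is a constructed stand-in run through the Python interpreter, so the whole thing runs offline without pwntools; the BROKEN=1 switch exists only to exercise the failure path.

```python
import os
import random
import string
import subprocess
import sys
import tempfile

# Stand-in for exploit.py (constructed for this example): parses pwntools-style
# KEY=VALUE argv entries, reads FLAG and writes it to SAVEFLAG. BROKEN=1 makes it
# save a wrong value so the harness's failure path can be exercised.
FAKE_EXPLOIT = r'''
import sys
args = dict(a.split("=", 1) for a in sys.argv[1:] if "=" in a and a.split("=", 1)[0].isupper())
flag = "not-the-flag" if "BROKEN" in args else open(args["FLAG"]).read()
print("[*] flag retrieved")  # normal log output; the harness never needs SILENT
open(args["SAVEFLAG"], "w").write(flag)
'''

def make_flag(path, length=20):
    """Write a fresh random flag so a stale SAVEFLAG file from an earlier run cannot pass."""
    flag = "".join(random.choice(string.ascii_letters) for _ in range(length))
    with open(path, "w") as f:
        f.write(flag)
    return flag

def run_exploit(exploit_argv, flag_path, timeout=30, **extra):
    """Run the exploit with SAVEFLAG=<tmp> FLAG=<flag_path> plus extra KEY=VALUE pairs
    (e.g. REMOTE=localhost PORT=1337); return 0 if the saved flag matches, else 1."""
    flag = make_flag(flag_path)
    saveflag = os.path.join(tempfile.mkdtemp(), "saveflag")  # the exploit must create it
    argv = list(exploit_argv) + ["SAVEFLAG=" + saveflag, "FLAG=" + flag_path]
    argv += ["%s=%s" % (k, v) for k, v in extra.items()]
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        print("not ok (timeout after %ds)" % timeout)
        return 1
    saved = open(saveflag).read() if os.path.exists(saveflag) else None
    if proc.returncode == 0 and saved == flag:
        print("ok")
        return 0
    # Keep the exploit's full output: a failure on CI must be diagnosable without a re-run.
    print("not ok (rc=%d, saved=%r)\n--- stdout ---\n%s--- stderr ---\n%s"
          % (proc.returncode, saved, proc.stdout, proc.stderr))
    return 1

def demo():
    # run the constructed exploit once working and once with BROKEN=1; return both exit codes
    with tempfile.TemporaryDirectory() as d:
        exploit, flag_path = [sys.executable, "-c", FAKE_EXPLOIT], os.path.join(d, "flag.txt")
        return run_exploit(exploit, flag_path), run_exploit(exploit, flag_path, BROKEN=1)
```

A CI job would call sys.exit(run_exploit([...], "flag.txt")) so the build goes red on a mismatch, crash or hang rather than on a missing "ok" line.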
