CTF Framework

[toc]

CTF Framework, Save you time and exploit quickly

Start

pwn docker

python3 start_docker.py 20.04

r809pwn

git clone https://github.com/r888800009/CTF-tool
cd CTF-tool
pdm install
$(pdm venv activate)

import r809pwn.lib

gdb toolbox

toolbox should run after apogiatzis/gdb-peda-pwndbg-gef installed

python3 ./instal_gdb_toolbox.py

current toolbox include

• r888800009/gdb_toolbox
• 0n3t04ll/OneGadgetTest fork

fork is backup if original repo is deleted

there are some useful tools, but not include in this repo,

• symbolic execution
  • SQLab/symgdb
    • only support python2
  • andreafioraldi/angrgdb
    • crash on new version angr, because of angr api change
• misc
  • io12/pwninit: pwninit - automate starting binary exploit challenges
    • it may be useful for finding unstrip binary, maybe

firmware analyze

We call binwalk on the backend

import r809firmware
r809firmware.list_file_system('~/firmware.img')

Dependencies

• docker
• pwntools

Web

SQL encoder

>>> r809web.mysql.concat('asd')
'concat(0x61,0x73,0x64)'

Hash Tool chains (TODO)

import r809web.hash_tools

Hash Extractor (TODO)

use

hash_extractor(['sensitive.html', 'sensitive.txt'])

a tool extract all passable hash value from html or text file, after that can be cracked by rainbow table

• md5: [0-9a-f]{32}

ref:

• Cheat Sheet For Password Crackers
• A cheat-sheet for password crackers

Rainbow table searcher (TODO)

a tool search hash on rainbow table online or local database

use

rainbow_table(['21232f297a57a5a743894a0e4a801fc3', 'ee11cbb19052e40b07aac0ca060c23ee'])

Output

['admin', 'user']

or

'could not find a hash in the databases'

PWN

• test_pwn_heap_rwx.cpp 用來檢查 mappings
  • heap 能否執行和 kernel 版本有關聯
  • 如果採用 docker 需要注意 host kernel
• Old Ubuntu Releases
• ./libc-extractor.sh 20.04

todo

• format string leak analyser
  • find Leak return address and %?$p location
  • [ ]格式化字串攻擊 (Format String Attack) | r809's Notes
• exploit.py template
• Predefined hook function for angr an triton

Fuzzer

• r888800009/afl-darwin-dockerfile

Sensitive Path

Todo

• Auto-gen payload reading

/proc/pid/*

Docker

• pwn_docker/
  • ./setup_docker.sh 20.04

Build docker

cd pwn_docker/
docker build . -t ctf_ubuntu1804 --target ctf

# only devtools
docker build . -t ubuntu1804 --target basic
docker build . -t ubuntu_latest --target basic --build-arg VERSION=latest

# ubuntu 20.04
docker build . -t ctf_ubuntu2004 --target ctf --build-arg VERSION=20.04

# latest
docker build . -t ctf_ubuntu_latest --target ctf --build-arg VERSION=latest

Run docker

docker run --rm -it ctf_ubuntu1804 /bin/bash
docker run --rm -it -v $(pwd):/work ctf_ubuntu_latest bash

check ubuntu version

docker run --rm -it ctf_ubuntu1804 cat /etc/os-release
docker run --rm -it ctf_ubuntu2004 cat /etc/os-release
docker run --rm -it ctf_ubuntu_latest cat /etc/os-release

Maybe need --cap-add=SYS_PTRACE