pwndocker's Issues

there is no angr but it is included in readme.md

Notice that angr is included in the README, but actually I can't import it in either python2 or python3. I have checked the Dockerfile and found that nothing about angr seems to exist, which makes me confused.
Thank you so much.

Error: Authentication required to pull the image

Hi,

first of all, thanks for this image, it has been of great help when pwning!
I think there is an issue with the Dockerfile, as pulling the image from scratch yields an error:

> docker pull skysider/pwndocker:latest
latest: Pulling from skysider/pwndocker
345e3491a907: Pull complete 
57671312ef6f: Pull complete 
5e9250ddb7d0: Pull complete 
469c73a16ba5: Pull complete 
6d234dc15284: Pull complete 
42cbb779a68f: Pull complete 
726d55798abf: Downloading [=========================>                         ]  156.5MB/306MB
511af35a6a8b: Download complete 
18c5e01ba678: Download complete 
5f90fb92201d: Download complete 
e376bbea8312: Download complete 
14641206fa09: Download complete 
1ea7e5742d7c: Download complete 
a2aa00890aee: Download complete 
d726458fad58: Downloading [=====>                                             ]  33.76MB/294.8MB
8f7ea1bd4f01: Download complete 
0e3bb34b7406: Download complete 
6ef28762945f: Downloading 
bf5fd95ca7c6: Waiting 
dfc489ce0e2d: Waiting 
0bf33740dafa: Waiting 
b98b027f6ebd: Waiting 
8acef8e579a8: Waiting 
2ee39d26bcf6: Waiting 
12441af2add7: Waiting 
c70656af2b50: Waiting 
2d0d71ee97a3: Waiting 
50ea63e52fc0: Waiting 
e9a6fb786549: Waiting 
3a54190c7994: Waiting 
d96ea314b9a1: Waiting 
docker: unauthorized: authentication required.   <------------ Error here!

It looks like it happens when docker tries to download the image with (partial?) hash 6ef28762945f.

How to reproduce

Steps:

  1. Remove the image locally
  2. Pull the image again

I can't change the interpreter

I run

patchelf --set-interpreter /glibc/2.23/64/lib/ld-2.23.so ./binary

and I run ldd on the binary
/glibc/2.23/64/lib/ld-2.23.so => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f0118a0a000)

It still points to the default libc. If I try to set LD_PRELOAD to the 2.23 libc, it crashes.

gdb attach won't work

When I try to use gdb.attach(io) in a Python script using pwntools, an error occurs:
Waiting for debugger: debugger exited! (maybe check /proc/sys/kernel/yama/ptrace_scope)

Here is my exp code:

from pwn import *
context.log_level = "debug"
context.terminal = ["tmux","splitw","-h"]
io = process("./login") 
io.recvuntil("Input the username:")
io.sendline("a"*0x7a)
gdb.attach(io)
io.recvuntil("Input the password:")
io.sendline("b"*0x10)
io.interactive()

I have searched for this problem and tried the methods listed below. None of them worked:

  1. add --privileged option to the docker start file:
     docker run -d \
        --rm \
        -h $1 \
        --name $1 \
        -v $(pwd)/$1:/ctf/work \
        -p 23946:23946 \
        --privileged \
        --cap-add=SYS_PTRACE \
        skysider/pwndocker
    
     docker exec -it $1 /bin/bash
  2. add --security-opt seccomp=unconfined option to the docker start file:
      docker run -d \
        --rm \
        -h $1 \
        --name $1 \
        -v $(pwd)/$1:/ctf/work \
        -p 23946:23946 \
        --privileged \
        --cap-add=SYS_PTRACE \
        --security-opt seccomp=unconfined \
        skysider/pwndocker
    
       docker exec -it $1 /bin/bash
  3. add --security-opt apparmor=unconfined option to the docker start file:
      docker run -d \
        --rm \
        -h $1 \
        --name $1 \
        -v $(pwd)/$1:/ctf/work \
        -p 23946:23946 \
        --privileged \
        --cap-add=SYS_PTRACE \
        --security-opt apparmor=unconfined \
        --security-opt seccomp=unconfined \
        skysider/pwndocker
    
       docker exec -it $1 /bin/bash
  4. run echo 0 > /proc/sys/kernel/yama/ptrace_scope

Basic System Information:
Machine running docker: Ubuntu 20.04 running on VirtualBox

Feature request: include glibc 2.34~2.36 in the docker image

This repo is really useful! Thanks for sharing.

The glibc versions included in the docker image are kind of outdated. Ubuntu 22.04 now uses glibc 2.35 but the image only supports glibc 2.31. Can we add the latest libc (2.34~2.36) to the docker image?

gdb can't disable ASLR inside the container

While trying to open up a binary with gdb inside the container, it reports:

warning: Error disabling address space randomization: Operation not permitted

A Stack Overflow answer suggested adding a --security-opt seccomp=unconfined option on the command line. The docker-compose version of this would be:

security_opt:
    - seccomp:unconfined

Adding this option to the docker-compose.yml makes gdb work properly. I would just open up a PR but I'm not sure if this is the right approach. The issue is there, modifying the docker-compose.yml file is just a suggestion.
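The gdb attach and ASLR reports above both come down to three values the kernel exposes inside the container: the Yama ptrace_scope, the effective capability set, and the seccomp mode. The following script is an added example, not code from the issue authors or the pwndocker project; the function names and the two sample CapEff values are constructed for illustration.

```shell
#!/bin/sh
# Added example: name the kernel-side settings that can stop gdb in a container.
# Inputs are /proc/sys/kernel/yama/ptrace_scope plus the CapEff and Seccomp
# fields of /proc/self/status.

has_sys_ptrace() {   # $1 = CapEff hex string; CAP_SYS_PTRACE is capability bit 19
    [ $(( (0x$1 >> 19) & 1 )) -eq 1 ]
}

seccomp_name() {     # $1 = Seccomp field: 0 disabled, 1 strict, 2 filter
    case "$1" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# Print one line per possible blocker, or "ok" when none is found.
debug_blockers() {   # $1 = ptrace_scope, $2 = CapEff, $3 = Seccomp
    found=0
    case "$1" in
        1) has_sys_ptrace "$2" || { found=1
               echo "yama=1: attaching to a non-child needs CAP_SYS_PTRACE"; } ;;
        2) has_sys_ptrace "$2" || { found=1
               echo "yama=2: any attach needs CAP_SYS_PTRACE"; } ;;
        3) found=1; echo "yama=3: ptrace attach is disabled" ;;
    esac
    if [ "$(seccomp_name "$3")" != disabled ]; then
        found=1
        echo "seccomp=$(seccomp_name "$3"): profile may deny ptrace or personality (gdb ASLR switch)"
    fi
    [ "$found" -eq 1 ] || echo ok
}

if [ "${1:-}" = "--live" ]; then   # read the real values inside the container
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo 0)
    cap=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    sec=$(awk '/^Seccomp:/ {print $2}' /proc/self/status)
    debug_blockers "$scope" "${cap:-0}" "${sec:-0}"
else                                # constructed sample values
    debug_blockers 1 00000000a80425fb 2   # no SYS_PTRACE, filter active
    debug_blockers 1 00000000a80c25fb 0   # SYS_PTRACE added, seccomp off
fi
```

Run with `--live` inside the container to see which single setting is missing, so only that option (for example `--cap-add=SYS_PTRACE`) needs to be added rather than `--privileged`.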

When I try to use gdb.attach(io) in a py script using pwntools, an error occurs

When running the exploit script and attaching dynamically, or not even interacting with the binary, and if I attach after the process has started, I get this:

Traceback (most recent call last):
  File "hack20.py", line 9, in <module>
    gdb.attach(p)
  File "/usr/local/lib/python3.8/dist-packages/pwnlib/context/__init__.py", line 1543, in setter
    return function(a, **kw)
  File "/usr/local/lib/python3.8/dist-packages/pwnlib/gdb.py", line 1051, in attach
    gdb_pid = misc.run_in_new_terminal(cmd, preexec_fn = preexec_fn)
  File "/usr/local/lib/python3.8/dist-packages/pwnlib/util/misc.py", line 297, in run_in_new_terminal
    pid = int(out)
ValueError: invalid literal for int() with base 10: b''
[*] Stopped process './sint' (pid 20)

pwn version is not for tmux

git clone --depth 1 https://github.com.cnpmjs.org/Gallopsled/pwntools.git
pip install --upgrade --editable ./pwntools

there's no roputils but it is included in README.md

Notice that roputils is included in the README, but actually I can't import it in either python2 or python3. I have checked the Dockerfile and found that nothing about roputils seems to exist, which makes me confused.
Thank you so much.
