Linux: Simple Pwn Challenge Setup

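0x1 Simple Pwn challenge setup (insecure)

```bash
# PORT is the listening port, /path/to/binary is the challenge executable.
# reuseaddr is a listener option, so it goes on the tcp-l address.
socat tcp-l:PORT,fork,reuseaddr exec:/path/to/binary
```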

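Find the port the Pwn binary is listening on

```bash
# The usual way
ps aux | less               # find the PID of the target program
netstat -anop | grep PID    # replace PID with the value found above

# -------------------------
# All in one go
netstat -pant
```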

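0x2 A secure way to set up Pwn challenges

Download the environment from https://github.com/giantbranch/pwn_deploy_chroot

Put the challenge binaries in the bin directory.

Then, in config.py, set REPLACE_BINSH to False.

Run python initialize.py once.

A flags.txt file is then generated (to replace a flag, edit the flag string in flag.txt directly and run python initialize.py again).

Then run docker-compose up --build -d

to start the challenges.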

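Note: if libstdc++.so.6 cannot be found, the C++ runtime is not set up. Find libstdc++.so.6.0.XX (XX is a number) and libgcc_s.so.1 on an Ubuntu system of the same version that already has a working C++ environment, put them in the pwn_deploy_chroot directory, and add the following lines to the Dockerfile:

```dockerfile
COPY ./libstdc++.so.6.0.21 /usr/lib/libstdc++.so.6
COPY ./libgcc_s.so.1 /usr/lib/libgcc_s.so.1
```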

0x3 Building a standalone Docker target

Suitable for AWD or special Pwn setups.

```bash
docker build -t pwn_test .
docker run -tid -p 8888:8888 pwn_test
```

ctf.xinetd

```
service ctf
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    # xinetd starts chroot as root; --userspec below drops to uid/gid 1000
    user        = root
    type        = UNLISTED
    port        = 8888
    bind        = 0.0.0.0
    server      = /usr/sbin/chroot
    server_args = --userspec=1000:1000 / timeout 50 ./pwn/pwn
    banner_fail = /etc/banner_fail

    # safety options
    per_source  = 10 # the maximum instances of this service per source IP address
    rlimit_cpu  = 60 # the maximum number of CPU seconds that the service may use
    rlimit_as   = 1024M # the Address Space resource limit for the service
    #access_times = 2:00-9:00 12:00-24:00

    #Instances = 20 #process limit
    #per_source = 5 #link ip limit

    #log warning die
    log_on_success = PID HOST EXIT DURATION
    log_on_failure = HOST ATTEMPT
    log_type = FILE /var/log/myservice.log 8388608 15728640
}
```
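
An added example, not part of the original post or of any project it mentions: a small Python check that parses a ctf.xinetd service block like the one above and reports missing hardening settings (privilege drop via chroot --userspec, the timeout wrapper, per_source, rlimit_cpu, rlimit_as, logging). The names parse_service, audit and SAMPLE are hypothetical, and the sample block is constructed from the config on this page.

```python
import re

# Constructed sample: the service block from this page, trimmed to the audited keys.
SAMPLE = """\
service ctf
{
    user        = root
    server      = /usr/sbin/chroot
    server_args = --userspec=1000:1000 / timeout 50 ./pwn/pwn
    per_source  = 10 # the maximum instances of this service per source IP address
    rlimit_cpu  = 60
    rlimit_as   = 1024M
    #Instances  = 20
    log_on_success = PID HOST EXIT DURATION
}
"""

def parse_service(text):
    """Return {attribute: value} for one xinetd service block, ignoring comments."""
    attrs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop full-line and trailing comments
        m = re.match(r"(\w+)\s*[+-]?=\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    a, findings = parse_service(text), []
    args = a.get("server_args", "")
    spec = re.search(r"--userspec=(\w+):(\w+)", args)
    if not a.get("server", "").endswith("/chroot") or spec is None:
        if a.get("user", "root") in ("root", "0"):
            findings.append("challenge runs as root: no chroot --userspec and user = root")
    elif spec.group(1) in ("0", "root"):
        findings.append("--userspec keeps uid 0")
    if not re.search(r"\btimeout\s+\d+", args):
        findings.append("no timeout wrapper in server_args")
    for key in ("per_source", "rlimit_cpu", "rlimit_as"):
        if key not in a:
            findings.append(f"{key} not set")
    if "log_on_success" not in a and "log_on_failure" not in a:
        findings.append("no connection logging")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```
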

Dockerfile

```dockerfile
FROM ubuntu:18.04

# Switch apt to the Aliyun mirror, then install xinetd and the 32-bit runtime
RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.aliyun.com/g" /etc/apt/sources.list
RUN apt-get update && apt-get -y dist-upgrade
RUN apt-get install -y lib32z1 xinetd build-essential

RUN useradd -m ctf

COPY ./flag /flag
COPY ./pwn /pwn/pwn
COPY ./ctf.xinetd /etc/xinetd.d/ctf

# Binary is owned by root and only executable by the ctf group
RUN chown root:ctf /pwn/pwn && chmod 750 /pwn/pwn

RUN echo 'ctf - nproc 1500' >>/etc/security/limits.conf

# Start xinetd and keep the container alive until it receives TERM or INT
CMD exec /bin/bash -c "/etc/init.d/xinetd start; trap : TERM INT; sleep infinity & wait"

EXPOSE 8888
```
Author: 咲夜南梦
Article link: http://yoursite.com/2019/07/22/Linux-%E7%AE%80%E5%8D%95PWN%E6%90%AD%E5%BB%BA/
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit 咲夜南梦's blog when reposting.