pwn题目部署

Posted on Edited on In Views: Word count in article: 2.7k Reading time ≈ 2 mins.
arm_pwn题目部署Dockerfile和x86-64题目部署的Dockerfile

记录一次pwn题目的部署,本来是想出一道arm_pwn的题目的,但因各种问题最后一步在本地docker中打不通换了一个heap题

网上的arm的Dockerfile较少我这个最终也没搞成功,放在文末还是有一定的参考价值

heap

主要参考RoderickChan师傅的github的项目,在这里我用的alpine+xinetd+chroot+patchelf2

Dockerfile

有一些注意事项:

  • 在运行./build_image.sh时如果patchelf发生了报错,可以在运行前先给/bin/pwn配置好它的glibc(这里就用./glibc目录下的glibc)
  • 最终打通的目录如下,因为是alpine轻量级的linux,最终的docker大小55MB左右
image-20250729102705074

最终的dockerfile基本没什么变动就不贴了

失败的arm_pwn题目

最终效果是在本地测试时最终的getshell部分不会执行了,但能够在docker中启动arm程序,也算是做一个参考吧,呜~~~

dockerfile

可以参考的也就这个qemu和lib目录引入docker的这一部分,和run_pwn.sh最终启动的那一部分

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
# 用于 ARM PWN 挑战的 Dockerfile

# --- 第一阶段:获取 qemu-arm-static ---
FROM multiarch/qemu-user-static:latest as qemu

# --- 第二阶段:最终的运行镜像 ---
FROM alpine:latest

# --- 基础环境设置 ---
USER root

RUN apk update && \
    apk add --no-cache bash coreutils && \
    ln -sf `which bash` /bin/sh && \
	adduser ctf -u 1000 -s /bin/sh -D

WORKDIR /home/ctf


COPY --from=qemu /usr/bin/qemu-arm-static ./qemu-arm
COPY ./pwn ./pwn
COPY ./lib ./lib
COPY ./flag ./
COPY ./run_pwn.sh /
COPY ./ctf.xinetd /etc/ctf.xinetd
COPY ./bin/ls ./bin/ls
COPY ./bin/cat ./bin/cat
COPY ./bin/xinetd /bin/xinetd

RUN chmod +x ./bin/* && \
    chmod +x /bin/xinetd && \
    cp /bin/bash ./bin/sh
# --- 创建 Chroot 环境 ---
RUN mkdir ./dev && \
    mknod ./dev/null c 1 3 && \
    mknod ./dev/zero c 1 5 && \
    mknod ./dev/random c 1 8 && \
    mknod ./dev/urandom c 1 9 && \
    chmod 666 ./dev/*

RUN mkdir -p ./usr/lib

# --- 设置文件权限 ---
RUN chmod 644 ./flag  && \
	chmod 711 /run_pwn.sh && \
	chmod +x ./lib/* && \
	chmod +x ./pwn && \
    chmod +x ./qemu-arm && \
    chmod +x ./bin/* && \
    chown -R root:root .

# --- 启动服务 ---
EXPOSE 1337


CMD xinetd -f /etc/ctf.xinetd -pidfile /run/xinetd.pid -limit 1000 -reuse;sleep infinity;

run_pwn.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#!/bin/bash

set -e

# set pow using sha256 POW by ENABLE_POOW
if [ ! -z $ENABLE_POW ]
then
    if [ "$ENABLE_POW" == "1" ]
    then
        echo "=================proof-of-work================="
        echo ""
        rand_str=$(head -c 27 /dev/urandom | base64)
        hash_value=$(echo -n "$rand_str" | sha256sum - | cut -c 1-64)
        frontend=$(echo "$rand_str" | cut -c -4 )
        backend=$(echo "$rand_str" | cut -c 5- )
        prompt="sha256(XXXX + \"${backend}\") == ${hash_value}"
        echo $prompt
        echo -n "Gime me XXXX: "

        read -t 300 -r input_hash

        if [ "$input_hash" != "$frontend" ]
        then
            echo "Proof of work failed!"
            exit 2
        fi
    fi
fi

unset ENABLE_POW

# override flag from env
# if environmental variable FLAG is not empty string
if [ ! -z $FLAG ]
then
    if [ "$(cat /home/ctf/flag)" != "$FLAG" ]
    then
        echo $FLAG > /home/ctf/flag
        chmod 644 /home/ctf/flag
    fi
fi

# the env will not pass to ctf
unset FLAG

cd /home/ctf

exec timeout 300 $(which chroot) --userspec=1000:1000 /home/ctf ./qemu-arm -L . ./pwn