现充|junyu33

How to create an extremely comfortable pwn environment

If only we could focus our energy on writing shellcode instead of constantly switching back and forth between the virtual machine and VSCode—what a delight that would be.

Let's assume the reader has just installed VSCode with no plugins whatsoever, starting from scratch.

The entire process will likely take half a day to a full day.

Result preview:

Setting Up a Linux System and Beautifying the Shell

Method 1: Using a Kali Virtual Machine

I personally recommend downloading the ready-made virtual machine image from the official Kali website. Installation is then just a matter of importing it, which takes only a few minutes and avoids many of the usual pitfalls.

Once imported, the pre-installed packages cover most tasks: Python 3, pip, GDB and an OpenSSH server are already set up. Note that the image ships with the default account kali/kali; change that password before you expose SSH to anything beyond the host-only network.

The default shell, Zsh, also has a pleasant look and needs little extra configuration.

Method 2: Using WSL/WSL2

If your Windows build is lower than 18362, I do not recommend this route: those builds can only install WSL 1, which is a system-call translation layer rather than a real Linux kernel. In particular, it cannot run 32-bit ELF binaries, and a lot of pwn challenges are 32-bit.

If your Windows build is lower than 19041, installing WSL2 enables the Hyper-V hypervisor, which on those builds cannot coexist with VMware virtual machines. So I do not recommend that for personal use either.

For experienced users: if you have already installed WSL 1, you can follow this upgrade guide: https://zhuanlan.zhihu.com/p/356397851

My system build is 18363, so I installed WSL 1, and I will use that installation as the example below.

Enable WSL and Download a Linux Subsystem

Windows 10 Settings → Update & Security → For Developers → Developer Mode

Press Win+Q, search for "Turn Windows features on or off", tick "Windows Subsystem for Linux", then restart.

Go to the Microsoft Store and download a Linux distribution of your choice. I opted for Ubuntu 18.04.

Remember to change the apt mirror (the software source in /etc/apt/sources.list) as the first thing after installation.

Learn to survive in Vim.

If you have access to a proxy, consider installing proxychains to avoid the agony of slow git clone operations.

Customize and Beautify the Linux Terminal (Optional)

This process can be divided into the following three main steps:

  1. Install Zsh
  2. Install Oh-My-Zsh
  3. Configure the Powerlevel9k theme in Oh-My-Zsh

(These steps might keep you busy for a while 😉)

Reference Links:

https://www.thisfaner.com/p/powerlevel9k-zsh/#powerlevel9k-introduction
https://www.sysgeek.cn/install-zsh-shell-ubuntu-18-04/

Setting Up Shared Folders

VMware

Right-click the virtual machine → Settings → Options → Shared Folders → Always Enabled → Add Path

In Kali: The path to the shared folder is /mnt/hgfs.

If Kali was directly imported, no additional mounting is required.

Otherwise, refer to this article: https://www.cnblogs.com/wuhongbin/p/14052984.html

WSL

You can directly see all the drive letters of the host system in /mnt/ without the need for sharing.

Configuring a Pwn Environment in Linux

Using IDA Pro on Linux (Updated on 4/29/2023)

If you can afford a legitimate license for the Linux version, you may skip this section.

ref: https://www.debugwar.com/article/activate-IDAPython-with-wine-IDA-under-linux

It is assumed that most readers have a "study" (unlicensed) copy of the Windows build of IDA Pro 7.7. Binaries of that kind come with no integrity guarantee, so at the very least keep the whole setup inside the VM and never run it on a machine you care about. To run the Windows build under Linux, follow these steps (using Ubuntu 22.04.2 LTS as an example):

  1. Install WineHQ from the stable branch: https://wiki.winehq.org/Ubuntu
  2. Run ida.exe or ida64.exe once under wine. IDA will complain that no Python environment is present.
  3. Download the embeddable package of Python 3.8.10:
    wget https://www.python.org/ftp/python/3.8.10/python-3.8.10-embed-amd64.zip
    and unzip it into the wine prefix at C:\Program Files\Python3
    (i.e., the Linux path ~/.wine/drive_c/Program Files/Python3).
  4. Append the path from step 3 to the PATH value in the wine registry, under
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment.
  5. Set the Python3TargetDLL value under HKEY_CURRENT_USER\Software\Hex-Rays to
    C:\Program Files\Python3\python38.dll (create the key if it does not exist). This is the value IDA reads to locate the interpreter, so it must point at the DLL that step 3 unpacked.
  6. Opening IDA should now give you a working IDAPython, but plugins that depend on yara or keystone may still fail, because those modules have not been installed through pip.
  7. Bootstrap pip. The embeddable package has no pip, and python cannot execute a URL directly, so download the script first:
    wget https://bootstrap.pypa.io/get-pip.py
    wine python get-pip.py
    then add the line ./Lib/site-packages to the python38._pth file in the Python3 directory, otherwise the embeddable interpreter never looks in site-packages.
    Afterwards wine python.exe -m pip --version should print the pip version.
  8. Install the required modules:
    wine python -m pip install yara-python keystone-engine six
  9. (Optional) Add C:\Program Files\Python3\Scripts to PATH so pip itself is on the path, integrate the ChatGPT plugin gepetto.py (requires the openai module), configure theme files, etc.
  10. Do not run idapyswitch.exe; it rewrites the Python settings and can undo all of the above.

Tools Required for Writing Shellcode

  1. Install Python, recommended version between 3.6 and 3.10.
  2. Install the latest version of pip.
  3. Install pwntools.
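To check that the three items above (and the debugger below) are actually in place, here is a small added sanity-check script; it is not from the original post. It assumes nothing beyond a POSIX shell, and the version-range test is written in pure shell so it works on a fresh box before pip or pwntools exist. The hints it prints are the usual apt/pip commands, not anything the post prescribes.

```shell
#!/bin/sh
# Added example, not part of the original post: a sanity check for the
# toolchain this section installs (Python in the 3.6..3.10 range, pip,
# pwntools, gdb, gcc/g++). Run it on the Linux side after installing.

# py_version_ok VERSION -> success if VERSION is 3.6 <= x <= 3.10 (e.g. 3.8.10)
py_version_ok() {
    ver="$1"
    case "$ver" in
        *.*) ;;
        *) return 1 ;;              # no dot: not a MAJOR.MINOR string
    esac
    major="${ver%%.*}"              # text before the first dot
    rest="${ver#*.}"
    minor="${rest%%.*}"             # text between the first and second dot
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -eq 3 ] && [ "$minor" -ge 6 ] && [ "$minor" -le 10 ]
}

have_cmd() { command -v "$1" >/dev/null 2>&1; }

# py_module_ok MODULE -> success if python3 can import MODULE
py_module_ok() { python3 -c "import $1" >/dev/null 2>&1; }

report() {   # report STATUS LABEL HINT
    if [ "$1" -eq 0 ]; then
        printf 'ok    %s\n' "$2"
    else
        printf 'MISS  %s (%s)\n' "$2" "$3"
    fi
}

main() {
    if have_cmd python3; then
        pyver="$(python3 -c 'import sys; print("%d.%d.%d" % sys.version_info[:3])')"
        py_version_ok "$pyver" && s=0 || s=1
        report "$s" "python3 $pyver" "this post recommends 3.6..3.10"
        python3 -m pip --version >/dev/null 2>&1 && s=0 || s=1
        report "$s" "pip" "python3 -m ensurepip --upgrade, then python3 -m pip install -U pip"
        py_module_ok pwn && s=0 || s=1
        report "$s" "pwntools" "python3 -m pip install pwntools"
    else
        report 1 "python3" "install python3 first"
    fi
    for tool in gdb gcc g++; do
        have_cmd "$tool" && s=0 || s=1
        report "$s" "$tool" "sudo apt-get install $tool"
    done
}

main
```

Run it once after installing and again after the Remote - SSH server is up; a MISS line tells you which of the steps above was skipped.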

Debugging Tools

  1. Install gdb. (It is recommended to also install gcc and g++.)

  2. Install the gdb plugins peda, gef, and pwndbg. (I used the GdbPlugins project for a bundled installation.)

  3. These three plugins cannot be loaded in the same gdb session, so you either write a small startup selection script or remember how to start each one.

    Selection script: https://www.jianshu.com/p/94a71af2022a
    Or edit ~/.gdbinit:

    source ~/GdbPlugins/gef/gef.py
    #source ~/GdbPlugins/pwndbg/gdbinit.py
    #source ~/GdbPlugins/peda/peda.py


    Uncomment exactly one line, the one for the plugin you want, and leave the other two commented.
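An alternative to editing ~/.gdbinit by hand is a wrapper that picks the plugin per invocation. The script below is an added example, not the selection script linked above and not part of the GdbPlugins project; it assumes the ~/GdbPlugins/<plugin>/ layout shown in the .gdbinit snippet (override it with the GDB_PLUGIN_ROOT variable, which is this script's own convention).

```shell
#!/bin/sh
# Added example, not part of the original post: start gdb with exactly one of
# peda / gef / pwndbg without editing ~/.gdbinit each time.
# Usage: gdbsel <peda|gef|pwndbg|none> [any gdb arguments, e.g. ./chall]

PLUGIN_ROOT="${GDB_PLUGIN_ROOT:-$HOME/GdbPlugins}"

# plugin_init_file NAME -> prints the init script for NAME; fails if NAME is unknown
plugin_init_file() {
    case "$1" in
        gef)    echo "$PLUGIN_ROOT/gef/gef.py" ;;
        pwndbg) echo "$PLUGIN_ROOT/pwndbg/gdbinit.py" ;;
        peda)   echo "$PLUGIN_ROOT/peda/peda.py" ;;
        none)   echo "" ;;      # plain gdb, no plugin at all
        *)      return 1 ;;
    esac
}

# plugin_installed NAME -> success if the init script is actually on disk
plugin_installed() {
    f="$(plugin_init_file "$1")" && [ -n "$f" ] && [ -f "$f" ]
}

usage() {
    echo "usage: $0 <peda|gef|pwndbg|none> [gdb args...]" >&2
    for p in peda gef pwndbg; do
        if plugin_installed "$p"; then
            echo "  $p: installed" >&2
        else
            echo "  $p: not found under $PLUGIN_ROOT" >&2
        fi
    done
}

main() {
    [ $# -ge 1 ] || { usage; return 0; }
    init="$(plugin_init_file "$1")" || { echo "unknown plugin: $1" >&2; usage; return 2; }
    shift
    # -nx skips ~/.gdbinit, so two plugins can never be loaded at once;
    # -ix sources the chosen file before the inferior is loaded, and gdb
    # runs a .py file through its Python interpreter based on the extension.
    if [ -n "$init" ]; then
        exec gdb -q -nx -ix "$init" "$@"
    else
        exec gdb -q -nx "$@"
    fi
}

main "$@"
```

Because of -nx, any personal settings you keep in ~/.gdbinit (disassembly flavour, history) are skipped too; put those in a separate file and pass it with an extra -ix if you need them.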

Configuring VSCode Remote Connection

This process is relatively complex and has many pitfalls, so be mentally prepared.

Configuring SSH on Linux

Kali Linux ships with the OpenSSH server, so nothing needs installing there. On other distributions (including the WSL Ubuntu above):

sudo apt-get install ssh

If you want to log in as root, change PermitRootLogin to yes in /etc/ssh/sshd_config using vim. This is not needed for the VSCode workflow, which logs in as your normal user, and it turns every password guess against the box into a root attempt, so prefer leaving the Debian default (prohibit-password) in place.

sudo service ssh start

Configuring the Port (Optional)

sudo vim /etc/ssh/sshd_config

In vim, search from normal mode by typing / followed by the pattern, here #Port. Note the capital P: vim's search is case-sensitive by default, so /#port finds nothing.
(If you are unsure what normal mode is, press the Esc key a few times.)

The default line is #Port 22. To change it, remove the leading # and replace 22 with your port, then restart the service so the change takes effect.

Configuring SSH on Windows

It is recommended to install Git for Windows, which bundles an OpenSSH client; that is all the Windows side needs, since every server-side setting lives on the Linux machine. (Windows 10 also ships its own optional OpenSSH client, which works just as well.)

Windows Environment Testing

Open your terminal and enter:

ssh kali@<IP address of the Kali VM> -p <your modified port> (for the Kali virtual machine; find the address by running ip a inside Kali)

ssh <your name>@localhost -p <your modified port> (for WSL)

If you enter the correct password and land in the Linux shell, the configuration works.

Configuring SSH Keys (Optional)

If you prefer not to type the password each time, generate an SSH key pair on Windows and put the public key into ~/.ssh/authorized_keys on the Linux side. (It is the same mechanism as deploying a blog to GitHub with a deploy key.) One caveat: sshd ignores authorized_keys when ~/.ssh or the file itself is writable by anyone other than the owner, which is the most common reason a freshly copied key "does not work".

You can refer to this article: https://blog.csdn.net/andriodhahaha/article/details/104809303
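The server-side half of the last three sections (port, root login, key installation) fits in one script. It is an added example, not from the original post or the linked articles; it assumes GNU userland (Kali, Ubuntu under WSL), takes the config path and port as parameters, and its built-in demo runs on a temporary copy with a constructed config and a constructed key line, so running the file as-is changes nothing on your machine.

```shell
#!/bin/sh
# Added example, not part of the original post: edit sshd_config idempotently,
# install a public key with the permissions sshd insists on, and show the result.

# set_sshd_option FILE KEY VALUE
# Drops every existing KEY line (commented or not) and puts "KEY VALUE" at the
# top of the file, so it can never land inside a trailing Match block.
set_sshd_option() {
    f="$1" key="$2" val="$3"
    tmp="$f.tmp.$$"
    {
        printf '%s %s\n' "$key" "$val"
        grep -Eiv "^[#[:space:]]*$key([[:space:]]|=)" "$f" || true
    } > "$tmp"
    cat "$tmp" > "$f" && rm -f "$tmp"   # cat keeps the file's owner and mode
}

# get_sshd_option FILE KEY -> prints the first active (uncommented) value
get_sshd_option() {
    grep -Ei "^[[:space:]]*$2([[:space:]]|=)" "$1" | head -n 1 | sed 's/=/ /' | awk '{print $2}'
}

# harden_sshd FILE PORT [PASSWORD_AUTH]
# Keep PASSWORD_AUTH=yes until key login is confirmed, then flip it to no.
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no        # root login is not needed for VSCode
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication "${3:-yes}"
}

# install_pubkey AUTHORIZED_KEYS_FILE "ssh-ed25519 AAAA... comment"
# ~/.ssh must be 700 and the file 600, or sshd (StrictModes) silently ignores it.
install_pubkey() {
    dir="$(dirname "$1")"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$1" && chmod 600 "$1"
    grep -qxF "$2" "$1" || printf '%s\n' "$2" >> "$1"   # no duplicates on re-run
}

demo() {
    work="$(mktemp -d)"
    cfg="$work/sshd_config"
    # Constructed sample mimicking the Debian/Kali default; not a real dump.
    cat > "$cfg" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
PasswordAuthentication yes
Match User kali
    X11Forwarding no
EOF
    harden_sshd "$cfg" 2222 yes
    # Constructed key line, not real key material.
    install_pubkey "$work/ssh/authorized_keys" "ssh-ed25519 AAAA-CONSTRUCTED-NOT-A-REAL-KEY pwn@windows"
    echo "--- $cfg ---"; cat "$cfg"
    echo "--- authorized_keys ---"; ls -l "$work/ssh/authorized_keys"
    rm -rf "$work"
}

demo
```

For the real box, source the file and call harden_sshd /etc/ssh/sshd_config 2222 as root, then run sshd -t before restarting the service; only after a key login succeeds call it again with no as the third argument to turn passwords off.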

Configuring the VSCode SSH Plugin

Search for Remote - SSH in the extensions view, install it, and then click the newly added Remote Explorer icon in the side bar.

Click the plus sign, enter the same SSH command you used in the terminal, and wait for VSCode to install the VSCode server on the remote Linux machine.

Pitfall 1 - bad owner or permissions on ~/.ssh/config

On Windows this means C:\Users\<you>\.ssh\config grants access to accounts other than your own; remove the inherited entries so only your user (plus SYSTEM/Administrators) remains. Details:

https://blog.csdn.net/chaoenhu/article/details/103698804

Pitfall 2 - The VSCode server appears to freeze during installation

It looks something like this:

It has not actually frozen; the install has already finished. Just click the plus sign in the upper right corner of the terminal panel to open a new terminal.

Installing Plugins on the VSCode Server (Optional)

The process is the same as installing extensions locally, but click the Install in SSH: <host> button (the host being your remote IP, e.g. 192.168.xxx.xxx, or 127.0.0.1 for WSL) so the extension is installed on the server rather than on your local machine.

Frequently Asked Questions (Updated on 3/25/2022)

Pylance may fail to recognize some of the names that pwntools exports through from pwn import * and flag them as undefined. You can silence those warnings as follows:

  1. Press Ctrl+Shift+P and type "settings.json".

  2. You will be taken to a settings interface. Ignore any existing content. Find the Edit in settings.json option under your remote (SSH: <host>) settings and click on it.

  3. Add the following on the line above the last closing brace:

       "python.analysis.diagnosticSeverityOverrides": {
            "reportUndefinedVariable": "none"
       }

Note that this disables the undefined-name check for the whole remote workspace, so a genuine typo in a variable name will no longer be flagged either.
    

Pylance may also flood the editor with "Code is unreachable" after any sendline-family call. The cause is pwntools' base tube class (pwnlib/tubes/tube.py), whose send_raw always raises, so Pylance infers that nothing after a send can run. The workaround is to edit that method in the installed pwntools source:

    def send_raw(self, data):
        """send_raw(data) Should not be called directly. Sends data to the tube. Should return ``exceptions.EOFError``, if it is unable to send any more, because of a close tube. """

        raise EOFError('Not implemented')

Change raise EOFError('Not implemented') to raise NotImplementedError. Pylance treats a body that only raises NotImplementedError as an abstract method rather than a dead end. Bear in mind that this edit lives in site-packages and is lost the next time you upgrade pwntools.

VSCode Interface Tweaks

Right-click in non-editing areas to make adjustments.

After completing these steps, we can start coding happily!