现充|junyu33

How to create an extremely comfortable pwn environment (Season 3)

Installing Ubuntu 20.04 on a physical machine and configuring common software and a kernel pwn environment.

Installing Ubuntu 20.04

Creating a Bootable USB Drive

After downloading the Ubuntu 20.04 ISO file online, use UltraISO to burn the USB drive in RAW format.

Note: It must be RAW format, not something like USB-HDD+ or other options, otherwise the installer won't even boot!

When restarting and entering the BIOS, move the USB drive's boot priority above the hard drive.

Installing Ubuntu

At this point, the system will give you the option to try or install Ubuntu. My approach is to try it first and then click the installation program.

The trial interface functions like a bootable live environment with internet access—you can experience it and then proceed with the installation (or simply shut down).

During the trial, it's recommended to use Gparted to partition your hard drive. Allocate 100 GB at the end of the disk: assign 60 GB on the left for the root directory (/) and 40 GB on the right for the home directory (/home), both formatted as ext4. You can skip creating a swap partition—the only downside is a slightly slower boot time. This way, you won't need to deal with partitioning during the actual installation.

During installation, it's advisable to choose the full installation option but skip downloading updates (otherwise, the installation will be extremely slow). Under normal circumstances, the installation should be completed within half an hour.

Change Sources

sudo vim /etc/apt/sources.list

# Add Aliyun source
deb http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
# Add Tsinghua source
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-security main restricted universe multiverse

sudo apt-get update

Input Method

The default input method in Ubuntu works quite well. It's based on iBus and requires minimal configuration.

https://blog.csdn.net/weixin_43431593/article/details/106444769

Setting Up a Proxy

As everyone knows, if you already have a "ladder" (the usual slang for a proxy that gets past the firewall), finding another one is easy; if you don't, it can be quite troublesome.

If you use a VPN, you may be able to download the China-specific version directly from the official website, saving a lot of trouble.

If you use a subscription proxy service (an "airport", in the usual slang), copying the subscription link is straightforward, but downloading the client from GitHub can be cumbersome. It is recommended to download the Linux version on your previous system and then install it directly on Ubuntu.

Terminal Environment Configuration

Original article: https://blog.csdn.net/weixin_41179606/article/details/80957817
There was an error in the original article when installing zsh-syntax-highlighting, which the author has corrected.

# The default path is the user's home directory
# Install zsh
sudo apt-get install zsh
# If an error occurs: Unable to locate package, manually update the software sources
sudo apt-get update
# After installation, switch the shell to zsh
chsh -s /bin/zsh

sudo apt-get install git

sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"

# Install autojump
sudo apt-get install autojump
# Open the configuration file
vim .zshrc
# Add the following line at the end
. /usr/share/autojump/autojump.sh

# Install zsh-autosuggestions
# GitHub no longer serves the git:// protocol, so clone over HTTPS; fall back to the default custom dir if ZSH_CUSTOM is unset
git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions
# Open the configuration file
vim .zshrc
# Add configuration 1
plugins=(            # no spaces around "=", otherwise zsh treats "plugins" as a command
    git
    zsh-autosuggestions  # Add this line
)
# Add configuration 2 (at the end of the file)
source $ZSH_CUSTOM/plugins/zsh-autosuggestions/zsh-autosuggestions.zsh

# Install zsh-syntax-highlighting
git clone https://github.com/zsh-users/zsh-syntax-highlighting.git
echo "source ${(q-)PWD}/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" >> ${ZDOTDIR:-$HOME}/.zshrc
source ./zsh-syntax-highlighting/zsh-syntax-highlighting.zsh

# Open the configuration file
vim .zshrc
# Modify ZSH_THEME
ZSH_THEME="ys"   # or "agnoster"

source ~/.zshrc

Software Installation

Now that you have network access through the proxy and have switched to a faster mirror, you no longer need to worry about network issues when installing software or pulling projects.

Software List

Installing from APT Repository

# install (replace <package> with the package name; a literal * would be expanded by the shell)
sudo apt install <package>
# OR sudo apt-get install <package>
# remove
sudo apt remove <package>
# OR sudo apt-get remove <package>

Installing .deb Files

Most applications are installed this way.

# install
sudo dpkg -i <file>.deb
# remove: dpkg -r takes the package name (see `dpkg -I <file>.deb`), not the .deb file
sudo dpkg -r <package-name>

Using Non-Domestic Windows Applications

Most can be handled with Wine.

sudo dpkg --add-architecture i386 
wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo mv winehq.key /usr/share/keyrings/winehq-archive.key
wget -nc https://dl.winehq.org/wine-builds/ubuntu/dists/focal/winehq-focal.sources
sudo mv winehq-focal.sources /etc/apt/sources.list.d/
sudo apt update
sudo apt install --install-recommends winehq-stable

It still takes up a couple of gigabytes, and the installation is somewhat time-consuming.

However, some configurations for IDA can be quite troublesome, so it's worth writing about here:

IDA Configuration

It is assumed here that the reader is using the portable version of IDA.

Pitfall 1

Opening IDA directly with Wine seems to cause DLLs to fail loading, which prevents various features of IDA from functioning.

Two scripts were written to specify the Python path:

REM start.bat
@set path=.\python-3;%path%
@set PYTHONPATH=.\python-3
@start ida.exe

REM start64.bat
@set path=.\python-3;%path%
@set PYTHONPATH=.\python-3
@start ida64.exe

Then:

wine start.bat
wine start64.bat

Occasionally, there are inexplicable errors where IDAPython fails to load. My solution is to create a soft link to the IDA root directory on the desktop, open a shell from the desktop to enter the soft link, and then run these two .bat files with Wine.

However, directly using the absolute path with cd results in an error for unknown reasons.

Pitfall 2

At this point, IDA itself and IDAPython can function normally, but some plugins, such as findcrypt and keypatch, still encounter issues with missing dependencies like yara and keystone-engine.

The installation method is described in Pitfall 3.

Since our Python is the portable version, using pip to install plugins naturally won't work.

My approach was to first install a 32-bit Python, without adding it to the environment variables, then locate the pip path, run pip install xxx, check which files were added, and manually copy them to the corresponding relative paths in the portable Python directory.

A convenient way to see which files were added is to attempt to uninstall the plugin. The shell will then display which files will be deleted—these are the files that were added during installation.
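An added example (not the author's code) that automates the manual copy described above: instead of the "try to uninstall" trick, `pip show -f <pkg>` lists every installed file relative to its `Location:`, and the script below mirrors them to the same relative paths under the portable Python. The sample output and both directories are constructed; the Wine-prefix path assumes the 32-bit Python is reachable from the Linux shell.

```python
import os
import shutil

# Constructed `pip show -f yara-python` output (not captured from a real machine).
# Windows pip prints backslashes in the Files: list, while the prefix itself is
# reached through a Linux path here.
SAMPLE_PIP_SHOW = """Name: yara-python
Version: 4.2.0
Location: /home/user/.wine/drive_c/Python38-32/Lib/site-packages
Requires:
Required-by:
Files:
  yara.cp38-win32.pyd
  yara_python-4.2.0.dist-info\\INSTALLER
  yara_python-4.2.0.dist-info\\METADATA
"""

def parse_pip_show(text):
    """Return (location, relative file paths) parsed from `pip show -f` output."""
    location, files, in_files = None, [], False
    for line in text.splitlines():
        if line.startswith("Location:"):
            location = line.split(":", 1)[1].strip()
        elif line.startswith("Files:"):
            in_files = True
        elif in_files and line.startswith("  "):
            files.append(line.strip().replace("\\", "/"))
    return location, files

def plan_copies(location, files, portable_site_packages):
    """Map each installed file to the same relative path under the portable
    Python's Lib/site-packages; any entry that would escape it is dropped."""
    dest_root = os.path.normpath(portable_site_packages)
    plan = []
    for rel in files:
        src = os.path.normpath(os.path.join(location, rel))
        dst = os.path.normpath(os.path.join(dest_root, rel))
        if not dst.startswith(dest_root + os.sep):   # rejects '..' components
            continue
        plan.append((src, dst))
    return plan

def copy_package(pip_show_output, portable_site_packages):
    """Copy the package into the portable tree; returns the number of files copied."""
    location, files = parse_pip_show(pip_show_output)
    plan = plan_copies(location, files, portable_site_packages)
    for src, dst in plan:
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
    return len(plan)
```

Run `pip show -f <pkg>` with the 32-bit Python's pip, feed its output to `copy_package` together with IDA's `python-3/Lib/site-packages` path (a hypothetical location here), and the package lands where the portable interpreter looks for it.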

Pitfall 3

Original link: https://github.com/polymorf/findcrypt-yara/issues/34

Even if you've made it this far, there may still be some issues. For example, when using the findcrypt plugin, errors may occur.

The GitHub solution suggests uninstalling yara and installing yara-python. However, I tried this, and due to the peculiarities of Wine, it didn't seem to work.

First, execute get-pip.py with Python, then locate the python38._pth file, add a new line Lib\site-packages, and then you can happily install packages with pip.

A simple and crude solution is to delete this rule in findcrypt3.rules:

Trying Out Domestic Windows Applications

NetEase Cloud Music

Deepin is the GOAT (Greatest of All Time)!

https://www.deepin.org/zh/cooperative/netease-cloud-music/

Tencent Meeting

There is a native Linux version, probably because DingTalk has a Linux version, so Tencent was willing to develop a native one.

WeChat

Native Version for Ubuntu Kylin (Untested)

https://www.ubuntukylin.com/applications/106-cn.html

Using Deepin Wine

https://blog.csdn.net/qq_40756508/article/details/107511334

tim/qq

Official Ancient Native Version

https://im.qq.com/linuxqq/index.html

QR code scanning doesn't work, dammit.

deepinwine

Crashes very easily, basically crashes right after login.

No good solution for now.

docker

https://github.com/top-bettercode/docker-qq

Change all instances of fcitx to ibus in the startup script to enable Chinese input.

Tested and working on June 13, 2022.

Drawback: Received files cannot be opened directly; they must be copied out from the virtual environment using the docker shell.

# 10f0ec600caf is the container ID, which can be obtained via the sudo docker ps command
sudo docker cp 10f0ec600caf:'/TencentFiles/2658799217/FileRecv/RV.rar' ~/Desktop

Kernel Pwn Environment Setup

Some content sourced from https://kiprey.gitee.io/2021/10/kernel_pwn_introduction/

Kernel Download and Compilation

Here is a project that packages the entire process of downloading, extracting, compiling, and packaging the rootfs, making it very convenient.

https://github.com/pwncollege/pwnkernel

git clone https://github.com/pwncollege/pwnkernel.git
./build.sh
./launch.sh
# Since launch.sh includes the operation to package the rootfs, you only need to place the compiled drivers into the _install folder.

gdb attach and Debugging

# Always specify the architecture in advance
set architecture i386:x86-64
gef-remote --qemu-mode localhost:1234

# After QEMU is suspended with the -S parameter, type the following commands in gdb
add-symbol-file vmlinux
b start_kernel
continue

[Breakpoint 1, start_kernel () at init/main.c:837]
......

Startup Script (Untested)

#!/bin/bash

# gef-remote --qemu-mode needs root privileges, so check the effective uid
# (grepping $USER out of env is unreliable: it also matches USERNAME etc.)
if [ "$(id -u)" -ne 0 ]; then
    echo "Please run with root privileges"
    exit 1
fi

# Copy drivers to rootfs
cp ./mydrivers/*.ko busybox-1.32.0/_install

# Build rootfs
pushd busybox-1.32.0/_install
find . | cpio -o --format=newc > ../../rootfs.img
popd

# Start qemu in the background
#   -s: equivalent to -gdb tcp::1234, specifies the debugging connection for qemu
#   -S: qemu suspends immediately after startup and waits for the debugger
#   -nographic               # disable the QEMU graphical interface
#   -append "console=ttyS0"  # used with -nographic, the boot console becomes the current terminal
qemu-system-x86_64 \
    -kernel ./arch/x86/boot/bzImage \
    -initrd ./rootfs.img \
    -append "nokaslr" \
    -s \
    -S &

# gnome-terminal's -e option is deprecated; "--" passes the command through
gnome-terminal -- gdb -x mygdbinit

mygdbinit:

set architecture i386:x86-64
add-symbol-file vmlinux
gef-remote --qemu-mode localhost:1234

b start_kernel
c
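The "Build rootfs" step above depends on the cpio "newc" format that `find . | cpio -o --format=newc` emits and the kernel unpacks as an initramfs. As an added example (not from the page or from pwnkernel), the pure-Python writer below produces the same kind of image from an in-memory file tree, and the checker walks the headers the way the kernel does; the `init` script and module bytes are constructed.

```python
import io

NEWC_MAGIC = b"070701"
TRAILER = "TRAILER!!!"

def _pad4(buf):
    # newc aligns the end of header+name and the end of the data to 4 bytes
    return buf + b"\0" * (-len(buf) % 4)

def _entry(name, data, mode, ino):
    # 13 fields of 8 uppercase hex digits follow the magic: ino, mode, uid, gid,
    # nlink, mtime, filesize, devmajor, devminor, rdevmajor, rdevminor,
    # namesize (including the NUL), check (always 0 for newc)
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
    header = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields)
    return _pad4(header + name.encode() + b"\0") + _pad4(data)

def build_initramfs(files):
    """files maps path -> bytes (regular file, mode 0755). Parent directories
    are emitted first because the kernel's unpacker does not create them."""
    entries = {}
    for path, data in files.items():
        parts = path.split("/")
        for i in range(1, len(parts)):
            entries.setdefault("/".join(parts[:i]), None)
        entries[path] = data
    out, ino = io.BytesIO(), 1
    for path in sorted(entries):          # a parent always sorts before its children
        data = entries[path]
        mode = 0o040755 if data is None else 0o100755
        out.write(_entry(path, data or b"", mode, ino))
        ino += 1
    out.write(_entry(TRAILER, b"", 0, 0))
    return out.getvalue()

def list_names(image):
    """Walk the archive, verifying each header's magic, and return the entry names."""
    names, pos = [], 0
    while pos < len(image):
        if image[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        filesize = int(image[pos + 54:pos + 62], 16)
        namesize = int(image[pos + 94:pos + 102], 16)
        name = image[pos + 110:pos + 110 + namesize - 1].decode()
        names.append(name)
        pos += 110 + namesize
        pos += (-pos % 4) + filesize
        pos += -pos % 4
        if name == TRAILER:
            break
    return names
```

Writing `build_initramfs({...})` to a file gives an image that `-initrd` accepts; `list_names` on `rootfs.img` from the script above is a quick sanity check that the `.ko` files actually made it into the archive.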

Upload Script

Taken from the school competition, to be used with exp.c in this directory.

#!/usr/bin/env python3
import os
import sys
import base64
from pwn import *

HOST = "127.0.0.1"
PORT = 25000

USER = "pwn"
PW = "pwn"

def compile():
    # sudo apt install musl-tools
    log.info("Compile")
    # -O3 (capital O) is the optimisation level; lowercase -o3 would name the output file "3"
    os.system("musl-gcc -w -s -masm=intel -static -O3 exp.c -o pwn")

def exec_cmd(r, cmd):
    r.sendline(cmd)
    r.recvuntil("$ ")

def upload(r):
    p = log.progress("Upload")

    with open("pwn", "rb") as f:
        data = f.read()

    # decode to str, otherwise the b'...' repr of the bytes object ends up in the echo
    encoded = base64.b64encode(data).decode()

    r.recvuntil("$ ")

    # send the binary in 300-byte base64 chunks and reassemble it on the target
    for i in range(0, len(encoded), 300):
        p.status("%d / %d" % (i, len(encoded)))
        exec_cmd(r, "echo \"%s\" >> benc" % encoded[i:i + 300])

    exec_cmd(r, "cat benc | base64 -d > bout")
    exec_cmd(r, "chmod +x bout")

    p.success()

def exploit(r):
    compile()
    upload(r)
    context.log_level = "debug"
    r.interactive()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # session = ssh(USER, HOST, PORT, PW)
        # r = session.run("/bin/sh")
        HOST = "43.155.90.127"
        PORT = 25000
        r = remote(HOST, PORT)
        exploit(r)
    else:
        r = process("./boot.sh")
        print(util.proc.pidof(r))
        pause()
        exploit(r)