Challenges in Containers

Sometimes a challenge comes with a Dockerfile. In most cases it's best to use it, since you can then be sure the binary behaves the same locally as it does remotely.

Unfortunately, that can be rough, and there are a few steps involved. In essence, we want to run gdbserver inside the container to set up a debug session, then connect to that gdbserver from our host so we can use the full power of whatever debugger we prefer. These steps assume the binary is hosted inside the container via socat.

Quick Copy

Add to the Dockerfile:

RUN apt-get install -y gdb gdbserver
 -- OR --
RUN apk add gdb

Add to the docker run command:

-p 9090:9090 --cap-add=SYS_PTRACE

Run:

docker exec -it challenge /bin/bash
gdbserver :9090 --attach $(pidof challenge)

Connect:

r2 -d gdb://localhost:9090

OR

gdb challenge
target remote :9090

Explanation

Install

Add some installs to the Dockerfile:

RUN apt-get install -y gdb gdbserver

If the Dockerfile is based on an Alpine image, use this instead:

RUN apk add gdb

On Alpine, gdbserver is installed as part of the gdb package.

Change Run Command in build_docker.sh

Add the

-p 9090:9090 --cap-add=SYS_PTRACE

flags to the docker run ... command in build_docker.sh.

  • -p 9090:9090 publishes the container's port 9090 on host port 9090, so we can connect to localhost:9090 to reach gdbserver

  • --cap-add=SYS_PTRACE grants the container the CAP_SYS_PTRACE capability, which gdbserver needs in order to attach to a process. The alternative is to run the container in --privileged mode, which grants every capability and is far less safe

Start the Executable and get the PID

Get a shell with docker exec:

docker exec -it challenge /bin/bash

Note that with socat, the binary is only started once a client connects, so there is no process to attach to until then. Outside the container, connect with nc:

$ nc localhost 1337
<pwnable binary>

Don't close that connection, or the process will exit. Switch back to the root shell inside the container:

root@096c4ec3bca6:/# pidof challenge
22

Grab the PID of the subprocess, in this case 22.

Starting GDBserver

Now start a gdbserver:

gdbserver :9090 --attach 22

You can combine this into one command: gdbserver :9090 --attach $(pidof challenge)

And on your host you can now connect to it with radare2 or GDB:

$ r2 -d gdb://localhost:9090
$ gdb challenge
(gdb) target remote :9090
Remote debugging using 172.17.0.2:9090
[...]
(gdb)

And boom.

Note that you have to restart gdbserver every time you reconnect. Don't forget! Maybe there's a better way, but I don't know.

I did try to replace the shell commands with a single docker exec, but the $() is resolved before it is passed to Docker:

$ docker exec -it challenge gdbserver :9090 --attach $(pidof challenge)
Cannot attach to process 7196: No such process (3)
Exiting

But when connecting via a shell and running it there, it worked:

$ docker exec -it challenge /bin/bash
root@e2cd6b6e2e2c:/# gdbserver :9090 --attach $(pidof challenge)
Attached; pid = 201
Listening on port 9090

If anybody finds a fix, please let me know!
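As an added example that is not part of the original notes, the procedure above collected into a small POSIX shell script. The container name challenge, the binary name challenge and port 9090 are taken from the page's own examples; everything else is an assumption. The attach command wraps gdbserver in sh -c '...' so that $(pidof ...) is expanded by the shell inside the container rather than by the host shell.

```shell
#!/bin/sh
# Added example: helper functions for debugging a socat-hosted challenge
# binary inside Docker with gdbserver. Names and port are assumptions that
# follow the page's examples and can be overridden via the environment.
CHAL_CONTAINER="${CHAL_CONTAINER:-challenge}"
CHAL_BINARY="${CHAL_BINARY:-challenge}"
CHAL_GDB_PORT="${CHAL_GDB_PORT:-9090}"

# Flags to add to `docker run`: publish the gdbserver port and grant only
# CAP_SYS_PTRACE instead of the far broader --privileged.
debug_run_flags() {
    printf '%s' "-p $CHAL_GDB_PORT:$CHAL_GDB_PORT --cap-add=SYS_PTRACE"
}

# Command that attaches gdbserver to the running binary. The single quotes
# keep $(pidof ...) literal on the host, so it is evaluated by `sh` inside
# the container, where the process actually lives.
attach_command() {
    printf 'docker exec -it %s sh -c %s' "$CHAL_CONTAINER" \
        "'gdbserver :$CHAL_GDB_PORT --attach \$(pidof $CHAL_BINARY)'"
}

# Command to run on the host once gdbserver is listening.
gdb_connect_command() {
    printf 'gdb -q %s -ex "target remote :%s"' "$CHAL_BINARY" "$CHAL_GDB_PORT"
}

# socat only forks the binary after a client connects, so poll pidof in the
# container until the process exists (connect with nc from another terminal).
wait_for_target() {
    while ! docker exec "$CHAL_CONTAINER" pidof "$CHAL_BINARY" >/dev/null 2>&1; do
        echo "waiting for $CHAL_BINARY to start in $CHAL_CONTAINER ..." >&2
        sleep 1
    done
}

# Only touch docker when explicitly asked: `sh debug.sh run`
if [ "${1:-}" = "run" ]; then
    wait_for_target
    echo "now run on the host: $(gdb_connect_command)" >&2
    eval "$(attach_command)"   # gdbserver must be restarted after each gdb session
fi
```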
