Introduction

pwnup is a utility to automate pwntools. It records an interactive session against an SSH, remote (TCP) or local target and then writes a pwntools client script (client.py) that replays the recorded sends and receives.
Install

```
pip install pwnup
```
Examples
- OverTheWire's Bandit0 [ SPOILERS ]

Simple Bandit0 example pwnup session:

```
$ pwnup bandit.labs.overthewire.org 22
[*] Running PwnUp 1.0.5
[?] Choose a type.
 1> 1) ssh
    2) remote
    3) local
[*] You Chose: ssh
user > bandit0
password > bandit0
cmd > cat readme
[+] Connecting to bandit.labs.overthewire.org on port 22: Done
[+] Opening new channel: 'cat readme': Done
[*] Press to stop recording ...
[*] Switching to interactive mode
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
[*] Got EOF while reading in interactive
$
[*] Closed SSH channel with bandit.labs.overthewire.org
[*] Got EOF while sending in interactive
[*] Client Written to client.py
```

Generated client from session:

```python
#!/usr/bin/env python
from pwn import *

sh = ssh(host='bandit.labs.overthewire.org', user='bandit0', password='bandit0', port=22)
r = sh.run('cat readme')

def main():
    print(r.recvuntil('oJ9jbbUNNfktd78OOpsqOltutMc3MY1\n'))

if __name__ == "__main__":
    main()
```
- Pwnable.kr's fd [ SPOILERS ]

Pwnable.kr fd example session:

```
$ pwnup pwnable.kr 2222
[*] Running PwnUp 1.0.5
[?] Choose a type.
 1> 1) ssh
    2) remote
    3) local
[*] You Chose: ssh
user > fd
password > guest
cmd > ./fd 4660
[+] Connecting to pwnable.kr on port 2222: Done
[+] Opening new channel: './fd 4660': Done
[*] Press to stop recording ...
[*] Switching to interactive mode
$ LETMEWIN
mommy! I think I know what a file descriptor is!!
good job :)
[*] Got EOF while reading in interactive
$
[*] Closed SSH channel with pwnable.kr
[*] Got EOF while sending in interactive
[*] Client Written to client.py
```

Generated client from session:

```python
#!/usr/bin/env python
from pwn import *

sh = ssh(host='pwnable.kr', user='fd', password='guest', port=2222)
r = sh.run('./fd 4660')

def main():
    r.send('LETMEWIN\n')
    print(r.recvuntil('ile descriptor is!!\ngood job :)\n'))

if __name__ == "__main__":
    main()
```
- Google Banner Grab

Simple www.google.com banner grab:

```
$ pwnup
[*] Running PwnUp 1.0.5
[?] Choose a type.
    1) ssh
 2> 2) remote
    3) local
[*] You Chose: remote
host > www.google.com
port > 80
[+] Opening connection to www.google.com on port 80: Done
[*] Press to stop recording ...
[*] Switching to interactive mode
$ HEAD / HTTP/1.1
$
HTTP/1.1 200 OK
Date: Wed, 08 Jun 2016 01:06:53 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Accept-Ranges: none
Vary: Accept-Encoding
$
[*] Client Written to client.py
[*] Closed connection to www.google.com port 80
```

Generated client from session:

```python
#!/usr/bin/env python
from pwn import *

r = remote('www.google.com', 80)

def main():
    r.send('HEAD / HTTP/1.1\n')
    r.send('\n')
    print(r.recvuntil(' none\r\nVary: Accept-Encoding\r\n\r\n'))
    r.send('\n')

if __name__ == "__main__":
    main()
```
- Local Shell Example

Local bash run:

```
$ pwnup
[*] Running PwnUp 1.0.5
[?] Choose a type.
    1) ssh
    2) remote
 => 3) local
[*] You Chose: local
binary > bash
[+] Started program 'bash'
[*] Press to stop recording ...
[*] Switching to interactive mode
$ ls -la
total 16
drwx------ 2 ubuntu ubuntu 4096 Jun 8 01:23 .
drwxrwxrwt 5 root root 4096 Jun 8 01:23 ..
-rw-r--r-- 1 ubuntu ubuntu 5 Jun 8 01:23 secrets
-rwxr-xr-x 1 ubuntu ubuntu 17 Jun 8 01:23 shell
$ whoami
ubuntu
$ cat secrets
1234
$
[*] Client Written to client.py
[*] Stopped program 'bash'
```

Generated client from session:

```python
#!/usr/bin/env python
from pwn import *

r = process('bash')

def main():
    r.send('ls -la\n')
    print(r.recvuntil(' ubuntu 17 Jun 8 01:23 shell\n'))
    r.send('whoami\n')
    print(r.recvuntil('ubuntu\n'))
    r.send('cat secrets\n')
    print(r.recvuntil('1234\n'))

if __name__ == "__main__":
    main()
```
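The four sessions above all follow one pattern: each recorded write becomes an `r.send(...)`, each block of recorded output becomes a `print(r.recvuntil(...))`, and the `recvuntil` delimiter is the tail of that output (in the ssh, remote and fd examples the delimiters are exactly 32 characters). The script below is an added, illustrative reimplementation of that session-to-client step written for this page; it is not pwnup's own code and makes no claim about how pwnup is implemented. The 32-character tail, the `Event` log format and the constructed bash session are assumptions for the example.

```python
#!/usr/bin/env python3
"""Turn a recorded send/receive log into a pwntools client script.

Illustrative reimplementation of the idea behind pwnup, written for this
page. It is not pwnup's code; the log format and the delimiter rule below
are assumptions made for the example.
"""
from typing import Dict, List, Tuple

# A recorded session is a list of (direction, payload) pairs.
Event = Tuple[str, str]  # ("send" | "recv", data as text)

# Assumption: the last 32 characters of each received block become the
# recvuntil() delimiter. The generated clients on this page show 32-char
# delimiters, but the exact rule pwnup uses is not documented here.
TAIL_LEN = 32


def coalesce(events: List[Event]) -> List[Event]:
    """Merge adjacent recv chunks into one block; keep sends separate.

    A real capture delivers output in arbitrary chunks, so consecutive
    recvs are joined. Sends stay one-per-write so the client reproduces
    the session's framing (e.g. the two writes in the HEAD request).
    """
    merged: List[Event] = []
    for kind, data in events:
        if kind == "recv" and merged and merged[-1][0] == "recv":
            merged[-1] = ("recv", merged[-1][1] + data)
        elif kind in ("send", "recv"):
            merged.append((kind, data))
        else:
            raise ValueError("unknown event kind: %r" % (kind,))
    return merged


def delimiter(data: str, tail_len: int = TAIL_LEN) -> str:
    """Delimiter for recvuntil(): the tail of the received block."""
    return data[-tail_len:]


def connection_lines(target: Dict[str, object]) -> List[str]:
    """Preamble for the three target types pwnup offers: ssh, remote, local."""
    kind = target["type"]
    if kind == "ssh":
        return [
            "sh = ssh(host=%r, user=%r, password=%r, port=%r)"
            % (target["host"], target["user"], target["password"], target["port"]),
            "r = sh.run(%r)" % (target["cmd"],),
        ]
    if kind == "remote":
        return ["r = remote(%r, %r)" % (target["host"], target["port"])]
    if kind == "local":
        return ["r = process(%r)" % (target["binary"],)]
    raise ValueError("unknown target type: %r" % (kind,))


def generate_client(target: Dict[str, object], events: List[Event]) -> str:
    """Render a client.py in the same shape as the generated clients above."""
    body: List[str] = []
    for kind, data in coalesce(events):
        if kind == "send":
            body.append("    r.send(%r)" % (data,))
        else:
            body.append("    print(r.recvuntil(%r))" % (delimiter(data),))
    if not body:
        body.append("    pass")
    lines = ["#!/usr/bin/env python", "from pwn import *", ""]
    lines += connection_lines(target)
    lines += ["", "def main():"] + body
    lines += ["", 'if __name__ == "__main__":', "    main()", ""]
    return "\n".join(lines)


# Constructed sample session (not a real capture), modelled on the
# "Local Shell Example" above.
SAMPLE_TARGET: Dict[str, object] = {"type": "local", "binary": "bash"}
SAMPLE_EVENTS: List[Event] = [
    ("send", "ls -la\n"),
    ("recv", "total 16\n"),
    ("recv", "-rwxr-xr-x 1 ubuntu ubuntu 17 Jun  8 01:23 shell\n"),
    ("send", "whoami\n"),
    ("recv", "ubuntu\n"),
    ("send", "cat secrets\n"),
    ("recv", "1234\n"),
]

if __name__ == "__main__":
    print(generate_client(SAMPLE_TARGET, SAMPLE_EVENTS))
```

Two practical caveats follow from the delimiter rule. First, a client generated this way only replays a session: in the Bandit0 example the delimiter is the password itself, so the script proves the session is reproducible but does not extract anything new; to turn it into a tool, replace the hard-coded delimiter with a `recvline()` and parse the result. Second, anything time- or environment-dependent in the recorded output (the `Date:` header, `ls -la` timestamps, process output order) will make `recvuntil` block on the next run, so shorten delimiters to the stable part of the output before relying on the client.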