Updated the Intro to Tools section with more information on pwntools.

Author: nnamon

Vagrantfile

@@ -66,13 +66,23 @@ Vagrant.configure("2") do |config|
   # documentation for more information about their specific syntax and use.
   config.vm.provision "shell", inline: <<-SHELL
     dpkg --add-architecture i386
+    cp /etc/apt/sources.list /etc/apt/sources.list.old
+    sed -i -e 's/archive\.ubuntu\.com/mirror\.0x\.sg/g' /etc/apt/sources.list
     apt-get update
-    apt-get install -y libc6:i386 libncurses5:i386 libstdc++6:i386 gdb python python-pip libssl-dev gcc git binutils socat
+    apt-get install -y libc6:i386 libncurses5:i386 libstdc++6:i386 gdb python python-pip libssl-dev gcc git binutils socat apt-transport-https ca-certificates
     pip install --upgrade pip
     pip install pwntools
     pip install ipython
     pip install ropper
     git clone https://github.com/longld/peda.git /home/ubuntu/peda
     echo "source ~/peda/peda.py" >> /home/ubuntu/.gdbinit
+    apt-key adv --keyserver hkp://ha.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
+    echo "deb https://apt.dockerproject.org/repo ubuntu-xenial main" | tee /etc/apt/sources.list.d/docker.list
+    apt-get update
+    apt-get install -y linux-image-extra-$(uname -r) linux-image-extra-virtual
+    apt-get install -y docker-engine
+    groupadd docker
+    usermod -aG docker ubuntu
+    service docker start
   SHELL
 end

deploydocker.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+docker stop $(docker ps -a -q) 2>/dev/null
+
+

lessons/3_intro_to_tools/lessonplan.md

@@ -151,6 +151,21 @@ gdb-peda$
 
 We will go through a few of the interesting commands.
 
+### checksec
+
+The `checksec` command lists the protections that are enabled for the binary.
+This is useful when figuring out how to craft your exploit.
+
+```shell
+gdb-peda$ checksec
+CANARY    : disabled
+FORTIFY   : disabled
+NX        : ENABLED
+PIE       : disabled
+RELRO     : Partial
+gdb-peda$
+```
+
 ### distance
 
 Often, calculating offsets from addresses is required when crafting your payload
@@ -289,3 +304,157 @@ gdb-peda$
 ```
 
 ## Pwntools
+
+Pwntools is a Python library that provides a framework for writing exploits.
+Typically, it is used heavily in CTFs. There are a ton of useful functions
+provided by Pwntools but I will briefly describe the process I personally use.
+
+### Using Pwntools
+
+There are three ways you can use Pwntools:
+
+1. Interactively through the python/iPython consoles
+2. In a python script
+3. Pwntools command line tools
+
+#### Interactively through the Console
+
+Often, you want to try things out before actually writing an actual script when
+developing your exploit. The iPython console is a great way to explore the
+Pwntools API. For convenience, we will import everything in the `pwn` package to
+the global namespace.
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/3_intro_to_tools/build$ ipython
+Python 2.7.12 (default, Nov 19 2016, 06:48:10)
+Type "copyright", "credits" or "license" for more information.
+
+IPython 5.1.0 -- An enhanced Interactive Python.
+?         -> Introduction and overview of IPython's features.
+%quickref -> Quick reference.
+help      -> Python's own help system.
+object?   -> Details about 'object', use 'object??' for extra details.
+
+In [1]: from pwn import *
+
+In [2]:
+```
+
+iPython provides tab completion and a built-in system to look up documentation
+in docstrings. For example, if we want to look at what the `p32` function does,
+we can look it up with the `?` sigil.
+
+```shell
+In [4]: p32?
+Signature: p32(*a, **kw)
+Docstring:
+p32(number, sign, endian, ...) -> str
+
+Packs an 32-bit integer
+
+Arguments:
+    number (int): Number to convert
+    endianness (str): Endianness of the converted integer ("little"/"big")
+    sign (str): Signedness of the converted integer ("unsigned"/"signed")
+    kwargs (dict): Arguments passed to context.local(), such as
+        ``endian`` or ``signed``.
+
+Returns:
+    The packed number as a string
+File:      /usr/local/lib/python2.7/dist-packages/pwnlib/context/__init__.py
+Type:      function
+
+In [5]: p32(0x41424344)
+Out[5]: 'DCBA'
+
+In [6]:
+```
+
+#### In a Python Script
+
+I like to begin with the following [template] when starting a new exploit.
+
+```python
+#!/usr/bin/python
+
+from pwn import *
+
+def main():
+    pass
+
+if __name__ == '__main__':
+    main()
+```
+
+Running the script is as simple as calling python on it. Try running this
+[script]:
+
+```python
+#!/usr/bin/python
+
+from pwn import *
+
+def main():
+    p = process("/bin/sh")
+    p.interactive()
+
+if __name__ == '__main__':
+    main()
+```
+
+Running the script:
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/3_intro_to_tools/scripts$ python 2_shellsample.py
+[+] Starting local process '/bin/sh': Done
+[*] Switching to interactive mode
+$ id
+uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),110(lxd)
+$
+```
+
+#### Pwntools Command Line Tools
+
+Pwntools installs the `pwn` python script in /usr/local/bin. It provides
+frontends to useful features of the library. To get a list of all available
+frontends, you can execute `pwn -h`.
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/3_intro_to_tools/scripts$ pwn -h
+usage: pwn [-h]
+           {asm,checksec,constgrep,cyclic,disasm,elfdiff,elfpatch,errno,hex,phd,pwnstrip,scramble,shellcraft,unhex,update}
+           ...
+
+Pwntools Command-line Interface
+
+positional arguments:
+  {asm,checksec,constgrep,cyclic,disasm,elfdiff,elfpatch,errno,hex,phd,pwnstrip,scramble,shellcraft,unhex,update}
+    asm                 Assemble shellcode into bytes
+    checksec            Check binary security settings
+    constgrep           Looking up constants from header files. Example:
+                        constgrep -c freebsd -m ^PROT_ '3 + 4'
+    cyclic              Cyclic pattern creator/finder
+    disasm              Disassemble bytes into text format
+    elfdiff             Compare two ELF files
+    elfpatch            Patch an ELF file
+    errno               Prints out error messages
+    hex                 Hex-encodes data provided on the command line or stdin
+    phd                 Pwnlib HexDump
+    pwnstrip            Strip binaries for CTF usage
+    scramble            Shellcode encoder
+    shellcraft          Microwave shellcode -- Easy, fast and delicious
+    unhex               Decodes hex-encoded data provided on the command line
+                        or via stdin.
+    update              Check for pwntools updates
+
+optional arguments:
+  -h, --help            show this help message and exit
+```
+
+You can investigate the available options at your own time. Take a look at the
+[documentation] for a more detailed description of each of them.
+
+
+[template]: ./scripts/1_template.py
+[script]: ./scripts/2_shellsample.py
+[documentation]: https://docs.pwntools.com/en/stable/commandline.html

lessons/3_intro_to_tools/scripts/1_template.py

@@ -0,0 +1,9 @@
+#!/usr/bin/python
+
+from pwn import *
+
+def main():
+    pass
+
+if __name__ == '__main__':
+    main()

lessons/3_intro_to_tools/scripts/2_shellsample.py

@@ -0,0 +1,10 @@
+#!/usr/bin/python
+
+from pwn import *
+
+def main():
+    p = process("/bin/sh")
+    p.interactive()
+
+if __name__ == '__main__':
+    main()