Gallopsled / pwntools

CTF framework and exploit development library
http://pwntools.com

SSH/SFTP FileNotFoundError Exception #2058

Open jacopotediosi opened 2 years ago

jacopotediosi commented 2 years ago

Hi all, while solving pwn.college Capture The Flag challenges I got the following FileNotFoundError exception when connecting to dojo.pwn.college via SSH:

```
> py3 a.py DEBUG
[+] Connecting to dojo.pwn.college on port 22: Done
[+] Opening new channel: b'stty raw -ctlecho -echo; cd . >/dev/null 2>&1; pwd': Done
[+] Receiving all data: Done (109B)
[DEBUG] Received 0x60 bytes:
    b'\r'
    b'                                                                                  \r'
    b'Connected!\r\n'
[DEBUG] Received 0xd bytes:
    b'/home/hacker\n'
[*] Closed SSH channel with dojo.pwn.college
Traceback (most recent call last):
  File "a.py", line 3, in <module>
    conn = ssh(user='hacker', host='dojo.pwn.college', ssh_agent=True)
  File "/usr/local/lib/python3.8/dist-packages/pwnlib/tubes/ssh.py", line 677, in __init__
    self.cwd = context._decode(self.pwd())
  File "/usr/local/lib/python3.8/dist-packages/pwnlib/tubes/ssh.py", line 705, in cwd
    self.sftp.chdir(cwd)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/sftp_client.py", line 659, in chdir
    if not stat.S_ISDIR(self.stat(path).st_mode):
  File "/usr/local/lib/python3.8/dist-packages/paramiko/sftp_client.py", line 493, in stat
    t, msg = self._request(CMD_STAT, path)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/sftp_client.py", line 822, in _request
    return self._read_response(num)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/sftp_client.py", line 874, in _read_response
    self._convert_status(msg)
  File "/usr/local/lib/python3.8/dist-packages/paramiko/sftp_client.py", line 903, in _convert_status
    raise IOError(errno.ENOENT, text)
FileNotFoundError: [Errno 2] No such file
```

a.py script:

```python
from pwn import *

conn = ssh(user='hacker', host='dojo.pwn.college', ssh_agent=True)
```

The error appears to have been introduced by this commit, which implements some new features including sftp.

The Dojo environment used by dojo.pwn.college prints "Connected!\r\n" every time a process is started, so self.pwd() returns "Connected!\r\n/home/hacker" instead of "/home/hacker".

An inelegant but functional fix might be replacing

```python
self.cwd = packing._decode(self.pwd())
```

with

```python
self.cwd = packing._decode(self.run('pwd', tty=False).recvall().strip())
```

I'm also wondering if the LocalContext runner function really needs to run commands with tty enabled. If not, maybe we can consider disabling tty there too.

Although I understand that what I am presenting is a particular case, I think that fixing this issue could improve support for any other remote host using custom shells or whatever.
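
The failure described in the post above comes from parsing `pwd` output that a remote banner has polluted. As an added example (not part of the original post and not pwntools code), one way a client could isolate command output from such banners is to wrap the command in unique marker lines; the function names and the marker scheme are hypothetical, and the sample reply is constructed from the DEBUG log above.

```python
import secrets

# Banner bytes as shown in the DEBUG log above (0x60 bytes in total).
DOJO_BANNER = b"\r" + b" " * 82 + b"\rConnected!\r\n"


def wrap_command(cmd: str, nonce: str) -> str:
    """Return a shell line printing cmd's output between two marker lines."""
    return f"printf '%s\\n' BEGIN_{nonce}; {cmd}; printf '%s\\n' END_{nonce}"


def between_markers(raw: bytes, nonce: str) -> bytes:
    """Return only the bytes printed between the BEGIN/END marker lines."""
    begin, end = f"BEGIN_{nonce}".encode(), f"END_{nonce}".encode()
    # A TTY turns "\n" into "\r\n", so drop a trailing "\r" from each line.
    lines = [line.rstrip(b"\r") for line in raw.split(b"\n")]
    try:
        start = lines.index(begin)
        stop = lines.index(end, start + 1)
    except ValueError:
        raise ValueError("markers missing: output truncated or command not run") from None
    return b"\n".join(lines[start + 1:stop])


def parse_cwd(raw: bytes, nonce: str) -> str:
    """Extract an absolute path from marker-wrapped `pwd` output."""
    path = between_markers(raw, nonce).decode("utf-8", "surrogateescape")
    if not path.startswith("/") or "\n" in path:
        raise ValueError(f"unexpected pwd output: {path!r}")
    return path


def simulated_reply(nonce: str) -> bytes:
    """Constructed sample: the banner followed by what the wrapped pwd prints."""
    return DOJO_BANNER + f"BEGIN_{nonce}\n/home/hacker\nEND_{nonce}\n".encode()


if __name__ == "__main__":
    nonce = secrets.token_hex(8)  # unpredictable, so a banner cannot match it
    print(wrap_command("pwd", nonce))
    print((DOJO_BANNER + b"/home/hacker\n").strip())  # what a bare pwd parse sees
    print(parse_cwd(simulated_reply(nonce), nonce))
```
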

spencerpogo commented 2 years ago

Monkey-patch that accomplishes that change:

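```python
from pwn import *

def _pwd_hack(self):
    # Return the output so that callers of ssh.pwd() receive the path.
    return self.run("pwd", tty=False).recvall().strip()
ssh.pwd = _pwd_hack
```

iAmG-r00t commented 2 years ago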

Has this issue been patched? I faced the same issue while I have the updated version of pwntools.

spencerpogo commented 2 years ago

No, it has not

iAmG-r00t commented 2 years ago

@Scoder12 did ssh work for you on pwn.college using the pwn.ssh module?

Mine keeps hanging, and when I set logs to debug it logs that the connection was successful, logs the home directory, and then the ssh connection is closed and it hangs unless I press Ctrl+C.

spencerpogo commented 2 years ago

No, I ended up using raw paramiko :/ Check this repo: https://github.com/Scoder12/pwncollege-automation-template

ysf commented 2 years ago

This has been fixed in https://github.com/pwncollege/dojo/pull/101/commits and works now out of the box with pwntools.