offensive-basic-exploitation

# SKILL: Week 5: Basic Exploitation (Linux with Mitigations Disabled)

## Metadata
- **Skill Name**: basic-exploitation
- **Folder**: offensive-basic-exploitation
- **Source**: https://github.com/SnailSploit/offensive-checklist/blob/main/5-basic-exploitation.md

## Description
Week 5 exploit development curriculum. Foundational exploitation techniques: controlling EIP/RIP, ROP chain construction, ret2libc, shellcode injection, heap spraying, bypass techniques for ASLR/NX/stack canaries. Use when building initial PoCs or understanding classic exploitation primitives.

## Trigger Phrases
Use this skill when the conversation involves any of:
`basic exploitation, EIP control, RIP control, ROP chain, ret2libc, shellcode injection, heap spray, ASLR bypass, NX bypass, stack canary bypass, week 5`

## Instructions for Claude

When this skill is active:
1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---

## Full Methodology

# Week 5: Basic Exploitation (Linux with Mitigations Disabled)

## Overview

_created by AnotherOne from @Pwn3rzs Telegram channel_.

Now that you can find and analyze vulnerabilities (Week 2 & 4), it's time to learn exploitation. This week focuses on fundamental exploitation techniques in a simplified Linux environment with modern mitigations (DEP, ASLR, stack canaries) disabled. Mastering these basics is essential before tackling mitigation bypasses in Week 7.

Next week (Week 6) we'll focus on understanding mitigations in both Linux and Windows. Week 7 will cover bypassing them.

**Learning Environment**:

- **CPU arch (default)**: amd64 (x86-64)
- **OS**: Ubuntu 24.04 LTS (Linux)
- **Compiler Flags**: Disable protections (`-fno-stack-protector`, `-no-pie`, `-z execstack` for ret2shellcode labs, `/GS-`)
- **ASLR**: Keep enabled system-wide; disable per-process (`setarch -R`) or in GDB (`set disable-randomization on`) for deterministic labs
- **Focus**: Pure exploitation techniques without bypass complexity

## Day 1: Environment Setup and Stack Overflow Fundamentals

- **Goal**: Set up exploitation lab and understand stack buffer overflow mechanics.
- **Activities**:
  - _Reading_:
    - "Hacking: The Art of Exploitation" 2nd edition, by Jon Erickson - Chapter 0x300: "EXPLOITATION"
    - [Smashing The Stack For Fun And Profit](https://phrack.org/issues/49/14_md#article) - Classic paper
  - _Online Resources_:
    - [x86-64 Calling Conventions](https://wiki.osdev.org/Calling_Conventions)
    - [Stack Layout Visualization](https://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64)
  - _Tool Setup_:
    - Ubuntu VM with protections disabled
    - pwntools, pwndbg, ROPgadget
  - _Exercise_:
    - Compile and exploit first vulnerable program
    - Overwrite return address to execute shellcode

### Context: QNAP Stack Overflow (CVE-2024-27130)

- Recall the **QNAP QTS Stack Overflow** from Week 1? That was a classic stack buffer overflow caused by `strcpy` without bounds checking—exactly what we'll be exploiting today.
- While modern systems have mitigations (which we'll disable for now), the underlying mechanic remains the same: overwriting the return address to hijack control flow.

### Deliverables

- **Environment**: `~/check_env.sh` passes and you recorded its output
- **Binary**: `vuln1` built and verified with `checksec`
- **Primitive proof**: RIP control demonstrated (controlled crash address)
- **Exploit**: `exploit1.py` (or equivalent) spawns a shell reliably
- **Notes**: brief writeup covering offset, return target, and payload layout

### Setting Up the Lab Environment

**Ubuntu VM Configuration**:

> [!IMPORTANT]
> **ASLR Policy**: Keep ASLR **enabled system-wide** for security. Disable only per-process for labs.
> Never disable ASLR globally on a machine connected to the internet.

```bash
# ============================================================
# ASLR CONFIGURATION (Per-Process Only - Do NOT disable globally!)
# ============================================================
# Option 0: Disable ASLR system-wide
# echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
# echo "kernel.randomize_va_space = 0" | sudo tee /etc/sysctl.d/99-disable-aslr.conf
# sudo sysctl --system

# Option 1: Disable in GDB (recommended for debugging)
# In GDB/pwndbg:
# (gdb) set disable-randomization on    # Default in GDB
# (gdb) set disable-randomization off   # If you want ASLR during debug

# Option 2: Disable for a single binary run
setarch x86_64 -R ./binary

# Option 3: In pwntools (for local process only)
# p = process('./binary', aslr=False)

# VERIFY: Check system ASLR is STILL ENABLED
cat /proc/sys/kernel/randomize_va_space
# Should output: 2 (full ASLR) - DO NOT change this!

# If you previously disabled ASLR system-wide, RE-ENABLE it:
# echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
# sudo rm -f /etc/sysctl.d/99-disable-aslr.conf  # Remove any persistent config

# ============================================================
# INSTALL ESSENTIAL TOOLS
# ============================================================

sudo apt update
sudo apt install -y \
    nasm \
    strace \
    ltrace \
    ruby \
    ruby-dev \
    libc6-dbg \
    checksec \
    patchelf

cd ~/crash_analysis_lab
source .venv/bin/activate
pip install ropgadget

# Install one_gadget (quick shell gadgets)
sudo gem install one_gadget

# Install radare2 (optional but useful)
cd ~/tools
git clone --depth 1 --branch master https://github.com/radareorg/radare2
cd radare2
sys/install.sh

# Check glibc version (important for heap exploitation)
ldd --version
# Ubuntu 24.04 ships with glibc 2.39

# ============================================================
# STANDARDIZED COMPILATION PROFILES (AMD64)
# ===========================================