
ssh module doesn't work with ForceCommand, and qemu output is invisible.

Open lonnywong opened this issue 3 years ago • 9 comments

Environment:

$ docker run -it pwntools/pwntools:stable
pwntools@bb0ca7101abf:~$ sudo apt -y install sshpass vim

cat test.py

from pwn import *

# s = ssh('rootkit', 'pwnable.kr', 2222, 'guest')  # ssh is not working with ForceCommand

p = process('sshpass -p guest ssh -oStrictHostKeyChecking=no rootkit@pwnable.kr -p2222', shell=True)

p.interactive()

python3 test.py

(screenshot of the python3 test.py session, 2021-07-19: the commands typed are echoed but the guest output is not shown)

python3 test.py DEBUG LOG_FILE=log.txt

log.txt

Another example with a local qemu:

https://github.com/Gallopsled/pwntools/issues/1937#issuecomment-953948360

But it's OK in the Python shell:

(screenshot of the interactive Python shell session, 2021-10-28)

lonnywong avatar Jul 19 '21 15:07 lonnywong

PLEASE do not post such long logs in the issue! It sends HUGE e-mails to every person subscribed. And sending bloated e-mail is bad manners. Also, you should most likely use ssh(...) instead of process('ssh...').

(quoted log trimmed: every guest kernel line arrives as a b'...\r\n' chunk, frequently split mid-line, for example)

2021-07-19T15:12:36:DEBUG:pwnlib.tubes.process.process.140062931591464:b'[ 2.668697] Cannot allocate resource for EISA s'
2021-07-19T15:12:36:DEBUG:pwnlib.tubes.process.process.140062931591464:Received 0x39 bytes:
2021-07-19T15:12:36:DEBUG:pwnlib.tubes.process.process.140062931591464:b'lot 2\r\n'
[...]
2021-07-19T15:12:40:DEBUG:pwnlib.tubes.process.process.140062931591464:Sent 0x3 bytes:
2021-07-19T15:12:40:DEBUG:pwnlib.tubes.process.process.140062931591464:b'ls\n'
2021-07-19T15:12:41:DEBUG:pwnlib.tubes.process.process.140062931591464:Received 0x4 bytes:
2021-07-19T15:12:41:DEBUG:pwnlib.tubes.process.process.140062931591464:b'ls\r\n'
2021-07-19T15:12:41:DEBUG:pwnlib.tubes.process.process.140062931591464:Received 0x9 bytes:
2021-07-19T15:12:41:DEBUG:pwnlib.tubes.process.process.140062931591464:00000000  1b 5b 31 3b 33 34 6d 62 69  │·[1;│34mb│i│
00000009
2021-07-19T15:12:41:DEBUG:pwnlib.tubes.process.process.140062931591464:Received 0x47 bytes:
2021-07-19T15:12:41:DEBUG:pwnlib.tubes.process.process.140062931591464:00000000  6e 1b 5b 30 6d 20 20 20 20 20 20 20 20 20 1b 5b  │n·[0│m   │    │  ·[│
00000010  31 3b 33 34 6d 65 74 63 1b 5b 30 6d 20 20 20 20  │1;34│metc│·[0m│    │
00000020  20 20 20 20 20 1b 5b 31 3b 33 34 6d 6c 69 62 1b  │    │ ·[1│;34m│lib·│
00000030  5b 30 6d 20 20 20 20 20 20 20 20 20 1b 5b 31 3b  │[0m │    │    │·[1;│
00000040  33 34 6d 6c 6f 73 74                             │34ml│ost│
00000047
2021-07-19T15:12:41:DEBUG:pwnlib.tubes.process.process.140062931591464:Received 0xcf bytes:
[hexdump of the rest of the colourised ls listing: lost+found rootkit.ko tmp var dev flag linuxrc proc sbin usr, followed by '/ # ']
2021-07-19T15:12:44:DEBUG:pwnlib.tubes.process.process.140062931591464:Sent 0x3 bytes:
2021-07-19T15:12:44:DEBUG:pwnlib.tubes.process.process.140062931591464:b'id\n'
2021-07-19T15:12:45:DEBUG:pwnlib.tubes.process.process.140062931591464:Received 0x1 bytes:
2021-07-19T15:12:45:DEBUG:pwnlib.tubes.process.process.140062931591464:b'i'
2021-07-19T15:12:45:DEBUG:pwnlib.tubes.process.process.140062931591464:Received 0x3 bytes:
2021-07-19T15:12:45:DEBUG:pwnlib.tubes.process.process.140062931591464:b'd\r\n'
2021-07-19T15:12:45:DEBUG:pwnlib.tubes.process.process.140062931591464:Received 0x16 bytes:
2021-07-19T15:12:45:DEBUG:pwnlib.tubes.process.process.140062931591464:b'uid=0 gid=0 groups=0\r\n'
2021-07-19T15:12:45:DEBUG:pwnlib.tubes.process.process.140062931591464:Received 0x4 bytes:
2021-07-19T15:12:45:DEBUG:pwnlib.tubes.process.process.140062931591464:b'/ # '
2021-07-19T15:12:45:INFO:pwnlib.tubes.process.process.140062931591464:Interrupted

= Started at 2021-07-19T15:12:45 =
= sys.argv = [
=   'test.py',
= ] =

2021-07-19T15:12:45:INFO:pwnlib.tubes.process.process.140062931591464:Stopped process '/bin/sh' (pid 216)

-- Sent from my Sailfish device

Arusekk avatar Jul 19 '21 15:07 Arusekk

Also, you should most likely use ssh(...) instead of process('ssh...').

  • Sorry about the huge logs.
  • The ssh(...) doesn't work with qemu on the server. You should try it.

lonnywong avatar Jul 19 '21 16:07 lonnywong

Is there a plan on addressing this issue?

levintp avatar Sep 29 '21 09:09 levintp

The real problem here is that pwntools' ssh does not work due to ForceCommand in the SSH server we connect to (pwntools executes some commands upon connecting, and they all end up being replaced with a qemu instance).

You can probably use PWNLIB_NOTERM=1 as a workaround.

Arusekk avatar Sep 29 '21 13:09 Arusekk
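For reference, this is what such a locked-down account looks like on the sshd side. It is an added illustration, not pwnable.kr's real configuration (which this thread does not show); the user name and launcher path are assumed.

```conf
# /etc/ssh/sshd_config (assumed example, not pwnable.kr's actual file)
Match User rootkit
    PasswordAuthentication yes
    # Whatever command the client asks for is discarded and this runs instead
    # (via the user's login shell with -c). So `ssh rootkit@host id`,
    # `ssh rootkit@host true` and every environment probe that pwntools' ssh()
    # issues on connect all boot the qemu guest.
    ForceCommand /home/rootkit/launch.sh
    # The launcher can still see what was requested, but only in
    # $SSH_ORIGINAL_COMMAND; nothing makes it execute that command.
```

A quick client-side check for this condition is `ssh -p 2222 rootkit@pwnable.kr true`: against a normal account it returns at once with no output, against a forced account it drops you into the guest's boot log. In that case the tube has to be treated as a raw console rather than a shell that answers probes, which is what the process('ssh ...') workaround in this thread does.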

The real problem here is that pwntools' ssh does not work due to ForceCommand in the SSH server we connect to (pwntools executes some commands upon connecting, and they all end up being replaced with a qemu instance).

You can probably use PWNLIB_NOTERM=1 as a workaround.

export PWNLIB_NOTERM=1

This works for me. Thanks very much.

lonnywong avatar Sep 30 '21 06:09 lonnywong

Didn't work out for me. Using pwntools' ssh just freezes (see output 1) and using lonnywong's method with sshpass returns the commands as output like before.

Output 1 (using ssh module):

❯ python exploit.py
[x] Connecting to pwnable.kr on port 2222
[+] Connecting to pwnable.kr on port 2222: Done
(here it gets stuck)

Output 2 (using lonnywong's method):

❯ python exploit.py
[x] Starting local process '/bin/sh'
[+] Starting local process '/bin/sh': pid 2823324
[*] waiting for the qemu env to boot . . .
[*] uploading privesc binary to the server . . .
[*] Switching to interactive mode
echo b' (payload in here) '
> id
id
> ls
ls
>

As you can see, it either gets stuck or just returns the commands sent to it as output. The only thing exporting PWNLIB_NOTERM did was remove the color from the log prints.

levintp avatar Oct 01 '21 09:10 levintp

I can confirm that the workaround works. I had a completely different environment (Telnet), and I encountered the same issue.

export PWNLIB_NOTERM=1

TAbdiukov avatar Oct 25 '21 15:10 TAbdiukov

Suggestion: let's rename the issue to something unspecific to Qemu

TAbdiukov avatar Oct 26 '21 07:10 TAbdiukov

I think there are 2 issues:

  • ssh module doesn't work with ForceCommand.
  • output is invisible with qemu.

There is another example Hitb 2017 - Babyqemu:

$ docker run -it pwntools/pwntools:stable
pwntools@8cd8de960ff6:~$ sudo apt update
pwntools@8cd8de960ff6:~$ sudo apt -y install wget libaio1 libcurl3 libnuma1 libpixman-1-0
pwntools@8cd8de960ff6:~$ wget https://uaf.io/assets/babyqemu.tar.gz
pwntools@8cd8de960ff6:~$ tar zxf babyqemu.tar.gz
pwntools@8cd8de960ff6:~$ sed -i '6d' launch.sh
pwntools@8cd8de960ff6:~$ cat <<EOF >test.py
> from pwn import *
> p = process('./launch.sh')
> p.interactive()
> EOF
pwntools@8cd8de960ff6:~$ python3 test.py


<< a lot of invisible output >>



HITB login: $ root

# $ id


# $ ls

# $ pwd


# $

lonnywong avatar Oct 28 '21 15:10 lonnywong

I'm getting the same problem. Can anybody give me some material that I could learn in order to help solve this issue?

Btw, the workaround of export PWNLIB_NOTERM=1 works.

874anthony avatar May 21 '23 23:05 874anthony

This is fixed in pwntools 4.11, which is currently in beta.

#2037 allows you to pass raw=True to ssh() to disable the environment checks and just drop you into a raw tube. #2129 enabled replacing of newline characters in interactive() using context.newline or tube.newline. In your example, qemu outputs \r\n instead of \n, causing the lines to appear empty in your terminal.

from pwn import *

p = ssh('rootkit', 'pwnable.kr', 2222, 'guest', raw=True)

# p = process('sshpass -p guest ssh -oStrictHostKeyChecking=no rootkit@pwnable.kr -p2222', shell=True)

p.newline = b'\r\n' # context.newline = b'\r\n'
p.interactive()

peace-maker avatar May 24 '23 17:05 peace-maker
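The newline problem the fix above addresses, as an added example that is not pwntools code and not from this issue. The guest ends every line with CRLF, the tube hands those bytes to interactive() in arbitrary read-sized chunks, and (as the DEBUG log quoted earlier shows) a chunk boundary can fall anywhere: between the '\r' and the '\n', or inside one of the ANSI colour escapes `ls` emits. A per-chunk replace of CRLF misses the split case; the filter below holds back an unfinished tail and retries it with the next chunk. It depends only on the standard library, and the chunks are constructed to mimic the log, not copied from it.

```python
r"""Streaming clean-up of a qemu/serial console stream.

Added example (not pwntools code and not from this issue).  It shows what
tube.newline = b'\r\n' is compensating for: CRLF line endings delivered in
arbitrary chunks, where a boundary may split the '\r' from the '\n' or cut an
ANSI colour escape in half.  All input below is constructed.
"""
import re

# One ANSI SGR (colour) sequence, e.g. ESC[1;34m (bold blue) or ESC[0m (reset).
SGR = re.compile(rb'\x1b\[[0-9;]*m')
# An SGR sequence that has started but not yet reached its terminating 'm'.
SGR_PREFIX = re.compile(rb'\x1b(\[[0-9;]*)?')


class ConsoleFilter:
    """Normalise CRLF to LF and (optionally) strip colour codes across chunk boundaries."""

    def __init__(self, strip_colour=True):
        self.strip_colour = strip_colour
        self._pending = b''  # tail held back because it may be the start of a split sequence

    def feed(self, chunk: bytes) -> bytes:
        """Return the displayable part of pending+chunk; keep any unfinished tail."""
        data = self._pending + chunk
        self._pending = b''
        if self.strip_colour:
            data = SGR.sub(b'', data)
        data = data.replace(b'\r\n', b'\n')
        keep = self._incomplete_tail(data)
        if keep:
            self._pending, data = data[-keep:], data[:-keep]
        return data

    def flush(self) -> bytes:
        """Release whatever was held back (call at EOF; a lone carriage return is emitted as-is)."""
        out, self._pending = self._pending, b''
        return out

    def _incomplete_tail(self, data: bytes) -> int:
        """Length of a trailing fragment that must wait for more bytes, or 0."""
        if data.endswith(b'\r'):          # might be the first half of CRLF
            return 1
        if not self.strip_colour:
            return 0
        esc = data.rfind(b'\x1b')
        if esc != -1 and SGR_PREFIX.fullmatch(data[esc:]):   # escape cut before its 'm'
            return len(data) - esc
        return 0


# Constructed chunks (not the real capture): a dmesg line split mid-word, a CRLF
# split across two reads, and a coloured `ls` listing split inside an escape.
CHUNKS = [
    b'[    2.668697] Cannot allocate resource for EISA s',
    b'lot 2\r\n[    2.670289] Cannot allocate resource for EISA slot 3\r',
    b'\n/ # ',
    b'ls\r\n\x1b[1;34mbi',
    b'n\x1b[0m  \x1b[0;0mflag\x1b[0m  \x1b[1;3',
    b'4mtmp\x1b[0m\r\n/ # ',
]


def naive_clean(chunks) -> bytes:
    """Per-chunk replace, the obvious quick fix; it leaves a CRLF that straddles two reads."""
    return b''.join(c.replace(b'\r\n', b'\n') for c in chunks)


def clean_console(chunks, strip_colour=True) -> bytes:
    """Run every chunk through one stateful filter and return the normalised stream."""
    f = ConsoleFilter(strip_colour)
    out = b''.join(f.feed(c) for c in chunks)
    return out + f.flush()


if __name__ == '__main__':
    import sys
    sys.stdout.buffer.write(clean_console(CHUNKS))
```

On pwntools 4.11 and later you get this translation for free by setting `p.newline = b'\r\n'` (or `context.newline`) before `interactive()`; on older releases, or for any other tube that talks to a serial-style console, feeding `p.recv()` results through a filter like this before printing them is the equivalent. The hold-back step is the part a one-line replace cannot do.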

4.11 is out, so I think this issue is fixed.

peace-maker avatar Dec 30 '23 21:12 peace-maker