How to Build a Docker‑Based Linux Pwn Lab with IDA Remote Debugging and Pwntools

This guide walks through setting up Docker containers for i386/amd64 Linux pwn challenges, configuring IDA remote debugging, and automating interactions with pwntools, providing step‑by‑step commands, code snippets, and practical tips for beginners.

ITPUB

As a recent graduate struggling with entry‑level CTF pwn challenges, the author created a comprehensive Linux pwn tutorial covering common exploitation techniques (stack, heap, integer overflow, format strings, race conditions) on i386/amd64 platforms.

Docker Environment Setup

Prepare a 64‑bit Linux system with Docker (kernel >3.10). Import pre‑built images, e.g.:

cat ubuntu.17.04.amd64 | docker import - ubuntu/17.04.amd64

Run the image and expose port 23946 for IDA debugging:

docker run -it -p 23946:23946 ubuntu/17.04.amd64 /bin/bash

Rename the container for clarity:

docker container rename nostalgic_raman ubuntu.17.04.amd64

Enter the container shell when needed:

docker exec -it ubuntu.17.04.amd64 /bin/bash

Note: use docker start if the container is stopped, and avoid port conflicts by changing the host port.

IDA Remote Debugging Setup

Copy the appropriate linux_server (32‑bit) or linux_serverx64 (64‑bit) binary from IDA's dbgsrv folder into the Kali container:

docker container cp linux_server ubuntu.17.04.i386:/root/linux_server

Start the server inside the container (it listens on 23946).

In IDA, open the target binary (e.g., heapTest_x86), set a breakpoint, then configure remote debugging with the Kali IP address and port 23946.

After connecting, IDA will display the remote process, allowing standard debugging shortcuts (F2, F7, F8, F9, etc.) and windows (Assembly, Registers, Stack, Memory, Output).

Automating Interaction with Pwntools

Install pwntools in Kali (pip install pwntools) and import it in Python:

from pwn import *

Expose the vulnerable binary inside the container via socat:

socat tcp-listen:10001,reuseaddr,fork EXEC:./heapTest_x86,pty,raw,echo=0

Connect from Python:

io = remote("172.17.0.2", 10001)

Use io.recv() to read program output and io.send() or io.sendline() to provide input (remember to terminate with a newline).

Attach IDA to the running process (Debugger → Attach to process…) after the program has started, placing breakpoints after input‑waiting calls to avoid missing them.

When debugging is finished, close the connection with io.close() to prevent multiple attached processes.

Key Tips and Caveats

Ensure Docker containers are running before issuing docker exec or docker container rename commands.

Verify network connectivity between the host and container (ping, correct port mapping).

When using IDA remote debugging, the first breakpoint must be set after the input call; otherwise the breakpoint may be missed.

Pwntools interactions may block if the program has no output; advance the debugger to a point where output is produced.
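
The connectivity and blocking-read tips above can be checked before a debugging session starts. This is an added example, not code from the original article: it uses only the Python standard library, the helper names probe and check_lab are hypothetical, and the address and ports are the ones the article uses.

```python
import socket

# Ports from the article: IDA's linux_server and the socat listener.
IDA_DBGSRV_PORT = 23946
SOCAT_PORT = 10001


def probe(host, port, timeout=2.0):
    """Classify a lab endpoint as 'closed', 'silent' or 'banner'.

    'silent' means the TCP connect succeeded but nothing arrived within
    `timeout`: the target is waiting for input, so an unbounded recv()
    on this endpoint would hang until the program produces output.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Refused, unreachable or timed out: container stopped, service
        # not started, or wrong port mapping.
        return ("closed", b"")
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return ("silent", b"")
        except OSError:
            return ("closed", b"")
    # An empty read means the peer accepted and hung up immediately.
    return ("banner", data) if data else ("closed", b"")


def check_lab(host, ports=(IDA_DBGSRV_PORT, SOCAT_PORT), timeout=2.0):
    """Return {port: state} for every lab port on `host`."""
    return {port: probe(host, port, timeout)[0] for port in ports}


if __name__ == "__main__":
    # 172.17.0.2 is the container address used in the article. Because of
    # socat's fork option, each probe of the socat port starts a fresh
    # instance of the target program.
    for port, state in check_lab("172.17.0.2").items():
        print(port, state)
```

A 'silent' result on the socat port is the case where the script should send input first, or read with a timeout, instead of calling a bare receive.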

This tutorial provides a reproducible environment for learning Linux exploitation, combining Docker isolation, IDA remote debugging, and pwntools automation.

Written by

ITPUB
