Share
## https://sploitus.com/exploit?id=1C6ADB5F-35FF-50E6-A083-310F628EF5B4
# pwn-claude-plugin
Claude Code plugin for binary exploitation (pwn) challenges on HackTheBox and CTFs.
> Part of a security plugin suite alongside [whitebox-claude-plugin](https://github.com/allsmog/whitebox-claude-plugin) and [blackbox-claude-plugin](https://github.com/allsmog/blackbox-claude-plugin).
## Features
- **5-Phase Methodology** โ structured workflow: setup, recon, static analysis, dynamic analysis, exploit development
- **16 Slash Commands** โ from full methodology (`/pwn`) to individual exploit templates (`/pwn-ret2libc`, `/pwn-rop`, etc.)
- **3 Autonomous Agents** โ binary-analyzer, exploit-suggester, template-generator
- **Pwntools Exploit Templates** โ ret2win, ret2libc, format string, master template
- **GDB/pwndbg Integration** โ project-specific `.gdbinit` generation, crash analysis, offset calculation
- **Hook-Based Binary Auto-Detection** โ automatically detects and analyzes ELF binaries on session start
- **Protection-Aware** โ adapts exploitation suggestions based on checksec output (NX, PIE, RELRO, canary, etc.)
## Installation
```bash
git clone https://github.com/allsmog/pwn-claude-plugin.git
claude --plugin-dir ./pwn-claude-plugin/pwn-htb
```
## Prerequisites
### Required
- Python 3.8+
- [pwntools](https://github.com/Gallopsled/pwntools) (`pip install pwntools`)
- GDB with [pwndbg](https://github.com/pwndbg/pwndbg) extension
- checksec (`apt install checksec` or via pwntools)
### Optional (auto-installed via pip if missing)
- ropper (`pip install ropper`)
- one_gadget (`gem install one_gadget`)
- seccomp-tools (`gem install seccomp-tools`)
- ROPgadget (`pip install ROPgadget`)
## Quick Start
```bash
claude --plugin-dir ./pwn-claude-plugin/pwn-htb
# Verify tools are installed
> /pwn-setup
# Recon a binary
> /pwn-recon ./challenge
# Static analysis
> /pwn-static ./challenge
# Generate an exploit from findings
> /pwn-exploit
```
Or run the full 5-phase methodology in one command:
```bash
> /pwn ./challenge
```
## Commands
### Main Workflow
| Command | Description |
|---------|-------------|
| `/pwn ` | Run full methodology (all 5 phases with confirmations) |
| `/pwn-setup` | Environment setup and tool verification |
| `/pwn-recon ` | Reconnaissance phase (checksec, file, strings) |
| `/pwn-static ` | Static analysis (disassembly, dangerous functions) |
| `/pwn-dynamic ` | Dynamic analysis (GDB scripts, offset calculation) |
| `/pwn-exploit` | Exploit development guidance |
### Exploit Templates
| Command | Description |
|---------|-------------|
| `/pwn-template` | Interactive template selector |
| `/pwn-ret2libc` | ret2libc / ret2system template |
| `/pwn-rop` | ROP chain construction template |
| `/pwn-format-string` | Format string exploit template |
| `/pwn-shellcode` | Shellcode injection template |
| `/pwn-got-overwrite` | GOT overwrite template |
| `/pwn-heap` | Heap exploitation (tcache/fastbin) template |
| `/pwn-srop` | Sigreturn-oriented programming template |
### Utilities
| Command | Description |
|---------|-------------|
| `/pwn-gdbinit` | Generate project-specific `.gdbinit` for pwndbg |
| `/pwn-libc ` | Identify libc version from leaked addresses |
## Agents
| Agent | Purpose |
|-------|---------|
| **binary-analyzer** | Autonomous reconnaissance and static analysis |
| **exploit-suggester** | Recommends exploitation techniques based on findings |
| **template-generator** | Creates customized pwntools exploit skeletons |
## Exploit Templates
Pre-built pwntools templates in `pwn-htb/templates/`:
| Template | File |
|----------|------|
| Master template | `exploit-template.py` |
| ret2win | `ret2win.py` |
| ret2libc | `ret2libc.py` |
| Format string | `format-string.py` |
## License
[MIT](LICENSE)