Showing
7 changed files
with
99 additions
and
1 deletion.
@@ -0,0 +1,9 @@ | ||
FROM adamdoupe/vuln-base:latest | ||
|
||
COPY contents/ /challenge | ||
RUN chmod +x challenge | ||
|
||
WORKDIR /challenge | ||
|
||
EXPOSE 31337 | ||
CMD ["/usr/sbin/xinetd", "-d", "-dontfork", "-f", "challenge.conf"] |
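Review bot: `RUN chmod +x challenge` on the fourth line runs before `WORKDIR /challenge`, so the relative path resolves against the base image's working directory rather than `/challenge`, and the copied binary stays non-executable unless `vuln-base` already defaults to that directory; `RUN chmod +x /challenge/challenge` (or moving the `WORKDIR` line above the `RUN`) removes the dependency on the base image. `COPY contents/ /challenge` also copies everything under `contents/`, which, going by the Makefile in this commit (`contents/$(CHALL_NAME).c`) and the README (`/challenge/flag`), appears to include the challenge's C source as well as the flag; if solvers are meant to receive only the binary, the source should be kept out with a `.dockerignore` or a narrower `COPY`. The image is pushed to Docker Hub by the Makefile's `deploy` target, so whatever lands in `/challenge` is public.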
@@ -0,0 +1,42 @@ | ||
CC_FLAGS = -m32 -fno-stack-protector -mpreferred-stack-boundary=2 -Wno-format -D_FORTIFY_SOURCE=0 | ||
|
||
|
||
MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST))) | ||
CURRENT_DIR := $(shell basename "$(shell dirname "$(MKFILE_PATH)")") | ||
|
||
CHALL_NAME = $(CURRENT_DIR) | ||
DOCKERHUB_ACCOUNT = adamdoupe | ||
ALL_CONTENTS_FILES = $(shell find contents -type f) | ||
|
||
THIS_FILE := $(lastword $(MAKEFILE_LIST)) | ||
|
||
|
||
.PHONY: run debug-shell build deploy run | ||
|
||
all: build | ||
|
||
run: | ||
docker run --rm -p 127.0.0.1:31337:31337 -it $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME) | ||
|
||
debug-shell: | ||
docker run --rm --security-opt seccomp:unconfined -it $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME) bash | ||
|
||
build: | ||
docker build . -t $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME) | ||
|
||
deploy: build | ||
docker push $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME) | ||
|
||
compile: contents/challenge | ||
|
||
contents/challenge: contents/$(CHALL_NAME).c | ||
@$(MAKE) -f $(THIS_FILE) build | ||
docker run -i --rm -v /build --volumes-from=$(BUILD) $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME) bash -c "gcc $(CC_FLAGS) $(CHALL_NAME).c -o /build/$(CHALL_NAME)"; status=$$?; docker cp $(BUILD):/build/$(CHALL_NAME) .; docker rm -f -v $(BUILD); cp $(CHALL_NAME) contents/challenge; exit $$status | ||
@$(MAKE) -f $(THIS_FILE) build | ||
|
||
libc.so.6: | ||
docker run -i --rm $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME) bash -c 'echo "$$(file ./challenge)" | grep "32-bit"; if [ $$? -eq 0 ]; then cat /lib/i386-linux-gnu/libc.so.6; else cat /lib/x86_64-linux-gnu/libc.so.6; fi;' > libc.so.6 | ||
|
||
|
||
BUILD_GEN = $(shell docker create -v /build $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME)) | ||
BUILD = $(eval BUILD := $(BUILD_GEN))$(BUILD) |
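Review bot: In the `contents/challenge` recipe the commands after the in-container `gcc` are chained with `;`, so when compilation fails `docker cp` fails too and `cp $(CHALL_NAME) contents/challenge` still copies whatever stale `$(CHALL_NAME)` is left in the working directory before `exit $$status`; the target then carries a fresh mtime and the next `make compile` may treat it as up to date. Adding `.DELETE_ON_ERROR:` near the top of the file makes Make remove the half-updated target when the recipe exits non-zero, and guarding the copy with `[ $$status -eq 0 ] && cp $(CHALL_NAME) contents/challenge` avoids the stale copy entirely. The `libc.so.6` rule has the same weakness, since the `> libc.so.6` redirect leaves an empty but newer file if both `cat`s fail; writing to `$@.tmp` and `mv -f $@.tmp $@` at the end fixes that one. Separately, `.PHONY` lists `run` twice and omits `all` and `compile`, and `CC_FLAGS` deliberately disables the stack protector and FORTIFY_SOURCE for this pwnable, which deserves a one-line comment such as `# intentionally unhardened build: this binary is the CTF target`.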
@@ -0,0 +1,46 @@ | ||
# `johns-library` from poliCTF 2015 | ||
|
||
`johns-library` is an excellent challenge from the | ||
[2015 poliCTF][polictf-2015]. | ||
|
||
You are given the [binary][binary]. The challange was `pwnable` worth 150 points. | ||
|
||
The goal is to write a repeatable exploit script to steal the flag | ||
(located at `/challenge/flag`) remotely. | ||
|
||
To run the challenge locally on your machine: | ||
|
||
docker run -p 127.0.0.1:31337:31337 -it adamdoupe/johns-library | ||
|
||
This will download the [docker image][docker-container] and run it | ||
using docker. The challenge is running under [xinetd][xinetd-man] on | ||
port 31337 in the container. The `-p` option maps the localhost's port | ||
31337 to the docker container's port 31337. The 127.0.0.1 part is | ||
optional (this restricts the port on your actual machine to only | ||
listen for connections from localhost), however you are running | ||
intentionally vulnerable software on your machine, so it's not a good | ||
idea for it to be accessible to other machines. | ||
|
||
You should then be able to access johns-library like so: | ||
|
||
nc localhost 31337 | ||
|
||
To jump in and debug the program, you can use the following command | ||
to get a bash shell | ||
|
||
docker run --security-opt seccomp:unconfined -it adamdoupe/johns-library bash | ||
|
||
[google-quals-2017]: https://ctftime.org/event/455 | ||
[quals-2016]: https://ctftime.org/event/320 | ||
[pctf-2017]: https://ctftime.org/event/439 | ||
[polictf-2015]: https://ctftime.org/event/207 | ||
[binary]: johns-library | ||
[docker-container]: https://hub.docker.com/r/adamdoupe/johns-library/ | ||
[xinetd-man]: https://linux.die.net/man/8/xinetd | ||
[adamd-homepage]: http://adamdoupe.com | ||
[rop]: https://en.wikipedia.org/wiki/Return-oriented_programming | ||
[babys-first-rop-32]: ../babys-first-rop-32/README.md | ||
[baby-pivot]: ../baby-pivot/README.md | ||
[format-your-pivot]: ../format-your-pivot/README.md | ||
[one-byte-to-freedom]: ../one-byte-to-freedom/README.md | ||
[libc]: libc.so.6 |
Binary file not shown.
@@ -0,0 +1 @@ | ||
flag{John_should_read_a_real_book_on_s3cur3_pr0gr4mm1ng} |
Binary file not shown.