diff --git a/inst_prof/README.md b/inst_prof/README.md
index de608f5..9c7e8a6 100644
--- a/inst_prof/README.md
+++ b/inst_prof/README.md
@@ -1,4 +1,4 @@
-# `inst_prof` from DEFCON Quals 2016
+# `inst_prof` from 2017 GoogleCTF Quals
 `inst_prof` is an excellent challenge from the [2017 GoogleCTF Quals][google-quals-2017].
diff --git a/johns-library/Dockerfile b/johns-library/Dockerfile
new file mode 100644
index 0000000..3b6766e
--- /dev/null
+++ b/johns-library/Dockerfile
@@ -0,0 +1,9 @@
+FROM adamdoupe/vuln-base:latest
+
+COPY contents/ /challenge
+RUN chmod +x challenge
+
+WORKDIR /challenge
+
+EXPOSE 31337
+CMD ["/usr/sbin/xinetd", "-d", "-dontfork", "-f", "challenge.conf"]
diff --git a/johns-library/Makefile b/johns-library/Makefile
new file mode 100644
index 0000000..645f625
--- /dev/null
+++ b/johns-library/Makefile
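Review bot: `RUN chmod +x challenge` comes before `WORKDIR /challenge`, so the relative path is resolved against whatever working directory adamdoupe/vuln-base:latest happens to set; unless that base image already uses /challenge, the step either fails the build or touches an unrelated file. Writing it as `RUN chmod +x /challenge/challenge`, or moving it below the WORKDIR line, removes the dependence on the base image's layout. `COPY contents/ /challenge` also ships `contents/flag`, which this commit adds with mode 100644, so the flag is readable by every uid in the container; that matches the intended challenge design but deserves a one-line comment so it is not tightened later by mistake. `challenge.conf`, which the CMD hands to xinetd, is not part of this commit, so it presumably comes from the base image — worth stating in a comment next to the CMD.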
@@ -0,0 +1,42 @@
+CC_FLAGS = -m32 -fno-stack-protector -mpreferred-stack-boundary=2 -Wno-format -D_FORTIFY_SOURCE=0
+
+
+MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
+CURRENT_DIR := $(shell basename "$(shell dirname "$(MKFILE_PATH)")")
+
+CHALL_NAME = $(CURRENT_DIR)
+DOCKERHUB_ACCOUNT = adamdoupe
+ALL_CONTENTS_FILES = $(shell find contents -type f)
+
+THIS_FILE := $(lastword $(MAKEFILE_LIST))
+
+
+.PHONY: run debug-shell build deploy run
+
+all: build
+
+run:
+ docker run --rm -p 127.0.0.1:31337:31337 -it $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME)
+
+debug-shell:
+ docker run --rm --security-opt seccomp:unconfined -it $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME) bash
+
+build:
+ docker build . -t $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME)
+
+deploy: build
+ docker push $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME)
+
+compile: contents/challenge
+
+contents/challenge: contents/$(CHALL_NAME).c
+ @$(MAKE) -f $(THIS_FILE) build
+ docker run -i --rm -v /build --volumes-from=$(BUILD) $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME) bash -c "gcc $(CC_FLAGS) $(CHALL_NAME).c -o /build/$(CHALL_NAME)"; status=$$?; docker cp $(BUILD):/build/$(CHALL_NAME) .; docker rm -f -v $(BUILD); cp $(CHALL_NAME) contents/challenge; exit $$status
+ @$(MAKE) -f $(THIS_FILE) build
+
+libc.so.6:
+ docker run -i --rm $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME) bash -c 'echo "$$(file ./challenge)" | grep "32-bit"; if [ $$? -eq 0 ]; then cat /lib/i386-linux-gnu/libc.so.6; else cat /lib/x86_64-linux-gnu/libc.so.6; fi;' > libc.so.6
+
+
+BUILD_GEN = $(shell docker create -v /build $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME))
+BUILD = $(eval BUILD := $(BUILD_GEN))$(BUILD)
diff --git a/johns-library/README.md b/johns-library/README.md
new file mode 100644
index 0000000..cd186fe
--- /dev/null
+++ b/johns-library/README.md
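Review bot: In the `contents/challenge` recipe the exit status of the gcc step is captured in `status` but only acted on at the very end, so `docker cp` and `cp $(CHALL_NAME) contents/challenge` still run after a failed compile; a stale `$(CHALL_NAME)` left in the working directory by an earlier run is then copied over `$@` with a fresh mtime, and because the file sets no `.DELETE_ON_ERROR:` the next `make compile` treats the broken target as up to date. Guarding the copy on `status`, naming the target as `$@`, and adding `.DELETE_ON_ERROR:` closes that gap; the rewrite below keeps the extra copy in the working directory because this commit ships it as `johns-library/johns-library` (same blob as `contents/challenge`) and the README links to it. Smaller points in the same hunk: `.PHONY` lists `run` twice and omits `all` and `compile`, and `ALL_CONTENTS_FILES` wraps `$(shell find …)` in a recursive `=` assignment but is never used. The tab before each recipe line has been flattened to a space in this rendering of the hunk, so the recipe indentation cannot be checked here.
```make
.DELETE_ON_ERROR:

contents/challenge: contents/$(CHALL_NAME).c
	@$(MAKE) -f $(THIS_FILE) build
	docker run -i --rm -v /build --volumes-from=$(BUILD) $(DOCKERHUB_ACCOUNT)/$(CHALL_NAME) bash -c "gcc $(CC_FLAGS) $(CHALL_NAME).c -o /build/$(CHALL_NAME)"; status=$$?; \
	if [ $$status -eq 0 ]; then docker cp $(BUILD):/build/$(CHALL_NAME) $(CHALL_NAME) && cp $(CHALL_NAME) $@; status=$$?; fi; \
	docker rm -f -v $(BUILD); exit $$status
	# … unchanged: second $(MAKE) build that bakes the fresh binary into the image …
```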
@@ -0,0 +1,46 @@
+# `johns-library` from poliCTF 2015
+
+`johns-library` is an excellent challenge from the
+[2015 poliCTF][polictf-2015].
+
+You are given the [binary][binary]. The challange was `pwnable` worth 150 points.
+
+The goal is to write a repeatable exploit script to steal the flag
+(located at `/challenge/flag`) remotely.
+
+To run the challenge locally on your machine:
+
+ docker run -p 127.0.0.1:31337:31337 -it adamdoupe/johns-library
+
+This will download the [docker image][docker-container] and run it
+using docker. The challenge is running under [xinetd][xinetd-man] on
+port 31337 in the container. The `-p` option maps the localhost's port
+31337 to the docker container's port 31337. The 127.0.0.1 part is
+optional (this restricts the port on your actual machine to only
+listen for connections from localhost), however you are running
+intentionally vulnerable software on your machine, so it's not a good
+idea for it to be accessible to other machines.
+
+You should then be able to access johns-library like so:
+
+ nc localhost 31337
+
+To jump in and debug the program, you can use the following command
+to get a bash shell
+
+ docker run --security-opt seccomp:unconfined -it adamdoupe/johns-library bash
+
+[google-quals-2017]: https://ctftime.org/event/455
+[quals-2016]: https://ctftime.org/event/320
+[pctf-2017]: https://ctftime.org/event/439
+[polictf-2015]: https://ctftime.org/event/207
+[binary]: johns-library
+[docker-container]: https://hub.docker.com/r/adamdoupe/johns-library/
+[xinetd-man]: https://linux.die.net/man/8/xinetd
+[adamd-homepage]: http://adamdoupe.com
+[rop]: https://en.wikipedia.org/wiki/Return-oriented_programming
+[babys-first-rop-32]: ../babys-first-rop-32/README.md
+[baby-pivot]: ../baby-pivot/README.md
+[format-your-pivot]: ../format-your-pivot/README.md
+[one-byte-to-freedom]: ../one-byte-to-freedom/README.md
+[libc]: libc.so.6
diff --git a/johns-library/contents/challenge b/johns-library/contents/challenge
new file mode 100755
index 0000000..74e4c08
Binary files /dev/null and b/johns-library/contents/challenge differ
diff --git a/johns-library/contents/flag b/johns-library/contents/flag
new file mode 100644
index 0000000..788f258
--- /dev/null
+++ b/johns-library/contents/flag
@@ -0,0 +1 @@
+flag{John_should_read_a_real_book_on_s3cur3_pr0gr4mm1ng}
\ No newline at end of file
diff --git a/johns-library/johns-library b/johns-library/johns-library
new file mode 100755
index 0000000..74e4c08
Binary files /dev/null and b/johns-library/johns-library differ