add source code and scripts

hzqmwne · Jul 5, 2021 · 10e4254 · 10e4254
1 parent 9fc79b7
commit 10e4254
Show file tree

Hide file tree

Showing 33 changed files with 2,660 additions and 0 deletions.
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/Dockerfile b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/Dockerfile
@@ -0,0 +1,13 @@
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && \
+	apt-get upgrade -y && \
+	apt-get install -y xinetd socat busybox
+
+RUN apt-get install -y libpixman-1-0 libglib2.0-0
+
+CMD ["/usr/sbin/xinetd", "-dontfork"]
+#CMD ["/usr/bin/socat", "tcp-l:8888,fork,reuseaddr", "exec:/home/pwn/start.sh,stderr,setsid,su=nobody"]
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/docker-compose.yml b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/docker-compose.yml
@@ -0,0 +1,25 @@
+services:
+    pwn:
+        build: ./
+        image: secure_storage
+        container_name: secure_storage_pwn_1
+        #tty: true
+        #command: ["/usr/sbin/xinetd", "-dontfork", "-d"]
+        volumes:
+            - ./share:/home/pwn:ro
+            - ./pwn-xinetd:/etc/xinetd.d/pwn-xinetd:ro
+            - ./tmp:/tmp:rw
+        ports:
+            - "12021:8888"    # 
+        pids_limit: 1024
+        restart: unless-stopped
+        deploy:
+            resources:
+                limits:
+                    cpus: '6.00'
+                    memory: 16G
+
+#networks:
+#    default:
+#        external: true
+#        name: pwn
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/generate.sh b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/generate.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+if [ $(id -u) -ne 0 ];then
+    echo "the user is not root"
+    exit 1
+fi
+
+
+cd $(dirname $0)
+
+
+rm -rf rootfs share
+
+mkdir -m 0755 rootfs
+(cd rootfs && mkdir -m 0755 bin challenge dev etc proc sbin sys usr etc/init.d usr/bin usr/sbin)
+(cd rootfs && mkdir -m 1777 tmp)
+
+
+cp ../../develop/busybox-x86_64 rootfs/bin/busybox
+chmod 0755 rootfs/bin/busybox
+
+(cd rootfs && bin/busybox --list-full | sed 's/^usr\/s\?bin\/.*\?$/..\/..\/bin\/busybox \0/g  ;  s/^sbin\/.*\?$/..\/bin\/busybox \0/g  ;  s/^bin\/.*\?$/busybox \0/g  ;  s/^linuxrc$/bin\/busybox \0/g' | xargs -L 1 ln -s)
+
+
+cp inittab rootfs/etc/
+chmod 0644 rootfs/etc/inittab
+cp rcS rootfs/etc/init.d/
+chmod 0755 rootfs/etc/init.d/rcS
+
+cp ../../src/ss_stripped.ko rootfs/challenge/ss.ko
+chmod 0644 rootfs/challenge/ss.ko
+
+cp ../../src/ss_agent_stripped rootfs/challenge/ss_agent
+chgrp 900 rootfs/challenge/ss_agent
+chmod 2755 rootfs/challenge/ss_agent
+
+cp secrets/admin_key.txt rootfs/challenge/
+chgrp 900 rootfs/challenge/admin_key.txt
+chmod 0640 rootfs/challenge/admin_key.txt
+
+cp secrets/secret2.txt rootfs/challenge/
+chgrp 900 rootfs/challenge/secret2.txt
+chmod 0640 rootfs/challenge/secret2.txt
+
+cp secrets/secret3.txt rootfs/challenge/
+chmod 0600 rootfs/challenge/secret3.txt
+
+
+mkdir -m 755 share
+(cd ./rootfs ; find . | cpio -o -H newc --quiet > ../share/initramfs.cpio)
+cp ../../develop/boot/vmlinuz-5.4.0-77-generic ./share/vmlinuz && chmod 0644 ./share/vmlinuz
+strip ../../develop/qemu-4.2.1/x86_64-softmmu/qemu-system-x86_64 -o ./share/qemu-system-x86_64
+mkdir -m 755 share/pc-bios
+cp ../../develop/qemu-4.2.1/pc-bios/bios-256k.bin ./share/pc-bios/
+cp ../../develop/qemu-4.2.1/pc-bios/kvmvapic.bin ./share/pc-bios/
+cp ../../develop/qemu-4.2.1/pc-bios/linuxboot_dma.bin ./share/pc-bios/
+cp ../../develop/qemu-4.2.1/pc-bios/vgabios-stdvga.bin ./share/pc-bios/
+cp ../../develop/qemu-4.2.1/pc-bios/efi-e1000.rom ./share/pc-bios/
+
+cp start.sh share/
+cp secrets/flag.txt share/
+
+
+
+tar zcf secure_storage_attachments_on_server.tar.gz share Dockerfile docker-compose.yml pwn-xinetd tmp
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/inittab b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/inittab
@@ -0,0 +1,6 @@
+::sysinit:/etc/init.d/rcS
+ttyS0::respawn:/usr/bin/setuidgid 1000 /bin/sh
+::ctrlaltdel:/sbin/reboot
+::shutdown:/sbin/swapoff -a
+::shutdown:/bin/umount -a -r
+::restart:/sbin/init
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/pwn-xinetd b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/pwn-xinetd
@@ -0,0 +1,21 @@
+service pwn
+{
+    disable = no
+    type        = UNLISTED
+    wait        = no
+    server      = /usr/bin/socat
+    server_args = stdio exec:/home/pwn/start.sh,stderr,setsid
+    socket_type = stream
+    protocol    = tcp
+    user        = 1000
+    port        = 8888
+    # bind        = 0.0.0.0
+    # safety options
+    flags       = REUSE
+    per_source  = 10 # the maximum instances of this service per source IP address
+    #rlimit_cpu  = 1 # the maximum number of CPU seconds that the service may use
+    #rlimit_as  = 1024M # the Address Space resource limit for the service
+    #access_times = 2:00-9:00 12:00-24:00
+    #nice        = 18
+}
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/rcS b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/rcS
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+mount -t proc proc /proc
+mount -t sysfs sysfs /sys
+mount -t devtmpfs devtmpfs /dev
+mkdir /dev/pts
+mount -t devpts devpts /dev/pts
+
+insmod /challenge/ss.ko
+chgrp 900 /dev/ss
+chmod 660 /dev/ss 
+
+echo "0 0 0 0" > /proc/sys/kernel/printk
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/secrets/admin_key.txt b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/secrets/admin_key.txt
@@ -0,0 +1,2 @@
+yIqOWG6uyE2xldHdJef7AnsRNS01Px1I
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/secrets/flag.txt b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/secrets/flag.txt
@@ -0,0 +1,2 @@
+flag{TlAGbj9cgBNfsUCW3iJaO2e13xz0Wkrs}
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/secrets/secret2.txt b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/secrets/secret2.txt
@@ -0,0 +1,2 @@
+LquGZdVsbz3aff5iVIOjrO9FaF9DONcF
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/secrets/secret3.txt b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/secrets/secret3.txt
@@ -0,0 +1 @@
+cnhhE41Ob0sJpWSP3yZFdYd1QWmRimWf
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/start.sh b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/on_server/start.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+cd $(dirname $0)
+
+exec timeout -s KILL 60m ./qemu-system-x86_64 \
+    -L ./pc-bios \
+    -m 128M \
+    -cpu qemu64,+smep,+smap \
+    -smp 2 \
+    -kernel ./vmlinuz \
+    -initrd ./initramfs.cpio \
+    -append "console=ttyS0 root=/dev/ram rw rdinit=/sbin/init kaslr pti=on oops=panic panic=1 quiet" \
+    -device ss \
+    -monitor none \
+    -nographic
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/Dockerfile b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/Dockerfile
@@ -0,0 +1,12 @@
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && \
+	apt-get upgrade -y && \
+	apt-get install -y xinetd socat busybox
+
+RUN apt-get install -y libpixman-1-0 libglib2.0-0
+
+CMD ["/usr/sbin/xinetd", "-dontfork"]
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/docker-compose.yml b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/docker-compose.yml
@@ -0,0 +1,13 @@
+services:
+    pwn:
+        build: ./
+        image: secure_storage
+        container_name: secure_storage_pwn_1
+        volumes:
+            - ./share:/home/pwn:ro
+            - ./pwn-xinetd:/etc/xinetd.d/pwn-xinetd:ro
+            - ./tmp:/tmp:rw
+        ports:
+            - "12021:8888"
+        restart: unless-stopped
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/generate.sh b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/generate.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+if [ $(id -u) -ne 0 ];then
+    echo "the user is not root"
+    exit 1
+fi
+
+
+cd $(dirname $0)
+
+
+rm -rf rootfs share
+
+mkdir -m 0755 rootfs
+(cd rootfs && mkdir -m 0755 bin challenge dev etc proc sbin sys usr etc/init.d usr/bin usr/sbin)
+(cd rootfs && mkdir -m 1777 tmp)
+
+
+cp ../../develop/busybox-x86_64 rootfs/bin/busybox
+chmod 0755 rootfs/bin/busybox
+
+(cd rootfs && bin/busybox --list-full | sed 's/^usr\/s\?bin\/.*\?$/..\/..\/bin\/busybox \0/g  ;  s/^sbin\/.*\?$/..\/bin\/busybox \0/g  ;  s/^bin\/.*\?$/busybox \0/g  ;  s/^linuxrc$/bin\/busybox \0/g' | xargs -L 1 ln -s)
+
+
+cp inittab rootfs/etc/
+chmod 0644 rootfs/etc/inittab
+cp rcS rootfs/etc/init.d/
+chmod 0755 rootfs/etc/init.d/rcS
+
+cp ../../src/ss_stripped.ko rootfs/challenge/ss.ko
+chmod 0644 rootfs/challenge/ss.ko
+
+cp ../../src/ss_agent_stripped rootfs/challenge/ss_agent
+chgrp 900 rootfs/challenge/ss_agent
+chmod 2755 rootfs/challenge/ss_agent
+
+cp secrets/admin_key.txt rootfs/challenge/
+chgrp 900 rootfs/challenge/admin_key.txt
+chmod 0640 rootfs/challenge/admin_key.txt
+
+cp secrets/secret2.txt rootfs/challenge/
+chgrp 900 rootfs/challenge/secret2.txt
+chmod 0640 rootfs/challenge/secret2.txt
+
+cp secrets/secret3.txt rootfs/challenge/
+chmod 0600 rootfs/challenge/secret3.txt
+
+
+mkdir -m 755 share
+(cd ./rootfs ; find . | cpio -o -H newc --quiet > ../share/initramfs.cpio)
+cp ../../develop/boot/vmlinuz-5.4.0-77-generic ./share/vmlinuz && chmod 0644 ./share/vmlinuz
+strip ../../develop/qemu-4.2.1/x86_64-softmmu/qemu-system-x86_64 -o ./share/qemu-system-x86_64
+mkdir -m 755 share/pc-bios
+cp ../../develop/qemu-4.2.1/pc-bios/bios-256k.bin ./share/pc-bios/
+cp ../../develop/qemu-4.2.1/pc-bios/kvmvapic.bin ./share/pc-bios/
+cp ../../develop/qemu-4.2.1/pc-bios/linuxboot_dma.bin ./share/pc-bios/
+cp ../../develop/qemu-4.2.1/pc-bios/vgabios-stdvga.bin ./share/pc-bios/
+cp ../../develop/qemu-4.2.1/pc-bios/efi-e1000.rom ./share/pc-bios/
+
+cp start.sh share/
+cp secrets/flag.txt share/
+
+
+
+tar zcf secure_storage_attachments_to_player.tar.gz share Dockerfile docker-compose.yml pwn-xinetd tmp
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/inittab b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/inittab
@@ -0,0 +1,6 @@
+::sysinit:/etc/init.d/rcS
+ttyS0::respawn:/usr/bin/setuidgid 1000 /bin/sh
+::ctrlaltdel:/sbin/reboot
+::shutdown:/sbin/swapoff -a
+::shutdown:/bin/umount -a -r
+::restart:/sbin/init
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/pwn-xinetd b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/pwn-xinetd
@@ -0,0 +1,14 @@
+service pwn
+{
+    disable = no
+    type        = UNLISTED
+    wait        = no
+    server      = /usr/bin/socat
+    server_args = stdio exec:/home/pwn/start.sh,stderr,setsid
+    socket_type = stream
+    protocol    = tcp
+    user        = 1000
+    port        = 8888
+    flags       = REUSE
+}
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/rcS b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/rcS
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+mount -t proc proc /proc
+mount -t sysfs sysfs /sys
+mount -t devtmpfs devtmpfs /dev
+mkdir /dev/pts
+mount -t devpts devpts /dev/pts
+
+insmod /challenge/ss.ko
+chgrp 900 /dev/ss
+chmod 660 /dev/ss 
+
+echo "0 0 0 0" > /proc/sys/kernel/printk
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/secrets/admin_key.txt b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/secrets/admin_key.txt
@@ -0,0 +1,6 @@
+0123456789abcdefFEDCBA9876543210
+
+(32 bytes)
+(possible chars: [0-9,a-z,A-Z])
+(this is only a sample, the correct admin key is on remote server)
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/secrets/flag.txt b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/secrets/flag.txt
@@ -0,0 +1,4 @@
+flag{sample}
+
+(this is only a sample, the correct flag is on remote server)
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/secrets/secret2.txt b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/secrets/secret2.txt
@@ -0,0 +1,4 @@
+secret2secret2secret2secret2secret2secret2secret2secret2
+
+(this is only a sample, the correct secret2 is on remote server)
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/secrets/secret3.txt b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/secrets/secret3.txt
@@ -0,0 +1,4 @@
+secret3secret3secret3secret3secret3secret3secret3
+
+(this is only a sample, the correct secret3 is on remote server)
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/start.sh b/0CTF_TCTF-2021-Quals/Secure Storage/deployment/to_player/start.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+cd $(dirname $0)
+
+exec timeout -s KILL 60m ./qemu-system-x86_64 \
+    -L ./pc-bios \
+    -m 128M \
+    -cpu qemu64,+smep,+smap \
+    -smp 2 \
+    -kernel ./vmlinuz \
+    -initrd ./initramfs.cpio \
+    -append "console=ttyS0 root=/dev/ram rw rdinit=/sbin/init kaslr pti=on oops=panic panic=1 quiet" \
+    -device ss \
+    -monitor none \
+    -nographic
+
diff --git a/0CTF_TCTF-2021-Quals/Secure Storage/develop/prepare.sh b/0CTF_TCTF-2021-Quals/Secure Storage/develop/prepare.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+
+# download
+
+wget https://download.qemu.org/qemu-4.2.1.tar.xz
+
+wget http://archive.ubuntu.com/ubuntu/pool/main/l/linux-signed/linux-image-5.4.0-77-generic_5.4.0-77.86_amd64.deb
+wget http://archive.ubuntu.com/ubuntu/pool/main/l/linux/linux-modules-5.4.0-77-generic_5.4.0-77.86_amd64.deb
+wget http://archive.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-5.4.0-77_5.4.0-77.86_all.deb
+wget http://archive.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-5.4.0-77-generic_5.4.0-77.86_amd64.deb
+
+wget http://archive.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-dev_2.27-3ubuntu1.2_amd64.deb
+
+wget https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-x86_64
+
+# wget https://raw.githubusercontent.com/hugsy/gdb-static/master/gdbserver-7.10.1-x64
+
+# extract
+
+tar Jxvf qemu-4.2.1.tar.xz
+
+dpkg -x linux-image*.deb ./
+dpkg -x linux-headers*all.deb ./
+dpkg -x linux-headers*amd64.deb ./
+dpkg -x libc6-dev*.deb ./
+
+# create symbol links
+
+ln -s ../src/ss_device.c qemu-4.2.1/hw/misc/
+echo 'common-obj-y += ss_device.o' >> qemu-4.2.1/hw/misc/Makefile.objs
+
+ln -s ../prepare/usr/lib/x86_64-linux-gnu/libc.a ../src/
+
+ln -s ../prepare/busybox-x86_64 ../src/
+
+
+# build qemu with new device
+
+(cd qemu-4.2.1; ./configure --target-list=x86_64-softmmu; make)
+
+