First stab at the services image

2009-10-05 17:09:20 -06:00 · 2009-10-05 17:09:20 -06:00 · 266951612b
parent 4de0f9c088
commit 266951612b
14 changed files with 281 additions and 2 deletions
--- a/ctf.css
+++ b/ctf.css
@ -64,6 +64,10 @@ th, td {
    vertical-align: top;
 }

+.scoreboard {
+    background: #222;
+}
+
 .scoreboard td {
    height: 400px;
 }
--- a/kevin/Makefile
+++ b/kevin/Makefile
@ -10,7 +10,7 @@ kevin.tce: target
 target: kevin.py run log.run
 	$(INSTALL) -D kevin.py target/usr/bin/kevin.py

-	$(INSTALL) --owner=100 -d target/var/lib/ctf/kevin/tokens
+	$(INSTALL) --owner=100 -d target/var/lib/kevin/tokens

 	$(INSTALL) -d target/var/service/kevin
 	$(INSTALL) run target/var/service/kevin/run
--- a/kevin/run
+++ b/kevin/run
@ -2,4 +2,4 @@

 [ -f /var/lib/ctf/disabled/kevin ] && exit 0

-exec envuidgid ctf /usr/bin/kevin.py --victims=/var/lib/ctf/kevin/victims.txt --tokens=/var/lib/ctf/kevin/tokens
+exec envuidgid ctf /usr/bin/kevin.py --victims=/var/lib/kevin/victims.txt --tokens=/var/lib/kevin/tokens
--- a/pwnables/Makefile
+++ b/pwnables/Makefile
@ -0,0 +1,28 @@
+CGI = cat.cgi
+
+TARGET = $(CURDIR)/target
+
+FAKE = fakeroot -s $(CURDIR)/fake -i $(CURDIR)/fake
+INSTALL = $(FAKE) install
+
+all: target
+
+target:
+	$(INSTALL) -d $(TARGET)
+	$(MAKE) -C daemons TARGET=$(TARGET) install
+
+	$(INSTALL) -D init/networking $(TARGET)/var/service/networking/run
+	$(INSTALL) -D init/telnetd $(TARGET)/var/service/networking/run
+	$(INSTALL) -D init/tftpd $(TARGET)/var/service/networking/run
+	$(INSTALL) -d $(TARGET)/usr/lib/www
+
+	$(INSTALL) $(CGI) $(TARGET)/usr/lib/www
+
+	$(INSTALL) -D flag $(TARGET)/var/lib/tftp/flag
+	$(INSTALL) -D flag $(TARGET)/var/lib/notes/flag
+	$(INSTALL) -D flag $(TARGET)/var/lib//flag
+	$(INSTALL) -D flag $(TARGET)/var/lib/tftp/flag
+
+
+clean:
+	rm -rf target
--- a/pwnables/cat.cgi
+++ b/pwnables/cat.cgi
@ -0,0 +1,6 @@
+#! /bin/sh
+
+echo 'Content-type: text/plain'
+echo
+cat .$PATH_INFO
+
--- a/pwnables/daemons/Makefile
+++ b/pwnables/daemons/Makefile
@ -0,0 +1,21 @@
+SBIN = in.fingerd in.noted
+BIN = notecli
+
+TARGET ?= $(CURDIR)/target
+FAKE = fakeroot -s $(CURDIR)/fake -i $(CURDIR)/fake
+INSTALL = $(FAKE) install
+
+all: $(SBIN) $(BIN)
+
+install: all
+	$(INSTALL) -d $(TARGET)/usr/sbin
+	$(INSTALL) -s $(SBIN) $(TARGET)/usr/sbin
+
+	$(INSTALL) -d $(TARGET)/usr/bin
+	$(INSTALL) -s $(BIN) $(TARGET)/usr/bin
+
+	$(INSTALL) -d $(TARGET)/var/service/fingerd
+	$(INSTALL) run.fingerd $(TARGET)/var/service/fingerd/run
+
+	$(INSTALL) -d $(TARGET)/var/service/noted
+	$(INSTALL) run.noted $(TARGET)/var/service/noted/run
--- a/pwnables/daemons/in.fingerd.c
+++ b/pwnables/daemons/in.fingerd.c
@ -0,0 +1,44 @@
+#include <syslog.h>
+#include <stdio.h>
+
+int
+main(int argc, char *argv)
+{
+  char    user[256];
+  char    path[512];
+  char   *data;
+  FILE   *f;
+  size_t  count;
+  int     i;
+  char   *peer = getenv("REMOTEADDR");
+
+  openlog("in.fingerd", LOG_PID, LOG_USER);
+  if (NULL == gets(user)) {
+    return 0;
+  }
+  for (data = user; *data; data += 1) {
+    if ('\r' == *data) {
+      *data = 0;
+    }
+  }
+  if (peer) {
+    syslog(LOG_INFO, "%s requests %s", peer, user);
+  }
+  if (0 == user[0]) {
+    printf("Nobody's home.\n");
+    return 0;
+  }
+
+  sprintf(path, "/home/%s/.plan", user);
+  f = fopen(path, "r");
+  if (NULL == f) {
+    printf("No such user.\n");
+    return 0;
+  }
+
+  data = path;
+  while (count = fread(data, sizeof(*data), 1, f)) {
+    fwrite(data, count, 1, stdout);
+  }
+  return 0;
+}
--- a/pwnables/daemons/in.noted.c
+++ b/pwnables/daemons/in.noted.c
@ -0,0 +1,55 @@
+#include <stdio.h>
+#include <syslog.h>
+
+void
+readntrim(char *s)
+{
+  gets(s);
+  for (; *s; s++) {
+    switch (*s) {
+      case '\n':
+      case '\r':
+        *s = 0;
+    }
+  }
+}
+
+int
+main(int argc, char *argv)
+{
+  int   cmd;
+  char  line[4096];
+  char  note[512];
+  FILE *f = NULL;
+  char   *peer = getenv("REMOTEADDR");
+
+  openlog("in.noted", LOG_PID, LOG_USER);
+  switch (getc(stdin)) {
+    case EOF:
+      return 0;
+    case 'r':
+      readntrim(note);
+      if (peer) {
+        syslog(LOG_INFO, "%s read %s", peer, note);
+      }
+      f = fopen(note, "r");
+      while (fgets(line, sizeof(line), f)) {
+        fputs(line, stdout);
+      }
+      fclose(f);
+      break;
+    case 'w':
+      readntrim(note);
+      if (peer) {
+        syslog(LOG_INFO, "%s write %s", peer, note);
+      }
+      f = fopen(note, "w");
+      while (gets(line)) {
+        fputs(line, f);
+      }
+      fclose(f);
+      break;
+  }
+
+  return 0;
+}
--- a/pwnables/daemons/notecli.c
+++ b/pwnables/daemons/notecli.c
@ -0,0 +1,90 @@
+#include <stdio.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <string.h>
+
+int
+open_connection(char *host, int port)
+{
+  struct sockaddr_in  addr;
+  struct hostent     *h;
+  int                 fd;
+
+  if (! inet_aton(host, &(addr.sin_addr))) {
+    if (!(h = gethostbyname(host))) {
+      return -1;
+    } else {
+      memcpy(&(addr.sin_addr), h->h_addr, h->h_length);
+    }
+  }
+  fd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (fd == -1) {
+    return -1;
+  }
+  addr.sin_family = AF_INET;
+  addr.sin_port = htons(port);
+  if (connect(fd, (struct sockaddr *)&addr, sizeof(addr))) {
+    close(fd);
+    return -1;
+  }
+
+  return fd;
+}
+
+void
+clean(char *s)
+{
+  for (; *s; s++) {
+    switch (*s) {
+      case '/':
+      case '.':
+        *s = '_';
+    }
+  }
+}
+
+int
+main(int argc, char *argv[])
+{
+  int     fd;
+  char    s[4096];
+  ssize_t len;
+
+  if (4 != argc) {
+    printf("Usage: %s HOST NOTE COMMAND\n", argv[0]);
+    printf("\n");
+    printf("  COMMAND must be 'r' (read) or 'w' (write).\n");
+    printf("  For w, input is taken from stdin.\n");
+    return 1;
+  }
+
+  fd = open_connection(argv[1], 4000);
+  clean(argv[2]);
+  switch (argv[3][0]) {
+    case 'r':
+      write(fd, "r", 1);
+      write(fd, argv[2], strlen(argv[2]));
+      write(fd, "\n", 1);
+      do {
+        len = read(fd, s, sizeof(s));
+        write(1, s, len);
+      } while (len);
+      break;
+    case 'w':
+      write(fd, "w", 1);
+      write(fd, argv[2], strlen(argv[2]));
+      write(fd, "\n", 1);
+      do {
+        len = read(0, s, sizeof(s));
+        write(fd, s, len);
+      } while (len);
+      break;
+    default:
+      printf("I don't understand that command.\n");
+      break;
+  }
+
+  return 0;
+}
--- a/pwnables/daemons/run.fingerd
+++ b/pwnables/daemons/run.fingerd
@ -0,0 +1,3 @@
+#! /bin/sh
+
+exec tcpsvd 0 79 /usr/sbin/in.fingerd
--- a/pwnables/daemons/run.noted
+++ b/pwnables/daemons/run.noted
@ -0,0 +1,4 @@
+#! /bin/sh
+
+cd /var/lib/notes
+exec tcpsvd 0 4000 /usr/sbin/in.noted
--- a/pwnables/init/networking
+++ b/pwnables/init/networking
@ -0,0 +1,14 @@
+#! /bin/sh -e
+
+# busybox's dc doesn't support i :<
+# Its awk does support 0xa0 as an int, but gawk doesn't.  This only works on busybox.
+lastd=awk -F ':' '{for (i=1; i<NF; i++) {q = xor(q, "0x" $i);} print (q<2?2:q);}' /sys/class/net/eth0/address
+
+myip=10.0.0.$lastd
+
+ifconfig eth0 $myip netmask 255.255.0.0
+ifconfig eth1 192.168.0.1
+
+while true; do
+    sleep 10d
+done
--- a/pwnables/init/telnetd
+++ b/pwnables/init/telnetd
@ -0,0 +1,7 @@
+#! /bin/sh
+
+state=$(cat /sys/class/net/eth1/operstate)
+if [ "$state" != "up" ]; then
+    exit 0
+fi
+exec tcpsvd 192.168.0.1 23 telnetd -i -l /bin/sh
--- a/pwnables/init/tftpd
+++ b/pwnables/init/tftpd
@ -0,0 +1,3 @@
+#! /bin/sh
+
+exec udpsvd 0 69 tftpd /var/lib/tftp