First stab at the services image

2009-10-05 17:09:20 -06:00 · 2009-10-05 17:09:20 -06:00 · 266951612b
parent 4de0f9c088
commit 266951612b
14 changed files with 281 additions and 2 deletions
--- a/ctf.css
+++ b/ctf.css
@ -64,6 +64,10 @@ th, td {
    vertical-align: top;
 }
 .scoreboard {
    background: #222;
 }
 .scoreboard td {
    height: 400px;
 }
--- a/kevin/Makefile
+++ b/kevin/Makefile
@ -10,7 +10,7 @@ kevin.tce: target
 target: kevin.py run log.run
 	$(INSTALL) -D kevin.py target/usr/bin/kevin.py
-	$(INSTALL) --owner=100 -d target/var/lib/ctf/kevin/tokens
+	$(INSTALL) --owner=100 -d target/var/lib/kevin/tokens
 	$(INSTALL) -d target/var/service/kevin
 	$(INSTALL) run target/var/service/kevin/run
--- a/kevin/run
+++ b/kevin/run
@ -2,4 +2,4 @@
 [ -f /var/lib/ctf/disabled/kevin ] && exit 0
-exec envuidgid ctf /usr/bin/kevin.py --victims=/var/lib/ctf/kevin/victims.txt --tokens=/var/lib/ctf/kevin/tokens
+exec envuidgid ctf /usr/bin/kevin.py --victims=/var/lib/kevin/victims.txt --tokens=/var/lib/kevin/tokens
--- a/pwnables/Makefile
+++ b/pwnables/Makefile
@ -0,0 +1,28 @@
 CGI = cat.cgi
 TARGET = $(CURDIR)/target
 FAKE = fakeroot -s $(CURDIR)/fake -i $(CURDIR)/fake
 INSTALL = $(FAKE) install
 all: target
 target:
 	$(INSTALL) -d $(TARGET)
 	$(MAKE) -C daemons TARGET=$(TARGET) install
 	$(INSTALL) -D init/networking $(TARGET)/var/service/networking/run
 	$(INSTALL) -D init/telnetd $(TARGET)/var/service/networking/run
 	$(INSTALL) -D init/tftpd $(TARGET)/var/service/networking/run
 	$(INSTALL) -d $(TARGET)/usr/lib/www
 	$(INSTALL) $(CGI) $(TARGET)/usr/lib/www
 	$(INSTALL) -D flag $(TARGET)/var/lib/tftp/flag
 	$(INSTALL) -D flag $(TARGET)/var/lib/notes/flag
 	$(INSTALL) -D flag $(TARGET)/var/lib//flag
 	$(INSTALL) -D flag $(TARGET)/var/lib/tftp/flag
 clean:
 	rm -rf target
--- a/pwnables/cat.cgi
+++ b/pwnables/cat.cgi
@ -0,0 +1,6 @@
 #! /bin/sh
 echo 'Content-type: text/plain'
 echo
 cat .$PATH_INFO
--- a/pwnables/daemons/Makefile
+++ b/pwnables/daemons/Makefile
@ -0,0 +1,21 @@
 SBIN = in.fingerd in.noted
 BIN = notecli
 TARGET ?= $(CURDIR)/target
 FAKE = fakeroot -s $(CURDIR)/fake -i $(CURDIR)/fake
 INSTALL = $(FAKE) install
 all: $(SBIN) $(BIN)
 install: all
 	$(INSTALL) -d $(TARGET)/usr/sbin
 	$(INSTALL) -s $(SBIN) $(TARGET)/usr/sbin
 	$(INSTALL) -d $(TARGET)/usr/bin
 	$(INSTALL) -s $(BIN) $(TARGET)/usr/bin
 	$(INSTALL) -d $(TARGET)/var/service/fingerd
 	$(INSTALL) run.fingerd $(TARGET)/var/service/fingerd/run
 	$(INSTALL) -d $(TARGET)/var/service/noted
 	$(INSTALL) run.noted $(TARGET)/var/service/noted/run
--- a/pwnables/daemons/in.fingerd.c
+++ b/pwnables/daemons/in.fingerd.c
@ -0,0 +1,44 @@
 #include <syslog.h>
 #include <stdio.h>
 int
 main(int argc, char *argv)
 {
  char    user[256];
  char    path[512];
  char   *data;
  FILE   *f;
  size_t  count;
  int     i;
  char   *peer = getenv("REMOTEADDR");
  openlog("in.fingerd", LOG_PID, LOG_USER);
  if (NULL == gets(user)) {
    return 0;
  }
  for (data = user; *data; data += 1) {
    if ('\r' == *data) {
      *data = 0;
    }
  }
  if (peer) {
    syslog(LOG_INFO, "%s requests %s", peer, user);
  }
  if (0 == user[0]) {
    printf("Nobody's home.\n");
    return 0;
  }
  sprintf(path, "/home/%s/.plan", user);
  f = fopen(path, "r");
  if (NULL == f) {
    printf("No such user.\n");
    return 0;
  }
  data = path;
  while (count = fread(data, sizeof(*data), 1, f)) {
    fwrite(data, count, 1, stdout);
  }
  return 0;
 }
--- a/pwnables/daemons/in.noted.c
+++ b/pwnables/daemons/in.noted.c
@ -0,0 +1,55 @@
 #include <stdio.h>
 #include <syslog.h>
 void
 readntrim(char *s)
 {
  gets(s);
  for (; *s; s++) {
    switch (*s) {
      case '\n':
      case '\r':
        *s = 0;
    }
  }
 }
 int
 main(int argc, char *argv)
 {
  int   cmd;
  char  line[4096];
  char  note[512];
  FILE *f = NULL;
  char   *peer = getenv("REMOTEADDR");
  openlog("in.noted", LOG_PID, LOG_USER);
  switch (getc(stdin)) {
    case EOF:
      return 0;
    case 'r':
      readntrim(note);
      if (peer) {
        syslog(LOG_INFO, "%s read %s", peer, note);
      }
      f = fopen(note, "r");
      while (fgets(line, sizeof(line), f)) {
        fputs(line, stdout);
      }
      fclose(f);
      break;
    case 'w':
      readntrim(note);
      if (peer) {
        syslog(LOG_INFO, "%s write %s", peer, note);
      }
      f = fopen(note, "w");
      while (gets(line)) {
        fputs(line, f);
      }
      fclose(f);
      break;
  }
  return 0;
 }
--- a/pwnables/daemons/notecli.c
+++ b/pwnables/daemons/notecli.c
@ -0,0 +1,90 @@
 #include <stdio.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <netdb.h>
 #include <string.h>
 int
 open_connection(char *host, int port)
 {
  struct sockaddr_in  addr;
  struct hostent     *h;
  int                 fd;
  if (! inet_aton(host, &(addr.sin_addr))) {
    if (!(h = gethostbyname(host))) {
      return -1;
    } else {
      memcpy(&(addr.sin_addr), h->h_addr, h->h_length);
    }
  }
  fd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1) {
    return -1;
  }
  addr.sin_family = AF_INET;
  addr.sin_port = htons(port);
  if (connect(fd, (struct sockaddr *)&addr, sizeof(addr))) {
    close(fd);
    return -1;
  }
  return fd;
 }
 void
 clean(char *s)
 {
  for (; *s; s++) {
    switch (*s) {
      case '/':
      case '.':
        *s = '_';
    }
  }
 }
 int
 main(int argc, char *argv[])
 {
  int     fd;
  char    s[4096];
  ssize_t len;
  if (4 != argc) {
    printf("Usage: %s HOST NOTE COMMAND\n", argv[0]);
    printf("\n");
    printf("  COMMAND must be 'r' (read) or 'w' (write).\n");
    printf("  For w, input is taken from stdin.\n");
    return 1;
  }
  fd = open_connection(argv[1], 4000);
  clean(argv[2]);
  switch (argv[3][0]) {
    case 'r':
      write(fd, "r", 1);
      write(fd, argv[2], strlen(argv[2]));
      write(fd, "\n", 1);
      do {
        len = read(fd, s, sizeof(s));
        write(1, s, len);
      } while (len);
      break;
    case 'w':
      write(fd, "w", 1);
      write(fd, argv[2], strlen(argv[2]));
      write(fd, "\n", 1);
      do {
        len = read(0, s, sizeof(s));
        write(fd, s, len);
      } while (len);
      break;
    default:
      printf("I don't understand that command.\n");
      break;
  }
  return 0;
 }
--- a/pwnables/daemons/run.fingerd
+++ b/pwnables/daemons/run.fingerd
@ -0,0 +1,3 @@
 #! /bin/sh
 exec tcpsvd 0 79 /usr/sbin/in.fingerd
--- a/pwnables/daemons/run.noted
+++ b/pwnables/daemons/run.noted
@ -0,0 +1,4 @@
 #! /bin/sh
 cd /var/lib/notes
 exec tcpsvd 0 4000 /usr/sbin/in.noted
--- a/pwnables/init/networking
+++ b/pwnables/init/networking
@ -0,0 +1,14 @@
 #! /bin/sh -e
 # busybox's dc doesn't support i :<
 # Its awk does support 0xa0 as an int, but gawk doesn't.  This only works on busybox.
 lastd=awk -F ':' '{for (i=1; i<NF; i++) {q = xor(q, "0x" $i);} print (q<2?2:q);}' /sys/class/net/eth0/address
 myip=10.0.0.$lastd
 ifconfig eth0 $myip netmask 255.255.0.0
 ifconfig eth1 192.168.0.1
 while true; do
    sleep 10d
 done
--- a/pwnables/init/telnetd
+++ b/pwnables/init/telnetd
@ -0,0 +1,7 @@
 #! /bin/sh
 state=$(cat /sys/class/net/eth1/operstate)
 if [ "$state" != "up" ]; then
    exit 0
 fi
 exec tcpsvd 192.168.0.1 23 telnetd -i -l /bin/sh
--- a/pwnables/init/tftpd
+++ b/pwnables/init/tftpd
@ -0,0 +1,3 @@
 #! /bin/sh
 exec udpsvd 0 69 tftpd /var/lib/tftp
`@ -2,4 +2,4 @@`

	`[ -f /var/lib/ctf/disabled/kevin ] && exit 0`	`[ -f /var/lib/ctf/disabled/kevin ] && exit 0`

	`exec envuidgid ctf /usr/bin/kevin.py --victims=/var/lib/ctf/kevin/victims.txt --tokens=/var/lib/ctf/kevin/tokens`	`exec envuidgid ctf /usr/bin/kevin.py --victims=/var/lib/kevin/victims.txt --tokens=/var/lib/kevin/tokens`
		`@ -0,0 +1,3 @@`
							`#! /bin/sh`

							`exec tcpsvd 0 79 /usr/sbin/in.fingerd`
		`@ -0,0 +1,3 @@`
							`#! /bin/sh`

							`exec udpsvd 0 69 tftpd /var/lib/tftp`