mirror of https://github.com/dirtbags/moth.git
Add dillo puzzle
This commit is contained in:
parent
31d30ccc04
commit
4bc40220b0
|
@ -0,0 +1,40 @@
|
|||
#! /bin/sh -e
|
||||
|
||||
# Configure IP address
|
||||
IP=$(cat ip.txt)
|
||||
ip addr add $IP label eth0:armadillo dev eth0
|
||||
|
||||
# Set up chroot environment
|
||||
# We never umount any of this since it's all just in RAM
|
||||
mkdir -p /mnt/armadillo-root
|
||||
grep -q armadillo-root /proc/mounts || mount -o bind / /mnt/armadillo-root
|
||||
grep -q armadillo-var /proc/mounts || mount -t tmpfs -o size=5m,mode=0755 armadillo-var /mnt/armadillo-root/var
|
||||
grep -q armadillo-tmp /proc/mounts || mount -t tmpfs -o size=15k armadillo-tmp /mnt/armadillo-root/tmp
|
||||
grep -q armadillo-home /proc/mounts || mount -t tmpfs -o size=5m,mode=0755 armadillo-home /mnt/armadillo-root/home
|
||||
|
||||
# Make some skeleton junk
|
||||
install -o root -m 0755 -d /mnt/armadillo-root/var/lib
|
||||
install -o root -m 0755 -d /mnt/armadillo-root/var/lib/ctf
|
||||
install -o root -m 0755 -d /mnt/armadillo-root/var/lib/ctf/tokens
|
||||
install -o root -m 0755 -d /mnt/armadillo-root/var/log
|
||||
install -o root -m 0755 -d /mnt/armadillo-root/var/spool
|
||||
install -o root -m 0755 -d /mnt/armadillo-root/var/cache
|
||||
install -o root -m 0777 -d /mnt/armadillo-root/var/run
|
||||
install -o root -m 0777 -d /mnt/armadillo-root/var/cache
|
||||
|
||||
# Install the binaries
|
||||
install -o root -d /mnt/armadillo-root/home/alice/
|
||||
install -o bob -m 0111 /opt/armadillo/bin/gimmie /mnt/armadillo-root/home/alice/
|
||||
install -o bob -m 0111 /opt/armadillo/bin/dillo /mnt/armadillo-root/home/alice/
|
||||
|
||||
# straceme and killme need to be suid, to prevent LD_PRELOAD
|
||||
install -o bob -m 04111 /opt/armadillo/bin/straceme /mnt/armadillo-root/home/alice/
|
||||
install -o bob -m 04111 /opt/armadillo/bin/killme /mnt/armadillo-root/home/alice/
|
||||
|
||||
# Set up links for tokens
|
||||
mkdir -p /var/lib/ctf/tokens
|
||||
for puzzle in gimmie straceme killme dillo; do
|
||||
ln -sf /mnt/armadillo-root/var/lib/ctf/tokens/$puzzle /var/lib/ctf/tokens/$puzzle
|
||||
done
|
||||
|
||||
exec tcpsvd -C 5:"Let's not be greedy" ${IP%/*} 23 /sbin/telnetd -l ./pwnie
|
|
@ -1,42 +0,0 @@
|
|||
#! /bin/sh -e
|
||||
|
||||
# Configure IP address
|
||||
IP=$(cat ip.txt)
|
||||
ip addr add $IP label eth0:pwnables dev eth0
|
||||
|
||||
# Set up chroot environment
|
||||
# We never umount any of this since it's all just in RAM
|
||||
mkdir -p /mnt/pwnables-root
|
||||
grep -q pwnables-root /proc/mounts || mount -o bind / /mnt/pwnables-root
|
||||
grep -q pwnables-var /proc/mounts || mount -t tmpfs -o size=5m,mode=0755 pwnables-var /mnt/pwnables-root/var
|
||||
grep -q pwnables-tmp /proc/mounts || mount -t tmpfs -o size=15k pwnables-tmp /mnt/pwnables-root/tmp
|
||||
grep -q pwnables-home /proc/mounts || mount -t tmpfs -o size=5m pwnables-home /mnt/pwnables-root/home
|
||||
|
||||
# Make some skeleton junk
|
||||
install -o root -m 0755 -d /mnt/pwnables-root/var/lib
|
||||
install -o root -m 0755 -d /mnt/pwnables-root/var/lib/ctf
|
||||
install -o root -m 0755 -d /mnt/pwnables-root/var/lib/ctf/tokens
|
||||
install -o root -m 0755 -d /mnt/pwnables-root/var/log
|
||||
install -o root -m 0755 -d /mnt/pwnables-root/var/spool
|
||||
install -o root -m 0755 -d /mnt/pwnables-root/var/cache
|
||||
install -o root -m 0777 -d /mnt/pwnables-root/var/run
|
||||
install -o root -m 0777 -d /mnt/pwnables-root/var/cache
|
||||
|
||||
# Install the pwnables
|
||||
install -o root -d /mnt/pwnables-root/home/alice/
|
||||
install -o bob -m 0111 /opt/pwnables/bin/gimmie /mnt/pwnables-root/home/alice/
|
||||
|
||||
# ltrace needs to read the binary
|
||||
install -o bob -m 0555 /opt/pwnables/bin/ltraceme /mnt/pwnables-root/home/alice/
|
||||
|
||||
# straceme and killme need to be suid, to prevent LD_PRELOAD
|
||||
install -o bob -m 04111 /opt/pwnables/bin/straceme /mnt/pwnables-root/home/alice/
|
||||
install -o bob -m 04111 /opt/pwnables/bin/killme /mnt/pwnables-root/home/alice/
|
||||
|
||||
# Set up links for tokens
|
||||
mkdir -p /var/lib/ctf/tokens
|
||||
for puzzle in gimmie ltraceme straceme killme; do
|
||||
ln -sf /mnt/pwnables-root/var/lib/ctf/tokens/$puzzle /var/lib/ctf/tokens/$puzzle
|
||||
done
|
||||
|
||||
exec tcpsvd -C 5:"Let's not be greedy" ${IP%/*} 23 /sbin/telnetd -l ./pwnie
|
|
@ -9,6 +9,7 @@ gimmie: gimmie.o token.o arc4.o
|
|||
octopus: octopus.o token.o arc4.o
|
||||
straceme: straceme.o token.o arc4.o
|
||||
killme: killme.o token.o arc4.o
|
||||
dillo: dillo.o token.o arc4.o
|
||||
|
||||
install: $(TARGETS)
|
||||
install -m 0755 $(TARGETS) $(DESTDIR)/bin
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
#! /usr/bin/python
|
||||
|
||||
import subprocess
|
||||
|
||||
# In the actual contest you'd want to run netcat or just
|
||||
# open your own TCP connection to port 23 and run commands.
|
||||
d = subprocess.Popen(['./dillo'],
|
||||
stdout=subprocess.PIPE,
|
||||
stdin=subprocess.PIPE)
|
||||
o = d.stdout
|
||||
i = d.stdin
|
||||
|
||||
c = o.read(1)
|
||||
v = chr(ord(c) ^ 0x20)
|
||||
i.write(v)
|
||||
|
||||
o.readline()
|
||||
o.readline()
|
||||
o.readline()
|
||||
o.readline()
|
||||
o.readline()
|
||||
d.poll()
|
|
@ -0,0 +1,59 @@
|
|||
#include <unistd.h>
|
||||
#include <time.h>
|
||||
#include <stdint.h>
|
||||
#include "arc4.h"
|
||||
#include "token.h"
|
||||
|
||||
const uint8_t key[] =
|
||||
{0xa5, 0xb1, 0x6f, 0xce,
|
||||
0x59, 0x2d, 0xb1, 0xe9,
|
||||
0x4b, 0x07, 0x91, 0x6d,
|
||||
0x9f, 0x3b, 0xc8, 0xc6};
|
||||
|
||||
const char dillo[] =
|
||||
(" .::7777::-.\n"
|
||||
" /:'////' `::>/|/\n"
|
||||
" .', |||| `/( e\\\n"
|
||||
" -==~-'`-Xm````-mr' `-_\\\n");
|
||||
|
||||
int
|
||||
main(int argc, char *argv[])
|
||||
{
|
||||
uint8_t v;
|
||||
int i;
|
||||
|
||||
/* Pick a random non-zero xor value */
|
||||
do {
|
||||
v = arc4_rand8();
|
||||
} while (! v);
|
||||
|
||||
|
||||
/* Print the dillo */
|
||||
for (i = 0; dillo[i]; i += 1) {
|
||||
struct timespec req = {0, 33000000};
|
||||
uint8_t c = dillo[i];
|
||||
|
||||
if ('\n' != c) {
|
||||
c ^= v;
|
||||
}
|
||||
write(1, &c, 1);
|
||||
nanosleep(&req, NULL);
|
||||
}
|
||||
|
||||
/* Read a single byte; strace will help with solution */
|
||||
{
|
||||
uint8_t c;
|
||||
|
||||
read(0, &c, 1);
|
||||
if (c != v) {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (-1 == print_token("dillo", key, sizeof(key))) {
|
||||
write(2, "Something is broken; I can't read my token.\n", 44);
|
||||
return 69;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
|
@ -1,11 +1,11 @@
|
|||
#include <signal.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#include <time.h>
|
||||
#include <stdio.h>
|
||||
#include <sysexits.h>
|
||||
#include "arc4.h"
|
||||
#include "token.h"
|
||||
|
||||
#define SIGS 20
|
||||
#define ROUNDS 20
|
||||
|
||||
uint8_t const key[] = {0x51, 0x91, 0x6d, 0x81,
|
||||
0x14, 0x21, 0xf8, 0x95,
|
||||
|
@ -25,26 +25,12 @@ main(int argc, char *argv[])
|
|||
{
|
||||
int i;
|
||||
|
||||
{
|
||||
/* Seed random number generator */
|
||||
FILE *f;
|
||||
int seed;
|
||||
|
||||
f = fopen("/dev/urandom", "r");
|
||||
if (f) {
|
||||
fread(&seed, sizeof(seed), 1, f);
|
||||
srandom(seed);
|
||||
} else {
|
||||
srandom(getpid() * time(NULL));
|
||||
}
|
||||
}
|
||||
|
||||
for (i = 1; i < 8; i += 1) {
|
||||
signal(i, handler);
|
||||
}
|
||||
|
||||
for (i = 0; i < SIGS; i += 1) {
|
||||
int desired = (random() % 7) + 1;
|
||||
for (i = 0; i < ROUNDS; i += 1) {
|
||||
int desired = (arc4_rand8() % 7) + 1;
|
||||
|
||||
lastsig = 0;
|
||||
printf("%d\n", desired);
|
||||
|
@ -64,20 +50,9 @@ main(int argc, char *argv[])
|
|||
}
|
||||
}
|
||||
|
||||
{
|
||||
char token[200];
|
||||
size_t tokenlen;
|
||||
|
||||
tokenlen = read_token("killme",
|
||||
key, sizeof(key),
|
||||
token, sizeof(token) - 1);
|
||||
if (-1 == tokenlen) {
|
||||
write(1, "Something is broken\nI can't read my token.\n", 43);
|
||||
return 69;
|
||||
}
|
||||
token[tokenlen++] = '\n';
|
||||
|
||||
write(1, token, tokenlen);
|
||||
if (-1 == print_token("killme", key, sizeof(key))) {
|
||||
fprintf(stderr, "Something is broken; I can't read my token.\n");
|
||||
return EX_UNAVAILABLE;
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
@ -60,10 +60,10 @@ main(int argc, char *argv[])
|
|||
close(fd);
|
||||
}
|
||||
|
||||
/* Read in category name from fd 2 (stderr!)
|
||||
/* Read in category name from fd 5
|
||||
*
|
||||
* echo -n straceme > foo.txt
|
||||
* ./straceme $$ 2< foo.txt
|
||||
* ./straceme $$ 5< foo.txt
|
||||
*/
|
||||
{
|
||||
char cat[50];
|
||||
|
@ -72,22 +72,16 @@ main(int argc, char *argv[])
|
|||
size_t tokenlen;
|
||||
int i;
|
||||
|
||||
catlen = read(2, cat, sizeof(cat) - 1);
|
||||
catlen = read(5, cat, sizeof(cat) - 1);
|
||||
for (i = 0; i < catlen; i += 1) {
|
||||
if (! isalnum(cat[i])) break;
|
||||
}
|
||||
cat[i] = '\0';
|
||||
|
||||
tokenlen = read_token(cat,
|
||||
key, sizeof(key),
|
||||
token, sizeof(token) - 1);
|
||||
if (-1 == tokenlen) {
|
||||
write(1, "Something is broken\nI can't read my token.\n", 43);
|
||||
if (-1 == print_token(cat, key, sizeof(key))) {
|
||||
write(2, "Something is broken; I can't read my token.\n", 44);
|
||||
return 69;
|
||||
}
|
||||
token[tokenlen++] = '\n';
|
||||
|
||||
write(1, token, tokenlen);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
|
|
@ -1,19 +1,4 @@
|
|||
#! /bin/sh
|
||||
|
||||
if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
|
||||
echo "Usage: $0 CATEGORY"
|
||||
echo
|
||||
echo "Creates tokend key for CATEGORY."
|
||||
exit 1
|
||||
fi
|
||||
dd bs=1 count=16 if=/dev/urandom | hd
|
||||
|
||||
puz=$1; shift
|
||||
cat=${1:-$puz}
|
||||
|
||||
d=$(dirname $0)
|
||||
|
||||
td=$d/mcp/tokend.keys/$cat
|
||||
echo "Writing new server key to $td"
|
||||
dd bs=1 count=16 if=/dev/urandom of=$td
|
||||
|
||||
hd $td
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
#ifndef __ARC4_H__
|
||||
#define __ARC4_H__
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
|
|
Loading…
Reference in New Issue