Add dillo puzzle

2011-03-22 22:00:50 -06:00 · 2011-03-22 22:00:50 -06:00 · 4bc40220b0
parent 31d30ccc04
commit 4bc40220b0
14 changed files with 138 additions and 103 deletions
--- a/packages/armadillo/service/armadillo/finish
+++ b/packages/armadillo/service/armadillo/finish
--- a/packages/armadillo/service/armadillo/ip.txt
+++ b/packages/armadillo/service/armadillo/ip.txt
--- a/packages/armadillo/service/armadillo/log/run
+++ b/packages/armadillo/service/armadillo/log/run
--- a/packages/armadillo/service/armadillo/motd
+++ b/packages/armadillo/service/armadillo/motd
--- a/packages/armadillo/service/armadillo/pwnie
+++ b/packages/armadillo/service/armadillo/pwnie
--- a/packages/armadillo/service/armadillo/run
+++ b/packages/armadillo/service/armadillo/run
@ -0,0 +1,40 @@
+#! /bin/sh -e
+
+# Configure IP address
+IP=$(cat ip.txt)
+ip addr add $IP label eth0:armadillo dev eth0
+
+# Set up chroot environment
+# We never umount any of this since it's all just in RAM
+mkdir -p /mnt/armadillo-root
+grep -q armadillo-root /proc/mounts || mount -o bind / /mnt/armadillo-root
+grep -q armadillo-var /proc/mounts  || mount -t tmpfs -o size=5m,mode=0755 armadillo-var /mnt/armadillo-root/var
+grep -q armadillo-tmp /proc/mounts  || mount -t tmpfs -o size=15k armadillo-tmp /mnt/armadillo-root/tmp
+grep -q armadillo-home /proc/mounts || mount -t tmpfs -o size=5m,mode=0755 armadillo-home /mnt/armadillo-root/home
+
+# Make some skeleton junk
+install -o root -m 0755 -d /mnt/armadillo-root/var/lib
+install -o root -m 0755 -d /mnt/armadillo-root/var/lib/ctf
+install -o root -m 0755 -d /mnt/armadillo-root/var/lib/ctf/tokens
+install -o root -m 0755 -d /mnt/armadillo-root/var/log
+install -o root -m 0755 -d /mnt/armadillo-root/var/spool
+install -o root -m 0755 -d /mnt/armadillo-root/var/cache
+install -o root -m 0777 -d /mnt/armadillo-root/var/run
+install -o root -m 0777 -d /mnt/armadillo-root/var/cache
+
+# Install the binaries
+install -o root -d /mnt/armadillo-root/home/alice/
+install -o bob -m 0111 /opt/armadillo/bin/gimmie /mnt/armadillo-root/home/alice/
+install -o bob -m 0111 /opt/armadillo/bin/dillo /mnt/armadillo-root/home/alice/
+
+# straceme and killme need to be suid, to prevent LD_PRELOAD
+install -o bob -m 04111 /opt/armadillo/bin/straceme /mnt/armadillo-root/home/alice/
+install -o bob -m 04111 /opt/armadillo/bin/killme /mnt/armadillo-root/home/alice/
+    
+# Set up links for tokens
+mkdir -p /var/lib/ctf/tokens
+for puzzle in gimmie straceme killme dillo; do
+    ln -sf /mnt/armadillo-root/var/lib/ctf/tokens/$puzzle /var/lib/ctf/tokens/$puzzle
+done
+
+exec tcpsvd -C 5:"Let's not be greedy" ${IP%/*} 23 /sbin/telnetd -l ./pwnie
--- a/packages/armadillo/service/pwnables/run
+++ b/packages/armadillo/service/pwnables/run
@ -1,42 +0,0 @@
-#! /bin/sh -e
-
-# Configure IP address
-IP=$(cat ip.txt)
-ip addr add $IP label eth0:pwnables dev eth0
-
-# Set up chroot environment
-# We never umount any of this since it's all just in RAM
-mkdir -p /mnt/pwnables-root
-grep -q pwnables-root /proc/mounts || mount -o bind / /mnt/pwnables-root
-grep -q pwnables-var /proc/mounts  || mount -t tmpfs -o size=5m,mode=0755 pwnables-var /mnt/pwnables-root/var
-grep -q pwnables-tmp /proc/mounts  || mount -t tmpfs -o size=15k pwnables-tmp /mnt/pwnables-root/tmp
-grep -q pwnables-home /proc/mounts || mount -t tmpfs -o size=5m pwnables-home /mnt/pwnables-root/home
-
-# Make some skeleton junk
-install -o root -m 0755 -d /mnt/pwnables-root/var/lib
-install -o root -m 0755 -d /mnt/pwnables-root/var/lib/ctf
-install -o root -m 0755 -d /mnt/pwnables-root/var/lib/ctf/tokens
-install -o root -m 0755 -d /mnt/pwnables-root/var/log
-install -o root -m 0755 -d /mnt/pwnables-root/var/spool
-install -o root -m 0755 -d /mnt/pwnables-root/var/cache
-install -o root -m 0777 -d /mnt/pwnables-root/var/run
-install -o root -m 0777 -d /mnt/pwnables-root/var/cache
-
-# Install the pwnables
-install -o root -d /mnt/pwnables-root/home/alice/
-install -o bob -m 0111 /opt/pwnables/bin/gimmie /mnt/pwnables-root/home/alice/
-
-# ltrace needs to read the binary
-install -o bob -m 0555 /opt/pwnables/bin/ltraceme /mnt/pwnables-root/home/alice/
-
-# straceme and killme need to be suid, to prevent LD_PRELOAD
-install -o bob -m 04111 /opt/pwnables/bin/straceme /mnt/pwnables-root/home/alice/
-install -o bob -m 04111 /opt/pwnables/bin/killme /mnt/pwnables-root/home/alice/
-    
-# Set up links for tokens
-mkdir -p /var/lib/ctf/tokens
-for puzzle in gimmie ltraceme straceme killme; do
-    ln -sf /mnt/pwnables-root/var/lib/ctf/tokens/$puzzle /var/lib/ctf/tokens/$puzzle
-done
-
-exec tcpsvd -C 5:"Let's not be greedy" ${IP%/*} 23 /sbin/telnetd -l ./pwnie
--- a/packages/armadillo/src/Makefile
+++ b/packages/armadillo/src/Makefile
@ -9,6 +9,7 @@ gimmie: gimmie.o token.o arc4.o
 octopus: octopus.o token.o arc4.o
 straceme: straceme.o token.o arc4.o
 killme: killme.o token.o arc4.o
+dillo: dillo.o token.o arc4.o

 install: $(TARGETS)
 	install -m 0755 $(TARGETS) $(DESTDIR)/bin
--- a/packages/armadillo/src/dillo-solve
+++ b/packages/armadillo/src/dillo-solve
@ -0,0 +1,22 @@
+#! /usr/bin/python
+
+import subprocess
+
+# In the actual contest you'd want to run netcat or just
+# open your own TCP connection to port 23 and run commands.
+d = subprocess.Popen(['./dillo'],
+                     stdout=subprocess.PIPE,
+                     stdin=subprocess.PIPE)
+o = d.stdout
+i = d.stdin
+
+c = o.read(1)
+v = chr(ord(c) ^ 0x20)
+i.write(v)
+
+o.readline()
+o.readline()
+o.readline()
+o.readline()
+o.readline()
+d.poll()
--- a/packages/armadillo/src/dillo.c
+++ b/packages/armadillo/src/dillo.c
@ -0,0 +1,59 @@
+#include <unistd.h>
+#include <time.h>
+#include <stdint.h>
+#include "arc4.h"
+#include "token.h"
+
+const uint8_t key[] =
+  {0xa5, 0xb1, 0x6f, 0xce,
+   0x59, 0x2d, 0xb1, 0xe9,
+   0x4b, 0x07, 0x91, 0x6d,
+   0x9f, 0x3b, 0xc8, 0xc6};
+
+const char dillo[] = 
+  ("           .::7777::-.\n"
+   "          /:'////' `::>/|/\n"
+   "        .',  ||||   `/( e\\\n"
+   "    -==~-'`-Xm````-mr' `-_\\\n");
+
+int
+main(int argc, char *argv[])
+{
+  uint8_t v;
+  int     i;
+
+  /* Pick a random non-zero xor value */
+  do {
+    v = arc4_rand8();
+  } while (! v);
+
+
+  /* Print the dillo */
+  for (i = 0; dillo[i]; i += 1) {
+    struct timespec req = {0, 33000000};
+    uint8_t         c   = dillo[i];
+
+    if ('\n' != c) {
+      c ^= v;
+    }
+    write(1, &c, 1);
+    nanosleep(&req, NULL);
+  }
+
+  /* Read a single byte; strace will help with solution */
+  {
+    uint8_t c;
+
+    read(0, &c, 1);
+    if (c != v) {
+      return 1;
+    }
+  }
+
+  if (-1 == print_token("dillo", key, sizeof(key))) {
+    write(2, "Something is broken; I can't read my token.\n", 44);
+    return 69;
+  }
+
+  return 0;
+}
--- a/packages/armadillo/src/killme.c
+++ b/packages/armadillo/src/killme.c
@ -1,11 +1,11 @@
 #include <signal.h>
-#include <stdlib.h>
-#include <stdio.h>
 #include <unistd.h>
-#include <time.h>
+#include <stdio.h>
+#include <sysexits.h>
+#include "arc4.h"
 #include "token.h"

-#define SIGS 20
+#define ROUNDS 20

 uint8_t const key[] = {0x51, 0x91, 0x6d, 0x81,
                       0x14, 0x21, 0xf8, 0x95,
@ -25,26 +25,12 @@ main(int argc, char *argv[])
 {
  int i;

-  {
-    /* Seed random number generator */
-    FILE *f;
-    int seed;
-
-    f = fopen("/dev/urandom", "r");
-    if (f) {
-      fread(&seed, sizeof(seed), 1, f);
-      srandom(seed);
-    } else {
-      srandom(getpid() * time(NULL));
-    }
-  }
-
  for (i = 1; i < 8; i += 1) {
    signal(i, handler);
  }

-  for (i = 0; i < SIGS; i += 1) {
-    int desired = (random() % 7) + 1;
+  for (i = 0; i < ROUNDS; i += 1) {
+    int desired = (arc4_rand8() % 7) + 1;

    lastsig = 0;
    printf("%d\n", desired);
@ -64,20 +50,9 @@ main(int argc, char *argv[])
    }
  }

-  {
-    char   token[200];
-    size_t tokenlen;
-
-    tokenlen = read_token("killme",
-                          key, sizeof(key),
-                          token, sizeof(token) - 1);
-    if (-1 == tokenlen) {
-      write(1, "Something is broken\nI can't read my token.\n", 43);
-      return 69;
-    }
-    token[tokenlen++] = '\n';
-
-    write(1, token, tokenlen);
+  if (-1 == print_token("killme", key, sizeof(key))) {
+    fprintf(stderr, "Something is broken; I can't read my token.\n");
+    return EX_UNAVAILABLE;
  }

  return 0;
--- a/packages/armadillo/src/straceme.c
+++ b/packages/armadillo/src/straceme.c
@ -60,10 +60,10 @@ main(int argc, char *argv[])
    close(fd);
  }

-  /* Read in category name from fd 2 (stderr!)
+  /* Read in category name from fd 5
   *
   * echo -n straceme > foo.txt
-   * ./straceme $$ 2< foo.txt
+   * ./straceme $$ 5< foo.txt
   */
  {
    char   cat[50];
@ -72,22 +72,16 @@ main(int argc, char *argv[])
    size_t tokenlen;
    int    i;

-    catlen = read(2, cat, sizeof(cat) - 1);
+    catlen = read(5, cat, sizeof(cat) - 1);
    for (i = 0; i < catlen; i += 1) {
      if (! isalnum(cat[i])) break;
    }
    cat[i] = '\0';

-    tokenlen = read_token(cat,
-                          key, sizeof(key),
-                          token, sizeof(token) - 1);
-    if (-1 == tokenlen) {
-      write(1, "Something is broken\nI can't read my token.\n", 43);
+    if (-1 == print_token(cat, key, sizeof(key))) {
+      write(2, "Something is broken; I can't read my token.\n", 44);
      return 69;
    }
-    token[tokenlen++] = '\n';
-
-    write(1, token, tokenlen);
  }
  return 0;
 }
--- a/packages/mktokendkey
+++ b/packages/mktokendkey
@ -1,19 +1,4 @@
 #! /bin/sh

-if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
-    echo "Usage: $0 CATEGORY"
-    echo
-    echo "Creates tokend key for CATEGORY."
-    exit 1
-fi
+dd bs=1 count=16 if=/dev/urandom | hd

-puz=$1; shift
-cat=${1:-$puz}
-
-d=$(dirname $0)
-
-td=$d/mcp/tokend.keys/$cat
-echo "Writing new server key to $td"
-dd bs=1 count=16 if=/dev/urandom of=$td
-
-hd $td
--- a/src/arc4.h
+++ b/src/arc4.h
@ -1,6 +1,7 @@
 #ifndef __ARC4_H__
 #define __ARC4_H__

+#include <stdio.h>
 #include <stdint.h>
 #include <stdlib.h>