diff --git a/packages/armadillo/service/pwnables/finish b/packages/armadillo/service/armadillo/finish
similarity index 100%
rename from packages/armadillo/service/pwnables/finish
rename to packages/armadillo/service/armadillo/finish
diff --git a/packages/armadillo/service/pwnables/ip.txt b/packages/armadillo/service/armadillo/ip.txt
similarity index 100%
rename from packages/armadillo/service/pwnables/ip.txt
rename to packages/armadillo/service/armadillo/ip.txt
diff --git a/packages/armadillo/service/pwnables/log/run b/packages/armadillo/service/armadillo/log/run
similarity index 100%
rename from packages/armadillo/service/pwnables/log/run
rename to packages/armadillo/service/armadillo/log/run
diff --git a/packages/armadillo/service/pwnables/motd b/packages/armadillo/service/armadillo/motd
similarity index 100%
rename from packages/armadillo/service/pwnables/motd
rename to packages/armadillo/service/armadillo/motd
diff --git a/packages/armadillo/service/pwnables/pwnie b/packages/armadillo/service/armadillo/pwnie
similarity index 100%
rename from packages/armadillo/service/pwnables/pwnie
rename to packages/armadillo/service/armadillo/pwnie
diff --git a/packages/armadillo/service/armadillo/run b/packages/armadillo/service/armadillo/run
new file mode 100755
index 0000000..40b5dab
--- /dev/null
+++ b/packages/armadillo/service/armadillo/run
@@ -0,0 +1,40 @@
+#! /bin/sh -e
+
+# Configure IP address
+IP=$(cat ip.txt)
+ip addr add $IP label eth0:armadillo dev eth0
+
+# Set up chroot environment
+# We never umount any of this since it's all just in RAM
+mkdir -p /mnt/armadillo-root
+grep -q armadillo-root /proc/mounts || mount -o bind / /mnt/armadillo-root
+grep -q armadillo-var /proc/mounts || mount -t tmpfs -o size=5m,mode=0755 armadillo-var /mnt/armadillo-root/var
+grep -q armadillo-tmp /proc/mounts || mount -t tmpfs -o size=15k armadillo-tmp /mnt/armadillo-root/tmp
+grep -q armadillo-home /proc/mounts || mount -t tmpfs -o size=5m,mode=0755 armadillo-home /mnt/armadillo-root/home
+
+# Make some skeleton junk
+install -o root -m 0755 -d /mnt/armadillo-root/var/lib
+install -o root -m 0755 -d /mnt/armadillo-root/var/lib/ctf
+install -o root -m 0755 -d /mnt/armadillo-root/var/lib/ctf/tokens
+install -o root -m 0755 -d /mnt/armadillo-root/var/log
+install -o root -m 0755 -d /mnt/armadillo-root/var/spool
+install -o root -m 0755 -d /mnt/armadillo-root/var/cache
+install -o root -m 0777 -d /mnt/armadillo-root/var/run
+install -o root -m 0777 -d /mnt/armadillo-root/var/cache
+
+# Install the binaries
+install -o root -d /mnt/armadillo-root/home/alice/
+install -o bob -m 0111 /opt/armadillo/bin/gimmie /mnt/armadillo-root/home/alice/
+install -o bob -m 0111 /opt/armadillo/bin/dillo /mnt/armadillo-root/home/alice/
+
+# straceme and killme need to be suid, to prevent LD_PRELOAD
+install -o bob -m 04111 /opt/armadillo/bin/straceme /mnt/armadillo-root/home/alice/
+install -o bob -m 04111 /opt/armadillo/bin/killme /mnt/armadillo-root/home/alice/
+
+# Set up links for tokens
+mkdir -p /var/lib/ctf/tokens
+for puzzle in gimmie straceme killme dillo; do
+ ln -sf /mnt/armadillo-root/var/lib/ctf/tokens/$puzzle /var/lib/ctf/tokens/$puzzle
+done
+
+exec tcpsvd -C 5:"Let's not be greedy" ${IP%/*} 23 /sbin/telnetd -l ./pwnie
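Review bot: `/mnt/armadillo-root/var/run` and `/mnt/armadillo-root/var/cache` are created world-writable with `-m 0777` and no sticky bit, so any account inside the chroot can delete or replace files another account created there. If they must stay writable by everyone, `install -o root -m 1777 -d /mnt/armadillo-root/var/run` (and the same for `var/cache`) limits removal to each entry's owner. `var/cache` is also installed twice, first as 0755 and then as 0777, which hides the intended mode; drop the first line. `$IP` comes straight from `ip.txt` and is unquoted in `ip addr add $IP ...`, so `"$IP"` is safer.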
diff --git a/packages/armadillo/service/pwnables/run b/packages/armadillo/service/pwnables/run
deleted file mode 100755
index 27fb1de..0000000
--- a/packages/armadillo/service/pwnables/run
+++ /dev/null
@@ -1,42 +0,0 @@
-#! /bin/sh -e
-
-# Configure IP address
-IP=$(cat ip.txt)
-ip addr add $IP label eth0:pwnables dev eth0
-
-# Set up chroot environment
-# We never umount any of this since it's all just in RAM
-mkdir -p /mnt/pwnables-root
-grep -q pwnables-root /proc/mounts || mount -o bind / /mnt/pwnables-root
-grep -q pwnables-var /proc/mounts || mount -t tmpfs -o size=5m,mode=0755 pwnables-var /mnt/pwnables-root/var
-grep -q pwnables-tmp /proc/mounts || mount -t tmpfs -o size=15k pwnables-tmp /mnt/pwnables-root/tmp
-grep -q pwnables-home /proc/mounts || mount -t tmpfs -o size=5m pwnables-home /mnt/pwnables-root/home
-
-# Make some skeleton junk
-install -o root -m 0755 -d /mnt/pwnables-root/var/lib
-install -o root -m 0755 -d /mnt/pwnables-root/var/lib/ctf
-install -o root -m 0755 -d /mnt/pwnables-root/var/lib/ctf/tokens
-install -o root -m 0755 -d /mnt/pwnables-root/var/log
-install -o root -m 0755 -d /mnt/pwnables-root/var/spool
-install -o root -m 0755 -d /mnt/pwnables-root/var/cache
-install -o root -m 0777 -d /mnt/pwnables-root/var/run
-install -o root -m 0777 -d /mnt/pwnables-root/var/cache
-
-# Install the pwnables
-install -o root -d /mnt/pwnables-root/home/alice/
-install -o bob -m 0111 /opt/pwnables/bin/gimmie /mnt/pwnables-root/home/alice/
-
-# ltrace needs to read the binary
-install -o bob -m 0555 /opt/pwnables/bin/ltraceme /mnt/pwnables-root/home/alice/
-
-# straceme and killme need to be suid, to prevent LD_PRELOAD
-install -o bob -m 04111 /opt/pwnables/bin/straceme /mnt/pwnables-root/home/alice/
-install -o bob -m 04111 /opt/pwnables/bin/killme /mnt/pwnables-root/home/alice/
-
-# Set up links for tokens
-mkdir -p /var/lib/ctf/tokens
-for puzzle in gimmie ltraceme straceme killme; do
- ln -sf /mnt/pwnables-root/var/lib/ctf/tokens/$puzzle /var/lib/ctf/tokens/$puzzle
-done
-
-exec tcpsvd -C 5:"Let's not be greedy" ${IP%/*} 23 /sbin/telnetd -l ./pwnie
diff --git a/packages/armadillo/src/Makefile b/packages/armadillo/src/Makefile
index 659f710..12e748d 100644
--- a/packages/armadillo/src/Makefile
+++ b/packages/armadillo/src/Makefile
@@ -9,6 +9,7 @@ gimmie: gimmie.o token.o arc4.o octopus: octopus.o token.o arc4.o straceme: straceme.o token.o arc4.o killme: killme.o token.o arc4.o +dillo: dillo.o token.o arc4.o install: $(TARGETS) install -m 0755 $(TARGETS) $(DESTDIR)/bin
diff --git a/packages/armadillo/src/dillo-solve b/packages/armadillo/src/dillo-solve
new file mode 100755
index 0000000..296dbc5
--- /dev/null
+++ b/packages/armadillo/src/dillo-solve
@@ -0,0 +1,22 @@
+#! /usr/bin/python
+
+import subprocess
+
+# In the actual contest you'd want to run netcat or just
+# open your own TCP connection to port 23 and run commands.
+d = subprocess.Popen(['./dillo'],
+ stdout=subprocess.PIPE,
+ stdin=subprocess.PIPE)
+o = d.stdout
+i = d.stdin
+
+c = o.read(1)
+v = chr(ord(c) ^ 0x20)
+i.write(v)
+
+o.readline()
+o.readline()
+o.readline()
+o.readline()
+o.readline()
+d.poll()
diff --git a/packages/armadillo/src/dillo.c b/packages/armadillo/src/dillo.c
new file mode 100644
index 0000000..75b2090
--- /dev/null
+++ b/packages/armadillo/src/dillo.c
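Review bot: Nothing in `dillo-solve` checks that the solve worked: the five `o.readline()` results are discarded and `d.poll()` returns immediately without waiting, so the script exits 0 whether or not `dillo` printed a token. Keeping the last line (presumably the token) and checking the exit status, e.g. `token = o.readline()` followed by `assert d.wait() == 0 and token`, would make it usable as a regression check for `dillo.c`. The `#! /usr/bin/python` line together with writing a `str` to the pipe suggests Python 2 is assumed; a one-line comment saying so would help.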
@@ -0,0 +1,59 @@
+#include
+#include
+#include
+#include "arc4.h"
+#include "token.h"
+
+const uint8_t key[] =
+ {0xa5, 0xb1, 0x6f, 0xce,
+ 0x59, 0x2d, 0xb1, 0xe9,
+ 0x4b, 0x07, 0x91, 0x6d,
+ 0x9f, 0x3b, 0xc8, 0xc6};
+
+const char dillo[] =
+ (" .::7777::-.\n"
+ " /:'////' `::>/|/\n"
+ " .', |||| `/( e\\\n"
+ " -==~-'`-Xm````-mr' `-_\\\n");
+
+int
+main(int argc, char *argv[])
+{
+ uint8_t v;
+ int i;
+
+ /* Pick a random non-zero xor value */
+ do {
+ v = arc4_rand8();
+ } while (! v);
+
+
+ /* Print the dillo */
+ for (i = 0; dillo[i]; i += 1) {
+ struct timespec req = {0, 33000000};
+ uint8_t c = dillo[i];
+
+ if ('\n' != c) {
+ c ^= v;
+ }
+ write(1, &c, 1);
+ nanosleep(&req, NULL);
+ }
+
+ /* Read a single byte; strace will help with solution */
+ {
+ uint8_t c;
+
+ read(0, &c, 1);
+ if (c != v) {
+ return 1;
+ }
+ }
+
+ if (-1 == print_token("dillo", key, sizeof(key))) {
+ write(2, "Something is broken; I can't read my token.\n", 44);
+ return 69;
+ }
+
+ return 0;
+}
diff --git a/packages/armadillo/src/killme.c b/packages/armadillo/src/killme.c
index b0f4952..90ba60b 100644
--- a/packages/armadillo/src/killme.c
+++ b/packages/armadillo/src/killme.c
@@ -1,11 +1,11 @@ #include -#include -#include #include -#include +#include +#include +#include "arc4.h" #include "token.h" -#define SIGS 20 +#define ROUNDS 20 uint8_t const key[] = {0x51, 0x91, 0x6d, 0x81, 0x14, 0x21, 0xf8, 0x95,
@@ -25,26 +25,12 @@ main(int argc, char *argv[]) { int i; - { - /* Seed random number generator */ - FILE *f; - int seed; - - f = fopen("/dev/urandom", "r"); - if (f) { - fread(&seed, sizeof(seed), 1, f); - srandom(seed); - } else { - srandom(getpid() * time(NULL)); - } - } - for (i = 1; i < 8; i += 1) { signal(i, handler); } - for (i = 0; i < SIGS; i += 1) { - int desired = (random() % 7) + 1; + for (i = 0; i < ROUNDS; i += 1) { + int desired = (arc4_rand8() % 7) + 1; lastsig = 0; printf("%d\n", desired);
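Review bot: In `dillo.c`, the result of `read(0, &c, 1)` is ignored, so on EOF or error `c` is compared with `v` while still uninitialized; that is undefined behaviour and lets the token gate depend on stack contents rather than on input. Checking the count closes it: `if (1 != read(0, &c, 1) || c != v) { return 1; }`. The failure path also returns the literal `69` where `killme.c` in this same commit switches to `EX_UNAVAILABLE`; using the named constant in both keeps them consistent.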
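Review bot: The second `killme.c` hunk (`@@ -25,26 +25,12 @@`) removes the only visible seeding (`/dev/urandom` with a `getpid() * time(NULL)` fallback) and relies on `arc4_rand8()`, but nothing on this page shows how the arc4 state is seeded. `dillo.c` uses the same call for its secret byte, so once confirmed in the arc4 source a comment above the loop such as `/* arc4_rand8() seeds itself from /dev/urandom on first use */` is worth adding; if that does not hold, the sequence is predictable. `arc4_rand8() % 7` is also slightly biased toward 1–4 because 256 is not a multiple of 7, which looks harmless here but deserves a short comment. `main` begins and ends outside the hunk.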
@@ -64,20 +50,9 @@ main(int argc, char *argv[]) } } - { - char token[200]; - size_t tokenlen; - - tokenlen = read_token("killme", - key, sizeof(key), - token, sizeof(token) - 1); - if (-1 == tokenlen) { - write(1, "Something is broken\nI can't read my token.\n", 43); - return 69; - } - token[tokenlen++] = '\n'; - - write(1, token, tokenlen); + if (-1 == print_token("killme", key, sizeof(key))) { + fprintf(stderr, "Something is broken; I can't read my token.\n"); + return EX_UNAVAILABLE; } return 0;
diff --git a/packages/armadillo/src/straceme.c b/packages/armadillo/src/straceme.c
index 9994e5a..badb03d 100644
--- a/packages/armadillo/src/straceme.c
+++ b/packages/armadillo/src/straceme.c
@@ -60,10 +60,10 @@ main(int argc, char *argv[]) close(fd); } - /* Read in category name from fd 2 (stderr!) + /* Read in category name from fd 5 * * echo -n straceme > foo.txt - * ./straceme $$ 2< foo.txt + * ./straceme $$ 5< foo.txt */ { char cat[50];
@@ -72,22 +72,16 @@ main(int argc, char *argv[]) size_t tokenlen; int i; - catlen = read(2, cat, sizeof(cat) - 1); + catlen = read(5, cat, sizeof(cat) - 1); for (i = 0; i < catlen; i += 1) { if (! isalnum(cat[i])) break; } cat[i] = '\0'; - tokenlen = read_token(cat, - key, sizeof(key), - token, sizeof(token) - 1); - if (-1 == tokenlen) { - write(1, "Something is broken\nI can't read my token.\n", 43); + if (-1 == print_token(cat, key, sizeof(key))) { + write(2, "Something is broken; I can't read my token.\n", 44); return 69; } - token[tokenlen++] = '\n'; - - write(1, token, tokenlen); } return 0; }
diff --git a/packages/mktokendkey b/packages/mktokendkey
index 366b5a9..849d6ff 100755
--- a/packages/mktokendkey
+++ b/packages/mktokendkey
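Review bot: In the second `straceme.c` hunk, `catlen = read(5, cat, sizeof(cat) - 1)` is used unchecked, and after the move from fd 2 to fd 5 a failed read becomes the normal case whenever the caller has not opened fd 5. The declaration of `catlen` is outside the hunk; if it is unsigned, a `-1` return makes `i < catlen` true for every `i`, so the scan and the `cat[i] = '\0'` store can run past the 50-byte buffer. Declaring it `ssize_t`, guarding with `if (catlen <= 0) return 1;`, and passing `(unsigned char)cat[i]` to `isalnum` would fix both. The context line `size_t tokenlen;` (and presumably the `token` buffer declared above the hunk) is left unused now that `print_token` does the output.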
@@ -1,19 +1,4 @@ #! /bin/sh -if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then - echo "Usage: $0 CATEGORY" - echo - echo "Creates tokend key for CATEGORY." - exit 1 -fi +dd bs=1 count=16 if=/dev/urandom | hd -puz=$1; shift -cat=${1:-$puz} - -d=$(dirname $0) - -td=$d/mcp/tokend.keys/$cat -echo "Writing new server key to $td" -dd bs=1 count=16 if=/dev/urandom of=$td - -hd $td
diff --git a/src/arc4.h b/src/arc4.h
index 337d96d..64dc565 100644
--- a/src/arc4.h
+++ b/src/arc4.h
@@ -1,6 +1,7 @@ #ifndef __ARC4_H__ #define __ARC4_H__ +#include #include #include