Merge branch 'master' of cfl:/var/projects/gctf

Curt Hash 2009-10-08 14:32:48 -06:00
commit 62d42934a0
18 changed files with 116 additions and 11 deletions


@ -0,0 +1,2 @@
Recovery, while not strictly necessary, may be tremendously helpful.


@ -0,0 +1 @@
jackalope wheeze

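--- a/puzzles/bletchley/50/key
+++ b/puzzles/bletchley/50/key
@@ -0,0 +1 @@
+extra special text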


@ -1,2 +1,48 @@
Recovery, while not strictly necessary, may be tremendously helpful. <HTML>
<BODY>
<B>You are doing a forensics evaluation of a linux box that you know has been compromised. You find a binary on the system and assume it was used by the attackers to hide data on box that that was exfiltrated. You dissamble the file and find the x86 assembly shown below (from Ida) - this function was used for obfuscation. You also find a file obfuscated by this tool. Using the key you find in this encoder code what is the unobfuscated first line of the file which starts with</B><PRE>8%%>p2pzpzp8%%>pe8%%>pe(#$e(+9"</PRE>
<BR> HINT: The function was orginally defined as void convert_buf(unsigned char * buf, int len).
<BR>
<PRE>
.text:08048474 ; =============== S U B R O U T I N E =======================================
.text:08048474
.text:08048474 ; Attributes: bp-based frame
.text:08048474
.text:08048474 public convert_buf
.text:08048474 convert_buf proc near ; CODE XREF: main+B2p
.text:08048474
.text:08048474 cnt = dword ptr -4
.text:08048474 buf = dword ptr 8
.text:08048474 len = dword ptr 0Ch
.text:08048474
.text:08048474 push ebp
.text:08048475 mov ebp, esp
.text:08048477 sub esp, 10h
.text:0804847A mov [ebp+cnt], 0
.text:08048481 mov [ebp+cnt], 0
.text:08048488 jmp short loc_80484A4
.text:0804848A ; ---------------------------------------------------------------------------
.text:0804848A
.text:0804848A loc_804848A: ; CODE XREF: convert_buf+36j
.text:0804848A mov eax, [ebp+cnt]
.text:0804848D mov edx, eax
.text:0804848F add edx, [ebp+buf]
.text:08048492 mov eax, [ebp+cnt]
.text:08048495 add eax, [ebp+buf]
.text:08048498 movzx eax, byte ptr [eax]
.text:0804849B xor eax, 4Ah
.text:0804849E mov [edx], al
.text:080484A0 add [ebp+cnt], 1
.text:080484A4
.text:080484A4 loc_80484A4: ; CODE XREF: convert_buf+14j
.text:080484A4 mov eax, [ebp+cnt]
.text:080484A7 cmp eax, [ebp+len]
.text:080484AA jl short loc_804848A
.text:080484AC leave
.text:080484AD retn
.text:080484AD convert_buf endp
.text:080484AD
.text:080484AE
</PRE>
</BODY>
</HTML>
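Review bot: The ciphertext sits raw inside `<PRE>…</PRE>`, which renders correctly only because this sample happens to contain no `<` or `&`; if the puzzle is regenerated with another key or plaintext, the browser may swallow or rewrite bytes the solver needs. Entity-escape the string when the page is generated (`&gt;`, `&lt;`, `&amp;`, `&quot;`), or offer the obfuscated file as a download alongside the page. The prompt also has typos worth fixing — `dissamble`, `orginally`, `on box that that was` — and the first two recur in puzzles/compaq/50/index.html.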


@ -1 +1 @@
jackalope wheeze root:x:0:0:root:/root:/bin/bash

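--- a/puzzles/compaq/50/index.html
+++ b/puzzles/compaq/50/index.html
@@ -0,0 +1,48 @@
+<HTML>
+<BODY>
+<B>You are doing a forensics evaluation of a linux box that you know has been compromised. You find a binary on the system and assume it was used by the attackers to hide data on box that they were going to exfiltrate. You dissamble the file and find the following lines of x86 assembly - this function was used to encode a buffer in place to obfuscate a file. What is the 1 byte key used to obfuscate the data (in hex)?</B>
+<BR> HINT: The function was orginally defined as void convert_buf(unsigned char * buf, int len). You can solve this puzzle by writing some code, or by using some of the advanced functions of some of the hex editors out there.
+<BR>
+<PRE>
+.text:08048474 ; =============== S U B R O U T I N E =======================================
+.text:08048474
+.text:08048474 ; Attributes: bp-based frame
+.text:08048474
+.text:08048474 public convert_buf
+.text:08048474 convert_buf proc near ; CODE XREF: main+B2p
+.text:08048474
+.text:08048474 cnt = dword ptr -4
+.text:08048474 buf = dword ptr 8
+.text:08048474 len = dword ptr 0Ch
+.text:08048474
+.text:08048474 push ebp
+.text:08048475 mov ebp, esp
+.text:08048477 sub esp, 10h
+.text:0804847A mov [ebp+cnt], 0
+.text:08048481 mov [ebp+cnt], 0
+.text:08048488 jmp short loc_80484A4
+.text:0804848A ; ---------------------------------------------------------------------------
+.text:0804848A
+.text:0804848A loc_804848A: ; CODE XREF: convert_buf+36j
+.text:0804848A mov eax, [ebp+cnt]
+.text:0804848D mov edx, eax
+.text:0804848F add edx, [ebp+buf]
+.text:08048492 mov eax, [ebp+cnt]
+.text:08048495 add eax, [ebp+buf]
+.text:08048498 movzx eax, byte ptr [eax]
+.text:0804849B xor eax, 4Ch
+.text:0804849E mov [edx], al
+.text:080484A0 add [ebp+cnt], 1
+.text:080484A4
+.text:080484A4 loc_80484A4: ; CODE XREF: convert_buf+14j
+.text:080484A4 mov eax, [ebp+cnt]
+.text:080484A7 cmp eax, [ebp+len]
+.text:080484AA jl short loc_804848A
+.text:080484AC leave
+.text:080484AD retn
+.text:080484AD convert_buf endp
+.text:080484AD
+.text:080484AE
+</PRE>
+</BODY>
+</HTML>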
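Review bot: The prompt asks for the key "in hex" but never says which spelling is accepted, while a key file later in this commit changes to the bare upper-case `4C`. If submissions are compared as exact strings (the checker is not shown here), `0x4C`, `4c` or the `4Ch` form IDA prints in the listing would all be rejected even though they are correct. State the expected format in the hint, for example `Answer as two upper-case hex digits with no prefix or suffix.`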


@ -1 +1 @@
extra special text 4C


@ -202,14 +202,16 @@ class Pflanzarr:
winner = random.choice(winners) winner = random.choice(winners)
html = ['<html>', html = ['<html>',
'<head><title>Game %d results</title>', '<head><title>Game %d Results</title>' % self._gameNum ,
'<link href="/ctf.css" rel="stylesheet" type="text/css">', '<link href="/tanks/ctf.css" rel="stylesheet" type="text/css">',
'</head>', '</head>',
'<body>', '<body>',
'<table><tr><th>Team<th>Kills<th>Cause of Death'] '<H1>Game %d Results</H1>' % self._gameNum,
'<table class="results">',
'<tr><th>Team<th>Kills<th>Cause of Death']
for tank in tanks: for tank in tanks:
if tank is winner: if tank is winner:
rowStyle = 'style="font-weight:bold; '\ rowStyle = 'style="text-decoration:underline; '\
'background-color:%s"' % tank.color 'background-color:%s"' % tank.color
else: else:
rowStyle = 'style="background-color:%s"' % tank.color rowStyle = 'style="background-color:%s"' % tank.color
@ -238,7 +240,7 @@ class Pflanzarr:
movieCmd = ['ffmpeg', movieCmd = ['ffmpeg',
'-r', '10', # Set the framerate to 10/second '-r', '10', # Set the framerate to 10/second
'-b', '8k', # Set the bitrate '-b', '4000k', # Set the bitrate
'-i', '%s/%%05d.ppm' % self._imageDir, # The input files. '-i', '%s/%%05d.ppm' % self._imageDir, # The input files.
# '-vcodec', 'msmpeg4v2', # '-vcodec', 'msmpeg4v2',
'%s/game.avi' % self._gameDir] '%s/game.avi' % self._gameDir]
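Review bot: `tank.color` is formatted straight into the `style="..."` attribute in both `rowStyle` branches, including the winner branch this change rewrites, and no escaping or validation is visible in the hunk. If the colour can come from team-supplied tank data (not shown here), a value containing `"` or `>` would close the attribute and put arbitrary markup into the results page that other teams load. Restrict it to a strict colour pattern before the loop, e.g. accept only values matching `r'#[0-9a-fA-F]{6}$'` and fall back to a fixed colour otherwise. The `for tank in tanks` body continues outside the hunk, so any other fields written into the row deserve the same check.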


@ -2,5 +2,5 @@
[ -f /var/lib/ctf/disabled/tanks ] && exit 0 [ -f /var/lib/ctf/disabled/tanks ] && exit 0
exec envuidgid ctf python2.6 run_tanks.py /var/lib/tanks/ easy 100 2>&1 exec envuidgid ctf python2.6 run_tanks.py /var/lib/tanks/ easy 500 2>&1
#envuidgid ctf report_score.py 2>&1 #envuidgid ctf report_score.py 2>&1


@ -98,3 +98,7 @@ fieldset * {
margin: 3px; margin: 3px;
} }
table.results td, th{
padding : 3px;
font-weight : bold;
}
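Review bot: The second selector in `table.results td, th{` is a bare `th`, so the padding and bold weight apply to every header cell on every page that loads this stylesheet, not only to the results table. Scope both halves of the list: `table.results td, table.results th {`.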


@ -24,6 +24,7 @@ teams.build_teams()
head = open('head.html').read() % "Error Report" head = open('head.html').read() % "Error Report"
print(head) print(head)
print('<H1>Your Errors</H1>')
print(open('links.html').read()) print(open('links.html').read())
def done(): def done():


@ -42,7 +42,7 @@ gameNums.sort(reverse=True)
i = 0 i = 0
num = str(gameNums[i]) num = str(gameNums[i])
for i in range(len(gameNums)): for i in range(len(gameNums)):
path = os.path.join( 'results', str(gameNums[i]), 'results.html') ) path = os.path.join( 'results', str(gameNums[i]), 'results.html')
if os.path.exists( path ): if os.path.exists( path ):
break break
gameNums = gameNums[i:] gameNums = gameNums[i:]
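Review bot: When none of the `results/<n>/results.html` paths exists, the loop around the corrected `os.path.join` line finishes without hitting `break`, `i` stays at the last index, and `gameNums = gameNums[i:]` keeps a game that has no results page. The `num = str(gameNums[i])` line above the loop also raises IndexError when the list is empty. A `for ... else:` that sets `gameNums = []`, together with an early exit on an empty list, would cover both cases. The code that consumes `gameNums` is outside the hunk, so confirm how it handles an empty list.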