From 4c4656ede082780bc9915cd09fc87a7333fda9d1 Mon Sep 17 00:00:00 2001
From: Neale Pickett
Date: Fri, 22 Oct 2010 11:15:37 -0600
Subject: [PATCH] A couple fixes made during NSM

---
 doc/ideas.txt | 10 +++++++++-
 mcp/src/puzzler.cgi.c | 2 +-
 mcp/www/ctf.css | 4 +++-
 octopus/solution.sh | 5 +++--
 pwnables/service/eth0.pwn/run | 8 +++++---
 pwnables/service/sshd.pwn/log/run | 3 +++
 pwnables/service/sshd.pwn/rsa.key | Bin 0 -> 427 bytes
 pwnables/service/sshd.pwn/run | 10 ++++++++++
 8 files changed, 34 insertions(+), 8 deletions(-)
 create mode 100755 pwnables/service/sshd.pwn/log/run
 create mode 100644 pwnables/service/sshd.pwn/rsa.key
 create mode 100755 pwnables/service/sshd.pwn/run

diff --git a/doc/ideas.txt b/doc/ideas.txt
index 0bf82e9..723a657 100644
--- a/doc/ideas.txt
+++ b/doc/ideas.txt
@@ -1,6 +1,5 @@
 Ideas for puzzles
 =================
-* Hide something in a .docx zip file
 * Bootable image with FreeDOS, Linux, Inferno? HURD?
 * Bury puzzles in various weird locations within each OS
 * Maybe put some in the boot loader, too
@@ -9,7 +8,16 @@ Ideas for puzzles
 * DHCP option
 * Single TCP RST with token in payload
 * Multiple TCP RST with different payloads
+ * http://10.0.0.2/token
 * PXE boot some sort of points-gathering client
 * Init asks for a team hash, and starts awarding points
 * Broken startup scripts, when fixed award more points
 * Lots of remote exploits
+* "qemu -net socket" vpn thingy and then...
+
+
+Capture the Packet
+------------------
+
+* Jim Meilander could teach a class about Bro
+* Use qemu -net socket,connect=10.0.0.2:5399 for capture the packet
diff --git a/mcp/src/puzzler.cgi.c b/mcp/src/puzzler.cgi.c
index 4c71c5c..2fdbe36 100644
--- a/mcp/src/puzzler.cgi.c
+++ b/mcp/src/puzzler.cgi.c
@@ -49,7 +49,7 @@ main(int argc, char *argv[])
   char *p;
 
   for (p = category; *p; p += 1) {
-    if (! isalnum(*p)) {
+    if ((! isalnum(*p)) && ('-' != *p)) {
       cgi_page("Invalid category", "");
     }
   }
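Review bot: `isalnum(*p)` is still called with a plain `char`; where `char` is signed, a byte of 0x80 or above in the client-supplied `category` is passed as a negative value, which is undefined behaviour for the `<ctype.h>` functions, so the new condition should read `if ((! isalnum((unsigned char)*p)) && ('-' != *p)) {`. `isalnum` is also locale-dependent; if the intent is to admit only ASCII letters, digits and `-` before `category` is used further down, an explicit range check is the more predictable choice (that later use is outside the hunk, so this is an assumption). The hunk does not show whether `cgi_page` terminates the process; if it returns, the loop just continues and the rejected value is still used, so either a comment such as `/* cgi_page() does not return */` or an explicit `exit` after the call would make the contract clear. main's body begins and ends outside the hunk.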
diff --git a/mcp/www/ctf.css b/mcp/www/ctf.css
index 8bc503b..90fff8a 100644
--- a/mcp/www/ctf.css
+++ b/mcp/www/ctf.css
@@ -162,4 +162,6 @@ table.pollster thead {
   font-weight: bold;
 }
 
-
+table.scoreboard {
+  height: 400px;
+}
diff --git a/octopus/solution.sh b/octopus/solution.sh
index 3745ab0..a3b938e 100755
--- a/octopus/solution.sh
+++ b/octopus/solution.sh
@@ -1,14 +1,15 @@
 #! /bin/sh
 
 port=8888
+host=10.0.0.10
 blooper=$(tempfile)
 
 trap "rm $blooper" 0
 
-echo foo | socat -t 0.01 STDIO UDP:127.0.0.1:8888 | tail -n +4 > $blooper
+echo foo | socat -t 0.01 STDIO UDP:$host:$port | tail -n +4 > $blooper
 
 for i in $(seq 8); do
-  result=$(socat -t 0.01 STDIO UDP:127.0.0.1:$port < $blooper | awk -F': ' '(NF > 1) {print $2; exit;}')
+  result=$(socat -t 0.01 STDIO UDP:$host:$port < $blooper | awk -F': ' '(NF > 1) {print $2; exit;}')
   port=$(echo "ibase=8; $result" | bc)
   echo $port
 done
diff --git a/pwnables/service/eth0.pwn/run b/pwnables/service/eth0.pwn/run
index a6b4415..c5aeb14 100755
--- a/pwnables/service/eth0.pwn/run
+++ b/pwnables/service/eth0.pwn/run
@@ -1,8 +1,10 @@
 #! /bin/sh
 
-if ! [ -d /opt/mcp ]; then
-  hostname pwnables
-  ifconfig eth0 10.0.0.10 netmask 255.0.0.0
+if [ -d /opt/mcp ]; then
+  sv d .
+  exit
 fi
+hostname pwnables
+ifconfig eth0 10.0.0.10 netmask 255.0.0.0
 
 exec inotifyd true $(pwd):x
diff --git a/pwnables/service/sshd.pwn/log/run b/pwnables/service/sshd.pwn/log/run
new file mode 100755
index 0000000..4794c8e
--- /dev/null
+++ b/pwnables/service/sshd.pwn/log/run
@@ -0,0 +1,3 @@
+#! /bin/sh
+
+exec logger -t sshd
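Review bot: The new guard `if [ -d /opt/mcp ]; then sv d .; exit; fi` in pwnables/service/eth0.pwn/run encodes an environment assumption that is nowhere written down — apparently that a host with /opt/mcp is not the pwnables box and must not have eth0 reconfigured — and the same block is repeated in the new pwnables/service/sshd.pwn/run later in this patch. A one-line comment above it, for example `# /opt/mcp is present only on the MCP host: never reconfigure eth0 there`, would record the intent in both places (the meaning of /opt/mcp is inferred here, so confirm the wording). The guard also relies on `sv d .` succeeding before `exit`; if `sv` is missing or the supervise directory is not set up, the script exits and, under runit's usual behaviour, is restarted repeatedly, so `sv d . || exit 1` or a logged failure is worth considering, though that depends on the service layout not shown in the hunk.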
diff --git a/pwnables/service/sshd.pwn/rsa.key b/pwnables/service/sshd.pwn/rsa.key new file mode 100644 index 0000000000000000000000000000000000000000..f5304714ddfc57c5e1e6262755e7887a495e8f32 GIT binary patch literal 427 zcmV;c0aX3~000Mbb7(Dcb724g00RL40RR91g8+&Gz9X&3hPr_T!}rb#=j4h2g7>pY zuuBMGH)k02`GM#KTQ9>6G*s*KUo6R}hHa*3&psvA_6wYpXY$jsrw-(5z|qg$P_{ge zACA2a5W5&jw^$0VZnU!1V9+%h`nUxxw~QTW^nJVBdmAc4 zM$MP4B15JT;*&m15zXV-U01OcE)`{fVBs5)f(^yw0TTxv%_E$Qn~vBx`G z0000&0Io)rLhx?jZ~=+z1L|H7?O+XZ&1 + +if [ -d /opt/mcp ]; then + sv d . + exit +fi + +exec dropbear -r ./rsa.key -E -F