neale/moth
neale
/
moth
mirror of https://github.com/dirtbags/moth.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add dillo puzzle

This commit is contained in:
Neale Pickett 2011-03-22 22:00:50 -06:00
parent 557b4cf4ec
commit d429727070
14 changed files with 138 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
packages/armadillo/service/pwnables/finish → packages/armadillo/service/armadillo/finish
View File

0
packages/armadillo/service/pwnables/ip.txt → packages/armadillo/service/armadillo/ip.txt
View File

0
packages/armadillo/service/pwnables/log/run → packages/armadillo/service/armadillo/log/run
View File

0
packages/armadillo/service/pwnables/motd → packages/armadillo/service/armadillo/motd
View File

0
packages/armadillo/service/pwnables/pwnie → packages/armadillo/service/armadillo/pwnie
View File

40
packages/armadillo/service/armadillo/run Executable file
View File

@ -0,0 +1,40 @@
#! /bin/sh -e
# Configure IP address
IP=$(cat ip.txt)
ip addr add $IP label eth0:armadillo dev eth0
# Set up chroot environment
# We never umount any of this since it's all just in RAM
mkdir -p /mnt/armadillo-root
grep -q armadillo-root /proc/mounts || mount -o bind / /mnt/armadillo-root
grep -q armadillo-var /proc/mounts || mount -t tmpfs -o size=5m,mode=0755 armadillo-var /mnt/armadillo-root/var
grep -q armadillo-tmp /proc/mounts || mount -t tmpfs -o size=15k armadillo-tmp /mnt/armadillo-root/tmp
grep -q armadillo-home /proc/mounts || mount -t tmpfs -o size=5m,mode=0755 armadillo-home /mnt/armadillo-root/home
# Make some skeleton junk
install -o root -m 0755 -d /mnt/armadillo-root/var/lib
install -o root -m 0755 -d /mnt/armadillo-root/var/lib/ctf
install -o root -m 0755 -d /mnt/armadillo-root/var/lib/ctf/tokens
install -o root -m 0755 -d /mnt/armadillo-root/var/log
install -o root -m 0755 -d /mnt/armadillo-root/var/spool
install -o root -m 0755 -d /mnt/armadillo-root/var/cache
install -o root -m 0777 -d /mnt/armadillo-root/var/run
install -o root -m 0777 -d /mnt/armadillo-root/var/cache
# Install the binaries
install -o root -d /mnt/armadillo-root/home/alice/
install -o bob -m 0111 /opt/armadillo/bin/gimmie /mnt/armadillo-root/home/alice/
install -o bob -m 0111 /opt/armadillo/bin/dillo /mnt/armadillo-root/home/alice/
# straceme and killme need to be suid, to prevent LD_PRELOAD
install -o bob -m 04111 /opt/armadillo/bin/straceme /mnt/armadillo-root/home/alice/
install -o bob -m 04111 /opt/armadillo/bin/killme /mnt/armadillo-root/home/alice/
# Set up links for tokens
mkdir -p /var/lib/ctf/tokens
for puzzle in gimmie straceme killme dillo; do
ln -sf /mnt/armadillo-root/var/lib/ctf/tokens/$puzzle /var/lib/ctf/tokens/$puzzle
done
exec tcpsvd -C 5:"Let's not be greedy" ${IP%/*} 23 /sbin/telnetd -l ./pwnie

42
packages/armadillo/service/pwnables/run
View File

@ -1,42 +0,0 @@
#! /bin/sh -e
# Configure IP address
IP=$(cat ip.txt)
ip addr add $IP label eth0:pwnables dev eth0
# Set up chroot environment
# We never umount any of this since it's all just in RAM
mkdir -p /mnt/pwnables-root
grep -q pwnables-root /proc/mounts || mount -o bind / /mnt/pwnables-root
grep -q pwnables-var /proc/mounts || mount -t tmpfs -o size=5m,mode=0755 pwnables-var /mnt/pwnables-root/var
grep -q pwnables-tmp /proc/mounts || mount -t tmpfs -o size=15k pwnables-tmp /mnt/pwnables-root/tmp
grep -q pwnables-home /proc/mounts || mount -t tmpfs -o size=5m pwnables-home /mnt/pwnables-root/home
# Make some skeleton junk
install -o root -m 0755 -d /mnt/pwnables-root/var/lib
install -o root -m 0755 -d /mnt/pwnables-root/var/lib/ctf
install -o root -m 0755 -d /mnt/pwnables-root/var/lib/ctf/tokens
install -o root -m 0755 -d /mnt/pwnables-root/var/log
install -o root -m 0755 -d /mnt/pwnables-root/var/spool
install -o root -m 0755 -d /mnt/pwnables-root/var/cache
install -o root -m 0777 -d /mnt/pwnables-root/var/run
install -o root -m 0777 -d /mnt/pwnables-root/var/cache
# Install the pwnables
install -o root -d /mnt/pwnables-root/home/alice/
install -o bob -m 0111 /opt/pwnables/bin/gimmie /mnt/pwnables-root/home/alice/
# ltrace needs to read the binary
install -o bob -m 0555 /opt/pwnables/bin/ltraceme /mnt/pwnables-root/home/alice/
# straceme and killme need to be suid, to prevent LD_PRELOAD
install -o bob -m 04111 /opt/pwnables/bin/straceme /mnt/pwnables-root/home/alice/
install -o bob -m 04111 /opt/pwnables/bin/killme /mnt/pwnables-root/home/alice/
# Set up links for tokens
mkdir -p /var/lib/ctf/tokens
for puzzle in gimmie ltraceme straceme killme; do
ln -sf /mnt/pwnables-root/var/lib/ctf/tokens/$puzzle /var/lib/ctf/tokens/$puzzle
done
exec tcpsvd -C 5:"Let's not be greedy" ${IP%/*} 23 /sbin/telnetd -l ./pwnie

1
packages/armadillo/src/Makefile
View File

@ -9,6 +9,7 @@ gimmie: gimmie.o token.o arc4.o
octopus: octopus.o token.o arc4.o octopus: octopus.o token.o arc4.o
straceme: straceme.o token.o arc4.o straceme: straceme.o token.o arc4.o
killme: killme.o token.o arc4.o killme: killme.o token.o arc4.o
dillo: dillo.o token.o arc4.o
install: $(TARGETS) install: $(TARGETS)
install -m 0755 $(TARGETS) $(DESTDIR)/bin install -m 0755 $(TARGETS) $(DESTDIR)/bin

22
packages/armadillo/src/dillo-solve Executable file
View File

@ -0,0 +1,22 @@
#! /usr/bin/python
import subprocess
# In the actual contest you'd want to run netcat or just
# open your own TCP connection to port 23 and run commands.
d = subprocess.Popen(['./dillo'],
stdout=subprocess.PIPE,
stdin=subprocess.PIPE)
o = d.stdout
i = d.stdin
c = o.read(1)
v = chr(ord(c) ^ 0x20)
i.write(v)
o.readline()
o.readline()
o.readline()
o.readline()
o.readline()
d.poll()

59
packages/armadillo/src/dillo.c Normal file
View File

@ -0,0 +1,59 @@
#include <unistd.h>
#include <time.h>
#include <stdint.h>
#include "arc4.h"
#include "token.h"
const uint8_t key[] =
{0xa5, 0xb1, 0x6f, 0xce,
0x59, 0x2d, 0xb1, 0xe9,
0x4b, 0x07, 0x91, 0x6d,
0x9f, 0x3b, 0xc8, 0xc6};
const char dillo[] =
(" .::7777::-.\n"
" /:'////' `::>/|/\n"
" .', |||| `/( e\\\n"
" -==~-'`-Xm````-mr' `-_\\\n");
int
main(int argc, char *argv[])
{
uint8_t v;
int i;
/* Pick a random non-zero xor value */
do {
v = arc4_rand8();
} while (! v);
/* Print the dillo */
for (i = 0; dillo[i]; i += 1) {
struct timespec req = {0, 33000000};
uint8_t c = dillo[i];
if ('\n' != c) {
c ^= v;
}
write(1, &c, 1);
nanosleep(&req, NULL);
}
/* Read a single byte; strace will help with solution */
{
uint8_t c;
read(0, &c, 1);
if (c != v) {
return 1;
}
}
if (-1 == print_token("dillo", key, sizeof(key))) {
write(2, "Something is broken; I can't read my token.\n", 44);
return 69;
}
return 0;
}

43
packages/armadillo/src/killme.c
View File

@ -1,11 +1,11 @@
#include <signal.h> #include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h> #include <unistd.h>
#include <time.h> #include <stdio.h>
#include <sysexits.h>
#include "arc4.h"
#include "token.h" #include "token.h"
#define SIGS 20 #define ROUNDS 20
uint8_t const key[] = {0x51, 0x91, 0x6d, 0x81, uint8_t const key[] = {0x51, 0x91, 0x6d, 0x81,
0x14, 0x21, 0xf8, 0x95, 0x14, 0x21, 0xf8, 0x95,
@ -25,26 +25,12 @@ main(int argc, char *argv[])
{ {
int i; int i;
{
/* Seed random number generator */
FILE *f;
int seed;
f = fopen("/dev/urandom", "r");
if (f) {
fread(&seed, sizeof(seed), 1, f);
srandom(seed);
} else {
srandom(getpid() * time(NULL));
}
}
for (i = 1; i < 8; i += 1) { for (i = 1; i < 8; i += 1) {
signal(i, handler); signal(i, handler);
} }
for (i = 0; i < SIGS; i += 1) { for (i = 0; i < ROUNDS; i += 1) {
int desired = (random() % 7) + 1; int desired = (arc4_rand8() % 7) + 1;
lastsig = 0; lastsig = 0;
printf("%d\n", desired); printf("%d\n", desired);
@ -64,20 +50,9 @@ main(int argc, char *argv[])
} }
} }
{ if (-1 == print_token("killme", key, sizeof(key))) {
char token[200]; fprintf(stderr, "Something is broken; I can't read my token.\n");
size_t tokenlen; return EX_UNAVAILABLE;
tokenlen = read_token("killme",
key, sizeof(key),
token, sizeof(token) - 1);
if (-1 == tokenlen) {
write(1, "Something is broken\nI can't read my token.\n", 43);
return 69;
}
token[tokenlen++] = '\n';
write(1, token, tokenlen);
} }
return 0; return 0;

16
packages/armadillo/src/straceme.c
View File

@ -60,10 +60,10 @@ main(int argc, char *argv[])
close(fd); close(fd);
} }
/* Read in category name from fd 2 (stderr!) /* Read in category name from fd 5
* *
* echo -n straceme > foo.txt * echo -n straceme > foo.txt
* ./straceme $$ 2< foo.txt * ./straceme $$ 5< foo.txt
*/ */
{ {
char cat[50]; char cat[50];
@ -72,22 +72,16 @@ main(int argc, char *argv[])
size_t tokenlen; size_t tokenlen;
int i; int i;
catlen = read(2, cat, sizeof(cat) - 1); catlen = read(5, cat, sizeof(cat) - 1);
for (i = 0; i < catlen; i += 1) { for (i = 0; i < catlen; i += 1) {
if (! isalnum(cat[i])) break; if (! isalnum(cat[i])) break;
} }
cat[i] = '\0'; cat[i] = '\0';
tokenlen = read_token(cat, if (-1 == print_token(cat, key, sizeof(key))) {
key, sizeof(key), write(2, "Something is broken; I can't read my token.\n", 44);
token, sizeof(token) - 1);
if (-1 == tokenlen) {
write(1, "Something is broken\nI can't read my token.\n", 43);
return 69; return 69;
} }
token[tokenlen++] = '\n';
write(1, token, tokenlen);
} }
return 0; return 0;
} }

17
packages/mktokendkey
View File

@ -1,19 +1,4 @@
#! /bin/sh #! /bin/sh
if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then dd bs=1 count=16 if=/dev/urandom | hd
echo "Usage: $0 CATEGORY"
echo
echo "Creates tokend key for CATEGORY."
exit 1
fi
puz=$1; shift
cat=${1:-$puz}
d=$(dirname $0)
td=$d/mcp/tokend.keys/$cat
echo "Writing new server key to $td"
dd bs=1 count=16 if=/dev/urandom of=$td
hd $td

1
src/arc4.h
View File

@ -1,6 +1,7 @@
#ifndef __ARC4_H__ #ifndef __ARC4_H__
#define __ARC4_H__ #define __ARC4_H__
#include <stdio.h>
#include <stdint.h> #include <stdint.h>
#include <stdlib.h> #include <stdlib.h>