Add pwn-ubuntu_22.04 and update the project description
Randark-JMT committed Aug 30, 2023
1 parent 350ed11 commit 5481d07
Showing 12 changed files with 173 additions and 11 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/release.yml
Expand Up @@ -20,11 +20,11 @@ jobs:
python-version: "3.10"

- name: Package
run: python3 ./workflow-action/deploy.py
run: python3 ./source-workflow/deploy.py

- name: Release
uses: ncipollo/release-action@v1
with:
tag: newest
tag: 已打包模板下载
artifacts: "release/*"
bodyFile: "./workflow-action/body.md"
bodyFile: "./source-workflow/body.md"
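Review bot: The `tag:` input in the Release step changes from `newest` to the non-ASCII value `已打包模板下载`, so the Git tag and every release download URL become percent-encoded, and anything that still references the `newest` tag will no longer see new builds. Keep an ASCII tag and put the Chinese title in the action's `name` input instead. In the same step, `ncipollo/release-action@v1` is a mutable tag; pinning it to a full commit SHA keeps the release job from picking up upstream changes unreviewed.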
18 changes: 11 additions & 7 deletions README.md
Expand Up @@ -9,9 +9,9 @@

三种动态flag部署方式,支持GZCTF、CTFd、安恒DASCTF等支持Docker动态部署题目靶机的平台

**有问题请开issue,好用请点star**
**有问题请开issue,好用请点star,有问题的话欢迎通过 [CTF-Archives售后快速服务群](http://qm.qq.com/cgi-bin/qm/qr?_wv=1027&k=KFamhBpmURTZpndhc0MI7_1l3a6Xezrf&authKey=Yenwm7%2B%2F%2FT%2BtSXCSyr%2B7fYS47Ot0MwFqesH4HOLT8ZADE2e9XO6AS96HQvjxh%2B%2BG&noverify=0&group_code=894957229) 联系维护人员寻求帮助**

## 请注意,此仓库内的模板仅在Linux环境(linux/amd64)下进行测试并保证可用性,如果为windows(windows/amd64)或者macos(linux/arm)等其他架构,不保证不会出问题😔
## 请注意,此仓库内的模板仅在Linux环境(linux/amd64)下进行测试并保证可用性,如果为windows(windows/amd64)或者macos(linux/arm)等其他架构,不保证可用性😔

## 关于每个模板内的文件内容
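Review bot: The support-group link added to the bold line uses plain `http://` and carries a long `authKey` query string, and the sentence now says 有问题 twice. Prefer an `https://` form of the invite link and reduce the line to one request per channel (issues for bugs, the group for help). In the platform warning heading, `macos(linux/arm)` pairs macOS with a Linux platform string; state the platform that is actually meant.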

Expand Down Expand Up @@ -69,12 +69,16 @@ sed -i ""s/\r//"" docker-entrypoint.sh

请注意,`sed`指令在`unix(macos)`下的预期执行效果与`linux`下的预期执行效果不同

## 如有其他问题
## A little advertisement

欢迎直接提issue,一般于三个工作日内就能有回复,也请遇到问题的时候能提供当前的整体题目文件,以及具体的报错/信息
[Randark-JMT](https://github.com/Randark-JMT) 可以无偿为CTF平台搭建、题目打包提供一定帮助,欢迎联系😘

也欢迎通过 [CTF-Archives售后快速服务群](http://qm.qq.com/cgi-bin/qm/qr?_wv=1027&k=KFamhBpmURTZpndhc0MI7_1l3a6Xezrf&authKey=Yenwm7%2B%2F%2FT%2BtSXCSyr%2B7fYS47Ot0MwFqesH4HOLT8ZADE2e9XO6AS96HQvjxh%2B%2BG&noverify=0&group_code=894957229) 或者 [CTF快速入门手册 - QQ群聊](http://qm.qq.com/cgi-bin/qm/qr?_wv=1027&k=wJ35e-T-qSlU7Y3Cs-PAasrAvZfRSc9k&authKey=WNEQbZUpolxgfKjUHHoUIoTBvSnvk2jZtcyWlhaDcUZ6ZYGgvywqi1ah5D7UwUrg&noverify=0&group_code=590430891) 联系维护人员寻求帮助
## 参考与鸣谢

## A little advertisement
[https://github.com/CTFTraining](https://github.com/CTFTraining)

[Randark-JMT](https://github.com/Randark-JMT) 可以无偿为CTF平台搭建、题目打包提供一定帮助,欢迎联系😘
感谢**glzjin-赵总****mozhu1024-陌竹**师傅们的项目,根据上述仓库,此项目才有了雏形,感谢他们为CTF事业做出的巨大贡献

[qsnctf / qsnctf_base_docker_images 青少年CTF基础Docker镜像](https://github.com/qsnctf/qsnctf_base_docker_images)

感谢**末心**师傅对相关模板作出的建议与努力
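Review bot: Removing the `## 如有其他问题` section also drops the only guidance on what to attach to an issue (the full challenge files and the exact error output) and the stated three-working-day response time. If that is intended, fold the attachment request into the bold issue line near the top so reports stay actionable. In the new acknowledgements, `**glzjin-赵总****mozhu1024-陌竹**` runs two bold spans together; put a separator between them so the names render separately.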
55 changes: 55 additions & 0 deletions pwn-ubuntu_22.04/Dockerfile
@@ -0,0 +1,55 @@
FROM ubuntu:22.04

# 制作者信息
LABEL auther_template="CTF-Archives"

# apt更换镜像源,并安装相关依赖
RUN sed -i 's@//.*archive.ubuntu.com@//mirrors.ustc.edu.cn@g' /etc/apt/sources.list && \
sed -i 's@//.*security.ubuntu.com@//mirrors.ustc.edu.cn@g' /etc/apt/sources.list
RUN apt-get update && apt-get -y dist-upgrade && \
apt-get install -y lib32z1 xinetd

# 新建用户,并进行账户改变
RUN useradd -m ctf
WORKDIR /home/ctf

# 复制相关lib,并处理环境
RUN cp -R /usr/lib* /home/ctf

# 配置特殊管道映射
RUN mkdir /home/ctf/dev && \
mknod /home/ctf/dev/null c 1 3 && \
mknod /home/ctf/dev/zero c 1 5 && \
mknod /home/ctf/dev/random c 1 8 && \
mknod /home/ctf/dev/urandom c 1 9 && \
chmod 666 /home/ctf/dev/*

# 设置xinetd启动之后,chroot限制能使用的bin程序
RUN mkdir /home/ctf/bin && \
cp /bin/sh /home/ctf/bin && \
cp /bin/ls /home/ctf/bin && \
cp /bin/cat /home/ctf/bin && \
cp /usr/bin/timeout /home/ctf/bin

# 部署xinetd服务
COPY ./config/ctf.xinetd /etc/xinetd.d/ctf
RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail

# 复制容器启动脚本
COPY ./service/docker-entrypoint.sh /
RUN chmod +x /docker-entrypoint.sh

# 部署程序
COPY ./src/attachment /home/ctf/attachment

# 初始化flag
RUN chown -R root:ctf /home/ctf && \
chmod -R 750 /home/ctf && \
touch /home/ctf/flag && \
chmod 744 /home/ctf/flag

# [可选]指定对外暴露端口,对于GZCTF等平台,强制EXPOSE可能会造成非预期端口泄露,请酌情启用
# EXPOSE 9999

# 指定容器入口点
ENTRYPOINT ["/bin/bash","/docker-entrypoint.sh"]
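Review bot: `apt-get -y dist-upgrade` on an unpinned `FROM ubuntu:22.04` makes the libc inside the image depend on the build date, so two builds of the same challenge can ship different glibc 2.35 patch levels and a libc handed out to players may not match the remote. Pin the base image by digest and drop `dist-upgrade` (or install pinned package versions), and distribute the libc and loader copied out of the built image. In the flag step, `touch` runs after `chown -R root:ctf`, so `/home/ctf/flag` ends up root-owned with mode `744`; `444`, or `440` after a `chgrp ctf`, expresses the intent without the execute bit. The label key `auther_template` looks like a typo for `author_template`.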
32 changes: 32 additions & 0 deletions pwn-ubuntu_22.04/README.md
@@ -0,0 +1,32 @@
# pwn-ubuntu_22.04

## 环境说明

提供 `Ubuntu 22.04 GLIBC 2.35` 的基础环境,并已经添加 `lib32z1` + `xinetd` 软件包,并基于 `xinetd` 实现服务转发,默认暴露端口位于9999

实现:当选手连接到对应端口(默认为9999端口,默认选手使用 `netcat` )的时候,运行 `程序文件`,并将会话转发至选手的连接

镜像做到:
- 选手通过端口连接到容器/靶机
- xinted服务检测到连接,启动一个 `chroot` 会话
- `chroot` 通过参数 `--userspec=1000:1000 /home/ctf` 限制了程序运行时的账户权限,并更改了程序运行时的root根目录环境位置为 `/home/ctf` ,然后在限制环境中启动程序
- `xinted` 将程序会话转发给选手的连接

## 如何使用

将程序文件放入 `./src` 目录即可,文件名请修改为 `attachment` 作为文件名,便于镜像定位程序位置

如果需要更改为自己的文件名,需要在 `./config/ctf.xinetd``./Dockerfile``./service/docker-entrypoint.sh` 中进行修改

程序放置进 `./src` 目录之后,执行
```shell
docker build .
```
即可开始编译镜像

也可以在安放好程序文件之后,直接使用 `./docker/docker-compose.yml` 内的 `docker-compose` 文件实现一键启动测试容器

```shell
cd ./docker
docker-compose up -d
```
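Review bot: The 镜像做到 list spells the service `xinted` in two bullets while the rest of the file and the config use `xinetd`; fix both so a search for the service name finds them. The sentence about renaming the binary lists `./config/ctf.xinetd`, `./Dockerfile` and `./service/docker-entrypoint.sh` with no separators between the code spans, which renders as one run. The chroot bullet documents `--userspec=1000:1000`, which only matches the `ctf` account if `useradd` assigns it UID 1000; say so, or note that the Dockerfile must create the user with that UID.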
21 changes: 21 additions & 0 deletions pwn-ubuntu_22.04/config/ctf.xinetd
@@ -0,0 +1,21 @@
service ctf
{
disable = no
socket_type = stream
protocol = tcp
wait = no
user = root
type = UNLISTED
port = 9999
bind = 0.0.0.0
# 设置xinetd连接启动后的服务程序
server = /usr/sbin/chroot
# 设置chroot的相关参数
server_args = --userspec=1000:1000 /home/ctf ./attachment
banner_fail = /etc/banner_fail
# safety options
per_source = 10 # the maximum instances of this service per source IP address
rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use
#rlimit_as = 1024M # the Address Space resource limit for the service
#access_times = 2:00-9:00 12:00-24:00
}
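Review bot: Nothing in this service bounds wall-clock time or memory: `rlimit_cpu = 20` counts CPU seconds only, so a connection that sits blocked on input is never reaped, and `rlimit_as` is commented out. The Dockerfile already copies `timeout` into `/home/ctf/bin`, so `server_args` can run the binary under it, for example `--userspec=1000:1000 /home/ctf /bin/timeout 60 ./attachment` (the 60 is a placeholder value). An `instances` cap alongside `per_source` would also bound the total number of concurrent processes.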
11 changes: 11 additions & 0 deletions pwn-ubuntu_22.04/docker/docker-compose.yml
@@ -0,0 +1,11 @@
version: '3'
services:
test:
build: ../
environment:
# 仅为测试用flag
FLAG: "flag{a63b4d37-7681-4850-b6a7-0d7109febb19}"
ports:
# 设置了暴露端口
- 9999:9999
restart: unless-stopped
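Review bot: The `ports` entry `9999:9999` publishes the test challenge on every host interface, and `restart: unless-stopped` keeps it listening across reboots. For a compose file meant for local testing, bind it to loopback with `127.0.0.1:9999:9999` and leave wider exposure to the CTF platform.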
30 changes: 30 additions & 0 deletions pwn-ubuntu_22.04/service/docker-entrypoint.sh
@@ -0,0 +1,30 @@
#!/bin/sh

# Get the user
user=$(ls /home)

# Check the environment variables for the flag and assign to INSERT_FLAG
if [ "$DASFLAG" ]; then
INSERT_FLAG="$DASFLAG"
export DASFLAG=no_FLAG
DASFLAG=no_FLAG
elif [ "$FLAG" ]; then
INSERT_FLAG="$FLAG"
export FLAG=no_FLAG
FLAG=no_FLAG
elif [ "$GZCTF_FLAG" ]; then
INSERT_FLAG="$GZCTF_FLAG"
export GZCTF_FLAG=no_FLAG
GZCTF_FLAG=no_FLAG
else
INSERT_FLAG="flag{TEST_Dynamic_FLAG}"
fi

# 将FLAG写入文件 请根据需要修改
echo $INSERT_FLAG | tee /home/$user/flag

# 赋予程序运行权限
chmod 711 /home/ctf/attachment

/etc/init.d/xinetd start;
sleep infinity;
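Review bot: `echo $INSERT_FLAG | tee /home/$user/flag` copies the flag to the container's stdout, so it ends up in `docker logs` and in whatever log collection the platform runs; the expansion is also unquoted. Write it with a redirect instead, e.g. `printf '%s\n' "$INSERT_FLAG" > "/home/$user/flag"`. The `if`/`elif` chain overwrites only the first flag variable it finds, so if more than one of `DASFLAG`, `FLAG` and `GZCTF_FLAG` is set, the others stay in the environment that xinetd is started from; reset all three unconditionally. `user=$(ls /home)` breaks as soon as `/home` holds a second entry, and the later `chmod 711 /home/ctf/attachment` hard-codes `ctf` anyway, so use one fixed path in both places.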
Binary file added pwn-ubuntu_22.04/src/attachment
Binary file not shown.
3 changes: 3 additions & 0 deletions source-workflow/README.md
@@ -0,0 +1,3 @@
# Workflow 相关文件

此文件夹内的文件用于为 Github Action 自动化流提供支持,请勿随意修改
6 changes: 6 additions & 0 deletions source-workflow/body.md
@@ -0,0 +1,6 @@
以下压缩包基于 Github Action 进行自动化打包,**不保证与源码之间的完整正确(已尽力保证)**

可以尝试以下镜像/加速服务

- https://github.ur1.fun/
- https://github.zhlh6.cn/
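Review bot: The two mirror links route release downloads through third-party proxies, and the first line already says the archives are not guaranteed to match the source, so a user has no way to check what they received. Have the packaging step publish SHA-256 checksums with the release and list them (or link to them) in this body, and say who operates the mirrors.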
1 change: 1 addition & 0 deletions workflow-action/deploy.py → source-workflow/deploy.py
Expand Up @@ -13,6 +13,7 @@
if (
not directory.name.startswith(".")
and not directory.name.startswith("sp")
and not directory.name.startswith("source")
and os.path.isdir("./" + directory.name)
and directory.name != "release"
):
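Review bot: The added `not directory.name.startswith("source")` is a prefix match, so any future template directory whose name begins with `source` is silently left out of the release, the same way the existing `sp` prefix behaves. Compare against the exact name, `directory.name != "source-workflow"`, as the condition already does for `release`.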
1 change: 0 additions & 1 deletion workflow-action/body.md

This file was deleted.
