Commit 5481d07 (1 parent: 350ed11)
Showing 12 changed files with 173 additions and 11 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
FROM ubuntu:22.04 | ||
|
||
# 制作者信息 | ||
LABEL auther_template="CTF-Archives" | ||
|
||
# apt更换镜像源,并安装相关依赖 | ||
RUN sed -i 's@//.*archive.ubuntu.com@//mirrors.ustc.edu.cn@g' /etc/apt/sources.list && \ | ||
sed -i 's@//.*security.ubuntu.com@//mirrors.ustc.edu.cn@g' /etc/apt/sources.list | ||
RUN apt-get update && apt-get -y dist-upgrade && \ | ||
apt-get install -y lib32z1 xinetd | ||
|
||
# 新建用户,并进行账户改变 | ||
RUN useradd -m ctf | ||
WORKDIR /home/ctf | ||
|
||
# 复制相关lib,并处理环境 | ||
RUN cp -R /usr/lib* /home/ctf | ||
|
||
# 配置特殊管道映射 | ||
RUN mkdir /home/ctf/dev && \ | ||
mknod /home/ctf/dev/null c 1 3 && \ | ||
mknod /home/ctf/dev/zero c 1 5 && \ | ||
mknod /home/ctf/dev/random c 1 8 && \ | ||
mknod /home/ctf/dev/urandom c 1 9 && \ | ||
chmod 666 /home/ctf/dev/* | ||
|
||
# 设置xinetd启动之后,chroot限制能使用的bin程序 | ||
RUN mkdir /home/ctf/bin && \ | ||
cp /bin/sh /home/ctf/bin && \ | ||
cp /bin/ls /home/ctf/bin && \ | ||
cp /bin/cat /home/ctf/bin && \ | ||
cp /usr/bin/timeout /home/ctf/bin | ||
|
||
# 部署xinetd服务 | ||
COPY ./config/ctf.xinetd /etc/xinetd.d/ctf | ||
RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail | ||
|
||
# 复制容器启动脚本 | ||
COPY ./service/docker-entrypoint.sh / | ||
RUN chmod +x /docker-entrypoint.sh | ||
|
||
# 部署程序 | ||
COPY ./src/attachment /home/ctf/attachment | ||
|
||
# 初始化flag | ||
RUN chown -R root:ctf /home/ctf && \ | ||
chmod -R 750 /home/ctf && \ | ||
touch /home/ctf/flag && \ | ||
chmod 744 /home/ctf/flag | ||
|
||
# [可选]指定对外暴露端口,对于GZCTF等平台,强制EXPOSE可能会造成非预期端口泄露,请酌情启用 | ||
# EXPOSE 9999 | ||
|
||
# 指定容器入口点 | ||
ENTRYPOINT ["/bin/bash","/docker-entrypoint.sh"] |
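Review bot: in the flag initialisation step, `touch /home/ctf/flag` runs after `chown -R root:ctf /home/ctf`, so the flag is created as root:root and the service user can read it only through the world-read bit of `chmod 744`, which also sets an owner execute bit that a data file does not need. Suggest `chown root:ctf /home/ctf/flag && chmod 640 /home/ctf/flag` so access goes through the `ctf` group like the rest of the tree. Separately, `useradd -m ctf` leaves the UID to whatever the base image assigns, while `config/ctf.xinetd` hard-codes `--userspec=1000:1000`; `useradd -u 1000 -m ctf` would make that dependency explicit. The `ENTRYPOINT` also runs the script with `/bin/bash` although the script's shebang is `#!/bin/sh`; pick one.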
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
# pwn-ubuntu_22.04 | ||
|
||
## 环境说明 | ||
|
||
提供 `Ubuntu 22.04 GLIBC 2.35` 的基础环境,并已经添加 `lib32z1` + `xinetd` 软件包,并基于 `xinetd` 实现服务转发,默认暴露端口位于9999 | ||
|
||
实现:当选手连接到对应端口(默认为9999端口,默认选手使用 `netcat` )的时候,运行 `程序文件`,并将会话转发至选手的连接 | ||
|
||
镜像做到: | ||
- 选手通过端口连接到容器/靶机 | ||
- xinted服务检测到连接,启动一个 `chroot` 会话 | ||
- `chroot` 通过参数 `--userspec=1000:1000 /home/ctf` 限制了程序运行时的账户权限,并更改了程序运行时的root根目录环境位置为 `/home/ctf` ,然后在限制环境中启动程序 | ||
- `xinted` 将程序会话转发给选手的连接 | ||
|
||
## 如何使用 | ||
|
||
将程序文件放入 `./src` 目录即可,文件名请修改为 `attachment` 作为文件名,便于镜像定位程序位置 | ||
|
||
如果需要更改为自己的文件名,需要在 `./config/ctf.xinetd`、`./Dockerfile` 和 `./service/docker-entrypoint.sh` 中进行修改 | ||
|
||
程序放置进 `./src` 目录之后,执行 | ||
```shell | ||
docker build . | ||
``` | ||
即可开始编译镜像 | ||
|
||
也可以在安放好程序文件之后,直接使用 `./docker/docker-compose.yml` 内的 `docker-compose` 文件实现一键启动测试容器 | ||
|
||
```shell | ||
cd ./docker | ||
docker-compose up -d | ||
``` |
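Review bot: `xinted` in the first and last `xinted` list items under "镜像做到" is a misspelling of `xinetd`, which is spelled correctly in the "环境说明" paragraph; please fix both so readers can search for the service name. The same paragraph says port 9999 is exposed by default, but the Dockerfile in this commit leaves `EXPOSE 9999` commented out, so "listens on 9999" would describe the image more accurately. The sentence "文件名请修改为 `attachment` 作为文件名" also repeats itself and can be shortened.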
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
service ctf | ||
{ | ||
disable = no | ||
socket_type = stream | ||
protocol = tcp | ||
wait = no | ||
user = root | ||
type = UNLISTED | ||
port = 9999 | ||
bind = 0.0.0.0 | ||
# 设置xinetd连接启动后的服务程序 | ||
server = /usr/sbin/chroot | ||
# 设置chroot的相关参数 | ||
server_args = --userspec=1000:1000 /home/ctf ./attachment | ||
banner_fail = /etc/banner_fail | ||
# safety options | ||
per_source = 10 # the maximum instances of this service per source IP address | ||
rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use | ||
#rlimit_as = 1024M # the Address Space resource limit for the service | ||
#access_times = 2:00-9:00 12:00-24:00 | ||
} |
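Review bot: under `# safety options`, `rlimit_cpu = 20` bounds CPU seconds only, so a connection that sits blocked on input is never ended, and with `#rlimit_as = 1024M` commented out there is no memory ceiling per instance. `per_source = 10` caps connections per address but nothing caps the total; consider adding an `instances` limit, enabling `rlimit_as`, and running the challenge under the `timeout` binary that the Dockerfile already copies into `/home/ctf/bin`. A short comment explaining that `user = root` is required only so `chroot` can run before `--userspec=1000:1000` drops privileges would also help future editors.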
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
version: '3' | ||
services: | ||
test: | ||
build: ../ | ||
environment: | ||
# 仅为测试用flag | ||
FLAG: "flag{a63b4d37-7681-4850-b6a7-0d7109febb19}" | ||
ports: | ||
# 设置了暴露端口 | ||
- 9999:9999 | ||
restart: unless-stopped |
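Review bot: `- 9999:9999` under `ports` publishes the challenge on every host interface, which is more than a file commented as a test setup needs; `- 127.0.0.1:9999:9999` keeps a deliberately vulnerable service local to the machine running the test. The `version: '3'` key is ignored by current Compose releases and can be dropped.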
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
#!/bin/sh | ||
|
||
# Get the user | ||
user=$(ls /home) | ||
|
||
# Check the environment variables for the flag and assign to INSERT_FLAG | ||
if [ "$DASFLAG" ]; then | ||
INSERT_FLAG="$DASFLAG" | ||
export DASFLAG=no_FLAG | ||
DASFLAG=no_FLAG | ||
elif [ "$FLAG" ]; then | ||
INSERT_FLAG="$FLAG" | ||
export FLAG=no_FLAG | ||
FLAG=no_FLAG | ||
elif [ "$GZCTF_FLAG" ]; then | ||
INSERT_FLAG="$GZCTF_FLAG" | ||
export GZCTF_FLAG=no_FLAG | ||
GZCTF_FLAG=no_FLAG | ||
else | ||
INSERT_FLAG="flag{TEST_Dynamic_FLAG}" | ||
fi | ||
|
||
# 将FLAG写入文件 请根据需要修改 | ||
echo $INSERT_FLAG | tee /home/$user/flag | ||
|
||
# 赋予程序运行权限 | ||
chmod 711 /home/ctf/attachment | ||
|
||
/etc/init.d/xinetd start; | ||
sleep infinity; |
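Review bot: `echo $INSERT_FLAG | tee /home/$user/flag` prints the flag to the container's stdout as well as the file, so it ends up in the container logs after the script has gone to the trouble of overwriting the environment variables, and the unquoted expansion is subject to word splitting and globbing. Suggest `printf '%s\n' "$INSERT_FLAG" > "/home/$user/flag"`. Also, `user=$(ls /home)` yields more than one word if `/home` ever holds a second directory, and the next step hard-codes `/home/ctf/attachment` anyway; use one fixed path or `$user` consistently. Only the first non-empty variable among `DASFLAG`, `FLAG` and `GZCTF_FLAG` is overwritten with `no_FLAG`; if more than one is set, the others stay in the environment that xinetd inherits.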
Binary file not shown.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# Workflow 相关文件 | ||
|
||
此文件夹内的文件用于为 Github Action 自动化流提供支持,请勿随意修改 |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
以下压缩包基于 Github Action 进行自动化打包,**不保证与源码之间的完整正确(已尽力保证)** | ||
|
||
可以尝试以下镜像/加速服务 | ||
|
||
- https://github.ur1.fun/ | ||
- https://github.zhlh6.cn/ |
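Review bot: the first line states that the archives are not guaranteed to match the source, and the list then points readers at third-party mirror services, yet nothing here lets a reader verify what they downloaded. Suggest having the packaging workflow publish a SHA-256 checksum per archive and documenting the check in this text, so a download through either mirror can be compared against the value on the release page.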
This file was deleted.