From 5481d075f92d87789a2ac824f68acb6b31bef786 Mon Sep 17 00:00:00 2001 From: Randark_JMT Date: Wed, 30 Aug 2023 11:05:45 +0000 Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0pwn-ubuntu=5F22.04=EF=BC=8C?= =?UTF-8?q?=E5=B9=B6=E6=9B=B4=E6=96=B0=E9=A1=B9=E7=9B=AE=E8=AF=B4=E6=98=8E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/release.yml | 6 +- README.md | 18 +++--- pwn-ubuntu_22.04/Dockerfile | 55 ++++++++++++++++++ pwn-ubuntu_22.04/README.md | 32 ++++++++++ pwn-ubuntu_22.04/config/ctf.xinetd | 21 +++++++ pwn-ubuntu_22.04/docker/docker-compose.yml | 11 ++++ pwn-ubuntu_22.04/service/docker-entrypoint.sh | 30 ++++++++++ pwn-ubuntu_22.04/src/attachment | Bin 0 -> 8608 bytes source-workflow/README.md | 3 + source-workflow/body.md | 6 ++ .../deploy.py | 1 + workflow-action/body.md | 1 - 12 files changed, 173 insertions(+), 11 deletions(-) create mode 100644 pwn-ubuntu_22.04/Dockerfile create mode 100644 pwn-ubuntu_22.04/README.md create mode 100644 pwn-ubuntu_22.04/config/ctf.xinetd create mode 100644 pwn-ubuntu_22.04/docker/docker-compose.yml create mode 100644 pwn-ubuntu_22.04/service/docker-entrypoint.sh create mode 100644 pwn-ubuntu_22.04/src/attachment create mode 100644 source-workflow/README.md create mode 100644 source-workflow/body.md rename {workflow-action => source-workflow}/deploy.py (94%) delete mode 100644 workflow-action/body.md diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 14ae156..7108203 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,11 +20,11 @@ jobs: python-version: "3.10" - name: Package - run: python3 ./workflow-action/deploy.py + run: python3 ./source-workflow/deploy.py - name: Release uses: ncipollo/release-action@v1 with: - tag: newest + tag: 已打包模板下载 artifacts: "release/*" - bodyFile: "./workflow-action/body.md" \ No newline at end of file + bodyFile: "./source-workflow/body.md" \ No newline at end of file 
diff --git a/README.md b/README.md index 23eef82..5e23afe 100644 --- a/README.md +++ b/README.md @@ -9,9 +9,9 @@ 三种动态flag部署方式,支持GZCTF、CTFd、安恒DASCTF等支持Docker动态部署题目靶机的平台 -**有问题请开issue,好用请点star** +**有问题请开issue,好用请点star,有问题的话欢迎通过 [CTF-Archives售后快速服务群](http://qm.qq.com/cgi-bin/qm/qr?_wv=1027&k=KFamhBpmURTZpndhc0MI7_1l3a6Xezrf&authKey=Yenwm7%2B%2F%2FT%2BtSXCSyr%2B7fYS47Ot0MwFqesH4HOLT8ZADE2e9XO6AS96HQvjxh%2B%2BG&noverify=0&group_code=894957229) 联系维护人员寻求帮助** -## 请注意,此仓库内的模板仅在Linux环境(linux/amd64)下进行测试并保证可用性,如果为windows(windows/amd64)或者macos(linux/arm)等其他架构,不保证不会出问题😔 +## 请注意,此仓库内的模板仅在Linux环境(linux/amd64)下进行测试并保证可用性,如果为windows(windows/amd64)或者macos(linux/arm)等其他架构,不保证可用性😔 ## 关于每个模板内的文件内容 @@ -69,12 +69,16 @@ sed -i ""s/\r//"" docker-entrypoint.sh 请注意,`sed`指令在`unix(macos)`下的预期执行效果与`linux`下的预期执行效果不同 -## 如有其他问题 +## A little advertisement -欢迎直接提issue,一般于三个工作日内就能有回复,也请遇到问题的时候能提供当前的整体题目文件,以及具体的报错/信息 +某 [Randark-JMT](https://github.com/Randark-JMT) 可以无偿为CTF平台搭建、题目打包提供一定帮助,欢迎联系😘 -也欢迎通过 [CTF-Archives售后快速服务群](http://qm.qq.com/cgi-bin/qm/qr?_wv=1027&k=KFamhBpmURTZpndhc0MI7_1l3a6Xezrf&authKey=Yenwm7%2B%2F%2FT%2BtSXCSyr%2B7fYS47Ot0MwFqesH4HOLT8ZADE2e9XO6AS96HQvjxh%2B%2BG&noverify=0&group_code=894957229) 或者 [CTF快速入门手册 - QQ群聊](http://qm.qq.com/cgi-bin/qm/qr?_wv=1027&k=wJ35e-T-qSlU7Y3Cs-PAasrAvZfRSc9k&authKey=WNEQbZUpolxgfKjUHHoUIoTBvSnvk2jZtcyWlhaDcUZ6ZYGgvywqi1ah5D7UwUrg&noverify=0&group_code=590430891) 联系维护人员寻求帮助 +## 参考与鸣谢 -## A little advertisement +[https://github.com/CTFTraining](https://github.com/CTFTraining) -某 [Randark-JMT](https://github.com/Randark-JMT) 可以无偿为CTF平台搭建、题目打包提供一定帮助,欢迎联系😘 +感谢**glzjin-赵总**和**mozhu1024-陌竹**师傅们的项目,根据上述仓库,此项目才有了雏形,感谢他们为CTF事业做出的巨大贡献 + +[qsnctf / qsnctf_base_docker_images 青少年CTF基础Docker镜像](https://github.com/qsnctf/qsnctf_base_docker_images) + +感谢**末心**师傅对相关模板作出的建议与努力 diff --git a/pwn-ubuntu_22.04/Dockerfile b/pwn-ubuntu_22.04/Dockerfile new file mode 100644 index 0000000..60505f2 --- /dev/null +++ b/pwn-ubuntu_22.04/Dockerfile 
@@ -0,0 +1,55 @@
+FROM ubuntu:22.04
+
+# 制作者信息
+LABEL auther_template="CTF-Archives"
+
+# apt更换镜像源,并安装相关依赖
+RUN sed -i 's@//.*archive.ubuntu.com@//mirrors.ustc.edu.cn@g' /etc/apt/sources.list && \
+ sed -i 's@//.*security.ubuntu.com@//mirrors.ustc.edu.cn@g' /etc/apt/sources.list
+RUN apt-get update && apt-get -y dist-upgrade && \
+ apt-get install -y lib32z1 xinetd
+
+# 新建用户,并进行账户改变
+RUN useradd -m ctf
+WORKDIR /home/ctf
+
+# 复制相关lib,并处理环境
+RUN cp -R /usr/lib* /home/ctf
+
+# 配置特殊管道映射
+RUN mkdir /home/ctf/dev && \
+ mknod /home/ctf/dev/null c 1 3 && \
+ mknod /home/ctf/dev/zero c 1 5 && \
+ mknod /home/ctf/dev/random c 1 8 && \
+ mknod /home/ctf/dev/urandom c 1 9 && \
+ chmod 666 /home/ctf/dev/*
+
+# 设置xinetd启动之后,chroot限制能使用的bin程序
+RUN mkdir /home/ctf/bin && \
+ cp /bin/sh /home/ctf/bin && \
+ cp /bin/ls /home/ctf/bin && \
+ cp /bin/cat /home/ctf/bin && \
+ cp /usr/bin/timeout /home/ctf/bin
+
+# 部署xinetd服务
+COPY ./config/ctf.xinetd /etc/xinetd.d/ctf
+RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail
+
+# 复制容器启动脚本
+COPY ./service/docker-entrypoint.sh /
+RUN chmod +x /docker-entrypoint.sh
+
+# 部署程序
+COPY ./src/attachment /home/ctf/attachment
+
+# 初始化flag
+RUN chown -R root:ctf /home/ctf && \
+ chmod -R 750 /home/ctf && \
+ touch /home/ctf/flag && \
+ chmod 744 /home/ctf/flag
+
+# [可选]指定对外暴露端口,对于GZCTF等平台,强制EXPOSE可能会造成非预期端口泄露,请酌情启用
+# EXPOSE 9999
+
+# 指定容器入口点
+ENTRYPOINT ["/bin/bash","/docker-entrypoint.sh"]
diff --git a/pwn-ubuntu_22.04/README.md b/pwn-ubuntu_22.04/README.md
new file mode 100644
index 0000000..8f3249a
--- /dev/null
+++ b/pwn-ubuntu_22.04/README.md
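Review bot: In pwn-ubuntu_22.04/Dockerfile the last `RUN chown -R root:ctf /home/ctf && chmod -R 750 /home/ctf` also walks `/home/ctf/dev`, so the earlier `chmod 666 /home/ctf/dev/*` is overwritten and the device nodes end up mode 750 root:ctf. Assuming uid/gid 1000 is the `ctf` account, the chrooted program can then read but not write `/home/ctf/dev/null`. Re-apply the device mode after the recursive pass by ending that RUN with `chmod 644 /home/ctf/flag && chmod 666 /home/ctf/dev/*` (644 rather than 744, since the flag does not need the execute bit). Separately, `apt-get -y dist-upgrade` on a base pinned only by tag means the libraries copied by `cp -R /usr/lib* /home/ctf` can differ from build to build; for a challenge whose README advertises GLIBC 2.35, pinning `ubuntu:22.04` by digest and dropping the upgrade keeps the served libc reproducible.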
@@ -0,0 +1,32 @@
+# pwn-ubuntu_22.04
+
+## 环境说明
+
+提供 `Ubuntu 22.04 GLIBC 2.35` 的基础环境,并已经添加 `lib32z1` + `xinetd` 软件包,并基于 `xinetd` 实现服务转发,默认暴露端口位于9999
+
+实现:当选手连接到对应端口(默认为9999端口,默认选手使用 `netcat` )的时候,运行 `程序文件`,并将会话转发至选手的连接
+
+镜像做到:
+- 选手通过端口连接到容器/靶机
+- xinted服务检测到连接,启动一个 `chroot` 会话
+- `chroot` 通过参数 `--userspec=1000:1000 /home/ctf` 限制了程序运行时的账户权限,并更改了程序运行时的root根目录环境位置为 `/home/ctf` ,然后在限制环境中启动程序
+- `xinted` 将程序会话转发给选手的连接
+
+## 如何使用
+
+将程序文件放入 `./src` 目录即可,文件名请修改为 `attachment` 作为文件名,便于镜像定位程序位置
+
+如果需要更改为自己的文件名,需要在 `./config/ctf.xinetd`、`./Dockerfile` 和 `./service/docker-entrypoint.sh` 中进行修改
+
+程序放置进 `./src` 目录之后,执行
+```shell
+docker build .
+```
+即可开始编译镜像
+
+也可以在安放好程序文件之后,直接使用 `./docker/docker-compose.yml` 内的 `docker-compose` 文件实现一键启动测试容器
+
+```shell
+cd ./docker
+docker-compose up -d
+```
\ No newline at end of file
diff --git a/pwn-ubuntu_22.04/config/ctf.xinetd b/pwn-ubuntu_22.04/config/ctf.xinetd
new file mode 100644
index 0000000..6044ae7
--- /dev/null
+++ b/pwn-ubuntu_22.04/config/ctf.xinetd
@@ -0,0 +1,21 @@
+service ctf
+{
+ disable = no
+ socket_type = stream
+ protocol = tcp
+ wait = no
+ user = root
+ type = UNLISTED
+ port = 9999
+ bind = 0.0.0.0
+ # 设置xinetd连接启动后的服务程序
+ server = /usr/sbin/chroot
+ # 设置chroot的相关参数
+ server_args = --userspec=1000:1000 /home/ctf ./attachment
+ banner_fail = /etc/banner_fail
+ # safety options
+ per_source = 10 # the maximum instances of this service per source IP address
+ rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use
+ #rlimit_as = 1024M # the Address Space resource limit for the service
+ #access_times = 2:00-9:00 12:00-24:00
+}
diff --git a/pwn-ubuntu_22.04/docker/docker-compose.yml b/pwn-ubuntu_22.04/docker/docker-compose.yml
new file mode 100644
index 0000000..a19ef47
--- /dev/null
+++ b/pwn-ubuntu_22.04/docker/docker-compose.yml
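Review bot: The "safety options" block in config/ctf.xinetd does not bound idle or total sessions: `rlimit_cpu = 20` only counts CPU seconds, so a connection blocked on input never expires, `rlimit_as` is commented out, and there is no `instances` cap beside `per_source = 10`. The Dockerfile already copies `timeout` into the chroot but nothing calls it; a wall-clock limit such as `server_args = --userspec=1000:1000 /home/ctf /bin/timeout 120 ./attachment` (120 is an illustrative value) plus an `instances` line would keep a few clients from tying up the container. Separately, `--userspec=1000:1000` depends on `useradd -m ctf` happening to receive id 1000; creating the account with `useradd -m -u 1000 ctf` would make that coupling explicit, since a base image that already has a user at 1000 would leave the service running outside group `ctf` and unable to enter the 750 tree.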
@@ -0,0 +1,11 @@
+version: '3'
+services:
+ test:
+ build: ../
+ environment:
+ # 仅为测试用flag
+ FLAG: "flag{a63b4d37-7681-4850-b6a7-0d7109febb19}"
+ ports:
+ # 设置了暴露端口
+ - 9999:9999
+ restart: unless-stopped
diff --git a/pwn-ubuntu_22.04/service/docker-entrypoint.sh b/pwn-ubuntu_22.04/service/docker-entrypoint.sh
new file mode 100644
index 0000000..4956089
--- /dev/null
+++ b/pwn-ubuntu_22.04/service/docker-entrypoint.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Get the user
+user=$(ls /home)
+
+# Check the environment variables for the flag and assign to INSERT_FLAG
+if [ "$DASFLAG" ]; then
+ INSERT_FLAG="$DASFLAG"
+ export DASFLAG=no_FLAG
+ DASFLAG=no_FLAG
+elif [ "$FLAG" ]; then
+ INSERT_FLAG="$FLAG"
+ export FLAG=no_FLAG
+ FLAG=no_FLAG
+elif [ "$GZCTF_FLAG" ]; then
+ INSERT_FLAG="$GZCTF_FLAG"
+ export GZCTF_FLAG=no_FLAG
+ GZCTF_FLAG=no_FLAG
+else
+ INSERT_FLAG="flag{TEST_Dynamic_FLAG}"
+fi
+
+# 将FLAG写入文件 请根据需要修改
+echo $INSERT_FLAG | tee /home/$user/flag
+
+# 赋予程序运行权限
+chmod 711 /home/ctf/attachment
+
+/etc/init.d/xinetd start;
+sleep infinity;
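Review bot: In service/docker-entrypoint.sh, `echo $INSERT_FLAG | tee /home/$user/flag` copies the live flag to the container's stdout as well as the file, so it lands in the container logs and in anything that collects them; the unquoted expansion would also alter a flag containing whitespace or glob characters. Writing it directly avoids both: `printf '%s\n' "$INSERT_FLAG" > /home/ctf/flag`. `user=$(ls /home)` only yields a usable path while `/home` has exactly one entry, and the `chmod 711 /home/ctf/attachment` line already hard-codes the directory, so using `/home/ctf` in both places is more consistent. Only the first matching variable is overwritten with `no_FLAG`; if a platform sets more than one of `DASFLAG`, `FLAG` and `GZCTF_FLAG`, the remaining ones keep their value in the environment passed on to xinetd.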
diff --git a/pwn-ubuntu_22.04/src/attachment b/pwn-ubuntu_22.04/src/attachment new file mode 100644 index 0000000000000000000000000000000000000000..f72c77f832074df58ae3327db613ebc6563d8bad GIT binary patch literal 8608 zcmeHNYit}>6+XM`R}yEvNt4uhhzyW4n+i|Xsbd@>npwXxjy8`v>$V7-@p^Y`FYF`i z&Kf(aAjN4^3(`iw5C17b0)!A1Qhs6e2TAHEDF`IDQUR$5rG=oRPgg0C5o(rm?%cCG zJG(&@5)warotbmbch7h3xsRE>_fEdm7wPwUJiy5dj{<3-I!!?K9pJ`hp-QX^R)GfF zVH-3cQjeD=N=Vu{mdnyL%O+{(Ls^Gcm)8cmyqd_c+-AdAgPk}+l2l(gX)2o7b?mTkzpB>afGB~9;w6&N?uU%ST4%ISaSQQZFEJYzo=J3jdYC!^on~~ zk}ajOHoWl6S=rBq>0DmmKOu_u*i zOC>XfskW)E&bH1DHJ?@YiguHKvORQkNYuprsGvqMZ@`P@0F}QS{7d2K$v6Lb@vqq( zGr5cJFaGR>1H|PEv!6JvLCf_utO=`y??7CsVGr28I5npe^3!?COoL$%WaO<_&N9-m zWCoG(bT%Uq0}e$7x_gYh>RxppIrQQmwSoR{-VubUuqC;Q${w**SZ)~+IT}0a4^FLt z5s{_oOngp?1D8`v6zMbXHtFA~-`T8y{>){o{#Fmd`png)1!mf^xNkk06nAdGd&_nW zbEHpD;q4nmOgmSTPF3Ds6#8px6d1c;vjN)Q8<>6dq(1wWKJ&Mw_Z|H7l&`3Mh@jK{fV0PyL-jrrDe*! zOu79Hn48C(;0-Ta2tN^iJUm+r4~3(V^E-dpq+syp+en@mn7unN`+8*eO)*wiKK9)@ zghc(B_bjFT4Q_8__U*{*-Cp!i-0)|8X2GNHf2Z&^4dj=H!(Ryxhfju$g$w2Wxr5^? 
z{K=vAh*<|<#wW7Mt|!b?JexKZE35QG``f~~_(XEj%zt{9ERRkk^9ufpDVCYH6f-lK z%w;oaGh-=Z*_>04rG!Z`Gp=Masp(y?XEd4FlNS@mv(I9av8G zLA0kBz#r)Mw;pa;^Npr6aB$0khacJT8G^~C7q3o?XEy<1f8d4|e+%v_t!Df0Jm} zi%6e9KhEcqT&|>*9$4vtl^$5>ft4QkzwH5B+EBVtXG@{rjn|+on`OZ(KHF}s)UQfD zZx?xgwN;k${%DKTTXFeCiGH6carr;)6|M97;|wk@De-T$SVN%B>y1WH3h#C>4Z#Oq4)#_7z5vuM7ieFN~k zsU50>`F zPL7YBYWdt&;+r8@6W;=~eRL-u@LQ=|LeFCzd{`_ac8=b69(;?qz$|3nv6#-JhqWA8?K1IbmNtEa4Rw>u(JJwF?;0iGK3VH@J>vH$6Gf)c;q zKZm#?kjmRxfmhET9q|Bcu9`m&A-*1}pRZ#Auk=k?{66@%rGNLleI9Y8+70{=@pazK z5OU4uUl5Lw@^f7$xi2A3{XoYvl*HZ^d-rqn2Wd~| zK9t1X8s!^^D+IXG2Z&SrZa@FJkNs7|*F%l>WISi(t-{!t8pm_E!##sWWZ*>9Fd$*( z%<&|i*yRi>ZNyXAjG0G^MAjHjWk+KvBVlE8c_UVs0z4Wyl`<_ep?-ef{*Ky4##l0w zG-A12Y}&wMk=!(ljPK%Gq*)bIA-&iBq6vvX-fay9e5=*tpcjGX-_Dki@g>WCB#uCSrK9r6#5`=+Bl` z&MuiWbNOU8Q=u4GmNQc^BFNmSlm)72o{Cv@Jd3JjPT`&A6B=bjx2xuaoIw)_bi$fV zwWpHJ;QUwPXol6q(#bf+khRD?A~c37_9Lh`spQm;Qk^D1~k1H{e zxPFd@@v~S;{BGN!be{9N*R{CIt^DEVJ6S=t$QdoH^8yg%UYlN~O;yZ%cqKJO!@*w{q@(KBWM=mv$`Ml5J@5zgD z{AG8P;^BEP=c=E-7cNtyFuCJpo#h8;0OA_7ovOAa#J_HC0l@L3_eDSH(QO10h>#&ULc9_BM^