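├── src
    ├── getcap
    ├── setcap
    ├── sudoers
    └── sshd_config
├── docker
    └── docker-compose.yml
├── Dockerfile
├── service
    └── docker-entrypoint.sh
└── .github
    └── workflows
        └── docker-image.yml

/src/getcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CTF-Archives/2023-NISA2023-capabilities/master/src/getcap

--------------------------------------------------------------------------------
/src/setcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CTF-Archives/2023-NISA2023-capabilities/master/src/setcap

--------------------------------------------------------------------------------
/docker/docker-compose.yml:
--------------------------------------------------------------------------------
# Local test deployment of the challenge container.
version: '3'
services:
  test:
    # image: test
    build: ../
    environment:
      # Sample flag committed with the repo. The entrypoint writes it to a file
      # and then overwrites the variable; a real deployment should inject its
      # own value at run time rather than ship one in version control.
      GZCTF_FLAG: "flag{a63b4d37-7681-4850-b6a7-0d7109febb19}"
    ports:
      # Publishes the container's sshd on host port 9999 on every host
      # interface. For local-only testing, 127.0.0.1:9999:22 limits exposure.
      - 9999:22
    restart: unless-stopped

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Challenge image: Ubuntu with sshd, a low-privilege `ctf` account and the
# files under src/ copied over the stock configuration.
FROM ubuntu:22.04

# Switch apt to a mirror. The mirror is reached over plain http; apt still
# verifies the signed repository metadata, so this affects confidentiality and
# availability of the download rather than package integrity.
RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && \
    sed -i "s/http:\/\/security.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list

RUN apt-get update && \
    apt-get -y install sudo openssh-server vim

# Fixed, guessable credentials (ctf:ctf) are the intended way into the
# challenge; never reuse this pattern on a reachable production host.
# The original also ran a bare `echo "ctf:ctf"` first, which only printed the
# credentials into the build log; it is dropped here.
RUN useradd -m ctf && \
    echo "ctf:ctf" | chpasswd

# Host keys are generated at build time, so every container started from the
# same image shares them. The `ssh start` here happens in a build layer; the
# entrypoint starts sshd again at run time.
RUN ssh-keygen -A && \
    /etc/init.d/ssh start && \
    chsh -s /bin/bash ctf

COPY ./src/sudoers /etc/sudoers
COPY ./service/docker-entrypoint.sh /
COPY ./src/sshd_config /etc/ssh/sshd_config

# getcap/setcap are copied in as files from the repository instead of being
# installed from a package (libcap2-bin on Ubuntu). Their contents are not
# shown in this listing, so their provenance cannot be checked from here.
COPY ./src/getcap /usr/bin
COPY ./src/setcap /usr/bin

# The script is run with bash explicitly, so its `#!/bin/sh` line is not used.
ENTRYPOINT ["/bin/bash","/docker-entrypoint.sh"]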
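--------------------------------------------------------------------------------
/service/docker-entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Container entrypoint: writes the flag file, sets up the deliberately weak
# file capability that the challenge is about, then starts sshd.
# The Dockerfile on this page runs it as `/bin/bash /docker-entrypoint.sh`.

# Name of the home directory. The Dockerfile creates only `ctf`; if /home held
# more than one entry this would expand to several names.
user=$(ls /home)
flag_file="/home/$user/flag"

# Take the flag from the first of DASFLAG, FLAG, GZCTF_FLAG that is non-empty,
# write it to the flag file, then overwrite the variable so that processes
# started later (sshd and the login shells it spawns) do not inherit it.
#
# The original used `export $NAME=no_FLAG`, which expands the flag *value* and
# tries to export that as a variable name; the name itself must be given.
# Overwriting only affects this shell and its children: the value the
# container was created with is still visible to anyone who can run
# `docker inspect` on the host.
if [ -n "$DASFLAG" ]; then
    printf '%s\n' "$DASFLAG" > "$flag_file"
    export DASFLAG=no_FLAG
elif [ -n "$FLAG" ]; then
    printf '%s\n' "$FLAG" > "$flag_file"
    export FLAG=no_FLAG
elif [ -n "$GZCTF_FLAG" ]; then
    printf '%s\n' "$GZCTF_FLAG" > "$flag_file"
    export GZCTF_FLAG=no_FLAG
else
    # No flag supplied: fall back to a placeholder (this branch alone also
    # writes /flag, as in the original).
    echo 'flag{TEST_DASFLAG}' | tee "$flag_file" /flag
fi

# The file is created by this script (root), and mode 720 gives "other" no
# access, so the ctf user cannot read it directly.
# NOTE(review): 720 is rwx for the owner and write-only for the group, which
# is unusual for a data file; 400 or 600 was presumably meant. Left unchanged.
chmod 720 "$flag_file"

# NOTE(review): this makes every file in /usr/bin world-writable, so any local
# user can replace binaries that root later runs. A numeric mode also clears
# the setuid/setgid bits, so setuid programs in /usr/bin (sudo, su, passwd)
# stop working for non-root users. If the goal is only to make the copied
# getcap/setcap executable, `chmod 755` on those two files is sufficient.
chmod 777 /usr/bin/*

# The intended weakness: a private copy of vim that carries CAP_SETUID in its
# permitted and effective sets. A program with that capability may change its
# UID to any value, so on a real system this is equivalent to handing root to
# whoever can execute the file. Defenders can audit for such grants with
# `getcap -r / 2>/dev/null` and should treat capabilities on interpreters and
# editors like setuid-root bits.
cp /usr/bin/vim /home/ctf/vim
setcap 'CAP_SETUID+ep' /home/ctf/vim

/etc/init.d/ssh start
# Remove the script so players cannot read the setup steps from it.
rm -f /docker-entrypoint.sh
# Keep PID 1 alive; sshd runs in the background.
tail -f /dev/null

--------------------------------------------------------------------------------
/src/sudoers:
--------------------------------------------------------------------------------
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults use_pty

# This preserves proxy settings from user environments of root
# equivalent users (group sudo)
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"

# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"

# Completely harmless preservation of a user preference.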
#Defaults:%sudo env_keep += "GREP_COLOR"

# While you shouldn't normally run git as root, you need to with etckeeper
#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"

# Per-user preferences; root won't have sensible values for them.
#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"

# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"

# Ditto for GPG agent
#Defaults:%sudo env_keep += "GPG_AGENT_INFO"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL
# NOTE(review): the ctf entry below has a host and a run-as spec but no command
# list, so it is not a complete sudoers rule. Run `visudo -c -f` on this file
# before shipping it and confirm what access, if any, was meant for ctf.
ctf ALL=(ALL)

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

--------------------------------------------------------------------------------
/.github/workflows/docker-image.yml:
--------------------------------------------------------------------------------
# Builds the challenge image on every push to master and publishes it to
# Docker Hub and to GitHub Container Registry.
name: Publish Docker image

on:
  push:
    branches: [ "master" ]

env:
  REGISTRY_GITHUB: ghcr.io
  REGISTRY_DOCKERHUB: randark
  IMAGE_NAME_GITHUB: ${{ github.repository }}

jobs:
  push_to_registries:
    name: Push Docker image to multiple registries
    runs-on: ubuntu-latest
    # GITHUB_TOKEN is limited to reading the repo and writing packages.
    permissions:
      contents: read
      packages: write

    steps:

      # NOTE(review): this step, "Get repository name" and "Docker Hub
      # Description" reference actions by tag, while the docker/* steps are
      # pinned to a full commit SHA. A tag can be moved by the action's owner,
      # so the tagged steps run whatever the tag points to at run time; pin
      # them to a commit SHA as well.
      - name: Check out the repo
        uses: actions/checkout@v3

      - name: Log in to Docker Hub
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # The workflow is triggered only by `push`, so this condition is always
      # true here; the Docker Hub login above has no equivalent guard.
      - name: Log into registry ${{ env.REGISTRY_GITHUB }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
        with:
          registry: ${{ env.REGISTRY_GITHUB }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Get repository name
        id: repo-name
        uses: MariachiBear/get-repo-name-action@v1.1.0
        with:
          string-case: lowercase

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: |
            ${{ env.REGISTRY_DOCKERHUB }}/${{ steps.repo-name.outputs.repository-name }}
            ${{ env.REGISTRY_GITHUB }}/${{ env.IMAGE_NAME_GITHUB }}

      - name: Build and push Docker images
        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      # This tag-referenced third-party action is handed the Docker Hub
      # credentials directly, which makes SHA pinning matter most here.
      - name: Docker Hub Description
        uses: peter-evans/dockerhub-description@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
          repository: ${{ env.REGISTRY_DOCKERHUB }}/${{ steps.repo-name.outputs.repository-name }}

--------------------------------------------------------------------------------
/src/sshd_config:
--------------------------------------------------------------------------------

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# NOTE(review): sshd keeps the first value it reads for each keyword, and this
# Include precedes every setting below, so a drop-in under sshd_config.d takes
# precedence over this file. Whether the image contains any drop-ins is not
# visible from this listing.
Include /etc/ssh/sshd_config.d/*.conf

# Port and ListenAddress options are not used when sshd is socket-activated,
# which is now the default in Ubuntu.  See sshd_config(5) and
# /usr/share/doc/openssh-server/README.Debian.gz for details.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# NOTE(review): left commented, so the default shown (yes) applies. Together
# with the fixed ctf:ctf account created in the Dockerfile, password logins are
# open to anyone who can reach the published port. That is the intended entry
# point of the challenge; outside a lab, set this to `no` and use keys.
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
# NOTE(review): X11 forwarding is enabled, yet the Dockerfile installs only
# sudo, openssh-server and vim; `X11Forwarding no` would remove a feature the
# image has no use for. TCP and agent forwarding are also left at the defaults
# shown above.
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

--------------------------------------------------------------------------------