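├── src
│   └── attachment
├── docker
│   └── docker-compose.yml
├── README.md
├── service
│   └── docker-entrypoint.sh
├── config
│   └── ctf.xinetd
├── Dockerfile
└── .github
    └── workflows
        └── docker-image.yml

/src/attachment:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CTF-Archives/2023-fjdxssjan-pwn-fuduji/main/src/attachment

--------------------------------------------------------------------------------
/docker/docker-compose.yml:
--------------------------------------------------------------------------------
# Local test deployment of the challenge image built from the repository root.
version: '3'
services:
  test:
    build: ../
    environment:
      # Flag for testing only. Real deployments inject the flag through the
      # platform's environment variable (see README), so this value must never
      # be reused as a live flag.
      FLAG: "flag{a63b4d37-7681-4850-b6a7-0d7109febb19}"
    ports:
      # Publishes the challenge port on every host interface. For local testing
      # only, a loopback mapping such as 127.0.0.1:9999:9999 keeps the service
      # off the network.
      - 9999:9999
    restart: unless-stopped

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# pwn-ubuntu_20.04

赛事数据:[2023-fjsdxssjan/Pwn-调皮的复读姬/](https://github.com/CTF-Archives/2023-fjsdxssjan/tree/main/Pwn-%E8%B0%83%E7%9A%AE%E7%9A%84%E5%A4%8D%E8%AF%BB%E5%A7%AC)

> 复读姬是一种调皮的生物,你愿意和她玩游戏吗

本项目使用动态flag,请使用$FLAG环境变量传入flag数据(如CTFd),题目环境位于9999端口

docker镜像发布于DockerHub:randark/2023-fjdxssjan-pwn-fuduji:main
--------------------------------------------------------------------------------
/service/docker-entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Container entrypoint: takes the dynamic flag from the environment, writes it
# into the chroot, then starts xinetd and keeps the container alive.

# Get the user.
# NOTE(review): assumes /home holds exactly one entry (the Dockerfile creates
# only "ctf"); with more than one entry the flag path below would be wrong.
user=$(ls /home)

# Check the environment variables for the flag and assign to INSERT_FLAG.
# The variable that supplied the flag is overwritten with a dummy value so that
# anything started later by this script does not inherit the real flag through
# it. Only the matching variable is masked; the other two keep whatever value
# they had.
if [ "$DASFLAG" ]; then
    INSERT_FLAG="$DASFLAG"
    export DASFLAG=no_FLAG
    DASFLAG=no_FLAG
elif [ "$FLAG" ]; then
    INSERT_FLAG="$FLAG"
    export FLAG=no_FLAG
    FLAG=no_FLAG
elif [ "$GZCTF_FLAG" ]; then
    INSERT_FLAG="$GZCTF_FLAG"
    export GZCTF_FLAG=no_FLAG
    GZCTF_FLAG=no_FLAG
else
    # No platform variable set: fall back to a placeholder test flag.
    INSERT_FLAG="flag{TEST_Dynamic_FLAG}"
fi

# Write the flag into the chroot; adjust the path as needed.
# A plain redirect replaces the former `echo ... | tee`, which also copied the
# flag to stdout and therefore into the container log. The value and path are
# quoted so the flag is written verbatim (no word splitting or globbing), and
# printf avoids echo's handling of leading dashes and backslashes.
printf '%s\n' "$INSERT_FLAG" > "/home/$user/flag"
# The flag is no longer needed in this shell once it is on disk.
unset INSERT_FLAG

# Make the challenge binary executable. Mode 711 gives the root owner rwx and
# everyone else execute-only, so the service user can run the binary but not
# read it.
chmod 711 /home/ctf/attachment

/etc/init.d/xinetd start;
sleep infinity;

--------------------------------------------------------------------------------
/config/ctf.xinetd:
--------------------------------------------------------------------------------
service ctf
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    # xinetd launches chroot as root because chroot(2) needs root; the
    # --userspec argument below switches to 1000:1000 before the challenge
    # binary runs.
    user        = root
    type        = UNLISTED
    port        = 9999
    bind        = 0.0.0.0
    # Program xinetd starts for each incoming connection
    server      = /usr/sbin/chroot
    # chroot arguments: unprivileged uid:gid, new root, program to run inside it
    server_args = --userspec=1000:1000 /home/ctf ./attachment
    banner_fail = /etc/banner_fail
    # safety options
    per_source  = 10 # the maximum instances of this service per source IP address
    rlimit_cpu  = 20 # the maximum number of CPU seconds that the service may use
    # NOTE(review): the address-space limit is disabled, so CPU time and the
    # per-source cap are the only resource limits set in this file.
    #rlimit_as  = 1024M # the Address Space resource limit for the service
    #access_times = 2:00-9:00 12:00-24:00
}

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# NOTE(review): the base image is referenced by tag only; pin it by digest if
# reproducible builds are required.
FROM ubuntu:20.04

# Template author information
LABEL auther_template="CTF-Archives"

# Switch apt to a mirror and install the dependencies.
# The sed expressions only replace the host name, so the URL scheme already in
# sources.list is kept.
RUN sed -i 's@//.*archive.ubuntu.com@//mirrors.ustc.edu.cn@g' /etc/apt/sources.list && \
    sed -i 's@//.*security.ubuntu.com@//mirrors.ustc.edu.cn@g' /etc/apt/sources.list
RUN apt-get update && apt-get -y dist-upgrade && \
    apt-get install -y lib32z1 xinetd

# Create the service user; its home directory becomes the chroot root.
# NOTE(review): config/ctf.xinetd hard-codes --userspec=1000:1000, which assumes
# useradd assigns uid/gid 1000 to ctf here - confirm.
RUN useradd -m ctf
WORKDIR /home/ctf

# Copy the system libraries into the chroot so the binary can load them
RUN cp -R /usr/lib* /home/ctf

# Create the device nodes the chroot needs
RUN mkdir /home/ctf/dev && \
    mknod /home/ctf/dev/null c 1 3 && \
    mknod /home/ctf/dev/zero c 1 5 && \
    mknod /home/ctf/dev/random c 1 8 && \
    mknod /home/ctf/dev/urandom c 1 9 && \
    chmod 666 /home/ctf/dev/*

# Programs available inside the chroot once xinetd has started the service.
# Anything copied here is usable by whoever obtains code execution in the
# service, so keep the list minimal.
RUN mkdir /home/ctf/bin && \
    cp /bin/sh /home/ctf/bin && \
    cp /bin/ls /home/ctf/bin && \
    cp /bin/cat /home/ctf/bin && \
    cp /usr/bin/timeout /home/ctf/bin

# Install the xinetd service definition
COPY ./config/ctf.xinetd /etc/xinetd.d/ctf
RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail

# Copy the container start-up script
COPY ./service/docker-entrypoint.sh /
RUN chmod +x /docker-entrypoint.sh

# Deploy the challenge binary
COPY ./src/attachment /home/ctf/attachment

# Set ownership and modes, then create the flag file.
# The recursive chmod also hits the device nodes created above and would leave
# them at 750 (no write bit for the service user), so their 666 mode is restored
# afterwards.
# The flag is created after the recursive chown, so it is root:root with mode
# 744 and the service user reads it through the "other" bits; the 750 directory
# is what limits access to root and group ctf.
RUN chown -R root:ctf /home/ctf && \
    chmod -R 750 /home/ctf && \
    chmod 666 /home/ctf/dev/* && \
    touch /home/ctf/flag && \
    chmod 744 /home/ctf/flag

# [Optional] Declare the exposed port. On platforms such as GZCTF a forced
# EXPOSE may expose the port unintentionally; enable only if needed.
# EXPOSE 9999

# Container entrypoint
ENTRYPOINT ["/bin/bash","/docker-entrypoint.sh"]

--------------------------------------------------------------------------------
/.github/workflows/docker-image.yml:
--------------------------------------------------------------------------------
name: Publish Docker image

on:
  push:
    branches: [ "master","main" ]

env:
  REGISTRY_GITHUB: ghcr.io
  REGISTRY_DOCKERHUB: randark
  IMAGE_NAME_GITHUB: ${{ github.repository }}

jobs:
  push_to_registries:
    name: Push Docker image to multiple registries
    runs-on: ubuntu-latest
    # Token scope is limited to reading the repo and writing packages (GHCR push).
    permissions:
      contents: read
      packages: write

    steps:

      # NOTE(review): referenced by a mutable tag, unlike the docker/* steps
      # below that are pinned to a full commit SHA.
      - name: Check out the repo
        uses: actions/checkout@v3

      - name: Log in to Docker Hub
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Log into registry ${{ env.REGISTRY_GITHUB }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
        with:
          registry: ${{ env.REGISTRY_GITHUB }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # NOTE(review): third-party action referenced by tag; it runs in a job
      # that has already logged in to both registries, so pinning it to a full
      # commit SHA would match the docker/* steps.
      - name: Get repository name
        id: repo-name
        uses: MariachiBear/get-repo-name-action@v1.1.0
        with:
          string-case: lowercase

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: |
            ${{ env.REGISTRY_DOCKERHUB }}/${{ steps.repo-name.outputs.repository-name }}
            ${{ env.REGISTRY_GITHUB }}/${{ env.IMAGE_NAME_GITHUB }}

      - name: Build and push Docker images
        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      # NOTE(review): this tag-referenced third-party action is handed the
      # Docker Hub credentials directly; pin it to a full commit SHA so a moved
      # tag cannot change the code that receives them.
      - name: Docker Hub Description
        uses: peter-evans/dockerhub-description@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
          repository: ${{ env.REGISTRY_DOCKERHUB }}/${{ steps.repo-name.outputs.repository-name }}
--------------------------------------------------------------------------------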