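├── src
│   ├── vuln
│   ├── ld-2.31.so
│   └── libc-2.31.so
├── service
│   ├── docker-entrypoint.sh
│   └── ctf.xinetd
├── docker
│   └── docker-compose.yml
├── README.md
├── .github
│   └── workflows
│       ├── docker-dockerhub.yml
│       └── docker-github.yml
└── Dockerfile

/src/vuln:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CTF-Archives/2023-hgame-week1-pwn-simple_shellcode/master/src/vuln
--------------------------------------------------------------------------------
/src/ld-2.31.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CTF-Archives/2023-hgame-week1-pwn-simple_shellcode/master/src/ld-2.31.so
--------------------------------------------------------------------------------
/src/libc-2.31.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CTF-Archives/2023-hgame-week1-pwn-simple_shellcode/master/src/libc-2.31.so
--------------------------------------------------------------------------------
/service/docker-entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Container entrypoint: write the flag from $FLAG into the chroot, scrub the
# real value from the environment, then start xinetd (which spawns ./vuln
# per connection, see service/ctf.xinetd).
#
# -e: a failing step (missing flag, xinetd not starting) stops the container
#     instead of serving a broken instance; the compose restart policy brings
#     it back up.
# -u: an unset $FLAG is an error up front rather than an empty flag file.
set -eu

# Quote the expansion so a flag containing spaces or glob characters is
# written verbatim. The file itself is created at build time (Dockerfile);
# only its contents are replaced here. Runs as root, so the file mode does
# not matter for the write; make it read-only for the challenge user anyway
# in case the image's build-time mode is looser than intended.
printf '%s\n' "$FLAG" > /home/ctf/flag
chown root:ctf /home/ctf/flag
chmod 440 /home/ctf/flag

# Scrub the real flag from the environment BEFORE xinetd starts: xinetd
# inherits this shell's environment and, by default, appears to hand it to
# the service it spawns, so shellcode that dumps ./vuln's environ would
# otherwise get the flag without reading the file.
#
# The original `export $FLAG=no_FLAG` expanded $FLAG first and became
# `export flag{...}=no_FLAG`: that is not a valid identifier, so the line
# failed (non-fatally) and, worse, bash's error message echoed the flag
# value into the container log. Only the bare `FLAG=no_FLAG` did anything,
# and whether the new value stayed exported depended on the shell keeping
# the export attribute. Assign and export explicitly instead.
FLAG=no_FLAG
export FLAG

/etc/init.d/xinetd start
sleep infinity
--------------------------------------------------------------------------------
/docker/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3'
services:
  test:
    image: test
    # build: ../
    environment:
      # Sample value only. docker-entrypoint.sh writes this variable to
      # /home/ctf/flag at container start. The value committed here is
      # public (it lives in this repository's history), so a real deployment
      # must override it with a per-instance flag, e.g. from the platform
      # (CTFd) or via compose environment injection.
      FLAG: "flag{a63b4d37-7681-4850-b6a7-0d7109febb19}"
    ports:
      - 9999:9999
    restart: unless-stopped
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# 2023 HGAME WEEK1 simple_shellcode

> 一次read不够多,为什么不再读一次呢?
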
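
本项目使用动态flag,请使用`$FLAG`环境变量传入flag数据(如`CTFd`),题目环境位于`9999`端口

docker镜像发布于DockerHub:`randark/2023-hgame-week1-pwn-simple_shellcode:master`

源码储存于Github:https://github.com/CTF-Archives/2023-hgame-week1-pwn-simple_shellcode
--------------------------------------------------------------------------------
/service/ctf.xinetd:
--------------------------------------------------------------------------------
service ctf
{
    disable = no
    socket_type = stream
    protocol = tcp
    wait = no
    # root is required so that /usr/sbin/chroot can enter /home/ctf; the
    # --userspec below drops to uid/gid 1000 (the `ctf` user created in the
    # Dockerfile) before ./vuln is executed inside the chroot.
    user = root
    type = UNLISTED
    port = 9999
    bind = 0.0.0.0
    server = /usr/sbin/chroot
    # the challenge binary, executed inside the /home/ctf chroot as 1000:1000
    server_args = --userspec=1000:1000 /home/ctf ./vuln
    banner_fail = /etc/banner_fail
    # safety options
    per_source = 10 # the maximum instances of this service per source IP address
    rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use
    #rlimit_as = 1024M # the Address Space resource limit for the service
    #access_times = 2:00-9:00 12:00-24:00
    # NOTE(review): with no `passenv`/`env` attribute xinetd appears to pass
    # its own environment through to the server, which is why
    # docker-entrypoint.sh scrubs $FLAG before starting xinetd. An explicit
    # empty `passenv = ` here would make that independent of the entrypoint;
    # confirm the syntax against xinetd.conf(5) for the installed version
    # before enabling it.
}

--------------------------------------------------------------------------------
/.github/workflows/docker-dockerhub.yml:
--------------------------------------------------------------------------------
name: Publish Docker image to Dockerhub

on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]

# The job only needs to read the repository; the registry push authenticates
# with the DOCKER_* secrets, not with the GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  push_to_registry:
    name: Push Docker image to Docker Hub
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v3

      # Login, push and description update are skipped on pull_request runs:
      # repository secrets are not available to PRs from forks (the login
      # would simply fail), and a PR must not be able to publish an image
      # under the project's Docker Hub name. The image is still built on PRs
      # as a check. This mirrors the `github.event_name != 'pull_request'`
      # gating used by docker-github.yml.
      - name: Log in to Docker Hub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: randark/2023-hgame-week1-pwn-simple_shellcode

      - name: Build and push Docker image
        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Docker Hub Description
        if: github.event_name != 'pull_request'
        uses: peter-evans/dockerhub-description@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
          repository: randark/2023-hgame-week1-pwn-simple_shellcode
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:20.04

# Maintainer information
LABEL auther_template="Randark_JMT"

# Point apt at a mirror, upgrade the base image and install dependencies.
# NOTE(review): the mirror swap only changes where packages are downloaded
# from; apt still verifies the Ubuntu release signatures, so a mirror cannot
# substitute modified packages without failing that check.
RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && \
    apt-get update && apt-get -y dist-upgrade && \
    apt-get update && apt-get install -y lib32z1 xinetd wget netcat curl lsof systemctl supervisor

# Create the unprivileged challenge user. The uid is pinned to 1000 because
# service/ctf.xinetd drops privileges with `--userspec=1000:1000`, and the
# chown/chmod further down grant access through the ctf group: if useradd
# ever picked a different uid/gid, the service could not read its own
# libraries or the flag.
RUN useradd -m -u 1000 ctf
WORKDIR /home/ctf

# Copy the system libraries (glibc etc.) into the chroot
RUN cp -R /usr/lib* /home/ctf

# Minimal /dev inside the chroot
RUN mkdir /home/ctf/dev && \
    mknod /home/ctf/dev/null c 1 3 && \
    mknod /home/ctf/dev/zero c 1 5 && \
    mknod /home/ctf/dev/random c 1 8 && \
    mknod /home/ctf/dev/urandom c 1 9 && \
    chmod 666 /home/ctf/dev/*

# A shell and two basic tools are the only executables inside the chroot
RUN mkdir /home/ctf/bin && \
    cp /bin/sh /home/ctf/bin && \
    cp /bin/ls /home/ctf/bin && \
    cp /bin/cat /home/ctf/bin

# Remove library directories the challenge does not need
RUN rm -rf /home/ctf/lib/apt /home/ctf/lib/cpp /home/ctf/lib/gnupg /home/ctf/lib/init /home/ctf/lib/lsb /home/ctf/lib/os-release /home/ctf/lib/rsyslog /home/ctf/lib/tc /home/ctf/lib/udev /home/ctf/lib/binfmt.d /home/ctf/lib/dpkg /home/ctf/lib/gold-ld /home/ctf/lib/initramfs-tools /home/ctf/lib/ldscripts /home/ctf/lib/mime /home/ctf/lib/python2.7 \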
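/home/ctf/lib/systemd /home/ctf/lib/terminfo /home/ctf/lib/compat-ld /home/ctf/lib/gcc /home/ctf/lib/ifupdown /home/ctf/lib/insserv /home/ctf/lib/locale /home/ctf/lib/modules-load.d /home/ctf/lib/python3 /home/ctf/lib/tar /home/ctf/lib/tmpfiles.d

# Install the xinetd service definition
COPY ./service/ctf.xinetd /etc/xinetd.d/ctf
RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail

# Container entrypoint (writes the flag and starts xinetd)
COPY ./service/docker-entrypoint.sh /
RUN chmod +x /docker-entrypoint.sh

# Deploy the challenge binary with its glibc, and create the flag file
COPY ./src/ /home/ctf/
RUN mv ./ld-2.31.so ./lib && \
    mv ./libc-2.31.so ./lib
# Everything under /home/ctf is root-owned and group-readable/executable by
# ctf, so the service (uid/gid 1000 after the chroot, see ctf.xinetd) can
# read and run things but not modify them. Two things the blanket
# `chmod -R 750` gets wrong are corrected right after it:
#  - the device nodes created 666 above are turned into 750 by the recursive
#    chmod, leaving /dev/null, /dev/zero, /dev/random and /dev/urandom
#    unwritable (and only group-readable) inside the chroot;
#  - the flag used to be created 777, i.e. world-writable: any player who got
#    code execution could overwrite or truncate it for everyone else on the
#    shared instance. 440 root:ctf is all the service needs to read it, and
#    the entrypoint writes it as root, so the tighter mode costs nothing.
RUN chown -R root:ctf /home/ctf && \
    chmod -R 750 /home/ctf && \
    chmod 666 /home/ctf/dev/* && \
    touch /home/ctf/flag && \
    chown root:ctf /home/ctf/flag && \
    chmod 440 /home/ctf/flag

EXPOSE 9999
ENTRYPOINT ["/bin/bash","/docker-entrypoint.sh"]


--------------------------------------------------------------------------------
/.github/workflows/docker-github.yml:
--------------------------------------------------------------------------------
name: Publish Docker image to Github

on:
  push:
    branches: [ "master" ]
    # Publish semver tags as releases.
    tags: [ 'v*.*.*' ]
  pull_request:
    branches: [ "master" ]

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}


jobs:
  build:

    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Install the cosign tool except on PR
      # https://github.com/sigstore/cosign-installer
      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
        with:
          cosign-release: 'v1.11.0'


      # Workaround: https://github.com/docker/build-push-action/issues/461
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      # NOTE(review): RANDARK_TOKEN is a long-lived personal token. The job
      # already requests `packages: write` for the GITHUB_TOKEN, which is
      # repo-scoped and expires with the run; prefer
      # `password: ${{ secrets.GITHUB_TOKEN }}` unless the ghcr package is
      # deliberately owned outside this repository.
      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.RANDARK_TOKEN }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Sign the pushed image digest except on PR. This is the step the
      # `id-token: write` permission, the cosign install and the
      # `build-and-push` step id above exist for; without it the workflow
      # asks for an OIDC token it never uses and nothing is signed.
      # Keyless signing (COSIGN_EXPERIMENTAL) writes to the public Rekor
      # transparency log, which is fine for this public image.
      # https://github.com/sigstore/cosign
      - name: Sign the published Docker image
        if: github.event_name != 'pull_request'
        env:
          COSIGN_EXPERIMENTAL: "true"
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # Sign by digest through the (lower-cased) tags emitted by
        # metadata-action rather than the raw IMAGE_NAME, which keeps the
        # repository's upper-case letters.
        run: echo "${TAGS}" | xargs -I {} cosign sign {}@${DIGEST}
--------------------------------------------------------------------------------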