├── src
    └── vuln
├── service
    ├── docker-entrypoint.sh
    └── ctf.xinetd
├── docker
    └── docker-compose.yml
├── README.md
├── Dockerfile
└── .github
    └── workflows
        └── docker-image.yml


/src/vuln:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CTF-Archives/2023-hgame-week4-pwn-without_hook/master/src/vuln


--------------------------------------------------------------------------------
/service/docker-entrypoint.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | echo $FLAG > /home/ctf/flag
4 | 
5 | export $FLAG=no_FLAG
6 | FLAG=no_FLAG
7 | 
8 | /etc/init.d/xinetd start;
9 | sleep infinity;


--------------------------------------------------------------------------------
/docker/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | version: '3'
 2 | services:
 3 |   test:
 4 |     image: test
 5 |     # build: ../
 6 |     environment:
 7 |       FLAG: "flag{a63b4d37-7681-4850-b6a7-0d7109febb19}"
 8 |     ports:
 9 |       - 9999:9999
10 |     restart: unless-stopped


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # 2022 HGAME WEEK4 without_hook
2 | 
3 | > without_hook
4 | 
5 | 本项目使用动态flag，请使用`$FLAG`环境变量传入flag数据（如`CTFd`），题目环境位于`9999`端口
6 | 
7 | docker镜像发布于DockerHub：`randark/2023-hgame-week4-pwn-without_hook:master`
8 | 
9 | 源码储存于Github：https://github.com/CTF-Archives/2023-hgame-week4-pwn-without_hook


--------------------------------------------------------------------------------
/service/ctf.xinetd:
--------------------------------------------------------------------------------
 1 | service ctf
 2 | {
 3 |     disable = no
 4 |     socket_type = stream
 5 |     protocol    = tcp
 6 |     wait        = no
 7 |     user        = root
 8 |     type        = UNLISTED
 9 |     port        = 9999
10 |     bind        = 0.0.0.0
11 |     server      = /usr/sbin/chroot
12 |     # replace helloworld to your program
13 |     server_args = --userspec=1000:1000 /home/ctf ./vuln
14 |     banner_fail = /etc/banner_fail
15 |     # safety options
16 |     per_source	= 10 # the maximum instances of this service per source IP address
17 |     rlimit_cpu	= 20 # the maximum number of CPU seconds that the service may use
18 |     #rlimit_as  = 1024M # the Address Space resource limit for the service
19 |     #access_times = 2:00-9:00 12:00-24:00
20 | }
21 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:20.04
 2 | 
 3 | # 制作者信息
 4 | LABEL auther_template="Randark_JMT"
 5 | 
 6 | # apt更新，并安装相关依赖
 7 | RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && \
 8 |     apt-get update && apt-get -y dist-upgrade && \
 9 |     apt-get update && apt-get install -y lib32z1 xinetd wget netcat curl lsof systemctl supervisor
10 | 
11 | # 新建用户，并进行权限限制
12 | RUN useradd -m ctf
13 | WORKDIR /home/ctf
14 | 
15 | # 复制相关glibc，并处理环境
16 | RUN cp -R /usr/lib* /home/ctf
17 | 
18 | RUN mkdir /home/ctf/dev && \
19 |     mknod /home/ctf/dev/null c 1 3 && \
20 |     mknod /home/ctf/dev/zero c 1 5 && \
21 |     mknod /home/ctf/dev/random c 1 8 && \
22 |     mknod /home/ctf/dev/urandom c 1 9 && \
23 |     chmod 666 /home/ctf/dev/*
24 | 
25 | RUN mkdir /home/ctf/bin && \
26 |     cp /bin/sh /home/ctf/bin && \
27 |     cp /bin/ls /home/ctf/bin && \
28 |     cp /bin/cat /home/ctf/bin 
29 | 
30 | #remove not have
31 | RUN rm -rf /home/ctf/lib/apt /home/ctf/lib/cpp /home/ctf/lib/gnupg /home/ctf/lib/init /home/ctf/lib/lsb /home/ctf/lib/os-release /home/ctf/lib/rsyslog /home/ctf/lib/tc /home/ctf/lib/udev /home/ctf/lib/binfmt.d /home/ctf/lib/dpkg /home/ctf/lib/gold-ld /home/ctf/lib/initramfs-tools /home/ctf/lib/ldscripts /home/ctf/lib/mime /home/ctf/lib/python2.7 /home/ctf/lib/systemd /home/ctf/lib/terminfo /home/ctf/lib/compat-ld /home/ctf/lib/gcc /home/ctf/lib/ifupdown /home/ctf/lib/insserv /home/ctf/lib/locale /home/ctf/lib/modules-load.d /home/ctf/lib/python3 /home/ctf/lib/tar /home/ctf/lib/tmpfiles.d
32 | 
33 | # 部署xinetd服务
34 | COPY ./service/ctf.xinetd /etc/xinetd.d/ctf
35 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail
36 | 
37 | # 复制容器启动脚本
38 | COPY ./service/docker-entrypoint.sh /
39 | RUN chmod +x /docker-entrypoint.sh
40 | 
41 | # 部署程序，并初始化flag
42 | COPY ./src/ /home/ctf/
43 | RUN chown -R root:ctf /home/ctf && \
44 |     chmod -R 750 /home/ctf && \
45 |     touch /home/ctf/flag && \
46 |     chmod 777 /home/ctf/flag
47 | 
48 | EXPOSE 9999
49 | ENTRYPOINT ["/bin/bash","/docker-entrypoint.sh"]
50 | 
51 | 


--------------------------------------------------------------------------------
/.github/workflows/docker-image.yml:
--------------------------------------------------------------------------------
 1 | name: Publish Docker image
 2 | 
 3 | on:
 4 |   push:
 5 |     branches: [ "master" ]
 6 | 
 7 | env:
 8 |   REGISTRY_GITHUB: ghcr.io
 9 |   REGISTRY_DOCKERHUB: randark
10 |   IMAGE_NAME_GITHUB: ${{ github.repository }}
11 | 
12 | jobs:
13 |   push_to_registries:
14 |     name: Push Docker image to multiple registries
15 |     runs-on: ubuntu-latest
16 |     permissions:
17 |       contents: read
18 |       packages: write
19 | 
20 |     steps:
21 | 
22 |       - name: Check out the repo
23 |         uses: actions/checkout@v3
24 | 
25 |       - name: Log in to Docker Hub
26 |         uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
27 |         with:
28 |           username: ${{ secrets.DOCKER_USERNAME }}
29 |           password: ${{ secrets.DOCKER_PASSWORD }}
30 | 
31 |       - name: Log into registry ${{ env.REGISTRY_GITHUB }}
32 |         if: github.event_name != 'pull_request'
33 |         uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
34 |         with:
35 |           registry: ${{ env.REGISTRY_GITHUB }}
36 |           username: ${{ github.actor }}
37 |           password: ${{ secrets.GITHUB_TOKEN  }}
38 | 
39 |       - name: Get repository name
40 |         id: repo-name
41 |         uses: MariachiBear/get-repo-name-action@v1.1.0
42 |         with:
43 |           string-case: lowercase
44 | 
45 |       - name: Extract metadata (tags, labels) for Docker
46 |         id: meta
47 |         uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
48 |         with:
49 |           images: |
50 |             ${{ env.REGISTRY_DOCKERHUB }}/${{ steps.repo-name.outputs.repository-name }}
51 |             ${{ env.REGISTRY_GITHUB }}/${{ env.IMAGE_NAME_GITHUB }}
52 | 
53 |       - name: Build and push Docker images
54 |         uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
55 |         with:
56 |           context: .
57 |           push: true
58 |           tags: ${{ steps.meta.outputs.tags }}
59 |           labels: ${{ steps.meta.outputs.labels }}
60 | 
61 |       - name: Docker Hub Description
62 |         uses: peter-evans/dockerhub-description@v3
63 |         with:
64 |           username: ${{ secrets.DOCKER_USERNAME }}
65 |           password: ${{ secrets.DOCKER_PASSWORD }}
66 |           repository: ${{ env.REGISTRY_DOCKERHUB }}/${{ steps.repo-name.outputs.repository-name }}


--------------------------------------------------------------------------------