├── .gitignore
├── LICENSE
├── README.md
├── docker-compose.yaml
├── vhost.conf
├── web1
    ├── Dockerfile
    ├── flag
    └── www
    │   ├── docker-entrypoint.sh
    │   ├── html
    │       └── index.html
    │   ├── index.html
    │   ├── nginx.conf
    │   ├── redirect.php
    │   └── rsyncd.conf
└── web2
    ├── Dockerfile
    └── www
        ├── docker-entrypoint.sh
        ├── index.php
        └── nginx.conf


/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | .DS_Store
3 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2018 CTFTraining
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CTF学习交流入群题 Web 20180626
 2 | 
 3 | ## Run
 4 | 
 5 | 	docker-compose up -d
 6 | 
 7 | then, open http://127.0.0.1:10002
 8 | 
 9 | **Maybe you can use Nginx**
10 | 
11 | copy `vhost.conf` to Nginx's conf and rename for you like
12 | 
13 | then, you can open http://473831530.local.virzz.com for it
14 | 
15 | **Domain DNS Record**
16 | 
17 | 	A *.local.virzz.com 127.0.0.1
18 | 
19 | ## ChangeLog
20 | 
21 | - Add DockerHub Repo [2018-10-15]
22 | 
23 | ## LICENSE
24 | 
25 | [MIT License](LICENSE)
26 | 


--------------------------------------------------------------------------------
/docker-compose.yaml:
--------------------------------------------------------------------------------
 1 | # CTF学习交流Web入群题
 2 | # Author : Virink
 3 | version: "3"
 4 | services:
 5 | 
 6 |   web1:
 7 |     image: ctftraining/ctf473831530_2018_web_virink:web1
 8 |     build: ./web1
 9 |     volumes:
10 |       - ./logs:/var/log/nginx
11 |     networks:
12 |       ctf473831530:
13 |         ipv4_address: 172.16.233.111
14 |     restart: always
15 |     environment:
16 |       - FLAG=flag{test_flag}
17 | 
18 |   web2:
19 |     image: ctftraining/ctf473831530_2018_web_virink:web2
20 |     build: ./web2
21 |     ports:
22 |       - "127.0.0.1:10002:80"
23 |     volumes:
24 |       - ./logs:/var/log/nginx
25 |     networks:
26 |       ctf473831530:
27 |         ipv4_address: 172.16.233.222
28 |     restart: always
29 | 
30 | networks:
31 |   ctf473831530:
32 |     driver: bridge
33 |     ipam:
34 |       driver: default
35 |       config:
36 |         - subnet: 172.16.233.0/24
37 | 


--------------------------------------------------------------------------------
/vhost.conf:
--------------------------------------------------------------------------------
 1 | server {
 2 |     listen       80;
 3 |     server_name  473831530.local.virzz.com;
 4 |     
 5 |     access_log /var/log/nginx/ctf473831530.log;
 6 | 
 7 |     location / {
 8 |         proxy_pass http://127.0.0.1:10002;
 9 |         proxy_set_header Host $host;
10 |         # X-Forwarded-For
11 |         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
12 |     }
13 | 
14 |     location ~ /\.ht {
15 |        deny  all;
16 |     }
17 | }
18 | 
19 | 
20 | 


--------------------------------------------------------------------------------
/web1/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM nginx:1.15.0
 2 | 
 3 | MAINTAINER Virink <virink@outlook.com>
 4 | 
 5 | ADD www /www
 6 | 
 7 | ADD flag /7h1s_i5_f14g
 8 | 
 9 | RUN apt-get update \
10 |     && apt-get install --no-install-recommends -y php7.0-fpm rsync \
11 |     && sed -i "s/www-data/nobody/" /etc/php/7.0/fpm/pool.d/www.conf \
12 |     && sed -i "s/group = nobody/group = nogroup/" /etc/php/7.0/fpm/pool.d/www.conf \
13 |     && sed -i "s/\/run\/php\/php7.0-fpm.sock/9000/" /etc/php/7.0/fpm/pool.d/www.conf \
14 |     && sed -i "s/;access.log = log\/\$pool.access.log/access.log = \/var\/log\/nginx\/fpm.access.log/" /etc/php/7.0/fpm/pool.d/www.conf \
15 |     && mkdir /run/php \
16 |     && mv /www/nginx.conf /etc/nginx/conf.d/default.conf \
17 |     && mv /www/rsyncd.conf /etc/rsyncd.conf \
18 |     && mv /www/docker-entrypoint.sh /docker-entrypoint.sh \
19 |     && chmod -r /var/log/nginx \
20 |     && chmod +x /docker-entrypoint.sh \
21 |     # root
22 |     && chmod 500 /7h1s_i5_f14g \
23 |     && rm -rf /var/lib/apt/lists/*
24 | 
25 | CMD ["/docker-entrypoint.sh"]
26 | 


--------------------------------------------------------------------------------
/web1/flag:
--------------------------------------------------------------------------------
1 | flag{*************}


--------------------------------------------------------------------------------
/web1/www/docker-entrypoint.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | echo $FLAG > /7h1s_i5_f14g
 4 | export FLAG=not_flag
 5 | FLAG=not_flag
 6 | 
 7 | set -ex
 8 | 
 9 | chmod -r /var/log/nginx
10 | 
11 | service php7.0-fpm restart
12 | 
13 | service nginx restart
14 | 
15 | rm /var/run/rsyncd.pid || echo 1
16 | 
17 | exec rsync --no-detach --daemon --config /etc/rsyncd.conf
18 | 


--------------------------------------------------------------------------------
/web1/www/html/index.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CTFTraining/ctf473831530_2018_web_virink/8eada6c5d99c6c0076588fb3787f0f08bca9c2ce/web1/www/html/index.html


--------------------------------------------------------------------------------
/web1/www/index.html:
--------------------------------------------------------------------------------
1 | <meta http-equiv="refresh" content="1; url='/redirect.php'">


--------------------------------------------------------------------------------
/web1/www/nginx.conf:
--------------------------------------------------------------------------------
 1 | server {
 2 |     listen       80;
 3 |     server_name  localhost;
 4 | 
 5 |     root   /www;
 6 |     index  index.html index.php;
 7 |     
 8 |     access_log /var/log/nginx/ctf473831530_web1.log;
 9 |     error_log /var/log/nginx/ctf473831530_web1_error.log;
10 | 
11 |     location ~ \.php$ {
12 |         root           /www;
13 |         fastcgi_pass   127.0.0.1:9000;
14 |         fastcgi_index  index.php;
15 |         fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
16 |         include        fastcgi_params;
17 |     }
18 | 
19 |     location ~ /\.ht {
20 |        deny  all;
21 |     }
22 | }


--------------------------------------------------------------------------------
/web1/www/redirect.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $ip = $_SERVER['REMOTE_ADDR'];
3 | header("Location: https://www.virzz.com/?ip=$ip");


--------------------------------------------------------------------------------
/web1/www/rsyncd.conf:
--------------------------------------------------------------------------------
 1 | # https://github.com/vulhub/vulhub/tree/master/rsync/common
 2 | 
 3 | uid = root
 4 | gid = root
 5 | use chroot = no
 6 | max connections = 4
 7 | syslog facility = local5
 8 | pid file = /var/run/rsyncd.pid
 9 | log file = /var/log/nginx/rsyncd.log
10 | 
11 | [src]
12 | path = /
13 | comment = src path
14 | read only = yes
15 | 
16 | # For this
17 | hosts allow = 127.0.0.1


--------------------------------------------------------------------------------
/web2/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM nginx:1.15.0
 2 | 
 3 | MAINTAINER Virink <virink@outlook.com>
 4 | 
 5 | ADD www /www
 6 | 
 7 | RUN apt-get update \
 8 |     && apt-get install --no-install-recommends -y php7.0-fpm python3 \
 9 |     && sed -i "s/user  nginx;/user  www-data;/" /etc/nginx/nginx.conf \
10 |     && mkdir /run/php \
11 |     && mv /www/nginx.conf /etc/nginx/conf.d/default.conf \
12 |     # Fix PHP
13 |     && sed -i "s/pm.max_children = 5/pm.max_children = 10/" /etc/php/7.0/fpm/pool.d/www.conf \
14 |     && sed -i "s/;request_terminate_timeout = 0/request_terminate_timeout = 5/" /etc/php/7.0/fpm/pool.d/www.conf \
15 |     && mv /www/docker-entrypoint.sh /docker-entrypoint.sh \
16 |     # Permission Control
17 |     && mkdir /www/sandbox \
18 |     && chmod -r /www/sandbox \
19 |     && chmod -r /var/log/nginx \
20 |     && chown -R www-data /www/sandbox \
21 |     && chmod +x /docker-entrypoint.sh \
22 |     && rm -rf /var/lib/apt/lists/*
23 | 
24 | CMD ["/docker-entrypoint.sh"]
25 | 


--------------------------------------------------------------------------------
/web2/www/docker-entrypoint.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | export FLAG=not_flag
 4 | FLAG=not_flag
 5 | 
 6 | set -ex
 7 | 
 8 | chmod -r /www/sandbox
 9 | chmod -r /var/log
10 | 
11 | service php7.0-fpm restart
12 | 
13 | service nginx restart
14 | 
15 | exec tail -f /var/log/nginx/ctf473831530_web2.log
16 | 


--------------------------------------------------------------------------------
/web2/www/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Hitcon2017 BabyFirst Revenge By Orange
 4 |  */
 5 | error_reporting(0);
 6 | 
 7 | $source = '<?php
 8 |     $sandbox = \'/www/sandbox/\' . md5(\'orange\' . $_SERVER[\'REMOTE_ADDR\']);
 9 |     mkdir($sandbox);
10 |     chdir($sandbox);
11 |     if (isset($_GET[\'cmd\']) && strlen($_GET[\'cmd\']) <= 20) {
12 |         exec($_GET[\'cmd\']);
13 |     } else if (isset($_GET[\'reset\'])) {
14 |         exec(\'/bin/rm -rf \' . $sandbox);
15 |     }
16 |     echo "<br /> IP : {\$_SERVER[\'REMOTE_ADDR\']}";
17 | ?>';
18 | 
19 | $sandbox = '/www/sandbox/' . md5('orange' . $_SERVER['REMOTE_ADDR']);
20 | mkdir($sandbox);
21 | chdir($sandbox);
22 | if (isset($_GET['cmd']) && strlen($_GET['cmd']) <= 20) {
23 | 	exec($_GET['cmd']);
24 | } else if (isset($_GET['reset'])) {
25 | 	exec('/bin/rm -rf ' . $sandbox);
26 | }
27 | 
28 | ?>
29 | <html>
30 |     <head>
31 |         <title>GetShell for Next</title>
32 |     </head>
33 |     <body>
34 |         <h2>Hint</h2>
35 |         <hr>
36 |         <div>
37 |             <ul>
38 |                 <li>1. flag is not here (this server)</li>
39 |                 <li>2. python3</li>
40 |                 <li>3. 脚本要骚才能 getflag</li>
41 |                 <li><b>不准暴力！不准暴力！！不准暴力！！！</b></li>
42 |             </ul>
43 |         </div>
44 |         <hr>
45 |         <h2>Source</h2>
46 |         <hr>
47 |         <div>
48 |             <?php highlight_string($source);?>
49 |         </div>
50 |         <hr>
51 |         <h2>Your IP</h2>
52 |         <hr>
53 |         <div>
54 |             <?php echo "IP : {$_SERVER['REMOTE_ADDR']}"; ?>
55 |         </div>
56 |     </body>
57 | </html>
58 | 


--------------------------------------------------------------------------------
/web2/www/nginx.conf:
--------------------------------------------------------------------------------
 1 | server {
 2 |     listen       80;
 3 |     server_name  localhost;
 4 | 
 5 |     root   /www;
 6 |     index  index.html index.php;
 7 |     
 8 |     access_log /var/log/nginx/ctf473831530_web2.log;
 9 |     error_log /var/log/nginx/ctf473831530_web2_error.log;
10 | 
11 |     location ~ \.php$ {
12 |         root           /www;
13 |         fastcgi_pass   unix:/run/php/php7.0-fpm.sock;
14 |         fastcgi_index  index.php;
15 |         fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
16 |         include        fastcgi_params;
17 |         fastcgi_connect_timeout 300; 
18 |         fastcgi_send_timeout 300; 
19 |         fastcgi_read_timeout 300; 
20 |         fastcgi_buffers 32 128k;  
21 |         fastcgi_buffer_size 128k;  
22 |         fastcgi_busy_buffers_size 256k;  
23 |         fastcgi_temp_file_write_size 256k;  
24 |         # X-Forwarded-For
25 |         # set_real_ip_from 172.16.233.0/24;
26 |         # real_ip_header X-Forwarded-For;
27 |         # real_ip_recursive on;
28 |     }
29 | 
30 |     location ~ /\.ht {
31 |        deny  all;
32 |     }
33 | }


--------------------------------------------------------------------------------