├── pwn1 ├── flag └── pwn1 ├── README.md └── deploy.py /pwn1/flag: -------------------------------------------------------------------------------- 1 | flag{this_is_the_flag_for_pwn1} -------------------------------------------------------------------------------- /pwn1/pwn1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/veritas501/my-ctf-xinetd/HEAD/pwn1/pwn1 -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # my-ctf-xinetd 2 | fast deploy pwn , using docker & ctf_xinted 3 | 4 | --- 5 | 6 | # 致谢 7 | 感谢ctf\_xinetd提供的方法:[https://github.com/Eadom/ctf_xinetd](https://github.com/Eadom/ctf_xinetd) 8 | 9 | 通过包装,使pwn的搭建更加便捷。 10 | 11 | # 使用方法 12 | 13 | 初始目录环境: 14 | 15 | ``` 16 | . 17 | ├── deploy.py 18 | └── pwn1 19 | ├── flag 20 | └── pwn1 21 | ``` 22 | 23 | `pwn1`为二进制文件的名字,创建相同的文件名名字,结构如上。 24 | 25 | --- 26 | 27 | 当前目录执行命令: 28 | 29 | ``` 30 | #usage: ./deploy.py ProjectPath ExposePort LinuxVersion [timeout(120 for default, 0 to cancel timeout)] 31 | ./deploy.py pwn1 10001 ubuntu:16.04 32 | ./deploy.py pwn1 10001 ubuntu:16.04 60 33 | ./deploy.py pwn1 10001 ubuntu:16.04 0 34 | ``` 35 | 36 | --- 37 | 38 | 搭建完成后的文件目录: 39 | 40 | ``` 41 | . 42 | ├── ctf_xinetd 43 | │   ├── bin 44 | │   │   ├── flag 45 | │   │   └── pwn1 46 | │   ├── ctf.xinetd 47 | │   ├── Dockerfile 48 | │   └── start.sh 49 | ├── deploy.py 50 | ├── pwn1 51 | │   ├── flag 52 | │   └── pwn1 53 | └── libc 54 | ├── libc32.so 55 | └── libc64.so 56 | ``` 57 | 58 | libc为docker环境中的libc,提供给选手使用。 59 | 60 | # END 61 | 62 | enjoy :) -------------------------------------------------------------------------------- /deploy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | #coding=utf8 3 | 4 | import os 5 | from os import system 6 | from os import popen 7 | import sys 8 | from time import sleep 9 | if (len(sys.argv) != 4) and (len(sys.argv) != 5): 10 | print 'usage: %s ProjectPath ExposePort LinuxVersion [timeout(120 for default, 0 to cancel timeout)]' % sys.argv[0] 11 | exit(0) 12 | 13 | dockerfile='''FROM %s 14 | 15 | RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.163.com/g" /etc/apt/sources.list && \ 16 | sed -i "s/http:\/\/security.ubuntu.com/http:\/\/mirrors.163.com/g" /etc/apt/sources.list && \ 17 | apt-get update && apt-get -y dist-upgrade && \ 18 | apt-get install -y lib32z1 xinetd 19 | 20 | RUN useradd -m ctf 21 | 22 | COPY ./bin/ /home/ctf/ 23 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 24 | COPY ./start.sh /start.sh 25 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 26 | 27 | RUN chmod +x /start.sh && \ 28 | chown -R root:ctf /home/ctf && \ 29 | chmod -R 750 /home/ctf && \ 30 | chmod 740 /home/ctf/flag && \ 31 | cp -R /lib* /home/ctf && \ 32 | cp -R /usr/lib* /home/ctf 33 | 34 | RUN mkdir /home/ctf/dev && \ 35 | mknod /home/ctf/dev/null c 1 3 && \ 36 | mknod /home/ctf/dev/zero c 1 5 && \ 37 | mknod /home/ctf/dev/random c 1 8 && \ 38 | mknod /home/ctf/dev/urandom c 1 9 && \ 39 | chmod 666 /home/ctf/dev/* 40 | 41 | RUN mkdir /home/ctf/bin && \ 42 | cp /bin/sh /home/ctf/bin && \ 43 | cp /bin/ls /home/ctf/bin && \ 44 | cp /bin/cat /home/ctf/bin && \ 45 | cp /usr/bin/timeout /home/ctf/bin 46 | 47 | WORKDIR /home/ctf 48 | 49 | CMD ["/start.sh"] 50 | 51 | EXPOSE 9999 52 | ''' %sys.argv[3] 53 | 54 | startsh='''#!/bin/sh 55 | # Add your startup script 56 | 57 | # DO NOT DELETE 58 | /etc/init.d/xinetd start; 59 | sleep infinity; 60 | ''' 61 | 62 | ctf_xinetd='''service ctf 63 | { 64 | disable = no 65 | socket_type = stream 66 | protocol = tcp 67 | wait = no 68 | user = root 69 | type = UNLISTED 70 | port = 9999 71 | bind = 0.0.0.0 72 | server = /usr/sbin/chroot 73 | server_args = --userspec=1000:1000 /home/ctf ./run.sh 74 | banner_fail = /etc/banner_fail 75 | # safety options 76 | per_source = 5 # the maximum instances of this service per source IP address 77 | rlimit_cpu = 3 # the maximum number of CPU seconds that the service may use 78 | #rlimit_as = 1024M # the Address Space resource limit for the service 79 | #access_times = 2:00-9:00 12:00-24:00 80 | } 81 | ''' 82 | 83 | timeout = 120 84 | 85 | if len(sys.argv) == 5: 86 | timeout = int(sys.argv[4]) 87 | 88 | if timeout == 0: 89 | runsh=''' 90 | #!/bin/sh 91 | # 92 | exec 2>/dev/null 93 | ./%s 94 | ''' % sys.argv[1] 95 | else: 96 | runsh=''' 97 | #!/bin/sh 98 | # 99 | exec 2>/dev/null 100 | timeout %d ./%s 101 | ''' % (timeout,sys.argv[1]) 102 | 103 | 104 | system('rm -rf ctf_xinetd') 105 | system('rm -rf libc') 106 | system('mkdir ctf_xinetd') 107 | system('mkdir ctf_xinetd/bin') 108 | 109 | open('ctf_xinetd/Dockerfile','w').write(dockerfile) 110 | open('ctf_xinetd/ctf.xinetd','w').write(ctf_xinetd) 111 | open('ctf_xinetd/start.sh','w').write(startsh) 112 | open('ctf_xinetd/bin/run.sh','w').write(runsh) 113 | 114 | system('cp %s/* ctf_xinetd/bin/'%sys.argv[1]) 115 | system('chmod +x ctf_xinetd/bin/%s'%sys.argv[1]) 116 | system('chmod +x ctf_xinetd/bin/run.sh') 117 | system('chmod +x ctf_xinetd/start.sh') 118 | 119 | if popen("sudo docker images -q %s" % sys.argv[1]).read() == '': 120 | system('sudo docker build -t "%s" ./ctf_xinetd'%sys.argv[1]) 121 | else: 122 | if_rm = raw_input("\033[0;31mimage already exist, remove or just run it ?[rm/run]\n\033[0m") 123 | system('sudo docker stop $(sudo docker ps -aq --filter "name=%s")' % sys.argv[1]) 124 | system('sudo docker rm $(sudo docker ps -aq --filter "name=%s")' % sys.argv[1]) 125 | if if_rm == 'rm': 126 | system('sudo docker rmi $(sudo docker images -q %s)' % sys.argv[1]) 127 | system('sudo docker build -t "%s" ./ctf_xinetd'%sys.argv[1]) 128 | 129 | sleep(1) 130 | system('sudo docker run --ulimit nproc=1024:2048 -d -p "0.0.0.0:%s:9999" -h "%s" --name="%s" %s'%(sys.argv[2],sys.argv[1],sys.argv[1],sys.argv[1])) 131 | 132 | 133 | ###### 134 | system('mkdir libc') 135 | system('sudo docker cp --follow-link %s:lib/x86_64-linux-gnu/libc.so.6 libc/libc64.so'%sys.argv[1]) 136 | system('sudo docker cp --follow-link %s:lib32/libc.so.6 libc/libc32.so'%sys.argv[1]) 137 | 138 | print '''\033[0;32m 139 | ============================ 140 | || [+] Deploy finish :) || 141 | ============================ 142 | 143 | try nc 0 %s\033[0m 144 | '''%sys.argv[2] 145 | --------------------------------------------------------------------------------