diff options
| -rw-r--r-- | flags/Makefile | 21 | ||||
| -rwxr-xr-x | flags/exec | bin | 0 -> 6477 bytes | |||
| -rw-r--r-- | flags/exec.c | 41 | ||||
| -rwxr-xr-x | flags/format | bin | 0 -> 5387 bytes | |||
| -rw-r--r-- | flags/format.c | 36 | ||||
| -rwxr-xr-x | flags/make-keys.rsa | 11 | ||||
| -rwxr-xr-x | flags/rsa-runner | bin | 0 -> 5794 bytes | |||
| -rw-r--r-- | flags/rsa-runner.c | 24 | ||||
| -rwxr-xr-x | flags/rsa.py | 81 | ||||
| -rwxr-xr-x | flags/simple | bin | 0 -> 5266 bytes | |||
| -rw-r--r-- | flags/simple.c | 23 | ||||
| -rw-r--r-- | flags/simple.not.the.flag | 1 |
12 files changed, 238 insertions, 0 deletions
diff --git a/flags/Makefile b/flags/Makefile new file mode 100644 index 0000000..17fd13d --- /dev/null +++ b/flags/Makefile @@ -0,0 +1,21 @@ +all: exec format rsa-runner simple + +exec: exec.c + gcc -o exec exec.c + chown root:exec exec + chmod 2755 exec + +format: format.c + gcc -o format format.c + chown root:format format + chmod 2755 format + +rsa-runner: rsa-runner.c + gcc -o rsa-runner rsa-runner.c + chown root:rsa rsa-runner + chmod 2755 rsa-runner + +simple: simple.c + gcc -o simple simple.c + chown root:simple simple + chmod 2755 simple diff --git a/flags/exec b/flags/exec Binary files differnew file mode 100755 index 0000000..9e35dbc --- /dev/null +++ b/flags/exec diff --git a/flags/exec.c b/flags/exec.c new file mode 100644 index 0000000..24daf7d --- /dev/null +++ b/flags/exec.c @@ -0,0 +1,41 @@ +#include <sys/types.h> +#include <sys/wait.h> +#include <stdio.h> +#include <fcntl.h> +#include <unistd.h> + +char flag[32]; + +int main(int argc, char **argv) { + int fd; + pid_t pid; + int status; + + fprintf(stderr, "real %d:%d effective %d:%d\n", + getuid(), getgid(), geteuid(), getegid()); + + fd = open("exec.flag", O_RDONLY); + if(-1 != fd) { + // load flag into memory where nobody will ever find it + read(fd, flag, sizeof(flag)); + } + // we'll even run something for you! + if(argc != 2) { + fprintf(stderr, "give me something to run\n"); + return -1; + } + pid = fork(); + if(pid < 0) { + perror("fork failed"); + } + if(0 == pid) { + // drop privs + seteuid(getuid()); + setegid(getgid()); + // exec tears down the address space, goodbye flag! + execlp(argv[1], argv[1], NULL); + perror("exec failed"); + } + waitpid(pid, &status, 0); + return 0; +} diff --git a/flags/format b/flags/format Binary files differnew file mode 100755 index 0000000..e0f5d4e --- /dev/null +++ b/flags/format diff --git a/flags/format.c b/flags/format.c new file mode 100644 index 0000000..4fc30fd --- /dev/null +++ b/flags/format.c @@ -0,0 +1,36 @@ +#include <stdlib.h> +#include <stdio.h> +#include <string.h> + +void hax(char *shellcode) { + int stack; + printf(shellcode, &stack); +} + +int main(int argc, char **argv) { + char *buf, *p; + int i; + + if(argc != 2) { + printf("What? Are you chicken?\n"); + return -1; + } + // remove %n from format string, we're not *that* stupid + buf = strdup(argv[1]); + for(p = argv[1], i = 0; p[0]; ++p) { + if(p[0] == '%' && p[1] == 'n') { + ++p; + if(p[0]) { + continue; + } else { + break; + } + } + buf[i++] = p[0]; + } + buf[i] = '\0'; + hax(buf); + free(buf); + putchar('\n'); + return 0; +} diff --git a/flags/make-keys.rsa b/flags/make-keys.rsa new file mode 100755 index 0000000..e6fba64 --- /dev/null +++ b/flags/make-keys.rsa @@ -0,0 +1,11 @@ +#!/usr/bin/env python + +from Crypto.PublicKey import RSA +import pickle + +keys = {} +keys['Alice'] = RSA.generate(1024) +keys['Bob'] = RSA.generate(1024).publickey() + +with open('rsa.keys', 'w') as f: + pickle.dump(keys, f) diff --git a/flags/rsa-runner b/flags/rsa-runner Binary files differnew file mode 100755 index 0000000..a6069f7 --- /dev/null +++ b/flags/rsa-runner diff --git a/flags/rsa-runner.c b/flags/rsa-runner.c new file mode 100644 index 0000000..2b8c9d2 --- /dev/null +++ b/flags/rsa-runner.c @@ -0,0 +1,24 @@ +#include <sys/types.h> +#include <sys/wait.h> +#include <stdio.h> +#include <fcntl.h> +#include <unistd.h> + +int main(int argc, char **argv) { + pid_t pid; + int status; + + fprintf(stderr, "real %d:%d effective %d:%d\n", + getuid(), getgid(), geteuid(), getegid()); + + pid = fork(); + if(pid < 0) { + perror("fork failed"); + } + if(0 == pid) { + execlp("/flags/rsa.py", "rsa.py", NULL); + perror("exec failed"); + } + waitpid(pid, &status, 0); + return 0; +} diff --git a/flags/rsa.py b/flags/rsa.py new file mode 100755 index 0000000..96fc947 --- /dev/null +++ b/flags/rsa.py @@ -0,0 +1,81 @@ +#!/usr/bin/env python + +# Load up the goods. +with open('rsa.flag', 'r') as f: + flag = f.read(32) + +from Crypto.PublicKey import RSA +from Crypto.Hash import MD5 +from Crypto import Random +from SocketServer import TCPServer, StreamRequestHandler +import pickle + +# Load up our keystore. +# This should be a dict of names (strings) to RSA keys. +with open('/flags/rsa.keys', 'r') as f: + keys = pickle.load(f) + +def keyid(key): + return MD5.new(key.publickey().exportKey('DER')).digest() + +def getkey(by_id): + for key in keys.values(): + if keyid(key) == by_id: + return key + +def digest(msg): + buf = MD5.new(msg.keyid + ':' + msg.request).digest() + print "Message digest is {0}".format(buf.encode('hex')) + return buf + +def sign(msg): + rng = Random.new().read + return getkey(msg.keyid).sign(digest(msg), rng) + +def verify(msg): + return getkey(msg.keyid).verify(digest(msg), msg.signature) + +class Request: + pass + +class Handler(StreamRequestHandler): + def start(self): + # Ask Bob for his flag, this should be fun. + msg = Request() + msg.name = 'Alice' + msg.request = 'get_flag' + msg.keyid = keyid(keys[msg.name]) + msg.signature = sign(msg) + pickle.dump(msg, self.wfile) + + def get_flag(self, request): + # Make sure it's from someone we trust + if(request.name not in keys.keys() + or request.keyid not in + [keyid(key) for key in keys.values()] + or request.name == 'Alice'): + print "We don't trust this person" + return + # Verify the signature + if(not verify(request)): + print "This message was altered" + return + # Send the goods. + pickle.dump(flag, self.wfile) + + def handle(self): + request = pickle.load(self.rfile) + print "we got: {0}".format(request) + if(request.request == 'start'): + self.start() + if(request.request == 'get_flag'): + self.get_flag(request) + +for port in range(6666, 6999): + try: + server = TCPServer(('localhost', port), Handler) + print 'server running at port {0}'.format(port) + break + except: + continue +server.serve_forever() diff --git a/flags/simple b/flags/simple Binary files differnew file mode 100755 index 0000000..3a9efaf --- /dev/null +++ b/flags/simple diff --git a/flags/simple.c b/flags/simple.c new file mode 100644 index 0000000..e69e8e5 --- /dev/null +++ b/flags/simple.c @@ -0,0 +1,23 @@ +#include <fcntl.h> +#include <stdio.h> + +// this one is really simple +int main() { + int fd; + char buff[32]; + int len; + + fd = open("simple.not.the.flag", O_RDONLY); + if(-1 == fd) { + perror("open failed"); + return -1; + } + len = read(fd, buff, sizeof(buff)); + if(len < 0) { + perror("read failed"); + return -1; + } + write(1, buff, len); + putchar('\n'); + return 0; +} diff --git a/flags/simple.not.the.flag b/flags/simple.not.the.flag new file mode 100644 index 0000000..73fe8ce --- /dev/null +++ b/flags/simple.not.the.flag @@ -0,0 +1 @@ +7db61f4aafe27bd210359d445241587a |