Creating CTF challenges

How do you deploy the environment for a challenge?

Docker deployment

  1. First, install Docker
sudo apt install docker.io
  1. Write the challenge
chall
├── flag.txt
├── vuln
├── vuln.c
└── Makefile
  1. Docker deployment: add a Dockerfile in the same directory, used together with xinetd
    • Modify the contents of the file; see the comments
FROM ubuntu:20.04
ENV DEBIAN_FRONTEND noninteractive

RUN apt-get -y update --fix-missing && apt-get -y dist-upgrade
RUN apt-get -y install lib32z1 xinetd
RUN groupadd -r pwn && useradd -r -g pwn pwn

RUN echo '#!/bin/bash\n \
service xinetd restart && /bin/sleep infinity' > /etc/init.sh

###### change server
RUN echo 'service pwn\n \
{\n \
type = UNLISTED\n \
disable = no\n \
socket_type = stream\n \
protocol = tcp\n \
wait = no\n \
user = pwn\n \
bind = 0.0.0.0\n \
port = 9999\n \
server = /home/pwn/vuln\n \
}' > /etc/xinetd.d/pwn

RUN chmod 500 /etc/init.sh
RUN chmod 444 /etc/xinetd.d/pwn
RUN chmod 1733 /tmp /var/tmp /dev/shm

####### change flag
ADD chall/flag.txt /flag.txt
RUN chmod 444 /flag.txt
RUN mv /flag.txt /flag-$(md5sum flag.txt | awk '{print $1}').txt

WORKDIR /home/pwn
###### change chall file
ADD chall/vuln .
RUN chmod 550 vuln

RUN chown -R root:pwn /home/pwn
RUN service xinetd restart
  1. docker-compose.yml
    • Just change the port to the one you want
version: '3'
services:
  vuln: # change name
    build: .
    ulimits:
      nproc: 65535
      core: 0
    ports:
      - "1234:9999" # change port
    entrypoint: /etc/init.sh
    restart: unless-stopped

Start

docker-compose up

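Pitfall: when deploying a challenge with Docker, the program must set its buffers to 0 (unbuffered); otherwise the output is not displayed?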
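
The pitfall above, reproduced as an added example (not code from the original post): xinetd hands the service a socket rather than a terminal, so stdio fully buffers stdout and a prompt without a flush never reaches the player until `setvbuf` is called. The names `challenge` and `prompt_arrives` are hypothetical, and a pair of pipes stands in for the xinetd socket.

```c
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical challenge body: print a prompt (no newline), then read input. */
static void challenge(int unbuffered) {
    char name[32];
    if (unbuffered) {              /* the fix: do this first thing in main() */
        setvbuf(stdin, NULL, _IONBF, 0);
        setvbuf(stdout, NULL, _IONBF, 0);
        setvbuf(stderr, NULL, _IONBF, 0);
    }
    printf("Input your name: ");
    if (fgets(name, sizeof name, stdin))
        printf("Hello, %s", name);
}

/* Run challenge() with stdin/stdout on pipes (not a tty, like the socket
 * xinetd hands to the service). Returns 1 if the prompt reaches the client
 * within 500 ms, 0 if it is still sitting in the stdio buffer, -1 on error. */
int prompt_arrives(int unbuffered) {
    int in[2], out[2];
    if (pipe(in) || pipe(out)) return -1;
    fflush(NULL);                  /* do not duplicate pending output into the child */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(in[0], STDIN_FILENO);
        dup2(out[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        challenge(unbuffered);
        _exit(0);
    }
    close(in[0]); close(out[1]);
    struct pollfd pfd = { .fd = out[0], .events = POLLIN };
    int seen = poll(&pfd, 1, 500) > 0 && (pfd.revents & POLLIN) != 0;
    kill(pid, SIGKILL);            /* the child is still blocked in fgets() */
    waitpid(pid, NULL, 0);
    close(in[1]); close(out[0]);
    return seen;
}

int main(void) {
    int plain = prompt_arrives(0), fixed = prompt_arrives(1);
    printf("prompt seen without setvbuf: %d, with setvbuf: %d\n", plain, fixed);
    return 0;
}
```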

ctf_xinetd

Download ctf_xinetd from this link; deployment is fairly simple.

  • Replace the binary and the flag file in the bin directory
  • Change one line in the Dockerfile
RUN cp -R /lib* /home/ctf && \
cp -R /usr/lib* /home/ctf

# change to
RUN cp -R /usr/lib* /home/ctf

Changes to ctf.xinetd

server_args = --userspec=1000:1000 /home/ctf ./helloworld

# change to
server_args = --userspec=1000:1000 /home/ctf <your own vulnerable program>

Finally, just run the two commands from the README, for example:

docker build -t "vuln" .

# replace pub_port with the port you want
docker run -d -p "0.0.0.0:pub_port:9999" -h "vuln" --name="vuln" vuln

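Taking a look at its contents, it uses a chroot sandbox that turns the original /home/ctf directory into the root of the filesystem, which is why the Dockerfile has to copy all of the libraries there.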

server      = /usr/sbin/chroot

pwn_deploy_chroot

kernel

  • Deploying a kernel challenge, using ctf_xinetd as the example
chall  
├── ctf.xinetd
├── Dockerfile
├── bin
│ ├── run.sh
│ ├── bzImage
│ └── rootfs.cpio
├── README.md
└── start.sh

Installing the environment with Docker

FROM ubuntu:20.04  

ENV DEBIAN_FRONTEND=noninteractive

RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && \
apt-get update && apt-get -y dist-upgrade && \
apt-get install -y lib32z1 xinetd git libglib2.0-dev libfdt-dev \
libpixman-1-dev zlib1g-dev qemu qemu-system-x86

RUN useradd -m pwn

WORKDIR /

COPY ./ctf.xinetd /etc/xinetd.d/ctf
COPY ./start.sh /start.sh
RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail

RUN chmod +x /start.sh

COPY ./chall/ /

CMD ["/run.sh"]

EXPOSE 25000

The important part is modifying the ctf.xinetd file

service ctf  
{
disable = no
socket_type = stream
protocol = tcp
wait = no
user = pwn
type = UNLISTED
port = 25000
bind = 0.0.0.0
server = /run.sh # changed here
# replace helloworld to your program
banner_fail = /etc/banner_fail
# safety options
per_source = 10 # the maximum instances of this service per source IP address
rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use
#rlimit_as = 1024M # the Address Space resource limit for the service
#access_times = 2:00-9:00 12:00-24:00
}