Commit 7985a7f

author
Sajjad Arshad
committed
Pwn2Win CTF 2020
1 parent 652eafe commit 7985a7f

File tree

78 files changed

+146
-0
lines changed

Pwn2Win/2020/at_your_command/command

9.98 KB
Binary file not shown.
1.94 MB
Binary file not shown.

Pwn2Win/2020/butcher_bmc/README.txt

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
Description:
2+
3+
We discovered that the ButcherCorp has a data center in the city of
4+
Boston. Each server of this data center has a custom BMC (Baseboard Management
5+
Controller), named 'Butcher BMC' and they manage the servers remotely through an
6+
exposed IPMI interface. Luckly, the Rebelious Fingers were able to deploy a
7+
backdoor on this data center. Below is the information that they sent to us:
8+
9+
root@butcher:~# journalctl -b --no-pager | grep Echo
10+
May 25 00:45:49 butcher ipmid[234]: Registering OEM:[0X003039], Cmd:[0X7E] for Echo Commands
11+
12+
Instructions:
13+
14+
1- Install dependency, e.g.,:
15+
$ sudo apt install ipmitool
16+
17+
2- Connect to server, e.g.,:
18+
$ nc butcherbmc.pwn2.win 1337
19+
20+
3- Solve PoW, get your ipmi port, and wait for system initialization.
21+
22+
4- Use ipmitool to run commands, e.g.,:
23+
$ ipmitool -I lanplus -H butcherbmc.pwn2.win -p <ipmi port> -U root -P 0penBmc chassis status
24+
25+
Note that the credentials are the default (i.e., root:0penBmc).
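Review bot: two spelling errors in the description at file lines 6 and 7: "Luckly" should be "Luckily" and "Rebelious" should be "Rebellious". Step 3 of the instructions would also be more useful if it stated the hashcash bit strength the PoW check demands (run.py in this commit calls `check_pow(25)`), so players can estimate how long the proof-of-work takes before the emulator even starts.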

Pwn2Win/2020/butcher_bmc/content

32 MB
Binary file not shown.
59.8 MB
Binary file not shown.

Pwn2Win/2020/butcher_bmc/run.py

Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
#!/usr/bin/python3 -u
2+
import random
3+
import signal
4+
import string
5+
import subprocess
6+
import sys
7+
8+
def random_string(n):
9+
return ''.join(random.choice(string.ascii_lowercase) for _ in range(n))
10+
11+
def check_pow(bits):
12+
r = random_string(10)
13+
print(f"hashcash -mb{bits} {r}")
14+
solution = input("Solution: \n").strip()
15+
if subprocess.call(["hashcash", f"-cdb{bits}", "-r", r, solution],
16+
cwd="/tmp",
17+
stdout=subprocess.DEVNULL,
18+
stderr=subprocess.DEVNULL) != 0:
19+
raise Exception("Invalid PoW")
20+
21+
check_pow(25)
22+
23+
port = random.randint(1024, 65535)
24+
print(f"IPMI over lan will be listening on port {port}\n")
25+
26+
subprocess.call(["./qemu-system-arm",
27+
"-monitor", "/dev/null",
28+
"-m", "128M",
29+
"-M", "romulus-bmc",
30+
"-drive", "file=./content,format=raw,if=mtd,readonly",
31+
"-net", "nic",
32+
"-net", f"user,hostfwd=udp::{port}-:623",
33+
"-nographic"], stdin=subprocess.DEVNULL, timeout=200)
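Review bot: `signal` and `sys` (file lines 3 and 6) are imported but never used; drop them. The forwarded UDP port chosen by `random.randint(1024, 65535)` at line 23 can collide with a port already bound on the host, for example by another player's concurrent session, in which case QEMU fails to set up the `hostfwd` rule and the player only sees the emulator exit; check that the port is free before announcing it, or allocate from a per-session range. Finally, `subprocess.call(..., timeout=200)` at line 33 kills QEMU when the timeout expires but then re-raises `subprocess.TimeoutExpired`, so the session ends with a Python traceback on stderr; wrap the call in `try/except subprocess.TimeoutExpired` and print a clean "session expired" message instead.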
Binary file not shown.

Pwn2Win/2020/omnitmizer/Dockerfile

Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
FROM mcr.microsoft.com/windows/servercore:ltsc2019
2+
3+
COPY /x64.release/ /omnitmizer/
4+
5+
WORKDIR /omnitmizer
6+
7+
RUN icacls flag.exe /setowner "user manager\containeruser"
8+
USER ContainerUser
9+
RUN icacls flag.exe /deny "user manager\containeruser":RX
10+
11+
ENTRYPOINT ["omnitmize.bat"]
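Review bot: the two `icacls` steps at file lines 7 and 9 need a comment explaining their ordering. `/setowner` runs as the image's default administrator account before `USER ContainerUser`, and the `/deny "user manager\containeruser":RX` then runs as ContainerUser, which only succeeds because that account now owns flag.exe. Since this deny ACE is the only thing keeping the entrypoint's account from reading or executing flag.exe, state that intent explicitly, and consider applying the deny before the `USER` switch, while still running as the administrator, so that ownership of flag.exe does not end up with the very account the deny targets.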
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
https://github.com/v8/v8/tree/50dd84ca317ae35c926ed34d001a72b62aea6662
2+
diff --git a/src/compiler/escape-analysis.cc b/src/compiler/escape-analysis.cc
3+
index b3f684ea61..ae2cbdabca 100644
4+
--- a/src/compiler/escape-analysis.cc
5+
+++ b/src/compiler/escape-analysis.cc
6+
@@ -726,29 +726,8 @@ void ReduceNode(const Operator* op, EscapeAnalysisTracker::Scope* current,
7+
break;
8+
}
9+
case IrOpcode::kCheckMaps: {
10+
- CheckMapsParameters params = CheckMapsParametersOf(op);
11+
- Node* checked = current->ValueInput(0);
12+
- const VirtualObject* vobject = current->GetVirtualObject(checked);
13+
- Variable map_field;
14+
- Node* map;
15+
- if (vobject && !vobject->HasEscaped() &&
16+
- vobject->FieldAt(HeapObject::kMapOffset).To(&map_field) &&
17+
- current->Get(map_field).To(&map)) {
18+
- if (map) {
19+
- Type const map_type = NodeProperties::GetType(map);
20+
- if (map_type.IsHeapConstant() &&
21+
- params.maps().contains(
22+
- map_type.AsHeapConstant()->Ref().AsMap().object())) {
23+
- current->MarkForDeletion();
24+
- break;
25+
- }
26+
- } else {
27+
- // If the variable has no value, we have not reached the fixed-point
28+
- // yet.
29+
- break;
30+
- }
31+
- }
32+
- current->SetEscaped(checked);
33+
+ //OmniTmizer - Improving performance
34+
+ current->MarkForDeletion();
35+
break;
36+
}
37+
case IrOpcode::kCompareMaps: {
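Review bot: the replacement body at lines 33 and 34 deletes every `CheckMaps` node unconditionally, whereas the removed code only marked the node for deletion when the checked value was an unescaped virtual object whose tracked map was a heap constant contained in `params.maps()`, and otherwise called `current->SetEscaped(checked)` so the check was kept. The comment `//OmniTmizer - Improving performance` should say plainly that this is the challenge's intentionally introduced bug, namely that optimized code no longer deoptimizes when an object's map differs from the one the compiler assumed, so that nobody reading the archive mistakes it for a genuine optimization. The base commit URL at line 1 is good; keep it, since the hunk's context lines only apply cleanly to that tree.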
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
console.log('OmniTmize me!');
