hxpCTF-2021


hxp CTF 2021

PWN

sandboxgrind

  1. 调试
  • 给容器更换国内源
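# Replace the image's apt sources with a nearby mirror (debug image only).
# COPY instead of ADD: this is a plain local file, so ADD's archive
# extraction / URL handling is not wanted here.
COPY sources.list /etc/apt/

# Create sources.list in the same directory as the Dockerfile:
# deb http://mirrors.aliyun.com/debian/ bullseye main non-free contrib
# deb-src http://mirrors.aliyun.com/debian/ bullseye main non-free contrib
# deb http://mirrors.aliyun.com/debian-security/ bullseye-security main
# deb-src http://mirrors.aliyun.com/debian-security/ bullseye-security main
# deb http://mirrors.aliyun.com/debian/ bullseye-updates main non-free contrib
# deb-src http://mirrors.aliyun.com/debian/ bullseye-updates main non-free contrib
# deb http://mirrors.aliyun.com/debian/ bullseye-backports main non-free contrib
# deb-src http://mirrors.aliyun.com/debian/ bullseye-backports main non-free contrib
# Using https here may run into certificate/authentication problems
# (likely because the base image ships without ca-certificates -- confirm).
# Over plain http, apt still verifies the signed Release metadata against the
# archive keyring in the image, so package integrity is checked; only
# confidentiality of what is downloaded is lost.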
  • 在 Dockerfile 中加入
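# Debug tooling for local analysis. `update` and `install` share one layer so
# a cached package index is never reused with a later-edited install line.
# Recommended packages are kept on purpose (same package set as installing
# gdb, gdbserver and procps in separate steps).
RUN apt-get -y update && \
    apt-get install -y gdb gdbserver procps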
  • 完整 Dockerfile
# Running locally:
# 1) echo 'hxp{FLAG}' > flag.txt
# 2) docker build -t sandboxgrind .
# 3) docker run -p 9001:1024 --privileged --rm --cap-add=SYS_ADMIN --security-opt apparmor=unconfined -it sandboxgrind
#  docker run -p 2001:2001 --privileged --rm --cap-add=SYS_ADMIN --security-opt apparmor=unconfined -it sandboxgrind /bin/sh
# The second command is a debug variant: it overrides CMD with /bin/sh and
# publishes port 2001 (presumably for gdbserver -- confirm).
# NOTE(review): --privileged already grants every capability and lifts the
# AppArmor/seccomp confinement, so --cap-add and apparmor=unconfined add
# nothing on top of it. The container is not isolated from the host in this
# mode; run it on a disposable VM.
# Move to a new, leaner container for the challenge
FROM debian:bullseye

# Copy the sandbox
# The tarball is unpacked in the default working directory (/), producing
# /sandboxgrind/. Ownership goes to root and `a-w,ug-rx` strips write for
# everyone plus read/execute for owner and group, so only the "other" r/x bits
# survive: non-root users can read and run the sandbox but never modify it.
COPY /sandboxgrind-build.tar.gz /
RUN tar -xzf /sandboxgrind-build.tar.gz && \
    rm /sandboxgrind-build.tar.gz && \
    chown -R root:root /sandboxgrind/ && \
    chmod -R a-w,ug-rx /sandboxgrind/

# Set up ynetd
# The ctf home directory is handed to root and made read/execute-only (555),
# so the ctf user cannot write into its own home. ynetd itself is mode 500:
# only root may execute it.
RUN useradd --create-home --shell /bin/bash ctf
COPY ynetd /sbin/
RUN chmod 555 /home/ctf/ && \
    chown -R root:root /home/ctf/ && \
    chmod 500 /sbin/ynetd

# Set up flag
# flag.txt is mode 040 with group 1337: readable by that group only.
# /readflag is mode 2555 (setgid, group 1337), so executing it is the only
# way for an unprivileged process to obtain gid 1337 and read the flag.
COPY flag.txt docker-stuff/readflag /
RUN chown root:1337 /flag.txt /readflag && \
    chmod 040 /flag.txt && \
    chmod 2555 /readflag

# Set up submission environment
# Mode 005: read/execute through the "other" bits only.
COPY submission.sh /home/ctf/
RUN chmod 005 /home/ctf/submission.sh

# We're paranoid
# /tmp becomes 1703: sticky bit, full access for the owner, and write+search
# without read for others, i.e. files can be created and opened by name but
# the directory cannot be listed.
RUN chmod 1703 /tmp
# Delete every setuid/setgid file in the image except /readflag.
RUN find / -ignore_readdir_race -type f \( -perm -4000 -o -perm -2000 \) -not -wholename /readflag -delete
USER ctf
# Sanity check: the tools used by the audit below must exist and run.
RUN (find --version && id --version && sed --version && grep --version) > /dev/null
# Build-time audit, executed as ctf: list everything that is writable by, or
# owned by, the ctf user or any of its groups, then drop paths under the
# allowlisted prefixes. If grep still finds a line, the leading `!` turns that
# into a failing RUN and the build aborts.
RUN ! find / -writable -or -user $(id -un) -or -group $(id -Gn|sed -e 's/ / -or -group /g') 2> /dev/null | grep -Ev -m 1 '^(/dev/|/run/|/proc/|/sys/|/tmp|/var/tmp|/var/lock|/var/mail|/var/spool/mail)'

# Run
# The container starts as root (needed to execute the mode-500 ynetd).
# NOTE(review): whether ynetd drops privileges before running submission.sh
# depends on ynetd's defaults and flags, which are not documented here --
# confirm against the ynetd source.
USER root
WORKDIR /home/ctf
EXPOSE 1024
# Shell-form CMD on purpose: /bin/sh backgrounds ynetd with `&` and then stays
# in the foreground loop, which every 20 seconds deletes regular files under
# /tmp whose status last changed more than a minute ago.
CMD ynetd -np y -lm -1 -lt 10 -t 15 -sh n -lpid 16 /home/ctf/submission.sh & \
    while true; do sleep 20s; find /tmp/ -type f -cmin +1 -delete; done
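# Debug
# Local analysis only. These layers run after the setuid sweep and the
# writable-path audit earlier in this file, so whatever apt installs here is
# not covered by those checks; do not reuse this image as the challenge image.
# COPY instead of ADD: sources.list is a plain local file.
COPY sources.list /etc/apt/
# `update` and `install` share one layer so a cached package index is never
# paired with a later-edited install line. Recommended packages are kept on
# purpose (same package set as three separate install steps).
RUN apt-get -y update && \
    apt-get install -y gdb gdbserver procps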
  1. 123

文章作者: 李立基
版权声明: 本博客所有文章除特别声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 李立基 !