Tools and scripts for CTF exploit/pwnable challenge development.
- Each challenge goes in its own directory in challenges/${challenge}
- Each challenge must be packaged as a docker container and must have a Dockerfile
- Challenges can share binaries or any other file for distribution after packaging through /shared (if it exists during runtime). Check start.sh in the ppc32-simple-fmt challenge.
- Challenge metadata must go in challenges.json
Challenge developers must ensure that only non-root privilege is obtained after exploiting the target. Otherwise the server/socat process will be killed by the attacker.
Currently we are using the following socat command line to fork and execute the challenge as a different user:
$ socat -dd TCP4-LISTEN:9000,fork,reuseaddr EXEC:/pwnable,pty,setuid=bob,echo=0,raw,iexten=0
The flag for each challenge will be available from a process environment variable. The name of the environment variable can be any of the following:
- FLAG
- PWNFLAG
- PFLAG
- FLAG-FOR-PWNS
Some challenges may still require the flag to be in a file.
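As an added example (not code from this repository), a small C helper a challenge binary could use to locate its flag under the rules above: try each listed environment variable in order, then fall back to a flag file for challenges that need one. The fallback path /flag and the function name get_flag are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Environment variable names the platform may use, in the order they are tried. */
static const char *const FLAG_VARS[] = { "FLAG", "PWNFLAG", "PFLAG", "FLAG-FOR-PWNS", NULL };

/* Copy the flag into buf (NUL-terminated, truncated to buflen-1 chars).
 * Sources, in order: the environment variables above, then the first line of
 * the file at fallback_path (pass NULL for challenges that never use a file).
 * Returns 1 if a non-empty flag was found, 0 otherwise; buf is "" on failure. */
int get_flag(char *buf, size_t buflen, const char *fallback_path) {
    if (buf == NULL || buflen == 0) return 0;
    buf[0] = '\0';
    for (int i = 0; FLAG_VARS[i] != NULL; i++) {
        const char *v = getenv(FLAG_VARS[i]);
        if (v != NULL && v[0] != '\0') {
            snprintf(buf, buflen, "%s", v);
            return 1;
        }
    }
    if (fallback_path == NULL) return 0;
    FILE *f = fopen(fallback_path, "r");
    if (f == NULL) return 0;                 /* no file: nothing to serve */
    char *line = fgets(buf, (int)buflen, f);
    fclose(f);
    if (line == NULL) { buf[0] = '\0'; return 0; }
    buf[strcspn(buf, "\r\n")] = '\0';        /* drop the trailing newline flag files usually carry */
    return buf[0] != '\0';
}

/* Stand-alone check: reports whether a flag was found without printing it. */
int main(void) {
    char flag[256];
    if (!get_flag(flag, sizeof flag, "/flag")) {   /* "/flag" is an assumed path */
        fputs("no flag found in environment or /flag\n", stderr);
        return 1;
    }
    printf("flag loaded (%zu bytes)\n", strlen(flag));
    return 0;
}
```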
Create the virtual machine with Vagrant
$ vagrant up
Log in with SSH and create SSH keys
$ vagrant ssh
$ ssh-keygen
The generated public key needs to be added to Bitbucket for repository access from inside the development environment. Do not forget to remove the key from Bitbucket once the development environment is no longer required.