pwn出题

pwn

编写程序代码

写好程序代码之后C语言(或者其他)，编译成二进制可执行程序

如果只是编译的话

gcc your_file_name.c -o target_name

去除canary

gcc -fno-stack-protector your_file_name.c -o target_name 

去除pie

gcc -no-pie your_file_name.c -o target_name 

去除NX

gcc -z execstack  your_file_name.c -o target_name 

ctf_xinted部署

本地：

1. 在bin文件夹中放入要运行的二进制程序，flag内容自定

2. ctf_xinetd

   将./your_file替换为你的文件名，这里建议将port（容器内的端口）改为80，虽然不知道为什么，但貌似这样更快一点

service ctf
{
    disable = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    type        = UNLISTED
    port        = 9999 #容器内的端口
    bind        = 0.0.0.0 #本地IP
    server      = /usr/sbin/chroot
    # replace helloworld to your program
    server_args = --userspec=1000:1000 /home/ctf ./your_file #!!!
    banner_fail = /etc/banner_fail
    # safety options
    per_source	= 10 # the maximum instances of this service per source IP address
    rlimit_cpu	= 20 # the maximum number of CPU seconds that the service may use
    #rlimit_as  = 1024M # the Address Space resource limit for the service
    #access_times = 2:00-9:00 12:00-24:00
}

1. Dockerfile
   如果要拉取ubuntu18.0以下的版本的话在注释的地方需要改一下，按原代码写

   要是上面改了容器端口的话，记得把下面的暴露端口也改掉 “EXPOSE 9999 #容器对外暴露的端口”

   FROM ubuntu:24.04   #拉取镜像版本
   
   RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && \
       apt-get update && apt-get -y dist-upgrade && \
       apt-get install -y lib32z1 xinetd
   
   RUN useradd -m ctf
   
   WORKDIR /home/ctf
   
   RUN cp -R /usr/lib* /home/ctf  #这个地方和原文件有点不同，需要修改一下，原文件的写法只适合拉去ubuntu18.0以下的版本
   
   RUN mkdir /home/ctf/dev && \
       mknod /home/ctf/dev/null c 1 3 && \
       mknod /home/ctf/dev/zero c 1 5 && \
       mknod /home/ctf/dev/random c 1 8 && \
       mknod /home/ctf/dev/urandom c 1 9 && \
       chmod 666 /home/ctf/dev/*
   
   RUN mkdir /home/ctf/bin && \
       cp /bin/sh /home/ctf/bin && \
       cp /bin/ls /home/ctf/bin && \
       cp /bin/cat /home/ctf/bin
   
   COPY ./ctf.xinetd /etc/xinetd.d/ctf
   COPY ./start.sh /start.sh
   RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail
   
   RUN chmod +x /start.sh
   
   COPY ./bin/ /home/ctf/
   RUN chown -R root:ctf /home/ctf && \
       chmod -R 750 /home/ctf && \
       chmod 740 /home/ctf/flag
   
   CMD ["/start.sh"]
   
   EXPOSE 9999  #容器对外暴露的端口可能会用到的命令

2. 可能用到的命令：

   docker build  -t "pwn" .#用当前目录下的Dockerfile文件创建名为pwn的镜像
   docker run -d -p "0.0.0.0:1234:9999" -h "pwn" --name="pwn" pwn#将本地的1234端口映射到容器中的9999端口，并给容器内的主机起名为pwn，同时将这个容器也命名为pwn，方便管理，之后通过nc 0.0.0.0 1234就可以成功了
   docker ps #可以查看目前有哪些容器
   docker stop 容器名/ID #停止容器
   docker rm 容器名/ID #删除容器
   docker rmi 镜像名#删除镜像
   docker images#查看有哪些镜像
   docker exec -it  容器名/ID /bin/bash #进入容器

3. start.sh

   #!/bin/sh
   # Add your startup script
   
   # DO NOT DELETE
   /etc/init.d/xinetd start;
   sleep infinity;

GZ平台部署(动态flag)

1. 在部署动态flag的时候我把start.sh改为了flag.sh,对应的Dockerfile里的内容也要修改

2. ctf_xinted

   service ctf
   {
       disable = no
       socket_type = stream
       protocol    = tcp
       wait        = no
       user        = root
       type        = UNLISTED
       port        = 80
       bind        = 0.0.0.0
       server      = /usr/sbin/chroot
       # replace helloworld to your program
       server_args = --userspec=1001:1001 /home/ctf ./your_file
       banner_fail = /etc/banner_fail
       # safety options
       per_source	= 10 # the maximum instances of this service per source IP address
       rlimit_cpu	= 20 # the maximum number of CPU seconds that the service may use
       #rlimit_as  = 1024M # the Address Space resource limit for the service
       #access_times = 2:00-9:00 12:00-24:00
   }

3. Dockerfile

   FROM ubuntu:24.04
   
   RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && \
       apt-get update && apt-get -y dist-upgrade && \
       apt-get install -y lib32z1 xinetd
   
   RUN useradd -m ctf
   
   WORKDIR /home/ctf
   
   RUN cp -R /usr/lib* /home/ctf
   
   RUN mkdir /home/ctf/dev && \
       mknod /home/ctf/dev/null c 1 3 && \
       mknod /home/ctf/dev/zero c 1 5 && \
       mknod /home/ctf/dev/random c 1 8 && \
       mknod /home/ctf/dev/urandom c 1 9 && \
       chmod 666 /home/ctf/dev/*
   
   RUN mkdir /home/ctf/bin && \
       cp /bin/sh /home/ctf/bin && \
       cp /bin/ls /home/ctf/bin && \
       cp /bin/cat /home/ctf/bin
   
   COPY ./ctf.xinetd /etc/xinetd.d/ctf
   COPY ./flag.sh /flag.sh
   RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail
   
   RUN chmod +x /flag.sh
   
   COPY ./bin/ /home/ctf/
   RUN chown -R root:ctf /home/ctf && \
       chmod -R 750 /home/ctf && \
       chmod 740 /home/ctf/flag
   
   CMD ["/flag.sh"]
   
   EXPOSE 80

4. flag.sh

   #!/bin/sh
   # Add your startup script
   echo $GZCTF_FLAG > /home/ctf/flag
   # 清除环境变量
   unset GZCTF_FLAG
   
   # DO NOT DELETE
   /etc/init.d/xinetd start;
   sleep infinity;

5. 之后

   docker build  -t "pwn" .#创建镜像

6. 将镜像push到github仓库里

   1. 现在github里弄一个Personal access tokens``Tokens(classic)，方便写入

   2. bash命令

      echo your_token | docker login ghcr.io --username your_id --password-stdin #your_id 为你的github的用户名
      docker tag name_of_package ghcr.io/your_id/app:latest # name_of_package为本地已经存在的镜像 app为你将要上传到仓库的名称 latest为标签
      docker push ghcr.io/your_id/app:latest #成功push

      完成之后便可以在github里看到push进来的镜像了

      

7. 在GZ平台上出题的时候将自己github里的镜像pull到平台里即可，记得按照自己镜像里的端口设置端口号

   

参考文章：

链接1

链接2

链接3

出题完成啦！！！