diff --git a/README.md b/README.md index 4e4df31..cd0179b 100644 --- a/README.md +++ b/README.md @@ -40,3 +40,5 @@ Chall: --> 30802 9. kesek-kesek --> 30902 +10. tumpuk2 + --> 31002 diff --git a/tumpuk2/Dockerfile b/tumpuk2/Dockerfile new file mode 100644 index 0000000..07c69ba --- /dev/null +++ b/tumpuk2/Dockerfile @@ -0,0 +1,38 @@ +# Use ubuntu 16.04 +FROM ubuntu:16.04 + +#RUN apt-get update && apt-get -y dist-upgrade --fix-missing --fix-broken +#RUN apt-get update +#RUN apt-get update && apt-get install -y apt-transport-https +#RUN echo 'deb http://private-repo-1.hortonworks.com/HDP/ubuntu14/2.x/updates/2.4.2.0 HDP main' >> /etc/apt/sources.list.d/HDP.list +#RUN echo 'deb http://private-repo-1.hortonworks.com/HDP-UTILS-1.1.0.20/repos/ubuntu14 HDP-UTILS main' >> /etc/apt/sources.list.d/HDP.list +#RUN echo 'deb [arch=amd64] https://apt-mo.trafficmanager.net/repos/azurecore/ trusty main' >> /etc/apt/sources.list.d/azure-public-trusty.list + +# install socat editor ssh +#RUN apt-get install curl netcat-openbsd vim nano openssh-server socat lib32ncurses5 python python-pip python-dev -y +#RUN apt-get install socat lib32ncurses5 -y +RUN apt-get update && apt-get install curl netcat-openbsd vim nano openssh-server socat lib32ncurses5 python python-pip python-dev -y + +RUN adduser --disabled-password --gecos "" ksl +RUN echo "ksl:sebuahrahasiamas" | chpasswd + +ADD chall/. /chall +WORKDIR /chall + +RUN echo 'KSL{R0P_G4dg3t_1s_P0w3rfull}' > /chall/flag.txt # ubah isi flagnya + +# Secure ENV + +RUN echo 'alias kill="echo no kill please!"' >> ~/.bashrc +RUN chmod 700 /tmp /var/tmp /usr/bin/* /bin/* /dev/shm +RUN chmod 755 /usr/bin/env /bin/dash /bin/bash /bin/sh /bin/nc /bin/cat /usr/bin/curl /usr/bin/groups /usr/bin/id /bin/ls /usr/bin/python + + +RUN chown root:ksl /chall/tumpuk2 # ubah nama file +RUN chmod 775 /chall/tumpuk2 # ubah nama file + +# Run Service + +RUN echo '#!/bin/bash'"\n(socat TCP-LISTEN:7000,reuseaddr,fork EXEC:"/chall/tumpuk2,su=nobody")" > /var/tmp/.start.sh && chmod +x /var/tmp/.start.sh + +CMD ["/var/tmp/.start.sh"] diff --git a/tumpuk2/chall/tumpuk2 b/tumpuk2/chall/tumpuk2 new file mode 100755 index 0000000..5ed2560 Binary files /dev/null and b/tumpuk2/chall/tumpuk2 differ diff --git a/tumpuk2/soal.c b/tumpuk2/soal.c new file mode 100644 index 0000000..e90607e --- /dev/null +++ b/tumpuk2/soal.c @@ -0,0 +1,31 @@ +//gcc -m32 -mpreferred-stack-boundary=2 -fno-stack-protector -no-pie -fno-builtin -o tumpuk2 soal.c +#include +#include +#include + +char *pager ="/"; +char *bin = "bin"; +char *sh = "sh"; +char binsh[8]; + +void flag(int y,int w){ + if( y == 0xfacebabe && w == 0xbeefdead) + system(binsh); +} + +void ramuan(int x, char *dest, char *src){ + if( x == 0xdeadbeef ) + strcpy(dest,src); +} + +void vuln(){ + char buf[64]; + printf("Masukkan flag : "); + fflush(stdout); + gets(buf); + printf("flag adalah %s\n", buf); +} + +int main(){ + vuln(); +}