From 81ddf4f172d3b099be5c8af0035a2c1421500544 Mon Sep 17 00:00:00 2001
From: letmein <nyomanpradipta120@gmail.com>
Date: Sun, 11 Nov 2018 21:37:06 +0800
Subject: [PATCH] tumpuk2 add

---
 README.md             |   2 ++
 tumpuk2/Dockerfile    |  38 ++++++++++++++++++++++++++++++++++++++
 tumpuk2/chall/tumpuk2 | Bin 0 -> 7516 bytes
 tumpuk2/soal.c        |  31 +++++++++++++++++++++++++++++++
 4 files changed, 71 insertions(+)
 create mode 100644 tumpuk2/Dockerfile
 create mode 100755 tumpuk2/chall/tumpuk2
 create mode 100644 tumpuk2/soal.c

diff --git a/README.md b/README.md
index 4e4df31..cd0179b 100644
--- a/README.md
+++ b/README.md
@@ -40,3 +40,5 @@ Chall:
    --> 30802
 9. kesek-kesek
    --> 30902
+10. tumpuk2
+   --> 31002
diff --git a/tumpuk2/Dockerfile b/tumpuk2/Dockerfile
new file mode 100644
index 0000000..07c69ba
--- /dev/null
+++ b/tumpuk2/Dockerfile
@@ -0,0 +1,38 @@
+# Use ubuntu 16.04
+FROM ubuntu:16.04
+
+#RUN apt-get update && apt-get -y dist-upgrade --fix-missing --fix-broken
+#RUN apt-get update
+#RUN apt-get update && apt-get install -y apt-transport-https
+#RUN echo 'deb http://private-repo-1.hortonworks.com/HDP/ubuntu14/2.x/updates/2.4.2.0 HDP main' >> /etc/apt/sources.list.d/HDP.list
+#RUN echo 'deb http://private-repo-1.hortonworks.com/HDP-UTILS-1.1.0.20/repos/ubuntu14 HDP-UTILS main' >> /etc/apt/sources.list.d/HDP.list
+#RUN echo 'deb [arch=amd64] https://apt-mo.trafficmanager.net/repos/azurecore/ trusty main' >> /etc/apt/sources.list.d/azure-public-trusty.list
+
+# install socat editor ssh
+#RUN apt-get install curl netcat-openbsd vim nano openssh-server socat lib32ncurses5 python python-pip python-dev -y
+#RUN apt-get install socat lib32ncurses5 -y
+RUN apt-get update && apt-get install curl netcat-openbsd vim nano openssh-server socat lib32ncurses5 python python-pip python-dev -y
+
+RUN adduser --disabled-password --gecos "" ksl
+RUN echo "ksl:sebuahrahasiamas" | chpasswd
+
+ADD chall/. /chall
+WORKDIR /chall
+
+RUN echo 'KSL{R0P_G4dg3t_1s_P0w3rfull}'  > /chall/flag.txt # ubah isi flagnya
+
+# Secure ENV
+
+RUN echo 'alias kill="echo no kill please!"' >> ~/.bashrc
+RUN chmod 700 /tmp /var/tmp /usr/bin/* /bin/* /dev/shm
+RUN chmod 755 /usr/bin/env /bin/dash /bin/bash /bin/sh /bin/nc /bin/cat /usr/bin/curl /usr/bin/groups /usr/bin/id /bin/ls /usr/bin/python
+
+
+RUN chown root:ksl /chall/tumpuk2 # ubah nama file
+RUN chmod 775 /chall/tumpuk2 # ubah nama file
+
+# Run Service
+
+RUN echo '#!/bin/bash'"\n(socat TCP-LISTEN:7000,reuseaddr,fork EXEC:"/chall/tumpuk2,su=nobody")" > /var/tmp/.start.sh && chmod +x /var/tmp/.start.sh
+
+CMD ["/var/tmp/.start.sh"]
diff --git a/tumpuk2/chall/tumpuk2 b/tumpuk2/chall/tumpuk2
new file mode 100755
index 0000000000000000000000000000000000000000..5ed25604a143c5797b0a3974fd1aa2df495cfc64
GIT binary patch
literal 7516
zcmeHMZE#f889tlc$Xb_mgDKywx0+~hU=1`%Dt2T;!bh7x3<26vyxe3r*&X(4cJETc
z)RwqK!H|}59NSKvkxn~0(?V-o$FbB>bb-{?v1mJX#vfEia2AVWEEX~r*gnrW_k^23
zXFC1W9~^l1J<oZc^PY3xd(Q5APQKaJzTD&S2wkd#S4i|NpT7x>`(`RjlQ6`!qCtFC
zd`4V@Cfb^|g99<pf#O3O#S7^M?jH2{DK`L9XhX9UC?U|7vdJ$5rJ8LaW%pk%g#Rg@
zpVEj<cSATX?NwB;hhU?Wfhn}>ImE$_V{A$*+9}%BdD4zP3G$N<`}~yqVWVjKy|4pb
zR_GtYi!RvR^BY4Oh5h+_w<i-lw<n_ul8JO-YdD_?FH$!4rG3Tfb@)_q;<K=@Z!Lte
zqy2YB#dP0{`V0T~(|64FS<U6YW~XJzy%s_rGFFB#P?c@_zx?hY*4<@+3rs`(#z}bg
zBz(&xykru7z=aLeTU?m_xh8a}LFGC~67l7;)i831OE2Sbr!ZHoG4pmbkv0qYSXA`K
z?7ZmfOBV8Rk+*Zb*#VKwCDL{uP&8ApMSdV}$5O&H=>k2ioNcD8L|Uw9U)8eAToi7E
ztv{7XJ2sQ^s2cyL>WrI5{!{OfoKPY$mDX+olrgNQYw)7aQ)5jA_WJx&&@n`f7f?%$
zmo$?a4>p$?FT<doBE;I_X@B_~91WJ9nJdIlaja6Q>^Njsmmfl7@v#5C5{DTtl{<Xs
zS*iEqlZ};nju>b4)Z6G<sprUX+D;vlm@|lTDV;hbF=rCzE<N?E#GFywAl@r6XBKZD
z-Xk%eux}5rEDJw)VAngv6QiBoUFDn6GFTd&BgAmA^Sw%?bGSHq66)UdBZpq!;q!Nv
ze+Ca956!JB_3csr_M927ss^`_EiW`<_%HIqu6uzaA{KMj?K)XJT^na><yi4>=#|p0
zv%@dmO7of0@N;q<I#~8!K;}zhRl8n(>HQl$$6g<^jRVrx8}<z8E7Yl+y&;_q+qclq
z^Q3H-V~c{~`O8T>!O?2^^Sn|T-g4P^aJTXAkK%J}`H$#c{SG$C;Di2y2VVQ6FnjR9
z!2aVO9xT+1ynHu2bnPmYcVDbjiidrBhBlsmr6jvO&Tc<Z-99|H|9Bx(;r{^0Yb4o!
ziCjFrwEPD&4wkl|!*FqcQ7?~OkUocs=P}tK(OEvH8iw0m>@5H5Qhm7isO0}%HeGUC
z=H{!u6&}mqg$Eh-jin(UU)#D3>(`by$RVeIP&^$NO4c<D|0)1t`5rhLF8WcOcl4!;
zRXfhw^$RO1j>XfybrrjAzLdv*Lr!tTgK&T0V&UE5;lO<lm>X3*ojq^{z6MJ_n&m8d
zey@43&u$kz*tOW^9ag@ud9#%^`jS?^ahD;awxU+jiW~L$Pmw>zyW}g-te-$Ec0zZ<
z?LO!qL)*~X@F<6%e*t|0`Z%;7`}Gb?a6a^E=yvFC=uObiLGOdE1((IMtxI^m?)S_I
z_<TFj&W(kAD;nUR-?uCVq!H4MIb@+l(7!ww_|o;)*}kpfp4m%oTU2)w`|&$uFF4$+
zECwVF`6YZUh8B^ae@9iz)appln>$j%h>EitrX%3U?`sz)?&3TP&THUoaQkU3daKqb
z66gFEhzHM)m|q%e-4Qts=l3z>6ZqiwG0RE_V|5yB8`&Vojsydbcq75k!@fwcwphJ7
zXe5Glkzhk>aDHpBu_I`#2-ZeQ!BFIAFc29D`Xfhza44T2z68eCaihzt<!S`3M&N1$
zu14T$1pc2R5JG<YHqN~K38MrcokgD?hXc`#GYo%Ic@{--EYE7lokRebzq|ZB{pZC>
zW*^R)JeMUO!r1}(Rbb{WDG1L({EhrHgoXK#Kn}^@%0>wD5vFZ3AO^-|Jp|2j75nl0
z%)A0WubEN!M;epiJV&A50!H<JDm*{yj!$5`ry<WnjzZpqya&<tEaH%ZY=Nv;w(KsW
zVO>ulZ5NEi;m?N~7c5#_kZ|EQ7B+_)o93xz-FcGcy#Sk>+Xi`7S6F2aJIC!ZQi8En
zc9p#_whGIWu#CCFjJyy!CSHL<846=Y?Uhkfu~nESY87*Z`Nq_{SD0@O=LjbbUb!;h
zZya-lpkVD#c}0*)t{G~tz(oa095JKz%D1WR9u(%A#<_Fc&Nr^s8nsuxd9~IQ=1Rf*
zo%iN-RuoTl%06A%xwaJMiV~u39P_9s1W!QJULmtZR%P*u*>e4B>=PeVxED4#&sT-#
z;}h<6;m-kc@30T;%ys1n3)%z!%b~efpnz-Te&Bv1CVv2$dyCkE=lvclPT}}m=eiI-
z1#tgP%~$bq+xG+L@wjsi0_%8r5U&wnJs$0E0rMUR3Z+JTK;^{8gB|I`1Ug~o%AAJz
z-aw4!<w~4Z6%^kF*6}sOOfk<jVa{&JB-}9xZv@_kcrdr8{~lodenRk<1#ZH8I9?5K
z0=UtIrvmdk3TE`bUZj9|K4n7<;-3fZfd2*39u(Vvb>aMW1MB&7yzfu4|I~#I@DBht
zIPs~enkhzr-S<3iy7=^e26z<X^Nhjg`!#f{(?5jyc@fy9h^LG%;`tc+JL`%3IWTbl
zsOJxfn@DsDcTW@WrFhK}OM!V`!IjPaZNTpXvkTwXeZccw@v~h0`8+A$>ELr6v;PIm
zhrb1~KflR)b9UY?^!0^%MKqR+^(SySl{4*>*_+IyV|iRfMKfl9GSg!v&8VHp<xQ)w
zRrF?3*<{R)MZ=31H7~p}$?Qv{6Q-5RSp#M)ZRZ9=U(QO!%xEE%8bB8pGQqSbQ1clp
zi7A=p@~%ino7uLy)ii-7@S?(O{p#vS$Esx$E%HhYO}KkB+g3UrR<?Etb4B}_mPos~
zX8H29ZQW*fq@}%$UgbqxZ@wUB47|1Z&M>a=%xte|#|!Dr;hwF|9p2KVmoDkl9iO{}
zSATB2rI1VuGZwXMOI{V=x&XHY2tvWay@9+Nbkh-PFx9P}b4xhUJmFFh?0m+ITj^*r
zHu(<nvb)8Je#W1d;S^>xY35?dOs{3fIJlkYHM0r$?8}<*uQ|7t6CL#A^UgHo#pM+u
zW+7r$e=LV+c6Tgu-XE_;gb3#cQnu9tZReDZ>l&^}W4Wvdr!#ge9BEm#z(xm!`qPDQ
zPa%P;=tNY6iQ*Q58IBI5;ZJEhrz~4yxqKp%o&ZeP@Ra1MN;YYWuna&L)o_0X(2i}z
zC)X`F8TsDAvADBR<59TKNOe_9R`t+z3}B@ay%;=W(=(>V_a8>gL>T)fg}uPt_um!f
zX#5JnHdcRw0AT*43vDdC?__pBp8Q(@3<m1Ds7ynMg=o+`<|Vu*s?#KB&1*&dEb=k>
zW4^+BCIfYqp(q}?t0BxP$YUP!DtLQQXXb*c^v9fUJ%rg0dCV!3sH9NWg<KZi%QGJ&
zk9p5qs4z>=<FcKy8N&RLb>>5(s2Hfb#|0GIAk2!$V-6a^Bsd@KkI%p_!y<&d76@}z
z13c!k<T2~eJl=0{t{jKoqn+U0jJhu5u{;9NJmy>5!OKdE`rsVMeGH;`%)>^(lV8q?
zChNpMaPj2t2|9Q2p`1d0EI)*3fBYTo#za+?CC%gS_Zf#r7yLbngSSXg<fnd)pSyVS
zZ%p9be+AxeT|DN0W8lR(5vOQ>Bf!kL@R;gvVn`{qja1ete}*vIB#-$|;6L#G20Mn5
zJmy9GTUyy^gOa`&zb7D^4*fB|90SiCXFV?aYM#uS5ZF4j>7scbp+WPQZ`6Tzr8u7h
zkK=G${;oHJ#~f4_`eQi{p}$4~6!LCURryJq7T0SRQSgqz3D0ixA@qkPxt2MmE=@SB
X<y;-<i-kFdoA)#pd$l&grmO!3-q2~v

literal 0
HcmV?d00001

diff --git a/tumpuk2/soal.c b/tumpuk2/soal.c
new file mode 100644
index 0000000..e90607e
--- /dev/null
+++ b/tumpuk2/soal.c
@@ -0,0 +1,31 @@
+//gcc -m32 -mpreferred-stack-boundary=2 -fno-stack-protector -no-pie -fno-builtin -o tumpuk2 soal.c
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+char *pager ="/";
+char *bin = "bin";
+char *sh  = "sh";
+char binsh[8];
+ 
+void flag(int y,int w){
+    if( y == 0xfacebabe && w == 0xbeefdead)
+        system(binsh);
+}
+ 
+void ramuan(int x, char *dest, char *src){
+    if( x == 0xdeadbeef )
+        strcpy(dest,src);
+}
+ 
+void vuln(){
+    char buf[64];
+    printf("Masukkan flag : ");
+    fflush(stdout);
+    gets(buf);
+    printf("flag adalah %s\n", buf);
+}
+ 
+int main(){
+    vuln();
+}