Information*/알면도움됨

ctf 대회 서버 docker 세팅

ch4rli3kop 2018. 12. 29. 01:19
반응형

나중에 제대로 정리하갯음.

대충 디렉토리 안에 올릴 파일들 다 만들어줌.

각 각마다 xinetd 파일 하나씩, 디렉토리 이동에 필요한 스크립트 하나, 바이너리 파일과 플래그를 만들어줌.
그리고 Dockerfile도 하나씩 만듬.

root@kuality:/home/master/home/misc1# cat misc1.sh
#! /bin/bash
path="/home/misc1/";
cd $path;
/home/misc1/misc1

root@kuality:/home/master/home/misc1# cat xinetd
service misc1
{
    disable        = no
    type        = UNLISTED
    wait        = no
    server        = /home/misc1/misc1
    socket_type    = stream
    protocol    = tcp
    user        = misc1
    port        = 12345
    flags        = REUSE
}



$ docker pull ubuntu:latest 
$ docker run -it --name pwn ubuntu /bin/bash
$ docker ps -a
사용할 이미지 세팅
저장소 바꿔주고
xinetd, net-tools, vim 설치


도중에 exit로 나가서 컨테이너를 껏다면 다음 명령어로 다시 켤 수 있음. 컨테이너 안끄고 나가기는 ctrl+p & ctrl + q
$ docker start pwn
$ docker attach pwn


commit
세팅된 컨테이너를 커밋하여 이미지로 만들기
root@kuality:/home/master/home/misc1# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
e90cea516d9f        ubuntu              "/bin/bash"         29 minutes ago      Up 2 minutes                            pwn
root@kuality:/home/master/home/misc1# docker stop pwn
pwn
root@kuality:/home/master/home/misc1# docker commit pwn ubuntu:pwn
sha256:d44406607f756b2adec065ef4613c29f2f34f36827051270a09373362a4e9bcd
root@kuality:/home/master/home/misc1# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              pwn                 d44406607f75        7 seconds ago       213MB
ubuntu              latest              93fd78260bd1        12 days ago         86.2MB



원하는 환경 대충 만들어주고 컨터에너를 이미지로 만듬담에, 그 이미지로 이제 다른 이미지들을 만들어주는 거임. 나중에 사고났을 경우를 대비해서 각 각의 문제마다 이미지로 만들기로 함.

root@kuality:/home/master/home# cat Dockerfile
FROM ubuntu:pwn_env
RUN apt update
RUN useradd -mU misc1
WORKDIR /home/misc1
COPY ./servicefile_xinetd /etc/xinetd.d/servicefile_xinetd
RUN chown -R root:misc1 /home/misc1
CMD ["/usr/sbin/xinetd","-dontfork"]
root@kuality:/home/master/home# cat servicefile_xinetd
service !name
{
    disable        = no
    type        = UNLISTED
    wait        = no
    server        =/home/misc1/misc1
    socket_type    = stream
    protocol    = tcp
    user        = misc1
    port        = 12345
    flags        = REUSE
}
일단 저 파일들을 모두 만든 뒤에 각자 이미지 생성.

root@kuality:/home/master/home# docker build --tag misc:1 .           # 이미지 빌드
...
...
root@kuality:/home/master/home# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
misc                1                   da47d4baf4e5        5 seconds ago       214MB
ubuntu              pwn                 d44406607f75        3 hours ago         213MB
ubuntu              latest              93fd78260bd1        12 days ago         86.2MB


이제 파일을 옮겨주고 포트연결해주고, 디렉토리?도 연결해서 컨테이너 생성할거임

root@kuality:/home/master/home# docker run -it -p 12345:12345 -v /home/master/home/misc1:/home/misc1 --name misc1 misc:1 /bin/bash



혹시나 이런 에러가 발생한다면
root@kuality:/home/master/home# docker run -it --name misc1 misc:1 -p 12345:12345 -v /home/master/home/misc1:/home/misc1 /bin/bash
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: \"-p\": executable file not found in $PATH": unknown.

명령어 인자의 순서를 바꿔보도록 해라.


이제 /etc/xinetd.d/servicefile_xinetd 파일 내용을 수정해주고, 파일이름도 적당하게 바꿔준다.
다음으로 /etc/init.d/xinetd restart로 다시 실행해줌.
그리고 이제 /etc/services 파일에 포트내용을 추가해줌.

실행파일 실행권한 주의하기!, 폴더에 그룹권한 조절!
#! /bin/bash
path="/home/misc1";
cd $path;
/home/misc1/misc1


root@022c0e2d72c6:/home/misc1# chown root:misc1 *
root@022c0e2d72c6:/home/misc1# chmod o-rx *


root@022c0e2d72c6:/home/misc1# ls -al         # 최종적으로 이렇게 되게 함!
total 32
drwxr-x--- 2 root misc1  4096 Dec  2 15:49 .
drwxr-xr-x 1 root root   4096 Dec  2 14:40 ..
-rw-r----- 1 root misc1    36 Dec  2 15:14 flag.txt
-rwxr-x--- 1 root misc1 13632 Dec  2 15:12 misc1
-rw-r-x--- 1 root misc1    61 Dec  2 15:49 misc1.sh


문제 파일 권한/setuid 확인
key 파일 권한 확인
주요 파일 chattr 걸기
문제 파일, 키 파일, 해당 디렉토리, .bash_history 등
chattr을 안 걸어 놓으면 권한획득 후 키 파일이나 문제파일을 고의로 삭제해 버릴 수 있음
chattr 대신 owner user를 root로 바꿔도 되겠죠
chattr 거시려면 chattr +ai ./* ; chattr +ai . 해주시면 됩니다
/tmp, /var/tmp/, /dev/shm 권한 확인 (chmod o-r /tmp 등)
read 권한이 열려있으면 다른 사용자들의 exploit이 노출됨
일반 유저가 dmesg 명령을 통해 segfault 정보를 볼 수 있음
chmod o-r /var/log/dmesg
문제 바이너리 strip 여부 체크
- 공개하는 파일이 의도했던대로 공개됐는지
- 플래그가 문제에 있는 것과 일치하는지
- 본인 익스플로잇 제대로 돌아가는지



두번째 문제 추가
root@kuality:/home/master/home# cat Dockerfile
FROM ubuntu:pwn
RUN apt update
RUN useradd -mU misc2
WORKDIR /home/misc2
COPY ./servicefile_xinetd /etc/xinetd.d/misc2
RUN chmod og-rwx /var/log
RUN chmod og-rwx /tmp
RUN chmod og-rwx /var/tmp
RUN chmod og-rwx /dev/shm
RUN chown -R root:misc2 /home/misc2
CMD ["/usr/sbin/xinetd","-dontfork"]

root@kuality:/home/master/home# docker build --tag misc:2 .
root@kuality:/home/master/home# docker run -it -p 12346:12346 -v /home/master/home/misc2:/home/misc2 --name misc2 misc:2 /bin/bash



권한 설정 잘해주고,
xinetd 재시작해주면 잘 됨.


pwn1
$ docker build --tag pwn:1 .


그대로 쭉쭉 함
root@kuality:/home/master/home# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
pwn                 5                   132be44d99af        14 seconds ago       214MB
pwn                 4                   3912e17cd3cb        About a minute ago   214MB
pwn                 3                   6895a42c0863        About a minute ago   214MB
pwn                 2                   d9202c41f05f        2 minutes ago        214MB
pwn                 1                   2058b2cb88bc        13 minutes ago       214MB
misc                2                   1d8a9a3b0c27        27 minutes ago       214MB
misc                1                   da47d4baf4e5        2 hours ago          214MB
ubuntu              pwn                 d44406607f75        5 hours ago          213MB
ubuntu              latest              93fd78260bd1        12 days ago          86.2MB


root@kuality:/home/master/home# cat Dockerfile
FROM ubuntu:pwn
RUN apt update
RUN useradd -mU pwn5
WORKDIR /home/pwn5
COPY ./pwn5/pwn5 /etc/xinetd.d/pwn5
RUN chmod og-rwx /var/log
RUN chmod og-rwx /tmp
RUN chmod og-rwx /var/tmp
RUN chmod og-rwx /dev/shm
RUN chown root:pwn5 .
RUN echo "pwn5 12354/tcp" >> /etc/services
CMD ["/usr/sbin/xinetd","-dontfork"]

=======================================================

  126  vim Dockerfile
  127  docker build --tag pwn:2 .
  128  vim Dockerfile
  129  docker build --tag pwn:3 .
  130  vim Dockerfile
  131  docker build --tag pwn:4 .
  132  vim Dockerfile
  133  docker build --tag pwn:5 .
  134  docker images
  135  docker run -it -p 12351:12351 -v /home/master/home/pwn2:/home/pwn2 --name pwn2 pwn:2 /bin/bash
  136  docker run -it -p 12352:12352 -v /home/master/home/pwn3:/home/pwn3 --name pwn3 pwn:3 /bin/bash
  137  docker run -it -p 12353:12353 -v /home/master/home/pwn4:/home/pwn4 --name pwn4 pwn:4 /bin/bash
  138  docker run -it -p 12354:12354 -v /home/master/home/pwn5:/home/pwn5 --name pwn5 pwn:5 /bin/bash
  139  docker ps -a


=========================================================

root@kuality:/home/master/home# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS                      NAMES
84a9c1df1216        pwn:5               "/bin/bash"         About a minute ago   Up About a minute   0.0.0.0:12354->12354/tcp   pwn5
1e999cdcb6d4        pwn:4               "/bin/bash"         About a minute ago   Up About a minute   0.0.0.0:12353->12353/tcp   pwn4
9a15d7e92d9e        pwn:3               "/bin/bash"         2 minutes ago        Up 2 minutes        0.0.0.0:12352->12352/tcp   pwn3
7162967f6bc0        pwn:2               "/bin/bash"         2 minutes ago        Up 2 minutes        0.0.0.0:12351->12351/tcp   pwn2
08266f243825        pwn:1               "/bin/bash"         15 minutes ago       Up 15 minutes       0.0.0.0:12350->12350/tcp   pwn1
cd62d7c1e98d        misc:2              "/bin/bash"         30 minutes ago       Up 30 minutes       0.0.0.0:12346->12346/tcp   misc2
022c0e2d72c6        misc:1              "/bin/bash"         About an hour ago    Up About an hour    0.0.0.0:12345->12345/tcp   misc1






웹사이트를 바꿔주도록 하자. docker로
/etc/os-release 를 보면 alpine linux라는 것을 알 수 있다.
알파인 리눅스는 가볍고 간단하고 보안성을 목적으로 개발한 리눅스 배포판입니다.
용량을 줄이기 위해 시스템의 기본 C runtime을 glibc 대신 musl libc를 사용하며 다양한 쉘 명령어는 GNU util 대신 busybox 를 탑재하였습니다.
용량이 80M인 경량화된 배포판이므로 Embbeded 나 네트웍 서버등 특정 용도에 적합하며 특히 도커(docker)에 채택되어 5M 크기의 리눅스 이미지로 유명합니다.


apk add git
apk del git     이런식으로 사용

root@kuality:/home/kuality/CTFd# docker run -it -d -p 8000:8000 ctfd/ctfd /bin/bash
root@kuality:/home/kuality/CTFd# docker exec -it 896fa91c0c8d sh








뭐냐
파일 옮기고, 옮길 때 docker cp 명령어 사용하면 편함.
확인할 것!
/etc/xinetd.d/pwn4
/etc/services
pwn4.sh
디렉토리 권한





web 문제 올리기 ----
일단 winscp로 해당 파일들을 서버로 업로드했음.


root@kuality:/home/master/home/web1# ls -al
total 24
drwxr-xr-x  3 kuality kuality 4096 12월  6 17:22 .
drwxr-x--- 14 root    root    4096 12월  6 17:22 ..
drwxr-xr-x  3 kuality kuality 4096 12월  6 17:17 Can
-rw-r--r--  1 kuality kuality  405 12월  6 17:22 Dockerfile
-rw-r--r--  1 kuality kuality  169 12월  1 22:15 httpd-foreground
-rw-r--r--  1 kuality kuality   32 12월  4 23:15 index.html

root@kuality:/home/master/home/web1# docker build --tag web:1 .
'''
'''
root@kuality:/home/master/home/web1# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
web                 1                   30fff891138f        3 minutes ago       227MB
pwn                 5                   2b8a852da5b6        2 hours ago         269MB


root@kuality:/home/master/home/web3# chmod +x httpd-foreground
형준이가 한거에서 expose 다 빼줌.

### history
  956  docker images
  957  ls
  958  vim Dockerfile
  959  docker build --tag web:1 .
  960  docker run -it -p 12362:80 --name web1 web:1 /bin/bash
  961  cd ..
  962  ls
  963  cd web2
  964  ls
  965  chmod +x httpd-foreground
  966  ls
  967  vim Dockerfile
  968  docker build --tag web:2 .
  969  docker run -it -p 12363:80 --name web2 web:2 /bin/bash
  970  ls
  971  vim Dockerfile
  972  cat Dockerfile
  973  ls
  974  docker cp hunter.png web2:/var/www/html/.
  975  cd ..
  976  ls
  977  cd web3
  978  ls
  979  chmod +x httpd-foreground
  980  vim Dockerfile
  981  ls
  982  docker build --tag web:3 .
  983  ls
  984  docker images
  985  docker ps -a
  986  docker run -it -p 12364:80 --name web3 web:3 /bin/bash
  987  ls
  988  docker ps -a
  989  cd ..
  990  ls
  991  cd web4
  992  ls
  993  chmod +x httpd-foreground
  994  ls
  995  vim Dockerfile
  996* docker run -i
  997  docker run -it -p 12365:80 --name web4 web:4 /bin/bash



pwn1 하는중
pwn1 안에 디렉토리를 또 만들어서 shared 용으로 만들어 놓으면 편함. pwn1 안에 Dockerfile이랑 xinetd 파일을 만들어 놓고 쓰면 좋음. shared 안에는 pwn1이랑 pwn1.sh 넣어놓고. 

root@kuality:/home/master/home/pwn1# ls
Dockerfile  pwn1_xinetd  shared

root@kuality:/home/master/home/pwn1# docker build --tag pwn:1 .

root@kuality:/home/master/home/pwn1# docker run -it -p 12350:12350 -v /home/master/home/pwn1/shared/:/home/pwn1 --name pwn1 pwn:1 /bin/bash

/etc/init.d/xinetd start
* Starting internet superserver xinetd                                  [ OK ]


pwn2
  889  mv pwn1_xinetd pwn2_xinetd
  890  vim pwn2_xinetd
  891  ls -al
  892  cd shared/
  893  ls
  894  cd ..
  895  ls
  896  mv pwn2 shared/.
  897  cp ../pwn1/shared/pwn1.sh .
  898  ls
  899  vim pwn1.sh
  900  mv pwn1.sh pwn2.sh
  901  cp pwn2.sh ./shared/.
  902  cd shared/
  903  ls
  904  ls -al
  905  cd ..
  906  ls
  907  vim Dockerfile
  908  docker build --tag pwn:2 .
  909  docker ps -a
  910  docker images


root@f065fb4bf57b:/home/pwn2# /etc/init.d/xinetd start
* Starting internet superserver xinetd                                                                                                                             [ OK ]
root@f065fb4bf57b:/home/pwn2# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:12351           0.0.0.0:*               LISTEN      67/xinetd      


misc1
root@732906120f2c:/home/misc1# history
    1  ls
    2  ls -al
    3  chgrp misc1 .
    4  ls -al
    5  chgrp misc1 *
    6  ls -al
    7  su misc1
    8  /etc/init.d/xinetd start
    9  netstat -tnlp
   10  history



crypto1
root@kuality:/home/master/home# ls
Dockerfile  libc.so.6  misc1  misc1.sh  misc2  misc3  pwn1  pwn2  pwn3  pwn4  pwn5  servicefile_xinetd  web1  web2  web3  web4
root@kuality:/home/master/home# mkdir crypto1
root@kuality:/home/master/home# cd crypto1/
root@kuality:/home/master/home/crypto1# cp ../Dockerfile .
root@kuality:/home/master/home/crypto1# cp ../servicefile_xinetd .
root@kuality:/home/master/home/crypto1# mkdir shared
root@kuality:/home/master/home/crypto1# vim Dockerfile
root@kuality:/home/master/home/crypto1# mv servicefile_xinetd crypto1_xinetd
root@kuality:/home/master/home/crypto1# vim crypto1_xinetd
root@kuality:/home/master/home/crypto1# cat Dockerfile
FROM ubuntu:pwn_env
RUN apt update
RUN useradd -mU crypto1
WORKDIR /home/crypto1
COPY ./crypto1_xinetd /etc/xinetd.d/crypto1
RUN chmod og-rwx /var/log
RUN chmod og-rwx /tmp
RUN chmod og-rwx /var/tmp
RUN chmod og-rwx /dev/shm
RUN chown root:crypto1 .
RUN echo "crypto1    12358/tcp" >> /etc/services
CMD ["/usr/sbin/xinetd","-dontfork"]
root@kuality:/home/master/home/crypto1# cat crypto1_xinetd
service crypto1
{
    disable        = no
    type        = UNLISTED
    wait        = no
        server        = /home/crypto1/crypto1.sh
    socket_type    = stream
    protocol    = tcp
    user        = crypto1
        port        = 12358
    flags        = REUSE
}
root@kuality:/home/master/home/crypto1#
root@kuality:/home/master/home/crypto1# docker build --tag crypto:1 .
Sending build context to Docker daemon  3.584kB
Step 1/12 : FROM ubuntu:pwn_env
---> 2982f2dd0e73
Step 2/12 : RUN apt update
---> Using cache
---> 3811b63ef52c
Step 3/12 : RUN useradd -mU crypto1
---> Running in 5a810927ae8a
Removing intermediate container 5a810927ae8a
---> 763d9ad8fca8
Step 4/12 : WORKDIR /home/crypto1
---> Running in 9e04f20da228
Removing intermediate container 9e04f20da228
---> f89601cb8a9f
Step 5/12 : COPY ./crypto1_xinetd /etc/xinetd.d/crypto1
---> ac9966a4bbf7
Step 6/12 : RUN chmod og-rwx /var/log
---> Running in adb15102437e
Removing intermediate container adb15102437e
---> 9764196c9388
Step 7/12 : RUN chmod og-rwx /tmp
---> Running in 5c521a9b74ef
Removing intermediate container 5c521a9b74ef
---> 00aefac6dd43
Step 8/12 : RUN chmod og-rwx /var/tmp
---> Running in 2f55acaf8512
Removing intermediate container 2f55acaf8512
---> 575e61c3caf3
Step 9/12 : RUN chmod og-rwx /dev/shm
---> Running in 06911586cd45
Removing intermediate container 06911586cd45
---> 3d39f2ee4662
Step 10/12 : RUN chown root:crypto1 .
---> Running in 8a8eff50da95
Removing intermediate container 8a8eff50da95
---> 76c1bf086766
Step 11/12 : RUN echo "crypto1    12358/tcp" >> /etc/services
---> Running in cebb5880b8ea
Removing intermediate container cebb5880b8ea
---> 3b00b838d42d
Step 12/12 : CMD ["/usr/sbin/xinetd","-dontfork"]
---> Running in 15c420b3673d
Removing intermediate container 15c420b3673d
---> de3a181187f5
Successfully built de3a181187f5
Successfully tagged crypto:1
root@kuality:/home/master/home/crypto1# ls
crypto1_xinetd  Dockerfile  shared
root@kuality:/home/master/home/crypto1# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
crypto              1                   de3a181187f5        11 seconds ago      269MB
misc                2                   2642ab45889c        About an hour ago   269MB
misc                1                   2a2d7aa7d287        2 hours ago         269MB
pwn                 2                   868609076b2d        2 hours ago         269MB
pwn                 1                   4b44eb127d63        3 hours ago         269MB
web                 4                   d2153f10e0d1        8 hours ago         227MB
web                 3                   f489ac80ea7e        8 hours ago         227MB
web                 2                   7ee58a4000c4        8 hours ago         227MB
web                 1                   2ea48df1d684        8 hours ago         227MB
pwn                 5                   2b8a852da5b6        11 hours ago        269MB
pwn                 4                   595e99368599        13 hours ago        269MB
ubuntu              pwn_env             2982f2dd0e73        13 hours ago        268MB
ctfd                01                  880e760e6d81        3 days ago          460MB
ctfd_ctfd           latest              d00440f9d292        3 days ago          460MB
ctfd/ctfd           latest              276fd8db9ecb        4 days ago          454MB
<none>              <none>              3912e17cd3cb        4 days ago          214MB
ubuntu              pwn                 d44406607f75        4 days ago          213MB
mariadb             10.4                a310b633fb41        2 weeks ago         369MB
ubuntu              16.04               a51debf7e1eb        2 weeks ago         116MB
ubuntu              trusty              f17b6a61de28        2 weeks ago         188MB
ubuntu              latest              93fd78260bd1        2 weeks ago         86.2MB
redis               4                   a38ee13679d8        2 weeks ago         83.4MB
python              2.7-alpine          f901fc789b69        2 weeks ago         58.8MB





반응형

'Information* > 알면도움됨' 카테고리의 다른 글

Atom syntax theme 잘 적용이 안될 때  (0) 2019.02.25
Visual Studio Code 환경 세팅  (0) 2019.02.13
Docker 사용법  (0) 2018.12.28
CUPS 와 ipp protocol  (0) 2018.11.30
Kali linux sources.list repositories 수정  (0) 2018.11.19