dc2021f - shooow-your-shell
This was a King-of-the-Hill challenge, part of dc2021f.
Points: 1,000
You may spawn the server:

On your laptop
- Install docker
- docker pull archiveooo/pub:shooow-your-shell
- docker run -d --name shooow-your-shell archiveooo/pub:shooow-your-shell
- Local IP:
  docker inspect shooow-your-shell -f '{{ .NetworkSettings.Networks.bridge.IPAddress }}'
- Connect to that IP on port 9090
- Remember to docker rm -f shooow-your-shell when done.

Other options: on your laptop (full source), or hosted by OOO (players must log in first).

Description
This challenge was part of the finals. During finals, scoring happens per round, based on attack points (stealing flags from other teams) and defense points (patching the service so others cannot pwn you). Patching is not currently simulated on the archive, but keep in mind that most services only allowed a limited number of bytes to be changed from the original binary. Scoring rules: 2019, 2020, 2021.
King of the Hill points are also awarded per round, with only the top-ranking teams getting points. Teams were informed of game events, with redacted info on the last day. In 2019 players could see traffic pcaps only after some time; in 2020 and 2021 they could choose whether to stealth their traffic (for half the points).
Can you out-shellcraft your opponents? Only the worthy will hold the hill!
The shortest shellcode we know of is just two bytes (!).
But this is not just a shellcoding challenge! Can you see a situation in which you'd overtake someone without actually having better shellcode than the latest?
That part is better done locally, so you can set different team IDs for yourself.
Source files: service.py, shuffl, runner-x86_64, runner-aarch64, runner-riscv64, banner_fail, Dockerfile, service.conf, wrapper
Hints
Hint 1: Could you build your shellcode in stages?
Hint 2: Where could you read a second stage of shellcode from?
Hint 3: There is no locking or synchronization; can you use that to your advantage?