Add misc challenges

misc/avatar/README.md

@@ -0,0 +1,6 @@
+The avatar is imprisoned in an ice jail. Can you help him awaken his powers?
+
+author: hweissi
+```
+nc chall.glacierctf.com 13384
+```

misc/avatar/chall.py

@@ -0,0 +1,9 @@
+print("You get one chance to awaken from the ice prison.")
+code = input("input: ").strip()
+whitelist = """gctf{"*+*(=>:/)*+*"}""" # not the flag
+if any([x not in whitelist for x in code]) or len(code) > 40000:
+    
+    print("Denied!")
+    exit(0)
+
+eval(eval(code, {'globals': {}, '__builtins__': {}}, {}), {'globals': {}, '__builtins__': {}}, {})

misc/glacier-military-daemon/README.md

@@ -0,0 +1,16 @@
+Deep in the glaciers, secret scientific laboratories of a secretive PMC are located. These laboratories are isolated from the rest of the humanity due to the nature of the experiments that are performed there. For infrastructure reasons, they developed a connectivity health check daemon which run in each basement of their complex.
+
+You've heard that the health check was developed by a scientist which disappeared short after the deployment of the daemons. The PMC assigned him the task of upgrading the daemons so they are able to recover from errors and corruptions. The scientist allegedly developed the 'glacier resilience' plug and play technology for the daemons.
+
+Years ago, you heard stories from other workers mentioning that the original developer was not aligned with the authoritative PMC actions and values. They suggested that it could be the reason why he 'disappeared'. Yesterday, one of the daemons went down due to a chain of errors.
+
+Now it's your turn to continue his job.
+
+PMC Soldier> "Scientist 0x814A, here is the connection to the server which hosts the daemon of our base. Here is also the access token, tied personally to you. You have readonly disk access as we don't trust you yet. The daemon is currently down, get familiar with the codebase and put it back online. Don't commit the same errors as the last one."
+
+author: ecomaikgolf
+```
+telnet chall.glacierctf.com 13386
+```
+
+**Token:** `eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MzMsIm5vbmNlIjoiMzA5NjA3MGVlNDcxZTc1MmJhMDU1NjkzNzA4YTUyZTE3ZTBhN2RhYjIyYzgzYmRhMTZhMzVjMDM0Y2FlYTNlZCIsImhhc2giOiI5MzE3YjJlNDYxY2UzMjM4NjJmYjc5ODMyYTY5M2Q1NTg3MjM4ZjkyMjFmZmY5ZWE2OTlhZGZmMThkYTE2NzI0IiwiY2hhbGxlbmdlIjoiNmFhYzFmZWZlNDkwMzg0M2MyMTlkODM1OTlkM2ZiYjMzYWQzZDM5YzQzNTE5NzA3ODdmNDA4ZDdkOGFmZGVmMiIsInRpbWVmcmFtZSI6MzYwfQ.XeQk2zNNpvdEGAHyRwh71rCHIduTOP8JiOD9oJpevTtpQJ4F_xwR7b434NzYU1i6teLtgxV19iMNyQ-vlcNezNrcMX1PaGXJPYKEVFpBECSSXKCYHBUG4wT7nHNtwK2ROGb0wHeNfAWbHP2CDu4Gjao7n7rldnphMyR4ISqxmd7zcrfMMLPTfNedn7LSS_Ri9cRbUdtGTmJoREcvmwMzdUj2fUF5YkWjhLk9zKcmw1-dsCUpzUDrnMmA3z2jIYAzXStzAqVNujoJBVjmvclZ9UdV0XtyjQh5E-PfDlPkXvpj-Vz6nTpnhnp0SJ9Ezwu6LZdASNvJS6_0boyPkYnybqfGEzYZ2j-_QV08oO7-S1OeBwpyUXyPDECi1IjXSZPjYMAMD4Yqu2QuJZmtN7OVVlImFJGGbYimXdEp9Cjcbsx63JdY5xMZcyjuIMLtJbTgDFb0aUEclqHBt2BETA5tahi0qkF7oPt2hwSwOU0_Q-zpOmufIW1tgTk4ePAapCwmqtq0F4AJnV2VLeLdynwEQgCyCSPZRhGrhcjClesN-n2LFL56Kuf37Q0f_-DZYU4vPFQzT8-bMub0kzp8d0-sKn5u6qNcn6qng0fT3UFq4RDlYHT9NXyvFHs_ZIEhvKnV3uaJDxqwIuFreMavseIYL0kLl1R0qplFfGp1V0TuVOU`

misc/glacier-military-daemon/glacier-military-daemon/Dockerfile

@@ -0,0 +1,27 @@
+FROM debian:stable-slim
+
+RUN DEBIAN_FRONTEND=noninteractive; \
+    apt-get -y update; \
+    apt-get -y install zsh file; \
+    rm -rf /var/lib/apt/lists/*;
+
+RUN adduser --home /home/sci33098 --shell /bin/zsh sci33098
+RUN usermod --shell /sbin/nologin root
+
+COPY grhealth /sbin/
+RUN chown root:root /sbin/grhealth
+RUN chmod +s /sbin/grhealth
+RUN chmod +x /sbin/grhealth
+
+WORKDIR /home/sci33098
+
+COPY glacier-military-daemon-flag /flag.txt
+RUN chown root:root /flag.txt
+RUN chmod 700 /flag.txt
+
+COPY zshrc .zshrc
+COPY Makefile .
+COPY main.c .
+COPY glacier_resilience.h .
+
+CMD ["zsh"]

misc/glacier-military-daemon/glacier-military-daemon/Makefile

@@ -0,0 +1,31 @@
+.PHONY: default run clean
+default: compile
+
+BIN  := grhealth
+SRC  := main.c
+HDR  := glacier_resilience.h
+PMR := 0 10
+
+# Compile flags, pass PMC standards
+CFLAGS += -O2 -Werror -Wall -Wextra -Wformat=2 -Wno-unused-parameter           \
+-Wformat-overflow=2 -Wformat-truncation=2 -Wformat-security -Wnull-dereference \
+-Wstack-protector -Wtrampolines -Walloca -Wvla -Warray-bounds=2                \
+-Wimplicit-fallthrough=3 -Wshift-overflow=2 -Wcast-qual -Wstringop-overflow=4  \
+-Wconversion -Warith-conversion -Wlogical-op -Wduplicated-cond                 \
+-Wduplicated-branches -Wformat-signedness -Wshadow -Wstrict-overflow=4 -Wundef \
+-Wstrict-prototypes -Wswitch-default -Wswitch-enum -Wstack-usage=1000000       \
+-Wcast-align=strict -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3                      \
+-fstack-protector-strong -fstack-clash-protection -fPIE -fsanitize=bounds      \
+-fsanitize-undefined-trap-on-error -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack  \
+-Wl,-z,separate-code # src: https://github.com/airbus-seclab/c-compiler-security
+
+compile: $(BIN)
+$(BIN): $(SRC) $(HDR)
+	$(CC) $(CFLAGS) $(SRC) -o $(BIN)
+	strip $(BIN)
+
+run: $(BIN)
+	./$< $(PMR)
+	
+clean:
+	rm -f $(BIN)

misc/glacier-military-daemon/glacier-military-daemon/glacier-military-daemon-flag

@@ -0,0 +1 @@
+gctf{TESTFLAG}

misc/glacier-military-daemon/glacier-military-daemon/glacier_resilience.h

@@ -0,0 +1,41 @@
+#pragma once
+
+#define RES_SLEEP 3
+#define handle_error()                                          \
+  do {                                                          \
+    sleep(RES_SLEEP);                                           \
+    fprintf(stderr,"[!] Restarting due to error in %s:%d %s\n", \
+        __FILE__, __LINE__, __FUNCTION__);                      \
+    execv(argv[0], argv);                                       \
+    exit(1);                                                    \
+  } while(0);
+
+// ./argv[0] <START> <MAX>
+// For example ./argv[0] 0 10 -> Retry 10 times in case of error
+if(argc != 3) {
+  fprintf(stderr, "[!] Initialize the daemon properly: %s 0 MAX\n", argv[0]);
+  return 1;
+}
+
+// Read maximum reboots our daemon should try before giving up
+long int max = strtol(argv[2], NULL, 10);
+if(max < 0)
+  max = 0;
+
+// Read current restart counter
+long int counter = strtol(argv[1], NULL, 10);
+if(counter < 0)
+  counter = 0;
+counter++;
+
+// Check if we reached the limit of restarts
+if(counter > max) {
+  fprintf(stderr, "[!] Maximum number of errors (%li) reached\n", max);
+  return 1;
+}
+
+// Update argv[1] with updated counter in case we have to restart
+char newargv1[20]; // 20 == ceil(log10(2^64))
+memset(newargv1, 0x0, sizeof(newargv1));
+snprintf(newargv1, sizeof(newargv1), "%li", counter);
+argv[1] = newargv1;

misc/glacier-military-daemon/glacier-military-daemon/main.c

@@ -0,0 +1,91 @@
+/* Copyr1ght (Ç) 2Ò4O Secret Glacier PMC - All Rights Preserved You may use,
+ * distribute and modify this code under the terms of the /dev/null license,
+ * which unfortunately won't be listed here.
+ *
+ * You should have received a copy of the /dev/null license with this file. If
+ * not, please write to: nobody:nogroup.
+ */
+
+#include <stdio.h>
+#include <netinet/in.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#define PORT      80   // Listening PORT. Privileged so setuid
+#define PEND_CONN 5    // listen() `backlog`
+#define BUFLIM    64   // Max per-client conn read
+
+int main(int argc, char **argv) {
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stderr, NULL, _IONBF, 0);
+
+  //660bcae7 main.c (Scientist 0x7AB3 2042-02-08 10:55:20 +0000)
+  // Scientist 0x7AB3: Novel Plug and Make mechanism in C32
+  #if __has_include("glacier_resilience.h")
+    #include "glacier_resilience.h"
+  #else
+    #define handle_error()                             \
+      do {                                             \
+        fprintf(stderr, "[!] Something went wrong\n"); \
+        exit(1);                                       \
+      } while(0);
+  #endif
+
+  printf("[*] Launching %s service\n", argv[0]);
+
+  struct sockaddr_in listen_ad;
+  memset(&listen_ad, 0x00, sizeof(listen_ad));
+  listen_ad.sin_family = AF_INET;
+  listen_ad.sin_addr.s_addr = htonl(INADDR_ANY);
+  listen_ad.sin_port = htons(PORT);
+
+  int listen_fd = socket(AF_INET, SOCK_STREAM, 0);
+  if(listen_fd < 0)
+    handle_error();
+
+  // Bind to port PORT
+  if(bind(listen_fd, (struct sockaddr*)&listen_ad, sizeof(listen_ad)) < 0)
+    handle_error();
+
+  printf("[*] Listening on port %d\n", PORT);
+
+  if(listen(listen_fd, PEND_CONN) < 0)
+    handle_error();
+
+  while(1) {
+    printf("[*] Waiting for client connections\n");
+
+    int client = accept(listen_fd, (struct sockaddr*)NULL, NULL);
+    if(client < 0)
+      handle_error();
+
+    printf("[*] Received client connection\n");
+
+    char conbuf[BUFLIM];
+    memset(conbuf,0x00,BUFLIM);
+
+    ssize_t ret = read(client, conbuf, BUFLIM);
+    if(ret < 0)
+      handle_error();
+
+    printf("[*] Received client echo\n");
+
+    if(write(client, conbuf, (size_t)ret) < 0)
+      handle_error();
+
+    printf("[*] Replied to client echo\n");
+
+    if(shutdown(client, SHUT_RDWR) < 0)
+      handle_error();
+
+    if(close(client) < 0)
+      handle_error();
+
+    printf("[*] Closed client connection\n");
+  }
+
+  return 0;
+}

misc/glacier-military-daemon/glacier-military-daemon/run-challenge-local.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+ENGINE=podman
+if ! [ -x "$(command -v podman)" ]; then
+  ENGINE=docker
+  if ! [ -x "$(command -v docker)" ]; then
+    echo "[!] Please install a container engine such as podman or docker."
+    exit 1
+  fi
+fi
+
+$ENGINE build -t glacier-military-daemon .
+$ENGINE run -it \
+  --log-driver=none \
+  --env PWD=/home/sci33098 \
+  --read-only-tmpfs=true \
+  --restart no \
+  --uts=private \
+  --pull never \
+  --read-only \
+  --no-hosts \
+  --network none \
+  --memory 5m \
+  --user sci33098 \
+  --hostname pmclab006 \
+  --rm localhost/glacier-military-daemon:latest \
+  /bin/zsh
+  #--timeout=300

misc/glacier-military-daemon/glacier-military-daemon/zshrc

@@ -0,0 +1,17 @@
+export TERM='xterm-256color'
+PROMPT="%F{209}[%F{green}%n@%M %F{116}%(3~|../%2~|%~)%F{209}]$%f "
+
+clear
+
+echo ""
+echo ".--------------------------------------------------------------------."
+echo "|   [ Welcome to pwn/glacier-military-daemon from GlacierCTF2023 ]   |"
+echo "|                                                                    |"
+echo "| - Don't try to take infra down. Don't be Eve                       |"
+echo "| - You have zsh as shell & this is Debian 12 slim                   |"
+echo "| - There is a flag in /flag.txt and a binary in /sbin/grhealth      |"
+echo "| - This instance is unique and has a timeout of 5 minutes           |"
+echo "| - chall.zip has a local version without PoW, JWT or timeouts       |"
+echo "|                                                                    |"
+echo "·--------------------------------------------------------------------·"
+echo ""

misc/icy-riffs/README.md

@@ -0,0 +1 @@
+At the last halloween party we played some guitar hero, which was a whole lot of fun and helped me to get over my fear of ghosts. Eventually we played through all the songs the game had to offer, so I decided to create one of my own. I also added a Warmup Map called Invincible, so that you can easily shred through the other one. I hope you enjoy it!

misc/icy-riffs/icyriffs/Invincible/notes.chart

@@ -0,0 +1,205 @@
+[Song]
+{
+  Name = "Invincible"
+  Artist = "DEAF KEV"
+  Charter = "LetsFailNoob"
+  Album = "NoCopyRightSounds"
+  Year = ", 2015"
+  Offset = 0
+  Resolution = 192
+  Player2 = bass
+  Difficulty = 0
+  PreviewStart = 0
+  PreviewEnd = 0
+  Genre = "Glitch Hop"
+  MediaType = "YouTube"
+  MusicStream = "song.ogg"
+}
+[SyncTrack]
+{
+  0 = TS 4
+  0 = B 100000
+}
+[Events]
+{
+  288 = E "phrase_start"
+  384 = E "lyric a"
+  480 = E "phrase_end"
+  490 = E "phrase_start"
+  576 = E "lyric b"
+  624 = E "phrase_end"
+  672 = E "phrase_start"
+  768 = E "lyric c"
+  864 = E "phrase_end"
+  883 = E "phrase_start"
+  960 = E "lyric d"
+  1056 = E "phrase_end"
+  1075 = E "phrase_start"
+  1152 = E "lyric e"
+  1248 = E "phrase_end"
+  1267 = E "phrase_start"
+  1344 = E "lyric f"
+  1440 = E "phrase_end"
+  1459 = E "phrase_start"
+  1536 = E "lyric g"
+  1632 = E "phrase_end"
+  1651 = E "phrase_start"
+  1728 = E "lyric h"
+  1824 = E "phrase_end"
+  1843 = E "phrase_start"
+  1920 = E "lyric i"
+  2016 = E "phrase_end"
+  2035 = E "phrase_start"
+  2112 = E "lyric j"
+  2208 = E "phrase_end"
+  2227 = E "phrase_start"
+  2304 = E "lyric k"
+  2400 = E "phrase_end"
+  2419 = E "phrase_start"
+  2496 = E "lyric l"
+  2592 = E "phrase_end"
+  2611 = E "phrase_start"
+  2688 = E "lyric m"
+  2784 = E "phrase_end"
+  2803 = E "phrase_start"
+  2880 = E "lyric n"
+  2976 = E "phrase_end"
+  2995 = E "phrase_start"
+  3072 = E "lyric o"
+  3168 = E "phrase_end"
+  3187 = E "phrase_start"
+  3264 = E "lyric p"
+  3360 = E "phrase_end"
+  3379 = E "phrase_start"
+  3456 = E "lyric q"
+  3552 = E "phrase_end"
+  3571 = E "phrase_start"
+  3648 = E "lyric r"
+  3744 = E "phrase_end"
+  3763 = E "phrase_start"
+  3840 = E "lyric s"
+  3936 = E "phrase_end"
+  3955 = E "phrase_start"
+  4032 = E "lyric t"
+  4128 = E "phrase_end"
+  4147 = E "phrase_start"
+  4224 = E "lyric u"
+  4320 = E "phrase_end"
+  4339 = E "phrase_start"
+  4416 = E "lyric v"
+  4512 = E "phrase_end"
+  4531 = E "phrase_start"
+  4608 = E "lyric w"
+  4704 = E "phrase_end"
+  4723 = E "phrase_start"
+  4800 = E "lyric x"
+  4896 = E "phrase_end"
+  4915 = E "phrase_start"
+  4992 = E "lyric y"
+  5088 = E "phrase_end"
+  5107 = E "phrase_start"
+  5184 = E "lyric z"
+  5280 = E "phrase_end"
+  5299 = E "phrase_start"
+  5376 = E "lyric {"
+  5472 = E "phrase_end"
+  5491 = E "phrase_start"
+  5568 = E "lyric }"
+  5664 = E "phrase_end"
+  5683 = E "phrase_start"
+  5760 = E "lyric !"
+  5856 = E "phrase_end"
+  5875 = E "phrase_start"
+  5952 = E "lyric _"
+  6048 = E "phrase_end"
+  6067 = E "phrase_start"
+  6144 = E "lyric 3"
+  6240 = E "phrase_end"
+  6259 = E "phrase_start"
+  6336 = E "lyric 4"
+  6432 = E "phrase_end"
+}
+[ExpertSingle]
+{
+  384 = N 7 0
+  576 = N 0 0
+  768 = N 1 0
+  960 = N 2 0
+  1152 = N 3 0
+  1344 = N 4 0
+  1536 = N 0 0
+  1536 = N 1 0
+  1728 = N 0 0
+  1728 = N 2 0
+  1920 = N 0 0
+  1920 = N 3 0
+  2112 = N 0 0
+  2112 = N 4 0
+  2304 = N 1 0
+  2304 = N 2 0
+  2496 = N 1 0
+  2496 = N 3 0
+  2688 = N 1 0
+  2688 = N 4 0
+  2880 = N 2 0
+  2880 = N 3 0
+  3072 = N 2 0
+  3072 = N 4 0
+  3264 = N 3 0
+  3264 = N 4 0
+  3456 = N 0 0
+  3456 = N 1 0
+  3456 = N 2 0
+  3648 = N 0 0
+  3648 = N 1 0
+  3648 = N 3 0
+  3840 = N 0 0
+  3840 = N 1 0
+  3840 = N 4 0
+  4032 = N 0 0
+  4032 = N 2 0
+  4032 = N 3 0
+  4224 = N 0 0
+  4224 = N 2 0
+  4224 = N 4 0
+  4416 = N 0 0
+  4416 = N 3 0
+  4416 = N 4 0
+  4608 = N 1 0
+  4608 = N 2 0
+  4608 = N 3 0
+  4800 = N 1 0
+  4800 = N 2 0
+  4800 = N 4 0
+  4992 = N 1 0
+  4992 = N 3 0
+  4992 = N 4 0
+  5184 = N 2 0
+  5184 = N 3 0
+  5184 = N 4 0
+  5376 = N 0 0
+  5376 = N 1 0
+  5376 = N 2 0
+  5376 = N 3 0
+  5568 = N 0 0
+  5568 = N 1 0
+  5568 = N 2 0
+  5568 = N 4 0
+  5760 = N 0 0
+  5760 = N 1 0
+  5760 = N 3 0
+  5760 = N 4 0
+  5952 = N 0 0
+  5952 = N 2 0
+  5952 = N 3 0
+  5952 = N 4 0
+  6144 = N 1 0
+  6144 = N 2 0
+  6144 = N 3 0
+  6144 = N 4 0
+  6336 = N 0 0
+  6336 = N 1 0
+  6336 = N 2 0
+  6336 = N 3 0
+  6336 = N 4 0
+}

misc/icy-riffs/icyriffs/Invincible/song.ini

@@ -0,0 +1,24 @@
+[Song]
+name = Invincible
+artist = DEAF KEV
+album = NoCopyRightSounds
+genre = Glitch Hop
+year = 2015
+song_length = 20024
+charter = LetsFailNoob
+diff_band = 0
+diff_guitar = 0
+diff_rhythm = 0
+diff_bass = 0
+diff_drums = 0
+diff_keys = 0
+diff_guitarghl = 0
+diff_bassghl = 0
+diff_rhythmghl = 0
+preview_start_time = 0
+icon = 0
+playlist_track = 
+track = 
+album_track = 
+delay = 0
+loading_phrase = 

misc/icy-riffs/icyriffs/Randy Newman - Monsters, Inc. (JoeyD)/notes.chart

@@ -0,0 +1,638 @@
+[Song]
+{
+  Name = "Monsters, Inc."
+  Artist = "Randy Newman"
+  Charter = "JoeyD"
+  Album = "Monsters, Inc (Original Motion Picture Soundtrack)"
+  Year = ", 2001"
+  Offset = 0
+  Resolution = 192
+  Player2 = bass
+  Difficulty = 0
+  PreviewStart = 0
+  PreviewEnd = 0
+  Genre = "Jazz"
+  MediaType = "cd"
+  MusicStream = "C:\Users\zippy\Documents\glacier\Randy Newman - Monsters, Inc. (JoeyD)\song.ogg"
+}
+[SyncTrack]
+{
+  0 = TS 5
+  0 = B 115000
+  768 = B 220000
+  960 = TS 4
+  80832 = B 219000
+  82368 = B 150000
+}
+[Events]
+{
+  768 = E "section Intro"
+  4032 = E "section Chorus 1A"
+  16320 = E "section Chorus 1B"
+  28608 = E "section Verse"
+  34752 = E "section Chorus 2"
+  42432 = E "section Clarinet Solo"
+  56256 = E "section Trombone Solo"
+  68544 = E "section Piano Solo"
+  74688 = E "section Chorus 3"
+  82368 = E "section Outro"
+}
+[ExpertSingle]
+{
+  768 = N 0 0
+  768 = N 1 0
+  768 = N 6 0
+  896 = N 2 0
+  960 = N 3 0
+  1088 = N 4 0
+  1152 = N 3 0
+  1280 = N 2 0
+  1344 = N 1 0
+  1344 = N 6 0
+  1536 = N 0 0
+  1600 = N 1 0
+  1664 = N 2 0
+  1728 = N 3 0
+  1856 = N 4 0
+  2112 = N 0 0
+  2112 = N 2 0
+  2112 = N 3 0
+  2112 = N 6 0
+  2304 = N 0 0
+  2400 = N 1 0
+  2448 = N 2 0
+  2496 = N 3 0
+  2624 = N 2 0
+  2816 = N 3 0
+  2880 = N 4 0
+  2880 = N 6 0
+  3024 = N 0 0
+  3024 = N 1 0
+  3024 = N 2 0
+  3024 = N 3 0
+  3024 = N 6 0
+  3392 = N 1 0
+  3456 = N 2 0
+  3584 = N 0 0
+  4352 = N 2 0
+  4416 = N 2 0
+  4544 = N 3 0
+  4608 = N 4 0
+  4736 = N 1 0
+  4928 = N 1 336
+  5312 = N 4 528
+  5888 = N 2 0
+  5952 = N 2 0
+  6080 = N 3 0
+  6144 = N 4 0
+  6288 = N 0 0
+  6288 = N 2 0
+  6288 = N 3 0
+  6288 = N 6 0
+  6720 = N 4 0
+  6848 = N 2 0
+  6912 = N 3 0
+  7040 = N 2 288
+  7488 = N 1 0
+  7616 = N 2 0
+  7680 = N 3 0
+  7808 = N 4 0
+  8016 = N 0 0
+  8016 = N 2 0
+  8016 = N 6 0
+  8768 = N 2 0
+  8832 = N 2 0
+  8960 = N 2 0
+  9152 = N 4 0
+  9408 = N 0 0
+  9408 = N 1 0
+  9408 = N 3 0
+  9408 = N 6 0
+  10368 = N 2 0
+  10496 = N 0 0
+  10752 = N 2 0
+  10752 = N 4 0
+  10752 = N 6 0
+  10880 = N 1 0
+  11072 = N 1 208
+  11328 = N 4 0
+  11456 = N 3 0
+  11520 = N 2 0
+  11648 = N 3 0
+  11904 = N 2 0
+  12096 = N 2 0
+  12224 = N 3 0
+  12432 = N 0 0
+  12432 = N 2 0
+  12432 = N 4 0
+  12432 = N 6 0
+  13056 = N 3 0
+  13184 = N 2 208
+  13584 = N 0 0
+  13584 = N 1 0
+  13584 = N 6 0
+  13776 = N 0 0
+  13776 = N 2 0
+  13776 = N 6 0
+  14016 = N 3 0
+  14064 = N 4 0
+  14112 = N 3 0
+  14160 = N 2 0
+  14208 = N 1 0
+  14336 = N 0 0
+  14400 = N 1 0
+  14528 = N 2 208
+  14784 = N 0 0
+  14784 = N 2 0
+  14784 = N 3 0
+  14784 = N 4 0
+  14784 = N 6 0
+  16064 = N 0 0
+  16128 = N 1 0
+  16192 = N 2 0
+  16256 = N 3 0
+  16320 = N 4 0
+  16640 = N 2 0
+  16704 = N 2 0
+  16832 = N 3 0
+  16896 = N 4 0
+  17024 = N 1 0
+  17216 = N 1 288
+  17664 = N 3 0
+  17696 = N 4 0
+  17792 = N 3 336
+  18176 = N 2 0
+  18240 = N 2 0
+  18368 = N 3 0
+  18432 = N 4 0
+  18624 = N 0 0
+  18624 = N 2 0
+  18624 = N 3 0
+  18624 = N 6 0
+  19584 = N 1 0
+  19712 = N 1 0
+  19904 = N 2 0
+  19968 = N 3 0
+  20096 = N 4 0
+  20288 = N 1 544
+  21120 = N 1 0
+  21248 = N 1 0
+  21440 = N 4 0
+  21504 = N 0 0
+  21632 = N 3 864
+  22656 = N 0 0
+  22656 = N 2 0
+  22656 = N 6 0
+  22784 = N 2 0
+  22848 = N 2 0
+  22976 = N 3 0
+  23040 = N 4 0
+  23168 = N 1 0
+  23360 = N 1 640
+  24192 = N 2 0
+  24320 = N 2 0
+  24512 = N 3 0
+  24576 = N 4 0
+  24704 = N 0 640
+  25728 = N 1 0
+  25728 = N 2 0
+  25728 = N 3 0
+  25728 = N 4 0
+  25728 = N 6 0
+  26304 = N 3 0
+  26432 = N 2 0
+  26496 = N 1 0
+  26624 = N 0 0
+  26688 = N 1 0
+  26816 = N 2 208
+  27072 = N 0 0
+  27264 = N 1 0
+  27328 = N 2 0
+  27392 = N 3 0
+  27456 = N 4 0
+  27584 = N 3 0
+  27776 = N 0 0
+  27840 = N 1 0
+  27968 = N 0 0
+  28032 = N 1 0
+  28160 = N 2 0
+  28224 = N 3 0
+  28352 = N 4 0
+  28800 = N 3 0
+  28928 = N 2 0
+  28992 = N 3 0
+  29184 = N 3 0
+  29312 = N 2 0
+  29376 = N 3 0
+  29504 = N 4 400
+  29952 = N 3 0
+  30016 = N 4 0
+  30080 = N 1 0
+  30144 = N 2 0
+  30336 = N 2 0
+  30464 = N 1 0
+  30528 = N 2 0
+  30656 = N 3 0
+  30720 = N 1 0
+  30848 = N 2 832
+  31808 = N 1 0
+  32000 = N 0 0
+  32064 = N 1 272
+  32384 = N 0 0
+  32448 = N 1 0
+  32576 = N 2 512
+  33152 = N 3 0
+  33216 = N 4 0
+  33344 = N 3 0
+  33408 = N 2 0
+  33536 = N 1 0
+  33920 = N 2 0
+  33984 = N 3 0
+  34112 = N 2 0
+  34176 = N 1 0
+  34320 = N 0 0
+  34320 = N 2 0
+  34320 = N 3 0
+  34320 = N 4 0
+  34320 = N 6 0
+  35072 = N 2 0
+  35136 = N 2 0
+  35264 = N 3 0
+  35472 = N 1 0
+  35472 = N 4 0
+  35472 = N 6 0
+  35648 = N 1 784
+  36480 = N 2 0
+  36672 = N 2 0
+  36672 = N 4 0
+  36672 = N 6 0
+  36992 = N 0 832
+  38016 = N 1 0
+  38208 = N 0 0
+  38208 = N 2 0
+  38208 = N 4 0
+  38208 = N 6 0
+  38592 = N 2 0
+  38592 = N 3 0
+  38592 = N 6 0
+  38736 = N 2 0
+  38784 = N 1 0
+  38912 = N 0 0
+  38976 = N 1 0
+  39104 = N 2 256
+  39552 = N 1 0
+  39744 = N 2 0
+  39872 = N 4 208
+  40128 = N 0 0
+  40128 = N 1 0
+  40128 = N 2 0
+  40128 = N 3 0
+  40128 = N 4 0
+  40128 = N 6 0
+  40512 = N 1 0
+  40640 = N 2 256
+  41088 = N 1 0
+  41280 = N 2 0
+  41408 = N 4 208
+  41664 = N 3 0
+  41712 = N 4 0
+  41760 = N 3 0
+  41808 = N 2 0
+  41856 = N 1 0
+  41984 = N 0 0
+  42048 = N 1 0
+  42176 = N 2 208
+  42432 = N 1 0
+  42560 = N 4 208
+  42816 = N 3 0
+  42944 = N 1 0
+  43008 = N 2 144
+  43200 = N 4 0
+  43328 = N 2 0
+  43392 = N 3 144
+  43584 = N 2 0
+  43712 = N 0 0
+  43776 = N 1 144
+  43968 = N 2 0
+  44160 = N 2 0
+  44288 = N 3 0
+  44352 = N 4 0
+  44496 = N 0 0
+  44496 = N 1 0
+  44496 = N 3 0
+  44496 = N 4 0
+  44496 = N 6 0
+  44736 = N 2 0
+  44736 = N 3 0
+  44736 = N 6 0
+  44928 = N 3 0
+  45120 = N 3 0
+  45312 = N 3 0
+  45504 = N 3 224
+  46080 = N 3 0
+  46144 = N 4 656
+  46848 = N 4 0
+  46976 = N 3 0
+  47040 = N 2 0
+  47136 = N 4 0
+  47184 = N 3 0
+  47232 = N 2 0
+  47360 = N 1 0
+  47424 = N 0 0
+  47552 = N 2 0
+  47616 = N 3 0
+  47808 = N 1 0
+  48000 = N 3 0
+  48192 = N 0 272
+  48576 = N 0 0
+  48576 = N 1 0
+  48576 = N 4 0
+  48576 = N 6 0
+  48896 = N 4 0
+  48960 = N 3 0
+  49024 = N 4 0
+  49088 = N 3 0
+  49152 = N 2 0
+  49280 = N 1 0
+  49344 = N 0 0
+  49472 = N 1 0
+  49536 = N 2 0
+  49600 = N 1 0
+  49664 = N 2 0
+  49728 = N 3 0
+  49856 = N 4 208
+  50112 = N 3 0
+  50304 = N 3 224
+  50624 = N 0 0
+  50688 = N 1 0
+  50752 = N 2 0
+  50816 = N 3 0
+  51008 = N 4 736
+  51840 = N 3 0
+  52032 = N 2 0
+  52160 = N 0 0
+  52224 = N 1 0
+  52352 = N 3 208
+  52608 = N 2 0
+  52736 = N 1 0
+  52800 = N 0 0
+  52928 = N 2 0
+  52992 = N 1 0
+  53120 = N 0 0
+  53184 = N 1 0
+  53312 = N 3 0
+  53568 = N 0 0
+  53568 = N 2 0
+  53568 = N 3 0
+  53568 = N 4 0
+  53568 = N 6 0
+  54144 = N 3 0
+  54192 = N 4 0
+  54336 = N 3 0
+  54464 = N 2 0
+  54528 = N 1 0
+  54656 = N 2 0
+  54720 = N 0 0
+  54784 = N 1 0
+  54848 = N 2 0
+  54912 = N 3 0
+  55040 = N 2 0
+  55104 = N 3 0
+  55232 = N 4 0
+  55424 = N 2 0
+  55488 = N 3 0
+  55584 = N 4 0
+  55632 = N 3 0
+  55680 = N 2 0
+  55808 = N 3 0
+  55872 = N 2 0
+  56000 = N 0 0
+  56064 = N 1 144
+  56256 = N 0 0
+  56384 = N 4 0
+  56448 = N 4 0
+  56544 = N 3 0
+  56640 = N 4 0
+  56736 = N 3 0
+  56832 = N 4 0
+  56928 = N 2 0
+  57024 = N 3 0
+  57120 = N 1 0
+  57216 = N 3 0
+  57312 = N 2 0
+  57408 = N 3 0
+  57504 = N 2 0
+  57600 = N 3 0
+  57696 = N 0 0
+  57744 = N 1 0
+  57792 = N 2 0
+  57888 = N 1 0
+  57984 = N 2 0
+  58080 = N 1 0
+  58176 = N 2 0
+  58272 = N 1 0
+  58368 = N 2 0
+  58560 = N 1 0
+  58688 = N 0 0
+  58752 = N 1 0
+  58880 = N 2 0
+  58944 = N 3 0
+  59136 = N 2 0
+  59264 = N 1 0
+  59328 = N 0 0
+  59456 = N 0 0
+  59520 = N 1 0
+  59648 = N 2 0
+  59712 = N 3 0
+  59840 = N 4 480
+  60416 = N 3 0
+  60608 = N 4 0
+  60672 = N 3 0
+  60800 = N 1 0
+  60864 = N 2 0
+  60992 = N 0 0
+  61056 = N 1 0
+  61184 = N 3 0
+  61248 = N 2 0
+  61376 = N 3 0
+  61440 = N 1 0
+  61568 = N 0 0
+  61632 = N 4 0
+  61760 = N 3 0
+  61824 = N 2 0
+  61952 = N 1 0
+  62016 = N 0 144
+  62208 = N 1 0
+  62336 = N 2 240
+  62624 = N 3 0
+  62784 = N 4 0
+  63104 = N 2 208
+  63360 = N 3 0
+  63488 = N 4 0
+  63744 = N 1 336
+  64128 = N 3 0
+  64320 = N 4 0
+  64512 = N 3 0
+  64640 = N 2 0
+  64768 = N 4 0
+  64896 = N 3 0
+  65024 = N 2 256
+  65600 = N 1 160
+  65856 = N 3 0
+  66048 = N 1 0
+  66240 = N 2 144
+  66432 = N 1 0
+  66624 = N 2 0
+  66752 = N 0 0
+  66816 = N 1 0
+  66944 = N 2 144
+  67136 = N 1 0
+  67328 = N 0 0
+  67488 = N 3 0
+  67584 = N 4 0
+  67680 = N 3 0
+  67776 = N 2 0
+  67872 = N 1 0
+  67968 = N 0 0
+  68064 = N 4 0
+  68160 = N 3 0
+  68256 = N 2 0
+  68352 = N 1 0
+  68448 = N 2 0
+  68544 = N 0 0
+  68736 = N 0 0
+  68736 = N 1 0
+  68736 = N 2 0
+  68736 = N 3 0
+  68736 = N 4 0
+  68736 = N 6 0
+  69248 = N 2 0
+  69248 = N 3 0
+  69248 = N 6 0
+  69312 = N 2 0
+  69440 = N 1 0
+  69504 = N 2 0
+  69632 = N 4 0
+  69824 = N 3 0
+  70016 = N 1 0
+  70080 = N 2 0
+  70080 = N 6 0
+  70208 = N 0 0
+  70272 = N 1 0
+  70400 = N 4 0
+  70464 = N 3 0
+  70592 = N 1 0
+  70656 = N 2 0
+  70784 = N 3 0
+  70848 = N 1 0
+  70976 = N 2 0
+  71040 = N 1 0
+  71168 = N 0 0
+  71232 = N 1 0
+  71360 = N 3 0
+  71616 = N 2 0
+  71808 = N 0 0
+  72000 = N 0 0
+  72000 = N 2 0
+  72000 = N 3 0
+  72000 = N 4 0
+  72000 = N 6 0
+  72128 = N 0 0
+  72192 = N 1 0
+  72320 = N 2 0
+  72384 = N 3 0
+  72512 = N 1 0
+  72576 = N 2 0
+  72704 = N 3 0
+  72768 = N 0 0
+  72896 = N 4 0
+  73088 = N 3 0
+  73152 = N 2 0
+  73280 = N 3 0
+  73344 = N 2 0
+  73472 = N 3 0
+  73472 = N 4 0
+  73664 = N 2 0
+  73664 = N 4 0
+  73856 = N 2 0
+  73920 = N 2 0
+  73920 = N 3 0
+  74048 = N 1 0
+  74112 = N 2 0
+  74240 = N 0 352
+  74240 = N 2 352
+  74240 = N 3 352
+  74688 = N 0 0
+  74688 = N 1 0
+  74688 = N 4 0
+  74688 = N 6 0
+  74880 = N 2 0
+  75072 = N 2 0
+  75216 = N 2 0
+  75216 = N 3 0
+  75216 = N 6 0
+  75392 = N 1 0
+  75584 = N 1 784
+  76416 = N 2 0
+  76608 = N 2 0
+  76608 = N 4 0
+  76608 = N 6 0
+  76928 = N 0 832
+  77952 = N 1 0
+  78144 = N 2 0
+  78272 = N 4 208
+  78528 = N 3 0
+  78576 = N 4 0
+  78624 = N 3 0
+  78672 = N 2 0
+  78720 = N 1 0
+  78848 = N 0 0
+  78912 = N 1 0
+  79040 = N 2 256
+  79488 = N 1 0
+  79680 = N 2 0
+  79808 = N 4 208
+  80064 = N 3 0
+  80112 = N 4 0
+  80160 = N 3 0
+  80208 = N 2 0
+  80256 = N 1 0
+  80384 = N 0 0
+  80448 = N 1 0
+  80576 = N 2 256
+  81024 = N 1 0
+  81216 = N 2 0
+  81344 = N 4 208
+  81600 = N 3 0
+  81648 = N 4 0
+  81696 = N 3 0
+  81744 = N 2 0
+  81792 = N 1 0
+  81920 = N 0 0
+  81984 = N 1 0
+  82112 = N 2 208
+  82368 = N 1 0
+  82368 = N 2 0
+  82368 = N 3 0
+  82368 = N 6 0
+  82944 = N 0 0
+  82992 = N 1 0
+  83040 = N 2 0
+  83040 = N 4 0
+  83184 = N 3 0
+  83328 = N 2 0
+  83456 = N 1 0
+  83584 = N 1 0
+  83584 = N 2 0
+  83744 = N 0 0
+  83904 = N 0 384
+  83952 = N 1 336
+  84000 = N 3 288
+  84384 = N 0 0
+  84384 = N 1 0
+  84384 = N 2 0
+  84384 = N 4 0
+  84384 = N 6 0
+  84608 = N 3 1792
+  84608 = N 4 1792
+}

misc/icy-riffs/icyriffs/Randy Newman - Monsters, Inc. (JoeyD)/song.ini

@@ -0,0 +1,24 @@
+[song]
+name=Monsters, Inc.
+artist=Randy Newman
+album=Monsters, Inc. (Original Motion Picture Soundtrack)
+genre=Jazz
+year=2001
+diff_band=-1
+diff_guitar=2
+diff_rhythm=-1
+diff_bass=-1
+diff_drums=-1
+diff_keys=-1
+diff_guitarghl=-1
+diff_bassghl=-1
+preview_start_time=54580
+icon=antihero2
+album_track=2
+playlist_track=1
+video_start_time=0
+charter=JoeyD
+delay=0
+modchart=0
+song_length=127463
+loading_phrase=Before this soundtrack, Randy Newman held the dubious record of most Oscar nominations without a win (15). <i>Monsters, Inc.</i> broke the losing streak.

misc/silent-snake/Dockerfile

@@ -0,0 +1,22 @@
+FROM debian:bullseye-slim AS base
+
+EXPOSE 1337
+
+RUN DEBIAN_FRONTEND=noninteractive; \
+    apt-get -y update; \
+    apt-get -y install python3; \
+    apt-get -y install socat; \
+    rm -rf /var/lib/apt/lists/*; \
+    \
+    useradd -u 4242 -md /app ctf;
+
+WORKDIR /app
+
+COPY --chmod=444 chall/flag.txt .
+COPY --chmod=555 chall/silent_snake.py .
+COPY --chmod=555 chall/repl.py .
+
+ENV DEBUG=0
+
+CMD [ "socat", "TCP-LISTEN:1337,nodelay,reuseaddr,fork", "EXEC:\"timeout -s KILL 10m python3 -u /app/silent_snake.py\"" ]
+

misc/silent-snake/README.md

@@ -0,0 +1,10 @@
+Our favorite protagonist Sloppy Python, was able to sneak into the base of the baddies. Their internal system hosts containts a critical key that needs to be exfiltrated, but all their systems are locked down.
+
+Except for one: An ancient terminal with broken screen and enough ink for a single ls.
+
+Can you help Sloppy Python to steal the key?
+
+author: huksys
+```
+nc chall.glacierctf.com 13391
+```

misc/silent-snake/chall/flag.txt

@@ -0,0 +1 @@
+gctf{this_is_not_the_flag_you_seek}

misc/silent-snake/chall/repl.py

@@ -0,0 +1,44 @@
+#!/usr/bin/env python3
+
+import os
+import sys
+import code
+
+DEBUG = os.environ.get("DEBUG", "0") == "1"
+
+cpipe = os.fdopen(int(sys.argv[1]), "w", buffering=1)
+devnull = open("/dev/null", mode="w")
+
+print("""
+Welcome to silent-snake, the blind REPL!
+
+You've got a single ls that you can redeem using
+`run_command('ls <directory_to_ls>')`
+
+To exit the jail, use `exit()` or `run_command('exit')`
+
+Have fun!
+""")
+
+if not DEBUG:
+    sys.stdout.close()
+    sys.stderr.close()
+    os.close(1)
+    os.close(2)
+    sys.stdout = devnull
+    sys.stderr = devnull
+
+else:
+    print(50*"=")
+    print("WARNING: Debugging mode is *ON*. stdout and stderr are available here, but you won't be able to see the REPL's output during the challenge.")
+    print(50*"=")
+
+    # Redirect stderr to stdout
+    os.dup2(1, 2, inheritable=True)
+
+def run_command(cmd: str):
+    cpipe.write(cmd + "\n")
+
+code.interact(local=locals())
+
+run_command("exit")

misc/silent-snake/chall/silent_snake.py

@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+
+import os
+import random
+import subprocess
+import time
+
+DEBUG = os.environ.get("DEBUG", "0") == "1"
+
+def drop_to_unprivileged(uid: int, gid: int):
+    # Drop to a unprivileged user and group.
+    assert uid != 0 and gid != 0
+    os.setresgid(uid, uid, uid)
+    os.setresuid(gid, gid, gid)
+
+def drop_to_ctf_uid_gid():
+    drop_to_unprivileged(4242, 4242)
+
+(r, w) = os.pipe()
+os.set_inheritable(w, True)
+
+repl = subprocess.Popen(["./repl.py", str(w)], close_fds=False, preexec_fn=drop_to_ctf_uid_gid)
+
+os.close(w)
+ppipe = os.fdopen(r, "r", buffering=1)
+
+allowed = {
+    "ls": True,
+}
+
+
+try:
+    while repl.poll() == None:
+        cmd = ppipe.readline()
+        if cmd == "":
+            break
+
+        cmd = cmd.strip().split(" ")
+        if DEBUG:
+            print("RECEIVED COMMAND:", cmd)
+
+        if cmd[0] == "exit":
+            break
+        elif cmd[0] == "ls" and allowed["ls"] and len(cmd) == 2:
+            valid = True
+            resolved = []
+            path = cmd[1]
+
+            if not path.startswith("-") and os.path.isdir(path):
+                cmd = ["ls", "-l", path]
+                if DEBUG:
+                    print(cmd)
+
+                subprocess.run(cmd, stderr=(subprocess.STDOUT if DEBUG else subprocess.DEVNULL), preexec_fn=drop_to_ctf_uid_gid)
+
+            allowed["ls"] = False
+except Exception as ex:
+    if DEBUG:
+        import traceback
+        traceback.print_exc()
+
+if DEBUG:
+    print("Terminating REPL process...")
+
+repl.kill()
+repl.wait()
+
+if DEBUG:
+    print("REPL terminated - waiting...")
+
+time.sleep(random.randrange(300, 600))

misc/silent-snake/docker-compose.yml

@@ -0,0 +1,10 @@
+version: "3"
+services:
+  app:
+    build: .
+    ports:
+      - 1337:1337
+    read_only: false
+
+    pids_limit: 8
+    mem_limit: 20971520