From 5a21bf8a591721b2e55927902309daf73248be84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anton=20Luka=20=C5=A0ijanec?= <anton@sijanec.eu>
Date: Wed, 4 Sep 2024 01:10:18 +0200
Subject: updated napad

---
 iv/orodja/napad/config                  |  96 ---------------------------
 iv/orodja/napad/exploit.sh              |   1 +
 iv/orodja/napad/genconfig.sh            | 114 ++++++++++++++++++++++++++++++++
 iv/orodja/napad/index.html              |   4 --
 iv/orodja/napad/nadzor.py               |  36 ++++++++++
 iv/orodja/napad/submission.py           |  95 +-------------------------
 iv/orodja/napad/templates/frontend.html |  58 ++++++++++++++++
 7 files changed, 212 insertions(+), 192 deletions(-)
 delete mode 100644 iv/orodja/napad/config
 create mode 100755 iv/orodja/napad/genconfig.sh
 delete mode 100644 iv/orodja/napad/index.html
 create mode 100755 iv/orodja/napad/nadzor.py
 create mode 100644 iv/orodja/napad/templates/frontend.html

(limited to 'iv')

diff --git a/iv/orodja/napad/config b/iv/orodja/napad/config
deleted file mode 100644
index dc165ce..0000000
--- a/iv/orodja/napad/config
+++ /dev/null
@@ -1,96 +0,0 @@
-# Common config for exploit.sh and submission.py.
-# It is to be sourced. It only sets environment variables.
-
-# ==========================
-# ========= COMMON =========
-
-export SUBMISSION_PORT=21502
-
-# ==========================
-# ======= EXPLOIT.SH =======
-
-# This regex is used to grep -Eo flags from stdout of exploits before submitting them
-export FLAG_REGEX_SEARCH="[A-Za-z0-9]{31}="
-
-# Where can exploit.sh find submission.py. Port is a common setting.
-export SUBMISSION_HOST=localhost
-### export SUBMISSION_HOST=k.4a.si
-
-# Must be precise, not less than round duration. Used to calculate round id.
-export ROUND_DURATION=120
-
-# When does the game start (in UTC). Used to calculate current round id.
-export GAME_START=2024-09-01T07:00:00
-
-# Team numbers to attack
-export GAME_TEAMS="2 69"
-###export GAME_TEAMS={0..10}
-
-# Flag IDs URL
-game_flag_ids_url()
-{
-	echo http://splet.4a.si/dir/flagids.txt
-	### echo "http://10.10.0.1:8081/flagIds?service=$1&team=$2&round=$3"
-}
-export -f game_flag_ids_url
-
-# Target IP from ID
-game_target_ip()
-{
-	echo 10.69.69.$1
-	### echo 10.60.$1.1
-}
-export -f game_target_ip
-
-# NOP TEAM ID
-export GAME_NOP_TEAM=0
-
-# For how many non-current rounds are flags valid at a time?
-# It doesn't make sense for this to be less than 0.
-# Setting to 0 means only the current round is valid.
-export GAME_VALID_ROUNDS=5
-
-# Function exploit.sh should call on errors.
-# Args:	service	team	pwd	usr@pc	message
-# 	1	2	3	4	5
-exploit_error_handler()
-{
-	notify-send --version > /dev/null && notify-send "exploit.sh ERROR" "$5" --urgency critical
-}
-export -f exploit_error_handler
-
-# Max exploit execution time
-export EXPLOIT_TIMEOUT=5
-
-# ==========================
-# ====== SUBMISSION.PY =====
-
-# This regex is used to verify flags before storing them
-# It can be .*, no problem, just make sure you're then not sending invalid flags
-# to submission TCP -- you shouldn't anyways, as submission expects flags neatly
-# line by line, it will not clean up random bullshit.
-# Don't just send exploit stdout to submission, use exploit.sh!
-export FLAG_REGEX_MATCH="^[A-Z0-9]{31}=$"
-
-# Where to store flags -- sqlite3 db
-export SUBMISSION_DB=flags.db
-
-# How much flags to send in one request.
-# With 2560, if it takes 37 bytes per flag, 2560*37=94720
-# Ostane nam torej še dobrih 5280 za headerje,
-# če je request limited na 100 kB
-export SUBMISSION_MAX_FLAGS=2560
-
-# PUT request, ECSC 2024 AD style
-export SUBMISSION_URL=http://z.4a.si/dir/submit.php
-### export SUBMISSION_URL=http://10.10.0.1:8080/flags
-
-# How many seconds to delay after a successful submission.
-# With 15, we send at most 4 requests per minute out of 15 allowed.
-export SUBMISSION_DELAY=15
-
-# This is sent in X-Team-Token in requests to SUBMISSION_URL
-export SUBMISSION_TEAM_TOKEN=e5152d70a4d18093cae8844f4e959cf1
-
-# Where to bind to. Use SUBMISSION_PORT in common settings for port.
-export SUBMISSION_BIND=::
diff --git a/iv/orodja/napad/exploit.sh b/iv/orodja/napad/exploit.sh
index b482c06..9e2cafb 100755
--- a/iv/orodja/napad/exploit.sh
+++ b/iv/orodja/napad/exploit.sh
@@ -25,6 +25,7 @@ Set the following environment variables to alter behaviour:
 		waiting for the next round. Only valid for loop subcommand.
 	EXPLOIT_VERBOSE=1: print _every_ line executed by $0 (set -x)
 	EXPLOIT_NOTPARALLEL=1: disable parallel even if parallel is available
+$EXPLOIT_ADDITIONAL_HELP_TEXT
 EOF
 	exit 1
 fi
diff --git a/iv/orodja/napad/genconfig.sh b/iv/orodja/napad/genconfig.sh
new file mode 100755
index 0000000..825da18
--- /dev/null
+++ b/iv/orodja/napad/genconfig.sh
@@ -0,0 +1,114 @@
+#!/bin/bash
+set -xeuo pipefail
+statusresp=`curl --fail-with-body --no-progress-meter https://ad.ecsc2024.it/api/status`
+starttime=`jq --raw-output .start <<<"$statusresp"`
+roundtime=`jq --raw-output .roundTime <<<"$statusresp"`
+team_names=`jq --raw-output .teams.[].shortname <<<"$statusresp" | tr $'\n' ' '`
+team_numbers=`jq --raw-output .teams.[].id <<<"$statusresp" | tr $'\n' ' '`
+services=`jq --raw-output .services.[].shortname <<<"$statusresp" | tr $'\n' ' '`
+cat <<EOF
+# THIS CONFIG IS AUTOGENERATED BY genconfig.sh, edit config values there!
+# Common config for exploit.sh, submission.py and nadzor.py
+# It is to be sourced. It only sets environment variables.
+
+# ==========================
+# ========= COMMON =========
+
+export SUBMISSION_PORT=21502
+
+# ==========================
+# ======= EXPLOIT.SH =======
+
+# Additional help text
+export EXPLOIT_ADDITIONAL_HELP_TEXT="Services: $services"
+
+# This regex is used to grep -Eo flags from stdout of exploits before submitting them
+export FLAG_REGEX_SEARCH="[A-Za-z0-9]{31}="
+
+# Where can exploit.sh find submission.py. Port is a common setting.
+export SUBMISSION_HOST=localhost
+### export SUBMISSION_HOST=k.4a.si
+
+# Must be precise, not less than round duration. Used to calculate round id.
+export ROUND_DURATION=$roundtime
+
+# When does the game start (in UTC). Used to calculate current round id.
+export GAME_START=$starttime
+
+# Team numbers to attack
+export GAME_TEAMS="$team_numbers"
+###export GAME_TEAMS={0..10}
+EOF
+cat <<'EOF'
+# Flag IDs URL
+game_flag_ids_url()
+{
+	echo http://splet.4a.si/dir/flagids.txt
+	### echo "http://10.10.0.1:8081/flagIds?service=$1&team=$2&round=$3"
+}
+export -f game_flag_ids_url
+
+# Target IP from ID
+game_target_ip()
+{
+	echo 10.69.69.$1
+	### echo 10.60.$1.1
+}
+export -f game_target_ip
+
+# NOP TEAM ID
+export GAME_NOP_TEAM=0
+
+# For how many non-current rounds are flags valid at a time?
+# It doesn't make sense for this to be less than 0.
+# Setting to 0 means only the current round is valid.
+export GAME_VALID_ROUNDS=4
+
+# Function exploit.sh should call on errors.
+# Args:	service	team	pwd	usr@pc	message
+# 	1	2	3	4	5
+exploit_error_handler()
+{
+	notify-send --version > /dev/null && notify-send "exploit.sh ERROR" "$5" --urgency critical
+}
+export -f exploit_error_handler
+
+# Max exploit execution time
+export EXPLOIT_TIMEOUT=5
+
+# ==========================
+# ====== SUBMISSION.PY =====
+
+# This regex is used to verify flags before storing them
+# It can be .*, no problem, just make sure you're then not sending invalid flags
+# to submission TCP -- you shouldn't anyways, as submission expects flags neatly
+# line by line, it will not clean up random bullshit.
+# Don't just send exploit stdout to submission, use exploit.sh!
+export FLAG_REGEX_MATCH="^[A-Z0-9]{31}=$"
+
+# Where to store flags -- sqlite3 db
+export SUBMISSION_DB=flags.db
+
+# How much flags to send in one request.
+# With 2560, if it takes 37 bytes per flag, 2560*37=94720
+# Ostane nam torej še dobrih 5280 za headerje,
+# če je request limited na 100 kB
+export SUBMISSION_MAX_FLAGS=2560
+
+# PUT request, ECSC 2024 AD style
+export SUBMISSION_URL=http://z.4a.si/dir/submit.php
+### export SUBMISSION_URL=http://10.10.0.1:8080/flags
+
+# How many seconds to delay after a successful submission.
+# With 15, we send at most 4 requests per minute out of 15 allowed.
+export SUBMISSION_DELAY=15
+
+# This is sent in X-Team-Token in requests to SUBMISSION_URL
+export SUBMISSION_TEAM_TOKEN=e5152d70a4d18093cae8844f4e959cf1
+
+# Where to bind to. Use SUBMISSION_PORT in common settings for port.
+export SUBMISSION_BIND=::
+
+# ==========================
+# ======== NADZOR.PY =======
+EOF
diff --git a/iv/orodja/napad/index.html b/iv/orodja/napad/index.html
deleted file mode 100644
index 6c5d495..0000000
--- a/iv/orodja/napad/index.html
+++ /dev/null
@@ -1,4 +0,0 @@
-<meta name=viewport content='width=device-width, initial-scale=1.0'>
-<meta charset=utf-8 />
-<title>submission.py</title>
-<h1>submission.py</h1>
diff --git a/iv/orodja/napad/nadzor.py b/iv/orodja/napad/nadzor.py
new file mode 100755
index 0000000..515aa3e
--- /dev/null
+++ b/iv/orodja/napad/nadzor.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+from flask import Flask, render_template, request
+import os
+import sqlite3
+import sys
+
+
+app = Flask(__name__)
+
+@app.route("/", methods=["GET"])
+def frontend():
+	return render_template("frontend.html")
+
+@app.route("/sql", methods=["POST"])
+def sql():
+	with sqlite3.connect(os.getenv("SUBMISSION_DB", "flags.db")) as db:
+		db.setconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE, True)
+		rows = []
+		for row in db.execute(request.data.decode()):
+			columns = []
+			for column in row:
+				if type(column) == bytes:
+					columns.append(column.decode("utf-8", errors="surrogateescape"))
+				else:
+					columns.append(column)
+			rows.append(columns)
+		return rows
+
+if __name__ == "__main__":
+	port = 21503
+	host = "::"
+	if len(sys.argv) > 1:
+		port = int(sys.argv[1])
+	if len(sys.argv) > 2:
+		host = sys.argv[2]
+	app.run(port=port, debug=True, host=host)
diff --git a/iv/orodja/napad/submission.py b/iv/orodja/napad/submission.py
index 4a44947..c345bdb 100755
--- a/iv/orodja/napad/submission.py
+++ b/iv/orodja/napad/submission.py
@@ -5,9 +5,8 @@ import re
 import sqlite3
 import aiohttp
 import traceback
-import json
 db = sqlite3.connect(os.getenv("SUBMISSION_DB", "flags.db"))
-db.execute("CREATE TABLE IF NOT EXISTS flags (id INTEGER PRIMARY KEY, flag TEXT NOT NULL UNIQUE, team INTEGER, service BLOB, round INTEGER, context BLOB, sent INTEGER NOT NULL DEFAULT 0, date TEXT DEFAULT (strftime('%FT%R:%f', 'now')) NOT NULL, status TEXT, msg TEXT) STRICT")
+db.execute("CREATE TABLE IF NOT EXISTS flags (id INTEGER PRIMARY KEY, flag TEXT NOT NULL UNIQUE, team INTEGER, service BLOB, round INTEGER, context BLOB, sent INTEGER NOT NULL DEFAULT 0, date TEXT DEFAULT (strftime('%FT%R:%f', 'now')) NOT NULL, status TEXT, msg TEXT, submitted TEXT) STRICT") # submitted is date
 flag_regex = re.compile(os.getenv("FLAG_REGEX_MATCH", "^[A-Z0-9]{31}=$").encode(), re.ASCII | re.DOTALL | re.VERBOSE)
 async def submitter ():
 	while True:
@@ -40,18 +39,14 @@ async def submitter ():
 							break
 						cursor = db.cursor()
 						for obj in await response.json():
-							cursor.execute("UPDATE flags SET sent=?, status=?, msg=? WHERE flag=?", [int(obj.get("status") != "RESUBMIT"), obj.get("status"), obj.get("msg"), obj.get("flag")])
+							cursor.execute("UPDATE flags SET sent=?, status=?, msg=?, submitted=strftime('%FT%R:%f', 'now') WHERE flag=?", [int(obj.get("status") != "RESUBMIT"), obj.get("status"), obj.get("msg"), obj.get("flag")])
 						db.commit()
 				except Exception as e:
 					traceback.print_exc()
 		await asyncio.sleep(int(os.getenv("SUBMISSION_DELAY", "15")))
 async def handle_client (reader, writer):
-	linenumber = -1
-	http_request = None
-	http_headers = dict()
 	while True:
-		linenumber += 1
-		try:
+		try: # SUBMISSION LINE FORMAT: "flag teamnumber roundnumber service any other context"
 			incoming = await reader.readuntil(b'\n')
 		except asyncio.exceptions.IncompleteReadError as e:
 			if int(str(e).split(" ")[0]) == 0:
@@ -60,93 +55,9 @@ async def handle_client (reader, writer):
 		if len(incoming) == 0:
 			break
 		buffer = incoming.replace(b'\r', b'').replace(b'\n', b'')
-		if http_request:
-			if len(buffer) == 0:
-				if http_request[1] == b"/":
-					with open("index.html", "rb") as index:
-						if http_request[0] != b"GET":
-							writer.write(b'HTTP/1.0 405 Method Not Allowed\r\nContent-Type: text/plain\r\n\r\n405 Method Not Allowed. Try GET.\r\n')
-							break
-						writer.write(b'HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n')
-						writer.write(index.read())
-						break
-				elif http_request[1] == b"/python":
-					if http_request[0] != b"POST":
-						writer.write(b'HTTP/1.0 405 Method Not Allowed\r\nContent-Type: text/plain\r\n\r\n405 Method Not Allowed. Try POST.\r\n')
-						break
-					if b'content-length' not in http_headers.keys():
-						writer.write(b'HTTP/1.0 411 Length Required\r\nContent-Type: text/plain\r\n\r\n411 Length Required.\r\n')
-						break
-					post_body = None
-					try:
-						post_body = await reader.read(int(http_headers.get(b'content-length').decode()))
-					except Exception as e:
-						writer.write(b'HTTP/1.0 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nBad request. ' + str(e).encode() + b"\r\n")
-						raise e
-						break
-					try:
-						writer.write(b"HTTP/1.0 200 OK\r\nContent-Type: application/json\r\n\r\n" + eval(post_body))
-						break
-					except Exception as e:
-						writer.write(b"HTTP/1.0 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n" + str(e).encode() + b"\r\n")
-						raise e
-						break
-				elif http_request[1] == b"/sql":
-					if http_request[0] != b'POST':
-						writer.write(b'HTTP/1.0 405 Method Not Allowed\r\nContent-Type: text/plain\r\n\r\n405 Method Not Allowed. Try POST.\r\n')
-						break
-					if b'content-length' not in http_headers.keys():
-						writer.write(b'HTTP/1.0 411 Length Required\r\nContent-Type: text/plain\r\n\r\n411 Length Required.\r\n')
-						break
-					post_body = None
-					try:
-						post_body = (await reader.read(int(http_headers.get(b'content-length').decode()))).decode()
-					except Exception as e:
-						writer.write(b'HTTP/1.0 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nBad request. ' + str(e).encode() + b"\r\n")
-						raise e
-						break
-					try:
-						rows = []
-						for row in db.execute(post_body):
-							columns = []
-							for column in row:
-								if type(column) == bytes:
-									columns.append(column.decode("utf-8", errors="surrogateescape"))
-								else:
-									columns.append(column)
-							rows.append(columns)
-						response = json.dumps(rows, ensure_ascii=False, indent=1)
-					except Exception as e:
-						writer.write(b'HTTP/1.0 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n500 Internal Server Error. ' + str(e).encode() + b"\r\n")
-						raise e
-						break
-					else:
-						writer.write(b'HTTP/1.0 200 OK\r\nContent-Type: application/json\r\n\r\n' + response.encode())
-						break
-				else:
-					writer.write(b'HTTP/1.0 404 Not Found\r\nContent-Type: text/plain\r\n\r\n404 Not Found')
-					break
-			splitbuf = buffer.split(b': ')
-			headername = splitbuf.pop(0).lower()
-			http_headers[headername] = b': '.join(splitbuf)
-			continue
-		if linenumber == 0 and re.match(b'[A-Z]+ [/A-Za-z0-9?&=%+~]+ HTTP/[0-9.]+', buffer):
-			http_request = buffer.split(b' ')
-			continue
-		if buffer.startswith(b' '):
-			for row in db.execute(buffer[1:].decode()):
-				writer.write(str(row).encode() + b'\n')
-			continue
-		if buffer.startswith(b'@'):
-			writer.write(str(db.execute(buffer[1:].decode()).fetchall()).encode() + b'\n')
-			continue
-		if buffer.startswith(b'#'):
-			writer.write(str(len(db.execute(buffer[1:].decode()).fetchall())).encode() + b'\n')
-			continue
 		if re.match(flag_regex, buffer.split(b' ')[0]) == None:
 			writer.write(b'BAD_FLAG\n')
 			continue
-		# SUBMISSION LINE FORMAT: "flag teamnumber roundnumber service any other context"
 		flag = buffer.split(b' ')[0].decode()
 		context = b' '.join(buffer.split(b' ')[1:])
 		try:
diff --git a/iv/orodja/napad/templates/frontend.html b/iv/orodja/napad/templates/frontend.html
new file mode 100644
index 0000000..8f0389d
--- /dev/null
+++ b/iv/orodja/napad/templates/frontend.html
@@ -0,0 +1,58 @@
+<meta name=viewport content='width=device-width, initial-scale=1.0'>
+<meta charset=utf-8 />
+<style>
+table, td, tr, th {
+	border: 1px solid red;
+}
+</style>
+<title>napad/nadzor.py</title>
+<h1>napad/nadzor.py</h1>
+<table>
+<tr>
+<th>
+ime podatka
+</th>
+<th>
+vrednost
+</th>
+</tr>
+<tr><td>čas zadnje ACCEPTED zastavice</td><td id=lastaccepteddate></td></tr>
+<tr><td>neposlanih zastavic</td><td id=notsentcount></td></tr>
+</table>
+<div id=groupbymsg></div>
+<label for=customquery>
+<h3>custom query</h3>
+</label>
+<textarea cols=80 id=customquery placeholder="select * from flags limit 10">select flag,date,msg from flags limit 10</textarea>
+<div id=customqueryres></div>
+<script>
+function htmltablefromquery (rows) {
+	let table = document.createElement("table");
+	for (let i = 0; i < rows.length; i++) {
+		let tr = document.createElement("tr");
+		for (let j = 0; j < rows[i].length; j++) {
+			let td = document.createElement("td");
+			td.innerText = rows[i][j];
+			tr.appendChild(td);
+		}
+		let td = document.createElement("td");
+		td.innerText = rows[i][1];
+		table.appendChild(tr);
+	}
+	return table;
+}
+async function refreshview () {
+	fetch("sql", {"method": "post", "body": "select count(flag) from flags where sent=0"}).then((r) => {r.json().then((t)=>{notsentcount.innerText = t[0][0]})});
+	let msgskip = 6; // 36 v dejanski igri
+	fetch("sql", {"method": "post", "body": "select substr(msg, " + msgskip + "),count(substr(msg, " + msgskip + ")) from flags group by substr(msg, " + msgskip + ")"}).then((r) => {r.json().then((rows)=>{
+		groupbymsg.innerHTML = "";
+		groupbymsg.appendChild(htmltablefromquery(rows));
+	})});
+	fetch("sql", {"method": "post", "body": "select submitted from flags where status='ACCEPTED' order by submitted desc limit 1"}).then((r) => {r.json().then((t)=>{lastaccepteddate.innerText = t[0][0]})});
+	fetch("sql", {"method": "post", "body": customquery.value}).then((r) => {r.json().then((rows)=>{
+		customqueryres.innerHTML = "";
+		customqueryres.appendChild(htmltablefromquery(rows));
+	})});
+}
+setInterval(refreshview, 5555);
+</script>
-- 
cgit v1.2.3