Flag Swapping for CTF¶
This was for an exercise I participated in where we thought we would need a way defend our servers against flags from other teams. I created a couple of scripts and then combined them into an iterative script to make it easier to execute once on the box so I wouldn't forget to change specific variables.
In the end, the script ended up not being necessary, but since it was a fun exercise to create it, I figured I'd just leave it here.
#!/bin/bash
# Prompt for base directory, expected flag, and new flag
echo "Enter FULL PATH to directory where flags are supposed to be placed (e.g., /home/username):"
read SEARCH_BASE
echo "Enter the specific 32-character flag:"
read NEW_FLAG
# Flag-swapping script filename
FLAG_SWAPPING_SCRIPT=".he1p"
# Decoy monitoring script filename
DECOY_SCRIPT="._svc_"
# Full path to the flag-swapping script
FULL_PATH="$SEARCH_BASE/$FLAG_SWAPPING_SCRIPT"
# Creating the flag-swapping script
cat > "$FULL_PATH" << EOF
#!/bin/bash
# Infinite loop to keep the script running
while true; do
# Use find to search for all files from the base directory
find "$SEARCH_BASE" -type f 2>/dev/null | while read -r file; do
# Check if the file is a text file using grep
if grep -Iq . "$file"; then
# Now, safely read the file's content as text
FILE_CONTENT=$(cat "$file")
# Check if the content has exactly 32 characters
if [ ${#FILE_CONTENT} -eq 32 ]; then
echo "Found file with exactly 32 characters in its content: $file"
# Check if the content matches the expected 32-character string
if [ "$FILE_CONTENT" == "$NEW_FLAG" ]; then
echo "Flag is correct. No action needed for file: $file"
else
# If not, replace the content of the file with the new specified flag
echo "Flag is incorrect. Replacing with the correct flag for file: $file"
echo "$NEW_FLAG" > "$file"
fi
fi
else
echo "Skipping binary file: $file"
fi
done
# Sleep for a random duration between 1 and 5 seconds
sleep $((1 + RANDOM % 5))
done
EOF
# Change permissions and ownership, then make the flag-swapping script executable
chmod 711 "$FULL_PATH" && chown root:root "$FULL_PATH"
sudo chattr +i "$FULL_PATH"
# Start flag-swapping script in the background
nohup bash "$FULL_PATH" >/dev/null 2>&1 &
# Guide for setting up the cron job
echo "Open crontab editor by running: crontab -e"
echo "Then add the following line to ensure the flag-swapping script's persistence:"
echo "* * * * * sleep \$((10 + RANDOM \% 6)) && $FULL_PATH &"
# Decoy monitoring script filename
DECOY_PATH="/usr/local/bin/$DECOY_SCRIPT"
# Creating the decoy monitoring script
cat > "$DECOY_PATH" << EOF
#!/bin/bash
SCRIPT_PATH="$FULL_PATH"
while true; do
if ! pgrep -f "\$(basename "\$SCRIPT_PATH")" >/dev/null; then
echo "Script is not running. Starting it now..."
bash "\$SCRIPT_PATH" >/dev/null 2>&1 &
fi
sleep \$((5 + RANDOM % 6))
done
EOF
# Change permissions and ownership, then make the decoy script executable and immutable
chmod 711 "$DECOY_PATH" && chown root:root "$DECOY_PATH"
sudo chattr +i "$DECOY_PATH"
# Start decoy monitoring script in the background
nohup bash "$DECOY_PATH" >/dev/null 2>&1 &
echo "The decoy monitoring script has been set up and started in the background at $DECOY_PATH"
echo "Remember, the decoy script runs continuously to check if the flag-swapping script is running and restarts it if necessary."
Backup Script
```bash
#!/bin/bash
# Prompt for base directory and new flag
echo "Enter FULL PATH to directory where flags are supposed to be placed (e.g., /home/username):"
read SEARCH_BASE
echo "Enter the specific flag in the format SKY-ABCD-1234:"
read NEW_FLAG
# Flag-swapping script filename
FLAG_SWAPPING_SCRIPT=".he1p"
# Decoy monitoring script filename
DECOY_SCRIPT="._svc_"
# Full path to the flag-swapping script
FULL_PATH="$SEARCH_BASE/$FLAG_SWAPPING_SCRIPT"
# Creating the flag-swapping script
cat > "$FULL_PATH" << EOF
#!/bin/bash
# Infinite loop to keep the script running
while true; do
# Use find to search for all files from the base directory
find "$SEARCH_BASE" -type f 2>/dev/null | while read -r file; do
# Check if the file is a text file using grep
if grep -Iq . "\$file"; then
# Now, safely read the file's content as text
FILE_CONTENT=\$(cat "\$file")
# Check if the content matches the expected pattern
if [[ "\$FILE_CONTENT" =~ SKY-[A-Za-z]{4}-[0-9]{4} ]]; then
echo "Found file with correct pattern: \$file"
# If pattern matches, replace the content of the file with the new specified flag
echo "$NEW_FLAG" > "\$file"
else
echo "Pattern not matched for file: \$file"
fi
else
echo "Skipping binary file: \$file"
fi
done
# Sleep for a random duration between 1 and 5 seconds
sleep \$((1 + RANDOM % 5))
done
EOF
# Change permissions and ownership, then make the flag-swapping script executable
chmod 711 "$FULL_PATH" && chown root:root "$FULL_PATH"
# Start flag-swapping script in the background
nohup bash "$FULL_PATH" >/dev/null 2>&1 &
# Guide for setting up the cron job
echo "Open crontab editor by running: crontab -e"
echo "Then add the following line to ensure the flag-swapping script's persistence:"
echo "* * * * * sleep \$((10 + RANDOM \% 6)) && $FULL_PATH &"
# Decoy monitoring script filename
DECOY_PATH="/usr/local/bin/$DECOY_SCRIPT"
# Creating the decoy monitoring script
cat > "$DECOY_PATH" << EOF
#!/bin/bash
SCRIPT_PATH="$FULL_PATH"
while true; do
if ! pgrep -f "\$(basename "\$SCRIPT_PATH")" >/dev/null; then
echo "Script is not running. Starting it now..."
bash "\$SCRIPT_PATH" >/dev/null 2>&1 &
fi
sleep \$((5 + RANDOM % 6))
done
EOF
# Change permissions and ownership, then make the decoy script executable
chmod 711 "$DECOY_PATH" && chown root:root "$DECOY_PATH"
# Start decoy monitoring script in the background
nohup bash "$DECOY_PATH" >/dev/null 2>&1 &
echo "The decoy monitoring script has been set up and started in the background at $DECOY_PATH"
echo "Remember, the decoy script runs continuously to check if the flag-swapping script is running and restarts it if necessary."
```