* Extract config/fetch-gh-release.sh helper; 6 Dockerfile RUN blocks
(opengrep, cutter, ghidra, retdec, imhex, pwninit) now call it
instead of repeating curl+jq+wget+empty-check inline.
* MOTD: echo '\n...' → printf so newlines render in /etc/motd.
* IDA Free: replace dead regex check with `file ... | grep ELF`
and add post-install ida64 binary check.
* Ghidra: replace `mv /opt/ghidra_*` glob with explicit `find`
plus ghidraRun executable check.
* Binary Ninja: add existence check before symlink.
* retdec: validate /opt/retdec/bin exists and only symlink
actual executables; error if none found.
* zsh_history: COPY moved after oh-my-zsh install with --chown
so the installer can't overwrite the pre-populated history.
* MOTD: rephrase decomp2dbg note (not installed; user installs).
* Set PWNDBG_NO_AUTOUPDATE=1 — /opt/pwndbg is root-owned, so the
ctf user otherwise sees a "Permission denied" wall on every
gdb-pwndbg launch.
CI:
* New shellcheck step via ludeeus/action-shellcheck.
* Trivy vuln scan (HIGH/CRITICAL, ignore-unfixed) after smoke test.
* Smoke test now functionally invokes each tool (r2 -qv, pwn
checksec, pwntools/capstone/keystone/unicorn import via the pipx
venv python, gdb-multiarch -nx --batch, gdb-pwndbg --batch).
Docs:
* README: new "Security & Trade-offs" section covering passwordless
sudo, unpinned git plugins, and the Wayback IDA snapshot.
* README: fix checksec example (apt pkg not installed) → pwn checksec;
same fix in config/zsh_history.
* README: remove duplicate pwninit row; add ImHex to GUI tools list.
* config/gdbinit: one-line purpose comment.
Requires X11 forwarding. On Linux this works natively; on macOS install [XQuartz](https://www.xquartz.org/), on Windows install [VcXsrv](https://sourceforge.net/projects/vcxsrv/) or use WSLg.
122
122
@@ -132,6 +132,7 @@ ida64 ./binary # launch IDA Free
Hit Ctrl+R and search. 78 commands covering all installed tools are already in your history -- no need to remember syntax.
206
207
208
+
## Security & Trade-offs
209
+
210
+
This image is built for **local CTF use**, not for hosting as a shared service. Three deliberate trade-offs to be aware of:
211
+
212
+
-**Passwordless sudo for `ctf`.** The `ctf` user has `NOPASSWD:ALL` so contestants can `apt-get install` extra packages mid-CTF. There is no privilege boundary inside the container — only the Docker isolation around it. Do **not** expose this container as a network service (e.g., via `socat`/`ncat`) without dropping sudo first.
213
+
-**GDB plugins (pwndbg, GEF, PEDA) and a few other git-cloned tools track the latest default branch.** This keeps the image fresh as CTF tooling evolves; the **weekly CI rebuild + smoke test** catches upstream breakage. The remaining risk is a malicious upstream commit shipping straight into a rebuild — pin a specific image digest (see *Reproducibility & Verification* above) if that's a concern.
214
+
-**IDA Free is fetched from a Wayback Machine snapshot** because Hex-Rays removed v8.4 from their CDN. The build validates that the downloaded blob is an ELF executable of plausible size, but cannot SHA-pin without access to the original asset. If the snapshot ever disappears the build fails loudly rather than silently producing a broken image.
215
+
216
+
CI runs **Trivy** against every build (fails on HIGH/CRITICAL OS/library CVEs with fixes available) and **shellcheck** on every shipped shell script, so regressions in either dimension block the push.
217
+
207
218
## Project Structure
208
219
209
220
```
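Review bot: In the IDA Free bullet, "cannot SHA-pin without access to the original asset" undersells what the build can do: it can still record the SHA-256 of the blob the snapshot serves today and fail on any later mismatch. That would not prove the file matches what Hex-Rays shipped, but it would detect the snapshot content changing between rebuilds, which the ELF and plausible-size checks do not. Either add that pin or state in the bullet that the ELF and size validation is a sanity check, not an integrity check. Separately, the passwordless sudo bullet says to drop sudo first but not how; a one-line pointer to the step would make the warning actionable.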
@@ -213,6 +224,8 @@ config/
213
224
gdb-gef # GDB launcher (GEF)
214
225
gdb-peda # GDB launcher (PEDA)
215
226
gdb-switch # Set default GDB plugin
227
+
gdbinit # Shared GDB plugin init (loaded by wrappers)
228
+
fetch-gh-release.sh # GitHub release asset fetcher (shared in Dockerfile)
216
229
jd-gui # java -jar wrapper
217
230
start-cutter.sh # GUI launcher with $DISPLAY check
218
231
start-ghidra.sh # GUI launcher with $DISPLAY check
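Review bot: The comment on the new fetch-gh-release.sh entry, "(shared in Dockerfile)", does not tell a reader that this is a build-time helper, while the entries around it (gdb-switch, jd-gui, start-cutter.sh) are launchers run inside the container. Suggest wording such as "build-time helper: fetches GitHub release assets for Dockerfile RUN blocks", and consider listing it apart from the launchers. The Security & Trade-offs section added in this commit covers git-cloned plugins and IDA Free but says nothing about the release assets this helper downloads; if those are fetched without a pinned version or checksum, that belongs in the same list.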