* added docker compose, support for php and added flags

2025-09-17 12:09:49 +02:00 · 2025-09-17 12:09:49 +02:00 · 0d6e29b1e8
commit 0d6e29b1e8
parent a4b1f68e34
11 changed files with 49 additions and 9 deletions
--- a/config/base.sql
+++ b/config/base.sql
@ -0,0 +1,9 @@
+CREATE TABLE users 
+(
+    user_id int PRIMARY KEY,
+    username varchar(25) NOT NULL,
+    pass varchar(80) NOT NULL 
+);
+-- cleartext pass ? but why of course
+INSERT INTO users (user_id,username,pass)
+VALUES (0,'admin','X82v7>P./~vC');
--- a/config/creds.txt
+++ b/config/creds.txt
@ -0,0 +1 @@
+l33t:h4x0r
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -13,6 +13,7 @@ RUN apt update && apt upgrade -y && \
    mysql-server \
    sudo \
    cowsay \
+    php \
    && rm -rf /var/lib/apt/lists/*

 # the user players will need to have access as
@ -21,16 +22,16 @@ RUN apt update && apt upgrade -y && \
 RUN useradd -m -s /bin/bash l33t \
 && echo "l33t:h4x0r" | chpasswd

-# foothold user with no sudo perms. Only access to the l33t user home directory.
-
-RUN useradd webmaster
-
 # apache2 config to change default 80 port to 31337

 RUN sed -i 's/^Listen 80/Listen 31337/' /etc/apache2/ports.conf

 RUN sed -i 's/<VirtualHost \*:80>/<VirtualHost *:31337>/' /etc/apache2/sites-available/000-default.conf

+# enable php module
+RUN ls /etc/apache2/mods-enabled/
+RUN a2enmod php*
+
 # copy the app

 COPY ./www/ /var/www/html/
@ -45,6 +46,20 @@ RUN printf 'l33t ALL=(ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l\n' > /e
    chmod 0440 /etc/sudoers.d/l33t && \
    visudo -cf /etc/sudoers.d/l33t

+# copy the l33t user creds and set 777 suid
+
+COPY ./config/creds.txt /home/l33t/
+RUN chmod 777 /home/l33t/creds.txt
+
+# copy the flags and set suid
+
+COPY ./flags/user.txt /home/l33t/
+RUN chown l33t:l33t /home/l33t/user.txt
+
+COPY ./flags/root.txt /root/
+RUN chown root:root /root/root.txt
+
+
 # 22 port -> ssh, 31337 port (suggestion) -> vulnerable webserver players need to find using nmap port scans

 EXPOSE 22
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -0,0 +1,10 @@
+services:
+  app:
+    hostname: srv1prod
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+    container_name: "ji-ctf-dockerized"
+    ports:
+      - "22:22"
+      - "31337:31337"
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@ -1,2 +0,0 @@
-#! /bin/bash
-
--- a/flags/root.txt
+++ b/flags/root.txt
@ -0,0 +1 @@
+epita{th3-sup3r-c0ws4y}
--- a/flags/user.txt
+++ b/flags/user.txt
@ -0,0 +1 @@
+epita{th3-tUx-g4ll3ry-1snT-4s-s3cUr3-4ft3r-4ll}
--- a/www/.htaccess
+++ b/www/.htaccess
@ -0,0 +1 @@
+DirectoryIndex index.php
--- a/www/include/nav.php
+++ b/www/include/nav.php
@ -10,5 +10,4 @@ echo "<nav class='navbar navbar-expand-lg navbar-light bg-light'>
        </li>
 </div>
    </nav>";
-
 ?>
--- a/www/index.php
+++ b/www/index.php
@ -22,7 +22,7 @@
                foreach (new DirectoryIterator('static/img/gallery') as $file) {
                    if($file->isDot()) continue;
                        print '<img class="tux-img" src="static/img/gallery/'. $file->getFilename() . '">'; // to do, is there an 'fstring' like for php ? just like in python
-                    }
+                    } // xss ? i call it a feature
            ?>
            </div>
        </section>
--- a/www/login.php
+++ b/www/login.php
@ -20,7 +20,12 @@
            <input type="button" class="btn btn-primary" value="Login">
        </form>
    </div>
-    <?php
+    <?php 
+    // to do :
+    // connect to mysql db
+    // add sqli vulnerable login functionnality
+    // ??
+    // profit
        if (! empty($_POST)) {
            $name = $_POST['username'];
            $password = $_POST['password'];
				`@ -0,0 +1 @@`
				`epita{th3-tUx-g4ll3ry-1snT-4s-s3cUr3-4ft3r-4ll}`