diff --git a/config/base.sql b/config/base.sql
new file mode 100644
index 0000000..e3ea94d
--- /dev/null
+++ b/config/base.sql
@@ -0,0 +1,9 @@
+CREATE TABLE users
+(
+ user_id int PRIMARY KEY,
+ username varchar(25) NOT NULL,
+ pass varchar(80) NOT NULL
+);
+-- cleartext pass ? but why of course
+INSERT INTO users (user_id,username,pass)
+VALUES (0,'admin','X82v7>P./~vC');
\ No newline at end of file
diff --git a/config/creds.txt b/config/creds.txt
new file mode 100644
index 0000000..2edec14
--- /dev/null
+++ b/config/creds.txt
@@ -0,0 +1 @@
+l33t:h4x0r
\ No newline at end of file
diff --git a/docker/Dockerfile b/docker/Dockerfile
index f140f1e..c2f75b9 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -13,6 +13,7 @@ RUN apt update && apt upgrade -y && \
 mysql-server \
 sudo \
 cowsay \
+ php \
 && rm -rf /var/lib/apt/lists/*
 
 # the user players will need to have access as
@@ -21,16 +22,16 @@ RUN apt update && apt upgrade -y && \
 RUN useradd -m -s /bin/bash l33t \
 && echo "l33t:h4x0r" | chpasswd
-# foothold user with no sudo perms. Only access to the l33t user home directory.
-
-RUN useradd webmaster
-
 # apache2 config to change default 80 port to 31337
 RUN sed -i 's/^Listen 80/Listen 31337/' /etc/apache2/ports.conf
 RUN sed -i 's///' /etc/apache2/sites-available/000-default.conf
+# enable php module
+RUN ls /etc/apache2/mods-enabled/
+RUN a2enmod php*
+
 # copy the app
 COPY ./www/ /var/www/html/
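Review bot: `username` carries no UNIQUE constraint, so nothing stops a second `admin` row and a login lookup by username may match several rows; `username varchar(25) NOT NULL UNIQUE` (or a named `CONSTRAINT users_username_key UNIQUE (username)`) closes that. The comment above the INSERT concedes that `pass` holds the password in cleartext; if that is a deliberate part of the challenge, the comment should say so explicitly (`-- password stored in cleartext on purpose: challenge element, do not hash`) so it is neither silently "fixed" nor copied into a non-challenge project, and the seeded literal is part of the git history from now on in any case. A trailing newline is also missing.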
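Review bot: `RUN a2enmod php*` depends on a glob that the shell expands against the build's working directory, not against `/etc/apache2/mods-available/`, so unless a2enmod expands the pattern itself it receives the literal `php*`; name the module explicitly (`RUN a2enmod php<VERSION>`, with the version the `php` package from the first hunk installs) so the build is deterministic, and check whether the step is needed at all, since the Debian/Ubuntu Apache PHP module package enables itself on install. `RUN ls /etc/apache2/mods-enabled/` is a leftover debug step that adds a layer without changing the image; drop it. The preceding context line `RUN sed -i 's///' ...` shows an empty substitution, which may be an artefact of how this diff was rendered, but is worth confirming in the repository.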
@@ -45,6 +46,20 @@ RUN printf 'l33t ALL=(ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l\n' > /e
 chmod 0440 /etc/sudoers.d/l33t && \
 visudo -cf /etc/sudoers.d/l33t
+# copy the l33t user creds and set 777 suid
+
+COPY ./config/creds.txt /home/l33t/
+RUN chmod 777 /home/l33t/creds.txt
+
+# copy the flags and set suid
+
+COPY ./flags/user.txt /home/l33t/
+RUN chown l33t:l33t /home/l33t/user.txt
+
+COPY ./flags/root.txt /root/
+RUN chown root:root /root/root.txt
+
+
 # 22 port -> ssh, 31337 port (suggestion) -> vulnerable webserver players need to find using nmap port scans
 EXPOSE 22
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index e69de29..8d69532 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -0,0 +1,10 @@
+services:
+ app:
+ hostname: srv1prod
+ build:
+ context: ..
+ dockerfile: docker/Dockerfile
+ container_name: "ji-ctf-dockerized"
+ ports:
+ - "22:22"
+ - "31337:31337"
\ No newline at end of file
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
deleted file mode 100644
index f682536..0000000
--- a/docker/entrypoint.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/bash
-
diff --git a/flags/root.txt b/flags/root.txt
new file mode 100644
index 0000000..0e636dd
--- /dev/null
+++ b/flags/root.txt
@@ -0,0 +1 @@
+epita{th3-sup3r-c0ws4y}
\ No newline at end of file
diff --git a/flags/user.txt b/flags/user.txt
new file mode 100644
index 0000000..650d065
--- /dev/null
+++ b/flags/user.txt
@@ -0,0 +1 @@
+epita{th3-tUx-g4ll3ry-1snT-4s-s3cUr3-4ft3r-4ll}
\ No newline at end of file
diff --git a/www/.htaccess b/www/.htaccess
new file mode 100644
index 0000000..2f6aa62
--- /dev/null
+++ b/www/.htaccess
@@ -0,0 +1 @@
+DirectoryIndex index.php
\ No newline at end of file
diff --git a/www/include/nav.php b/www/include/nav.php
index a1bc887..3dac8c2 100644
--- a/www/include/nav.php
+++ b/www/include/nav.php
@@ -10,5 +10,4 @@ echo "";
-
 ?>
\ No newline at end of file
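Review bot: The two new comments misdescribe what follows: `chmod 777` makes creds.txt readable and writable by every user but sets no setuid bit, and the flag steps only `chown`; rewrite them as `# copy the l33t user creds (world-readable/writable on purpose)` and `# copy the flags and set their owners`. Each `COPY` followed by `RUN chown` can be collapsed into one layer with `COPY --chown=l33t:l33t ./flags/user.txt /home/l33t/` (and `--chown=root:root` for root.txt), which also avoids storing the file in two layers; the mode change on creds.txt still needs its own step or BuildKit's `--chmod`. It is worth a comment that creds.txt, both flags and the `chpasswd` password from the earlier hunk are baked into image layers and readable by anyone who can pull the image without starting a container; for a CTF that is presumably acceptable, but it should be written down where the image is built.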
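Review bot: `- "22:22"` publishes the container's sshd on the host's own port 22 on every interface, which collides with a host sshd and makes the `l33t` account (password set by `chpasswd` in the Dockerfile) reachable from wherever the host is; map it to an unprivileged host port and, when the challenge is run locally, bind to loopback, e.g. `- "127.0.0.1:2222:22"`, treating 31337 the same way unless it is meant to be public. A short comment above `ports:` stating which ports are deliberately exposed to players would make that choice explicit. The file also ends without a trailing newline.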
diff --git a/www/index.php b/www/index.php
index d4c1054..ba6d174 100644
--- a/www/index.php
+++ b/www/index.php
@@ -22,7 +22,7 @@ foreach (new DirectoryIterator('static/img/gallery') as $file) {
 if($file->isDot()) continue;
 print '';
 // to do, is there an 'fstring' like for php ? just like in python
- }
+ } // xss ? i call it a feature
 ?>
diff --git a/www/login.php b/www/login.php
index a0aa4a0..4947bec 100644
--- a/www/login.php
+++ b/www/login.php
@@ -20,7 +20,12 @@
-
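Review bot: `// xss ? i call it a feature` sits on the closing brace of the foreach and names neither the output it refers to nor whether it is intentional, so a later maintainer cannot tell whether to escape it; move it to the `print` line and make it explicit, e.g. `// intentional challenge element: gallery filenames are printed without htmlspecialchars()` — assuming that print does emit the filename, which this rendering of the diff does not show. The `// to do, is there an 'fstring'` TODO on the line above can be closed: PHP interpolates `$var` and `{$expr}` inside double-quoted strings, and `sprintf` covers the rest. The enclosing foreach starts before the hunk.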