* added docker compose, support for php and added flags
This commit is contained in:
		
							parent
							
								
									a4b1f68e34
								
							
						
					
					
						commit
						0d6e29b1e8
					
				
							
								
								
									
										9
									
								
								config/base.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										9
									
								
								config/base.sql
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,9 @@ | |||||||
|  | CREATE TABLE users  | ||||||
|  | ( | ||||||
|  |     user_id int PRIMARY KEY, | ||||||
|  |     username varchar(25) NOT NULL, | ||||||
|  |     pass varchar(80) NOT NULL  | ||||||
|  | ); | ||||||
|  | -- cleartext pass ? but why of course | ||||||
|  | INSERT INTO users (user_id,username,pass) | ||||||
|  | VALUES (0,'admin','X82v7>P./~vC'); | ||||||
							
								
								
									
										1
									
								
								config/creds.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								config/creds.txt
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1 @@ | |||||||
|  | l33t:h4x0r | ||||||
| @ -13,6 +13,7 @@ RUN apt update && apt upgrade -y && \ | |||||||
|     mysql-server \ |     mysql-server \ | ||||||
|     sudo \ |     sudo \ | ||||||
|     cowsay \ |     cowsay \ | ||||||
|  |     php \ | ||||||
|     && rm -rf /var/lib/apt/lists/* |     && rm -rf /var/lib/apt/lists/* | ||||||
| 
 | 
 | ||||||
| # the user players will need to have access as | # the user players will need to have access as | ||||||
| @ -21,16 +22,16 @@ RUN apt update && apt upgrade -y && \ | |||||||
| RUN useradd -m -s /bin/bash l33t \ | RUN useradd -m -s /bin/bash l33t \ | ||||||
| && echo "l33t:h4x0r" | chpasswd | && echo "l33t:h4x0r" | chpasswd | ||||||
| 
 | 
 | ||||||
| # foothold user with no sudo perms. Only access to the l33t user home directory. |  | ||||||
| 
 |  | ||||||
| RUN useradd webmaster |  | ||||||
| 
 |  | ||||||
| # apache2 config to change default 80 port to 31337 | # apache2 config to change default 80 port to 31337 | ||||||
| 
 | 
 | ||||||
| RUN sed -i 's/^Listen 80/Listen 31337/' /etc/apache2/ports.conf | RUN sed -i 's/^Listen 80/Listen 31337/' /etc/apache2/ports.conf | ||||||
| 
 | 
 | ||||||
| RUN sed -i 's/<VirtualHost \*:80>/<VirtualHost *:31337>/' /etc/apache2/sites-available/000-default.conf | RUN sed -i 's/<VirtualHost \*:80>/<VirtualHost *:31337>/' /etc/apache2/sites-available/000-default.conf | ||||||
| 
 | 
 | ||||||
|  | # enable php module | ||||||
|  | RUN ls /etc/apache2/mods-enabled/ | ||||||
|  | RUN a2enmod php* | ||||||
|  | 
 | ||||||
| # copy the app | # copy the app | ||||||
| 
 | 
 | ||||||
| COPY ./www/ /var/www/html/ | COPY ./www/ /var/www/html/ | ||||||
| @ -45,6 +46,20 @@ RUN printf 'l33t ALL=(ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l\n' > /e | |||||||
|     chmod 0440 /etc/sudoers.d/l33t && \ |     chmod 0440 /etc/sudoers.d/l33t && \ | ||||||
|     visudo -cf /etc/sudoers.d/l33t |     visudo -cf /etc/sudoers.d/l33t | ||||||
| 
 | 
 | ||||||
|  | # copy the l33t user creds and set 777 suid | ||||||
|  | 
 | ||||||
|  | COPY ./config/creds.txt /home/l33t/ | ||||||
|  | RUN chmod 777 /home/l33t/creds.txt | ||||||
|  | 
 | ||||||
|  | # copy the flags and set suid | ||||||
|  | 
 | ||||||
|  | COPY ./flags/user.txt /home/l33t/ | ||||||
|  | RUN chown l33t:l33t /home/l33t/user.txt | ||||||
|  | 
 | ||||||
|  | COPY ./flags/root.txt /root/ | ||||||
|  | RUN chown root:root /root/root.txt | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| # 22 port -> ssh, 31337 port (suggestion) -> vulnerable webserver players need to find using nmap port scans | # 22 port -> ssh, 31337 port (suggestion) -> vulnerable webserver players need to find using nmap port scans | ||||||
| 
 | 
 | ||||||
| EXPOSE 22 | EXPOSE 22 | ||||||
|  | |||||||
| @ -0,0 +1,10 @@ | |||||||
|  | services: | ||||||
|  |   app: | ||||||
|  |     hostname: srv1prod | ||||||
|  |     build: | ||||||
|  |       context: .. | ||||||
|  |       dockerfile: docker/Dockerfile | ||||||
|  |     container_name: "ji-ctf-dockerized" | ||||||
|  |     ports: | ||||||
|  |       - "22:22" | ||||||
|  |       - "31337:31337" | ||||||
| @ -1,2 +0,0 @@ | |||||||
| #! /bin/bash |  | ||||||
| 
 |  | ||||||
							
								
								
									
										1
									
								
								flags/root.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								flags/root.txt
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1 @@ | |||||||
|  | epita{th3-sup3r-c0ws4y} | ||||||
							
								
								
									
										1
									
								
								flags/user.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								flags/user.txt
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1 @@ | |||||||
|  | epita{th3-tUx-g4ll3ry-1snT-4s-s3cUr3-4ft3r-4ll} | ||||||
							
								
								
									
										1
									
								
								www/.htaccess
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								www/.htaccess
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1 @@ | |||||||
|  | DirectoryIndex index.php | ||||||
| @ -10,5 +10,4 @@ echo "<nav class='navbar navbar-expand-lg navbar-light bg-light'> | |||||||
|         </li> |         </li> | ||||||
| </div> | </div> | ||||||
|     </nav>";
 |     </nav>";
 | ||||||
| 
 |  | ||||||
| ?>
 | ?>
 | ||||||
| @ -22,7 +22,7 @@ | |||||||
|                 foreach (new DirectoryIterator('static/img/gallery') as $file) { |                 foreach (new DirectoryIterator('static/img/gallery') as $file) { | ||||||
|                     if($file->isDot()) continue; |                     if($file->isDot()) continue; | ||||||
|                         print '<img class="tux-img" src="static/img/gallery/'. $file->getFilename() . '">'; // to do, is there an 'fstring' like for php ? just like in python
 |                         print '<img class="tux-img" src="static/img/gallery/'. $file->getFilename() . '">'; // to do, is there an 'fstring' like for php ? just like in python
 | ||||||
|                     } |                     } // xss ? i call it a feature
 | ||||||
|             ?>
 |             ?>
 | ||||||
|             </div> |             </div> | ||||||
|         </section> |         </section> | ||||||
|  | |||||||
| @ -20,7 +20,12 @@ | |||||||
|             <input type="button" class="btn btn-primary" value="Login"> |             <input type="button" class="btn btn-primary" value="Login"> | ||||||
|         </form> |         </form> | ||||||
|     </div> |     </div> | ||||||
|     <?php |     <?php  | ||||||
|  |     // to do :
 | ||||||
|  |     // connect to mysql db
 | ||||||
|  |     // add sqli vulnerable login functionnality
 | ||||||
|  |     // ??
 | ||||||
|  |     // profit
 | ||||||
|         if (! empty($_POST)) { |         if (! empty($_POST)) { | ||||||
|             $name = $_POST['username']; |             $name = $_POST['username']; | ||||||
|             $password = $_POST['password']; |             $password = $_POST['password']; | ||||||
|  | |||||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user
	 david
						david