2025-09-23 19:05:50 +02:00
11 changed files with 49 additions and 9 deletions
--- a/config/base.sql
+++ b/config/base.sql
@ -0,0 +1,9 @@
 CREATE TABLE users 
 (
    user_id int PRIMARY KEY,
    username varchar(25) NOT NULL,
    pass varchar(80) NOT NULL 
 );
 -- cleartext pass ? but why of course
 INSERT INTO users (user_id,username,pass)
 VALUES (0,'admin','X82v7>P./~vC');
--- a/config/creds.txt
+++ b/config/creds.txt
@ -0,0 +1 @@
 l33t:h4x0r
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -13,6 +13,7 @@ RUN apt update && apt upgrade -y && \
    mysql-server \
    sudo \
    cowsay \
    php \
    && rm -rf /var/lib/apt/lists/*
 # the user players will need to have access as
@ -21,16 +22,16 @@ RUN apt update && apt upgrade -y && \
 RUN useradd -m -s /bin/bash l33t \
 && echo "l33t:h4x0r" | chpasswd
 # foothold user with no sudo perms. Only access to the l33t user home directory.
 RUN useradd webmaster
 # apache2 config to change default 80 port to 31337
 RUN sed -i 's/^Listen 80/Listen 31337/' /etc/apache2/ports.conf
 RUN sed -i 's/<VirtualHost \*:80>/<VirtualHost *:31337>/' /etc/apache2/sites-available/000-default.conf
 # enable php module
 RUN ls /etc/apache2/mods-enabled/
 RUN a2enmod php*
 # copy the app
 COPY ./www/ /var/www/html/
@ -45,6 +46,20 @@ RUN printf 'l33t ALL=(ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l\n' > /e
    chmod 0440 /etc/sudoers.d/l33t && \
    visudo -cf /etc/sudoers.d/l33t
 # copy the l33t user creds and set 777 suid
 COPY ./config/creds.txt /home/l33t/
 RUN chmod 777 /home/l33t/creds.txt
 # copy the flags and set suid
 COPY ./flags/user.txt /home/l33t/
 RUN chown l33t:l33t /home/l33t/user.txt
 COPY ./flags/root.txt /root/
 RUN chown root:root /root/root.txt
 # 22 port -> ssh, 31337 port (suggestion) -> vulnerable webserver players need to find using nmap port scans
 EXPOSE 22
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -0,0 +1,10 @@
 services:
  app:
    hostname: srv1prod
    build:
      context: ..
      dockerfile: docker/Dockerfile
    container_name: "ji-ctf-dockerized"
    ports:
      - "22:22"
      - "31337:31337"
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@ -1,2 +0,0 @@
 #! /bin/bash
--- a/flags/root.txt
+++ b/flags/root.txt
@ -0,0 +1 @@
 epita{th3-sup3r-c0ws4y}
--- a/flags/user.txt
+++ b/flags/user.txt
@ -0,0 +1 @@
 epita{th3-tUx-g4ll3ry-1snT-4s-s3cUr3-4ft3r-4ll}
--- a/www/.htaccess
+++ b/www/.htaccess
@ -0,0 +1 @@
 DirectoryIndex index.php
--- a/www/include/nav.php
+++ b/www/include/nav.php
@ -10,5 +10,4 @@ echo "<nav class='navbar navbar-expand-lg navbar-light bg-light'>
        </li>
 </div>
    </nav>";
 ?>
--- a/www/index.php
+++ b/www/index.php
@ -22,7 +22,7 @@
                foreach (new DirectoryIterator('static/img/gallery') as $file) {
                    if($file->isDot()) continue;
                        print '<img class="tux-img" src="static/img/gallery/'. $file->getFilename() . '">'; // to do, is there an 'fstring' like for php ? just like in python
-                    }
+                    } // xss ? i call it a feature
            ?>
            </div>
        </section>
--- a/www/login.php
+++ b/www/login.php
@ -21,6 +21,11 @@
        </form>
    </div>
    <?php 
    // to do :
    // connect to mysql db
    // add sqli vulnerable login functionnality
    // ??
    // profit
        if (! empty($_POST)) {
            $name = $_POST['username'];
            $password = $_POST['password'];
		`@ -0,0 +1 @@`
							`epita{th3-tUx-g4ll3ry-1snT-4s-s3cUr3-4ft3r-4ll}`