Merge branch 'master' of github.com:cybermouflons/CCSC-CTF-2024

cybermouflons · May 1, 2024 · a4dc659 · a4dc659
2 parents 428195c + c6fdd83
commit a4dc659
Show file tree

Hide file tree

Showing 20 changed files with 14,060 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -87,6 +87,7 @@ Although some of the challenges may run as is, it is recommended that you have d
 | [Microbuns](./web/microbuns) | koks |
 | [Portal](./web/portal) | YetAnotherAlt123 |
 | [ShodanQL](./web/shodanql) | sAINT_barber |
+| [ShodanQL - Revenge](./web/shodanql_revenge) | sAINT_barber |
 | [Underground Watch - Part 1](./web/underground_watch_part_1) | sAINT_barber |
 | [Warriors Tech Shop](./web/warriors_tech_shop) | sAINT_barber |
 

diff --git a/web/shodanql_revenge/README.md b/web/shodanql_revenge/README.md
@@ -0,0 +1,27 @@
+# ShodanQL - Revenge
+
+[![Try in PWD](https://raw.githubusercontent.com/play-with-docker/stacks/master/assets/images/button.png)](https://labs.play-with-docker.com/?stack=https://raw.githubusercontent.com/cybermouflons/CCSC-CTF-2024/master/web/shodanql_revenge/docker-compose.yml)
+
+
+**Category**: web
+
+**Author**: sAINT_barber
+
+## Description
+
+We found this website that seems to list all systems OrionTech as owned.
+Can you access the admin page and take the site down for good?
+
+
+
+## Run locally
+
+Launch challenge:
+```
+curl -sSL https://raw.githubusercontent.com/cybermouflons/CCSC-CTF-2024/master/web/shodanql_revenge/docker-compose.yml | docker compose -f - up -d
+```
+
+Shutdown challenge:
+```
+curl -sSL https://raw.githubusercontent.com/cybermouflons/CCSC-CTF-2024/master/web/shodanql_revenge/docker-compose.yml | docker compose -f - down
+```
diff --git a/web/shodanql_revenge/challenge.yml b/web/shodanql_revenge/challenge.yml
@@ -0,0 +1,28 @@
+name: "ShodanQL - Revenge" 
+author: "sAINT_barber"
+category: web
+
+description: |
+  We found this website that seems to list all systems OrionTech as owned.
+  Can you access the admin page and take the site down for good?
+
+
+value: 500
+type: dynamic_docker
+extra:
+  initial: 500
+  minimum: 100
+  decay: 25
+  redirect_type: http
+  compose_stack: !filecontents docker-compose.yml
+
+
+flags:
+  - CCSC{pwn1nG_w1th_SQL1_1nj3ct10n_s1nc3_1998_for_real_this_time}
+
+tags:
+  - beginner
+
+
+state: visible
+version: "0.1"
diff --git a/web/shodanql_revenge/docker-compose.yml b/web/shodanql_revenge/docker-compose.yml
@@ -0,0 +1,16 @@
+
+
+services:
+
+  webapp:
+    image: ghcr.io/cybermouflons/ccsc2024/shodanql_revenge:latest # Add in prod
+    build: ./setup/
+    ports:
+      - 3003:3003 # Port should be changed
+    environment:
+      admin_username: admin
+      admin_password: Super_Secret_P@ssw0rd!@project-Echo_
+      flag: CCSC{pwn1nG_w1th_SQL1_1nj3ct10n_s1nc3_1998_for_real_this_time}
+
+
+
diff --git a/web/shodanql_revenge/public/.gitkeep b/web/shodanql_revenge/public/.gitkeep
diff --git a/web/shodanql_revenge/setup/.dockerignore b/web/shodanql_revenge/setup/.dockerignore
@@ -0,0 +1,2 @@
+node_modules
+Dockerfile
diff --git a/web/shodanql_revenge/setup/Dockerfile b/web/shodanql_revenge/setup/Dockerfile
@@ -0,0 +1,19 @@
+FROM node:20
+
+WORKDIR /app
+
+COPY package*.json ./
+
+COPY routes/ routes/
+COPY static/ static/
+COPY views/ views/
+COPY middleware/ middleware/
+COPY server.js server.js
+COPY database.js database.js
+
+RUN npm install
+
+EXPOSE 3003
+# CMD ["npm", "run", "dev"] # Develpment only
+
+CMD ["npm", "run", "start"] # prod
diff --git a/web/shodanql_revenge/setup/database.js b/web/shodanql_revenge/setup/database.js
@@ -0,0 +1,110 @@
+const sqlite = require('sqlite-async');
+const crypto = require('crypto');
+
+const generateRandomData = () => {
+    const cities = ['Nicosia', 'Limassol', 'Larnaca', 'Famagusta', 'Paphos'];
+    const operatingSystems = ['Windows', 'Linux', 'Android', 'iOS'];
+
+    // Generate random IP address
+    const generateRandomIpAddress = () => {
+        const octets = Array.from({ length: 4 }, () => Math.floor(Math.random() * 256));
+        return octets.join('.');
+    };
+
+    // Generate random data and insert into the systems table
+    const ip_address = generateRandomIpAddress();
+    const country = 'Cyprus';
+    const city = cities[Math.floor(Math.random() * cities.length)];
+    const os = operatingSystems[Math.floor(Math.random() * operatingSystems.length)];
+
+    return { ip_address, country, city, os }
+};
+
+
+class Database {
+    constructor(db_file) {
+        this.db_file = db_file;
+        this.db = undefined;
+    }
+
+    async connect() {
+        this.db = await sqlite.open(this.db_file);
+    }
+
+    async migrate() {
+        var username = process.env.admin_username
+        var password = process.env.admin_password + crypto.randomBytes(3).toString("hex")
+
+        // Users Table Init
+        this.db.exec(`
+        DROP TABLE IF EXISTS users;
+            CREATE TABLE IF NOT EXISTS users (
+                id         INTEGER NOT  NULL PRIMARY KEY AUTOINCREMENT,
+                username   VARCHAR(255) NOT NULL UNIQUE,
+                password   VARCHAR(255) NOT NULL,
+                is_admin   tinyint NOT NULL
+            );
+            INSERT INTO users (username, password, is_admin) VALUES
+                ('${username}', '${password}', 1)
+        `);
+
+        this.db.exec(`
+        DROP TABLE IF EXISTS systems;
+            CREATE TABLE IF NOT EXISTS systems (
+                id           INTEGER NOT  NULL PRIMARY KEY AUTOINCREMENT,
+                ip_address   VARCHAR(255) NOT NULL UNIQUE,
+                country      VARCHAR(255) NOT NULL,
+                city         VARCHAR(255) NOT NULL,
+                os           VARCHAR(255) NOT NULL
+            );
+        `);
+
+
+        for (let i = 1; i <= 30; i++) {
+            const { ip_address, country, city, os } = generateRandomData();
+            this.db.exec(`
+            INSERT INTO systems (ip_address, country, city, os) VALUES
+                ('${ip_address}', '${country}', '${city}', '${os}');
+            `)
+        }
+
+        return;
+    }
+
+    // User Functions
+    async login(user, pass) {
+        return new Promise(async(resolve, reject) => {
+            try {
+                let stmt = await this.db.prepare('SELECT * FROM users WHERE username = ? and password = ?');
+                resolve(await stmt.get(user, pass));
+            } catch (e) {
+                reject(e);
+            }
+        });
+    }
+
+    async search(ip_address) {
+        return new Promise(async(resolve, reject) => {
+            try {
+                let system = await this.db.all(`SELECT * FROM systems WHERE ip_address = '${ip_address}'`);
+                resolve(system);
+            } catch (e) {
+                reject(e)
+            }
+        });
+    }
+
+    async getSystems() {
+        return new Promise(async(resolve, reject) => {
+            try {
+                const items = await this.db.all('SELECT * FROM systems');
+                resolve(items);
+            } catch (e) {
+                reject(e);
+            }
+        });
+    }
+
+}
+
+module.exports = Database;
diff --git a/web/shodanql_revenge/setup/middleware/authMiddleware.js b/web/shodanql_revenge/setup/middleware/authMiddleware.js
@@ -0,0 +1,22 @@
+
+function isAdmin(req, res, next){
+
+
+    if(req.session.user && req.session.user.is_admin){
+
+        next()
+
+    }else{
+        return res.render('login.html', { error: 'Log in as admin!'} )
+
+    }
+
+
+
+}
+
+
+module.exports = {
+    isAdmin
+};
+