
move CMD python lab to CTF folder #192

Status: Open. Wants to merge 1 commit into base branch styling-improvement.

Conversation

NtAlexio2 (Contributor) commented:

This PR is the initial commit for CTF labs. From now on we can add CTF-style training laboratories.

Rules for adding CTF-style labs:

  • Add your language folder to the CTF folder in the root directory of the project, if it does not exist. For example: mkdir CTF\python
  • Add the new lab to the created directory. For example: CTF\python\RCE-lab-level-1
  • Done!

Current changes for the python CMD lab, which was an RCE case:

  • The new lab has a flag.txt file which contains the flag string.
  • The new lab has a ctf.py file which handles the CTF logic and returns the flag string if the user successfully exploited the vulnerability.
  • The flag is shown to the user if the lab is completed successfully!

As I mentioned above, this is an initial idea. Please let me know if we can improve it in any way ^^

RiieCco (Collaborator) commented Apr 17, 2023:

In this context, if you hit the regex by chance, or because you got in the general direction but did not yet have a fully developed payload, you already get the flag, right?

I would suggest not working with regexes as much as possible, but for each lab finding a way to have the flag on the server,
and then finding clever ways for them to jump through some hoops to get that flag eventually.

e.g.

  • For LFI you could store the flag on the server to retrieve.
  • For SQLi you can store a flag in the DB.
  • For CMD you can also store the flag on the server and read it with the RCE.
  • For XSS do session hijacking, and the admin account has the flag.
  • Etc.

What do you think? :-)

NtAlexio2 (Contributor, Author) commented:

Good idea.
For this specific lab (CMD), we should undo all changes except flag.txt. The user must find a way to find and read the content of flag.txt. One possible scenario would be:

  1. Find the RCE vulnerability.
  2. Find a directory that exposes our random files by crawling the site and/or checking the web page source code, and create random files in it using echo test > ../site/path/random.txt (in this lab it can be the /static/ path).
  3. Verify that by opening http://127.0.0.1:5000/static/random.txt in browser.
  4. Find the flag.txt file by executing ls > static/random.txt and checking the result in the browser.
  5. Read the content of flag.txt by executing cat flag.txt > static/random.txt.
  6. Proof!

How is that? We would apply a similar approach to the other labs, as you mentioned (no regex).
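The two verification schemes discussed in this thread, as an added example that is not code from the PR or from the project: a regex over the submitted payload (what RiieCco argues against) beside a check of the flag stored as flag.txt on the lab server (what ctf.py is meant to do). The module, the function names, the FLAG{...} format and the heuristic pattern are all assumptions made for the example; the lab path mirrors the CTF\python\RCE-lab-level-1 layout from the PR description.

```python
"""Added example (hypothetical helper, not part of the PR): flag-based lab
verification versus a regex heuristic over the submitted payload.

The thread's point: a regex rewards a payload that merely looks right, while a
flag that lives on the server is only obtained once the exploit actually works.
"""
import hmac
import re
import secrets
import tempfile
from pathlib import Path

FLAG_PREFIX = "FLAG{"  # assumed flag format for this example


def generate_flag() -> str:
    """Return a fresh random flag so one solved instance cannot be replayed on another."""
    return f"{FLAG_PREFIX}{secrets.token_hex(16)}" + "}"


def write_flag(lab_dir: Path, flag: str) -> Path:
    """Store the flag as flag.txt inside the lab directory, readable but not writable."""
    lab_dir.mkdir(parents=True, exist_ok=True)
    flag_path = lab_dir / "flag.txt"
    if flag_path.exists():
        flag_path.chmod(0o640)  # allow overwriting a flag left by a previous run
    flag_path.write_text(flag + "\n", encoding="utf-8")
    flag_path.chmod(0o440)  # the web app needs to read it; nobody needs to write it
    return flag_path


# --- scheme 1: regex over the submitted payload (the scheme the thread advises against) ---
PAYLOAD_PATTERN = re.compile(r"cat\s+.*flag", re.IGNORECASE)  # constructed heuristic


def regex_solved(payload: str) -> bool:
    """True whenever the payload text matches the heuristic, exploit or not."""
    return PAYLOAD_PATTERN.search(payload) is not None


# --- scheme 2: compare what the user submits with the flag stored on the server ---
def flag_solved(lab_dir: Path, submitted: str) -> bool:
    """True only if the submitted string equals the flag stored in flag.txt."""
    expected = (lab_dir / "flag.txt").read_text(encoding="utf-8").strip()
    # constant-time comparison so the check itself leaks nothing about the flag
    return hmac.compare_digest(expected.encode(), submitted.strip().encode())


def run_demo() -> dict:
    """Create a throwaway lab instance and score the same inputs under both schemes."""
    with tempfile.TemporaryDirectory() as tmp:
        lab_dir = Path(tmp) / "CTF" / "python" / "RCE-lab-level-1"
        flag = generate_flag()
        write_flag(lab_dir, flag)
        # constructed input: looks like a flag-reading command but never reads flag.txt
        partial_payload = "; cat nonexistent_flag_guess"
        wrong_flag = FLAG_PREFIX + "0" * 32 + "}"
        return {
            "regex_accepts_partial": regex_solved(partial_payload),   # True: false positive
            "flag_accepts_partial": flag_solved(lab_dir, partial_payload),  # False
            "flag_accepts_real": flag_solved(lab_dir, flag),          # True
            "flag_rejects_wrong": flag_solved(lab_dir, wrong_flag),   # False
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Running the module prints one line per case: the regex scheme accepts the partial payload, the flag scheme rejects it and accepts only the exact flag. A lab built this way needs no regex at all; ctf.py only has to compare the submitted value against flag.txt, and the flag can be regenerated per instance so write-ups do not leak a reusable answer.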
