add another auth bypass level

pwncollege · Sep 1, 2024 · 70ecd59 · 70ecd59
1 parent 2193576
commit 70ecd59
Show file tree

Hide file tree

Showing 7 changed files with 74 additions and 4 deletions.
diff --git a/web-security/level-3/.config → web-security/auth-bypass-cookie/.config b/web-security/level-3/.config → web-security/auth-bypass-cookie/.config
diff --git a/web-security/auth-bypass-cookie/DESCRIPTION.md b/web-security/auth-bypass-cookie/DESCRIPTION.md
@@ -0,0 +1,3 @@
+Authentication bypasses are not always so trivial.
+Sometimes, the logic of the application might look correct, but again, the gap between what the developer expects to be true and what will actually be true rears its ugly head.
+Give this level a try, and remember: _you_ control the requests, including all the HTTP headers sent!
diff --git a/web-security/auth-bypass-cookie/server b/web-security/auth-bypass-cookie/server
@@ -0,0 +1,66 @@
+#!/opt/pwn.college/python
+
+import tempfile
+import sqlite3
+import flask
+import os
+
+app = flask.Flask(__name__)
+
+class TemporaryDB:
+    def __init__(self):
+        self.db_file = tempfile.NamedTemporaryFile("x", suffix=".db")
+
+    def execute(self, sql, parameters=()):
+        connection = sqlite3.connect(self.db_file.name)
+        connection.row_factory = sqlite3.Row
+        cursor = connection.cursor()
+        result = cursor.execute(sql, parameters)
+        connection.commit()
+        return result
+
+db = TemporaryDB()
+# https://www.sqlite.org/lang_createtable.html
+db.execute("""CREATE TABLE IF NOT EXISTS users AS SELECT "admin" AS username, ? as password""", [os.urandom(8).decode('latin1')])
+# https://www.sqlite.org/lang_insert.html
+db.execute("""INSERT INTO users SELECT "guest" as username, "password" as password""")
+
+@app.route("/", methods=["POST"])
+def challenge_post():
+    username = flask.request.form.get("username")
+    password = flask.request.form.get("password")
+    if not username:
+        flask.abort(400, "Missing `username` form parameter")
+    if not password:
+        flask.abort(400, "Missing `password` form parameter")
+
+    user = db.execute("SELECT rowid, * FROM users WHERE username = ? AND password = ?", (username, password)).fetchone()
+    if not user:
+        flask.abort(403, "Invalid username or password")
+
+    response = flask.redirect(flask.request.path)
+    response.set_cookie('session_user', username)
+    return response
+
+@app.route("/", methods=["GET"])
+def challenge_get():
+    page = "<html><body>"
+    if "session_user" not in flask.request.cookies:
+        page += "Welcome to the login service! Please log in as admin to get the flag."
+    else:
+        username = flask.request.cookies["session_user"]
+        page = f"<html><body>Hello, {username}!"
+        if username == "admin":
+            page += "<br>Here is your flag: " + open("/flag").read()
+
+    return page + """
+        <hr>
+        <form method=post>
+        User:<input type=text name=username>Pass:<input type=text name=password><input type=submit value=Submit>
+        </form>
+        </body></html>
+    """
+
+os.setuid(os.geteuid())
+app.secret_key = os.urandom(8)
+app.run("challenge.localhost", int(os.environ.get("HTTP_PORT", 80)))
diff --git a/web-security/level-1/.config b/web-security/level-1/.config
diff --git a/web-security/level-2/.config b/web-security/level-2/.config
diff --git a/web-security/level-3/DESCRIPTION.md b/web-security/level-3/DESCRIPTION.md
@@ -2,6 +2,8 @@ Of course, web applications can have security vulnerabilities that have nothing
 A common type of vulnerability is an _Authentication Bypass_, where an attacker can bypass the typical authentication logic of an application and log in without knowing the necessary user credentials.
 
 This level challenges you to explore one such scenario.
+This specific scenario arises because, again, of a gap between what the developer expects (that the URL parameters set by the application will only be set by the application itself) and the reality (that attackers can craft HTTP requests to their hearts content).
+
 The goal here is not only to let you experience how such vulnerabilites might arise, but to familiarize you with _databases_: places where web applications stored structured data.
 As you'll see in this level, data is stored into and read from these databases using a language called the _Structured Query Language_, or SQL (often pronounced like "sequel") for short.
 SQL will become incredibly relevant later, but for now, it is an incidental part of the challenge.

diff --git a/web-security/module.yml b/web-security/module.yml
@@ -15,8 +15,9 @@ challenges:
 - id: cmdi-touch-blind
   name: CMDi 5
 - id: level-3
-  name: Authentication Bypass
-  description: Exploit an authentication bypass vulnerability 
+  name: Authentication Bypass 1
+- id: auth-bypass-cookie
+  name: Authentication Bypass 2
 - id: level-4
   name: SQLi 1
   description: Exploit a structured query language injection vulnerability to login