starting to pwnshopize and rename things
zardus committed Dec 12, 2024
1 parent e9a7459 commit d5e288d
Showing 14 changed files with 78 additions and 39 deletions.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
16 changes: 9 additions & 7 deletions web-security/cmdi-ls-filter/server
Expand Up @@ -6,7 +6,8 @@ import os

app = flask.Flask(__name__)

@app.route("/", methods=["GET", "POST"])

@app.route("/", methods=["GET"])
def challenge():
directory = (
flask.request.args.get("directory", "/challenge")
Expand All @@ -23,11 +24,11 @@ def challenge():
command = f"ls -l {directory}"
print(f"DEBUG: {command=}")
listing = subprocess.run(
command, # the command to run
shell=True, # use the shell to run this command
stdout=subprocess.PIPE, # capture the standard output
stderr=subprocess.STDOUT, # 2>&1
encoding="latin" # capture the resulting output as text
command, # the command to run
shell=True, # use the shell to run this command
stdout=subprocess.PIPE, # capture the standard output
stderr=subprocess.STDOUT, # 2>&1
encoding="latin", # capture the resulting output as text
).stdout

return f"""
Expand All @@ -40,8 +41,9 @@ def challenge():
</body></html>
"""


os.setuid(os.geteuid())
os.environ["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
app.secret_key = os.urandom(8)
app.config['SERVER_NAME'] = f"challenge.localhost:80"
app.config["SERVER_NAME"] = f"challenge.localhost:80"
app.run("challenge.localhost", 80)
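Review bot: Nothing in the file marks the `command = f"ls -l {directory}"` / `subprocess.run(command, shell=True, …)` pair in `challenge()` as a deliberate weakness, so a reader who copies this server as a Flask example gets a request parameter flowing straight into a shell. Judging by the directory name this is presumably the point of the exercise, so the code should stay, but I would add a comment above the f-string such as `# INTENTIONALLY VULNERABLE (challenge): request input reaches the shell; outside a challenge use subprocess.run(["ls", "-l", "--", directory]) with no shell`. The same comment belongs in cmdi-ls-pipe, cmdi-ls-quote and cmdi-ls-semicolon. Part of `challenge()` is collapsed on this page, so the filtering applied to `directory` here is not visible.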
16 changes: 9 additions & 7 deletions web-security/cmdi-ls-pipe/server
Expand Up @@ -6,17 +6,18 @@ import os

app = flask.Flask(__name__)

@app.route("/", methods=["GET", "POST"])

@app.route("/", methods=["GET"])
def challenge():
directory = flask.request.args.get("directory", "/challenge").replace(";", "")
command = f"ls -l {directory}"
print(f"DEBUG: {command=}")
listing = subprocess.run(
command, # the command to run
shell=True, # use the shell to run this command
stdout=subprocess.PIPE, # capture the standard output
stderr=subprocess.STDOUT, # 2>&1
encoding="latin" # capture the resulting output as text
command, # the command to run
shell=True, # use the shell to run this command
stdout=subprocess.PIPE, # capture the standard output
stderr=subprocess.STDOUT, # 2>&1
encoding="latin", # capture the resulting output as text
).stdout

return f"""
Expand All @@ -29,8 +30,9 @@ def challenge():
</body></html>
"""


os.setuid(os.geteuid())
os.environ["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
app.secret_key = os.urandom(8)
app.config['SERVER_NAME'] = f"challenge.localhost:80"
app.config["SERVER_NAME"] = f"challenge.localhost:80"
app.run("challenge.localhost", 80)
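Review bot: `app.secret_key = os.urandom(8)` near the end of the file gives Flask only 64 bits of signing key, which is short for anything that signs session cookies. No visible line uses `flask.session`, so if the key is unused the line could simply go; otherwise `app.secret_key = os.urandom(32)` is the usual size. The same line appears in the other five server files touched by this commit.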
16 changes: 9 additions & 7 deletions web-security/cmdi-ls-quote/server
Expand Up @@ -6,17 +6,18 @@ import os

app = flask.Flask(__name__)

@app.route("/", methods=["GET", "POST"])

@app.route("/", methods=["GET"])
def challenge():
directory = flask.request.args.get("directory", "/challenge")
command = f"ls -l '{directory}'"
print(f"DEBUG: {command=}")
listing = subprocess.run(
command, # the command to run
shell=True, # use the shell to run this command
stdout=subprocess.PIPE, # capture the standard output
stderr=subprocess.STDOUT, # 2>&1
encoding="latin" # capture the resulting output as text
command, # the command to run
shell=True, # use the shell to run this command
stdout=subprocess.PIPE, # capture the standard output
stderr=subprocess.STDOUT, # 2>&1
encoding="latin", # capture the resulting output as text
).stdout

return f"""
Expand All @@ -29,8 +30,9 @@ def challenge():
</body></html>
"""


os.setuid(os.geteuid())
os.environ["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
app.secret_key = os.urandom(8)
app.config['SERVER_NAME'] = f"challenge.localhost:80"
app.config["SERVER_NAME"] = f"challenge.localhost:80"
app.run("challenge.localhost", 80)
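Review bot: The re-quoted line `app.config["SERVER_NAME"] = f"challenge.localhost:80"` keeps an `f` prefix on a string with no placeholders; since the line is being touched anyway it could become `app.config["SERVER_NAME"] = "challenge.localhost:80"`. Linters flag the empty f-string (pyflakes F541), and the same line is in every server file in this commit.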
16 changes: 9 additions & 7 deletions web-security/cmdi-ls-semicolon/server
Expand Up @@ -6,17 +6,18 @@ import os

app = flask.Flask(__name__)

@app.route("/", methods=["GET", "POST"])

@app.route("/", methods=["GET"])
def challenge():
directory = flask.request.args.get("directory", "/challenge")
command = f"ls -l {directory}"
print(f"DEBUG: {command=}")
listing = subprocess.run(
command, # the command to run
shell=True, # use the shell to run this command
stdout=subprocess.PIPE, # capture the standard output
stderr=subprocess.STDOUT, # 2>&1
encoding="latin" # capture the resulting output as text
command, # the command to run
shell=True, # use the shell to run this command
stdout=subprocess.PIPE, # capture the standard output
stderr=subprocess.STDOUT, # 2>&1
encoding="latin", # capture the resulting output as text
).stdout

return f"""
Expand All @@ -29,8 +30,9 @@ def challenge():
</body></html>
"""


os.setuid(os.geteuid())
os.environ["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
app.secret_key = os.urandom(8)
app.config['SERVER_NAME'] = f"challenge.localhost:80"
app.config["SERVER_NAME"] = f"challenge.localhost:80"
app.run("challenge.localhost", 80)
12 changes: 9 additions & 3 deletions web-security/module.yml
@@ -1,6 +1,8 @@
name: Web Security
challenges:
- id: level-1
- id: path-traversal-1
transfer:
challenge: level-1
name: Path Traversal 1
- id: path-traversal-2
name: Path Traversal 2
Expand All @@ -10,13 +12,17 @@ challenges:
name: CMDi 2
- id: cmdi-ls-quote
name: CMDi 3
- id: level-2
- id: cmdi-env
transfer:
challenge: level-2
name: CMDi 4
- id: cmdi-touch-blind
name: CMDi 5
- id: cmdi-ls-filter
name: CMDi 6
- id: level-3
- id: auth-bypass-param
transfer:
challenge: level-3
name: Authentication Bypass 1
- id: auth-bypass-cookie
name: Authentication Bypass 2
File renamed without changes.
File renamed without changes.
Expand Up @@ -5,12 +5,12 @@ import os

app = flask.Flask(__name__)

@app.route("/", methods=["GET", "POST"])
@app.route("/<path:path>", methods=["GET", "POST"])

@app.route("/", methods=["GET"])
@app.route("/<path:path>", methods=["GET"])
def challenge(path="index.html"):
requested_path = app.root_path + "/files/" + path
print(f"DEBUG: {requested_path=}")

try:
return open(requested_path).read()
except PermissionError:
Expand All @@ -20,6 +20,7 @@ def challenge(path="index.html"):
except Exception as e:
flask.abort(500, requested_path + ":" + str(e))


app.secret_key = os.urandom(8)
app.config['SERVER_NAME'] = f"challenge.localhost:80"
app.config["SERVER_NAME"] = f"challenge.localhost:80"
app.run("challenge.localhost", 80)
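Review bot: `return open(requested_path).read()` in `challenge()` never closes the file explicitly, so the descriptor is released only when the object is garbage-collected. `with open(requested_path) as f:` followed by `return f.read()` keeps the behaviour and the existing `except` branches while closing the handle deterministically. This section's file header is not shown on the page; web-security/path-traversal-2/server has the same line. The middle of the `try` block is collapsed here, so the other handlers are not visible.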
9 changes: 5 additions & 4 deletions web-security/path-traversal-2/server
Expand Up @@ -5,12 +5,12 @@ import os

app = flask.Flask(__name__)

@app.route("/", methods=["GET", "POST"])
@app.route("/<path:path>", methods=["GET", "POST"])

@app.route("/", methods=["GET"])
@app.route("/<path:path>", methods=["GET"])
def challenge(path="index.html"):
requested_path = app.root_path + "/files/" + path.strip("/.")
print(f"DEBUG: {requested_path=}")

try:
return open(requested_path).read()
except PermissionError:
Expand All @@ -20,6 +20,7 @@ def challenge(path="index.html"):
except Exception as e:
flask.abort(500, requested_path + ":" + str(e))


app.secret_key = os.urandom(8)
app.config['SERVER_NAME'] = f"challenge.localhost:80"
app.config["SERVER_NAME"] = f"challenge.localhost:80"
app.run("challenge.localhost", 80)
23 changes: 23 additions & 0 deletions web-security/pwnshop.yml
@@ -0,0 +1,23 @@
walkthrough: true
binary_name_prefix: web-security
build_image: pwncollege/challenge-legacy:latest
verify_image: pwncollege/challenge-legacy:latest
challenges:
- id: path-traversal-1
challenge: PathTraversal
binary_name: server
- id: path-traversal-2
challenge: PathTraversalStripped
binary_name: server
- id: cmdi-ls-semicolon
challenge: CommandInjectionLS
binary_name: server
- id: cmdi-ls-pipe
challenge: CommandInjectionLSPipe
binary_name: server
- id: cmdi-ls-quote
challenge: CommandInjectionLSQuote
binary_name: server
- id: cmdi-ls-filter
challenge: CommandInjectionLSFilter
binary_name: server
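Review bot: `build_image` and `verify_image` both point at `pwncollege/challenge-legacy:latest`, a mutable tag, so the image the challenges are built and verified against can change without any change to this file. Pinning both to a versioned tag or a digest, e.g. `build_image: pwncollege/challenge-legacy@sha256:<DIGEST_PLACEHOLDER>`, makes builds reproducible and makes an image change show up in review. Whether pwnshop accepts a digest reference here is not visible from this file, so that needs checking.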
