add blind cmdi

web-security/cmdi-touch-blind/DESCRIPTION.md

@@ -0,0 +1,3 @@
+Programs tend to shell out to do complex internal computation.
+This means that you might not always get sent the resulting output, and you will need to do your attack _blind_.
+Try it in this level: without the output of your injected command, get the flag!

web-security/cmdi-touch-blind/server

@@ -0,0 +1,30 @@
+#!/opt/pwn.college/python
+
+import subprocess
+import flask
+import os
+
+app = flask.Flask(__name__)
+
+@app.route("/", methods=["GET", "POST"])
+def challenge():
+    filepath = flask.request.args.get("filepath", "/challenge")
+    subprocess.run(
+        f"touch {filepath}",        # the command to run
+        shell=True,                 # use the shell to run this command
+        stdout=subprocess.PIPE,     # capture the standard output
+        stderr=subprocess.STDOUT,   # 2>&1
+        encoding="latin"            # capture the resulting output as text
+    )
+
+    return f"""
+        <html><body>
+        Welcome to the touch service! Please choose a file to touch:
+        <form><input type=text name=filepath><input type=submit value=Submit></form>
+        <hr>
+        <b>Ran the command: touch {filepath}</b>
+        </body></html>
+        """
+
+app.secret_key = open("/flag").read().strip()
+app.run("challenge.localhost", int(os.environ.get("HTTP_PORT", 80)))