blabla1337 / skf-labs

Repo for all the OWASP-SKF Docker lab examples
Apache License 2.0

move CMD python lab to CTF folder #192

Open NtAlexio2 opened 1 year ago

NtAlexio2 commented 1 year ago

This PR is an initial commit for CTF labs. From now on we can add CTF-style training laboratories.

Rules for adding CTF-style labs:

Current changes for the python CMD lab, which was an RCE case:

As I mentioned above, this is an initial idea. Please let me know if we can improve it anyhow ^^

RiieCco commented 1 year ago

In this context, if you hit the regex by chance, or because you got in the general direction but did not yet have a fully developed payload, you already get the flag, right?

I would suggest not working with regexes as much as possible, but for each lab to find a way to have the flag on the server, and then find clever ways for them to jump through some hoops to get that flag eventually.

e.g.

For LFI you could store the flag on the server to retrieve. For SQLI you can store a flag in the DB. For CMD you can also store the flag on the server and read it with the RCE. For XSS do session hijacking, and the admin account has the flag. Etc.

What do you think? :-)

NtAlexio2 commented 1 year ago

Good idea. For this specific lab (CMD), we should undo all changes but flag.txt. The user must find a way to find and read the content of flag.txt. One possible scenario would be:

  1. Find the RCE vulnerability.
  2. Find a directory that exposes our random files, by crawling the site and/or checking the web page source code, and creating random files in them using echo test > ../site/path/random.txt (in this lab it can be the /static/ path).
  3. Verify that by opening http://127.0.0.1:5000/static/random.txt in browser.
  4. Find flag.txt file by executing ls > static/random.txt and checking result in browser.
  5. Read content of flag.txt by executing cat flag.txt > static/random.txt.
  6. Proof!

How is that? We apply a similar approach for the other labs, as you mentioned (no regex).
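As an added example, not code from the skf-labs repo or this PR, the following contrasts the regex-based success check discussed in this thread with storing a random flag on the lab server and verifying a submitted flag against it. The pattern, the flag format and the flag.txt location are assumptions made for the illustration.

```python
# Added example (not part of skf-labs): regex-based flag check versus a
# random flag provisioned on the server, as discussed in the PR thread.
import hmac
import os
import re
import secrets
import tempfile
from typing import Optional

# Constructed sample flag used by the regex variant.
STATIC_FLAG = "SKF{constructed-sample-flag}"

# Pattern-based detection: the flag is handed out as soon as the input
# looks like an attack, whether or not anything was actually executed.
ATTACK_PATTERN = re.compile(r"(;|&&|\|)\s*(cat|ls|id)\b")

def regex_flag_check(user_input: str) -> Optional[str]:
    """Weak variant: matching the pattern alone is enough to get the flag."""
    return STATIC_FLAG if ATTACK_PATTERN.search(user_input) else None

def provision_flag(lab_dir: str) -> str:
    """Preferred variant: write a fresh random flag to flag.txt on the server.
    Only a solver who really reaches the file contents can learn its value."""
    flag = f"SKF{{{secrets.token_hex(16)}}}"
    path = os.path.join(lab_dir, "flag.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(flag + "\n")
    os.chmod(path, 0o600)  # readable by the lab process only
    return flag

def verify_submission(submitted: str, lab_dir: str) -> bool:
    """Compare a submitted flag with flag.txt in constant time."""
    path = os.path.join(lab_dir, "flag.txt")
    try:
        with open(path, encoding="utf-8") as fh:
            expected = fh.read().strip()
    except FileNotFoundError:
        return False
    return hmac.compare_digest(submitted.strip().encode(), expected.encode())

def demo() -> tuple:
    """Run both variants: returns (regex gave flag, correct flag ok, wrong flag ok)."""
    regex_hit = regex_flag_check("example.org; ls") is not None
    with tempfile.TemporaryDirectory() as lab_dir:
        flag = provision_flag(lab_dir)
        return (regex_hit, verify_submission(flag, lab_dir),
                verify_submission("SKF{wrong}", lab_dir))

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```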