sammite closed 2 months ago
ok so I've got it mostly figured out in my head, but I think I'll have a robots.txt file in here with a secret code that can be worth a point or two, and then the actual flag will be gated behind some other info in that robots.txt file that you need to combine with the current form of the application to get into the admin panel.
I'll stick it all in a docker image and a shell wrapper for the docker image. To make just logging into the docker image and catting out the source a bit harder, we'll have the login user in docker not have a shell or something similar, so you have to actively docker exec as root to do that. Not that I think we'll get there, but that to me sounds like a decently solid way to mitigate a cheese, but still leave enough room for someone who wants to solve in a clever manner.
orrr I just give them source and have them pwn it that way. Might be better to do that and keep this one kind of on the simpler side because I really want them to read the code and understand what it does.
gonna do a couple more checks, but final solution: I'll host the actual app, and give them one with a redacted flag, so they will be able to analyze the logic.
looks good, I may or may not stick it in docker but gonna call it good.
basically we want an app similar to the understandvulns/hello_1.php but more difficult to break: we can have cookies/JWTs, or like a weak password, something like that.
Done definition:
App that will output the flag when properly pwned.