Added Pixels Camp 2017 CTF W200 challenge

Author: bbarao

WebHacking/200-RegainSession/.gitignore

@@ -0,0 +1 @@
+/src/venv

WebHacking/200-RegainSession/README.md

@@ -0,0 +1,27 @@
+W200 - Regain Session
+==============
+
+We know a site was hacked and every new account is quicky taken over, with the hackers changing the victims password. Try to re-gain access to your account.
+
+
+Installing
+----------
+
+Requirements: `docker-compose`
+
+Copy the whole folder contents to, for instance, `/opt/ctf/w200/`.
+
+Then you just need to link the systemd service with `sudo ln -s /opt/ctf/w200/w200.service /etc/systemd/system/w200.service` and start it with `sudo systemdctl start w200.service`.
+
+You can configure the flag on `src/app.py`, and which port the service is available in the `docker-compose.yml` file. By default it will listen in the `30200` port.
+
+
+
+Known issues
+----------
+
+Sometimes uwsgi drops connections, and some resources aren't loaded on the first time. Uwsgi config might need some tuning, or putting a nginx on front of uwsgi might help.
+
+
+--
+**Pixels Camp 2017 CTF**

WebHacking/200-RegainSession/data/.keep

@@ -0,0 +1,22 @@
+version: "2"
+services:
+    redis:
+        image: "redis"
+        ports:
+            - "6379"
+        links:
+            - uwsgi
+        volumes:
+            - ./data:/data
+        command: redis-server --appendonly yes
+        restart: always
+    uwsgi:
+        build:
+            context: .
+            dockerfile: ./docker/uwsgi/Dockerfile
+        ports:
+            - "30200:8000"
+        volumes:
+            - ./src:/code
+        restart: always
+

WebHacking/200-RegainSession/docker-compose.yml

@@ -0,0 +1,27 @@
+FROM python:3.6-jessie
+
+ADD ./src/requirements.txt /
+
+# Install build deps, then run `pip install`, then remove unneeded build deps all in a single step. Correct the path to your production requirements file, if needed.
+RUN set -ex \
+    && python3 -m venv /venv \
+    && /venv/bin/pip install -U pip \
+    && UWSGI_PROFILE=gevent /venv/bin/pip install -U uwsgi \
+    && /venv/bin/pip install --no-cache-dir -r /requirements.txt
+
+# Copy your application code to the container (make sure you create a .dockerignore file if any large files or directories should be excluded)
+ADD ./src /code
+WORKDIR /code
+RUN ls /code
+
+# uWSGI will listen on this port
+EXPOSE 8000
+
+# uWSGI configuration (customize as needed):
+ENV UWSGI_VIRTUALENV=/venv UWSGI_HTTP=:8000 \
+    UWSGI_MASTER=1 UWSGI_WORKERS=4 \
+    UWSGI_WSGI_ENV_BEHAVIOR=holy UWSGI_VACUUM=1
+
+# Start uWSGI
+CMD ["/venv/bin/uwsgi", "--gevent", "100", "--file", "app.py"]
+

WebHacking/200-RegainSession/docker/uwsgi/Dockerfile

@@ -0,0 +1,214 @@
+
+from gevent import monkey; monkey.patch_all()
+
+import bottle
+import json
+import jwt
+from bottle_redis import RedisPlugin
+from uuid import uuid4
+from random import randint
+
+app = bottle.Bottle()
+FLAG = "flag{Y-ARHq29rhchpFJjyJyr}"
+
+@app.get('/api/users/<username>')
+def callback(username, rdb):
+    "Returns if an username exists"
+    user = rdb.get("user:%s" % username)
+
+    if user is None:
+        bottle.abort(404, "The user does not exist")
+    user = json.loads(user)
+
+    auth_header = bottle.request.headers.get('Authorization')
+    auth = False
+    if auth_header is not None and auth_header.startswith("Bearer "):
+        jwt_header = auth_header.split(" ")[1]
+        try:
+            user_jwt = jwt.decode(jwt_header, user.get('token'), algorithms=['HS256'])
+            if user_jwt.get('username') == username and \
+               user_jwt.get('timestamp', 0) > user.get('last_timestamp', 0):
+
+                user['last_timestamp'] = max(user.get('timestamp', 0), user_jwt.get('timestamp', 0))
+                rdb.set("user:%s" % user.get('username'), json.dumps(user))
+
+                auth = True
+            print(repr(user_jwt))
+        except jwt.exceptions.DecodeError as err:
+            print(repr(err))
+
+    if auth and user is not None:
+
+        if user.get('show_flag', False):
+            user['locked'] = False
+            rdb.set("user:%s" % user.get('username'), json.dumps(user))
+
+        return {
+            "name": user.get('name'),
+            "username": user.get('username'),
+            "token": user.get('token')
+        }
+    else:
+        return {
+            'exists': user is not None
+        }
+
+@app.get('/api/usert/<token>')
+def callback(token, rdb):
+    "Returns the username that belongs to the token"
+    username = rdb.get("token:%s" % token)
+    if username is None:
+        bottle.abort(404, "The user does not exist.")
+    return {
+        'username': username.decode('utf-8')
+    }
+
+@app.post('/api/users')
+def callback(rdb):
+    "Creates a new user"
+
+    data = bottle.request.json
+
+    fields = ["name", "username", "password"]
+    missing_fields = []
+    for field in fields:
+        if field not in data or len(data.get(field)) <= 0:
+            missing_fields.append(field)
+
+    if len(missing_fields) > 0:
+        return {"success": False, "message": "All fields are required. Missing fields: %s" % ', '.join(missing_fields)}
+
+    user = rdb.get("user:%s" % data.get('username'))
+    if user is not None:
+        return {"success": False, "message": "This username already exists."}
+
+    token_generated = False
+    while not token_generated:
+        token = uuid4().hex
+        rtoken = rdb.get("token:%s" % token)
+        if rtoken is None:
+            token_generated = True
+
+    rdb.set("user:%s" % data.get('username'), json.dumps({
+        "name": data.get("name"),
+        "username": data.get("username"),
+        "password": data.get("password"),
+        "token": token,
+        "metric_count": 0,
+        "locked": False,
+        "show_flag": False,
+        "last_timestamp": 0
+    }))
+    rdb.set("token:%s" % token, data.get("username"))
+
+    return {"success": True}
+
+
+@app.post('/api/authenticate')
+def callback(rdb):
+    "Logins a user"
+
+    data = bottle.request.json
+    if 'username' not in data or 'password' not in data:
+        return {"success": False, "message": "Username and Password required"}
+
+    user = rdb.get("user:%s" % data.get('username'))
+
+    success = False
+    if user is not None:
+        user = json.loads(user)
+        if user.get('password') == data.get('password'):
+            success = True
+
+    if success:
+        return {
+            "success": True, "data": {
+                "name": user.get('name'),
+                "username": user.get('username'),
+                "token": user.get('token')
+            }
+        }
+    else:
+        return {"success": False, "message": "Invalid username or password"}
+
+@app.get('/api/metrics')
+def callback(rdb):
+
+    auth_header = bottle.request.headers.get('Authorization')
+
+    if auth_header is None or not auth_header.startswith("Bearer "):
+        bottle.abort(403, "Forbidden")
+
+    jwt_header = auth_header.split(" ")[1]
+    try:
+        unvalidated_jwt = jwt.decode(jwt_header, verify=False)
+        if unvalidated_jwt is None or 'username' not in unvalidated_jwt:
+            bottle.abort(403, "Forbidden")
+
+        user = rdb.get("user:%s" % unvalidated_jwt.get('username'))
+        if user is None:
+            bottle.abort(403, "Forbidden")
+
+        user = json.loads(user)
+        user_jwt = jwt.decode(jwt_header, user.get('token'), algorithms=['HS256'])
+
+        if user.get('last_timestamp', 0) >= user_jwt.get('timestamp', 0):
+            bottle.abort(403, "Forbidden")
+
+        user['last_timestamp'] = max(user.get('timestamp', 0), user_jwt.get('timestamp', 0))
+        user['metric_count']   = user.get('metric_count', 0) + 1
+        if user['metric_count'] >= 3 and not user.get('show_flag', False):
+            user['locked'] = True
+            user['show_flag'] = True
+            user['password'] = "9X%DuAHDj!!PjhQK%p^gPjSgG9"
+
+        rdb.set("user:%s" % user.get('username'), json.dumps(user))
+
+        print(repr(user_jwt))
+        print(repr(user))
+    except jwt.exceptions.DecodeError as e:
+        bottle.abort(403, "Forbidden")
+
+    if user.get('locked', False):
+        return {"success": False, "message": "Detected an unknown access location. For your security we changed your password and logged you out."}
+
+    metrics = {
+        'metrics': [
+            {'name': 'Current Users', 'value': randint(52, 57)},
+            {'name': 'Max Users', 'value': 133},
+            {'name': 'Current Ping', 'value': randint(52, 2333)},
+            {'name': 'Max Ping', 'value': 80082}
+        ]
+    }
+
+    if user.get('show_flag', False):
+        metrics['metrics'].append({'name': 'Flag', 'value': 'flag{Y-ARHq29rhchpFJjyJyr}'})
+
+    return metrics
+
+@app.get('/')
+def callback():
+    response = bottle.static_file("index.html", "./static")
+    response.set_header("Cache-Control", "public, max-age=1")
+    return response
+
+@app.get('/<path:path>')
+def callback(path):
+    response =  bottle.static_file(path, "./static")
+    response.set_header("Cache-Control", "public, max-age=1")
+    return response
+
+
+if __name__ == '__main__':
+    app.install(RedisPlugin(host="localhost"))
+    app.run(
+        host='localhost',
+        port=8080,
+        debug=True,
+        reloader=True
+    )
+else:
+    app.install(RedisPlugin(host="redis"))
+    application = app
+
+

WebHacking/200-RegainSession/src/app.py

@@ -0,0 +1,6 @@
+bottle==0.12.13
+bottle-redis==0.2.3
+gevent==1.2.2
+greenlet==0.4.12
+PyJWT==1.5.3
+redis==2.10.6

WebHacking/200-RegainSession/src/requirements.txt

@@ -0,0 +1,3 @@
+a {
+    cursor: pointer;
+}