feat: add dockersecrets challenge
This commit is contained in:
Abel Stuker
parent
9a67c1c317
commit
371eafecfd
7
dockersecrets/README.md
Normal file
7
dockersecrets/README.md
Normal file
@ -0,0 +1,7 @@
|
||||
# dockersecrets
|
||||
## Text
|
||||
A company complained about their passwords being leaked from this file. One of their "users" has the flag set as their password. Can you find the leak?
|
||||
## Files
|
||||
[dockersecrets](dockersecrets)
|
||||
## How to Deploy
|
||||
n/a
|
||||
8
dockersecrets/SOLUTION.md
Normal file
8
dockersecrets/SOLUTION.md
Normal file
@ -0,0 +1,8 @@
|
||||
## Difficulty
|
||||
??
|
||||
## Category
|
||||
Forensics
|
||||
## How To Solve
|
||||
First, load the Docker image using `docker load -i dockersecrets`. You can then explore the image layers with `docker history dockersecrets`. Observe that two environment variables are set in the Docker image, a Postgres URL and a Postgres key. Use the flag `--no-trunc` to show the entire variables, instead of their truncated version. You can see from the URL that these values belong to a Supabase instance. When you connect to the database, you will see that the table `users` contains three columns: `id`, `has_flag`, and `password`. The password field of the record where the has_flag option is set contains a base64 encoded version of the flag. Use CyberChef to learn this password encoding. You can use a [simple Python script](writeup.py) to extract the flag.
|
||||
## Flag
|
||||
`IGCTF{N0t_th3_s4f3st_w4y_t0_st0r3_p4ssw0rds_h4H4}`
|
||||
BIN
dockersecrets/dockersecrets
Normal file
BIN
dockersecrets/dockersecrets
Normal file
Binary file not shown.
25
dockersecrets/writeup.py
Normal file
25
dockersecrets/writeup.py
Normal file
@ -0,0 +1,25 @@
|
||||
import os
|
||||
from supabase import create_client, Client
|
||||
import base64
|
||||
|
||||
# Leaked
|
||||
url = "https://ybolulzygysmsjytomha.supabase.co"
|
||||
key = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Inlib2x1bHp5Z3lzbXNqeXRvbWhhIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTczMDQ5NDkwOCwiZXhwIjoyMDQ2MDcwOTA4fQ.7XfwK3MZ8MaOa4g5T5Pg663nZJvnfQpd-Y91z9FWHj0"
|
||||
|
||||
supabase = create_client(url, key)
|
||||
|
||||
# Explore the schema by fetching some users
|
||||
print("Some users to explore the schema:")
|
||||
some_users = supabase.table("users").select("*").limit(5).execute()
|
||||
print(some_users)
|
||||
|
||||
# Find the flag user
|
||||
print("Only user with the flag as password:")
|
||||
flag_user = supabase.table("users").select("*").is_("has_flag", True).execute()
|
||||
print(flag_user)
|
||||
|
||||
# Decode the flag password
|
||||
password_enc = flag_user.data[0]["password"]
|
||||
ascii_password = password_enc.encode("ascii")
|
||||
password_dec = base64.b64decode(ascii_password).decode("ascii")
|
||||
print(f"Flag password: {password_dec}")
|
||||
Loading…
Reference in New Issue
Block a user