ig-ctf-solutions/write-ups-challenges-2024-2025
3
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

feat: add dockersecrets challenge

Browse Source
This commit is contained in:
Abel Stuker 2024-11-25 22:29:08 +01:00
parent 9a67c1c317
commit 371eafecfd
4 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
dockersecrets/README.md Normal file
View File

@ -0,0 +1,7 @@
# dockersecrets
## Text
A company complained about their passwords being leaked from this file. One of their "users" has the flag set as their password. Can you find the leak?
## Files
[dockersecrets](dockersecrets)
## How to Deploy
n/a

8
dockersecrets/SOLUTION.md Normal file
View File

@ -0,0 +1,8 @@
## Difficulty
??
## Category
Forensics
## How To Solve
First, load the Docker image using `docker load -i dockersecrets`. You can then explore the image layers with `docker history dockersecrets`. Observe that two environment variables are set in the Docker image, a Postgres URL and a Postgres key. Use the flag `--no-trunc` to show the entire variables, instead of their truncated version. You can see from the URL that these values belong to a Supabase instance. When you connect to the database, you will see that the table `users` contains three columns: `id`, `has_flag`, and `password`. The password field of the record where the has_flag option is set contains a base64 encoded version of the flag. Use CyberChef to learn this password encoding. You can use a [simple Python script](writeup.py) to extract the flag.
## Flag
`IGCTF{N0t_th3_s4f3st_w4y_t0_st0r3_p4ssw0rds_h4H4}`

BIN
dockersecrets/dockersecrets Normal file
View File

Binary file not shown.

25
dockersecrets/writeup.py Normal file
View File

@ -0,0 +1,25 @@
import os
from supabase import create_client, Client
import base64
# Leaked
url = "https://ybolulzygysmsjytomha.supabase.co"
key = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Inlib2x1bHp5Z3lzbXNqeXRvbWhhIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTczMDQ5NDkwOCwiZXhwIjoyMDQ2MDcwOTA4fQ.7XfwK3MZ8MaOa4g5T5Pg663nZJvnfQpd-Y91z9FWHj0"
supabase = create_client(url, key)
# Explore the schema by fetching some users
print("Some users to explore the schema:")
some_users = supabase.table("users").select("*").limit(5).execute()
print(some_users)
# Find the flag user
print("Only user with the flag as password:")
flag_user = supabase.table("users").select("*").is_("has_flag", True).execute()
print(flag_user)
# Decode the flag password
password_enc = flag_user.data[0]["password"]
ascii_password = password_enc.encode("ascii")
password_dec = base64.b64decode(ascii_password).decode("ascii")
print(f"Flag password: {password_dec}")