├── victim-binary
├── run-victim-binary.sh
├── .github
│   └── workflows
│       └── master_gittestwtm.yml
└── README.md

/victim-binary:
--------------------------------------------------------------------------------
(binary file) https://raw.githubusercontent.com/offensi/CTF-challenge/HEAD/victim-binary
--------------------------------------------------------------------------------

/run-victim-binary.sh:
--------------------------------------------------------------------------------
```sh
#!/bin/sh
# https://github.com/offensi/CTF-challenge/run-victim-binary.sh
# wtm@offensi.com

# need root to listen on privileged ports (the binary listens on 980)
# POSIX test via id(1): `[[ ... ]]` and $EUID are bash-only and fail under /bin/sh
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi

# initial setup: static content directory and etag file
mkdir -p /static_content/
touch /static_content/theia_etags

# fixed environment the binary is started with (placeholder values)
export BASE_SERVER_URL='https://someserver'
export EMAIL='xxx@gmail.com'
export HOME='/root'
export HOSTNAME='victim-binary'
export OAUTH_CLIENT_ID='xxx.apps.googleusercontent.com'
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
export PWD='/'

# run from the repository root (see README: cd CTF-challenge first)
./victim-binary
```
--------------------------------------------------------------------------------

/.github/workflows/master_gittestwtm.yml:
--------------------------------------------------------------------------------
```yaml
# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
# More GitHub Actions for Azure: https://github.com/Azure/actions

name: Build and deploy Node.js app to Azure Web App - gittestwtm

on:
  push:
    branches:
      - master
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      - name: Set up Node.js version
        uses: actions/setup-node@v1
        with:
          node-version: '14.x'

      - name: npm install, build, and test
        run: |
          npm install
          npm run build --if-present
          npm run test --if-present

      - name: Upload artifact for deployment job
        uses: actions/upload-artifact@v2
        with:
          name: node-app
          # the whole checkout (including .git and node_modules) becomes the artifact
          path: .

  deploy:
    runs-on: ubuntu-latest
    needs: build
    environment:
      name: 'Production'
      url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}

    steps:
      - name: Download artifact from build job
        uses: actions/download-artifact@v2
        with:
          name: node-app

      - name: 'Deploy to Azure Web App'
        id: deploy-to-webapp
        uses: azure/webapps-deploy@v2
        with:
          app-name: 'gittestwtm'
          slot-name: 'Production'
          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_10A352B147E24A3A92D561A99A4C0454 }}
          package: .
```
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# CTF-challenge - CTF players and bughunters united!

## Introduction
Bug bounty hunting and playing CTF games are 2 distinct things. CTF players are known for their incredible in-depth knowledge of very specific topics. Bug bounty hunters are known for their patience in doing recon. Most CTF players, however, dislike doing recon, and bug bounty hunters sometimes lack the expertise to solve the last piece of the puzzle needed to complete a full-blown exploit chain.

## The Idea
If we as bug bounty hunters present small chunks of work in the form of a CTF challenge, we might be able to bridge the gap between CTF players and bug bounty hunters. The CTF player would not have to waste time on recon, and the bug bounty hunter gets an extra helping hand in solving the last piece of the puzzle. Both the CTF player and the bug bounty hunter could profit from bounties that would normally be out of reach for them. The company/target would receive higher-quality reports.

## The Objective
In this repository you will find a Go binary named 'victim-binary'. This binary is in fact a custom webserver that plays a major role in Google's Cloud Shell. If authentication can be bypassed on this webserver, we _might_ be able to complete a full exploit chain and submit a report to Google VRP. Note that this webserver runs on a remote host, so environment variables cannot be changed: the bypass has to work remotely.

## Running the binary
```sh
git clone https://github.com/offensi/CTF-challenge
cd CTF-challenge
bash run-victim-binary.sh

curl -k https://localhost:980 -v
```

Good luck!

## Rules
- I can only authorize testing on this binary ;)
- I will collaborate with the first CTF player who contacts me with a working authentication bypass on this binary (DM or e-mail me)
- If you can complete a full exploit chain yourself, you don't need my help. Just let me know you've succeeded and report it to the Google VRP directly
- Don't be evil

## Credits
This idea was born out of the comments posted by @the_st0rm on Twitter in reaction to @LiveOverflow's new video, featuring a bug I discovered. Thanks to @GoogleVRP and @sirdarckcat, I had the opportunity to talk to several of the world's top CTF players in London last year. My assumptions on CTF games and players are based on these conversations.

#### Contact
- e-mail : wtm@offensi.com
- website: https://offensi.com
- twitter: https://twitter.com/wtm_offensi
--------------------------------------------------------------------------------
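The run script has to be executed as root only because the webserver binds port 980, which is in the privileged range; the binary itself, a third-party download, then runs with full root privileges and HOME=/root. The following script is an added example, not part of the offensi/CTF-challenge repository, showing how to launch the same binary as an unprivileged service user instead: it grants the executable the CAP_NET_BIND_SERVICE file capability with setcap(8) and starts the process with `env -i`, so only the variables the original script exports reach it. It assumes libcap's setcap and util-linux's runuser are available, that a service account (hypothetical name `ctf-victim`) may be created, and that the binary sits in the current directory; HOME is pointed at that account's home directory because the process no longer runs as root, which is an assumption about what the binary tolerates.

```shell
#!/bin/sh
# Added example, not from the offensi/CTF-challenge repo: run victim-binary on
# port 980 without running it as root. Assumes setcap(8) from libcap, runuser(1)
# from util-linux, and a service account (hypothetical name: ctf-victim).
set -eu

BINARY=./victim-binary
PORT=980                  # port the README's curl command targets
SERVICE_USER=ctf-victim   # hypothetical account name, constructed for this example

# Return success when PORT is in the privileged range (0-1023), where binding
# needs root or the CAP_NET_BIND_SERVICE capability.
is_privileged_port() {
    [ "$1" -ge 0 ] && [ "$1" -lt 1024 ]
}

# Print the environment the original run script exports, one VAR=value per
# line, so it can be handed to `env -i` and nothing from the caller leaks in.
# HOME is the service account's home instead of /root (assumption, see above).
victim_env() {
    cat <<'EOF'
BASE_SERVER_URL=https://someserver
EMAIL=xxx@gmail.com
HOME=/home/ctf-victim
HOSTNAME=victim-binary
OAUTH_CLIENT_ID=xxx.apps.googleusercontent.com
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
EOF
}

# Number of variables victim_env defines (sanity check for the launcher).
victim_env_count() {
    victim_env | wc -l | tr -d ' '
}

# Grant the capability (needs root, done once per binary), prepare the files
# the original script creates, then drop to SERVICE_USER for the actual run.
launch_unprivileged() {
    if is_privileged_port "$PORT"; then
        setcap 'cap_net_bind_service=+ep' "$BINARY"
    fi
    id "$SERVICE_USER" >/dev/null 2>&1 || useradd --system --create-home "$SERVICE_USER"
    mkdir -p /static_content
    touch /static_content/theia_etags
    chown -R "$SERVICE_USER" /static_content
    # runuser switches to the service user; env -i starts from an empty
    # environment and adds only the lines victim_env prints (no spaces in values)
    runuser -u "$SERVICE_USER" -- env -i $(victim_env) "$BINARY"
}

# Only act when invoked as root next to the binary; otherwise the file just
# defines its helpers and exits cleanly.
if [ "$(id -u)" -eq 0 ] && [ -x "$BINARY" ]; then
    launch_unprivileged
fi
```

Run it with `sudo sh launch-unprivileged.sh` from the repository root (script name is illustrative). After it starts, the README's `curl -k https://localhost:980 -v` works exactly as before, but `ps -o user,cmd -C victim-binary` shows the service account rather than root, and a compromise of the process no longer yields root on the lab host.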