
Example Web Problem

rugo edited this page Feb 22, 2017 · 2 revisions

In this tutorial, a Berlyne problem will be created.

If you don't know what a Berlyne problem is, please refer to the Creating problems page.

Our problem will be a simple message archive web service written in PHP.

The full example problem can be found here.

The service

Our example service will consist of one website, written in PHP, that has a path traversal (local file disclosure) vulnerability.

First we create a folder in Berlyne's deployment path (VAGR_DEPLOYMENT_PATH in settings.py):

$ mkdir tuttask
$ cd tuttask

This folder name is the problem's unique slug!

content

The content folder will contain everything the problem needs to run in a virtual machine.

# Inside tuttask
$mkdir content

Every problem needs a folder called content. Optionally, a subfolder called dl_only can be created; that folder is not synced to the virtual machine, but its files are available for download (see config.json).

The file tuttask/content/index.php looks like this:

<html><head><title>Mailbox</title></head><body>
<?php
$fn = "welcome";      // letter shown by default
$path = "letters";    // directory the letters live in
// The user-supplied name is used unchecked: this is the intended flaw
if ($_GET) {
    $fn = $_GET['fn'];
}
// Scan for letters, dropping the . and .. entries
$files = array_diff(scandir($path), array('.', '..'));

// List letters as links, without the .txt extension
foreach ($files as $letter) {
    $letter = basename($letter, ".txt");
    echo "<a href='?fn={$letter}'>{$letter}</a><br/>";
}
echo "Here is your message:<br/>";
// $fn is concatenated straight into the path, so ../ sequences escape letters/
echo file_get_contents("{$path}/{$fn}.txt");
?>
</body></html>

As you can see, the script echoes the contents of a .txt file chosen by the fn parameter. Because fn is concatenated into the path unchecked, the script is vulnerable to path traversal.

Opened with, let's say, index.php?fn=../../somepath, other readable .txt files on the system can be viewed. Since the script appends the .txt suffix itself and the web root /var/www/html sits four levels below /, a request like index.php?fn=../../../../opt/flag reads /opt/flag.txt, which is exactly where Berlyne places the flag (see config.json below).
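For contrast, here is a hardened version of the same letter lookup. It is added to this page as an illustration and is not part of the Berlyne tutorial problem or of the Berlyne project; the function names resolve_letter and list_letters are made up for the example, and it assumes PHP 7.1 or newer (nullable return types), whereas the tutorial's VM installs PHP 5.

```php
<?php
// Added example (not the tutorial's index.php): the same mailbox, but the
// user-controlled ?fn= value is restricted to a plain letter name and the
// resolved path is checked to stay inside the letters directory.

// Return the absolute path of the requested letter, or null when the request
// does not name a regular .txt file inside $base.
function resolve_letter(string $base, string $fn): ?string
{
    // Allow only simple names: letters, digits, underscore and hyphen.
    // This rejects "/", "..", null bytes and anything else path-like.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $fn)) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() resolves symlinks and ".." and returns false for files
    // that do not exist.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $fn . '.txt');
    // Containment check: belt and braces in case a symlink inside letters/
    // points somewhere else on the filesystem.
    if ($candidate === false
        || strpos($candidate, $baseReal . DIRECTORY_SEPARATOR) !== 0
        || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// Names of all .txt letters in $base, without the extension.
function list_letters(string $base): array
{
    $names = [];
    $entries = scandir($base);
    if ($entries === false) {
        return $names;
    }
    foreach ($entries as $entry) {
        if (substr($entry, -4) === '.txt') {
            $names[] = basename($entry, '.txt');
        }
    }
    return $names;
}

$base = __DIR__ . '/letters';
$fn = isset($_GET['fn']) ? (string) $_GET['fn'] : 'welcome';
?>
<html><head><title>Mailbox</title></head><body>
<?php
foreach (list_letters($base) as $letter) {
    // Escape on output; the name is already restricted on input.
    $safe = htmlspecialchars($letter, ENT_QUOTES, 'UTF-8');
    echo "<a href='?fn={$safe}'>{$safe}</a><br/>";
}
echo "Here is your message:<br/>";
$path = resolve_letter($base, $fn);
if ($path === null) {
    http_response_code(404);
    echo "No such letter.";
} else {
    echo htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8');
}
?>
</body></html>
```

The input allow-list is what actually closes the traversal; the realpath() prefix check is there so that a stray symlink in letters/ cannot reopen it. With this version the tutorial's payload ../../../../opt/flag is rejected by the regular expression before any filesystem access happens, which is also why the hardened form is not suitable for the CTF problem itself.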

To make the script work, we also add the file tuttask/content/letters/welcome.txt with the content:

This script gives you archived letters! Unicorns!

Admittedly, not a very convenient service. But good enough for this demonstration.

The tuttask directory now looks like this:

tuttask/
└── content/
    ├── index.php
    └── letters/
        └── welcome.txt

config.json

The main configuration file is called config.json and also lies in the tuttask directory.

For the full functionality see the documentation in Creating problems. We only need a subset for our task.

The configuration for our task is stored as tuttask/config.json, is written in JSON format and looks like this:

{
 "category": "Web",
 "desc": "<a href='http://{HOST}:{PORT_80}/'>This</a> service delivers letters. Deliver me the file <strong>/opt/flag.txt</strong>!<br><a href='{DL_source}'>Source</a>",
 "ports": [{"guest": 80,
 "desc": "Website",
 "host": 0}],
 "points": 50,
 "downloads": { "source": "index.php" },
 "tags": ["web", "PHP", "remote file inc"],
 "name": "Tutorial Problem"
}

The fields category and name are displayed in the WebUI.

The tags are used for finding problems.

The field desc is the raw description of the problem. Raw because placeholders are used. They will be replaced by the actual values when the description is shown in a course.

The ports field is an array of port bindings. The guest key is the TCP port the service listens on inside the virtual machine; host is the port it is bound to on the host machine. In our example, host is set to 0, so a random free port is chosen. The desc placeholder {PORT_80} (PORT_ followed by the guest port) is replaced by the host port that was actually bound. For details, see Creating problems.

The downloads field is an object. Each key (here source) becomes a placeholder, {DL_source}, for the download link to the file named by the value (here index.php, a path relative to the content folder).

The flag field is not used, which means that Berlyne will automatically create a flag and place it in /opt/flag.txt. This should always be preferred. The flag field is only for special tasks that can't read the flag from the filesystem.

Setup

The last file needed for our problem is the setup or "provisioning" file.

It runs as root on the first start and on every rebuild of our problem.

Keep in mind that the virtual machine runs Ubuntu.

Our setup script is the file tuttask/setup and looks like this:

#!/bin/bash
# Abort on the first failing command so a half-provisioned VM is noticed
set -e
# Make apt noninteractive
export DEBIAN_FRONTEND=noninteractive

# Install Apache webserver and PHP
# (on Ubuntu 16.04 and later the module package is called libapache2-mod-php)
apt-get install -y libapache2-mod-php5 apache2

# Delete default page
rm -r /var/www/html/*

# Move script and letters to webserver directory
mv "$CONTENT_DIR"/*.php /var/www/html
mv "$CONTENT_DIR"/letters /var/www/html

Note: The variable CONTENT_DIR is provided by Berlyne and normally points to /opt/problem, the directory the content folder is synced to.

And that's it!

The problems folder now looks like this:

tuttask/
├── content/
│   ├── index.php
│   └── letters/
│       └── welcome.txt
├── config.json
└── setup

and can be installed/used via Berlynes WebUI:

[Screenshot: Berlyne WebUI showing the Tuttask problem]
