ajout de trois solutions pour sadservers

devl00p · Mar 5, 2024 · 5e01b41 · 5e01b41
1 parent d73bbb1
commit 5e01b41
Show file tree

Hide file tree

Showing 3 changed files with 259 additions and 0 deletions.
diff --git a/_posts/2024-03-05-Solution-du-challenge-Ivujivik-de-SadServers.md b/_posts/2024-03-05-Solution-du-challenge-Ivujivik-de-SadServers.md
@@ -0,0 +1,106 @@
+---
+title: "Solution du challenge Ivujivik de SadServers.com"
+tags: [CTF,AdminSys,SadServers]
+---
+
+**Scenario:** "Ivujivik": Parlez-vous Français?
+
+**Level:** Medium
+
+**Type:** Do
+
+**Tags:** [csv](https://sadservers.com/tag/csv)   [sql](https://sadservers.com/tag/sql)   [realistic-interviews](https://sadservers.com/tag/realistic-interviews)  
+
+**Description:** Given the CSV file `/home/admin/table_tableau11.csv`, find the *Electoral District Name/Nom de circonscription* that has the largest number of *Rejected Ballots/Bulletins rejetés* and also has a population of less than 100,000.
+
+The initial CSV file may be corrupted or invalid in a way that can be fixed without changing its data.
+
+Installed in the VM are: Python3, Go, sqlite3, [miller](https://miller.readthedocs.io/en/latest/) directly and PostgreSQL, MySQL in Docker images.
+
+Save the solution in the `/home/admin/mysolution`, with the name as it is in the file, for example: `echo "Trois-Rivières" > ~/mysolution` (the solution must be terminated by newline).
+
+**Test:** `md5sum /home/admin/mysolution` returns e399d171f21839a65f8f8ab55ed1e1a1
+
+**Time to Solve:** 20 minutes.
+
+Commençons par regarder la structure du CSV :
+
+```console
+admin@i-0e3c248419faf2776:~$ ls
+agent  table_tableau11.csv
+admin@i-0e3c248419faf2776:~$ head table_tableau11.csv 
+Province,Electoral District Name/Nom de circonscription,Electoral District Number/Numéro de circonscription,Population,Electors/Électeurs,Polling Stations/Bureaux de scrutin,Valid Ballots/Bulletins valides,Percentage of Valid Ballots /Pourcentage des bulletins valides,Rejected Ballots/Bulletins rejetés,Percentage of Rejected Ballots /Pourcentage des bulletins rejetés,Total Ballots Cast/Total des bulletins déposés,Percentage of Voter Turnout/Pourcentage de la participation électorale,Elected Candidate/Candidat élu
+"Newfoundland and Labrador/Terre-Neuve-et-Labrador","Avalon",10001,81540,68487,220,42086,99.6,162,.4,42248,61.7,"McDonald, Ken Liberal/Libéral"
+"Newfoundland and Labrador/Terre-Neuve-et-Labrador","Bonavista--Burin--Trinity",10002,76704,62462,260,35092,99.5,173,.5,35265,56.5,"Foote, Judy M. Liberal/Libéral"
+"Newfoundland and Labrador/Terre-Neuve-et-Labrador","Coast of Bays--Central--Notre Dame",10003,78092,64226,233,35448,99.6,145,.4,35593,55.4,"Simms, Scott Liberal/Libéral"
+"Newfoundland and Labrador/Terre-Neuve-et-Labrador","Labrador",10004,26728,20045,84,12373,99.6,53,.4,12426,62,"Jones, Yvonne Liberal/Libéral"
+"Newfoundland and Labrador/Terre-Neuve-et-Labrador","Long Range Mountains",10005,87592,71918,253,41824,99.7,108,.3,41932,58.3,"Hutchings, Gudie Liberal/Libéral"
+"Newfoundland and Labrador/Terre-Neuve-et-Labrador","St. John's East/St. John's-Est",10006,81936,66304,186,44880,99.8,111,.2,44991,67.9,"Whalen, Nick Liberal/Libéral"
+"Newfoundland and Labrador/Terre-Neuve-et-Labrador","St. John's South--Mount Pearl/St. John's-Sud--Mount Pearl",10007,81944,67596,185,44801,99.7,133,.3,44934,66.5,"O'Regan, Seamus Liberal/Libéral"
+"Prince Edward Island/Île-du-Prince-Édouard","Cardigan",11001,36005,28889,90,22485,99.6,96,.4,22581,78.2,"MacAulay, Lawrence Liberal/Libéral"
+"Prince Edward Island/Île-du-Prince-Édouard","Charlottetown",11002,34562,28129,82,21165,99.5,99,.5,21264,75.6,"Casey, Sean Liberal/Libéral"
+```
+
+Avec Python, il est important de noter l'index de chaque section, par exemple en prenant l'un des enregistrements :
+
+```csv
+"British Columbia/Colombie-Britannique","Cowichan--Malahat--Langford",59010,99160,81888,227,61778,99.6,230,.4,62008,75.7,"MacGregor, Alistair NDP-New Democratic Party/NPD-Nouveau Parti démocratique"
+```
+
+Soir les colonnes suivantes :
+
+- Province: British Columbia/Colombie-Britannique
+
+- Electoral District Name/Nom de circonscription: Cowichan--Malahat--Langford
+
+- Electoral District Number/Numéro de circonscription: 59010
+
+- Population: 99160
+
+- Electors/Électeurs: 81888
+
+- Polling Stations/Bureaux de scrutin: 227
+
+- Valid Ballots/Bulletins valides: 61778
+
+- Percentage of Valid Ballots /Pourcentage des bulletins valides: 99.6
+
+- Rejected Ballots/Bulletins rejetés: 230
+
+- Percentage of Rejected Ballots /Pourcentage des bulletins rejetés: .4
+
+- Total Ballots Cast/Total des bulletins déposés: 62008
+
+- Percentage of Voter Turnout/Pourcentage de la participation électorale: 75.7
+
+- Elected Candidate/Candidat élu: MacGregor, Alistair NDP-New Democratic Party/NPD-Nouveau Parti démocratique
+
+Par conséquent, les index qui nous intéressent sont les 3 (population) et 8 (Bulletins rejetés).
+
+```python
+import csv
+from hashlib import md5
+
+with open('table_tableau11.csv') as csvfile:
+    reader = csv.reader(csvfile)
+    next(reader)
+    max_rejected = 0
+    solution = ""
+    for row in reader:
+        population = int(row[3])
+        if population < 100000:
+            rejected = float(row[8])
+            if rejected > max_rejected:
+                solution = row[1]
+                max_rejected = rejected
+    print(solution)
+    print(md5(solution + "\n").hexdigest())
+```
+
+Solution :
+
+```console
+admin@i-0bd86aa83a6d8e57b:~$ python3 find.py 
+Montcalm
+e399d171f21839a65f8f8ab55ed1e1a1
+```
diff --git a/_posts/2024-03-05-Solution-du-challenge-Paris-de-SadServers.md b/_posts/2024-03-05-Solution-du-challenge-Paris-de-SadServers.md
@@ -0,0 +1,76 @@
+---
+title: "Solution du challenge Paris de SadServers.com"
+tags: [CTF,AdminSys,SadServers]
+---
+
+**Scenario:** "Paris": Where is my webserver?
+
+**Level:** Medium
+
+**Type:** Hack
+
+**Tags:** [unusual-tricky](https://sadservers.com/tag/unusual-tricky)  
+
+**Description:** A developer put an important password on his webserver localhost:5000 . However, he can't find a way to recover it. This scenario is easy to solve once you realize the one "trick".
+
+Find the password and save it in `/home/admin/mysolution` , for example: `echo "somepassword" > ~/mysolution`
+
+Scenario credit: PuppiestDoggo
+
+**Test:** `md5sum ~/mysolution` returns d8bee9d7f830d5fb59b89e1e120cce8e
+
+**Time to Solve:** 15 minutes.
+
+Le fichier `webserver.py` est la propriété de root mais présent dans notre dossier, on peut donc le déplacer :
+
+```console
+admin@i-0914c01abdff80d82:~$ ls -al
+total 44
+drwxr-xr-x 6 admin admin 4096 Sep 24 23:20 .
+drwxr-xr-x 3 root  root  4096 Sep 17 16:44 ..
+drwx------ 3 admin admin 4096 Sep 20 15:52 .ansible
+-rw------- 1 admin admin  121 Mar  4 20:40 .bash_history
+-rw-r--r-- 1 admin admin  220 Aug  4  2021 .bash_logout
+-rw-r--r-- 1 admin admin 3526 Aug  4  2021 .bashrc
+drwxr-xr-x 3 admin admin 4096 Sep 20 15:56 .config
+-rw-r--r-- 1 admin admin  807 Aug  4  2021 .profile
+drwx------ 2 admin admin 4096 Sep 17 16:44 .ssh
+drwxr-xr-x 2 admin root  4096 Sep 24 23:20 agent
+-rwxrwx--- 1 root  root   360 Sep 24 23:20 webserver.py
+admin@i-0914c01abdff80d82:~$ mv webserver.py yolo
+admin@i-0914c01abdff80d82:~$ cat yolo
+cat: yolo: Permission denied
+admin@i-0914c01abdff80d82:~$ ls -al
+total 44
+drwxr-xr-x 6 admin admin 4096 Mar  4 20:40 .
+drwxr-xr-x 3 root  root  4096 Sep 17 16:44 ..
+drwx------ 3 admin admin 4096 Sep 20 15:52 .ansible
+-rw------- 1 admin admin  194 Mar  4 20:40 .bash_history
+-rw-r--r-- 1 admin admin  220 Aug  4  2021 .bash_logout
+-rw-r--r-- 1 admin admin 3526 Aug  4  2021 .bashrc
+drwxr-xr-x 3 admin admin 4096 Sep 20 15:56 .config
+-rw-r--r-- 1 admin admin  807 Aug  4  2021 .profile
+drwx------ 2 admin admin 4096 Sep 17 16:44 .ssh
+drwxr-xr-x 2 admin root  4096 Sep 24 23:20 agent
+-rwxrwx--- 1 root  root   360 Sep 24 23:20 yolo
+```
+
+En revanche, il n'est pas possible de modifier les permissions et je ne vois aucune astuce pour résoudre le problème.
+
+En regardant l'indice ça devient plus clair :
+
+> **1.** The user agent of the client you are using against the web server may play a role here.
+
+Testons avec le User-Agent "admin" :
+
+```console
+admin@i-0914c01abdff80d82:~$ curl -D- -H "User-Agent: admin" http://127.0.0.1:5000/
+HTTP/1.1 200 OK
+Server: Werkzeug/2.3.7 Python/3.9.2
+Date: Mon, 04 Mar 2024 20:51:32 GMT
+Content-Type: text/html; charset=utf-8
+Content-Length: 35
+Connection: close
+
+Welcome! Password is FDZPmh5AX3oiJt
+```
diff --git a/_posts/2024-03-05-Solution-du-challenge-Unimak-Island-de-SadServers.md b/_posts/2024-03-05-Solution-du-challenge-Unimak-Island-de-SadServers.md
@@ -0,0 +1,77 @@
+---
+title: "Solution du challenge Unimak Island de SadServers.com"
+tags: [CTF,AdminSys,SadServers]
+---
+
+Scenario:** "Unimak Island": Fun with Mr Jason
+
+**Level:** Medium
+
+**Type:** Do
+
+**Tags:** [json](https://sadservers.com/tag/json)   [realistic-interviews](https://sadservers.com/tag/realistic-interviews)  
+
+**Description:** Using the file `station_information.json` , find the `station_id` where `has_kiosk` is `false` and `capacity` is greater than 30.
+
+Save the `station_id` of the solution in the `/home/admin/mysolution` file, for example: `echo "ec040a94-4de7-4fb3-aea0-ec5892034a69" > ~/mysolution`
+
+You can use the installed utilities [jq](https://jqlang.github.io/jq/), [gron](https://github.com/tomnomnom/gron), [jid](https://github.com/simeji/jid) as well as [Python3](https://docs.python.org/3/library/json.html) and [Golang](https://gobyexample.com/json).
+
+**Test:** `md5sum /home/admin/mysolution` returns `8d8414808b15d55dad857fd5aeb2aebc`
+
+**Time to Solve:** 15 minutes.
+
+Voyons voir à quoi ressemble ce fichier JSON :
+
+```console
+f9a69:~$ ls -alh
+total 1.2M
+drwxr-xr-x 6 admin admin 4.0K Sep 26 21:49 .
+drwxr-xr-x 3 root  root  4.0K Sep 17 16:44 ..
+drwx------ 3 admin admin 4.0K Sep 20 15:52 .ansible
+-rw------- 1 admin admin  119 Mar  4 20:04 .bash_history
+-rw-r--r-- 1 admin admin  220 Aug  4  2021 .bash_logout
+-rw-r--r-- 1 admin admin 3.5K Aug  4  2021 .bashrc
+drwxr-xr-x 3 admin admin 4.0K Sep 20 15:56 .config
+-rw-r--r-- 1 admin admin  807 Aug  4  2021 .profile
+drwx------ 2 admin admin 4.0K Sep 17 16:44 .ssh
+drwxr-xr-x 2 admin root  4.0K Sep 26 21:49 agent
+-rw-r--r-- 1 admin admin 1.1M Sep 26 21:49 station_information.json
+admin@i-02bb40c710bff9a69:~$ cat station_information.json | python3 -m json.tool | head -20
+{
+    "data": {
+        "stations": [
+            {
+                "eightd_has_key_dispenser": false,
+                "rental_methods": [
+                    "KEY",
+                    "CREDITCARD"
+                ],
+                "external_id": "c00ef46d-fcde-48e2-afbd-0fb595fe3fa7",
+                "station_id": "c00ef46d-fcde-48e2-afbd-0fb595fe3fa7",
+                "rental_uris": {
+                    "ios": "https://bkn.lft.to/lastmile_qr_scan",
+                    "android": "https://bkn.lft.to/lastmile_qr_scan"
+                },
+                "region_id": "71",
+                "capacity": 3,
+                "short_name": "4920.13",
+                "electric_bike_surcharge_waiver": false,
+                "has_kiosk": true,
+```
+
+Il faut donc énumérer le contenu de `data > stations`, ce qui se fait très bien avec Python :
+
+```console
+admin@i-02bb40c710bff9a69:~$ cat read.py 
+import json
+
+with open("station_information.json") as fd:
+    data = json.load(fd)
+    for station in data["data"]["stations"]:
+        if station["has_kiosk"] is False and station["capacity"] > 30:
+            print(station["station_id"])
+admin@i-02bb40c710bff9a69:~$ python3 read.py 
+05c5e17c-7aa9-49b7-9da3-9db4858ec1fc
+admin@i-02bb40c710bff9a69:~$ echo 05c5e17c-7aa9-49b7-9da3-9db4858ec1fc > mysolution
+```