Saturday, January 26, 2013

Creation of a Simple CTF Scoreboard and DB

I created a simple PHP/MySQL Capture the Flag Scoreboard / Flag Submission web app.  It is simple and vulnerable to web exploits.  I designed this for a CS4740 class that I am teaching as we are learning Metasploitable.

Create MySQL Database and Tables for the CTF
create database ctf;





create table flagsFound(flagID VARCHAR(8) NOT NULL PRIMARY KEY, finderID INT);





create table students (studentID INT NOT NULL AUTO_INCREMENT PRIMARY KEY, name VARCHAR(40));





create table flagsDB(flagID INT NOT NULL AUTO_INCREMENT PRIMARY KEY, studentID INT, flagChecksum VARCHAR(50));

Populate Table with Participants
insert into students VALUES (1,"Ann");


insert into students VALUES (2,"Bob");


insert into students VALUES (3,"Curt");


insert into students VALUES (4,"Dan");



Create Text File with Flags and Call it flags.txt
Make it with 2 columns of data the owner of the flag and the keyword
1 Asteroid
2 You
3 Red
4 Blue

Create and Run Simple Bash Script to Populate SQL File for flagsDB
#!/bin/bash


# This script is used to generate the information to go into the flagsDB


# from a text file that has 2 columns. The column format is as follows:


# 1st Column: studentID or Owner of the Flag


# 2nd Column: flag keyword to be transformed into a checksum





textFile=flags.txt


outputFile=temp.sql


checkSumAlg=sha256sum





echo "USE ctf;" > $outputFile





while read line


do





studentID=`echo $line | awk '{print $1}'`


flagChecksum=`echo $line | awk '{print $2}' | $checkSumAlg | awk '{print $1}'`





echo "INSERT INTO flagsDB (studentID, flagChecksum) VALUES ($studentID,'$flagChecksum');" >> $outputFile





done < $textFile

Input the SQL File to the Database using the mysql username and password that you have
mysql -u root -p < temp.sql # Unless the output file has changed or the user account is not root


# Then at the next prompt put in your mysql users password

The following are files that are needed for the CTF PHP Page:
index.php, submitFlag.php, submitFlag_Submit.php, dbConnection.php, css/default.css, pageheader.php 

The file of stats.php was not included and can be removed...

index.php File
 <html>
<head>
<title>CTF</title>

<link rel="stylesheet" type="text/css" href="css/default.css">

<script type="text/JavaScript">

    function timedRefresh(timeoutPeriod) {
        setTimeout("location.reload(true);",timeoutPeriod);
    }

</script>
</head>

<BODY BGCOLOR=white onload="JavaScript:timedRefresh(300000);">

<!-- Add connection to database by including dbConnection.php -->
<?php include 'dbConnection.php'; ?>


<!-- Add Page Header with Login Options -->
<?php include 'pageheader.php'; ?>

<FORM ACTION="search_for_project.php" METHOD="post">

<CENTER>
<BR>
<TABLE style="border:1px solid;" CELLPADDING=15>
    <TR>
        <TD colspan=2>
            <CENTER>
            <FONT SIZE=2>
                <B>Scoreboard</B>
            </FONT>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD>
            <CENTER>
            <FONT SIZE=2>
            Student
            </FONT>
            </CENTER>
        </TD>
        <TD>
            <CENTER>
            <FONT SIZE=2>
            Score
            </FONT>
            </CENTER>
        </TD>
    </TR>
        <?php

            $sqlScore = "SELECT s.name, count(f.finderID) as total FROM students s, flagsFound f WHERE s.studentID=f.finderID GROUP BY s.name ORDER BY total DESC";
            $sqlScoreResults = mysql_query($sqlScore);
            $numRows = mysql_num_rows($sqlScoreResults);
            if ($numRows < 1) {
                echo "<TR><TD COLSPAN=2><CENTER>No Scores to Report</CENTER></TD></TR>";
            }
            else {
                while ($rowScore = mysql_fetch_array($sqlScoreResults)) {

                    $name = $rowScore['name'];
                    $total = $rowScore['total'] * 10;

                    echo "<TR><TD><CENTER><FONT COLOR=GRAY SIZE=2>$name</FONT></CENTER></TD>";
                    echo "<TD><CENTER><FONT COLOR=GRAY SIZE=2>$total</FONT></CENTER></TD></TR>";   

                }                   

            }

        ?>
    </TR>
</TABLE>
<BR>
<BR>
<BR>
<FONT SIZE=2 COLOR=GRAY>This page will refresh every 5 minutes.</FONT>
</CENTER>
<BR>
<BR>
<BR>





</FORM>
</BODY>
</html>

submitFlag.php
<html>
<head>
<title>CTF</title>

<link rel="stylesheet" type="text/css" href="css/default.css">

</head>

<BODY BGCOLOR=white>

<!-- Add connection to database by including dbConnection.php -->
<?php include 'dbConnection.php'; ?>


<!-- Add Page Header with Login Options -->
<?php include 'pageheader.php'; ?>

<FORM ACTION="submitFlag_Submit.php" METHOD="post">

<CENTER>

<TABLE style="border:1px solid;" CELLPADDING=15>
    <TR>
        <TD colspan=2>
            <CENTER>
            <FONT SIZE=2>
                <B>Submit Flag</B>
            </FONT>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD>
            <CENTER>
            <FONT SIZE=2 COLOR=GRAY>
            Identify Yourself
            </FONT>
            </CENTER>
        </TD>
        <TD>
            <CENTER>
            <SELECT name="finderID">
            <?php

                $sqlStudents = "SELECT studentID, name FROM students";
                $sqlStudentsResults = mysql_query($sqlStudents);
                while ($rowStudents = mysql_fetch_array($sqlStudentsResults)) {           

                    $studentID = $rowStudents['studentID'];
                    $name = $rowStudents['name'];

                    echo "<option value=" . $studentID . ">" . $name . "</option>";

                }
            ?>
            </SELECT>
            &nbsp;&nbsp; <FONT COLOR=RED SIZE=1><I>Choose wisely my friend.</I></FONT>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD>
            <CENTER>
            <FONT SIZE=2 COLOR=GRAY>
            Flag Checksum
            </FONT>
            </CENTER>
        </TD>
        <TD>
            <CENTER>
            <INPUT TYPE=text NAME=checksum SIZE=50>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD COLSPAN=2>
            <CENTER>
            <INPUT TYPE=submit VALUE=Submit>
            </CENTER>
        </TD>
    </TR>
</TABLE>

</CENTER>
<BR>




</FORM>
</BODY>
</html>

submitFlag_Submit.php
<html>
<head>
<title>CTF</title>

<link rel="stylesheet" type="text/css" href="css/default.css">

</head>

<BODY BGCOLOR=white>

<!-- Add connection to database by including dbConnection.php -->
<?php include 'dbConnection.php'; ?>


<!-- Add Page Header with Login Options -->
<?php include 'pageheader.php'; ?>

<CENTER>

<TABLE style="border:1px solid;" CELLPADDING=15>
    <TR>
        <TD colspan=2>
            <CENTER>
            <FONT SIZE=2>
                <B>Submitted the Following Flag</B>
            </FONT>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD>
            <CENTER>
            <FONT SIZE=2 COLOR=GRAY>
            And the finder was...
            </FONT>
            </CENTER>
        </TD>
        <TD>
            <CENTER>
            <?php
                $finderID = $_POST['finderID'];
                $sqlName = "SELECT name FROM students WHERE studentID=$finderID";
                $sqlNameResults = mysql_query($sqlName);
                while ($rowName = mysql_fetch_array($sqlNameResults)) {

                    $name = $rowName['name'];

                    echo $name;

                }

            ?>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD>
            <CENTER>
            <FONT SIZE=2 COLOR=GRAY>
            Flag Checksum
            </FONT>
            </CENTER>
        </TD>
        <TD>
            <CENTER>
            <?php
                $checksum = $_POST['checksum'];
                echo $checksum;
            ?>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD COLSPAN=2>
            <CENTER>
            <?php
                $sqlValidChecksum = "SELECT flagID, studentID FROM flagsDB WHERE flagChecksum='$checksum'";
                $sqlValidResults = mysql_query($sqlValidChecksum);
                $sqlValidNumRows = mysql_num_rows($sqlValidResults);

                if ($sqlValidNumRows < 1) {
                    echo "<FONT COLOR=RED>Sorry! This flag was not found in the database.</FONT>";
                }
                else {
                    echo "Congradulations!";
              
                    while ($rowValid = mysql_fetch_array($sqlValidResults)) {
                        $flagID = $rowValid['flagID'];
                        $studentID = $rowValid['studentID'];
                    }

                    $sqlInsertFinding = "INSERT INTO flagsFound VALUES ('$studentID-$flagID-$finderID',$finderID)";
                    mysql_query($sqlInsertFinding);
                }


            ?>
            </CENTER>
        </TD>
    </TR>
</TABLE>

</CENTER>
<BR>




</BODY>
</html>
pageheader.php
<table width=100% bgcolor="#EEEEEE">
<tr>
<td width=20%>
</td>
<td width=50%>
<center>
<FONT SIZE=5 COLOR="Gray">
<B>CTF</B>
</FONT>
<BR>
<FONT SIZE=2 COLOR="Gray">
Get the Flags - Get the Points
</FONT>
</center>
</td>
<td width-30%>


</td></tr>
<tr><td colspan=3>
<center>

<!-- Menu Bar Table -->
<table width=96% id="menuBar" cellspacing="1px" cellpadding="3px"><tr>

<td width=33% bgcolor="#485e49"><center>
<a href="index.php">Home</a>
</center></td>

<td width=33% bgcolor="#485e49"><center>
<a href="submitFlag.php">Submit Flag</a>
</center></td>

<td width=33% bgcolor="#485e49"><center>
<a href="stats.php">CTF Stats</a>
</center></td>


</tr>
</table>
</center>
<!-- End Table for Menu Bar -->
</td></tr>
</table>
<BR>

dbConnection.php
<?php

$dbHost = "localhost";
$dbUser = "root";
$dbPass = "strongpassword";
$dbName = "ctf";
$db = mysql_connect($dbHost,$dbUser,$dbPass);
mysql_select_db($dbName,$db);

?>

css/default.css
a {text-decoration: none}

table#menuBar a {

        text-decoration: none;
        color:#eee;
}

table#menuBar a:hover {

color:lightblue

}

table#menuBar td {


        width:12%;
        background:#485e49;

}


#pageheaderDropDown
{    margin: 0;
    padding: 0;
    z-index: 30}

#pageheaderDropDown li
{    margin: 0;
    padding: 0;
    list-style: none;
    float: left;}

#pageheaderDropDown li a
{    display: block;
    margin: 0 1px 0 0;
    padding: 4px 10px;
    width: 60px;
    color: #EEEEEE;
    text-align: center;
    text-decoration: none}

#pageheaderDropDown li a:hover
{    color: lightblue}


#pageheaderDropDown div
{    position: absolute;
    visibility: hidden;
    margin: 0;
    padding: 0;
    background: gray;
    border: 1px solid #5970B2}

    #pageheaderDropDown div a
    {    position: relative;
        display: block;
        margin: 0;
        padding: 5px 10px;
        width: auto;
        white-space: nowrap;
        text-align: left;
        text-decoration: none;
        background: #EAEBD8;
        color: #2875DE;
        font: 11px arial}

    #pageheaderDropDown div a:hover
    {    background: #49A3FF;
        color: #FFF}


Python or Perl Quick Notes on Creating a String

To use python from the command line to create a string of characters:

python -c 'print "A"*5' - This will print a string of 5 A's

To use perl from the command line to create a string of characters:

perl -e 'print "A"x5 - This will print a string of 5 A's


Wednesday, January 23, 2013

Comparing 2 Nessus Scans

I had to face a challenge today of comparing 2 nessus reports and identifying the progress made towards fixing the vulnerabilities.

First, I used nessus to export each report respectively to a csv file.

Second, I removed the first line of the csv file.

Third, I built 2 tables to accept the input with the following sql respectively:

create table nessusScan1(pluginID INT, CVE VARCHAR(40), CVSS VARCHAR(40), risk VARCHAR(40), ip VARCHAR(40), protocol VARCHAR(40), port INT, name mediumblob, synopsis mediumblob, description mediumblob, solution mediumblob, pluginoutput mediumblob);

create table nessusScan2(pluginID INT, CVE VARCHAR(40), CVSS VARCHAR(40), risk VARCHAR(40), ip VARCHAR(40), protocol VARCHAR(40), port INT, name mediumblob, synopsis mediumblob, description mediumblob, solution mediumblob, pluginoutput mediumblob);

Forth, I inserted the data from the csv file into the respective table:

load data local infile 'Nessus1.csv' into table nessusScan1 fields terminated by ',' enclosed by '"' lines terminated by '\n'; 

load data local infile 'Nessus2.csv' into table nessusScan2 fields terminated by ',' enclosed by '"' lines terminated by '\n'; 

Fifth, I built 2 tables to collect the results of a query due to not wanting to wait for a join:

create table Totals1 (name mediumblob, risk VARCHAR(20), totals INT);

create table Totals2 (name mediumblob, risk VARCHAR(20), totals INT);

Sixth, I populated the table I created with the results of critical and high risk items:

INSERT INTO Totals1 (name, risk, totals) select name, risk, count(DISTINCT ip) AS total FROM nessusScan1 WHERE (risk='Critical' OR risk='High') GROUP BY name ORDER BY risk,total DESC;

INSERT INTO Totals2 (name, risk, totals) select name, risk, count(DISTINCT ip) AS total FROM nessusScan2 WHERE (risk='Critical' OR risk='High') GROUP BY name ORDER BY risk,total DESC;

Seventh, then I was able to do a join on the totals table to see the progress that had been made between the scans (This does not show the new vulnerabilities that were identified in the more recent scan):

SELECT a.name, a.risk, a.totals AS "Totals1", b.totals AS "Totals2" FROM Totals1 a, Totals2 b WHERE a.name=b.name;

There probably is an easier way to accomplish this, however I wanted to document this so I can use it in the future also.

Enjoy...

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...