Saturday, January 26, 2013

Creation of a Simple CTF Scoreboard and DB

I created a simple PHP/MySQL Capture the Flag Scoreboard / Flag Submission web app.  It is simple and vulnerable to web exploits.  I designed this for a CS4740 class that I am teaching as we are learning Metasploitable.

Create MySQL Database and Tables for the CTF
create database ctf;
use ctf;

create table flagsFound(flagID VARCHAR(8) NOT NULL PRIMARY KEY, finderID INT);

create table students (studentID INT NOT NULL AUTO_INCREMENT PRIMARY KEY, name VARCHAR(40));

-- flagChecksum is 64 characters wide: the length of a sha256sum hex digest
create table flagsDB(flagID INT NOT NULL AUTO_INCREMENT PRIMARY KEY, studentID INT, flagChecksum VARCHAR(64));

Populate Table with Participants
insert into students VALUES (1,"Ann");
insert into students VALUES (2,"Bob");
insert into students VALUES (3,"Curt");
insert into students VALUES (4,"Dan");

Create Text File with Flags and Call it flags.txt
Give it two columns of data: the owner of the flag (studentID) and the keyword.
1 Asteroid
2 You
3 Red
4 Blue

Create and Run Simple Bash Script to Populate SQL File for flagsDB
#!/bin/bash

# This script is used to generate the information to go into the flagsDB
# from a text file that has 2 columns. The column format is as follows:
# 1st Column: studentID or Owner of the Flag
# 2nd Column: flag keyword to be transformed into a checksum

textFile=flags.txt
outputFile=temp.sql
checkSumAlg=sha256sum

echo "USE ctf;" > "$outputFile"

while read -r line
do
    studentID=$(echo $line | awk '{print $1}')
    # awk's print appends a newline, so the checksum covers the keyword plus "\n",
    # the same value as: echo Asteroid | sha256sum
    flagChecksum=$(echo $line | awk '{print $2}' | $checkSumAlg | awk '{print $1}')

    echo "INSERT INTO flagsDB (studentID, flagChecksum) VALUES ($studentID,'$flagChecksum');" >> "$outputFile"
done < "$textFile"

Load the SQL File into the Database Using Your MySQL Username and Password
mysql -u root -p < temp.sql # Unless the output file has changed or the user account is not root
# Then at the next prompt put in your mysql user's password

The following are files that are needed for the CTF PHP Page:
index.php, submitFlag.php, submitFlag_Submit.php, dbConnection.php, css/default.css, pageheader.php 

The stats.php file is not included, so the reference to it can be removed.

index.php File
<html>
<head>
<title>CTF</title>

<link rel="stylesheet" type="text/css" href="css/default.css">

<script type="text/JavaScript">

    function timedRefresh(timeoutPeriod) {
        setTimeout("location.reload(true);",timeoutPeriod);
    }

</script>
</head>

<BODY BGCOLOR=white onload="JavaScript:timedRefresh(300000);">

<!-- Add connection to database by including dbConnection.php -->
<?php include 'dbConnection.php'; ?>


<!-- Add Page Header with Login Options -->
<?php include 'pageheader.php'; ?>

<FORM ACTION="search_for_project.php" METHOD="post">

<CENTER>
<BR>
<TABLE style="border:1px solid;" CELLPADDING=15>
    <TR>
        <TD colspan=2>
            <CENTER>
            <FONT SIZE=2>
                <B>Scoreboard</B>
            </FONT>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD>
            <CENTER>
            <FONT SIZE=2>
            Student
            </FONT>
            </CENTER>
        </TD>
        <TD>
            <CENTER>
            <FONT SIZE=2>
            Score
            </FONT>
            </CENTER>
        </TD>
    </TR>
        <?php

            $sqlScore = "SELECT s.name, count(f.finderID) as total FROM students s, flagsFound f WHERE s.studentID=f.finderID GROUP BY s.name ORDER BY total DESC";
            $sqlScoreResults = mysql_query($sqlScore);
            $numRows = mysql_num_rows($sqlScoreResults);
            if ($numRows < 1) {
                echo "<TR><TD COLSPAN=2><CENTER>No Scores to Report</CENTER></TD></TR>";
            }
            else {
                while ($rowScore = mysql_fetch_array($sqlScoreResults)) {

                    $name = $rowScore['name'];
                    $total = $rowScore['total'] * 10;

                    echo "<TR><TD><CENTER><FONT COLOR=GRAY SIZE=2>$name</FONT></CENTER></TD>";
                    echo "<TD><CENTER><FONT COLOR=GRAY SIZE=2>$total</FONT></CENTER></TD></TR>";   

                }                   

            }

        ?>
</TABLE>
<BR>
<BR>
<BR>
<FONT SIZE=2 COLOR=GRAY>This page will refresh every 5 minutes.</FONT>
</CENTER>
<BR>
<BR>
<BR>





</FORM>
</BODY>
</html>

submitFlag.php
<html>
<head>
<title>CTF</title>

<link rel="stylesheet" type="text/css" href="css/default.css">

</head>

<BODY BGCOLOR=white>

<!-- Add connection to database by including dbConnection.php -->
<?php include 'dbConnection.php'; ?>


<!-- Add Page Header with Login Options -->
<?php include 'pageheader.php'; ?>

<FORM ACTION="submitFlag_Submit.php" METHOD="post">

<CENTER>

<TABLE style="border:1px solid;" CELLPADDING=15>
    <TR>
        <TD colspan=2>
            <CENTER>
            <FONT SIZE=2>
                <B>Submit Flag</B>
            </FONT>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD>
            <CENTER>
            <FONT SIZE=2 COLOR=GRAY>
            Identify Yourself
            </FONT>
            </CENTER>
        </TD>
        <TD>
            <CENTER>
            <SELECT name="finderID">
            <?php

                $sqlStudents = "SELECT studentID, name FROM students";
                $sqlStudentsResults = mysql_query($sqlStudents);
                while ($rowStudents = mysql_fetch_array($sqlStudentsResults)) {           

                    $studentID = $rowStudents['studentID'];
                    $name = $rowStudents['name'];

                    echo "<option value=" . $studentID . ">" . $name . "</option>";

                }
            ?>
            </SELECT>
            &nbsp;&nbsp; <FONT COLOR=RED SIZE=1><I>Choose wisely my friend.</I></FONT>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD>
            <CENTER>
            <FONT SIZE=2 COLOR=GRAY>
            Flag Checksum
            </FONT>
            </CENTER>
        </TD>
        <TD>
            <CENTER>
            <INPUT TYPE=text NAME=checksum SIZE=50>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD COLSPAN=2>
            <CENTER>
            <INPUT TYPE=submit VALUE=Submit>
            </CENTER>
        </TD>
    </TR>
</TABLE>

</CENTER>
<BR>




</FORM>
</BODY>
</html>

submitFlag_Submit.php
<html>
<head>
<title>CTF</title>

<link rel="stylesheet" type="text/css" href="css/default.css">

</head>

<BODY BGCOLOR=white>

<!-- Add connection to database by including dbConnection.php -->
<?php include 'dbConnection.php'; ?>


<!-- Add Page Header with Login Options -->
<?php include 'pageheader.php'; ?>

<CENTER>

<TABLE style="border:1px solid;" CELLPADDING=15>
    <TR>
        <TD colspan=2>
            <CENTER>
            <FONT SIZE=2>
                <B>Submitted the Following Flag</B>
            </FONT>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD>
            <CENTER>
            <FONT SIZE=2 COLOR=GRAY>
            And the finder was...
            </FONT>
            </CENTER>
        </TD>
        <TD>
            <CENTER>
            <?php
                $finderID = $_POST['finderID'];
                $sqlName = "SELECT name FROM students WHERE studentID=$finderID";
                $sqlNameResults = mysql_query($sqlName);
                while ($rowName = mysql_fetch_array($sqlNameResults)) {

                    $name = $rowName['name'];

                    echo $name;

                }

            ?>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD>
            <CENTER>
            <FONT SIZE=2 COLOR=GRAY>
            Flag Checksum
            </FONT>
            </CENTER>
        </TD>
        <TD>
            <CENTER>
            <?php
                $checksum = $_POST['checksum'];
                echo $checksum;
            ?>
            </CENTER>
        </TD>
    </TR>
    <TR>
        <TD COLSPAN=2>
            <CENTER>
            <?php
                $sqlValidChecksum = "SELECT flagID, studentID FROM flagsDB WHERE flagChecksum='$checksum'";
                $sqlValidResults = mysql_query($sqlValidChecksum);
                $sqlValidNumRows = mysql_num_rows($sqlValidResults);

                if ($sqlValidNumRows < 1) {
                    echo "<FONT COLOR=RED>Sorry! This flag was not found in the database.</FONT>";
                }
                else {
                    echo "Congratulations!";
              
                    while ($rowValid = mysql_fetch_array($sqlValidResults)) {
                        $flagID = $rowValid['flagID'];
                        $studentID = $rowValid['studentID'];
                    }

                    $sqlInsertFinding = "INSERT INTO flagsFound VALUES ('$studentID-$flagID-$finderID',$finderID)";
                    mysql_query($sqlInsertFinding);
                }


            ?>
            </CENTER>
        </TD>
    </TR>
</TABLE>

</CENTER>
<BR>




</BODY>
</html>
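
A hardened counterpart to the submitFlag_Submit.php logic above, as an added example that is not part of the original post: the original interpolates $_POST['finderID'] and $_POST['checksum'] directly into its SQL statements and echoes them back unencoded, which is what makes it a deliberately vulnerable target. It assumes PHP 7+ with PDO (the mysql_* functions were removed in PHP 7), hypothetical CTF_DB_USER / CTF_DB_PASS environment variables for a non-root account, and full 64-character sha256sum digests in flagsDB.

```php
<?php
// Added example, not the original author's code. Assumes PHP 7+ with pdo_mysql,
// hypothetical CTF_DB_USER / CTF_DB_PASS environment variables for a low-privilege
// account, and flagsDB.flagChecksum holding full 64-character sha256sum digests.

function ctfConnect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=ctf;charset=utf8mb4',
        getenv('CTF_DB_USER'),
        getenv('CTF_DB_PASS'),
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

function submitFlag(PDO $pdo, $finderInput, $checksumInput): string
{
    // Validate shape first: a positive integer ID and a 64-hex-digit checksum.
    $finderID = filter_var($finderInput, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $checksum = is_string($checksumInput) ? strtolower(trim($checksumInput)) : '';
    if ($finderID === false || !preg_match('/\A[0-9a-f]{64}\z/', $checksum)) {
        return 'Invalid submission.';
    }

    // Placeholders keep request data out of the SQL text.
    $stmt = $pdo->prepare('SELECT name FROM students WHERE studentID = ?');
    $stmt->execute([$finderID]);
    $name = $stmt->fetchColumn();
    if ($name === false) {
        return 'Unknown student.';
    }

    $stmt = $pdo->prepare('SELECT flagID, studentID FROM flagsDB WHERE flagChecksum = ?');
    $stmt->execute([$checksum]);
    $flag = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($flag === false) {
        return 'Sorry! This flag was not found in the database.';
    }

    // Same owner-flag-finder key as the original; IGNORE skips repeat submissions.
    $key = $flag['studentID'] . '-' . $flag['flagID'] . '-' . $finderID;
    $stmt = $pdo->prepare('INSERT IGNORE INTO flagsFound (flagID, finderID) VALUES (?, ?)');
    $stmt->execute([$key, $finderID]);
    // Encode database values on output as well as binding them on input.
    return 'Flag recorded for ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '.';
}

echo submitFlag(ctfConnect(), $_POST['finderID'] ?? '', $_POST['checksum'] ?? '');
```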

pageheader.php
<table width=100% bgcolor="#EEEEEE">
<tr>
<td width=20%>
</td>
<td width=50%>
<center>
<FONT SIZE=5 COLOR="Gray">
<B>CTF</B>
</FONT>
<BR>
<FONT SIZE=2 COLOR="Gray">
Get the Flags - Get the Points
</FONT>
</center>
</td>
<td width=30%>


</td></tr>
<tr><td colspan=3>
<center>

<!-- Menu Bar Table -->
<table width=96% id="menuBar" cellspacing="1px" cellpadding="3px"><tr>

<td width=33% bgcolor="#485e49"><center>
<a href="index.php">Home</a>
</center></td>

<td width=33% bgcolor="#485e49"><center>
<a href="submitFlag.php">Submit Flag</a>
</center></td>

<td width=33% bgcolor="#485e49"><center>
<a href="stats.php">CTF Stats</a>
</center></td>


</tr>
</table>
</center>
<!-- End Table for Menu Bar -->
</td></tr>
</table>
<BR>

dbConnection.php
<?php

$dbHost = "localhost";
$dbUser = "root";
$dbPass = "strongpassword";
$dbName = "ctf";
$db = mysql_connect($dbHost,$dbUser,$dbPass);
mysql_select_db($dbName,$db);

?>

css/default.css
a {text-decoration: none}

table#menuBar a {

        text-decoration: none;
        color:#eee;
}

table#menuBar a:hover {

color:lightblue

}

table#menuBar td {


        width:12%;
        background:#485e49;

}


#pageheaderDropDown
{    margin: 0;
    padding: 0;
    z-index: 30}

#pageheaderDropDown li
{    margin: 0;
    padding: 0;
    list-style: none;
    float: left;}

#pageheaderDropDown li a
{    display: block;
    margin: 0 1px 0 0;
    padding: 4px 10px;
    width: 60px;
    color: #EEEEEE;
    text-align: center;
    text-decoration: none}

#pageheaderDropDown li a:hover
{    color: lightblue}


#pageheaderDropDown div
{    position: absolute;
    visibility: hidden;
    margin: 0;
    padding: 0;
    background: gray;
    border: 1px solid #5970B2}

    #pageheaderDropDown div a
    {    position: relative;
        display: block;
        margin: 0;
        padding: 5px 10px;
        width: auto;
        white-space: nowrap;
        text-align: left;
        text-decoration: none;
        background: #EAEBD8;
        color: #2875DE;
        font: 11px arial}

    #pageheaderDropDown div a:hover
    {    background: #49A3FF;
        color: #FFF}

