Commit ee9e0dd8 authored by Benjamin Caure

Initial commit

Pipeline #3893 failed with stages
in 58 seconds
{
"presets": [
"es2015",
"react"
],
"plugins": [
["transform-react-jsx", { "pragma":"h" }]
]
}
\ No newline at end of file
\.idea/
out/
build
.gradle/
*.iml
node_modules
.vscode
app.log*
\ No newline at end of file
image: openjdk:8-stretch
stages:
- build
- deploy
build jar:
stage: build
script:
- chmod a+x ./gradlew
- ./gradlew -Pprod bootJar
artifacts:
paths:
- build/libs/*.jar
push to cloudfoundry:
stage: deploy
script:
- curl --location "https://cli.run.pivotal.io/stable?release=linux64-binary&source=github" | tar zx
- ./cf login -u $CF_USERNAME -p $CF_PASSWORD -a api.run.pivotal.io
- ./cf push
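Review bot: The deploy job pipes `curl --location "https://cli.run.pivotal.io/stable?release=linux64-binary&source=github"` straight into `tar zx` and then runs the extracted `./cf` with the deployment credentials, so whatever that URL serves at build time executes with access to `$CF_PASSWORD`. Pin a specific CLI release and compare its digest with a value kept in the repository before extracting. `./cf login -u $CF_USERNAME -p $CF_PASSWORD` also puts the password on the command line, unquoted, where it shows up in the process list and breaks on shell metacharacters; `cf auth` can read `CF_USERNAME` and `CF_PASSWORD` from the environment instead (`./cf api api.run.pivotal.io`, then `./cf auth`, plus a `cf target` for org and space). The job has no `only:` restriction, so as written a push to any branch deploys.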
# Enoncé TP : Capture the flag
## Mission 1
Le but de cette mission est de récupérer un _indice précieux_.
Cette adresse est stocké dans les données internes de ce [site](https://capture-the-flag-surprised-klipspringer.cfapps.io/).
Heureusement vous avez eu accès au code source de l'application, bien que les infos clés comme le mot de passe de la base de données ne sont pas présentes.
Pour cette mission vous n'avez pas besoin d'outils de hacking ni de connaissance particulière dans ce domaine.
### Pour lancer l'appli en local
- exécuter la tâche Gradle bootRun et connectez-vous à http://localhost:8745
## Mission 2
La 2ème mission consiste à récupérer l'adresse du drapeau, qui ne peut être consulter qu'en se connectant à la la base de données.
Vous devez utiliser l'indice de la mission 1 pour y parvenir.
Pour cette mission vous n'avez pas besoin d'outils de hacking. Cette fois il faut cependant exploiter une vulnérabilité de type XSS pour trouver la faille.
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath("org.springframework.boot:spring-boot-gradle-plugin:2.0.5.RELEASE")
}
}
apply plugin: 'java'
apply plugin: 'eclipse'
apply plugin: 'idea'
apply plugin: 'org.springframework.boot'
apply plugin: 'io.spring.dependency-management'
group 'org.isima.tp'
version '1.0'
bootJar {
baseName = 'binome1'
version = '1.0'
}
repositories {
mavenCentral()
}
sourceCompatibility = 1.8
targetCompatibility = 1.8
dependencies {
compile 'org.springframework.boot:spring-boot-starter-web'
compile 'org.springframework.boot:spring-boot-starter-data-jpa'
compile 'com.h2database:h2:1.4.197'
compile 'org.glassfish.jaxb:jaxb-runtime:2.4.0-b180830.0438'
compile 'org.javassist:javassist:3.23.1-GA'
compile 'io.jsonwebtoken:jjwt-api:0.10.5'
compile 'io.jsonwebtoken:jjwt-impl:0.10.5'
compile 'io.jsonwebtoken:jjwt-jackson:0.10.5'
compile 'com.sendgrid:sendgrid-java:2.2.2'
}
#Wed Oct 31 21:50:57 CET 2018
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-4.8-all.zip
#!/usr/bin/env sh
##############################################################################
##
## Gradle start up script for UN*X
##
##############################################################################
# Attempt to set APP_HOME
# Resolve links: $0 may be a link
PRG="$0"
# Need this for relative symlinks.
while [ -h "$PRG" ] ; do
ls=`ls -ld "$PRG"`
link=`expr "$ls" : '.*-> \(.*\)$'`
if expr "$link" : '/.*' > /dev/null; then
PRG="$link"
else
PRG=`dirname "$PRG"`"/$link"
fi
done
SAVED="`pwd`"
cd "`dirname \"$PRG\"`/" >/dev/null
APP_HOME="`pwd -P`"
cd "$SAVED" >/dev/null
APP_NAME="Gradle"
APP_BASE_NAME=`basename "$0"`
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
DEFAULT_JVM_OPTS=""
# Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD="maximum"
warn () {
echo "$*"
}
die () {
echo
echo "$*"
echo
exit 1
}
# OS specific support (must be 'true' or 'false').
cygwin=false
msys=false
darwin=false
nonstop=false
case "`uname`" in
CYGWIN* )
cygwin=true
;;
Darwin* )
darwin=true
;;
MINGW* )
msys=true
;;
NONSTOP* )
nonstop=true
;;
esac
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
# Determine the Java command to use to start the JVM.
if [ -n "$JAVA_HOME" ] ; then
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
# IBM's JDK on AIX uses strange locations for the executables
JAVACMD="$JAVA_HOME/jre/sh/java"
else
JAVACMD="$JAVA_HOME/bin/java"
fi
if [ ! -x "$JAVACMD" ] ; then
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
else
JAVACMD="java"
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
# Increase the maximum file descriptors if we can.
if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
MAX_FD_LIMIT=`ulimit -H -n`
if [ $? -eq 0 ] ; then
if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
MAX_FD="$MAX_FD_LIMIT"
fi
ulimit -n $MAX_FD
if [ $? -ne 0 ] ; then
warn "Could not set maximum file descriptor limit: $MAX_FD"
fi
else
warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
fi
fi
# For Darwin, add options to specify how the application appears in the dock
if $darwin; then
GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
fi
# For Cygwin, switch paths to Windows format before running java
if $cygwin ; then
APP_HOME=`cygpath --path --mixed "$APP_HOME"`
CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
JAVACMD=`cygpath --unix "$JAVACMD"`
# We build the pattern for arguments to be converted via cygpath
ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
SEP=""
for dir in $ROOTDIRSRAW ; do
ROOTDIRS="$ROOTDIRS$SEP$dir"
SEP="|"
done
OURCYGPATTERN="(^($ROOTDIRS))"
# Add a user-defined pattern to the cygpath arguments
if [ "$GRADLE_CYGPATTERN" != "" ] ; then
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
fi
# Now convert the arguments - kludge to limit ourselves to /bin/sh
i=0
for arg in "$@" ; do
CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
else
eval `echo args$i`="\"$arg\""
fi
i=$((i+1))
done
case $i in
(0) set -- ;;
(1) set -- "$args0" ;;
(2) set -- "$args0" "$args1" ;;
(3) set -- "$args0" "$args1" "$args2" ;;
(4) set -- "$args0" "$args1" "$args2" "$args3" ;;
(5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
(6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
(7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
(8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
(9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
esac
fi
# Escape application args
save () {
for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
echo " "
}
APP_ARGS=$(save "$@")
# Collect all arguments for the java command, following the shell quoting and substitution rules
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
cd "$(dirname "$0")"
fi
exec "$JAVACMD" "$@"
@if "%DEBUG%" == "" @echo off
@rem ##########################################################################
@rem
@rem Gradle startup script for Windows
@rem
@rem ##########################################################################
@rem Set local scope for the variables with windows NT shell
if "%OS%"=="Windows_NT" setlocal
set DIRNAME=%~dp0
if "%DIRNAME%" == "" set DIRNAME=.
set APP_BASE_NAME=%~n0
set APP_HOME=%DIRNAME%
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS=
@rem Find java.exe
if defined JAVA_HOME goto findJavaFromJavaHome
set JAVA_EXE=java.exe
%JAVA_EXE% -version >NUL 2>&1
if "%ERRORLEVEL%" == "0" goto init
echo.
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:findJavaFromJavaHome
set JAVA_HOME=%JAVA_HOME:"=%
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
if exist "%JAVA_EXE%" goto init
echo.
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:init
@rem Get command-line arguments, handling Windows variants
if not "%OS%" == "Windows_NT" goto win9xME_args
:win9xME_args
@rem Slurp the command line arguments.
set CMD_LINE_ARGS=
set _SKIP=2
:win9xME_args_slurp
if "x%~1" == "x" goto execute
set CMD_LINE_ARGS=%*
:execute
@rem Setup the command line
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
@rem Execute Gradle
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
:end
@rem End local scope for the variables with windows NT shell
if "%ERRORLEVEL%"=="0" goto mainEnd
:fail
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
rem the _cmd.exe /c_ return code!
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
exit /b 1
:mainEnd
if "%OS%"=="Windows_NT" endlocal
:omega
---
applications:
- name: capture-the-flag
random-route: true
memory: 1G
path: build/libs/binome1-1.0.jar
env:
SPRING_PROFILES_ACTIVE: cloud
JBP_CONFIG_JMX: '{enabled: true}'
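Review bot: `JBP_CONFIG_JMX: '{enabled: true}'` turns on the Java buildpack's JMX endpoint for the deployed application, which gives anyone who can reach that port (for example through SSH access to the container) runtime management operations on the JVM. If it is only there for debugging, drop the line from the committed manifest and set it per deployment when needed, or at least document it with a comment such as `# JMX for debugging only - remove for the public instance`. Nothing else in this manifest indicates that JMX is required at run time.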
{
"name": "tp-front",
"version": "1.0.0",
"description": "Preact front tp capture-the-flag ISIMA",
"author": "Benjamin CAURE",
"license": "MIT",
"dependencies": {
"preact": "^8.1.0",
"preact-router": "^2.4.1"
},
"devDependencies": {
"babel-core": "^6.22.1",
"babel-loader": "^6.2.10",
"babel-plugin-transform-react-jsx": "^6.22.0",
"babel-preset-es2015": "^6.22.0",
"babel-preset-react": "^6.22.0",
"css-loader": "^0.26.1",
"extract-text-webpack-plugin": "2.0.0",
"html-webpack-plugin": "^2.28.0",
"http-server": "^0.9.0",
"offline-plugin": "^4.6.1",
"style-loader": "^0.13.2",
"svg-inline-loader": "^0.7.1",
"webpack": "^3.0.0",
"webpack-dev-server": "^2.5.0"
},
"scripts": {
"start": "webpack-dev-server --config ./webpack/webpack.config.dev.babel.js --env=developement",
"prod:linux": "NODE_ENV=production webpack --config ./webpack/webpack.config.prod.babel.js --env=production",
"prod:windows": "set NODE_ENV=production && webpack --config ./webpack/webpack.config.prod.babel.js --env=production",
"prod:start": "http-server src/main/resources/assets/"
}
}
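Review bot: The `start` script passes `--env=developement`, which is misspelled. If the webpack dev configuration compares the env value with `development` (that file is not shown here), the comparison never matches and the dev server silently runs with whatever the fallback branch does. Suggested line: `"start": "webpack-dev-server --config ./webpack/webpack.config.dev.babel.js --env=development",`.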
rootProject.name = 'binome1'
package org.isima.tp;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
@SpringBootApplication
@Configuration
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
package org.isima.tp;
import org.isima.tp.model.AppUser;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.stereotype.Component;
@Component
@Scope(value="request", proxyMode= ScopedProxyMode.TARGET_CLASS)
public class CurrentUser {
private AppUser appUser;
public AppUser getAppUser() {
return appUser;
}
@SuppressWarnings("UnusedReturnValue")
public CurrentUser setAppUser(AppUser appUser) {
this.appUser = appUser;
return this;
}
}
package org.isima.tp;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.sendgrid.SendGrid;
import java.io.IOException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
@Configuration
@Profile("cloud")
public class Mail {
private static final Logger LOG = LoggerFactory.getLogger(Mail.class);
@Bean
public SendGrid mailSender() {
String vcapServicesJson = System.getenv("VCAP_SERVICES");
ObjectMapper mapper = new ObjectMapper();
SendGrid sendgrid = null;
try {
JsonNode actualObj = mapper.readTree(vcapServicesJson);
JsonNode sendgridNode = actualObj.get("sendgrid");
JsonNode credentialsNode = sendgridNode.elements().next().get("credentials");
LOG.error(credentialsNode.get("password").asText());
sendgrid = new SendGrid(credentialsNode.get("username").asText(), credentialsNode.get("password").asText());
} catch (IOException e) {
LOG.error(null, e);
}
return sendgrid;
}
}
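Review bot: `LOG.error(credentialsNode.get("password").asText());` in `mailSender()` writes the SendGrid password in clear text to the application log at ERROR level, so it ends up in every log sink and file the app produces; the line should be removed. The method also returns a `null` bean when parsing fails and dereferences `sendgridNode` without checking that `VCAP_SERVICES` contains a `sendgrid` entry, so a missing binding shows up later as a NullPointerException far from the cause. Failing fast is clearer: replace `LOG.error(null, e);` with `throw new IllegalStateException("Cannot read SendGrid credentials from VCAP_SERVICES", e);` and add an explicit check for the missing node.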
package org.isima.tp;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import java.io.IOException;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.isima.tp.model.AppUser;
import org.isima.tp.repository.CommunityRepository;
import org.isima.tp.repository.UserRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
@Component
public class SecurityFilter extends OncePerRequestFilter {
private static final Logger LOG = LoggerFactory.getLogger(SecurityFilter.class);
@Value("${security.jwt.uri:/auth/**}")
private String uri;
@Value("${security.jwt.prefix:Bearer }")
private String prefix;
@Value("${security.jwt.secret}")
private String secret;
@Autowired
private UserRepository userRepository;
@Autowired
private CommunityRepository communityRepository;
@Autowired
CurrentUser currentUser;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
// 1. get the authentication header. Tokens are supposed to be passed in the authentication header
String header = request.getHeader("Authorization");
// 2. validate the header and check the prefix
if (header == null || !header.startsWith("Bearer")) {
chain.doFilter(request, response); // If not valid, go to the next filter.
return;
}
// If there is no token provided and hence the user won't be authenticated.
// It's Ok. Maybe the user accessing a public path or asking for a token.
// All secured paths that needs a token are already defined and secured in config class.
// And If user tried to access without access token, then he won't be authenticated and an exception will be thrown.
// 3. Get the token
String token = header.replace("Bearer", "");
try { // exceptions might be thrown in creating the claims if for example the token is expired
// 4. Validate the token
Jws<Claims> claims = Jwts.parser().setSigningKey(Keys.hmacShaKeyFor(secret.getBytes()))
.parseClaimsJws(token);
String email = claims.getBody().getSubject();
if (email != null) {
// 5. Create auth object
// Now, user is authenticated
Optional<AppUser> optional = userRepository.findById(email);
optional.ifPresent(appUser -> currentUser.setAppUser(appUser));
}
} catch (Exception e) {
LOG.error(null, e);
// In case of failure. Make sure it's clear; so guarantee user won't be authenticated
currentUser.setAppUser(null);
}
// go to the next filter in the filter chain
chain.doFilter(request, response);
}
}
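Review bot: In `doFilterInternal`, `header.replace("Bearer", "")` removes every occurrence of the word anywhere in the header rather than only the leading scheme, and leaves the separating space in front of the token. Take the token with `String token = header.substring("Bearer".length()).trim();` instead; the injected `prefix` and `uri` fields and `communityRepository` are never used. `secret.getBytes()` derives the HMAC key with the platform default charset, so the same configured secret can yield different keys on different hosts; use `secret.getBytes(StandardCharsets.UTF_8)` (needs the `java.nio.charset.StandardCharsets` import). The `catch (Exception e)` block logs a full stack trace with a null message for every rejected token, which lets unauthenticated clients flood the log; a one-line warning without the trace would be enough for expected JWT failures.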
package org.isima.tp.controller;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import org.isima.tp.CurrentUser;
import org.isima.tp.model.Community;
import org.isima.tp.model.Config;
import org.isima.tp.repository.ConfigRepository;
import org.isima.tp.util.Cipher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;