hm0x14-ctf/evilcorp/web/__init__.py

249 lines
7.7 KiB
Python
Raw Normal View History

2019-05-14 16:29:52 +02:00
from flask import Flask, g, request, render_template, redirect, current_app, send_file
from flask_argon2 import Argon2
from io import BytesIO
import jwt
import time
import sqlite3
import secrets
app = Flask(__name__)
app.config['PRIVATE_KEY'] = '''
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCo0oR5UXusQs7tvgcT5EOLB+2JaKXmmip3ViGijLHku2Y+gyas
0KFYHEQjTgz2AH1N9sUu8tzLAxn+wun28qyF3Paswmx27J/pAmbX8v6g+oGur4Jz
V6ZoM5PA5iD5UvWYcLBczB84GcqhQkLHh8n/sZXP9jXMnxjTPD4nuPuQ3wIDAQAB
AoGAd0s6/RdNEu6qlmifS7kS2V2ixmRCRu9NbsJYRiqxUfXyS94VKCzMthxTMbdn
hTXXVY44y/IlfvcUGWfWOABHU7JK5NfWbwJfH0dU2kNEf8LzPmf1DzGy6vj01i/u
6KrSJMqJOW62NxQ1GjkvWVGgoy8RrHKzrkM7bnQ+i6JDVLECQQDX24V58LQwMmo2
JDZHjEZLZlx4xQz3lzhrLOfn7B3zgspRrgufOp2SaL+nFaphUl4w8P9mo/FcDmqc
R402Z4yTAkEAyDfCiZiGBgPm7mDOLiJ1Wpyc21fsF6zwoc56xSbeK+a3t9LxT00M
1W+qZv6e89erUmGNl85CwFmoyMEPdIgmBQJAOOUZp2x0cge3yxF8ZRtqI9GVKhf2
NQRc0JMDhTPNKTQeE61mTs/qXH7TlTy2rfRB83ByQSGRKox6OTr6044zlQJAKuCe
Hb93PESLqRM8NG8WuL//a43ptqxHoC9K5XvMapRvVcOr//KdQ/w0/veabNgMDYls
vEzkyLKqzctilu8tTQJBAMXgHKX62GhH54pB4GrLLS25JpxqUNChDuPGaMPilfCW
WOsFVC93MPtLA/YaAJHKZNoaXulkb5q3jhlWxCpDAKM=
-----END RSA PRIVATE KEY-----
'''
app.config['PUBLIC_KEY'] = '''-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCo0oR5UXusQs7tvgcT5EOLB+2J
aKXmmip3ViGijLHku2Y+gyas0KFYHEQjTgz2AH1N9sUu8tzLAxn+wun28qyF3Pas
wmx27J/pAmbX8v6g+oGur4JzV6ZoM5PA5iD5UvWYcLBczB84GcqhQkLHh8n/sZXP
9jXMnxjTPD4nuPuQ3wIDAQAB
-----END PUBLIC KEY-----'''
argon2 = Argon2(app)
flag1 = 'HM{sql_inj3ctions_4re_still_r3l3vant}'
flag2 = 'HM{y0u_th0ught_p4ssword_ha5h1ng_is_enough?}'
flag3 = 'HM{s3ssion_manag3ment_is_super_h4rd}'
database = 'evilcorp.sqlite3'
def check_session(cookies):
if 'session' not in cookies:
return False
session = cookies['session']
try:
session_decoded = jwt.decode(session, app.config['PUBLIC_KEY'])
except jwt.InvalidTokenError:
return False
return session_decoded
def get_db():
db = getattr(g, '_database', None)
if db is None:
db = g._database = sqlite3.connect(database)
return db
@app.teardown_appcontext
def close_connection(exception):
db = getattr(g, '_database', None)
if db is not None:
db.close()
@app.route('/', methods=['GET'])
def show_index():
session = check_session(request.cookies)
if session:
authenticated = True
username = session['user']
else:
authenticated = False
username = None
return render_template('index.html', authenticated=authenticated, username=username)
@app.route('/news', methods=['GET'])
def show_news():
session = check_session(request.cookies)
if session:
authenticated = True
username = session['user']
else:
authenticated = False
username = None
try:
cur = get_db().execute('SELECT uid, title, body, images FROM news ORDER BY uid DESC')
news = cur.fetchall()
except sqlite3.Error as e:
print(e)
return 'Something went wrong, ping the admins'
return render_template('news.html', news=news, authenticated=authenticated, username=username)
@app.route('/images/<uid>', methods=['GET'])
def show_image(uid):
try:
cur = get_db().execute('SELECT uid, name, body FROM images WHERE uid = ' + uid)
image = cur.fetchone()
except sqlite3.Error as e:
print(e)
return 'Something went wrong, ping the admins'
if not image:
return 'No image found'
return send_file(BytesIO(image[2]), attachment_filename=image[1]+'.jpg', mimetype='image/jpg')
@app.route('/login', methods=['GET'])
def show_login():
return render_template('login.html')
@app.route('/login', methods=['POST'])
def login():
if 'username' not in request.form or 'password' not in request.form:
return 'All fields are required!'
username = request.form['username']
password = request.form['password']
#if not username.isalnum():
# return 'Login failed'
if len(password) < 6:
return 'Login failed'
try:
cur = get_db().execute('SELECT uid, username, password FROM users WHERE username = ? LIMIT 1', (username,))
cur_user = cur.fetchone()
except sqlite3.Error as e:
print(e)
return 'Something went wrong, ping the admins'
if not cur_user:
return 'Login failed'
if not argon2.check_password_hash(cur_user[2], password):
return 'Login failed'
session = jwt.encode({'user': cur_user[1], 'admin': False, 'iat': int(time.time())}, key=app.config['PRIVATE_KEY'] , algorithm='RS256')
response = current_app.make_response(redirect('/user', 302))
response.set_cookie('session', value=session, path='/', httponly=True)
return response
@app.route('/reset', methods=['GET'])
def show_reset():
return render_template('reset.html')
@app.route('/reset', methods=['POST'])
def reset():
if 'email' not in request.form:
return 'Email is required required!'
email = request.form['email']
if len(email) < 6:
return 'Email too short'
try:
cur = get_db().execute('SELECT uid, email, username, recovered, admin FROM users WHERE email = ? LIMIT 1', (email,))
cur_user = cur.fetchone()
except sqlite3.Error as e:
print(e)
return 'Something went wrong, ping the admins'
if not cur_user:
return 'No user found'
if cur_user[4]:
return 'Nope'
if cur_user[3]:
return 'Password for this user has already been reset'
uid = cur_user[0]
token = secrets.token_hex()
try:
#cur = get_db().execute('UPDATE user SET recovery = ?, recovered = 1 WHERE email = ?', (token, email,))
cur = get_db().execute('UPDATE users SET recovery = ? WHERE uid = ?', (token, uid,))
get_db().commit()
except sqlite3.Error as e:
print(e)
return 'Something went wrong, ping the admins'
return 'Reset token sent to user email'
@app.route('/reset2', methods=['POST'])
def reset2():
if 'email' not in request.form or 'token' not in request.form:
return 'Both fields are required!'
email = request.form['email']
token = request.form['token']
try:
cur = get_db().execute('SELECT * FROM users WHERE recovery = ? AND email = ? AND recovered != 1', (token, email,))
cur_user = cur.fetchone()
except sqlite3.Error as e:
print(e)
return 'Something went wrong, ping the admins'
if not cur_user:
return 'Wrong email or token or password already reset one time'
else:
newpassword = secrets.token_urlsafe(16)
try:
cur = get_db().execute('UPDATE users SET password = ?, recovered = 1 WHERE recovery = ? AND email = ?', (argon2.generate_password_hash(newpassword), token, email,))
get_db().commit()
except sqlite3.Error as e:
print(e)
return 'Something went wrong, ping the admins'
return 'Your new password is ' + newpassword
@app.route('/user', methods=['GET'])
def show_user():
session = check_session(request.cookies)
if not session:
return redirect('/login', 302)
else:
if not session['admin']:
return render_template('user.html', authenticated=True, username=session['user'], flag2=flag2)
return 'Good job! Here\'s the last flag: ' + flag3
@app.route('/logout', methods=['GET'])
def logout():
response = current_app.make_response(redirect('/', 302))
for cookie in request.cookies:
response.set_cookie(cookie, value='', expires=0)
return response
@app.route('/robots.txt', methods=['GET'])
def show_robots():
return 'Disallow: /pub.asc'
@app.route('/pub.asc', methods=['GET'])
def show_pubkey():
return app.config['PUBLIC_KEY']
if __name__ == "__main__":
app.run(host='0.0.0.0', port=7000)