- Build the Docker image:
  `docker build -t mini-ctf .`
- Run the Docker container:
  `docker run -d -p 8080:80 mini-ctf`
- Access the web challenge in your browser at http://localhost:8080, or open a shell in the container with
  `docker exec -it <container_id> /bin/bash`
Description: A web application with a login form vulnerable to SQL injection.
Walkthrough:
- Navigate to http://localhost:8080.
- Enter `' OR '1'='1'--` as the username and anything as the password.
- This should bypass the login and display the flag.
Flag: flag{web_exploitation_success}
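To see why that input bypasses the login, and what the fix looks like, here is an added example (not the challenge's own code; it assumes a constructed SQLite `users` table in place of the challenge's database). The string-built query is the bug; the parameterised query beside it treats the same input as data.

```python
import sqlite3

# Constructed stand-in for the challenge's user table (the real schema is not
# given on the page; one admin row is enough to show the difference).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Builds SQL by concatenation. The leading quote in the username closes the
    # string literal, OR '1'='1' makes the WHERE clause true for every row, and
    # -- comments out the password check that follows.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_safe(conn, username, password):
    # Parameterised query: the driver binds the values as data, so quotes and
    # comment markers in the input are never parsed as SQL.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

PAYLOAD = "' OR '1'='1'--"   # the username from the walkthrough

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable login with payload:", login_vulnerable(conn, PAYLOAD, "anything"))
    print("parameterised login with payload:", login_safe(conn, PAYLOAD, "anything"))
    print("parameterised login, real creds:",
          login_safe(conn, "admin", "correct horse battery staple"))
```

The expected results are True, False, True: the same input that logs in through the concatenated query is rejected by the parameterised one, while a genuine credential pair still works.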
Description: A binary file that requires a specific input to produce the flag.
Walkthrough:
- Access the Docker container:
  `docker exec -it <container_id> /bin/bash`
- Use strings and gdb to analyze the reverseme binary:
  `gdb reverseme`
- Identify the correct input by analyzing the binary. The correct input is reverseme.

```text
(gdb) break main
Breakpoint 1 at 0x11ba: file /ctf/reverseme.c, line 14.
(gdb) run
Starting program: /ctf/reverseme
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, main () at /ctf/reverseme.c:14
14 /ctf/reverseme.c: No such file or directory.
(gdb) break check_point
Function "check_point" not defined.
Make breakpoint pending on future shared library load? (y or [n]) n
(gdb) break check_password
Breakpoint 2 at 0x555555555175: file /ctf/reverseme.c, line 5.
(gdb) continue
Continuing.
Enter the password: password
Breakpoint 2, check_password (password=0x7fffffffea30 "password") at /ctf/reverseme.c:5
5 in /ctf/reverseme.c
(gdb) disassemble check_password
Dump of assembler code for function check_password:
0x0000555555555169 <+0>: push %rbp
0x000055555555516a <+1>: mov %rsp,%rbp
0x000055555555516d <+4>: sub $0x10,%rsp
0x0000555555555171 <+8>: mov %rdi,-0x8(%rbp)
=> 0x0000555555555175 <+12>: mov -0x8(%rbp),%rax
0x0000555555555179 <+16>: lea 0xe88(%rip),%rdx # 0x555555556008
0x0000555555555180 <+23>: mov %rdx,%rsi
0x0000555555555183 <+26>: mov %rax,%rdi
0x0000555555555186 <+29>: call 0x555555555050 <strcmp@plt>
0x000055555555518b <+34>: test %eax,%eax
--Type <RET> for more, q to quit, c to continue without paging--
0x000055555555518d <+36>: jne 0x5555555551a0 <check_password+55>
0x000055555555518f <+38>: lea 0xe82(%rip),%rax # 0x555555556018
0x0000555555555196 <+45>: mov %rax,%rdi
0x0000555555555199 <+48>: call 0x555555555030 <puts@plt>
0x000055555555519e <+53>: jmp 0x5555555551af <check_password+70>
0x00005555555551a0 <+55>: lea 0xea8(%rip),%rax # 0x55555555604f
0x00005555555551a7 <+62>: mov %rax,%rdi
0x00005555555551aa <+65>: call 0x555555555030 <puts@plt>
0x00005555555551af <+70>: nop
0x00005555555551b0 <+71>: leave
0x00005555555551b1 <+72>: ret
--Type <RET> for more, q to quit, c to continue without paging--
End of assembler dump.
(gdb) break *0x555555555186
Breakpoint 3 at 0x555555555186: file /ctf/reverseme.c, line 5.
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /ctf/reverseme
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, main () at /ctf/reverseme.c:14
14 in /ctf/reverseme.c
(gdb) continue
Continuing.
Enter the password: password
Breakpoint 2, check_password (password=0x7fffffffea30 "password") at /ctf/reverseme.c:5
5 in /ctf/reverseme.c
(gdb) continue
Continuing.
Breakpoint 3, 0x0000555555555186 in check_password (password=0x7fffffffea30 "password") at /ctf/reverseme.c:5
5 in /ctf/reverseme.c
(gdb) x/s 0x555555556008
0x555555556008: "reverseme"
```

- Run the binary with the correct input:
  `./reverseme reverseme`
Flag: flag{reverse_engineering_is_fun}
Description: An image file that contains hidden data using steganography.
Walkthrough:
- Access the Docker container:
  `docker exec -it <container_id> /bin/bash`
- Extract the hidden message using steghide:
  `steghide extract -sf not_a_flag.jpg`
- When prompted for the passphrase, enter an empty one (just press Enter).
- Open the extracted file (flag.txt) to view the flag:
  `cat flag.txt`
Flag: flag{stego_is_fun}
Description: An encrypted message using a Caesar cipher with a shift of 3.
Walkthrough:
- Access the Docker container:
  `docker exec -it <container_id> /bin/bash`
- The encrypted message is in the crypto.txt file:
  `cat crypto.txt`
- Decrypt the message by shifting each letter 3 places back in the alphabet.

```python
def decrypt_caesar_cipher(text, shift):
    """Shift every letter in text back by `shift` positions, preserving case
    and leaving non-letters (digits, punctuation, braces) untouched."""
    result = ""
    for char in text:
        if char.isalpha():
            shift_base = ord('a') if char.islower() else ord('A')
            result += chr((ord(char) - shift_base - shift) % 26 + shift_base)
        else:
            result += char
    return result

encrypted_message = "Wkh Iodj lv: Iodj{vlpsoh_fdhvdu_flskhu}"
# Decrypt the message with a shift of 3
decrypted_message = decrypt_caesar_cipher(encrypted_message, 3)
print("Decrypted message:", decrypted_message)
```

- Decrypted message:

```text
The flag is: flag{simple_caesar_cipher}
```
Flag: flag{simple_caesar_cipher}
Description: A vulnerable program that can be exploited via buffer overflow.
Walkthrough:
- Access the Docker container:
  `docker exec -it <container_id> /bin/bash`
- Analyze the vuln binary with gdb to identify the buffer overflow vulnerability:
  `gdb vuln`
- Or type `strings vuln` to see the hardcoded flag.

```text
root@78874e355351:/ctf# strings vuln
/lib64/ld-linux-x86-64.so.2
puts
gets
__libc_start_main
__cxa_finalize
printf
libc.so.6
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
Congratulations! The flag is: flag{buffer_overflow_success}
Enter your input:
```
Flag: flag{binary_exploitation_success}