commit 8b8d3b179fa50419348608144862468ae8282f33
parent 82a8bd9686fd9c95d8bf9e5eaeca16b0fcbde996
Author: n0tr1v <n0tr1v@protonmail.com>
Date: Tue, 24 Jan 2023 23:21:09 -0800
forgot-password bypass ctf instructions page
Diffstat:
5 files changed, 37 insertions(+), 0 deletions(-)
diff --git a/pkg/web/handlers/data.go b/pkg/web/handlers/data.go
@@ -98,6 +98,10 @@ type byteRoadChallengeData struct {
SessionExp time.Duration
}
+type forgotPasswordBypassChallengeData struct {
+ ActiveTab string
+}
+
type forgotPasswordData struct {
Error string
Username string
diff --git a/pkg/web/handlers/handlers.go b/pkg/web/handlers/handlers.go
@@ -4107,6 +4107,12 @@ func ByteRoadChallengeHandler(c echo.Context) error {
return c.Render(http.StatusOK, "vip.byte-road-challenge", data)
}
+func ForgotPasswordBypassChallengeHandler(c echo.Context) error {
+ var data forgotPasswordBypassChallengeData
+ data.ActiveTab = "home"
+ return c.Render(http.StatusOK, "vip.forgot-password-bypass-challenge", data)
+}
+
func BHCHandler(c echo.Context) error {
/*
We have a script that check BHC wait room and kick any users that has not completed the dkf captcha.
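Review bot: The new exported `ForgotPasswordBypassChallengeHandler` has no doc comment, so nothing tells a reader that it only renders a static instructions page and holds none of the challenge logic. I'd add `// ForgotPasswordBypassChallengeHandler renders the static instructions page for the forgot-password bypass CTF.` above the function. As a style point, the two-step setup could be a single literal, `data := forgotPasswordBypassChallengeData{ActiveTab: "home"}`. The value `"home"` is presumably the tab the VIP layout highlights, but the layout is not visible in this hunk.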
diff --git a/pkg/web/public/views/pages/vip/forgot-password-bypass-challenge.gohtml b/pkg/web/public/views/pages/vip/forgot-password-bypass-challenge.gohtml
@@ -0,0 +1,24 @@
+{{ define "sub-content" }}
+ <h3>Forgot-Password Bypass</h3>
+ <p>
+ I have made a git branch named "forgot-password-bypass-ctf" in dkforest repository -><br />
+ <a href="http://yylovpz7taca7jfrub3wltxabzzjp34fngj5lpwl6eo47ekt5cxs6mid.onion/n0tr1v/dkforest/src/forgot-password-bypass-ctf">
+ http://yylovpz7taca7jfrub3wltxabzzjp34fngj5lpwl6eo47ekt5cxs6mid.onion/n0tr1v/dkforest/src/forgot-password-bypass-ctf
+ </a><br />
+ </p>
+ <p>
+ The goal of this CTF is to use the forgot-password form to reset another user's password.<br />
+ The code is vulnerable and allow for such thing to happen.<br />
+ </p>
+ <p>
+ Instructions:<br />
+ <ul>
+ <li>Install and run locally dkforest using the "forgot-password-bypass-ctf" branch.</li>
+ <li>Create a user</li>
+ <li>Setup a PGP key in that user's profile (to enable the password recovery feature)</li>
+ <li>Logout</li>
+ <li>Use the form "forgot-password" to reset that other user's password.</li>
+ <li>Login with the new user account.</li>
+ </ul>
+ </p>
+{{ end }}
+\ No newline at end of file
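Review bot: The instruction list is ambiguous about accounts: only one user is created, yet the later steps say "that other user's password" and "Login with the new user account". If the intent is to reset the password of the user just created and then log in as that user, the last two items would read more clearly as `<li>Use the "forgot-password" form to reset that user's password.</li>` and `<li>Log in to that user's account with the new password.</li>`. The `<ul>` is nested inside a `<p>`, which is invalid HTML (the browser closes the paragraph before the list), so the list should follow the "Instructions:" paragraph rather than sit inside it. Because the branch is intentionally vulnerable, the first step could also state that the instance should stay on the local machine and not be reachable by other users. The file also ends without a trailing newline.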
diff --git a/pkg/web/public/views/pages/vip/home.gohtml b/pkg/web/public/views/pages/vip/home.gohtml
@@ -9,6 +9,7 @@
<a href="/vip/challenges/byte-road">ByteRoad captcha challenge</a><br />
<a href="/vip/challenges/re-1">Reverse Engineering Challenge #1</a><br />
<a href="/vip/challenges/stego1">Stego #1</a><br />
+ <a href="/vip/challenges/forgot-password-bypass">Forgot-password bypass challenge</a><br />
</p>
<hr />
diff --git a/pkg/web/web.go b/pkg/web/web.go
@@ -263,6 +263,7 @@ func getMainServer() echo.HandlerFunc {
vipGroup.GET("/vip", handlers.VipHandler)
vipGroup.GET("/vip/challenges/stego1", handlers.Stego1ChallengeHandler)
vipGroup.POST("/vip/challenges/stego1", handlers.Stego1ChallengeHandler)
+ vipGroup.GET("/vip/challenges/forgot-password-bypass", handlers.ForgotPasswordBypassChallengeHandler)
vipGroup.GET("/vip/challenges/byte-road", handlers.ByteRoadChallengeHandler, middlewares.AuthRateLimitMiddleware(1*time.Minute, 500))
vipGroup.POST("/vip/challenges/byte-road", handlers.ByteRoadChallengeHandler, middlewares.AuthRateLimitMiddleware(1*time.Minute, 500))
vipGroup.GET("/vip/challenges/re-1", handlers.VipDownloadsHandler)