Final project

RelayBoardCTF/README.md

@@ -0,0 +1,30 @@
+# RelayBoard CTF
+
+RelayBoard is an original easy-medium web application CTF built around a shift
+handoff portal for operations teams.
+
+## What Is Included
+
+- `backend/`: all vulnerable backend code, templates, static assets, and snippet files
+- `solve.py`: proof-of-concept exploit script
+- `Vulnerability_Report.md`: formal report
+- `Dockerfile`: container entrypoint for public deployment
+- `docker-compose.yml`: simple public-server launch configuration
+
+## Goal
+
+Recover the flag stored in the private admin packet.
+
+## Live Challenge URL
+
+Players can access the challenge here:
+
+`https://hung-concessible-overjoyfully.ngrok-free.dev`
+
+## Intended Solve Path
+
+1. Register a normal user account.
+2. Abuse the packet preview include resolver to read `backend/config.py`.
+3. Recover the Flask secret key from the source.
+4. Forge an admin session cookie.
+5. Open `/admin/archive/1` and capture the flag.

RelayBoardCTF/Vulnerability_Report.md

@@ -0,0 +1,96 @@
+# Vulnerability Report
+
+## Context
+
+RelayBoard is a Flask-based web application intended for operations teams to
+prepare and review shift handoff packets. It is designed to run as a Linux
+userspace web service, stores data in a local SQLite database, and is shipped
+in this project as a modular backend package under
+`RelayBoardCTF/backend/`. The application exposes
+routes for registration, login, composing packet drafts, previewing draft
+content, and reviewing saved packets.
+
+The packet preview feature is relevant to the challenge. Operators can draft a
+packet and preview how shared snippet references render before saving. The UI
+documents a snippet syntax such as `[[include:ops-footer.txt]]`, and the
+backend replaces those directives with the contents of files from the local
+`backend/snippets/` directory.
+
+The program receives inputs over HTTP form posts. In particular, `/preview`
+accepts the user-controlled `title`, `body`, and `checklist` fields and renders
+them immediately. The challenge objective is to recover the flag stored in the
+private admin packet by exploiting the preview functionality. A proof-of-
+concept exploit is provided in `RelayBoardCTF/solve.py`.
+
+## Vulnerability
+
+The primary issue is a path traversal vulnerability, corresponding to CWE-22:
+Improper Limitation of a Pathname to a Restricted Directory. A secondary design
+weakness makes the impact worse: the Flask session secret is recoverable from
+the application source, allowing the attacker to forge a privileged cookie once
+an arbitrary file read is achieved.
+
+The vulnerability manifests in `render_handoff_preview()` in
+`RelayBoardCTF/backend/preview.py`, where the
+preview engine processes `[[include:...]]` directives. The `replace_include()`
+helper concatenates the user-supplied snippet name directly onto
+`SNIPPET_DIR` and calls `read_text()` without normalizing or constraining the
+resolved path.
+
+Because the `/preview` route passes attacker-controlled form fields directly
+into `render_handoff_preview()` in
+`RelayBoardCTF/backend/routes.py`, an
+authenticated low-privilege user can submit inputs such as
+`[[include:../config.py]]` and force the server to read files outside the
+intended snippet directory. Reading `backend/config.py` discloses the default
+Flask `SECRET_KEY` value, which is then used by the exploit script to mint a
+new cookie containing `role=admin`. The administrative authorization check that
+trusts this cookie is implemented in
+`RelayBoardCTF/backend/auth.py`.
+
+## Exploitation
+
+The overall exploitation path is:
+
+1. Create a normal account through `/register`.
+2. Submit a crafted preview request to `/preview` with `body=[[include:../app.py]]`.
+3. Parse the returned source code to recover the Flask secret key.
+4. Forge a signed Flask session cookie containing admin role data.
+5. Request `/admin/archive/1` and read the flag from the private admin packet.
+
+The first exploit primitive is arbitrary file disclosure relative to the
+application directory. This breaks the intended trust boundary around the
+`snippets/` directory and exposes source code and configuration material.
+
+The second exploit primitive is authenticated session forgery. Because the
+application trusts the client-side Flask session for authorization decisions,
+knowledge of the secret key is sufficient to create a cookie that passes the
+`admin_required` check. The proof-of-concept exploit in
+`RelayBoardCTF/solve.py` recovers the secret from
+the preview response, forges a valid cookie, installs it into the session jar,
+and then requests the admin-only archive route.
+
+Together, these primitives allow a low-privilege attacker to move from an
+ordinary user account to full administrative read access and recover the flag.
+
+## Remediation
+
+The preview include resolver should be constrained to an allowlisted snippet
+directory. A safe patch would resolve the requested path, reject absolute paths
+and traversal components, and verify that the final path remains under
+`SNIPPET_DIR` before opening it. If nested snippet folders are needed, the
+application should still compare the resolved path prefix against the snippet
+root after normalization.
+
+The application should also stop relying on client-controlled role claims for
+authorization. The server can store sessions server-side, or at minimum load
+fresh authorization data from the database on each request rather than trusting
+the cookie's `role` field. In addition, the Flask secret must not be hardcoded
+in source. It should be injected from an environment variable or dedicated
+secret store, and rotated if disclosure is suspected.
+
+Variant analysis for similar issues can be automated by searching for code that
+joins attacker-controlled path fragments onto filesystem roots and then opens
+the result without a resolved-path containment check. A second review pass
+should identify any logic that grants permissions directly from client-signed
+session contents instead of server-side authorization state.

RelayBoardCTF/backend/Dockerfile

@@ -0,0 +1,13 @@
+FROM python:3.11-slim
+
+WORKDIR /app
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+
+ENV PORT=5000
+EXPOSE 5000
+
+CMD ["sh", "-c", "gunicorn --bind 0.0.0.0:${PORT:-5000} backend.wsgi:app"]

RelayBoardCTF/backend/__init__.py

@@ -0,0 +1,20 @@
+from flask import Flask
+
+from .auth import auth_bp
+from .config import Config
+from .db import close_db, init_db
+from .routes import main_bp
+
+
+def create_app():
+    app = Flask(__name__, template_folder="templates", static_folder="static")
+    app.config.from_object(Config)
+
+    app.register_blueprint(auth_bp)
+    app.register_blueprint(main_bp)
+    app.teardown_appcontext(close_db)
+
+    with app.app_context():
+        init_db()
+
+    return app

RelayBoardCTF/backend/__main__.py

@@ -0,0 +1,9 @@
+import os
+
+from .wsgi import app
+
+
+if __name__ == "__main__":
+    host = os.environ.get("HOST", "0.0.0.0")
+    port = int(os.environ.get("PORT", "5000"))
+    app.run(host=host, port=port, debug=False)

RelayBoardCTF/backend/auth.py

@@ -0,0 +1,101 @@
+import sqlite3
+from functools import wraps
+
+from flask import Blueprint, abort, g, redirect, render_template, request, session, url_for
+from werkzeug.security import check_password_hash, generate_password_hash
+
+from .db import get_db
+
+
+auth_bp = Blueprint("auth", __name__)
+
+
+def current_user():
+    user_id = session.get("user_id")
+    if user_id is None:
+        return None
+    return get_db().execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
+
+
+def login_required(view):
+    @wraps(view)
+    def wrapped_view(**kwargs):
+        if current_user() is None:
+            return redirect(url_for("auth.login"))
+        return view(**kwargs)
+
+    return wrapped_view
+
+
+def admin_required(view):
+    @wraps(view)
+    def wrapped_view(**kwargs):
+        if session.get("role") != "admin":
+            abort(403)
+        return view(**kwargs)
+
+    return wrapped_view
+
+
+@auth_bp.before_app_request
+def load_logged_in_user():
+    g.user = current_user()
+
+
+@auth_bp.route("/register", methods=["GET", "POST"])
+def register():
+    error = None
+    if request.method == "POST":
+        username = request.form.get("username", "").strip()
+        password = request.form.get("password", "")
+
+        if not username or not password:
+            error = "Username and password are required."
+        else:
+            db = get_db()
+            try:
+                db.execute(
+                    "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
+                    (username, generate_password_hash(password), "user"),
+                )
+                db.commit()
+                user = db.execute(
+                    "SELECT * FROM users WHERE username = ?",
+                    (username,),
+                ).fetchone()
+                session.clear()
+                session["user_id"] = user["id"]
+                session["username"] = user["username"]
+                session["role"] = user["role"]
+                return redirect(url_for("main.index"))
+            except sqlite3.IntegrityError:
+                error = "That username is already taken."
+    return render_template("register.html", error=error)
+
+
+@auth_bp.route("/login", methods=["GET", "POST"])
+def login():
+    error = None
+    if request.method == "POST":
+        username = request.form.get("username", "").strip()
+        password = request.form.get("password", "")
+        user = get_db().execute(
+            "SELECT * FROM users WHERE username = ?",
+            (username,),
+        ).fetchone()
+
+        if user is None or not check_password_hash(user["password_hash"], password):
+            error = "Invalid credentials."
+        else:
+            session.clear()
+            session["user_id"] = user["id"]
+            session["username"] = user["username"]
+            session["role"] = user["role"]
+            return redirect(url_for("main.index"))
+    return render_template("login.html", error=error)
+
+
+@auth_bp.route("/logout")
+def logout():
+    session.clear()
+    return redirect(url_for("main.index"))

RelayBoardCTF/backend/config.py

@@ -0,0 +1,19 @@
+import os
+from pathlib import Path
+
+
+PACKAGE_ROOT = Path(__file__).resolve().parent
+PROJECT_ROOT = PACKAGE_ROOT.parent
+
+
+class Config:
+    SECRET_KEY = os.environ.get(
+        "RELAYBOARD_SECRET",
+        "relayboard-dev-secret-please-rotate",
+    )
+    DB_PATH = PROJECT_ROOT / "relayboard.db"
+    SNIPPET_DIR = PACKAGE_ROOT / "snippets"
+    FLAG_VALUE = os.environ.get(
+        "RELAYBOARD_FLAG",
+        "flag{night_shift_packets_need_real_boundaries}",
+    )