First commit

1c99af9e · Raul Barreras · 1c99af9e · 1c99af9e · 1c99af9e · 1c99af9e
Commit 1c99af9e authored 1 year ago by Raul Barreras
--- a/.gitignore
+++ b/.gitignore
+# Based on https://www.toptal.com/developers/gitignore/api/python,visualstudiocode
+# 
+### Python ###
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+# C extensions
+*.so
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+# Translations
+*.mo
+*.pot
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+# Flask stuff:
+instance/
+.webassets-cache
+# Scrapy stuff:
+.scrapy
+# Sphinx documentation
+docs/_build/
+# PyBuilder
+.pybuilder/
+target/
+# Jupyter Notebook
+.ipynb_checkpoints
+# IPython
+profile_default/
+ipython_config.py
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+# SageMath parsed files
+*.sage.py
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+# Spyder project settings
+.spyderproject
+.spyproject
+# Rope project settings
+.ropeproject
+# mkdocs documentation
+/site
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+# Pyre type checker
+.pyre/
+# pytype static type analyzer
+.pytype/
+# Cython debug symbols
+cython_debug/
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+### Python Patch ###
+# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration
+poetry.toml
+# ruff
+.ruff_cache/
+# LSP config files
+pyrightconfig.json
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+# Local History for Visual Studio Code
+.history/
+# Built Visual Studio Code Extensions
+*.vsix
+### VisualStudioCode Patch ###
+# Ignore all local history of files
+.history
+.ionide
+### Dot env
+.envrc
+### Flakehaeven
+.flakeheaven_cache
\ No newline at end of file
--- a/Dockerfile
+++ b/Dockerfile
+FROM python:3.12-slim-bookworm
+RUN apt update \
+      && apt-get clean \
+      && rm -rf /var/lib/apt/lists/* 
+WORKDIR /app
+COPY src/app/ /app
+COPY src/requirements.txt /tmp/requirements.txt
+RUN python -m pip install --upgrade pip \
+      && pip install --no-cache-dir -r /tmp/requirements.txt
+RUN echo "FLAG{$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)}" > /app/flag.txt
+ENV FLAG_PATH /app/flag.txt
+EXPOSE 5000
+CMD [ "python", "app.py" ]
--- a/Makefile
+++ b/Makefile
+APP=opt-out-enigma.py
+PORT=5000
+help: ## Show this help
+	@awk 'BEGIN {FS = ":.*##"; printf "\nusage:  make \033[36m\033[0m<target>\n"} /^[a-zA-Z0-9_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+.PHONY: help
+build: ## Build container
+	@echo -e "\033[1;33m\n[i] Building the program\033[0m\n"
+	@docker build --rm --tag=${APP} .
+	@echo -e "\033[1;32m\n[i] Done! Program is ready to run\033[0m\n"
+.PHONY: build
+run: build ## Run application
+	docker run -p ${PORT}:5000 --rm ${APP}
+.PHONY: run
+stop: ## Stop the application
+	@docker stop ${APP} 2>/dev/null || true
+.PHONY: stop
+run-daemon: build stop ## Run application in background
+	@echo -n "\033[1;33m\n[i] Starting container "
+	@docker run -d -p 5000:5000 --rm --name ${APP} ${APP} 
+	@echo "Visit: http://$$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${APP}):${PORT}/ and enjoy the app!"
+.PHONY: run-daemon
+clean:
+	docker image rm ${APP}
--- a/src/app/app.py
+++ b/src/app/app.py
+import os
+from flask import Flask, request, render_template
+from markupsafe import escape
+from jinja2 import Environment
+app = Flask(__name__)
+Jinja2 = Environment()
+@app.route("/")
+def index():
+    return render_template('index.html')
+@app.route("/email-settings/opt-out")
+def email_opt_out():
+    email = request.values.get("email")
+    output = Jinja2.from_string('You have opted out ' + email + 
+                                ' from our service.' + 
+                                '<p>Go back to <a href="/">home</a>.</p>').render()
+    return output
+@app.route("/source-code")
+def source_code():
+    current_file_path = os.path.abspath(__file__)
+    with open(current_file_path, "r", encoding="utf-8") as file:
+        app_code = file.read()
+    escaped_code = escape(app_code)
+    return render_template('source_code.html', escaped_code=escaped_code, app_name=os.path.basename(current_file_path))
+if __name__ == "__main__":
+    app.run(host="0.0.0.0", port=5000, debug=True)
--- a/src/app/templates/index.html
+++ b/src/app/templates/index.html
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Email Opt-Out</title>
+</head>
+<body>
+    <h1>Email Opt-Out</h1>
+    <form action="/email-settings/opt-out" method="GET">
+        <label for="email">Enter your email if you don't want to receive our newsletter:</label>
+        <input type="email" id="email" name="email" required>
+        <button type="submit">Opt-Out</button>
+    </form>
+    <br>
+    <p>or just capture the flag...<p>
+    <hr>
+    <p>Show <a href="/source-code">application code</a>.</p>
+</body>
+</html>
--- a/src/app/templates/source_code.html
+++ b/src/app/templates/source_code.html
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>{{app_name}}</title>
+</head>
+<body>
+    <h1>{{app_name}}</h1>
+    <pre><code>{{ escaped_code }}</code></pre>
+    <br>
+    <p>Go back to <a href="/">home</a>.</p>
+</body>
+</html>
--- a/src/requirements.txt
+++ b/src/requirements.txt
+blinker==1.7.0
+click==8.1.7
+Flask==3.0.0
+itsdangerous==2.1.2
+Jinja2==3.1.2
+MarkupSafe==2.1.3
+Werkzeug==3.0.1