google · HlynurOskar · Dec 6, 2023
diff --git a/php/laravel/CVE-2018-15133/Dockerfile b/php/laravel/CVE-2018-15133/Dockerfile
@@ -0,0 +1,57 @@
+FROM php:7.2.34-buster
+
+ENV COMPOSER_BIN /usr/local/bin/composer/composer.phar
+ENV APP_ROOT /var/www/html/laravel
+ENV ROUTES_DIR $APP_ROOT/routes
+
+RUN apt-get update
+RUN apt-get install -y autoconf pkg-config libssl-dev wget \
+  curl \
+  git \
+  grep \
+  nginx \
+  libmemcached-dev \
+  libxml2-dev \
+  autoconf \
+  vim
+
+RUN docker-php-ext-install mysqli mbstring pdo pdo_mysql tokenizer xml
+
+# Install Laravel dependencies
+RUN apt-get install -y \
+        libfreetype6-dev \
+        libjpeg62-turbo-dev \
+        zlib1g-dev \
+        unzip \
+        git
+
+RUN docker-php-ext-install iconv mbstring \
+    && docker-php-ext-install zip \
+    && docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ \
+    && docker-php-ext-install gd
+
+# Install composer, a package manager for PHP. Note that Composer 1 is needed to
+# avoid installation error (https://github.com/composer/composer/issues/9340).
+RUN curl -sS https://getcomposer.org/installer | php \
+    && mkdir -p /usr/local/bin/composer \
+    && mv composer.phar $COMPOSER_BIN \
+    && $COMPOSER_BIN self-update --1
+
+# Clone the latest laravel/laravel repo but install the vulnerable
+# laravel/framework version
+RUN git clone --branch 'v5.6.33' https://github.com/laravel/laravel.git $APP_ROOT \
+    && cd $APP_ROOT \
+    && sed -i -e 's;.*laravel/framework.*";"laravel/framework": "5.6.29";g' composer.json \
+    && $COMPOSER_BIN install
+
+# Add a POST route so we can trigger the vulnerability:
+RUN mkdir -p $ROUTES_DIR
+RUN echo "Route::post('/', function() {return view('welcome');});" >> $ROUTES_DIR/web.php
+
+# Fix up local .env file
+RUN cp $APP_ROOT/.env.example $APP_ROOT/.env \
+    && sed -i -e "s;^APP_KEY=.*$;APP_KEY=base64:9UZUmEfHhV7WXXYewtNRtCxAYdQt44IAgJUKXk2ehRk=;" $APP_ROOT/.env \
+    && echo "WARNING: USING HARD CODED APP_KEY" && grep "^APP_KEY" $APP_ROOT/.env
+
+EXPOSE 8000 8000
+ENTRYPOINT ["/usr/local/bin/php", "/var/www/html/laravel/artisan", "serve", "--host=0.0.0.0"]
diff --git a/php/laravel/CVE-2018-15133/README.md b/php/laravel/CVE-2018-15133/README.md
@@ -0,0 +1,3 @@
+# Laravel CVE-2018-15133
+
+In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
diff --git a/php/laravel/CVE-2018-15133/challenge.yaml b/php/laravel/CVE-2018-15133/challenge.yaml
@@ -0,0 +1,18 @@
+apiVersion: kctf.dev/v1
+kind: Challenge
+metadata:
+  name: laravel-cve-2018-15133
+spec:
+  deployed: true
+  powDifficultySeconds: 0
+  network:
+    public: false
+    ports:
+    - protocol: "TCP"
+      targetPort: 80
+    - protocol: "HTTPS"
+      targetPort: 80
+  healthcheck:
+    # TIP: disable the healthcheck during development
+    enabled: true
+
diff --git a/php/laravel/CVE-2018-15133/challenge/Dockerfile b/php/laravel/CVE-2018-15133/challenge/Dockerfile
@@ -0,0 +1,60 @@
+FROM php:7.2.34-buster
+
+EXPOSE 80
+
+ENV COMPOSER_BIN /usr/local/bin/composer/composer.phar
+ENV APP_ROOT /var/www/html/laravel
+ENV ROUTES_DIR $APP_ROOT/routes
+
+RUN apt-get update
+RUN apt-get install -y autoconf pkg-config libssl-dev wget \
+  curl \
+  git \
+  grep \
+  nginx \
+  libmemcached-dev \
+  libxml2-dev \
+  autoconf \
+  vim
+
+RUN docker-php-ext-install mysqli mbstring pdo pdo_mysql tokenizer xml
+
+# Install Laravel dependencies
+RUN apt-get install -y \
+        libfreetype6-dev \
+        libjpeg62-turbo-dev \
+        zlib1g-dev \
+        unzip \
+        git
+
+RUN docker-php-ext-install iconv mbstring \
+    && docker-php-ext-install zip \
+    && docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ \
+    && docker-php-ext-install gd
+
+# Install composer, a package manager for PHP. Note that Composer 1 is needed to
+# avoid installation error (https://github.com/composer/composer/issues/9340).
+RUN curl -sS https://getcomposer.org/installer | php \
+    && mkdir -p /usr/local/bin/composer \
+    && mv composer.phar $COMPOSER_BIN \
+    && $COMPOSER_BIN self-update --1
+
+# Clone the latest laravel/laravel repo but install the vulnerable
+# laravel/framework version
+RUN git clone --branch 'v5.6.33' https://github.com/laravel/laravel.git $APP_ROOT \
+    && cd $APP_ROOT \
+    && sed -i -e 's;.*laravel/framework.*";"laravel/framework": "5.6.29";g' composer.json \
+    && $COMPOSER_BIN install
+
+# Add a POST route so we can trigger the vulnerability:
+RUN mkdir -p $ROUTES_DIR
+RUN echo "Route::post('/', function() {return view('welcome');});" >> $ROUTES_DIR/web.php
+
+# Fix up local .env file
+RUN cp $APP_ROOT/.env.example $APP_ROOT/.env \
+    && sed -i -e "s;^APP_KEY=.*$;APP_KEY=base64:9UZUmEfHhV7WXXYewtNRtCxAYdQt44IAgJUKXk2ehRk=;" $APP_ROOT/.env \
+    && echo "WARNING: USING HARD CODED APP_KEY" && grep "^APP_KEY" $APP_ROOT/.env
+
+COPY ./start.sh /tmp    
+
+CMD kctf_setup && /tmp/start.sh
diff --git a/php/laravel/CVE-2018-15133/challenge/start.sh b/php/laravel/CVE-2018-15133/challenge/start.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+/usr/local/bin/php /var/www/html/laravel/artisan serve --host=0.0.0.0 --port=80
diff --git a/php/laravel/CVE-2018-15133/laravel-2018-15133.yaml b/php/laravel/CVE-2018-15133/laravel-2018-15133.yaml
@@ -0,0 +1,40 @@
+# k8s LoadBalancer Service exposing the vulnerable Laravel app.
+apiVersion: v1
+kind: Service
+metadata:
+  name: laravel-cve-2018-15133
+  labels:
+    app: laravel-cve-2018-15133
+spec:
+  ports:
+  - port: 8000
+    name: http
+  selector:
+    app: laravel-cve-2018-15133
+  type: LoadBalancer
+---
+# The Laravel app.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: laravel-cve-2018-15133
+  labels:
+    app: laravel-cve-2018-15133
+spec:
+  selector:
+    matchLabels:
+      app: laravel-cve-2018-15133
+      tier: frontend
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: laravel-cve-2018-15133
+        tier: frontend
+    spec:
+      containers:
+      - name: laravel-cve-2018-15133
+        image: gcr.io/tsunami-testbed/exposed_laravel_app:latest
+        ports:
+        - containerPort: 8000
diff --git a/php/phpunit/CVE-2017-9841/challenge.yaml b/php/phpunit/CVE-2017-9841/challenge.yaml
@@ -0,0 +1,28 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kctf.dev/v1
+kind: Challenge
+metadata:
+  name: phpunit-cve-2017-9841
+spec:
+  deployed: true
+  powDifficultySeconds: 0
+  network:
+    public: false
+    ports:
+      - protocol: "TCP"
+        targetPort: 80
+      - protocol: "HTTPS"
+        targetPort: 80
diff --git a/php/phpunit/CVE-2017-9841/challenge/Dockerfile b/php/phpunit/CVE-2017-9841/challenge/Dockerfile
@@ -0,0 +1,15 @@
+FROM php:7.2-alpine3.9
+
+EXPOSE 80
+
+# Install composer
+RUN curl -sS https://getcomposer.org/installer | php
+RUN mv composer.phar /usr/local/bin/composer
+
+# Install vulnerable package
+RUN composer require phpunit/phpunit:5.6.2
+
+# Start up the application when the container is started
+COPY ./start.sh /tmp    
+
+CMD kctf_setup && /tmp/start.sh
diff --git a/php/phpunit/CVE-2017-9841/challenge/start.sh b/php/phpunit/CVE-2017-9841/challenge/start.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+php -S 0.0.0.0:80