
This challenge exposes two components:

The application is fairly simple: a basic CRUD app that lets users create and share text notes:

Notes can be shared with external users:

When a note is shared, the Flask application saves the note as a file inside the webroot:

The PHP application is hardened with Snuffleupagus, a PHP security module that lets the developer harden or disable specific PHP features.
It is loaded into the PHP process as a native extension (.so file) and hooks the targeted PHP functions to enforce its rules at call time.
The following configuration file is used for the challenge:
sp.global.secret_key("FCSC{FAKE_FLAG1}");
sp.xxe_protection.enable();
sp.unserialize_hmac.enable();
sp.disable_function.function("assert").drop();
sp.disable_function.function("create_function").drop();
sp.disable_function.function("mail").param("additional_params").value_r("\\\\-").drop();
sp.disable_function.function("system").drop();
sp.disable_function.function("shell_exec").drop();
sp.disable_function.function("exec").drop();
sp.disable_function.function("proc_open").drop();
sp.disable_function.function("passthru").drop();
sp.disable_function.function("popen").drop();
sp.disable_function.function("pcntl_exec").drop();
sp.disable_function.function("file_put_contents").drop();
sp.disable_function.function("rename").drop();
sp.disable_function.function("copy").drop();
sp.disable_function.function("move_uploaded_file").drop();
sp.disable_function.function("ZipArchive::__construct").drop();
sp.disable_function.function("DateInterval::__construct").drop();
It disables the PHP sinks that execute system commands (system, exec, shell_exec, passthru, popen, proc_open, pcntl_exec), the usual file-writing primitives (file_put_contents, rename, copy, move_uploaded_file), the code-evaluation helpers assert and create_function, and two constructors (ZipArchive, DateInterval). The mail rule only blocks calls whose additional_params contain a dash, i.e. extra sendmail options. Each .drop() rule aborts the request as soon as the matching call is made.
The remaining rules target deserialization and XML parsing: sp.unserialize_hmac appends an HMAC to the output of serialize(), keyed with sp.global.secret_key, so that unserialize() refuses any payload that was not produced with that key (the key shown in the published config is a placeholder), and sp.xxe_protection disables external entity loading.
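To make the unserialize_hmac rule concrete, here is an added Python model of the mechanism, written for this page and not taken from Snuffleupagus or from the challenge code. It reproduces a small subset of PHP's serialize() format (None, bool, int, str, list, dict are assumed to be enough for the demonstration) and appends a hex HMAC-SHA256 keyed with the config's secret key; the exact byte layout Snuffleupagus uses is not claimed here, only the property that matters: without the key, editing the serialized object is detected, and with the key an attacker can re-sign whatever object they like.

```python
import hashlib
import hmac

# Secret taken from the challenge config; the published value is a placeholder.
SECRET_KEY = b"FCSC{FAKE_FLAG1}"
TAG_LEN = 64  # hex-encoded HMAC-SHA256 appended to the serialized payload (assumed layout)


def php_serialize(value) -> bytes:
    """Minimal PHP serialize() for None/bool/int/str/list/dict (assumed subset)."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):  # must come before int: bool is a subclass of int
        return b"b:%d;" % int(value)
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode()
        return b's:%d:"%s";' % (len(raw), raw)  # PHP counts bytes, not characters
    if isinstance(value, list):
        value = dict(enumerate(value))  # PHP arrays are ordered maps
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(f"unsupported type: {type(value).__name__}")


def sign(payload: bytes, key: bytes = SECRET_KEY) -> bytes:
    """What a serialize() call would return with unserialize_hmac enabled (model)."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + tag


def verify(signed: bytes, key: bytes = SECRET_KEY) -> bytes:
    """What unserialize() would check before parsing: return the payload or refuse."""
    if len(signed) <= TAG_LEN:
        raise ValueError("too short to carry an HMAC")
    payload, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC mismatch, unserialize() would be refused")
    return payload


def tamper_demo():
    """Constructed scenario: flip an admin flag without the key, then with it.

    Returns (rejected_without_key, accepted_with_key).
    """
    session = {"user": "guest", "admin": False}
    signed = sign(php_serialize(session))

    # Attacker edits the serialized bytes directly (no key): b:0; -> b:1;
    forged_no_key = signed.replace(b"b:0;", b"b:1;")
    try:
        verify(forged_no_key)
        rejected = False
    except ValueError:
        rejected = True

    # Attacker who recovered the secret key simply re-signs the modified object.
    escalated = php_serialize({"user": "guest", "admin": True})
    accepted = verify(sign(escalated)) == escalated
    return rejected, accepted


if __name__ == "__main__":
    print(tamper_demo())
```

The last step is the point of the FAKE_FLAG1 placeholder: the HMAC is only as strong as the secrecy of sp.global.secret_key, so any primitive that leaks the running configuration turns the unserialize protection into a forgery oracle.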