Share
## https://sploitus.com/exploit?id=31C32BF5-F1A7-5713-9CC5-1FF04BDCBF9E
# Database Security โ€“ CTF Vulnerability Lab

## SEC304 / CN5134 โ€“ Database Security Assignment 1

A Dockerized CTF-style lab environment containing **three distinct database vulnerabilities** spanning multiple course topics. Each vulnerability is exploitable and has a unique flag that proves successful exploitation.

---

## ๐Ÿ—๏ธ Architecture

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                        Docker Compose                            โ”‚
โ”‚                                                                  โ”‚
โ”‚  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”‚
โ”‚  โ”‚  vuln1-app      โ”‚  โ”‚  vuln2-app      โ”‚  โ”‚  vuln3-redis    โ”‚  โ”‚
โ”‚  โ”‚  Flask :8081    โ”‚  โ”‚  Flask :8082    โ”‚  โ”‚  Redis :6379   โ”‚  โ”‚
โ”‚  โ”‚  (NoSQL Inj.)   โ”‚  โ”‚  (Priv Esc.)    โ”‚  โ”‚  SSH   :8083   โ”‚  โ”‚
โ”‚  โ”‚       โ”‚         โ”‚  โ”‚       โ”‚         โ”‚  โ”‚  (RCE)          โ”‚  โ”‚
โ”‚  โ”‚       โ–ผ         โ”‚  โ”‚       โ–ผ         โ”‚  โ”‚                 โ”‚  โ”‚
โ”‚  โ”‚  vuln1-mongo    โ”‚  โ”‚  vuln2-postgres โ”‚  โ”‚                 โ”‚  โ”‚
โ”‚  โ”‚  MongoDB :27017 โ”‚  โ”‚  PostgreSQL     โ”‚  โ”‚                 โ”‚  โ”‚
โ”‚  โ”‚                 โ”‚  โ”‚  :5433          โ”‚  โ”‚                 โ”‚  โ”‚
โ”‚  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ”‚
โ”‚     vuln1-net            vuln2-net            vuln3-net          โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

## ๐Ÿ“‹ Vulnerability Summary

| #   | Name                          | Category            | DB          | Severity   | Flag |
|-----|-------------------------------|---------------------|-------------|------------|------|
| 1   | NoSQL Injection               | Injection           | MongoDB 6.0 | Critical (9.8) | `FLAG{nosql_injection_mongo_bypass}` |
| 2   | SECURITY DEFINER Priv Esc     | Privilege Escalation| PostgreSQL 15| High (8.8) | `FLAG{security_definer_privesc_pg}` |
| 3   | Unauthenticated Redis RCE     | In-Memory Database  | Redis       | Critical (9.8) | `FLAG{redis_unauthenticated_rce_config_write}` |

## ๐Ÿš€ Quick Start

### Prerequisites

- Docker & Docker Compose (v2+)
- Python 3.8+ (for solve scripts)
- `ssh-keygen` and `ssh` client (for Vuln 3)

### Setup

```bash
# Clone the repository
git clone 
cd assignment1-vuln-lab

# Start all services
docker compose up --build -d

# Verify services are running
docker compose ps
```

### Verify Services

| Service        | URL / Port                     | Expected Response |
|----------------|-------------------------------|-------------------|
| Vuln 1 (Web)   | http://localhost:8081          | Login page        |
| Vuln 1 (Health) | http://localhost:8081/health  | `{"status":"ok"}` |
| Vuln 2 (Web)   | http://localhost:8082          | Employee search   |
| Vuln 2 (Health) | http://localhost:8082/health  | `{"status":"ok"}` |
| Vuln 3 (Redis)  | `redis-cli -p 6379 PING`     | `PONG`            |

### Stop

```bash
docker compose down -v
```

---

## ๐Ÿด Exploitation

Each vulnerability has:
- A `WRITEUP.md` with full root cause analysis, kill chain, and exploitation steps
- A `solve/exploit.py` script that captures the flag automatically

### Vuln 1 โ€“ NoSQL Injection

```bash
cd vuln1/solve
pip install requests
python exploit.py
```

### Vuln 2 โ€“ SECURITY DEFINER Privilege Escalation

```bash
cd vuln2/solve
pip install requests
python exploit.py
```

### Vuln 3 โ€“ Redis Unauthenticated RCE

```bash
cd vuln3/solve
python exploit.py
```

---

## ๐Ÿ“ Repository Structure

```
assignment1-vuln-lab/
โ”œโ”€โ”€ docker-compose.yml
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ vuln1/                          # NoSQL Injection (MongoDB)
โ”‚   โ”œโ”€โ”€ Dockerfile
โ”‚   โ”œโ”€โ”€ WRITEUP.md
โ”‚   โ”œโ”€โ”€ src/
โ”‚   โ”‚   โ”œโ”€โ”€ app.py                  # Vulnerable Flask app
โ”‚   โ”‚   โ””โ”€โ”€ requirements.txt
โ”‚   โ”œโ”€โ”€ init/
โ”‚   โ”‚   โ””โ”€โ”€ init-mongo.js           # MongoDB seed data
โ”‚   โ””โ”€โ”€ solve/
โ”‚       โ””โ”€โ”€ exploit.py              # Automated exploit
โ”œโ”€โ”€ vuln2/                          # Privilege Escalation (PostgreSQL)
โ”‚   โ”œโ”€โ”€ Dockerfile
โ”‚   โ”œโ”€โ”€ WRITEUP.md
โ”‚   โ”œโ”€โ”€ src/
โ”‚   โ”‚   โ”œโ”€โ”€ app.py                  # Flask app calling SECURITY DEFINER func
โ”‚   โ”‚   โ””โ”€โ”€ requirements.txt
โ”‚   โ”œโ”€โ”€ init/
โ”‚   โ”‚   โ””โ”€โ”€ init.sql                # Schema with vulnerable function
โ”‚   โ””โ”€โ”€ solve/
โ”‚       โ””โ”€โ”€ exploit.py              # Automated exploit
โ”œโ”€โ”€ vuln3/                          # In-Memory DB RCE (Redis)
โ”‚   โ”œโ”€โ”€ Dockerfile
โ”‚   โ”œโ”€โ”€ WRITEUP.md
โ”‚   โ”œโ”€โ”€ src/
โ”‚   โ”‚   โ””โ”€โ”€ entrypoint.sh           # Starts Redis + SSH
โ”‚   โ”œโ”€โ”€ config/
โ”‚   โ”‚   โ””โ”€โ”€ redis.conf              # Insecure Redis config
โ”‚   โ””โ”€โ”€ solve/
โ”‚       โ””โ”€โ”€ exploit.py              # Automated exploit (SSH key write)
โ””โ”€โ”€ report/
    โ””โ”€โ”€ (Assignment1 Report.pdf)    # Penetration testing report
```

## ๐Ÿ› ๏ธ Technologies Used

| Component   | Technology         | Version |
|-------------|--------------------|---------|
| Container   | Docker Compose     | v2+     |
| Vuln 1 DB   | MongoDB            | 6.0     |
| Vuln 2 DB   | PostgreSQL         | 15      |
| Vuln 3 DB   | Redis              | Latest  |
| App Framework| Flask (Python)    | 3.0.0   |
| Language     | Python             | 3.11    |