ziaddevv/db-security-ctf

Database Security – CTF Vulnerability Lab

SEC304 / CN5134 – Database Security Assignment 1

A Dockerized CTF-style lab environment containing three distinct database vulnerabilities spanning multiple course topics. Each vulnerability is exploitable and has a unique flag that proves successful exploitation.


🏗️ Architecture

┌──────────────────────────────────────────────────────────────────┐
│                        Docker Compose                            │
│                                                                  │
│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐  │
│  │  vuln1-app      │  │  vuln2-app      │  │  vuln3-redis    │  │
│  │  Flask :8082    │  │  Flask :8081    │  │  Redis :6379    │  │
│  │  (NoSQL Inj.)   │  │  (Priv Esc.)    │  │  SSH   :8083    │  │
│  │       │         │  │       │         │  │  (RCE)          │  │
│  │       ▼         │  │       ▼         │  │                 │  │
│  │  vuln1-mongo    │  │  vuln2-postgres │  │                 │  │
│  │  MongoDB :27017 │  │  PostgreSQL     │  │                 │  │
│  │                 │  │  :5433          │  │                 │  │
│  └─────────────────┘  └─────────────────┘  └─────────────────┘  │
│     vuln1-net            vuln2-net            vuln3-net          │
└──────────────────────────────────────────────────────────────────┘

📋 Vulnerability Summary

| # | Name | Category | DB | Severity | Flag |
|---|------|----------|----|----------|------|
| 1 | NoSQL Injection | Injection | MongoDB 6.0 | High (7.5) | FLAG{nosql_injection_mongo_bypass} |
| 2 | SECURITY DEFINER Priv Esc | Privilege Escalation | PostgreSQL 15 | High (8.8) | FLAG{security_definer_privesc_pg} |
| 3 | Unauthenticated Redis RCE | In-Memory Database | Redis | Critical (9.8) | FLAG{redis_unauthenticated_rce_config_write} |

🚀 Quick Start

Prerequisites

  • Docker & Docker Compose (v2+)
  • Python 3.8+ (for solve scripts)
  • ssh-keygen and ssh client (for Vuln 3)

Setup

# Clone the repository
git clone <repo-url>
cd assignment1-vuln-lab

# Start all services
docker compose up --build -d

# Verify services are running
docker compose ps

Verify Services

| Service | URL / Port | Expected Response |
|---------|------------|-------------------|
| Vuln 1 (Web) | http://localhost:8081 | Login page |
| Vuln 1 (Health) | http://localhost:8081/health | {"status":"ok"} |
| Vuln 2 (Web) | http://localhost:8082 | Employee search |
| Vuln 2 (Health) | http://localhost:8082/health | {"status":"ok"} |
| Vuln 3 (Redis) | redis-cli -p 6379 PING | PONG |

Stop

docker compose down -v

🏴 Exploitation

Each vulnerability has:

  • A WRITEUP.md with full root cause analysis, kill chain, and exploitation steps
  • A solve/exploit.py script that captures the flag automatically

Vuln 1 – NoSQL Injection

cd vuln1/solve
pip install requests
python exploit.py

Vuln 2 – SECURITY DEFINER Privilege Escalation

cd vuln2/solve
pip install requests
python exploit.py

Vuln 3 – Redis Unauthenticated RCE

cd vuln3/solve
python exploit.py
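
For the defensive side of Vuln 3, here is an added example that is not part of this repository: a small auditor that flags the redis.conf settings which leave a Redis instance unauthenticated and reconfigurable over the network. Both sample configs are constructed for illustration and are not the lab's vuln3/config/redis.conf; the function names and finding codes are hypothetical.

```python
import ipaddress

# Constructed samples for illustration; NOT the lab's vuln3/config/redis.conf.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "constructed-long-random-secret"
rename-command CONFIG ""
"""

def parse(conf_text):
    """Map each directive (lower-cased) to the list of its argument lists."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            directives.setdefault(name.lower(), []).append(args)
    return directives

def is_loopback(addr):
    try:  # a leading "-" marks an optional address in redis.conf bind lists
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False  # "*" or a hostname: treat as exposed

def audit(conf_text):
    """Return finding codes; ACL users (Redis 6+) are not evaluated here."""
    d = parse(conf_text)
    findings = []
    if not any(a and a[0].strip('"\'') for a in d.get("requirepass", [])):
        findings.append("no-requirepass")
    if any(a[:1] == ["no"] for a in d.get("protected-mode", [])):
        findings.append("protected-mode-off")
    binds = [addr for a in d.get("bind", []) for addr in a]
    if not binds or not all(is_loopback(b) for b in binds):
        findings.append("non-loopback-bind")  # no bind line means all interfaces
    renamed = {a[0].upper() for a in d.get("rename-command", []) if a}
    if "CONFIG" not in renamed:
        findings.append("config-command-exposed")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

Inside a container a wildcard bind is common, so treat "non-loopback-bind" as a prompt to check which ports the compose file publishes to the host.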

📁 Repository Structure

assignment1-vuln-lab/
├── docker-compose.yml
├── README.md
├── vuln1/                          # NoSQL Injection (MongoDB)
│   ├── Dockerfile
│   ├── WRITEUP.md
│   ├── src/
│   │   ├── app.py                  # Vulnerable Flask app
│   │   └── requirements.txt
│   ├── init/
│   │   └── init-mongo.js           # MongoDB seed data
│   └── solve/
│       └── exploit.py              # Automated exploit
├── vuln2/                          # Privilege Escalation (PostgreSQL)
│   ├── Dockerfile
│   ├── WRITEUP.md
│   ├── src/
│   │   ├── app.py                  # Flask app calling SECURITY DEFINER func
│   │   └── requirements.txt
│   ├── init/
│   │   └── init.sql                # Schema with vulnerable function
│   └── solve/
│       └── exploit.py              # Automated exploit
├── vuln3/                          # In-Memory DB RCE (Redis)
│   ├── Dockerfile
│   ├── WRITEUP.md
│   ├── src/
│   │   └── entrypoint.sh           # Starts Redis + SSH
│   ├── config/
│   │   └── redis.conf              # Insecure Redis config
│   └── solve/
│       └── exploit.py              # Automated exploit (SSH key write)
└── report/
    └── (Assignment1 Report.pdf)    # Penetration testing report

🛠️ Technologies Used

| Component | Technology | Version |
|-----------|------------|---------|
| Container | Docker Compose | v2+ |
| Vuln 1 DB | MongoDB | 6.0 |
| Vuln 2 DB | PostgreSQL | 15 |
| Vuln 3 DB | Redis | Latest |
| App Framework | Flask (Python) | 3.0.0 |
| Language | Python | 3.11 |
