So dumbass me, who only messes with CTFd in the week or so leading up to the monthly meeting, of course forgot the username and password for my administrator account on my CTFd server. [This is the server that keeps track of scores for people who have solved exploit challenges].
Of course the damn thing is in a Docker container, and everyone knows I’m a Docker n00b. But I’m determined, so I forge ahead.
I get into the docker container…
docker exec -it /bin/sh
I know it’s not running a database server, so I start poking around in the CTFd directory, and find ctfd.db, a sqlite database file. Jackpot.
I copy the file out of the docker container, because the sqlite command-line tools are not installed:
# docker cp (docker id):/opt/CTFd/CTFd/ctfd.db /tmp
At that point I just opened SQLite to it…
sqlite3 /tmp/ctfd.db
Let’s see what the schema looks like.
.schema
OK, so there’s a users table, but no admins table. Let’s look at users:
select * from users;
OK, there’s my admin account, now I know what the username was, it was one of the three I thought it would be. And there’s a column called “type” which seems to be either “user” or “admin” … The password column is encrypted, so that doesn’t help me.
So I register a new user in the web UI, give it a password, then go back to check my users table. Sure enough, there’s now an admin and a user. Let’s fix that.
update users set type=’admin’;
This would have been more finetuned had more users existed, but in my case there were no regular users but the one I created.
Back to the web UI, login as my new user, and sure enough, I have full admin rights. I don’t know what I was thinking or what I was drinking when I set that up the first time, but tragedy has been averted yet again.
And yes, I could have just rebuilt it, but all the flags for the vulnerable VMs are stored in it.