There is a new TryHackMe ‘room’ (I still hate that term) called Plotted-TMS. This post is sort of about that, but not really. First, let’s get the Plotted-TMS bit out of the way. I have had a quick look at it but it’s under-provisioned on the free tier so it starts out painfully slow and quickly gets worse. Once it became unresponsive twice (i.e. the original instance and a reboot), I stopped persisting with it - not that it is really the point. What I did see was that the website was running an Online Traffic Management System with source code taken from sourcecodetester.

And, I noticed the author was someone called oretnom23.

Now, I’ve seen code from this person(?) before, although I don’t remember exactly where - but it was definitely in a CTF from one of the platforms I use - THM, VulnHub, maybe HackMyVM.

So it got me wondering, who is this person and why are they churning out vulnerable webapps?

On sourcecodetester, oretnom23 has nine pages of ‘activity’, most of which is some sort of PHP/MySQL ‘system’. Here are some examples:

Simple Online Leave Management System
Simple Realtime Quiz System
Lot Reservation Management System
Seat Reservation System for Movie Theater
Computer and Mobile Repair Shop Management System
Simple Online Food Ordering System

There are dozens of these things, all uploaded relatively recently and many with the same upload date. On their github there are 40 repos of the same flavour, mostly dating from early 2021. Hey, the pandemic gave us some spare time, right?

I assume most of these suffer from some sort of SQLi and/or file upload vulnerability, which is why they are fodder for CTFs. But why? WHY?

Is oretnom23 building a portfolio to show off their dev skills, but ignoring good security practices?

Is oretnom23 building deliberately vulnerable webapps for CTF practice?

Is oretnom23 building deliberately vulnerable webapps for some other reason, such as trying to create CVEs? Try googling ‘oretnom23 exploit-db’ and watch the shite pile up:

Online Railway Reservation System 1.0 - Exploit-DB › exploitsBlock this site
10 Jan 2022 — #Exploit Title: Online Railway Reservation System 1.0 - Admin Account Creation (Unauthenticated) #Date: 07/01/2022 #Exploit Author: Zachary ...

Church Management System 1.0 - 'search' SQL Injection ... › exploitsBlock this site
20 Sept 2021 — ... Vendor: oretnom23 # Version: v1.0 # Tested on: Linux, Apache, Mysql # Exploit Description: Church Management System 1.0 suffers from an ...

Online Learning System 2.0 - Remote Code Execution (RCE) › exploitsBlock this site
16 Nov 2021 — ... Remote Code Execution (RCE) # Date: 15/11/2021 # Exploit Author: djebbaranon # Vendor Homepage: # Software ...

Laundry Booking Management System 1.0 - Exploit-DB › exploitsBlock this site
30 Nov 2021 — Exploit Title: Laundry Booking Management System 1.0 - Remote Code Execution (RCE) # Date: 29/11/2021 # Exploit Author: Pablo Santiago ...

Online Motorcycle (Bike) Rental System 1.0 - Exploit-DB › exploitsBlock this site
19 Oct 2021 — ... Mysql # Vendor: oretnom23 # Version: v1.0 # Exploit Description: # Online Motorcycle (Bike) Rental System is vulnerable to a Blind ...

Library Management System 1.0 - Blind Time-Based SQL ... › exploitsBlock this site
17 Sept 2021 — ... .com/sites/default/files/download/oretnom23/ ... SQL Injection Vulnerability allowing remote attackers to dump the ...

Hospitals Patient Records Management System 1.0 - 'id' SQL ... › exploitsBlock this site
5 Jan 2022 — Exploit Title: Hospitalss Patient Records Management System 1.0 ... .com/sites/default/files/download/oretnom23/ # Version: v1.0 ...

# etc, etc

Is oretnom23 even a real person, or are these almost carbon copy webapps somehow generated procedurally?

And an even better question, why the hell does anyone think these make good CTF challenges? They are (deliberately or negligently) vulnerable but not apparently described as vulnerable so I guess that’s a thing….but they’re ALL THE SAME.

I understand it’s not necessarily easy to come up with new stuff. But hooboy anybody making a CTF like this should add a disclaimer on the front that it’s more of the same old stuff from old mate oretnom23. And then I’d know not to waste my time.