icectf / coldcore

A CTF platform used in IceCTF 2016

Home Page: http://icec.tf

License: Other

Python 48.63% JavaScript 12.06% CSS 2.10% HTML 37.21%
ctf-platform ctf python ctf-scoreboard coldcore icectf platform competition

coldcore's Introduction

ColdCore

This is the platform for IceCTF. It is based off of the platform for TJCTF, TJCSec/ctf-platform, although with hefty changes.

Installation

Install dependencies with pip3 install -r requirements.txt.

Edit config.py to your liking. The variable names should be fairly self-explanatory.

You're going to want to create a file called secrets. It will look like this:

mailgun_url: https://api.mailgun.net/v3/tjctf.org
mailgun_key: key-asdflkjasdhflkjsdahflkhsdaklfjhasd
recaptcha_key: asdlkfjhasdlkjfhlsdakjfh
recaptcha_secret: sdakjfhsdalkfjhsdalkfjh
key: this can be anything you want, it is your flask secret_key
shell_host: shell
shell_username: shellaccounts
shell_privkey: path to private key used to log in
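
One way to generate and check the secrets file described above, as an added example that is not part of the ColdCore code. It assumes the file is plain name: value lines as shown; the helper names, the 32-character minimum and the whitespace heuristic are assumptions made here.

```python
import os
import secrets
import stat

# Constructed sample: the README's placeholder file, shortened.
README_SAMPLE = """\
mailgun_url: https://api.mailgun.net/v3/tjctf.org
mailgun_key: key-asdflkjasdhflkjsdahflkhsdaklfjhasd
recaptcha_secret: sdakjfhsdalkfjhsdalkfjh
key: this can be anything you want, it is your flask secret_key
"""
SENSITIVE = ("mailgun_key", "recaptcha_secret", "key")
MIN_KEY_LEN = 32  # assumption: shortest acceptable Flask secret_key

def parse_secrets(text):
    """Parse 'name: value' lines, splitting on the first colon only."""
    cfg = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition(":")
            cfg[name.strip()] = value.strip()
    return cfg

def new_flask_key():
    """Flask signs session cookies with secret_key, so generate it randomly."""
    return secrets.token_hex(32)

def write_secrets(path, cfg):
    """Write the file owner-only (0600) so other local users cannot read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a file that already existed
    with os.fdopen(fd, "w") as f:
        f.writelines("%s: %s\n" % item for item in cfg.items())

def audit_secrets(path):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o lets group/other access the file" % mode)
    with open(path) as f:
        cfg = parse_secrets(f.read())
    findings += ["missing value for %s" % k for k in SENSITIVE if not cfg.get(k)]
    key = cfg.get("key", "")
    if key and (len(key) < MIN_KEY_LEN or any(c.isspace() for c in key)):
        findings.append("secret_key is short or hand-typed; generate a random one")
    return findings
```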

For production, create a file called database as well, with these settings:

host: localhost
database: ctf
user: user
password: password

Then initialize the database with ./ctftool database create-tables.

To run the server with production settings, set the environment variable PRODUCTION=1 before running the server.

You can create some problem YAML files that look like this:

name: Problem Name
alias: problem alias
author: ME!
category: Binary
description: binary binary binary binary. i love binary
points: 250
flag: "flag{whatever}"

Then add them with ./ctftool challenges add problem.yml and it'll get put in the database.

Run python3 app.py and you have a server running. You probably want to deploy it with gunicorn or similar, long-term.

ctftool

You can run ./ctftool challenges scan ../ctf-problems/ to get a fully populated database with information from all the problem.yml files, with automatically generated static file names and automatic substitutions for static file links in problem.yml. More documentation on this to come soon.

Contributing

There are some missing features in the platform, and if you would like to contribute, feel free to send pull requests!

If you find any issues or would like to send a feature request feel free to create an issue.

coldcore's People

Contributors

an-empty-string, glitch-is, heidark, jamiees2, jwoglom, laudiacay, ovkulkarni, sdamashek, ubuntor

coldcore's Issues

Improve caching

After the rewrite the system is not very resistant to caching, and should make use of that to save time. Look into adding a decorator similar to picoCTF.

AttributeError : with pycountry

Did someone already have this issue:

$ python3 app.py
Traceback (most recent call last):
  File "app.py", line 9, in <module>
    from utils import misc, select
  File "/home/shark/Dev/ColdCore/utils/select.py", line 24, in <module>
    Countries = [(country.alpha3, country.name) for country in pycountry.countries]
  File "/home/shark/Dev/ColdCore/utils/select.py", line 24, in <listcomp>
    Countries = [(country.alpha3, country.name) for country in pycountry.countries]
  File "/usr/lib/python3.6/site-packages/pycountry/db.py", line 22, in __getattr__
    raise AttributeError
AttributeError

/usr/lib/python3.6/site-packages/pycountry/db.py:

[...]
    def __getattr__(self, key):
        if key not in self._fields:
            raise AttributeError
        return self._fields[key]
[...]

Improve design

There are some things left to be desired in the design of the platform. The page should perhaps feel more dynamic and present information better. The scoreboard looks pretty strange as well.

Add necessary information to registration

We need to be more careful about what we collect from our users this time.

We need to collect emails, school affiliation, T-shirt sizes (and gender?).

Of course some of this info is not necessary for ineligible users, so should be grayed out?

Improve staging

Stages are pretty limited as is. It should be possible to disable them completely, and it should be possible to limit the rollout of certain stages, for example you only see a certain stage once you solve x amounts of problems, get x points, after the competition has been running for x hours, etc.

This should probably employ some caching, computing points is expensive.

Table challenge missing

I'm not in production (didn't put PRODUCTION=1) so the app must use dev.db SQLite database.

But peewee found that there is no such table: challenge.

$ ./ctftool challenges add problem.yml
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/peewee.py", line 3768, in execute_sql
    cursor.execute(sql, params or ())
sqlite3.OperationalError: no such table: challenge

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./ctftool", line 248, in <module>
    main()
  File "./ctftool", line 244, in main
    args.func(args)
  File "./ctftool", line 140, in add_challenge
    chal = Challenge.create(**yaml.load(f))
  File "/usr/lib/python3.6/site-packages/peewee.py", line 4915, in create
    inst.save(force_insert=True)
  File "/usr/lib/python3.6/site-packages/peewee.py", line 5108, in save
    pk_from_cursor = self.insert(**field_dict).execute()
  File "/usr/lib/python3.6/site-packages/peewee.py", line 3526, in execute
    cursor = self._execute()
  File "/usr/lib/python3.6/site-packages/peewee.py", line 2912, in _execute
    return self.database.execute_sql(sql, params, self.require_commit)
  File "/usr/lib/python3.6/site-packages/peewee.py", line 3775, in execute_sql
    self.commit()
  File "/usr/lib/python3.6/site-packages/peewee.py", line 3598, in __exit__
    reraise(new_type, new_type(*exc_args), traceback)
  File "/usr/lib/python3.6/site-packages/peewee.py", line 135, in reraise
    raise value.with_traceback(tb)
  File "/usr/lib/python3.6/site-packages/peewee.py", line 3768, in execute_sql
    cursor.execute(sql, params or ())
peewee.OperationalError: no such table: challenge

Am I missing something?

Test mode

Are there some default accounts to test the app? Like an admin account? Is it possible to disable recaptcha in test mode (I didn't see anything in config.py)?

add tags to the github repo

You may want to add tags to the GitHub repo: ctf, python, ctf-platform, ctf-scoreboard, etc.

This will give your repo more visibility.

Improve admin system

The admin system as it is is terrible. Admins should get better notifications, and also better methods of searching teams. Maybe look into caching the dashboard, as for last IceCTF it took almost 10 seconds to load by the end. Paginate the teams and add a filter.

AttributeError: 'module' object has no attribute 'set_complex'

Something is wrong with this code. Every time it shows a different error.

from flask import Blueprint, render_template

from utils import cache

import data
import config

scoreboard = Blueprint("scoreboard", __name__, template_folder="../templates/scoreboard")


@scoreboard.route('/scoreboard/')
def index():
    scoreboard_data = cache.get_complex("scoreboard")
    graphdata = cache.get_complex("graph")
    if scoreboard_data is None or graphdata is None:
        if config.immediate_scoreboard:
            scoreboard_data = data.scoreboard.calculate_scores()
            graphdata = data.scoreboard.calculate_graph(scoreboard_data)
            data.scoreboard.set_complex("scoreboard", data, 120)
            data.scoreboard.set_complex("graph", graphdata, 120)
        else:
            return "CTF hasn't started!"

    return render_template("scoreboard.html", data=scoreboard_data, graphdata=graphdata)
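
The compute-on-miss flow from the code quoted in the issue above, as an added example that is not part of the ColdCore code or the issue. It assumes set_complex lives beside get_complex on the cache object and takes (key, value, ttl) as in the quoted calls; TTLCache and load_scoreboard are hypothetical stand-ins.

```python
import time


class TTLCache:
    """In-memory stand-in for the project's utils.cache module (hypothetical)."""

    def __init__(self):
        self._store = {}

    def get_complex(self, key):
        entry = self._store.get(key)
        if entry is None or time.monotonic() >= entry[1]:
            return None  # missing or expired
        return entry[0]

    def set_complex(self, key, value, ttl):
        self._store[key] = (value, time.monotonic() + ttl)


def load_scoreboard(cache, calculate_scores, calculate_graph, immediate):
    """Return (scoreboard_data, graphdata), or None if nothing is available yet."""
    scoreboard_data = cache.get_complex("scoreboard")
    graphdata = cache.get_complex("graph")
    if scoreboard_data is None or graphdata is None:
        if not immediate:
            return None  # the view would answer "CTF hasn't started!"
        scoreboard_data = calculate_scores()
        graphdata = calculate_graph(scoreboard_data)
        # Write through the same cache object that is read from, and store
        # the computed scoreboard_data rather than the `data` module.
        cache.set_complex("scoreboard", scoreboard_data, 120)
        cache.set_complex("graph", graphdata, 120)
    return scoreboard_data, graphdata
```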

Improve problems and add staging

It should be possible to define a group of problems, and also define for some problem a set of problems/groups for which some percentage must be solved before having the option of viewing this one. This functionality comes from picoCTF.

Fix dates

The dates (7 hours ago) in the platform are really weird and do not seem to depend on the user's timezone. This should probably be fixed.

Add SSH account creation

SSH accounts need to be created automatically for the shell server.

This can be done by just having a daemon that runs and creates accounts in batch. This is the approach taken by picoctf.

CSS problem without CDN

In config.py if I change cdn = True to cdn = False there is no more CSS.

In fact:

  • /static/materialize.min.css
  • /static/icons.css
  • /static/vis.min.css

are not found.

CSS should be loaded but is not in the repository with other static contents.

$ grep -r materialize ./
./templates/admin/ticket_detail.html:        <textarea id="comment" name="comment" class="materialize-textarea"></textarea>
./templates/admin/base.html:        <link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/materialize/0.97.1/css/materialize.min.css" />
./templates/admin/base.html:        <link rel="stylesheet" type="text/css" href="{{ url_for('static', filename='materialize.min.css') }}" />
./templates/admin/base.html:        <script src="https://cdnjs.cloudflare.com/ajax/libs/materialize/0.97.1/js/materialize.min.js"></script>
./templates/admin/base.html:        <script src="{{ url_for('static', filename='materialize.min.js') }}"></script>
./templates/tickets/ticket_detail.html:        <textarea id="comment" name="comment" class="materialize-textarea"></textarea>
./templates/tickets/open_ticket.html:        <textarea required id="description" name="description" class="materialize-textarea"></textarea>
./templates/base.html:        <link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/materialize/0.97.1/css/materialize.min.css" />
./templates/base.html:        <link rel="stylesheet" type="text/css" href="{{ url_for('static', filename='materialize.min.css') }}" />
./templates/base.html:        <script src="https://cdnjs.cloudflare.com/ajax/libs/materialize/0.97.1/js/materialize.min.js"></script>
./templates/base.html:        <script src="{{ url_for('static', filename='materialize.min.js') }}"></script>

$ grep -r vis.min.css ./
./templates/admin/base.html:        <link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/vis/4.9.0/vis.min.css" />
./templates/admin/base.html:        <link rel="stylesheet" type="text/css" href="{{ url_for('static', filename='vis.min.css') }}" />
./templates/base.html:        <link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/vis/4.9.0/vis.min.css" />
./templates/base.html:        <link rel="stylesheet" type="text/css" href="{{ url_for('static', filename='vis.min.css') }}" />

So you may add them in static/css.

Also I find weird the difference between CDN mode:

        <link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/materialize/0.97.1/css/materialize.min.css" />
        <link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/vis/4.9.0/vis.min.css" />
        <link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet" />
        

        <link rel="stylesheet" type="text/css" href="/static/css/main.css" />

and without CDN:

        <link rel="stylesheet" type="text/css" href="/static/materialize.min.css" />
        <link rel="stylesheet" type="text/css" href="/static/icons.css" />
        <link rel="stylesheet" type="text/css" href="/static/css/flag-icon.min.css" />
        <link rel="stylesheet" type="text/css" href="/static/vis.min.css" />
        

        <link rel="stylesheet" type="text/css" href="/static/css/main.css" />

There should be icons.css and flag-icon.min.css in CDN mode and the Material Icons family when without CDN. Why are they not the same?

AttributeError: 'module' object has no attribute 'delete_instance'

Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 2000, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1991, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1567, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.4/dist-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1988, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1641, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1544, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.4/dist-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1639, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.4/dist-packages/flask/app.py", line 1625, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/rajat/Downloads/ColdCore/utils/ratelimit.py", line 57, in rate_limited
    return f(*args, **kwargs)
  File "/home/rajat/Downloads/ColdCore/routes/users.py", line 92, in register
    team.delete_instance()
AttributeError: 'module' object has no attribute 'delete_instance'

No simple support for Redis password?

Unless I am not seeing it, I do not see anything in the configuration files or settings to supply a password for connecting to the Redis cache server.

I'll try and mock up some code to add support for it being pulled in from the secrets file.
