
abs0lut3pwn4g3 / rtb-ctf-framework


A fast, efficient and lightweight (~100 KB) Capture The Flag framework inspired by the HackTheBox platform. Built with Flask.

Home Page: https://rtbctfframework.up.railway.app/

License: GNU Affero General Public License v3.0

Python 62.94% CSS 3.53% HTML 30.89% Dockerfile 0.66% Shell 0.40% JavaScript 1.52% Procfile 0.06%
ctf ctf-tools ctf-platform ctf-scoreboard ctf-framework ctfd ctf-solutions ctf-events flask flask-application

rtb-ctf-framework's People

Contributors

aman-codes, chttrjeankr, dependabot[bot], eshaan7, illseption, mishrasunny174, mostwanted002, sapna2001, svensevenslow


rtb-ctf-framework's Issues

Pagination view for Scoreboard

Describe the solution you'd like
When a user visits the scoreboard, points for all users are calculated (most are already in cache) and shown in one long single list. We should change this to a paginated view; 20 users should be shown on a page at one time with "prev" and "next" buttons.

Additional context

  • Flask-SQLAlchemy provides a pagination API but we might need to implement our own since we cache the list of users.
  • We can also consider not caching the list of all users to allow us to use the inbuilt pagination API. But we need to think about speed and performance.
  • Main problem: The scoreboard should still be ordered by descending points along with ranks shown.
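
One way to paginate the cached list while keeping descending order and ranks intact, written here as an added example and not taken from the RTB-CTF-Framework code base. It assumes the cache yields (username, points) pairs; the row and page structures, the page size constant and the sample data are constructed for illustration. Ranks are assigned once over the whole ordered list, so they stay correct on every page, and the page number from the query string is clamped so an out-of-range or negative value cannot raise.

```python
# Added example (not the project's code): paginate a cached, unsorted list of
# (username, points) pairs into fixed-size pages ordered by descending points,
# with ranks assigned over the whole list and prev/next flags for the template.
from dataclasses import dataclass
from typing import List, Tuple

PAGE_SIZE = 20  # the issue asks for 20 users per page


@dataclass(frozen=True)
class RankedRow:
    rank: int
    username: str
    points: int


@dataclass(frozen=True)
class ScoreboardPage:
    rows: List[RankedRow]
    page: int
    total_pages: int
    has_prev: bool
    has_next: bool


def rank_scores(cached_scores: List[Tuple[str, int]]) -> List[RankedRow]:
    """Order by points descending (username as a stable tie-breaker) and
    assign ranks. Equal scores share a rank, so two users on 300 points are
    both rank 1 and the next user is rank 3 ("1224" competition ranking)."""
    ordered = sorted(cached_scores, key=lambda row: (-row[1], row[0]))
    ranked: List[RankedRow] = []
    for index, (username, points) in enumerate(ordered):
        if ranked and ranked[-1].points == points:
            rank = ranked[-1].rank          # tie: reuse the previous rank
        else:
            rank = index + 1
        ranked.append(RankedRow(rank, username, points))
    return ranked


def scoreboard_page(cached_scores: List[Tuple[str, int]], page: int,
                    page_size: int = PAGE_SIZE) -> ScoreboardPage:
    """Return one page of the ranked board. The requested page number is
    clamped into [1, total_pages] so a crafted ?page= value cannot raise or
    return a negative slice."""
    ranked = rank_scores(cached_scores)
    total_pages = max(1, -(-len(ranked) // page_size))   # ceiling division
    page = min(max(1, page), total_pages)
    start = (page - 1) * page_size
    rows = ranked[start:start + page_size]
    return ScoreboardPage(rows, page, total_pages, page > 1, page < total_pages)


# Constructed sample: 45 users, including a tie at the top.
SAMPLE_SCORES: List[Tuple[str, int]] = (
    [("alice", 300), ("bob", 300), ("carol", 250)]
    + [(f"user{i:02d}", 200 - i) for i in range(42)]
)

if __name__ == "__main__":
    first = scoreboard_page(SAMPLE_SCORES, 1)
    for row in first.rows:
        print(f"{row.rank:>3}  {row.username:<10} {row.points}")
    print(f"page {first.page}/{first.total_pages} next={first.has_next}")
```

Because the whole list is ranked before slicing, the example keeps the cached list and does not need Flask-SQLAlchemy's pagination API; if the cache is dropped later, the same rank assignment can be moved into a window-function query and only the slicing changes.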

Freeze Scoreboard automatically

Freeze the scoreboard once the CTF has ended, according to the running time provided in config.py.

Idea: might be possible using datetime module
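
The datetime-based check, as an added example that is not part of the project: a start time and a running time stand in for whatever config.py actually holds (the setting names and values below are assumptions). The current time is injectable so the cut-over can be tested, and naive datetimes are rejected, since comparing a local wall-clock time against a UTC start would freeze the board hours off the intended moment.

```python
# Added example (not the project's code): derive the CTF state from a start
# time and a running time, and gate both the scoreboard and the submission
# route on it. CTF_START and CTF_RUNNING_TIME are constructed settings.
from datetime import datetime, timedelta, timezone
from typing import Optional

CTF_START = datetime(2020, 5, 1, 10, 0, tzinfo=timezone.utc)   # assumed setting
CTF_RUNNING_TIME = timedelta(hours=48)                           # assumed setting


def ctf_end(start: datetime = CTF_START,
            running_time: timedelta = CTF_RUNNING_TIME) -> datetime:
    return start + running_time


def ctf_state(now: Optional[datetime] = None,
              start: datetime = CTF_START,
              running_time: timedelta = CTF_RUNNING_TIME) -> str:
    """Return 'not_started', 'running' or 'frozen'.

    `now` defaults to the server clock in UTC and must be timezone-aware:
    a naive value is refused rather than silently compared as local time."""
    if now is None:
        now = datetime.now(timezone.utc)
    if now.tzinfo is None or now.tzinfo.utcoffset(now) is None:
        raise ValueError("now must be a timezone-aware datetime")
    if now < start:
        return "not_started"
    if now >= start + running_time:
        return "frozen"
    return "running"


def state_at(iso_timestamp: str) -> str:
    """Same check from an ISO-8601 string, e.g. '2020-05-03T10:00:00+00:00'."""
    return ctf_state(datetime.fromisoformat(iso_timestamp))


def is_frozen(now: Optional[datetime] = None) -> bool:
    return ctf_state(now) == "frozen"


def accept_submission(now: Optional[datetime] = None) -> bool:
    """Gate for the flag-submission route. The freeze has to be enforced where
    points are awarded, not only hidden in the scoreboard template; otherwise a
    client can keep scoring after the end time by posting to the route directly."""
    return ctf_state(now) == "running"


if __name__ == "__main__":
    print("ends at", ctf_end().isoformat())
    print("state now:", ctf_state())
```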

Support for `n` number of boxes

Prerequisite:
Issue #28. (Closed and PR Merged)

What's required:
Support for n number of boxes

Additional Context:

  1. Create a Many to Many Relationship between Score and Machine.
  2. Display the list of all available boxes in an accordion view.
  3. Changes in /validateUser(Root)Hash and related forms.
  4. Changes in route management.

PS:
Will need to make changes everywhere in the codebase and do rigorous testing.

Notification page [enhancement]

Adding a /notification(.html) route for real-time updates from CTF organizers.

Idea: notifications table/model, admin view for same, admin can easily manage notifications

Logging

  • Level Settings - 1, verbose, everything
  • IPs, location, timestamps(first view, each submission)
  • each flag submission (correct or wrong) along with the user's IP and the time it was submitted.
  • rate limiting on register and flag submission routes.
  • more ideas welcome..
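
The three concrete items above (a level setting, a log record per submission with IP and timestamp, and rate limiting on the submission path) in working form, as an added example rather than code from the project. The flag values, the 5-per-minute limit, the log field names and the (IP, user) limiter key are all assumptions. Submitted values are kept out of the log on purpose, and the comparison is done in constant time over hashes so response timing does not reveal how many leading bytes matched.

```python
# Added example (not the project's code): verbosity switch, a log line for every
# flag submission, a sliding-window rate limit per (IP, user) and a constant-time
# hash comparison. EXPECTED_DIGESTS and the policy numbers are constructed.
import hashlib
import hmac
import logging
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

log = logging.getLogger("ctf.submissions")


def configure_logging(level: int = 1) -> None:
    """Map the issue's level setting onto stdlib levels:
    0 = warnings only, 1 = every submission, 2 = verbose/debug."""
    stdlib_level = {0: logging.WARNING, 1: logging.INFO}.get(level, logging.DEBUG)
    logging.basicConfig(level=stdlib_level,
                        format="%(asctime)s %(levelname)s %(name)s %(message)s")


def _sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# Constructed: expected hashes for one box, stored as SHA-256 digests so a dump
# of this table does not hand out the flags themselves.
EXPECTED_DIGESTS: Dict[str, str] = {
    "user": _sha256_hex("flag{constructed-user-hash}"),
    "root": _sha256_hex("flag{constructed-root-hash}"),
}


class RateLimiter:
    """Sliding window: at most `limit` accepted events per `window` seconds per key."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        events = self._events[key]
        while events and now - events[0] >= self.window:
            events.popleft()          # forget timestamps outside the window
        if len(events) >= self.limit:
            return False              # denied attempts do not extend the window
        events.append(now)
        return True


# Assumed policy: 5 submissions per minute per (IP, user) pair.
SUBMIT_LIMIT = RateLimiter(limit=5, window=60.0)


def submit_flag(username: str, ip: str, level: str, submitted: str,
                now: Optional[float] = None) -> str:
    """Validate one submission; return 'correct', 'wrong' or 'rate_limited'.
    Every outcome is logged with user, IP and timestamp. The submitted value is
    deliberately not logged: near-miss guesses and flags pasted for the wrong
    box would otherwise leak through log files."""
    now = time.time() if now is None else now
    key = f"{ip}:{username}"
    if not SUBMIT_LIMIT.allow(key, now):
        log.warning("rate_limited user=%s ip=%s level=%s ts=%.0f", username, ip, level, now)
        return "rate_limited"
    expected = EXPECTED_DIGESTS.get(level)
    # Hash first so both operands have equal length, then compare in constant time.
    ok = expected is not None and hmac.compare_digest(_sha256_hex(submitted), expected)
    log.info("submission user=%s ip=%s level=%s ok=%s ts=%.0f", username, ip, level, ok, now)
    return "correct" if ok else "wrong"


if __name__ == "__main__":
    configure_logging(1)
    print(submit_flag("alice", "203.0.113.5", "user", "flag{constructed-user-hash}"))
    print(submit_flag("alice", "203.0.113.5", "root", "guess"))
```

The IP used for the key and the log record should be the peer address of the connection, or a proxy header only when the app is deployed behind a proxy it trusts; an unconditionally honoured X-Forwarded-For lets a client choose its own rate-limit bucket and pollute the log.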

run.py SyntaxError

I am getting a SyntaxError when I execute run.py. What could I be missing?

Traceback (most recent call last):
  File "run.py", line 4, in <module>
    app = create_app()
  File "/home/binaryhunters/exploits/RTB-CTF-Framework/src/FlaskRTBCTF/__init__.py", line 30, in create_app
    from FlaskRTBCTF.users.routes import users
  File "/home/binaryhunters/exploits/RTB-CTF-Framework/src/FlaskRTBCTF/users/routes.py", line 4, in <module>
    from FlaskRTBCTF.models import User, Score
  File "/home/binaryhunters/exploits/RTB-CTF-Framework/src/FlaskRTBCTF/models.py", line 33
    return f"User('{self.username}', '{self.email}')"

Inventory notification

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory:

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why should you care about being inventoried?

Mainly because this gives visibility to your tool and improves its referencing.

Badges

The badge shows your community that you are inventoried. It looks good but also shows you care about your project, that your tool is referenced.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges; there are several styles available.

Want to thank us?

If you want to thank us, you can help make our open project better known by tweeting about it! For example: Twitter URL

So what?

That's all, this message is just to notify you if you care. Else you can close this issue.

Badges for this project

Describe the solution you'd like
Badges that could be added to this project.
Recommend or add new badges to this project's README.

Additional context
This issue is a collaborative one. Anyone having recommendations for useful badges, DM me on the GSSoC slack server. If I see it fit, just make a PR adding it and it will be merged.

Request to contribute.

Hello!
I just got to know about GirlScript Summer of Code, then I realised it was too late to register.
I found your repo from their project site and would love to contribute. Flask is my core skill. Let me know with whatever I can help with.

Create CONTRIBUTE.md

Is your feature request related to a problem? Please describe.
This is a feature which helps new contributors understand how they can contribute to the project, how we can make this project more effective, what this project really is and how we can get started. Let's get started with making this project better 👍

Describe the solution you'd like
Build a CONTRIBUTE.md document that helps everyone understand what this project is, how a collaborator gets started with it, what the current project status is and where it needs to go.

Unit tests

Describe the solution you'd like
Write Unit tests for the flask app.

Additional context
Reference: https://flask.palletsprojects.com/en/1.1.x/testing/
This issue ranges from medium to hard. Final score/level would depend on how many tests you write.

Minimum Required Tests:

  • database connection
  • logging in / logging out
  • flags submission
  • /admin route is not exposed

Improve Code Quality of Project [LGTM]

Describe the bug
Improve Code Quality of Project

Expected behavior
At least bring it up to B

Additional context
Research on how to improve code quality and improve it too.

PS: If you feel any alert in the LGTM report is of breaking nature, DM me about it on slack.

Rating System

What's required:
Rating system -> Average Box rating - input, calculate, output.

Conditions:

  1. A user can only rate the machine once he/she has submitted both the flags for it.

How:
We can have a Rating model representing a one-to-many relationship between 1 machine and N users ratings.
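
The data model sketched in "Support for `n` number of boxes" (a Score-Machine association) and the Rating model described just above, carried through as one runnable added example. It is not the project's SQLAlchemy code: it uses the standard-library sqlite3 module so it runs stand-alone, and table names, column names, point values, the 1 to 5 star scale and the seeded users and machines are all assumptions. The rating function enforces the condition that both flags must already be submitted before a rating is accepted.

```python
# Added example (not the project's models): n machines, one score row per
# (user, machine) pair, and a rating table of N user ratings per machine that
# only accepts a rating once both flags of that machine are owned.
import sqlite3
from typing import Optional

SCHEMA = """
CREATE TABLE user (
    id       INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL
);
CREATE TABLE machine (
    id          INTEGER PRIMARY KEY,
    name        TEXT UNIQUE NOT NULL,
    user_points INTEGER NOT NULL,
    root_points INTEGER NOT NULL
);
-- association table for Score <-> Machine: adding a box adds rows, never columns
CREATE TABLE score (
    user_id    INTEGER NOT NULL REFERENCES user(id),
    machine_id INTEGER NOT NULL REFERENCES machine(id),
    user_owned INTEGER NOT NULL DEFAULT 0 CHECK (user_owned IN (0, 1)),
    root_owned INTEGER NOT NULL DEFAULT 0 CHECK (root_owned IN (0, 1)),
    PRIMARY KEY (user_id, machine_id)
);
-- one machine, N user ratings; the key makes re-rating replace, not stack
CREATE TABLE rating (
    user_id    INTEGER NOT NULL REFERENCES user(id),
    machine_id INTEGER NOT NULL REFERENCES machine(id),
    stars      INTEGER NOT NULL CHECK (stars BETWEEN 1 AND 5),
    PRIMARY KEY (user_id, machine_id)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def seed_sample(conn: sqlite3.Connection) -> None:
    """Constructed sample data: two users, two machines."""
    conn.executemany("INSERT INTO user (id, username) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    conn.executemany(
        "INSERT INTO machine (id, name, user_points, root_points) VALUES (?, ?, ?, ?)",
        [(1, "box-a", 10, 20), (2, "box-b", 15, 30)])


def record_flag(conn: sqlite3.Connection, user_id: int, machine_id: int, level: str) -> None:
    """Mark the user or root flag of one machine as owned (idempotent)."""
    # The column name comes from a fixed whitelist, never from request input,
    # so the f-string below cannot become an injection point.
    column = {"user": "user_owned", "root": "root_owned"}[level]
    conn.execute("INSERT OR IGNORE INTO score (user_id, machine_id) VALUES (?, ?)",
                 (user_id, machine_id))
    conn.execute(f"UPDATE score SET {column} = 1 WHERE user_id = ? AND machine_id = ?",
                 (user_id, machine_id))


def total_points(conn: sqlite3.Connection, user_id: int) -> int:
    """Sum points over every machine the user has fully or partly owned."""
    row = conn.execute(
        "SELECT COALESCE(SUM(s.user_owned * m.user_points + s.root_owned * m.root_points), 0) "
        "FROM score s JOIN machine m ON m.id = s.machine_id WHERE s.user_id = ?",
        (user_id,)).fetchone()
    return int(row[0])


def rate_machine(conn: sqlite3.Connection, user_id: int, machine_id: int, stars: int) -> None:
    """Store a rating only if both flags of that machine are already owned."""
    row = conn.execute(
        "SELECT user_owned AND root_owned FROM score WHERE user_id = ? AND machine_id = ?",
        (user_id, machine_id)).fetchone()
    if not row or not row[0]:
        raise PermissionError("both flags must be submitted before rating")
    conn.execute("INSERT OR REPLACE INTO rating (user_id, machine_id, stars) VALUES (?, ?, ?)",
                 (user_id, machine_id, stars))


def average_rating(conn: sqlite3.Connection, machine_id: int) -> Optional[float]:
    """Average stars for one machine, or None while nobody has rated it."""
    return conn.execute("SELECT AVG(stars) FROM rating WHERE machine_id = ?",
                        (machine_id,)).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    seed_sample(db)
    record_flag(db, 1, 1, "user")
    record_flag(db, 1, 1, "root")
    rate_machine(db, 1, 1, 5)
    print("alice points:", total_points(db, 1), "box-a rating:", average_rating(db, 1))
```

The same shape maps onto SQLAlchemy directly: `score` becomes the association model between Score and Machine, the owned flags become boolean columns on it, and the "both flags first" rule belongs in the rating route or model validator rather than in the template that shows the form.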

Update Readme

Readme can be updated with details of mentors, admins, Slack channels and details of GSSoC. Please assign me this issue.

Moving organization details to footer.

What's required:
Moving the sidebar displaying organization details to a footer element.

How:
Make changes in the layout.html file.
A simple and neat dark template would do.

LDAP integration

Is your feature request related to a problem?
For private usage, such as universities or organizations, it could be hard to ask everyone to perform registration.

Describe the solution you'd like
It could be awesome to add the possibility to disable registration and allow only LDAP log-in using accounts available on the university or organization infrastructure.

User hash has to be created when the user logs in, not when the user mentions it.

What I am thinking is that we can assign a user its own hash when the user logs in.
Also, that will already be entered in the user hash input field, and the root field can use a predefined default. In that case, the time to create a hash will be less and the user can have a better experience with the use of the application.

Add CODE_OF_CONDUCT.md

Is your feature request related to a problem? Please describe.
No CODE_OF_CONDUCT.md file is present.

Describe the solution you'd like
@eshaan7 As a GSSOC participant I would like to add a CODE_OF_CONDUCT.md file in this project. Using this as a reference.


Challenges page similar to machines

Describe the solution you'd like
A Challenges page to display list of challenges with certain fields (mentioned below). Similar to the Machines page.

  • Database fields: Title, Description, URL, hash
  • UserChallenge Model depicting a many-to-many relationship between the User model and the Challenge model with fields: user_id:int, challenge_id:int, done:bool
  • WTForm class for creating/editing these challenges.

generation of hash and comparison

Hash should be provided to user at the time of user .
Also, the root hash should already be inserted there so that the extra effort is reduced.
The root hash has to be predefined there already,
and if the condition is met then boom, the box is available.
What one can do is choose which box is required, or have a random generation of box for every user,
and the difficulty can also be chosen by the user. In that case a single table can be managed for hash, box type and difficulty level.

Use signals for clearing cache

Currently, we just call the same clear-cache helper functions from different places, like the admin view and template views.

It would be a better approach to connect to the SQLAlchemy signals (for example, an on_update) to dispatch such cache clear methods.

Improving the admin controls interface

Describe the solution you'd like
The "admin controls" are, at the moment, limited to just performing CRUD database operations along with some searching and filter options.
These are inbuilt in Flask-admin. We should add some more features such as:

  • charts to visualize data

  • CKeditor for description field in Challenge and Notification models.

  • Alerts for some of the logging techniques we already use.

  • export data as CSV (Reference)

  • GUI control of config.py CTF settings

  • One may go through flask-admin documentation and suggest new ideas.

  • Ideas can be taken from here as well.

Note:
If you are a GSSoC participant, please note that the difficulty level of this would vary depending on how many features you add (Medium to Hard).

Rules section on homepage to Settings.rules

The Rules on the homepage are static and thus not changeable. We should use a column in the Settings model, Settings.rules, for storing this and then use the {% for ... %} construct in the HTML.

Integrate Flask-migrate

Describe the solution you'd like
Integrate Flask-migrate for easier database migrations.

Additional Context:
Should test it thoroughly.
Should only be used in development environment.

Add ISSUE_TEMPLATE

@eshaan7 I am a GSSOC participant and I would like to add an issue template folder with bug_report_template.md, feature_request_template.md and pull_request_template.md


GUI control of `config.py` CTF settings

Describe the solution you'd like
GUI control of config.py CTF settings

Additional context
The user should be able to change the CTF settings from the "admin control" panel. At the moment these configurations are stored as static python dictionaries in the config.py file, this must be changed into SQLAlchemy Models. Then, register admin views for the newly created models so they can be accessed from the "admin control" panel.

This is related to #36.

Integrate Flask-Profiler & Flask-DebugToolbar

Describe the solution you'd like
Integrate Flask-Profiler and Flask-DebugToolbar for development environment.

Additional context
Inside the config.py, we should create a new DevConfig for development environment along with a development.txt to maintain developer dependencies.

Refactor Box object in config.py to Machine model in database

Currently, the machine details are stored in a JSON object (box) in config.py file.

What's required:
Need to shift this into a Machine model in the SQL database (via SQLAlchemy model)
This will also enable support for multiple machines as described in issue #17.
Afterwards, we can create a rating system as described in issue #14.

"Admin Controls" - Dark theme

Dark theme for admin controls.
Related to Issues: #55, #36.
Tip: (maybe) need to download templates from the flask-admin repo, make changes, and extend them
