ctfd / ctfd
CTFs as you need them
Home Page: https://ctfd.io
License: Apache License 2.0
Just started experiencing this issue.
Two machines start out identical (download Kali amd64 image). Machine A logs into an account; for some reason, when Machine B goes to the web portal it is now logged into that account as well. What is even more odd is that when Machine B logs out, it does not log out Machine A.
I've reproduced this issue three times from the latest build.
Forgot password function not working. This is the config file:
ADMINS = ['xxxxxxxx']
CTF_NAME = 'KMA'
MAIL_SERVER = 'smtp.googlemail.com'
MAIL_PORT = 465
MAIL_USE_TLS = False
MAIL_USE_SSL = True
MAIL_USERNAME = 'xxxxxxxxx'
MAIL_PASSWORD = 'yyyyyyyyy'
What is wrong? And how do I fix it?
Thanks!
The default Foundation look is pretty drab. A design overhaul would be great.
When using Chrome (Version 46.0.2490.80 m) on Windows and logged in as an admin user, editing groups' information does not work and gives that group admin privileges. Also, when un-clicking the admin checkbox, a team still has their admin privileges. So once a group has admin it cannot be taken away through the web GUI.
Part of the issue seems to start at around line 340 in the admin.py file. The issue of not being able to demote admins may be somewhere else.
Too many gunicorn workers. Need some way to share the secret key amongst workers or have less workers.
CTFd needs documentation covering:
It doesn't appear as though pages can be easily deleted once they've been added through the Admin portal.
Download database for safe keeping/analysis/whatever
Problems:
The stack trace reveals implementation details of the source on this error.
Database connections are not closed, which could result in an application DoS.
Fix suggestion:
It may be good to return an error to the user before sending it to passlib.
When I compose a challenge title with an apostrophe ('), there was some problem:
every registered challenge layout broke down.
I registered the user "💩". The user is successfully created, but there is an error:
UnicodeEncodeError
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-3: ordinal not in range(128)
CTFd/auth.py, line 94, in register
Also, the user cannot login:
UnicodeEncodeError
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-3: ordinal not in range(128)
CTFd/auth.py, line 114, in login
Both errors are in logging statements.
I don't know if this was intentional, but 'prepare.sh' is non-executable.
So, I would suggest either making it executable or changing the doc to say
sh prepare.sh
to install dependencies using apt.
Version 0.4.0 of c3.js pulled from Cloudflare in scoreboard.html breaks the scoreboard with this error (as taken from Chrome Dev Tools):
Failed to execute 'querySelectorAll' on 'Element': '.c3-selected-circles-[0]-TEAM_NAME' is not a valid selector.
The issue in c3.js for this exact problem is here: c3js/c3#711
The fix for me was pulling the latest c3.js, version 0.4.1 from Github and updating the references in scoreboard.html.
OK, so if I have 3 teams on the system, and the last team I created has 25 points for a challenge.
If I delete that team, then immediately create a new team... that new team gets the same 25 points and the same challenge solve as the team I deleted.
I guess this is related to teams getting created in order (e.g. 1, 2, 3)... then if I delete team 3, it "frees up" that number for a new team to be created in that spot... but there are already solves against that spot.
:)
Thanks by the way, I love CTFd; I'm planning to use it for a CTF in Australia in 6 weeks' time.
It seems that after deploying the server using a fresh clone and default settings that uploading a file results in the file being uploaded properly, but when going to access the file by the embedded link in the challenge text, the URL generates as:
http://ctfdomain:4000//file.ext
and clicking on this link returns a 404 and the "Whoops, looks like we can't find that. Sorry about that" page.
It would be nice to have more control over the teams as the admin user. There doesn't appear to be a streamlined way to remove teams from the scoreboard or start/stop self-registration.
CTFd used to store every request made to it and was able to calculate hits based off of that. That caused the database to balloon to an unnecessary size and was thus removed. The statistics entry hasn't been.
Remove it or update it. Might be best to store the value for hits in Config.
No reason to run a mail server for CTFd. Also helps people who really don't want to deal with mailservers send email anyway.
Do you have any documentation for deploying CTFd with a MySQL database vs SQLite?
Should be a simple modification to the SQL query in this view:
https://github.com/isislab/CTFd/blob/master/CTFd/challenges.py#L98-L104
Pulled down the repo and ran the commands as given on the README.md on a clean install of Ubuntu 14.04 and am given a KeyError after running the setup.
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1836, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1820, in wsgi_app
response = self.make_response(self.handle_exception(e))
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1403, in handle_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1473, in full_dispatch_request
rv = self.preprocess_request()
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1666, in preprocess_request
rv = func()
File "/opt/ctfd/CTFd/views.py", line 32, in csrf
if session['nonce'] != request.form.get('nonce'):
File "/usr/local/lib/python2.7/dist-packages/werkzeug/local.py", line 368, in <lambda>
__getitem__ = lambda x, i: x._get_current_object()[i]
KeyError: 'nonce'
It may not be good to trust remote_addr although it is mostly used for logging solves/logins.
https://github.com/isislab/CTFd/blob/7d766372df4b29a454727699ded6681235d6fb4e/CTFd/challenges.py#L132
https://github.com/isislab/CTFd/blob/7d766372df4b29a454727699ded6681235d6fb4e/CTFd/challenges.py#L141
https://github.com/isislab/CTFd/blob/f335dd71f29438fa797f7c9e96bb24ac302009cb/CTFd/views.py#L22-L23
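The concern in the post above is that request.remote_addr, when CTFd sits behind a reverse proxy, is the proxy's address, and that a naive fix of reading X-Forwarded-For lets any client write whatever address it likes into the solve and login logs. The function below is an added example, not CTFd's own code, of the usual defensive rule: trust a forwarded address only while the hop that supplied it is a known proxy, walking the header from the right. The TRUSTED_PROXIES networks, the sample environ dicts and the addresses in them are constructed for the example. Werkzeug ships this logic as ProxyFix middleware; the standalone version here just makes the decision visible and testable.

```python
import ipaddress

# Assumed deployment: only a local reverse proxy and proxies inside
# 10.0.0.0/8 are allowed to set X-Forwarded-For. Adjust to your topology.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def _parse(text):
    """Parse one address; None for anything that is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def client_ip(environ, trusted=TRUSTED_PROXIES):
    """Return the address to record for a request, given a WSGI environ.

    REMOTE_ADDR is the peer that actually opened the TCP connection and is
    the only value the client cannot forge. It is replaced by a forwarded
    address only while the current hop is a trusted proxy, walking
    X-Forwarded-For from right to left, because each proxy appends the peer
    it saw; anything further left was written by an untrusted party and is
    ignored.
    """
    peer = _parse(environ.get("REMOTE_ADDR", ""))
    if peer is None:
        return None
    hops = [h for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    current = peer
    for hop in reversed(hops):
        if not _is_trusted(current, trusted):
            break
        ip = _parse(hop)
        if ip is None:  # malformed entry: stop rather than trust garbage
            break
        current = ip
    return str(current)


# Constructed sample requests, shaped as a WSGI server presents them.
DIRECT_SPOOFED = {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_FOR": "198.51.100.9"}
VIA_LOCAL_PROXY = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "203.0.113.5"}
SPOOF_BEHIND_PROXY = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "198.51.100.9, 203.0.113.5"}
TWO_PROXIES = {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": "198.51.100.9, 10.0.0.3"}

if __name__ == "__main__":
    for name, env in [("direct, spoofed header", DIRECT_SPOOFED),
                      ("via local proxy", VIA_LOCAL_PROXY),
                      ("spoofed entry behind proxy", SPOOF_BEHIND_PROXY),
                      ("two trusted proxies", TWO_PROXIES)]:
        print(f"{name:28s} raw={env['REMOTE_ADDR']:12s} recorded={client_ip(env)}")
```

The two cases worth looking at are DIRECT_SPOOFED, where the header is ignored entirely because the connecting peer is not a proxy, and SPOOF_BEHIND_PROXY, where the right-hand entry (appended by the trusted proxy) is used and the left-hand one the client supplied is discarded. Logging the raw REMOTE_ADDR alongside the derived value is a reasonable belt-and-braces choice for a solves log.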
Put a spinner when challenges are loading
Users should be able to specify their own CSS.
Mildly annoying to keep being redirected to the homepage.
I got this when playing video from the web :
Exception happened during processing of request from ('202.46.129.12', 38485)
Traceback (most recent call last):
File "/usr/lib64/python2.7/SocketServer.py", line 295, in _handle_request_noblock
self.process_request(request, client_address)
File "/usr/lib64/python2.7/SocketServer.py", line 321, in process_request
self.finish_request(request, client_address)
File "/usr/lib64/python2.7/SocketServer.py", line 334, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib64/python2.7/SocketServer.py", line 651, in __init__
self.finish()
File "/usr/lib64/python2.7/SocketServer.py", line 710, in finish
self.wfile.close()
File "/usr/lib64/python2.7/socket.py", line 279, in close
self.flush()
File "/usr/lib64/python2.7/socket.py", line 303, in flush
self._sock.sendall(view[write_offset:write_offset+buffer_size])
error: [Errno 32] Broken pipe
A docker container would make deployment easier
UTC is hard, try to make it easier on people.
This is supported in the backend but there's no way to do it from the front end.
Static asset libraries such as jQuery, font-awesome, etc. are served from various CDNs on the internet. While convenient, this can cause problems for CTFs with no or unreliable internet access, in addition to being a security risk for XSS attacks if a CDN gets compromised.
Ideally, CTFd would include these files under /static and serve them up itself (or via a reverse proxy web server if desired).
$ grep -ER '"(https?:)?//[^"]+"' . | grep -E '<link|<script'
./CTFd/templates/admin/base.html: <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/css/normalize.min.css" />
./CTFd/templates/admin/base.html: <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/css/foundation.min.css" />
./CTFd/templates/admin/base.html: <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.4.0/css/font-awesome.min.css">
./CTFd/templates/admin/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.5.1/moment.min.js"></script>
./CTFd/templates/admin/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/vendor/jquery.js"></script>
./CTFd/templates/admin/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/vendor/modernizr.js"></script>
./CTFd/templates/admin/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/marked/0.3.2/marked.min.js"></script>
./CTFd/templates/admin/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/foundation.min.js"></script>
./CTFd/templates/admin/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/foundation/foundation.topbar.min.js"></script>
./CTFd/templates/admin/editor.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/codemirror.css">
./CTFd/templates/admin/editor.html:<script src="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/codemirror.min.js"></script>
./CTFd/templates/admin/graphs.html: <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.4.13/d3.min.js"></script>
./CTFd/templates/admin/graphs.html: <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.js"></script>
./CTFd/templates/admin/pages.html:<script src="https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.min.js"></script>
./CTFd/templates/admin/pages.html:<script src="https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/theme-github.js"></script>
./CTFd/templates/admin/pages.html:<script src="https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/mode-css.js"></script>
./CTFd/templates/admin/team.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.css">
./CTFd/templates/admin/team.html: <script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.5.1/moment.min.js"></script>
./CTFd/templates/admin/team.html: <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.4.13/d3.min.js"></script>
./CTFd/templates/admin/team.html: <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.js"></script>
./CTFd/templates/admin/teams.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.css">
./CTFd/templates/base.html: <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/css/normalize.min.css" />
./CTFd/templates/base.html: <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/css/foundation.min.css" />
./CTFd/templates/base.html: <link rel="stylesheet" href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" />
./CTFd/templates/base.html: <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/8.3/styles/railscasts.min.css">
./CTFd/templates/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.5.1/moment.min.js"></script>
./CTFd/templates/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/vendor/jquery.js"></script>
./CTFd/templates/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/vendor/modernizr.js"></script>
./CTFd/templates/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/marked/0.3.2/marked.min.js"></script>
./CTFd/templates/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/8.4/highlight.min.js"></script>
./CTFd/templates/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/foundation.min.js"></script>
./CTFd/templates/base.html: <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/foundation/foundation.topbar.min.js"></script>
./CTFd/templates/chals.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.css">
./CTFd/templates/chals.html: <script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.5.1/moment.min.js"></script>
./CTFd/templates/chals.html: <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.5.9/d3.min.js"></script>
./CTFd/templates/chals.html: <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.10/c3.min.js"></script>
./CTFd/templates/profile.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.css">
./CTFd/templates/profile.html: <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.5.9/d3.min.js"></script>
./CTFd/templates/profile.html: <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.10/c3.min.js"></script>
./CTFd/templates/scoreboard.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.css">
./CTFd/templates/scoreboard.html: <script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.5.1/moment.min.js"></script>
./CTFd/templates/scoreboard.html: <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.5.9/d3.min.js"></script>
./CTFd/templates/scoreboard.html: <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.10/c3.min.js"></script>
./CTFd/templates/setup.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/codemirror.css">
./CTFd/templates/setup.html:<script src="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/codemirror.min.js"></script>
./CTFd/templates/team.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.10/c3.min.css">
./CTFd/templates/team.html: <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.5.9/d3.min.js"></script>
./CTFd/templates/team.html: <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.10/c3.min.js"></script>
./CTFd/templates/teams.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.css">
Additionally, there seem to be multiple versions of certain assets being used from different templates.
It would be a nice feature if the scoreboard page could include some javascript to automatically refresh the data at a standard interval.
After 10 challenges are present, the challenge page won't allow any competitor to click any available links to submit flags. Additionally, several challenges are no longer being displayed altogether. However, after deleting the 10th entry from the challenge table in the SQLite database everything goes back to normal.
Any idea on why this may be occurring?
Hello,
when I try to enter the admin panel I get this error. Can you help me resolve it?
Thank you!!!
127.0.0.1 - - [18/Jan/2015 05:14:57] "GET /admin?debugger=yes&cmd=source&frm=183375244&s=9F9dMGJKfplO4hV1xNaN HTTP/1.1" 200 -
127.0.0.1 - - [18/Jan/2015 05:14:59] "POST /admin HTTP/1.1" 500 -
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1836, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1820, in wsgi_app
response = self.make_response(self.handle_exception(e))
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1403, in handle_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/root/Desktop/CTFd-master/test/CTFd/CTFd/admin.py", line 26, in admin
session.regenerate() # NO SESSION FIXATION FOR YOU
File "/usr/share/pyshared/werkzeug/local.py", line 336, in __getattr__
return getattr(self._get_current_object(), name)
AttributeError: 'FileSystemSession' object has no attribute 'regenerate'
127.0.0.1 - - [18/Jan/2015 05:14:59] "GET /admin?debugger=yes&cmd=resource&f=style.css HTTP/1.1" 200 -
127.0.0.1 - - [18/Jan/2015 05:14:59] "GET /admin?debugger=yes&cmd=resource&f=jquery.js HTTP/1.1" 200 -
127.0.0.1 - - [18/Jan/2015 05:14:59] "GET /admin?debugger=yes&cmd=resource&f=debugger.js HTTP/1.1" 200 -
127.0.0.1 - - [18/Jan/2015 05:14:59] "GET /admin?debugger=yes&cmd=resource&f=console.png HTTP/1.1" 200 -
127.0.0.1 - - [18/Jan/2015 05:14:59] "GET /admin?debugger=yes&cmd=resource&f=source.png HTTP/1.1" 200 -
Kind of silly that this isn't already implemented.
Delete challenges and delete all solves associated with that challenge.
example: put this as a challenge description
๐๐๐๐๐๐๐๐๐๐ good shit goเฑฆิ sHit๐ thats โ some good๐๐shit right๐๐th ๐ ere๐๐๐ rightโthere โโif i doโฦฝaาฏ soโmy sel๏ฝ ๐ฏ i say so ๐ฏ thats what im talking about right there right there (chorus: สณแถฆแตสฐแต แตสฐแตสณแต) mMMMMแทะ๐ฏ ๐๐ ๐ะO0ะเฌ ๏ผฏOO๏ผฏOะเฌ เฌ Ooooแตแตแตแตแตแตแตแตแต๐ ๐๐ ๐ ๐ฏ ๐ ๐ ๐ ๐ ๐๐Good shit
expected:
ctfd has cool emojis.
actual:
a bunch of question marks.
Code that handles submission appears to only call .strip().lower() on the flag/key from the submitting user and NOT on the flag/key from the database when doing the comparison. This causes any flag/key submissions with uppercase letters to spuriously fail.
https://github.com/isislab/CTFd/blob/master/CTFd/challenges.py#L141:
...
key = str(request.form['key'].strip().lower())
keys = json.loads(chal.flags)
for x in keys:
    if x['type'] == 0: #static key
        print(x['flag'], key.strip().lower())
        if x['flag'] == key.strip().lower():  # x['flag'] is compared as stored, never normalized
            solve = Solves(chalid=chalid, teamid=session['id'], ip=request.remote_addr, flag=key)
...
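The defect is easiest to see with both variants side by side. The following is an added example, not code from CTFd: check_flag_buggy mirrors the one-sided normalization in the snippet above, and check_flag_fixed normalizes both sides and compares them in constant time. The function names, the normalize policy and the SAMPLE_FLAGS JSON are constructed for the example; the stored-flag format ({"type": 0, "flag": ...}) follows the snippet.

```python
import hmac
import json


def normalize(flag):
    """Canonical form applied to BOTH sides of the comparison.

    Assumed policy (matching what the snippet does to user input): ignore
    surrounding whitespace and compare case-insensitively.
    """
    return flag.strip().lower()


def check_flag_buggy(submitted, flags_json):
    """Same shape as the snippet above: only the user's input is normalized,
    so a stored flag containing any uppercase letter can never match."""
    key = submitted.strip().lower()
    for x in json.loads(flags_json):
        if x["type"] == 0 and x["flag"] == key:
            return True
    return False


def check_flag_fixed(submitted, flags_json):
    """Normalize the stored flag the same way as the submission, then compare
    in constant time so the comparison's timing does not depend on how many
    leading characters matched."""
    key = normalize(submitted).encode()
    for x in json.loads(flags_json):
        if x["type"] != 0:  # only static keys are handled here
            continue
        if hmac.compare_digest(normalize(x["flag"]).encode(), key):
            return True
    return False


# Constructed sample: a static flag stored with mixed case.
SAMPLE_FLAGS = json.dumps([{"type": 0, "flag": "CTF{MixedCase_Flag}"}])

if __name__ == "__main__":
    exact = "CTF{MixedCase_Flag}"
    print("buggy, exact flag submitted:", check_flag_buggy(exact, SAMPLE_FLAGS))  # False
    print("fixed, exact flag submitted:", check_flag_fixed(exact, SAMPLE_FLAGS))  # True
    print("fixed, padded lowercase:    ", check_flag_fixed("  ctf{mixedcase_flag}\n", SAMPLE_FLAGS))  # True
```

Whether flags should be case-insensitive at all is a policy question for the CTF; the point is that whatever normalization is chosen has to be applied identically to both operands, and that a stored flag which never passes through the normalizer is exactly the case the original code misses.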
No need to:
https://github.com/CTFd/CTFd/tree/34_reduce_auth_restrictions
Most textareas on CTFd are rendered to users as Markdown. Should put a preview tab or something.
CTFd/views.py uses bcrypt_sha256 but never imports it from passlib. A NameError exception will be raised, e.g. whenever a user tries to update his account information.
I'm gonna be using CTFd for a CTF on a local network, but there will be no internet access available on the network. (People might have their own via tethering etc)
I've noticed that when accessing CTFd without an internet connection, the layout is missing parts etc. Is this due to some of the CSS files being hosted online?
e.g -
See below screenshots of with/without internet access
Am I able to download the required CSS files and host them locally, then modify the HTML pages in /templates to point to their new location? Should that work nicer without any available internet?
Decouple front end and backend to improve themes and customization
Improve models to include the successful key
Add support for CTFTime's JSON scoreboard feed
Websockets (I don't think this should ever become a direct part of CTFd. I think running a separate server makes more sense...)
Deploy challenges using CTFd
HighCharts (This is dictated by the theme now. I'm happy with Plotly and anyone can use a theme with whatever graphing logic they wish)
By running CTFd with 4 gunicorn workers (I suspect it's just running it with more than 1), when trying to log in as the admin user it keeps returning me back to the login view.
The specific gunicorn command I am running it with is:
gunicorn --bind 0.0.0.0:8000 --pid /home/ctfd/gunicorn.pid -w 4 "CTFd:create_app()"
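The login loop above, and the earlier note about needing to share the secret key amongst gunicorn workers, are the same failure mode: if each worker process generates its own session-signing secret at start-up, a cookie issued by worker A fails verification on worker B and the user lands back on the login page. The block below is an added illustration, not CTFd's code, using only the standard library: a key file created once with mode 0o600 and read by every worker, plus a toy HMAC cookie signer that stands in for Flask's signed session cookie to show the two outcomes. The file name .ctfd_secret_key and the function names are assumptions for the example.

```python
import hashlib
import hmac
import os
import stat
import tempfile


def load_or_create_secret_key(path, nbytes=32):
    """Return the secret stored at `path`, generating it once if absent.

    Every worker that calls this with the same path gets the same bytes,
    which is what lets a session cookie signed by one worker be accepted by
    another. The file is created with mode 0o600 so other local users cannot
    read it, and O_EXCL means that if two workers race to create it, exactly
    one wins and the other simply re-reads the winner's key.
    """
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        pass
    key = os.urandom(nbytes)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:  # lost the race: another worker wrote it first
        with open(path, "rb") as f:
            return f.read()
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def sign(key, value):
    """Toy cookie signer (stand-in for the framework's signed session cookie)."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify(key, signed):
    """Return the cookie's value if its MAC checks out under `key`, else None."""
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def per_process_keys_disagree():
    """The failure mode: each worker derives its own key, so worker B rejects
    a cookie issued by worker A and the browser is sent back to /login."""
    worker_a, worker_b = os.urandom(32), os.urandom(32)
    return verify(worker_b, sign(worker_a, "team=42")) is None


def run_demo():
    """Simulate two workers sharing one key file in a constructed temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".ctfd_secret_key")  # assumed file name
        worker_a = load_or_create_secret_key(path)
        worker_b = load_or_create_secret_key(path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return {
            "shared_key_identical": worker_a == worker_b,
            "cookie_roundtrip": verify(worker_b, sign(worker_a, "team=42")) == "team=42",
            "per_process_rejected": per_process_keys_disagree(),
            "group_other_bits": mode & 0o077,  # 0 means only the owner can read the key
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:22s} {result}")
```

The same property holds for any deployment with more than one process or host behind a load balancer: the signing secret has to come from shared, persistent, access-controlled storage (a file, an environment variable injected by the supervisor, or a secrets manager), never from os.urandom at import time.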
The title explains it all.
Possibly handle this better by indicating in the UI that the field is required and if it doesn't validate then ask the user to fill it in again.
I don't believe there is a callable function that is compatible with Gunicorn or uWSGI. I am launching uwsgi via the following command:
uwsgi --http-socket :80 -w CTFd:create_app
Then I navigate to http://127.0.0.1 and get the following error:
File "./CTFd/__init__.py", line 20, in create_app
SQLALCHEMY_DATABASE_URI = 'mysql://'+username+':'+password+'@localhost:3306/' + subdomain + '_ctfd',
TypeError: cannot concatenate 'str' and 'builtin_function_or_method' objects
Everything works fine when letting Flask's internal handler serve HTTP.
I attached a challenge binary and tried to download it, but I got this message:
# client
Whoops, looks like we can't find that.
Sorry about that
# server
[pid: 2443|app: 0|req: 42/42] 39.124.110.87 () {36 vars in 1338 bytes} [Tue Sep 22 20:54:50 2015] GET /static/uploads/c9cccd1c00fc948e5f76acba9813878e/prob1 => generated 2939 bytes in 11 msecs (HTTP/1.1 404) 3 headers in 203 bytes (1 switches on core 0)
I ran the server with this command: 'uwsgi --http-socket :31337 -w "CTFd:create_app()"'
What is the matter?!?!
There is no downloadable attached file for any challenge. :(
Interface to delete solves
I'm not sure how the Start Date/End Date functions work.
I've tried a few date/time formats, and as soon as I enter something and click "Update" they disappear.
How can I tell if they have applied?
Is there any chance of "Start CTF" and "Stop CTF" buttons in the Admin console? So we could do it manually.
Cheers