Add challenge solution code for CTFs

[bkimminich]

As a CTF-player
I want to see a unique code per challenge upon solving it
so that I can enter this code on the CTF server.

---

see also: #166

[bkimminich]

Back to "Working" because code was accidentally not pushed to develop yet.

[bkimminich]

Additional TODOs:

• add the name field of the challenge to the notifications emitted via Socket.IO. They are not needed by the application itself, but would help an external websocket listener (e.g. a tool that sets up a CTF - see CTF-mode #166 (comment) - to get the valid codes per challenge, e.g. if it ran the end-to-end tests during environment setup.
• add a new category field to each challenge based on the ebook chapters in part II - see CTF-mode #166 (comment)

[tghosth]

I would suggest not making the first change but instead modifying the /Challenges API call which returns a list of all solved challenges and making it return the flag field for completed challenges (and also adding the category field.)

From a user perspective this is better as you can then show the flag for completed challenges on the scoreboard in case someone misses the notification.

From a CTF setup perspective this is better as after running the end to end tests it is then one API call to pull all the setup data without getting bogged down in socket.io ;)

[bkimminich]

If your setup script would be able to do SHA-1 of the challenge.name with the same key the app uses, then it could just calculate the flags on its own. If someone really wants to cheat, they'd look in the source code anyway and find the key - so no benefit in trying to obscure or overengineer (with socket.io) it artificially. How about this:

1. The flag HMAC key is extracted into /ctf.key within the juice-shop repo
2. The CTFd setup script loads all challenges via the existing API (including category) from a local instance it would have to launch https://localhost:3000/api/Challenges (or the official demo instance on https://juice-shop.herokuapp.com/api/Challenges or while in unreleased from https://juice-shop-staging.herokuapp.com/api/Challenges)
3. The script loads the ctf.key from its local juice-shop folder (or from GitHub)
4. The script calculates the flag HMAC for each challenge on its own like the juice-shop does:

var jsSHA = require('jssha')
var key = ... // get from ctf.key file
function toHmac(text) {
  var shaObj = new jsSHA('SHA-1', 'TEXT')
  shaObj.setHMACKey(theSecretKey, 'TEXT')
  shaObj.update(text)
  return shaObj.getHMAC('HEX')
}
var flag = toHmac(challenge.name)

[bkimminich]

• https://juice-shop-staging.herokuapp.com/api/Challenges (or a local installation of develop) already have the category field in the JSON response
• ctf.key is available on develop as well: https://github.com/bkimminich/juice-shop/blob/develop/ctf.key

[tghosth]

Hi @bkimminich, thanks doing those updates.

What is the solution if a user misses their flag notification, presumably they just need to be told to save and restore their progress and then the flag notifications will all be shown again?

[lock]

This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.