Skip to content
This repository has been archived by the owner on Mar 3, 2020. It is now read-only.

Commit

Permalink
Merge of /master into /dev - Baseline for Development (#509)
Browse files Browse the repository at this point in the history 
* add hindi translation

* added hindi translation

* Update lang_hi.php

* Error Checking During Build Tests (#452)

* Error Checking During Build Tests

* Execute hh_client during build tests.

* Currently the PHP built-in getimagesizefromstring function is not in the HHVM upstream hhi, and therefore generates an error.  In the future, once getimagesizefromstring is added upstream, we should use the hh_client exit status.

* * Readded execute permissions to the script.

* HHVM/Hack Typing Error Fixes (#450)

* HHVM/Hack Typing Error Fixes

* Fixed a few HHVM/Hack typing and strict compliance issues.

* This is necessary before hh_client can run and be enforced during the build process. (See comments on #435)

* * Updated formatting.

* Require bxslider version 4.2.6 (Fixes #455) (#458)

* This resolves a current build error #455.

* bxslider was updated from 4.2.6 to 4.2.7 on February 14th.  Previously FBCTF allowed for a near match to 4.2.6.  However, FBCTF fails to build with 4.2.7.  During the installation, process grunt failed to build the browserify javascript.

* Fixed Syntax Errors in Hindi Language (Fixes Build Errors) (#460)

* Fixed minor syntax error due to character encoding.

* This will ensure the project builds (no Hack errors).

* Automated Game Start and Stop (#449)

* Automated Game Start and Stop

* Games will automatically start and stop at their scheduled times.  Administrators can still manually start or stop a game regardless of the configured schedule.

* Both Control::genAutoBegin() and Control::genAutoEnd() were added to check the current time against the scheduled start or stop time and perform the relevant action (Control::genBegin or Control::getEnd).

* Control::genAutoRun() checks the current game status and determine if the game should be starting or ending, calling the appropriate function (Control::genAutoBegin or Control::getAutoEnd) and is exclusively used in the new autorun.php script.

* Control::genRunAutoRunScript() runs the new autorun.php script, ensuring the script is not already running before starting a new copy.

* The Router class was updated to include a call to Control::genRunAutoRunScript(), this ensures the script is always running.  This script status check, and execution when needed, only takes place on a full page load.

* The autorun.php script runs Control::genAutoRun() and sleeps up to 30 seconds.

* If the game is scheduled to start or stop within 30 seconds, the script will sleep for the necessary amount of time.

* Games will always start with at most a 29-second difference from the scheduled time.  This discrepancy can only take place if the schedule is changed within 30 seconds of the previously scheduled time.  Otherwise, the execution will happen at the scheduled time.

* This automation is self-contained and requires no additional dependencies or external services (like cron, etc.).

* * Allow administrators to define the cycle time (in seconds) for the autorun process.  This time will be used for the sliding sleep.

* * Added sanitization to the autorun script path/file.

* Attachments and Links Import/Export, Database Restore, and Control Cleanup (#451)

* Attachments and Links Import/Export, Database Restore, and Control Cleanup

* Attachments can now be exported and imported.  On export, attachments are downloaded into a Tar Gzip and securely extracted on import.

* Links and Attachments data is now provided within the Levels export.  Users must import both the Level data and the Attachment files to restore the levels with attachments.

* A database restore option has been added which utilizes the backed up database content.  This overwrites all data in the database.

* The Control page has been reorganized to align the various functionality better.

* Memcached flushing has been added to all relevant data imports.

* Error handling has been added to the various import functions.

* * Removed getter function for the Attachment constant.

* Switched double quotes with single quotes.

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Live Sync API (#459)

* Live Sync API

* Introducing the Live Sync API.

* The Live Sync API allows administrators to import game activity in near-real-time.  Users can link their accounts on one or more FBCTF platform instances and their scores will be automatically imported into the systems that have been linked.

* The primary use-case revolves around event aggregation across multiple FBCTF instances.  Event organizers can now separate FBCTF instances and combine scores into one global scoreboard.

* The Live Sync API will import Levels, Categories, Scoring Events, and Hint Usage.  Scores are automatically calculated, and bonuses are updated to ensure accurate scoring across linked FBCTF instances.

* Administrators determine which systems, if any, are linked.

* Users must link their account in order for their activity to be synced.

* The UI/UX of FBCTF has been updated to include a mechanism for users to configure their Live Sync credentials.

* Users cannot obtain hints or capture levels on the importing system.

* The API is JSON based and the schema is generalized so that it can leveraged by other platforms or external processes.  So data can be synced from non-FBCTF platforms.

* The importing script will automatically handle country conflicts (if two systems have the same country selected for a level).

* USER GUIDE (Documentation):

  * Users must first have an account on all FBCTF instances they wish to link.

  * The user must then login and access the game board.

  * From the navigation menu, the user should select "Account."

  * The user must then set a Live Sync username and password.  The Live Sync username and password must not be their login credentials.  In fact, users are prohibited from using their account password as their Live Sync password.

  * The user would repeat the above steps for each FBCTF instance they wish to link.  The Live Sync credentials must be the same on each FBCTF instance or their accounts will not be linked.

* ADMIN GUIDE (Documentation):

  * The admin is free to sync as many platforms as their desire.  Additionally the admin may import from as many API sources as their desire.

  * The admin will need to launch the "live import" script, on any importing systems, from the command-line:

    * `hhvm -vRepo.Central.Path=/var/run/hhvm/.hhvm.hhbc_liveimport /var/www/fbctf/src/scripts/liveimport.php <Space Delimited URLs to API Endpoints> <Sleep Between Cycles> <Disable SSL Certificate Verification> <Show Debug Messages>`

    * Disabling of the SSL Verification and Debugging are both optional.  The URL(s) and Sleep time are required arguments.

    * EXAMPLE:  `hhvm -vRepo.Central.Path=/var/run/hhvm/.hhvm.hhbc_liveimport /var/www/fbctf/src/scripts/liveimport.php "https://10.10.10.101/data/livesync.php https://10.10.10.102/data/livesync.php https://10.10.10.103/other/platform/api" 300 true true`

* API SCHEMA (JSON):

  * JSON:

[{"active":true,"type":"flag","title":"Example Level 1","description":"This is the first example level.","entity_iso_code":"TJ","category":"None","points":100,"bonus":30,"bonus_dec":10,"penalty":10,"teams":{"fbctf:user1:$2y$12$a1T4KyqqxADi3YIJ7M2sf.VoSHz6qMBx.zrxAIvZnD8de95EsLeny":{"timestamp":"2017-02-17 02:20:22","capture":true,"hint":false}}}]

  * Explained (Formatted output for readability - the actually data must be in valid JSON format):

    [0] => Array
        (
            [active] => 1						// Level Status (Enabled/Disabled)
            [type] => flag						// Level Type (Flag or Quiz)
            [title] => Example Level 1				// Level Name
            [description] => This is the first example level.	// Level Description
            [entity_iso_code] => US					// Country Code (Mapping)
            [category] => None						// Level Category
            [points] => 100						// Points
            [bonus] => 30						// Bonus Points
            [bonus_dec] => 10						// Bonus Point Decrement
            [penalty] => 0						// Hint Cost
            [teams] => Array
                (
                    [fbctf:user3:$2y$12$GIR7V0Q2OMDv8cTTOnzKVpGYgR4.pWTsPRHtZ3yenKZ9JxOabx4m2] => Array	// Live Sync Type, Live Sync Username, Live Sync Key (Hash)
                        (
                            [timestamp] => 2017-02-17 01:09:24						// Activity Timestamp
                            [capture] => 1									// Capture Status
                            [hint] => 									// Hint Used
                        )

                )

        )

  * Example (Formatted output for readability - the actually data must be in valid JSON format):

Array
(
    [0] => Array
        (
            [active] => 1
            [type] => flag
            [title] => Example Level 1
            [description] => This is the first example level.
            [entity_iso_code] => US
            [category] => None
            [points] => 100
            [bonus] => 30
            [bonus_dec] => 10
            [penalty] => 0
            [teams] => Array
                (
                )

        )

    [1] => Array
        (
            [active] => 1
            [type] => flag
            [title] => Example Level 2
            [description] => This is the second example level.
            [entity_iso_code] => OM
            [category] => None
            [points] => 100
            [bonus] => 30
            [bonus_dec] => 10
            [penalty] => 0
            [teams] => Array
                (
                    [fbctf:user1:$2y$12$n.VmlNNwxmZ/OkGGuhVhFeX0VExAgjoaYzyetLCIemSXN/yxWXLyO] => Array
                        (
                            [timestamp] => 2017-02-17 01:01:49
                            [capture] => 1
                            [hint] => 1
                        )

                    [fbctf:user2:$2y$12$GIDv8cR7V0nzKVpQ2OMTTOGYgR4.pWTxOPRH9abtsJZ3yenKZx4m2] => Array
                        (
                            [timestamp] => 2017-02-17 01:21:13
                            [capture] => 1
                            [hint] => 1
                        )

                )

        )

    [2] => Array
        (
            [active] => 1
            [type] => flag
            [title] => Example Level 3
            [description] => This is the third example level.
            [entity_iso_code] => MA
            [category] => None
            [points] => 100
            [bonus] => 30
            [bonus_dec] => 10
            [penalty] => 0
            [teams] => Array
                (
                    [fbctf:user2:$2y$12$GIDv8cR7VpQ2OM0nzKVTTOGYgR4.pWTxOabtsPRH9JZ3yenKZx4m2] => Array
                        (
                            [timestamp] => 2017-02-17 01:18:45
                            [capture] => 1
                            [hint] =>
                        )

                    [fbctf:user1:$2y$12$n.VmlNNwxmZ/OkGGuhVhFeXYzExAg0VoajyetLCIemSXN/yxWXLyO] => Array
                        (
                            [timestamp] => 2017-02-17 01:01:41
                            [capture] => 1
                            [hint] =>
                        )

                )

        )

    [3] => Array
        (
            [active] => 1
            [type] => flag
            [title] => Example Level 4
            [description] => This is the second example level.
            [entity_iso_code] => RO
            [category] => None
            [points] => 100
            [bonus] => 30
            [bonus_dec] => 10
            [penalty] => 0
            [teams] => Array
                (
                    [fbctf:user3:$2y$12$GIDv8cR7V02OnzKVpQMTTOGYgR4.pWTsPOabtZRH9Jx3yenKZx4m2] => Array
                        (
                            [timestamp] => 2017-02-17 01:09:24
                            [capture] => 1
                            [hint] =>
                        )

                )

        )

)

* TO DO (Enhancements):

  * Implemented alternative Live Sync key/authentication mechanisms, such as: Facebook Login, OAuth, etc.

  * Improve the processing of Bases/Progressive scoring.

  * Integrate password strength enforcement for the Live Sync credentials.

* * Added unit tests for Live Sync to TeamTest

* * Updated unit tests for the Live Sync API.

* Added Google OAuth to Live Sync API

* Google OAuth can now be used with the Live Sync when the exporting system provides the "google_oauth" type and provides the email address of the user in base64 encoded form.

* Added Google OAuth UI/UX.  If enabled, this allows a user to link their Google account to their FBCTF account using Google OAuth.  The user simply navigates to the account page and clicks the "Link Your Google Account" button and completes the sign-in/authorization process.

* Administrators must enable Google OAuth.  When disabled the option does not appear for the users.  To enable Google OAuth the administrator must first create a Google API account and then place the API secrets file on the system (in a non-web directory).  The administrator would then set the full path to the API secrets file in the settings.ini file, within the GOOGLE_OAUTH_FILE field.

* The Live Sync API has been updated to handle the "google_oauth" type case.

* The liveimport.php script has been updated to set default values for some of the API fields.  The following fields are mandatory:

  * title

  * description

  * points

  * teams

* The live import code has also been updated to ensure duplicate levels, when using a combination of non-defined and defined countries, are not generated.

* The project now requires google/apiclient ^2.0 from composer.  Updated composer.json and composer.lock to define the new dependencies.

* Minor formatting updates.

* * Ensure mandatory fields are set, gracefully skip when they are not.

* Refined Live Import CLI Options and Updated Google OAuth Data

* The live sync import script (livesync.php) now utilizes `getopts()` to provide more user-friendly option input to the command-line script.  The script will provide a help message upon usage without the required field(s).  Here is the help message text:

```
Usage:
  hhvm -vRepo.Central.Path=/var/run/hhvm/.hhvm.hhbc_liveimport /var/www/fbctf/src/scripts/liveimport.php
    --url <Sync URL> [Switched allowed multiple times.  Optionally provide custom HTTP headers after URL, pipe delimited]
    --sleep <Time to Sleep Between Cycles> [Default: 300]
    --disable-ssl-verification [Optional: Disables SSL Certification Verification]
    --debug [Optional: Enables Debug Output]
```

* Custom HTTP Headers are now supported via the `url` CLI argument, using a pipe (`|`) delimiter.  Multiple headers may be provided by the user.

* Users of the live sync import script (livesync.php) must provide at minimum the `url` argument.  Multiple URLs are allowed in order to import from more than one host.  Additionally, users may specify custom HTTP headers as necessary per-URL.

* The `sleep`, `disable-ssl-verification`, and `debug` arguments are optional.  By default the script will sleep for 300 seconds between imports; this may be changed with the `sleep` option.  By default the script will enforce SSL security and verification, however there are times when this may need to be disabled.  SSL Verification can be disabled with the `disable-ssl-verification` option.  The `debug` option provides a detailed output of the scripts activity; unless `debug` is used, the script will provide no output unless an error is encountered.

* Here are some example usages of the liveimport.php script:

  * Single URL, 30 second cycles:

`hhvm -vRepo.Central.Path=/var/run/hhvm/.hhvm.hhbc_liveimport /var/www/fbctf/src/scripts/liveimport.php --url "https://10.10.10.101/data/livesync.php" --sleep 30`

  * Multiple URLs, 90 second cycles, Disable SSL Verification:

`hhvm -vRepo.Central.Path=/var/run/hhvm/.hhvm.hhbc_liveimport /var/www/fbctf/src/scripts/liveimport.php --disable-ssl-verification --url "https://10.10.10.101/data/livesync.php" --url "https://10.10.10.103/data/livesync.php" --sleep 90`

  * Multiple URLs, One Custom HTTP Header, Debug Enabled:

`hhvm -vRepo.Central.Path=/var/run/hhvm/.hhvm.hhbc_liveimport /var/www/fbctf/src/scripts/liveimport.php --debug --url "https://10.10.10.101/data/livesync.php" --url "https://10.10.10.102/data/livesync.php|X-API-KEY: f4f0d2154f338fd8edb38fc3839f22dd"`

* The live sync import script (livesync.php) now performs XSSI filtering on the returned JSON and logs an error message if the JSON data is missing or malformed.

* Inverse conditions within the live sync import script (livesync.php) have been reformatted to provide clearer readability.

* The Google OAuth Live Sync key has been switched from the user's email address to their Google Profile ID.  This value does not need to be encoded.

* Minor Updates

* Added a specific redirect URL for the Google OAuth process.  This will ensure the user is redirected back to the same (sub)domain they came from.  This is primarily useful if the FBCTF instance is accessible from multiple domains or subdomains (like www).  The redirect URL must still be authorized in the Google API settings/console.

* Added a date/time output for the debug mode of the live import script.

* Set the modal title to a static value.

* I think its bad (#446)

* Fix fail error

* Order by name in category list

The category filter in gameboard aren't ordered alphabetically

* Autofocus in team name

* Fail

* Fix Fail autofocus

* Fix error with autofocus

* Not very good

For security reasons, I think it's not very good insert the admin id by default at session table

* Update SessionTest.php

* Updated LiveSync Security (#494)

* Updated LiveSync Security

* Live Sync API is now disabled by default.

* Admins can enable or disable the Live Sync API from the Administration Configuration page.

* Live Sync API now has an optional 'Auth Key.'  When the auth key is set, anyone attempting to pull from the API must supply the auth key value in their request.  Without the auth key, no data is provided by the Live Sync API endpoint.

* When using the Auth Key, it must be added as a parameter to the URL value in the `liveimport` script: ```?auth=XXXXX_```

  * Example (with an auth key of `1234567890`:

  * `hhvm -vRepo.Central.Path=/var/run/hhvm/.hhvm.hhbc_liveimport /var/www/fbctf/src/scripts/liveimport.php --url 'https://10.10.10.101/data/livesync.php?auth=1234567890'`

  * Note:  When using the Auth Key you should use a secure key.

* The `livesync` API endpoint will provide error messages if the API is disabled, the key is missing or invalid, or if any general error is encountered.

* The `liveimport` script will check for errors and display those in the output if any are encountered.

* Updated LiveSync Security

* Combined Awaitables throughout LiveSync endpoint.

* Used hash_equals() for API key verification, mitigating timing attacks on the key.# Please enter the commit message for your changes. Lines starting

* Temp fix for issue 499 & 500.  Forcing Grunt to continue as it is not correctly detecting node_modules in the folder (#502)

* Merge Deconflict of /dev and /master (#503)

* Registration enforcing strong passwords (#442)

* Password types in admin

* Fully functional password complexity enforcement for registration

* lowercase word in text

* Adding test for password types regex and fixing all errors for hh_client

* Updating outdated schema for tests

* Custom branding for icon and text (#448)

* Custom branding for icon and text

* Replace async calls branding xhp by attributes

* Use genRenderBranding in genRenderMobilePage and combine awaitables
  • Loading branch information
@justinwray @gsingh93
justinwray authored and gsingh93 committed Jun 5, 2017
1 parent 081062c commit 25c1748
Show file tree
Hide file tree
Showing 36 changed files with 3,691 additions and 297 deletions.
165 changes: 9 additions & 156 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,164 +12,17 @@ The Facebook CTF is a platform to host Jeopardy and “King of the Hill” style
* Follow setup instructions below to spin up platform infrastructure.
* Enter challenges into admin page
* Have participants register as teams
* If running a closed competition:
* In the admin page, generate and export tokens to be shared with approved teams, then point participants towards the registration page
* If running an open competition:
* Point participants towards the registration page
* Enjoy!
* Note: We're hiring! If you're interested in the remote eng lead position, apply [here](http://pro.applytojob.com/apply/Qe1YmW/CTF-Engineering-Lead)!

# Installation

The Facebook CTF platform can be provisioned in development or production environments. Note that the *only* supported system is 64 bit Ubuntu 14.04. Ubuntu 16.04 is not supported at this time, nor is 32 bit. We will accept PRs to support other platforms, but we will not officially support those platforms if there are any issues.

### Development

While it is possible to do development on a physical Ubuntu machine (and possibly other Linux distros as well), we highly recommend doing all development on a Vagrant VM. First, install [VirtualBox](https://www.virtualbox.org/wiki/Downloads) and [Vagrant](https://www.vagrantup.com/downloads.html). Then run:

```bash
git clone https://github.com/facebook/fbctf
cd fbctf
vagrant up
```

This will create a local virtual machine with Ubuntu 14.04 using Vagrant and VirtualBox as the provider. The provisioning script will install all necessary software to the platform locally, using self-signed certificates. The platform will be available on [https://10.10.10.5](https://10.10.10.5) by default. You can find any error logs in `/var/log/hhvm/error.log`. If you would like to change this IP address, you can find the configuration for it in the `Vagrantfile`.

Once the VM has started, go to the URL/IP of the server (10.10.10.5 in the default case). Click the "Login" link at the top right, enter the 'admin' as the team name and 'password' as the password (without quotes). You will be redirected to the administration page. At the bottom of the navigation bar on the left, there will be a link to go to the gameboard.

To login to the Vagrant VM, navigate to the fbctf folder and run:

```
vagrant ssh
```

If you are using a non-English locale on the host system, you will run into problems during the installation. The easiest solution is to run vagrant with a default English locale:

```bash
LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 vagrant up
```

Note that if you don't want to use the Vagrant VM (not recommended), you can provision in dev mode manually. To do so, run the following commands:

```
sudo apt-get update
sudo apt-get install git
git clone https://github.com/facebook/fbctf
cd fbctf
./extra/provision.sh -m dev -s $PWD
```

### Production
Please note that your machine needs to have at least 2GB of RAM, otherwise the composer part of the installation will fail.
The target system needs to be 64 bit Ubuntu 14.04. Run the following commands:

```bash
sudo apt-get update
sudo apt-get install git
git clone https://github.com/facebook/fbctf
cd fbctf
./extra/provision.sh -m prod -s $PWD
```

*Note*: Because this is a production environment, the password will be randomly generated when the provision script finishes. This ensures that you can't forget to change the default password after provisioning. Make sure to watch the very end of the provision script, as the password will be printed out. It will not be stored elsewhere, so either keep track of it or change it. In order to change the password, run the following command:

```
source ./extra/lib.sh
set_password new_password ctf ctf fbctf $PWD
```

This will set the password to 'new_password', assuming the database user/password is ctf/ctf and the database name is fbctf (these are the defaults).

By default, the provision script will place the code in the `/var/www/fbctf` directory, install all dependencies, and start the server. In order to run in production mode, we require that you use SSL. You can choose between generating new self-signed, using your own or generate valid SSL certificates using [Let's Encrypt](https://letsencrypt.org/). The provisioning script uses [certbot](https://certbot.eff.org/) to assist with the generation of valid SSL certificates.

#### Production Certificates

As mentioned above, there are three different type of certificates that the provision script will use:

1. Self-signed certificate (```-c self```):
It is the same type of certificate that the development mode provisioning. Both the CRT and the key files will be generated and the command could be:

```
./extra/provision.sh -m prod -c self -s $PWD
```

2. Use of own certificate (```-c own```):
If we already have a valid SSL certificate for our domain and want to use it. If the path for both CRT and key files is not provided, it will be prompted. Example command:

```
./extra/provision.sh -m prod -c own -k /path/to/my.key -C /path/to/cert.crt -s $PWD
```

3. Generate new certificate using Let's Encrypt (```-c certbot```):
A new valid SSL certificate will be generated using [certbot](https://certbot.eff.org/). There are few needed parameters that if not provided, will be prompted:

```
./extra/provision.sh -m prod -c certbot -D test.mydomain.com -e myemail@mydomain.com -s $PWD
```
Note that certbot will run a challenge-response to validate the server so it will need Internet access.
For more information, see the [Admin Guide](https://github.com/facebook/fbctf/wiki/Admin-Guide)

Once you've provisioned the VM, go to the URL/IP of the server. Click the "Login" link at the top right, enter the admin credentials, and you'll be redirected to the admin page. Enter the credentials you received at the end of the provision script to log in.


#### Optional installation

If you are going to be modifying files outside of the Vagrant VM, you will need to synchronize the files using [Unison](https://www.cis.upenn.edu/~bcpierce/unison/download.html) (bi-directional file sync over SSH). Once Unison is installed, you can sync your local repo with the VM with the following command from the root of the repository (outside the VM):

`./extra/unison.sh $PWD`

Note that the unison script will not sync NPM dependencies, so if you ever need to run `npm install`, you should always run it on the VM itself.

This step is not necessary if all development is done on the VM.


#### Keep code updated

If you are already running the fbctf platform and want to keep the code updated, there is an easy way to do that with the provision script.
For example, the following command will run in a production environment and it will pull master from Github and get it ready to run, from the folder ```/var/www/fbctf```:

```
./extra/provision.sh -m prod -U -s $PWD -d /var/www/fbctf
```


# Using Docker

[Dockerfile](Dockerfile) is provided, you can use docker to deploy fbctf to both development and production.

### Development

This build command will provision fbctf in dev mode in docker:

`docker build --build-arg MODE=dev -t="fbctf_in_dev" .` (don't forget the dot at the end)


Run command:

`docker run -p 80:80 -p 443:443 fbctf_in_dev`

Once you've started the container, go to the URL/IP of the server. Click the "Login" link at the top right, enter the default admin credentials, and you'll be redirected to the admin page.

### Production
Please note that your machine needs to have at least 2GB of RAM, otherwise the composer part of the installation will fail.
This build command will provision fbctf in prod mode in docker. Once you've started the container, Let's Encrypt will take YOUR_DOMAIN to obtain a trusted certificate at zero cost:

`docker build --build-arg MODE=prod --build-arg DOMAIN=test.mydomain.com --build-arg EMAIL=myemail@mydomain.com --build-arg TYPE=certbot -t="fbctf_in_prod" .` (don't forget the dot at the end)

Run command:

`docker run -p 80:80 -p 443:443 -v /etc/letsencrypt:/etc/letsencrypt fbctf_in_prod`

*Note 1: Because this is a production environment, the password will be randomly generated when the provision script finishes. Make sure to watch the very end of the provision script while the image is building, as the password will be printed out. It will not be stored elsewhere, so either keep track of it or change it. In order to change the password, run the following command in container:*

```
set_password new_password ctf ctf fbctf /root
```
# Installation

*This will set the password to 'new_password', assuming the database user/password is ctf/ctf and the database name is fbctf (these are the defaults).*
The FBCTF platform was designed with flexibility in mind, allowing for different types of installations depending on the needs of the end user. The FBCTF platform can be installed either in Development Mode, or Production Mode. Development is for development, and Production is intended for live events utilizing the FBCTF platform.

*Note 2: You'll have to mount /etc/letsencrypt as a volume to persist the certs. ex: `docker run -v /etc/letsencrypt:/etc/letsencrypt ...`*
[Development Installation Guide](https://github.com/facebook/fbctf/wiki/Installation-Guide,-Development)

You can go to the URL/IP of the server, click the "Login" link at the top right, enter the admin credentials, and you'll be redirected to the admin page.
[Production Installation Guide](https://github.com/facebook/fbctf/wiki/Installation-Guide,-Production)

## Reporting an Issue

Expand All @@ -179,14 +32,14 @@ If you have issues installing the platform, please provide the entire output of

## Contribute

You’ve used it, now you want to make it better? Awesome! Pull requests are welcome! Click [here] (https://github.com/facebook/fbctf/blob/master/CONTRIBUTING.md) to find out how to contribute.
You’ve used it, now you want to make it better? Awesome! Pull requests are welcome! Click [here](https://github.com/facebook/fbctf/blob/master/CONTRIBUTING.md) to find out how to contribute.

Facebook also has [bug bounty program] (https://www.facebook.com/whitehat/) that includes FBCTF. If you find a security vulnerability in the platform, please submit it via the process outlined on that page and do not file a public issue.
Facebook also has [bug bounty program](https://www.facebook.com/whitehat/) that includes FBCTF. If you find a security vulnerability in the platform, please submit it via the process outlined on that page and do not file a public issue.

## Have more questions?

Check out the [wiki pages] (https://github.com/facebook/fbctf/wiki) attached to this repo.
Check out the [wiki pages](https://github.com/facebook/fbctf/wiki) attached to this repo.

## License

This source code is licensed under the Creative Commons Attribution-NonCommercial 4.0 International license found in the LICENSE file in the root directory of this source tree.
This source code is licensed under the Creative Commons Attribution-NonCommercial 4.0 International license. View the license [here](https://github.com/facebook/fbctf/blob/master/LICENSE).
3 changes: 2 additions & 1 deletion composer.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,8 @@
"description": "Facebook CTF platform",
"license": "CC-BY-NC-4.0",
"require": {
"facebook/xhp-lib": "2.x"
"facebook/xhp-lib": "2.x",
"google/apiclient": "^2.0"
},
"require-dev": {
"phpunit/dbunit": "^2.0",
Expand Down

0 comments on commit 25c1748

Please sign in to comment.