RTB import

[eljeffeg]

I'd be very interested in adding JuiceShop support for RootTheBox. Would I start by creating a generator js file? I expect this would create an file that would be read by the CTF import, which in our case is an xml file. Is that how it works?

Also would be good if you happen to have a sample export that I can use as a guideline.

[bkimminich]

You find the existing generators for FBCTF and CTFd in https://github.com/bkimminich/juice-shop-ctf/tree/master/lib/generators. The challenges are pulled from the Juice Shop API in JSON format and then passed into each generator - it should be easy for you to use them to create your XML based format.

Do you have an XML sample from RTB available maybe? Then I could give you some advice on what to map to which fields, if you want.

[eljeffeg]

Excellent - Thanks. I plan to use JuiceShop myself soon, so I thought it would be great to just add that support in. I can include any changes in our v3.3 release.

Here is a sample - happy to answer any questions about it. Most fields are optional, but I tried to give a variety. example.txt

RTB supports Flag Types: Static, Regex, Datetime, Multiple Choice, File - w/options for case sensitivity. Optionally, flags can be dependent on other flags for unlock. Supports Penalties, Hints (flag and section), Level Bonuses, Dynamic Scoring, Categories, and Capture Dialog. The penalties are a global setting though - a percentage of the flag value - but just in case JuiceShop has such options that can be exported.

Some terminology to note that's a little different in RTB due to its origins. More info describing it.

• Corporations (Groups)
• Boxes (Sections)
• Flags (Questions)

[eljeffeg]

Making good progress on this and should have it completed soon. Couple questions.

1. Should the Hint Text and Hint URL be treated as two different hints (each with their own unlock / cost) or should the URL be appended to the Text as granting a single hint? It looks like FBCTB treats it all as a single hint, but CTFd doesn't appear to.
2. The difficulty - is the scale 1-6 or is that defined by the managed instance of JuiceShop. I'm wondering if it would be nice to use the difficulty to create Levels. Maybe split it up into 2 or 3 levels based on difficulty (1/2/3, 4/5/6). Guess it depends on how many categories / flags we'd have at each difficulty level - which I can evaluate if this idea makes sense. Guess I could offer it as a selection in the tool.
3. I'd like to add a description of the categories (XSS, XXE, Injection, etc). Is that anything included in JuiceShop that could be returned?

[bkimminich]

1. CTFd supports multiple hints per challenge while FBCTF doesn't. If RTB can handle multiple ones, it'd be nice to have them separate. Otherwise the FBCTF-way is the fallback. The CLI questions should remain as they are and work similar to the CTF/FBCTF mode - whichever it will be.
2. Juice Shop has challenge difficulty ranging from ⭐ to ⭐⭐⭐⭐⭐⭐ and they shouldn't be grouped in my opinion but all be a level of their own to keep consistency and clarity intact.
3. Not yet, but I was planning to have something like that. Today the category is a String property of the challenge and they're just thrown into a set and displayed as toggle buttons on the Score Board. Adding descriptions in the same denormalized way, would be kind of odd. So I'm thinking of adding another table or some other API endpoint to retrieve those. Could include links to OWASP Top 10 etc. as well. But, this is not even a GitHub ticket yet, so you might want to go ahead w/o descriptions for now.

[bkimminich]

• Corporations (Groups)
• Boxes (Sections)
• Flags (Questions)

So, does that map to the Juice Shop like this?

• Corporations = Difficulty Levels 1-6
• Boxes = Categories
• Flags = Challenges

[eljeffeg]

RTB has Levels as well. Corporations would be used if perhaps a competing JuiceShop were online, with its own levels, boxes, flags.

Otherwise, you have boxes and flags correct.

[eljeffeg]

Categories will also be used secondarily in the skills graph.

[bkimminich]

So, a Box is a category but also has a category and in the Juice Shop case it's both identical?

All in all sounds like a good mapping! Looking forward to receiving your PR!

[eljeffeg]

I'm using the JuiceShop category as both a flag category (skill graph) and as a box name. The box name doesn't have to be a category, could be Fruit Juice, Veggie Juice, & Jungle Juice. But a box is a collection of flags and it seems to make sense in this application to use the flag categories to separate the flags into these sections.

My only concern with having the 6 levels is having few flags in a box at that level. So, a box with 1 flag might just be weird from an organization standpoint (like a folder with one file in it), but it's doable.

In addition to the flags, bonus points can be added for completing a level, completing a box. The
progressing levels can also be locked and set to unlock after a certain percentage of the prior level is complete. For example, Level 2 is locked until 35% of Level 1 is completed. Not sure what the best way to implement these additional options, so if you have suggestions, I'm open. The manager could change them later - just looking for the best way to set things up by default.

We'd have something like this:

Level 1
-- Cat 1
---- Challenge 1
---- Challenge 2
-- Cat 2
---- Challenge 3
---- Challenge 4
Level 2
-- Cat 1
---- Challenge 5
---- Challenge 6

Here is an example of some boxes from a Infinity Wars theme CTF, where the sections were base on the gems. When the player would complete a box, they would get a communication message from Rocket Racoon congratulating them on the victory.

[bkimminich]

• In the Juice Shop all challenges of all difficulties are always "on", so I'd not recommend to use locked levels at all...
• Levels are at the top always or could you drop them entirely even? You could go with this then:

Cat 1
-- Challenge 1
-- Challenge 2
Cat 2
-- Challenge 3
-- Challenge 4
Cat 3
-- Challenge 5
-- Challenge 6

and let the difficulty just be reflected by the point value of each challenge. In CTFd it's the same way.

[bkimminich]

Btw, here are some images that you might find useful, but I've got no idea if those could be included in the config as base64 blobs or anything... :-D

https://github.com/wurstbrot/security-pins/tree/master/juice-shop-challenge-pins/Pins/PNG

[eljeffeg]

Levels are optional - That works as well and currently how I have it set up.
Also, will it be a problem if I add a couple more requirements to juice-shop-ctf?
So far, I'm needing to add:

• turndown (converts html syntax to markdown)
• xmlbuilder (builds the xml doc)

[bkimminich]

Add whatever you need... 👍

[eljeffeg]

Thanks for pointing out the pins. I think the category ones will be particularly useful as I can use them as the Box images as opposed to the default ones included in RTB. I do think I can include them base64 encoded in the export. Do you have those category images without the stars? If I'm not using levels, the stars don't make much sense.

[eljeffeg]

Disregard.. I see the SVG - perfect.

[bkimminich]

There are some generic ones https://github.com/wurstbrot/security-pins/tree/master/SVG as well, but not for all Juice Shop categories... So maybe that's something for your v2 of your generator?

[eljeffeg]

I'd like to also use a graphic that displays to the right of the scoreboard, so something tall. Do you have any of the graphics used in your banners? Or perhaps something else that you think would look good? I'll size it to about 500x1000.

[bkimminich]

Yeah, you could either use the banner (https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop/banners) or the mobile wallpaper (https://github.com/OWASP/owasp-swag/blob/master/projects/juice-shop/wallpapers/JuiceShop_Wallpaper_750x1348.jpg) if you don't actually want all the text there.

[bkimminich]

Merged to master, will be released with v7.0.0!

@jeffg2k Please mail me your post address and I'll happily send a nice swag pack your way for this awesome contribution!