
ctfd's Introduction


What is CTFd?

CTFd is a Capture The Flag framework focusing on ease of use and customizability. It comes with everything you need to run a CTF and it's easy to customize with plugins and themes.

CTFd is a CTF in a can.

Features

  • Create your own challenges, categories, hints, and flags from the Admin Interface
    • Dynamic Scoring Challenges
    • Unlockable challenge support
    • Challenge plugin architecture to create your own custom challenges
    • Static & Regex based flags
      • Custom flag plugins
    • Unlockable hints
    • File uploads to the server or an Amazon S3-compatible backend
    • Limit challenge attempts & hide challenges
    • Automatic bruteforce protection
  • Individual and Team based competitions
    • Have users play on their own or form teams to play together
  • Scoreboard with automatic tie resolution
    • Hide Scores from the public
    • Freeze Scores at a specific time
  • Scoregraphs comparing the top 10 teams and team progress graphs
  • Markdown content management system
  • SMTP + Mailgun email support
    • Email confirmation support
    • Forgot password support
  • Automatic competition starting and ending
  • Team management, hiding, and banning
  • Customize everything using the plugin and theme interfaces
  • Importing and Exporting of CTF data for archival
  • And a lot more...

Install

  1. Install dependencies: pip install -r requirements.txt
    1. You can also use the prepare.sh script to install system dependencies using apt.
  2. Modify CTFd/config.ini to your liking.
  3. Use python serve.py or flask run in a terminal to drop into debug mode.

You can use the auto-generated Docker images with the following command:

docker run -p 8000:8000 -it ctfd/ctfd

Or you can use Docker Compose with the following command from the source repository:

docker compose up

Check out the CTFd docs for deployment options and the Getting Started guide.

Live Demo

https://demo.ctfd.io/

Support

To get basic support, you can join the MajorLeagueCyber Community: MajorLeagueCyber Discourse

If you prefer commercial support or have a special project, feel free to contact us.

Managed Hosting

Looking to use CTFd but don't want to deal with managing infrastructure? Check out the CTFd website for managed CTFd deployments.

MajorLeagueCyber

CTFd is heavily integrated with MajorLeagueCyber. MajorLeagueCyber (MLC) is a CTF stats tracker that provides event scheduling, team tracking, and single sign on for events.

By registering your CTF event with MajorLeagueCyber users can automatically login, track their individual and team scores, submit writeups, and get notifications of important events.

To integrate with MajorLeagueCyber, simply register an account, create an event, and install the client ID and client secret in the relevant portion in CTFd/config.py or in the admin panel:

OAUTH_CLIENT_ID = None
OAUTH_CLIENT_SECRET = None

Credits

ctfd's People

Contributors

alperb, bburky, bird101, coldheat, connornelson, cryptanalyse, dependabot[bot], eduardo010174, erdnaxe, frankli0324, frohoff, hakatashi, hypersonic, ifelawal, ilanarbi, joelebutler, jus-codin, khiemdoan, mark-ignacio, milymilo, mschwager, nella17, pwnfoo, rbmj, slinkymanbyday, smylermc, sudobash418, takeshixx, thespeedx, wangxiyu191


ctfd's Issues

Delete Pages

It doesn't appear as though pages can be easily deleted once they've been added through the Admin portal.

attached file problem.

I attached challenge binary and tried to download it but I got this message

# client
Whoops, looks like we can't find that.
Sorry about that

# server
[pid: 2443|app: 0|req: 42/42] 39.124.110.87 () {36 vars in 1338 bytes} [Tue Sep 22 20:54:50 2015] GET /static/uploads/c9cccd1c00fc948e5f76acba9813878e/prob1 => generated 2939 bytes in 11 msecs (HTTP/1.1 404) 3 headers in 203 bytes (1 switches on core 0)

I ran server by this command 'uwsgi --http-socket :31337 -w "CTFd:create_app()"'
What is the matter?!?!
There is no downloadable attached file for any challenge. :(

emoji in challenge description

example: put this as a challenge description

👌👀👌👀👌👀👌👀👌👀 good shit go౦ԁ sHit👌 thats ✔ some good👌👌shit right👌👌th 👌 ere👌👌👌 right✔there ✔✔if i do ƽaү so my selｆ 💯 i say so 💯 thats what im talking about right there right there (chorus: ʳᶦᵍʰᵗ ᵗʰᵉʳᵉ) mMMMMᎷМ💯 👌👌 👌НO0ОଠＯOOＯOОଠଠOoooᵒᵒᵒᵒᵒᵒᵒᵒᵒ👌 👌👌 👌 💯 👌 👀 👀 👀 👌👌Good shit

expected:
ctfd has cool emojis.

actual:
a bunch of question marks.

KeyError:'nonce'

Pulled down the repo and ran the commands as given on the README.md on a clean install of Ubuntu 14.04 and am given a KeyError after running the setup.

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1836, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1820, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1403, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1473, in full_dispatch_request
    rv = self.preprocess_request()
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1666, in preprocess_request
    rv = func()
  File "/opt/ctfd/CTFd/views.py", line 32, in csrf
    if session['nonce'] != request.form.get('nonce'):
  File "/usr/local/lib/python2.7/dist-packages/werkzeug/local.py", line 368, in <lambda>
    __getitem__ = lambda x, i: x._get_current_object()[i]
KeyError: 'nonce'

File upload for challenge not accessible

It seems that after deploying the server using a fresh clone and default settings that uploading a file results in the file being uploaded properly, but when going to access the file by the embedded link in the challenge text, the URL generates as:
http://ctfdomain:4000//file.ext

and clicking on this link returns a 404 and the "Whoops, looks like we can't find that. Sorry about that" page.

Deployment Documentation or Script

I don't believe there is a callable function that is compatible with Gunicorn or uWSGI. I am launching uwsgi via the following command:

uwsgi --http-socket :80 -w CTFd:create_app

Then I navigate to http://127.0.0.1 and get the following error:

 File "./CTFd/__init__.py", line 20, in create_app
    SQLALCHEMY_DATABASE_URI = 'mysql://'+username+':'+password+'@localhost:3306/' + subdomain + '_ctfd',
TypeError: cannot concatenate 'str' and 'builtin_function_or_method' objects

Everything works fine when letting Flask's internal handler serve HTTP.

Admin control of teams

It would be nice to have more control over the teams as the admin user. There doesn't appear to be a streamlined way to remove teams from the scoreboard or start/stop self-registration.

prepare.sh is non-executable

I don't know if this was intentional, but 'prepare.sh' is non executable.

So, I would suggest to either make it executable or change the doc to say

  1. sh prepare.sh to install dependencies using apt.

Broken pipe playing video

I got this when playing video from the web:

202.46.129.12 - - [14/Oct/2015 22:35:24] "GET /static/uploads/d6dc1856f5c7b822ef04f2a64eb40d1d/Its_been_camouflaged_70_years_ago.webm HTTP/1.0" 200 -

Exception happened during processing of request from ('202.46.129.12', 38485)
Traceback (most recent call last):
  File "/usr/lib64/python2.7/SocketServer.py", line 295, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib64/python2.7/SocketServer.py", line 321, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib64/python2.7/SocketServer.py", line 334, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib64/python2.7/SocketServer.py", line 651, in __init__
    self.finish()
  File "/usr/lib64/python2.7/SocketServer.py", line 710, in finish
    self.wfile.close()
  File "/usr/lib64/python2.7/socket.py", line 279, in close
    self.flush()
  File "/usr/lib64/python2.7/socket.py", line 303, in flush
    self._sock.sendall(view[write_offset:write_offset+buffer_size])
error: [Errno 32] Broken pipe

Editing groups fails and makes them admin

When using Chrome (Version 46.0.2490.80 m) on Windows and logged in as an admin user, editing groups' information does not work and gives that group admin privileges. Also, when un-clicking the admin checkbox, a team still has their admin privileges. So once a group has admin it cannot be taken away through the web GUI.

Part of the issue seems to start at around line 340 in the admin.py file. The issue of not being able to demote admins may be somewhere else.

UnicodeEncodeError when teams with non-ASCII usernames login

I registered the user "๐Ÿ’ฉ". The user is successfully created, but there is an error:

UnicodeEncodeError
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-3: ordinal not in range(128)
CTFd/auth.py, line 94, in register

Also, the user cannot login:

UnicodeEncodeError
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-3: ordinal not in range(128)
CTFd/auth.py, line 114, in login

Both errors are in logging statements

can't enter to admin

Hello,
When I am trying to enter the admin panel I get this error. Can you help me to resolve it?
Thank you!!!

127.0.0.1 - - [18/Jan/2015 05:14:57] "GET /admin?debugger=yes&cmd=source&frm=183375244&s=9F9dMGJKfplO4hV1xNaN HTTP/1.1" 200 -
127.0.0.1 - - [18/Jan/2015 05:14:59] "POST /admin HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1836, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1820, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1403, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/root/Desktop/CTFd-master/test/CTFd/CTFd/admin.py", line 26, in admin
    session.regenerate() # NO SESSION FIXATION FOR YOU
  File "/usr/share/pyshared/werkzeug/local.py", line 336, in __getattr__
    return getattr(self._get_current_object(), name)
AttributeError: 'FileSystemSession' object has no attribute 'regenerate'
127.0.0.1 - - [18/Jan/2015 05:14:59] "GET /admin?debugger=yes&cmd=resource&f=style.css HTTP/1.1" 200 -
127.0.0.1 - - [18/Jan/2015 05:14:59] "GET /admin?debugger=yes&cmd=resource&f=jquery.js HTTP/1.1" 200 -
127.0.0.1 - - [18/Jan/2015 05:14:59] "GET /admin?debugger=yes&cmd=resource&f=debugger.js HTTP/1.1" 200 -
127.0.0.1 - - [18/Jan/2015 05:14:59] "GET /admin?debugger=yes&cmd=resource&f=console.png HTTP/1.1" 200 -
127.0.0.1 - - [18/Jan/2015 05:14:59] "GET /admin?debugger=yes&cmd=resource&f=source.png HTTP/1.1" 200 -

Limit displaying challenges?

After 10 challenges are present, the challenge page won't allow any competitor to click any available links to submit flags. Additionally, several challenges are no longer being displayed all together. However, after deleting the 10th entry from the challenge table in the SQLite database everything goes back to normal.

Any idea on why this may be occurring?

Documentation

CTFd needs documentation covering:

  1. Deployment options
  2. Admin panel breakdown
  3. Creating challenges

Flags/keys with uppercase letters can't be submitted

Code that handles submission appears to only call .strip().lower() on the flag/key from the submitting user and NOT on the flag/key from the database when doing the comparison. This causes any flag/key submissions with uppercase letters to spuriously fail.

https://github.com/isislab/CTFd/blob/master/CTFd/challenges.py#L141:

...
            key = str(request.form['key'].strip().lower())
            keys = json.loads(chal.flags)
            for x in keys:
                if x['type'] == 0: #static key
                    print(x['flag'], key.strip().lower())
                    if x['flag'] == key.strip().lower():
                        solve = Solves(chalid=chalid, teamid=session['id'], ip=request.remote_addr, flag=key)
...
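An added example (not CTFd's code and not the project's eventual fix) that puts the comparison described in this issue next to a version that normalises both sides identically and compares in constant time. The function names, the `case_sensitive` parameter and the sample flags are assumptions made for illustration.

```python
import hmac
import json

# Constructed sample in the shape the snippet above reads from chal.flags.
SAMPLE_FLAGS = json.dumps([
    {"flag": "CTF{MixedCase_Flag}", "type": 0},
    {"flag": "ctf{lowercase_only}", "type": 0},
])


def check_as_reported(submitted, flags_json):
    """Behaviour described in the issue: only the submission is lowercased."""
    key = str(submitted.strip().lower())
    for x in json.loads(flags_json):
        if x["type"] == 0 and x["flag"] == key:
            return True
    return False


def check_static_flag(submitted, flags_json, case_sensitive=True):
    """Apply one normalisation to both sides, then compare in constant time.

    case_sensitive is a hypothetical option: exact match by default,
    lowercase on BOTH sides when the organiser wants a relaxed match.
    """
    def norm(value):
        value = value.strip()
        return value if case_sensitive else value.lower()

    key = norm(submitted).encode("utf-8")
    matched = False
    for x in json.loads(flags_json):
        if x["type"] != 0:  # only static flags are handled here
            continue
        stored = norm(x["flag"]).encode("utf-8")
        # compare_digest does not stop at the first differing byte, so the
        # response time does not reveal how much of a guess was correct.
        if hmac.compare_digest(stored, key):
            matched = True
    return matched


if __name__ == "__main__":
    for guess in ("CTF{MixedCase_Flag}", "CTF{LOWERCASE_ONLY}"):
        print(guess,
              "reported:", check_as_reported(guess, SAMPLE_FLAGS),
              "fixed:", check_static_flag(guess, SAMPLE_FLAGS))
```

The one-sided `.lower()` fails in both directions: it rejects the correct mixed-case flag and accepts a wrongly cased submission for an all-lowercase flag.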

Delete Challenges

Kind of silly that this isn't already implemented.

Delete challenges and delete all solves associated with that challenge.

c3.js is outdated and breaks the scoreboard chart

Version 0.4.0 of c3.js pulled from cloudflare in scoreboard.html breaks the scoreboard with this error (as taken from Chrome Dev Tools):

Failed to execute 'querySelectorAll' on 'Element': '.c3-selected-circles-[0]-TEAM_NAME' is not a valid selector.

The issue in c3.js for this exact problem is here: c3js/c3#711

The fix for me was pulling the latest c3.js, version 0.4.1 from Github and updating the references in scoreboard.html.

Should serve static asset libraries locally

Static asset libraries such as jQuery, font-awesome, etc. are served from various CDNs on the internet. While convenient, this can cause problems for CTFs with no or unreliable internet access, in addition to being a security risk for XSS attacks if a CDN gets compromised.

Ideally, CTFd would include these files under /static and serve them up itself (or via a reverse proxy web server if desired).

$ grep -ER '"(https?:)?//[^"]+"' . | grep -E '<link|<script'
./CTFd/templates/admin/base.html:    <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/css/normalize.min.css" />
./CTFd/templates/admin/base.html:    <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/css/foundation.min.css" />
./CTFd/templates/admin/base.html:    <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.4.0/css/font-awesome.min.css">
./CTFd/templates/admin/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.5.1/moment.min.js"></script>
./CTFd/templates/admin/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/vendor/jquery.js"></script>
./CTFd/templates/admin/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/vendor/modernizr.js"></script>
./CTFd/templates/admin/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/marked/0.3.2/marked.min.js"></script>
./CTFd/templates/admin/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/foundation.min.js"></script>
./CTFd/templates/admin/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/foundation/foundation.topbar.min.js"></script>
./CTFd/templates/admin/editor.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/codemirror.css">
./CTFd/templates/admin/editor.html:<script src="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/codemirror.min.js"></script>
./CTFd/templates/admin/graphs.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.4.13/d3.min.js"></script>
./CTFd/templates/admin/graphs.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.js"></script>
./CTFd/templates/admin/pages.html:<script src="https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.min.js"></script>
./CTFd/templates/admin/pages.html:<script src="https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/theme-github.js"></script>
./CTFd/templates/admin/pages.html:<script src="https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/mode-css.js"></script>
./CTFd/templates/admin/team.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.css">
./CTFd/templates/admin/team.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.5.1/moment.min.js"></script>
./CTFd/templates/admin/team.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.4.13/d3.min.js"></script>
./CTFd/templates/admin/team.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.js"></script>
./CTFd/templates/admin/teams.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.css">
./CTFd/templates/base.html:    <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/css/normalize.min.css" />
./CTFd/templates/base.html:    <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/css/foundation.min.css" />
./CTFd/templates/base.html:    <link rel="stylesheet" href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" />
./CTFd/templates/base.html:    <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/8.3/styles/railscasts.min.css">
./CTFd/templates/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.5.1/moment.min.js"></script>
./CTFd/templates/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/vendor/jquery.js"></script>
./CTFd/templates/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/vendor/modernizr.js"></script>
./CTFd/templates/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/marked/0.3.2/marked.min.js"></script>
./CTFd/templates/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/8.4/highlight.min.js"></script>
./CTFd/templates/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/foundation.min.js"></script>
./CTFd/templates/base.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/js/foundation/foundation.topbar.min.js"></script>
./CTFd/templates/chals.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.css">
./CTFd/templates/chals.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.5.1/moment.min.js"></script>
./CTFd/templates/chals.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.5.9/d3.min.js"></script>
./CTFd/templates/chals.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.10/c3.min.js"></script>
./CTFd/templates/profile.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.css">
./CTFd/templates/profile.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.5.9/d3.min.js"></script>
./CTFd/templates/profile.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.10/c3.min.js"></script>
./CTFd/templates/scoreboard.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.css">
./CTFd/templates/scoreboard.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.5.1/moment.min.js"></script>
./CTFd/templates/scoreboard.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.5.9/d3.min.js"></script>
./CTFd/templates/scoreboard.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.10/c3.min.js"></script>
./CTFd/templates/setup.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/codemirror.css">
./CTFd/templates/setup.html:<script src="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/codemirror.min.js"></script>
./CTFd/templates/team.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.10/c3.min.css">
./CTFd/templates/team.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.5.9/d3.min.js"></script>
./CTFd/templates/team.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.10/c3.min.js"></script>
./CTFd/templates/teams.html:<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.css">

Additionally, there seem to be multiple versions of certain assets being used from different templates.
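An added example (not part of the issue or of CTFd) that turns the grep output above into an audit: it lists the third-party hosts the templates load from, flags libraries pinned at more than one version, and records whether a tag carries a Subresource Integrity attribute, a check that goes beyond what the issue asks for. The first five sample lines are copied from the output above; the last line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

SAMPLE = """\
./CTFd/templates/admin/graphs.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.0/c3.min.js"></script>
./CTFd/templates/chals.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/c3/0.4.10/c3.min.js"></script>
./CTFd/templates/chals.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.5.9/d3.min.js"></script>
./CTFd/templates/admin/graphs.html:    <script src="//cdnjs.cloudflare.com/ajax/libs/d3/3.4.13/d3.min.js"></script>
./CTFd/templates/base.html:    <link rel="stylesheet" href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" />
./CTFd/templates/base.html:    <script src="/static/js/local.js"></script>
"""

# Matches <script>/<link> tags whose src/href points at another origin.
TAG_RE = re.compile(
    r'<(?P<tag>script|link)\b[^>]*?\b(?:src|href)='
    r'"(?P<url>(?:https?:)?//[^"]+)"[^>]*>'
)
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_refs(grep_output):
    """Return one record per externally hosted asset reference."""
    refs = []
    for line in grep_output.splitlines():
        template, _, html = line.partition(":")
        m = TAG_RE.search(html)
        if not m:
            continue  # locally served asset: nothing to audit
        host, _, path = m.group("url").split("//", 1)[1].partition("/")
        library = version = None
        segments = path.split("/")
        for i, seg in enumerate(segments):
            # CDN paths put the version right after the library name.
            if i > 0 and VERSION_RE.fullmatch(seg):
                library, version = segments[i - 1], seg
                break
        refs.append({
            "template": template,
            "host": host,
            "library": library,
            "version": version,
            "sri": "integrity=" in m.group(0),
        })
    return refs


def external_hosts(refs):
    """Every origin that can run script or style in the CTF's pages."""
    return sorted({r["host"] for r in refs})


def version_conflicts(refs):
    """Libraries loaded at more than one version across templates."""
    seen = defaultdict(set)
    for r in refs:
        if r["library"]:
            seen[r["library"]].add(r["version"])
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return {lib: sorted(vs, key=as_tuple)
            for lib, vs in seen.items() if len(vs) > 1}


if __name__ == "__main__":
    refs = parse_refs(SAMPLE)
    print("hosts:", external_hosts(refs))
    print("conflicts:", version_conflicts(refs))
    print("without SRI:", sum(not r["sri"] for r in refs), "of", len(refs))
```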

Next iteration of CTFd

Decouple front end and backend to improve themes and customization

Improve models to include the successful key

Add support for CTFTime's JSON scoreboard feed

Websockets (I don't think this should ever become a direct part of CTFd. I think running a separate server makes more sense...)

Deploy challenges using CTFd

HighCharts (This is dictated by the theme now. I'm happy with Plotly and anyone can use a theme with whatever graphing logic they wish)

Reported statistic for hits is incorrect

CTFd used to store every request made to it and was able to calculate hits based off of that. That caused the database to balloon to an unnecessary size and was thus removed. The statistics entry hasn't.

Remove it or update it. Might be best to store the value for hits in Config.

Markdown Preview

Most textareas on CTFd are rendered to users as Markdown. Should put a preview tab or something.

Delete a team/add a team....new team gets last teams points :)

OK, so if I have 3 teams on the system, and the last team I created has 25 points for a challenge.
If I delete that team, then immediately create a new team....that new team gets the same 25 points and same challenge solve, as the team I deleted.

I guess this is related to teams getting created in order (e.g. 1,2,3)...then if I delete team 3, it "frees up" that number for a new team to be created in that spot...but there's already solves against that spot.

:)

Thanks by the way, I love CTFd, planning to use it for a CTF in Australia in 6 weeks time.
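An added example (not CTFd's schema or code) that reproduces the behaviour described in this report and shows the two schema changes that prevent it. It assumes a SQLite backend; the table layouts, team names and the `replay` helper are hypothetical.

```python
import sqlite3

# Plain INTEGER PRIMARY KEY: SQLite hands out max(rowid)+1, so the id of
# the most recently deleted team is given to the next team created.
WEAK = """
CREATE TABLE teams  (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE solves (id INTEGER PRIMARY KEY, teamid INTEGER,
                     chalid INTEGER, points INTEGER);
"""

# AUTOINCREMENT alone stops id reuse but leaves the old solves orphaned.
ID_ONLY = """
CREATE TABLE teams  (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT);
CREATE TABLE solves (id INTEGER PRIMARY KEY, teamid INTEGER,
                     chalid INTEGER, points INTEGER);
"""

# Never-reused ids plus a cascading foreign key: deleting a team removes
# its solves in the same statement.
HARDENED = """
CREATE TABLE teams  (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT);
CREATE TABLE solves (id INTEGER PRIMARY KEY,
                     teamid INTEGER NOT NULL
                         REFERENCES teams(id) ON DELETE CASCADE,
                     chalid INTEGER, points INTEGER);
"""


def replay(schema):
    """Replay the report: three teams, the last one scores 25, is deleted,
    and a new team registers. Returns (new_team_id, new_team_score, orphans).
    """
    db = sqlite3.connect(":memory:")
    # SQLite ignores foreign keys unless this is set on every connection.
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(schema)
    for name in ("alpha", "bravo", "charlie"):  # constructed team names
        db.execute("INSERT INTO teams (name) VALUES (?)", (name,))
    db.execute("INSERT INTO solves (teamid, chalid, points) VALUES (3, 1, 25)")
    db.execute("DELETE FROM teams WHERE id = 3")
    new_id = db.execute(
        "INSERT INTO teams (name) VALUES (?)", ("delta",)).lastrowid
    score = db.execute(
        "SELECT COALESCE(SUM(points), 0) FROM solves WHERE teamid = ?",
        (new_id,)).fetchone()[0]
    # Integrity check worth running before an event: solves with no team.
    orphans = db.execute(
        "SELECT COUNT(*) FROM solves "
        "WHERE teamid NOT IN (SELECT id FROM teams)").fetchone()[0]
    db.close()
    return new_id, score, orphans


if __name__ == "__main__":
    for label, schema in (("weak", WEAK), ("id only", ID_ONLY),
                          ("hardened", HARDENED)):
        print(label, replay(schema))
```

With the weak schema the orphan query reports nothing after the new team registers, because the reused id makes the stale solve look legitimate.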

HTTP Session Conflicts

Just started experiencing this issue.

Two machines start out identical (download Kali amd64 image). Machine A logs into an account, for some reason when Machine B goes to the web portal it is now logged into that account as well. What is even more odd is when Machine B logs out, it does not log out Machine A.

I've reproduced this issue three times from the latest build.

Forgot password not working?

Forgot password function not working. This is config file:
ADMINS = ['xxxxxxxx']

# EMAIL (if not using Mailgun)
CTF_NAME = 'KMA'
MAIL_SERVER = 'smtp.googlemail.com'
MAIL_PORT = 465
MAIL_USE_TLS = False
MAIL_USE_SSL = True
MAIL_USERNAME = 'xxxxxxxxx'
MAIL_PASSWORD = 'yyyyyyyyy'

What's wrong? And how do I fix it?
Tks!

MySQL Integration

Do you have any documentation for deploying CTFd with a MySQL database vs SQLite?

New Design

The default Foundation look is pretty drab. A design overhaul would be great.

challenge title problem

When I compose a challenge title with an apostrophe (') there was some problem.
Every registered challenge layout broke down.

views.py misses bcrypt_sha256 import

CTFd/views.py uses bcrypt_sha256 but never imports it from passlib. A NameError exception will be raised e.g. whenever a user tries to update his account information.

CTF Start/Finish Times

I'm not sure how the Start Date/End Date functions work.

I've tried a few date/time formats, and as soon as I enter something and click "Update" they disappear.

How can I tell if they have applied?

Is there any chance of "Start CTF" and "Stop CTF" buttons in the Admin console? So we could do it manually.

Cheers

CTFd with no internet connection - Missing css

I'm gonna be using CTFd for a CTF on a local network, but there will be no internet access available on the network. (People might have their own via tethering etc)

I've noticed when accessing CTFd without an internet connection, the layout is missing parts etc. Is this due to some of the CSS files being based online?

e.g -

See below screenshots of with/without internet access

cc-styles-working
cc-styles

Am I able to download the required CSS files, and host locally, then modify the HTML pages in /templates to point to their new location? Should that work nicer without any available internet?

Feature Scoreboard Auto Refresh

It would be a nice feature if the scoreboard page could include some javascript to automatically refresh the data at a standard interval.
