mcpa-stlouis / hack-the-arch Goto Github PK

View Code? Open in Web Editor NEW

66.0 9.0 29.0 3.58 MB

Welcome to HackTheArch! A free open source scoring server for cyber Capture the Flag competitions!

Home Page: https://hackthearch.herokuapp.com

License: MIT License

Ruby 60.91% JavaScript 0.50% CoffeeScript 3.41% HTML 26.74% Dockerfile 0.94% Shell 1.19% Go 2.44% HCL 0.36% SCSS 3.52%

ctf-scoreboard ctf-framework ctf-platform ctf-events

hack-the-arch's Introduction

HackTheArch

This is a scoring server built using Ruby on Rails by the Military Cyber Professionals Association (MCPA). It is free to use and extend under the MIT license (see LICENSE file). The goal of this project is to provide a standard generic scoring server that provides an easy way to add and modify problems and track statistics of a Cyber Capture the Flag event. While it's not recommended, this server can be hosted with your challenges but we do recommend sand-boxing your challenges so they do not affect the scoring server.

Want to see it in action? Live Demo hosted here and screenshots here!

What's different about HackTheArch?

We created this application after using the PicoCTF platform for our annual CTF. It was okay, but we found it lacking some features that we wanted. We wanted a way to be able to offer competitors hints for a cost, and we also wanted a way to create and modify problems from a web interface. We looked around and didn't see any others that met our requirements. CTFd: at the time, had no web admin interface for creating challenges. Root The Box: We didn't like all the extra stuff with the bank accounts and it just seemed too complex for our needs. So we decided to roll our own scoring server and now you can benefit from our hard work! This application implements an optional dynamic hint system which will deduct points for requesting hints and also implements a web interface for creating and modifying hints and challenges. We hope you enjoy this application and are open to feedback so let us know what you like, hate, would like to see added, etc...

Requirements

Ruby version 3.1
Activation and password reset e-mails depend on Heroku SendGrid add-on configuration (this feature can be optionally disabled or easily modified to be used with other mailers)
To store challenge pictures in the production environment, you'll need to modify 'config/initializers/carrier_wave.rb' to work with your cloud storage solution
See Gemfile for further requirements

Deployment Options

Manual Deployment

To manually deploy HackTheArch, be sure to download the latest stable release here, or checkout the 'master' branch. For the latest features and a less-stable version, checkout the 'dev' branch.

Docker

A Dockerfile is included along with a docker-compose.yml for deploying a containerized version of HackTheArch. More detailed instructions can be found in: the Docker README.

Heroku

A few things must be configured to deploy to Heroku:
1. Create a HOST environment variable that contains the url for your app (e.g., HOST=hackthearch.herokuapp.com).
2. For mailer support, add the sendgrid addon before deploying (heroku addons:create sendgrid:starter). More info on Sendgrid here.
3. For live streaming (submissions, chat, etc...), add the Redis To Go addon.

Notes

All deployments of HackTheArch require some a way to send account activation e-mails (or alternatively activation e-mails can be disabled in the admin console). With Heroku, you can use the Sendgrid plugin, otherwise, you'll need to configure the mailer options in config/environments/production.rb.
To initialize the database, run: bundle exec rails db:seed. After initialization, the admin login credentials will be: [email protected] : password
Important: It is highly advised that you immediately change the admin credentials post-deployment
- While any user may be made an admin, it can only be done manually in the database. This is to prevent privilege escalation through the web interface.

More configuration details on our project wiki.

Contribute and Contact

Want to help?

Want to add a new feature or fix a bug? Check out a branch and submit working code with tests via pull request to merge into the 'dev' branch.
Check out the slack channel for more.
Test coverage would be a good place to start: here

Contact

Paul Jordan @ paullj1[at]gmail[dot]com
Raymond Evans @ REvans[at]CyDefe[dot]com

Acknowledgements

Base code derived from the Rails Tutorial by Michael Hartl

hack-the-arch's People

Contributors

Stargazers

Watchers

hack-the-arch's Issues

Hints can only be a max of 1000 points

hack-the-arch/app/models/hint.rb
validates :points, presence: true, inclusion: { in: 0..1000 }

I'm editing it for my CTF (Since our points per challenge are maxing out at 25k) -- The error message it returns is completely unhelpful as well with (Points is not in the list)

Install on other platforms

Team,

Is is possible to get this as a docker bundle, or install directions for standard linux, like ubunutu? (but complete instructions)

Thanks,
Eric

[Question] Maximum number of submissions per team

In the Scoring menu (admin view), Maximum number of submissions per team value is per challenge or for all the CTF duration?

Hints Display overflow and spam

If you enter a very long hint it causes the hint display box to not expand correctly or wrap the text.
also noticed that hint_table is included more then once on the page, I'm up to about 120 challenges and its not uncommon for the entire page to start hard locking in chrome or firefox as a admin.

Simple Content Editor for the static pages

Mostly for the newbies or quick CTFs, it's hard to edit the static pages of a CTF as it requires editing the templates on the backend.

Better install instructions

It is possible to provide a more detailed install guide (in README or docs/wiki).

As this one I wrote on another project https://github.com/mitre-cyber-academy/ctf-scoreboard/blob/d59eced1dbf6830015c35687667afb89a54eba7e/README.md

I'll maybe PR when I'll have time.

[Question] Use bracket based handicap system

I understand that bracket is a category of players like Professional or Student.

But in the General tabs of the Settings page (admin panel), what is the Use bracket based handicap system and how does it works?

Topics

You may want to add some topics to hack-the-arch repository like:

ctf-framework
ctf-platform

ctf-scoreboard

This will increase the searchability and accessibility of the repository. A lot of repository are hard to fidn today.

See https://help.github.com/articles/about-topics/

Email + Sendgrid

To help with Docker Deployments, I suggest switching to the REST API for Sendgrid, and just calling for the API Key, Interfacing with Sendgrid's API is pretty stupid easy

Most providers block all the ports you would use for the SMTP versions of sendgrid

Functionality of Brackets

I sent the devs an email, but I thought it would be proper to open a ticket on the repo as well.

Currently our CTF platform is Mellivora that has been slightly modified to utilize the User Types functionality to only display Challenges based on the User Type. I wonder if HTA has this capability, or if it would be easily implemented. I have very little Ruby experience, otherwise I would do it myself. Any insight is appreciated.

Fail to buid json gem

I often have this json build error:

Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

    current directory: /tmp/bundler20170506-4135-1362aq7json-1.8.3/gems/json-1.8.3/ext/json/ext/generator
/usr/bin/ruby -r ./siteconf20170506-4135-1ccu47r.rb extconf.rb
creating Makefile

current directory: /tmp/bundler20170506-4135-1362aq7json-1.8.3/gems/json-1.8.3/ext/json/ext/generator
make "DESTDIR=" clean

current directory: /tmp/bundler20170506-4135-1362aq7json-1.8.3/gems/json-1.8.3/ext/json/ext/generator
make "DESTDIR="
compiling generator.c
generator.c: In function ‘generate_json’:
generator.c:861:25: error: ‘rb_cFixnum’ undeclared (first use in this function)
     } else if (klass == rb_cFixnum) {
                         ^~~~~~~~~~
generator.c:861:25: note: each undeclared identifier is reported only once for each function it appears in
generator.c:863:25: error: ‘rb_cBignum’ undeclared (first use in this function)
     } else if (klass == rb_cBignum) {
                         ^~~~~~~~~~
make: *** [Makefile:242: generator.o] Error 1

make failed, exit code 2

Gem files will remain installed in /tmp/bundler20170506-4135-1362aq7json-1.8.3/gems/json-1.8.3 for inspection.
Results logged to /tmp/bundler20170506-4135-1362aq7json-1.8.3/extensions/x86_64-linux/2.4.0/json-1.8.3/gem_make.out

An error occurred while installing json (1.8.3), and Bundler cannot continue.
Make sure that `gem install json -v '1.8.3'` succeeds before bundling.

For now HTA seems to specific to your need only and seems not mature enough to be production ready as CTFd or RootTheBox.

Maybe this CTF platform is good but I can't say as I never managed to install it. Install this platform seems to require good knowledge about ruby / rake debugging.

Subtract score for incorrect answers

Request for new feature: In the scoring configuration, add another section that you can define a penalty for wrong answers.

Order of Challenges

This is annoying... I swear its pure random.

Static pages in app/views/static_pages/ are not updating

I was trying to edit some of the static pages for the project and the project is not updating the pages with the changes I have made. I have tried clearing my browser cache, using a different computer to view the changes, restarting the Docker application I am using, restarting the server, comparing output of erb -x file.html.erb and what I see on the website (the erb -x file.html.erb command actually is reflecting the changes I made), and editing my .env file in accordance to this article:
config.cache_classes = false
config.action_controller.consider_all_requests_local = true
config.action_controller.perform_caching = false

I haven't changed any of the settings short of the ones above.
Here are some of the settings that I am using to run the application:
Docker image - run with docker-compose up
Environment: production
Version 3.11.3 (ruby 2.5.1-p57), codename: Love Song

Would anyone have an idea of what I'm missing?

[Request] hack-the-arch working with other databases

Is it possible to make hack-the-arch working with other databases (than postgresql) like mariadb?

[v2.0.1] puma 3.4.0 fails to build on ruby 2.3.1

On last release (v2.0.1) using ruby 2.3.1 puma 3.4.0 fails to build:

gem install puma -v '3.4.0'
Building native extensions.  This could take a while...
ERROR:  Error installing puma:
	ERROR: Failed to build gem native extension.

    current directory: /home/shark/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/ext/puma_http11
/home/shark/.rvm/rubies/ruby-2.3.1/bin/ruby -r ./siteconf20170923-23774-1dauaqn.rb extconf.rb
checking for BIO_read() in -lcrypto... yes
checking for SSL_CTX_new() in -lssl... yes
checking for openssl/bio.h... yes
creating Makefile

current directory: /home/shark/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/ext/puma_http11
make "DESTDIR=" clean

current directory: /home/shark/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/ext/puma_http11
make "DESTDIR="
compiling puma_http11.c
compiling mini_ssl.c
mini_ssl.c: In function ‘get_dh1024’:
mini_ssl.c:90:5: error: dereferencing pointer to incomplete type ‘DH {aka struct dh_st}’
   dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
     ^~
mini_ssl.c: In function ‘engine_init_server’:
mini_ssl.c:161:3: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
   DH *dh = get_dh1024();
   ^~
mini_ssl.c:165:3: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
   EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_secp521r1);
   ^~~~~~
mini_ssl.c: In function ‘engine_init_client’:
mini_ssl.c:192:3: warning: ‘DTLSv1_method’ is deprecated [-Wdeprecated-declarations]
   conn->ctx = SSL_CTX_new(DTLSv1_method());
   ^~~~
In file included from /usr/include/openssl/ct.h:13:0,
                 from /usr/include/openssl/ssl.h:61,
                 from mini_ssl.c:15:
/usr/include/openssl/ssl.h:1630:1: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_method(void)) /* DTLSv1.0 */
 ^
make: *** [Makefile:239: mini_ssl.o] Error 1

make failed, exit code 2

Gem files will remain installed in /home/shark/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0 for inspection.
Results logged to /home/shark/.rvm/gems/ruby-2.3.1/extensions/x86_64-linux/2.3.0/puma-3.4.0/gem_make.out

Docker Install issues

On the docker install, I couldn't get this to run.
docker-compose run web rails db:migrate
It says:
ERROR: Cannot start service web: oci runtime error: container_linux.go:262: starting container process caused "exec: "rails": executable file not found in $PATH"

I'd try a normal install, but I don't see good instructions for it if you're not looking to deploy this publicly on Heroku. This is my first time trying to use Ruby.. Seems way more complicated than Python, Node, or anything else... banging my head trying to get hack-the-arch running.

Contribution improvments

Link to slack channel is good but we need an invitation to join, so please add a link for invitation in teh README and in the Wiki.

Also I wanted to add some infos on the Wiki but it is read only. I took some screenshots of the app and wanted to put them on the wiki (and add a link on the README). Because some screenshot are always a good thing for a project and people can't view the admin panel on teh demo site (without installing).

So can you add me in the project that I can edit wiki ?

Puma - Infinite restart

I wasn't able to access to localhost:3000 so I checked the docker web container and see puma is infinitely restarting.

Docker-compose logs:

web_1  | [1] Puma starting in cluster mode...
web_1  | [1] * Version 3.4.0 (ruby 2.3.1-p112), codename: Owl Bowl Brawl
web_1  | [1] * Min threads: 5, max threads: 5
web_1  | [1] * Environment: production
web_1  | [1] * Process workers: 2
web_1  | [1] * Preloading application
web_1  | [1] * Inherited ssl://0.0.0.0:3000?key=certs/server.key&cert=certs/server.crt
web_1  | [1] Use Ctrl-C to stop
web_1  | [1] - Worker 0 (pid: 1738) booted, phase: 0
web_1  | [1] - Worker 1 (pid: 1740) booted, phase: 0
web_1  | [1] - Gracefully shutting down workers...
web_1  | [1] * Restarting...
web_1  | [1] Puma starting in cluster mode...
web_1  | [1] * Version 3.4.0 (ruby 2.3.1-p112), codename: Owl Bowl Brawl
web_1  | [1] * Min threads: 5, max threads: 5
web_1  | [1] * Environment: production
web_1  | [1] * Process workers: 2
web_1  | [1] * Preloading application
web_1  | [1] * Inherited ssl://0.0.0.0:3000?key=certs/server.key&cert=certs/server.crt
web_1  | [1] Use Ctrl-C to stop
web_1  | [1] - Worker 0 (pid: 1768) booted, phase: 0
web_1  | [1] - Worker 1 (pid: 1773) booted, phase: 0
web_1  | [1] - Gracefully shutting down workers...
web_1  | [1] * Restarting...
web_1  | [1] Puma starting in cluster mode...

CTFd has an admin interface

CTFd has had an admin interface for quite some time now :)

[Request] Category managment

When an admin create a problem/challenge, there is a field Category.

This field allow a string value. But it could be nice to add a Category menu where admin is able to add or edit categories. And so in the create a problem page the Category field wan be a drop down menu with existing categories.

Let Encrypt for SSL and Docker

Just another suggestion, Built-In lets encrypt, just set the hostname in the .env and a flag to turn on lets encrypt

acme.sh is a pretty good base for this.

docker-compose error

Seems there is an error or a step is missing in DOCKER_README.md ?

docker-compose up -d
Creating network "hackthearch201_default" with the default driver
Creating volume "hackthearch201_hta" with default driver
Creating volume "hackthearch201_redis" with default driver
Creating volume "hackthearch201_postgres" with default driver
Pulling rd (redis:3.2)...
ERROR: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

If I directly access https://registry-1.docker.io/v2/ it says I need to be authenticated, why?

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}

Ruby version

Is it possible to make hack-the-arch working on Ruby 2.3.1+ and not only ruby 2.3.3 (ex: ruby 2.4.0)?

Feature: ability for admin to send e-mail to signed up users

Should have a form in the settings page that allows the admin to send an e-mail to all active users. Form should have two text areas:

Subject:
Message:

E-mail should prepend the subject with "[competition_name] ".

how can I run it on http

how can I run it on http?

puma fails to start with default configuration

puma fails to start with default configuration:

$ ./start_local
(in /home/noraj/hack-the-arch-2.0.1)
/home/noraj/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/lib/puma/dsl.rb:26:in `read': No such file or directory @ rb_sysopen - config/puma.rb (Errno::ENOENT)
	from /home/noraj/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/lib/puma/dsl.rb:26:in `_load_from'
	from /home/noraj/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/lib/puma/dsl.rb:9:in `load'
	from /home/noraj/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/lib/puma/configuration.rb:204:in `block in load'
	from /home/noraj/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/lib/puma/configuration.rb:201:in `each'
	from /home/noraj/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/lib/puma/configuration.rb:201:in `load'
	from /home/noraj/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/lib/puma/launcher.rb:62:in `initialize'
	from /home/noraj/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/lib/puma/cli.rb:65:in `new'
	from /home/noraj/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/lib/puma/cli.rb:65:in `initialize'
	from /home/noraj/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/bin/puma:8:in `new'
	from /home/noraj/.rvm/gems/ruby-2.3.1/gems/puma-3.4.0/bin/puma:8:in `<top (required)>'
	from /home/noraj/.rvm/gems/ruby-2.3.1/bin/puma:22:in `load'
	from /home/noraj/.rvm/gems/ruby-2.3.1/bin/puma:22:in `<main>'
	from /home/noraj/.rvm/gems/ruby-2.3.1/bin/ruby_executable_hooks:15:in `eval'
	from /home/noraj/.rvm/gems/ruby-2.3.1/bin/ruby_executable_hooks:15:in `<main>'

Setting Admins within the control panel

Right now to set an admin you have to do it within the database, this is not ideal as you might want more than one admin able to add challenges in or manage users / teams.

Installation not clear enought

Is it possible to create a clear installation guide because the README lacks the following points:

pacman -S postgresql or whatever but postgresql installed needed
gem install bundler
blundle install
rails db:migrate before bundle exec rake db:seed

Then we it's not clear that we need to go in OfflineSetup and launch start_local.

Update to a more recent version of ruby

After install ruby 2.3.1(used in release v 2.0.1) with rvm I get the following warning:

Install of ruby-2.3.1 - #complete 
Please be aware that you just installed a ruby that requires 2 patches just to be compiled on an up to date linux system.
This may have known and unaccounted for security vulnerabilities.
Please consider upgrading to ruby-2.4.2 which will have all of the latest security patches.

MITRE CTF Scoreboard & multi-category challenge/tags support

I know you tried, picoCTF, CTFd, and RootTheBox, but did you tried another ruby CTF framework named MITRE CTF Scoreboard? https://github.com/mitre-cyber-academy/ctf-scoreboard

It is great and the administration interface is especially well, maybe you will find nice ideas, features or piece of code here.

Also I trying to work with them to implement a multi-category challenge / tags support system. (see
mitre-cyber-academy/ctf-scoreboard#122). I would be great if HTA have an alternative scoreboard view too.

#!/bin/bash

# https://cloud.google.com/storage/docs/json_api/v1/buckets
export GOOGLE_BUCKET=GOOGLE_BUCKET_NAME
export GOOGLE_ACCESS_KEY=GOOGLE_BUCKET_ACCESS_KEY
export GOOGLE_SECRET_KEY=GOOGLE_BUCKET_SECRET_KEY

# https://stripe.com
export STRIPE_PUBLISHABLE_KEY=YOUR_STRIPE_PUBLISHABLE_KEY
export STRIPE_SECRET_KEY=YOUR_STRIPE_SECRET_KEY

# https://sendgrid.com
export SENDGRID_PASSWORD=YOUR_SENDGRID_PASSWORD
export SENDGRID_USERNAME=YOUR_SENDGRID_USERNAME

export DATABASE_URL=YOUR_POSTGRESQL_URL # postgres://user@address/database 
export SECRET_KEY_BASE= # Use `bundle exec rake secret` to generate a secure secret key.

export RAILS_ENV=production
export RACK_ENV=production
export RAILS_SERVE_STATIC_FILES=enabled
export LANG=en_US.UTF-8
export PORT=80 # For non-SSL connections (will automatically force SSL if used)

key=/path/to/server/key
cert=/path/to/server/cert

rake assets:precompile 
bundle exec puma -C config/puma.rb -b 'ssl://0.0.0.0:443?key='$key'&cert='$cert