Skip to content

A flag submitter service with distributed attackers for attack/defense CTF games.

License

Notifications You must be signed in to change notification settings

CybSec-NITW/CTFsubmitter

 
 

Repository files navigation

CTF submitter

While playing ruCTFe 2015 some of our "attack" scripts didn't work as expected, flooding the game infrastructure with invalid flags (sorry guys!). We decided then to write a centralized "flag submit" service with a rest api which would act as a filter and be able to tell us if some of the attack scripts are submitting too many invalid flags. In the end it worked out pretty well! :)

Please keep in mind that this code was written in a hurry, planning to use it locally during ctfs: don't expect it to be (perfect || secure || bug free). If you find a bug, add a new feature please contribute with a pull request. If you like it or use it feel free to drop us a line ;)

stats screenshot

Submitter service

This webservice is responsible for receiving flags, and storing them togheter with statistics inside the DB. Please start this one first to setup the database the first time. The service is based on bottle.py and we used cherrypy for our deploy:

python submitter.py

You will also need an instance of the "worker" which will submit the flags to the game infrastructure:

python worker.py

Requirements

  • bottle
  • pymongo>=3.0

for RuCTFe:

  • pwntools

for iCTF:

  • ictf

It was tested with mongodb 2.6.x

nginx

It is advisable to put an nginx in front of the submitter service, look at nginx_submitter.conf for an example config.

Stats service

you will need another virtualenv since right now motor doesn't wrap pymongo 3

python stats.py

Requirements

  • tornado
  • motor

TODO

  • cleanup and "plugin" handling
  • complete service/team statistics
  • management script
  • tests
  • better log message handling
  • better handling of exceptions
  • blacklist ip/user temporarily if too many wrong flags are submitted
  • rewrite the stats frontend since it's just plain jquery
  • reorganize the code base, and allow the stats service and logger to use a different backend other than mongodb
  • add cold restart button in case of failures of the service
  • add a raw socket interface to submit flags
  • possibly add authentication to use the service not only locally

About

A flag submitter service with distributed attackers for attack/defense CTF games.

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 51.3%
  • CSS 20.6%
  • JavaScript 10.9%
  • HTML 8.4%
  • Go 7.0%
  • C 1.6%
  • Shell 0.2%