Capture the Flag (CTF) in computer security is an exercise in which "flags" are secretly hidden in purposefully-vulnerable programs or websites. Competitors steal flags either from other competitors (attack/defence-style CTFs) or from the organizers (jeopardy-style challenges). Several variations exist, including hiding flags in hardware devices. Competitions exist both online and in-person, and can be advanced or entry-level.
Security CTFs are usually designed to serve as an educational exercise to give participants experience in securing a machine, as well as conducting and reacting to the sort of attacks found in the real world.
Classic CTF activities include reverse-engineering, packet sniffing, protocol analysis, system administration, programming, cryptanalysis, and writing exploits, among others. In an attack/defence style competition, each team is given a machine (or a small network) to defend—typically on an isolated competition network. Teams are scored on both their success in defending their assigned machine(s) and on their success in attacking the other teams' machines. A variation on classic flag-stealing is to "plant" one's own flags on opponents' machines.
To host CCTF properly on a web server, the following requirements should be satisfied:
- Install the 64-bit server version of Ubuntu.
- Apache should be installed and running.
- The SSH service should be running.
- PHP, phpMyAdmin, MySQL and MariaDB should also be installed.
- Python3 should be installed.
- 64-bit CPU architecture
- 8GB RAM
- 500GB hard disk
- Internet connectivity with low latency
After logging in you can view the Dashboard page. On the Dashboard page you can see who has solved which problem, along with ranks. You can also view the count of the following:
- Verified Users
- Pending Users
- Challenges in the competition
- Categories in the competition
In the Leaderboard tab you can view the rank of the users along with other details such as:
- Name of the user
- Score of the user
- Number of challenges solved
- Time of last submission
The third tab is the Challenges tab, where you can view the challenges currently added to the competition and add new CTF challenges by clicking on the ADD button.
The next tab is the Categories tab, where you can view the current categories and add a new category to the competition.
The next tab is the Visitors tab, where you can read any queries or messages sent by the participants.
Lastly there is the Sudo Zone tab, which contains the sub-tabs Key Generate, Permission, Settings, and Home.
Key Generate
When a participant forgets his/her password, they may reset their password using a unique key generated by an admin.
To generate the key the admin needs to visit this Key Generate tab and enter the email of the respective participant. Then admin can provide the key to the participant.
Permissions
When a participant registers for the competition he/she needs to be authenticated by an admin to play the competition. The admin may provide the authentication from the permissions tab. If a participant is found to use unfair means, his/her account may be deactivated from the permissions tab.
Settings
The admin may change his/her name and password from the settings tab.
Home
The home tab brings you out of the Sudo Zone.
The first step is to visit the CTF URL page and click on the Let's Go button.
Then you will have to register yourself by clicking on the Sign Up tab.
After registration you need to wait till the admin has verified your account and given you access to login.
After your account is verified you may login to the website and start playing the competition.
The home page may look something like this. Here you will find all the questions.
You can submit the flag in the dialog of the question itself.
You can view your current score, number of challenges solved, your rank and the remaining time in the left-hand side of the panel.
You may check your rank from the Leaderboard tab.
You can change your name and password from the Settings tab.
You can send us a message using the Contact Us page.
If you forget your password, click on the Forgot password option on the login page, contact the admin, and wait until the admin has issued the one-time secret key from his/her end. Then enter your email-ID and the secret key provided by the admin and click the submit button. After that you can reset your password and log in.
- Enter the command to download install.sh:
  ```
  wget https://raw.githubusercontent.com/ISS-CDACK/CCTF/main/install.sh
  ```
- Open install.sh in a text editor and modify the mysql_root_password, phpmyadmin_db_password, phpmyadmin_instance_username, phpmyadmin_instance_password, code_username, code_user_pass, admin_username, admin_password, secure_host, ctf_db_name, and port_number variables according to your needs.
- Make install.sh executable:
  ```
  sudo chmod +x install.sh
  ```
- Run the script:
  ```
  sudo ./install.sh
  ```
- Installation Complete 🎉🎉
1. Check for Root User
   Ensure that you are logged in as the root user or have sudo privileges.
   ```
   whoami
   ```
2. Install Required Software
   Update the package lists and install Git, Apache2, MariaDB, and PHP.
   ```
   sudo apt update
   sudo apt install git apache2 mariadb-server mariadb-client php php-common php-mysql php-gmp php-curl php-intl php-mbstring php-xmlrpc php-gd php-xml php-cli php-zip -y
   ```
3. Configure MySQL
   Secure the MySQL installation with the provided root password.
   ```
   sudo mysql_secure_installation
   ```
4. Install phpMyAdmin
   Install and configure phpMyAdmin.
   ```
   sudo apt install -y phpmyadmin
   ```
   Edit /etc/apache2/conf-available/phpmyadmin.conf to include `AllowOverride All` within the `<Directory /usr/share/phpmyadmin>` block.
5. Create phpMyAdmin Authentication
   Create .htaccess and .htpasswd files for phpMyAdmin authentication.
   ```
   sudo nano /usr/share/phpmyadmin/.htaccess
   ```
   Add the following content:
   ```
   AuthType Basic
   AuthName "Restricted Files"
   AuthUserFile /etc/phpmyadmin/.htpasswd
   Require valid-user
   ```
   Create a user (htpasswd prompts for the password, so it does not end up in your shell history):
   ```
   sudo htpasswd -c /etc/phpmyadmin/.htpasswd <username>
   ```
   Replace `<username>` with the desired username.
6. Change phpMyAdmin Port
   Create a new Apache Virtual Host configuration file for phpMyAdmin with the desired port number.
   ```
   sudo nano /etc/apache2/sites-available/phpmyadmin.conf
   ```
   Add the following content:
   ```
   Listen <port_number>
   <VirtualHost *:<port_number>>
       ServerName localhost
       DocumentRoot /usr/share/phpmyadmin
       <Directory /usr/share/phpmyadmin>
           Options Indexes FollowSymLinks
           DirectoryIndex index.php
           AllowOverride All
           Require all granted
       </Directory>
       Include /etc/phpmyadmin/apache.conf
       ErrorLog ${APACHE_LOG_DIR}/phpmyadmin.error.log
       CustomLog ${APACHE_LOG_DIR}/phpmyadmin.access.log combined
   </VirtualHost>
   ```
   Replace `<port_number>` with the desired port number.
7. Enable and Reload Apache
   Enable the new phpMyAdmin site and reload Apache.
   ```
   sudo a2ensite phpmyadmin.conf
   sudo systemctl reload apache2
   ```
8. Configure MySQL Database
   Log in to MySQL and create a database for the CTF, add users, and change the root password.
   ```
   sudo mysql -u root -p
   ```
   ```sql
   CREATE DATABASE `CDAC-K_CTF` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
   GRANT ALL ON `CDAC-K_CTF`.* TO '<admin_username>'@'<secure_host>' IDENTIFIED BY '<admin_password>';
   GRANT SELECT, INSERT, UPDATE ON `CDAC-K_CTF`.* TO '<code_username>'@'localhost' IDENTIFIED BY '<code_user_pass>';
   ALTER USER 'root'@'localhost' IDENTIFIED BY '<mysql_root_password>';
   FLUSH PRIVILEGES;
   ```
   The `GRANT ... IDENTIFIED BY` form creates the user and grants in one statement on MariaDB; on MySQL 8 run `CREATE USER` first. Note that the application user (`<code_username>`) deliberately gets only SELECT, INSERT and UPDATE, so keep the admin account separate from the one placed in config.php.
9. Clone and Configure CTF Application
   Clone the CTF repository and configure the config.php file.
   ```
   git clone https://github.com/ISS-CDACK/CCTF.git
   sudo cp -r CCTF/. /var/www/html/
   sudo rm -rf CCTF/
   ```
   Edit the copied config.php (under /var/www/html after the copy above) to update the database credentials.
10. Finalize Apache Configuration
    Enable mod_rewrite and restart Apache.
    ```
    sudo a2enmod rewrite
    sudo service apache2 restart
    ```
11. Set Permissions
    ```
    sudo chmod 644 /usr/share/phpmyadmin/.htaccess /etc/phpmyadmin/.htpasswd
    sudo chown -R www-data:www-data /var/www/html
    sudo chmod -R g+w /var/www/html
    ```
There is a scoreboard in the index page which shows the leaderboard without logging in.
The start time and end time of the competition can be configured. To configure them manually, open /includes/comp_time.php and change the start and end time variables by providing the respective UNIX timestamps.
Alternatively, you can run the following python3 script with sudo privileges; it takes the dates as user input and updates the timestamps automatically.
Note: /includes/comp_time.php must be kept inside the /var/www/html directory.
```python
#!/usr/bin/python3
import os
import sys
import math
from datetime import datetime


def check_privileges():
    # comp_time.php lives under /var/www/html, so writing it needs root or sudo
    if not os.environ.get("SUDO_UID") and os.geteuid() != 0:
        sys.exit("The Code Must be run as root")


check_privileges()
print('NB: Put Date In 24 Hour Format Only')
print('***********************************\n')
start_timestamp = ''
end_timestamp = ''


def make_timestamp(get_time):
    # Parse "DD.MM.YYYY HH:MM:SS" (interpreted in the server's local time zone)
    # and return a whole-second UNIX timestamp, which is what comp_time.php expects
    date_time = datetime.strptime(get_time, '%d.%m.%Y %H:%M:%S')
    ts = date_time.timestamp()
    # * 1000   (milliseconds are not needed; PHP time() works in seconds)
    floor_value = math.floor(ts)
    return floor_value


start_input_date = input('Enter Ctf Start Date with time in this format ("23.02.2012 09:12:00") : ')
try:
    start_timestamp = str(make_timestamp(start_input_date))
except Exception:
    sys.exit("Wrong Ctf Start time Value")

end_input_date = input('Enter Ctf End Date with time in this format ("23.02.2012 09:12:00") : ')
try:
    end_timestamp = str(make_timestamp(end_input_date))
except Exception:
    sys.exit("Wrong Ctf End time Value")

# Rewrite comp_time.php with the two timestamps as PHP variables
content = "<?php\n$ctf_start_time = " + start_timestamp + ";\n$ctf_end_time = " + end_timestamp + ";\n?>"
with open("/var/www/html/includes/comp_time.php", "w") as f:
    f.write(content)
print('CTF Start And Ending Time Update Successful')
```
There is a PHP file named showtime.php which shows the time remaining of the competition.
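As an added example (not part of the CCTF project), the following script reads the comp_time.php layout that the timestamp script above writes, rejects a file whose end time is not after its start time, and computes the competition state and remaining seconds the way showtime.php needs them. It assumes the page's path /var/www/html/includes/comp_time.php; the `SAMPLE` string is a constructed stand-in for a real file.

```python
#!/usr/bin/python3
import re
import time

# Matches the two integer UNIX timestamps the page's script writes into comp_time.php
COMP_TIME_RE = re.compile(
    r"\$ctf_start_time\s*=\s*(\d+)\s*;.*?\$ctf_end_time\s*=\s*(\d+)\s*;",
    re.S,
)


def parse_comp_time(php_source):
    """Return (start, end) from comp_time.php text.

    Raises ValueError if either variable is missing or the window is
    empty or inverted, so a mis-typed date cannot silently end the CTF
    before it starts."""
    m = COMP_TIME_RE.search(php_source)
    if m is None:
        raise ValueError("comp_time.php does not define both timestamps")
    start, end = int(m.group(1)), int(m.group(2))
    if end <= start:
        raise ValueError("ctf_end_time must be later than ctf_start_time")
    return start, end


def competition_status(start, end, now=None):
    """Return (state, seconds): 'pending' with seconds until start,
    'running' with seconds until end, or 'ended' with seconds since end."""
    now = int(time.time()) if now is None else now
    if now < start:
        return "pending", start - now
    if now < end:
        return "running", end - now
    return "ended", now - end


def load_status(path="/var/www/html/includes/comp_time.php", now=None):
    # Assumed path from the page; read the live file and report its state
    with open(path) as f:
        return competition_status(*parse_comp_time(f.read()), now=now)


# Constructed sample in the exact layout the page's script produces (24 h window)
SAMPLE = "<?php\n$ctf_start_time = 1700000000;\n$ctf_end_time = 1700086400;\n?>"

if __name__ == "__main__":
    start, end = parse_comp_time(SAMPLE)
    print(competition_status(start, end))
```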
Right-click is disabled by default to make the competition more challenging.
The following links can be useful:
- https://ubuntu.com/download/server
- https://magefan.com/blog/install-local-lamp-server-for-ubuntu
- https://magefan.com/blog/how-to-install-phpmyadmin
- https://www.digitalocean.com/community/tutorials/how-to-install-mariadb-on-ubuntu-20-04