ecchilds
commented
3 years ago On November 26, 2018, a commonly used NPM package, event-stream, was altered to contain malicious code. This code, which had been uploaded to one the packages dependencies, flatmap-stream, was designed to siphon bitcoins from user's wallets. Though event-stream later wrote out the offending package, this raises an interesting point for a vector of supply chain attack.
For a CTF level built around this exploit, the flag would be the section of code siphoning bitcoins. For this, we would need a web app/server running off of javascript or python. This would be run on the user's local machine, and it would be their job to find which dependency is the source of the bitcoin siphoning code. For portability, this website would be contained in a docker image; python maintains it's own docker base image that we could use, while lts-alpine is a common image used for javascript.
To prevent putting malicious code out there, we would either need a library stored on NPM or Pypi that does not actually siphon bitcoins, but looks like it does to the user, or we would need our own private repo that the web app accesses. In the latter case, this could be accomplished by hosting the code on a private gitlab server. Since code pulled from git will look distinctly different from code pulled from an official library, every dependency used by the web app could be a forked version of an actual package, hosted on the gitlab server. Otherwise, there would be no challenge to the CTF.
To find the malicious code, the user could look at version histories of the dependencies, or at the web app's actual javascript/python code. To make things easier, there could be an extra stage near the beginning of the level, where the user sets up some kind of code to check for bitcoin stealers in there website. There are countless codebases designed to scan for cryptominers we could base this off of, including Firefox's own script blockers.
jake-bickle
Try to come up with high level structure for CTF level