search

google / kctf

kCTF is a Kubernetes-based infrastructure for CTF competitions. For documentation, see
https://google.github.io/kctf/
Apache License 2.0
656 stars 73 forks source link

Add pow support for web challenges #32

Open sirdarckcat opened 4 years ago

sirdarckcat commented 4 years ago

It's highly likely that someone running dirbuster on a .php file will cause issues, so we should add pow to web challenges too.

this can be done by wrapping the call to nsjail: https://github.com/google/kctf/blob/00ca1395f0e2492d6b7710c9db97bfb2ecf01bc5/samples/apache-php/challenge/files/cgi-bin/nsjail-php-cgi#L3

so that it checks:

  1. If pow is enabled
  2. if enabled, then check KCTF_POW cookie has a valid signed timestamp within tolerance
  3. if cookie invalid, redirect to /.__kctf__/pow?continue=$path

and add /.__kctf__/pow that:

  1. asks the user for a pow challenge
  2. if the challenge is valid, set KCTF_POW cookie with a valid signed current timestamp
  3. redirect user to ?continue param
sirdarckcat commented 3 years ago

cookies might be annoying, though.. perhaps we can drop this from Beta while we look at what people end up using in practice