Suggestion: Custom flags

[jimender2]

I think that having a way to specify specific flags would be a nice feature especially when I am doing this in a middle or high school where I want to be able to remember the flags easier or relate them to what we are learning. Also, custom lengths for flags would be nice. Sometimes I just want to have 5 character flags as opposed to the really long ones that are the default.

[bkimminich]

Hi @jimender2! Can you help me understand your use case for shorter flags correctly? Also why this would be something particularly useful for middle/high school course?

The intended flow is to Ctrl-C them from the notification in Juice Shop and Ctrl-V them as the solution for a corresponding challenge in CTFd or FBCTF.

Does your CTF setup prevent that from being done somehow?

[jimender2]

So an example I have is if I am doing a CTF with the kids, they have to type it all out because of copy and pasting being really hard on a chromebook (it is hard to get middle schoolers and even high schoolers to right stuff highlighted) or other device that is really slow. Additionally, if I want to do a themed CTF (like relating to that school) I would want the ability to do a little bit different of a flag like CTF{goPirates} or Pirates{hackingIsFun}. The kids tend to respond better to things that relate to them easier rather than just a string of letters/numbers. Additionally, I tend to lead the students through one or two different flags and having a flag that I can remember would be easier, especially if I can show them and/or have my team show them.

[J12934]

That’s really cool that you are using it like this! The flags are currently generated that way to be cryptografically secure, but this probably doesn’t matter too much for your use case.

Also allowing static flags would require some changes but I think it should be not too bad. We could add this as a config option similar to how to configure the country assignment we use for FBCTF.

[jimender2]

That would be awesome. If it is possible, please add in a dictionary generator too so that if I want just a random flag that is easy to remember, it would three or four words from a dictionary (like CTF{batterycorrecthorsestaple} etc.).

[bkimminich]

I just discussed with @wurstbrot and we concluded that it would be much nicer to implement an "auto-send" feature to propagate flags to the central CTF server. That's a bigger topic, but would need changes on Juice Shop instead of this tool. Sending flags manually would still be possible as a fallback, but shouldn't be customizable on top then.

Juice Shop could have a config property for "auto-submit" that could be ctfd2, ctfd1, fbctf or off. It would also need an environment variable CTF_SERVER_URL for the score server. Then flags could be automatically sent, as long as the CTF servers we currently offer support submissions via API.

[J12934]

I just discussed with @wurstbrot and we concluded that it would be much nicer to implement an "auto-send" feature to propagate flags to the central CTF server. That's a bigger topic, but would need changes on Juice Shop instead of this tool. Sending flags manually would still be possible as a fallback, but shouldn't be customizable on top then.

Juice Shop could have a config property for "auto-submit" that could be ctfd2, ctfd1, fbctf or off. It would also need an environment variable CTF_SERVER_URL for the score server. Then flags could be automatically sent, as long as the CTF servers we currently offer support submissions via AP

I think the hardest part of a auto-submit system would be: how to figure out which user of the ctf system is using this JuiceShop instance. Without that information the flags couldn’t get submitted, as they ctf tool would not know which user has submitted it. This would most likely require the users full credentials / some sort of api key to access the endpoints.

[bkimminich]

We just discussed that as well... 😁

Adding CTF_SERVER_USER and CTF_SERVER_PASSWORD environment vars could do that transparently and if they are not set, the user would have to put them into a config form on the internal Score Board maybe?

[bkimminich]

Just as an update, CTFd will add API endpoint for submitting flags in the future. Didn't check yet if FBCTF had it already or at least plans to add it.

[jimender2]

Perfect. I appreciate that.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. :heart: Thank you for your contributions to OWASP Juice Shop!

[jimender2]

Are you waiting for CTFd to update first before working more on this?

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. :heart: Thank you for your contributions to OWASP Juice Shop!

[bkimminich]

I focused on the main app recently and didn't check if auto submission was already in CTFd by now.

If someone wants to pick up this as a research task, please feel free to.

We could consider a middle ground alternative also: When using the fbctf.yml config, a country flag and optionally name is displayed alongside the flag code. We could add an option to juice-shop-ctf-cli to accept the country name as a flag code as well.

That way it becomes more easily typeable for @jimender2's students but without us spending effort to add full custom flag codes when we ultimately would prefer auto submission.

Opinions?

[J12934]

I plan to add a simple scoreboard into JuicyCTF

The scoreboard would automatically import the progress of every Juice Shop instance it is running.

[bkimminich]

Okaay, that would make a CTFd unnecessary as long as you don't really want a competitive event. Cool!

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. :heart: Thank you for your contributions to OWASP Juice Shop!