Hackitect series vol.3 - Building Capture the flag for developers

sottlmarek

Marek Šottl

Posted on July 21, 2019

Starting the game

I always liked games. In my last projects, I looked desperately for some gamification for developers. I provide training on the SSDLC, and it's always hard to teach different vulnerabilities and their impact. It's not easy to connect architects and developers. The best way is to get our hands dirty. The solution came very unexpectedly.
OWASP Juice Shop and the Facebook capture the flag platform provide a very strong combination of predefined vulnerabilities with extensibility to code bashing.

So let's start our journey of setting up a fun hacking gamification capture the flag platform.

How it works

To learn the OWASP Top 10, we will build a platform together from a capture the flag portal and a vulnerable app called Juice Shop. The vulnerable e-shop contains around 90 different challenges of increasing difficulty.
Every exploited vulnerability challenge is rewarded with an achievement. Integration with the CTF is done via flag hashes. On the other side, there is a world domination CTF platform based on Facebook's open-source FBCTF. Teams conquer countries by answering quizzes and by capturing flags through finding vulnerabilities. You copy-paste the flag hash into the CTF platform and capture the selected country containing the challenge. The captured country gives you score points. The number of score points depends on the difficulty of the challenge.
The team that gets the most points in the given time period wins the game. Happy threat hunting, and don't forget the main prize: chocolate.

First step

Installing OWASP Juice Shop. You can install Juice Shop on Windows (very easy) or on Ubuntu, the recommended option for real geeks. The installation of Node.js for Windows is very easy, so I don't see any reason for an explanation.

For Windows, you need to open the command line and:

  1. Install git bash
  2. git clone https://github.com/bkimminich/juice-shop.git (in our working directory)
  3. Open the juice-shop directory
  4. npm install
  5. npm start
  6. Open the browser and hit localhost:3000

For Linux you need to open the command line and (tested on Ubuntu 18.04.2 LTS):

  1. Download packaged Juice shop (https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2)
  2. Unpack and cd into the unpacked folder
  3. Alternatively (not recommended, doesn't work well), install Node.js yourself:
       sudo apt install curl
       curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
       sudo apt install nodejs
  4. Open the juice-shop directory
  5. Run npm install (for the alternative) or npm start (for the packaged release).
  6. Open the browser and hit localhost:3000

Now we are done with Juice Shop and ready to roll. It contains epic challenges of different levels for newbies and hardcore non-sleepers.

It will look like this:

The game is ready, but not fully: we need to smuggle our CTF flags into the platform and then import them into FBCTF. Eager to get to the fun of playing? No worries, the fun will come soon.

Second step - setup the environment

You need to set up the environment variables. Set them under root or administrator access, and restart your machine after the setup.

  1. Set the NODE_ENV variable: set NODE_ENV=ctf on Windows, export NODE_ENV=ctf on Linux
  2. Restart your machine
  3. Open cmd or a terminal and run npm start

Third step - generate the data for FBCTF

Generate the data by following the guide mentioned here: Guide from author

I recommend the following setup:

ctfFramework: FBCTF
juiceShopUrl: https://juice-shop.herokuapp.com
ctfKey: https://raw.githubusercontent.com/bkimminich/juice-shop/master/ctf.key 
countryMapping: https://raw.githubusercontent.com/bkimminich/juice-shop/master/config/fbctf.yml 
insertHints: none
insertHintUrls: none 
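The ctfKey is what ties the flag hashes in Juice Shop to the levels imported into FBCTF: assuming CTF mode derives each flag as the hex HMAC-SHA1 of the challenge name under that key, the import file only accepts the shop's flags when both sides use the same key. The following pre-game check is an added example, not code from the original post or from either project; the import structure is simplified and the keys and point values are constructed.

```javascript
const crypto = require('node:crypto');

// Assumption: a flag is the hex HMAC-SHA1 of the challenge name under the CTF key.
function ctfFlag(ctfKey, challengeName) {
  return crypto.createHmac('sha1', ctfKey).update(challengeName).digest('hex');
}

// Returns the titles of flag levels whose stored flag was NOT generated with
// ctfKey, i.e. levels the teams could never capture from this shop instance.
function findMismatchedLevels(importData, ctfKey) {
  return importData.levels.levels
    .filter((level) => level.type === 'flag')
    .filter((level) => {
      const expected = Buffer.from(ctfFlag(ctfKey, level.title), 'hex');
      const stored = Buffer.from(String(level.flag), 'hex');
      // Length check first: timingSafeEqual throws on unequal lengths.
      return stored.length !== expected.length ||
        !crypto.timingSafeEqual(stored, expected);
    })
    .map((level) => level.title);
}

// Constructed sample: keys and import data are made up for this example.
const GAME_KEY = 'constructed-key-for-this-game';
const STALE_KEY = 'constructed-key-from-an-older-game';
const sampleImport = {
  levels: {
    levels: [
      { type: 'flag', title: 'Score Board', points: 100,
        flag: ctfFlag(GAME_KEY, 'Score Board') },
      // Generated with a different key: this level can never be captured.
      { type: 'flag', title: 'Login Admin', points: 250,
        flag: ctfFlag(STALE_KEY, 'Login Admin') },
    ],
  },
};

console.log('levels with wrong key:', findMismatchedLevels(sampleImport, GAME_KEY));
```

Under the same assumption, anyone who holds the key can compute every flag without solving a challenge, so a key that is publicly downloadable is only suitable for practice rounds.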

Fourth step - Set up & import into FBCTF

I failed many times in installation. If you are not sure, check the official guide on GitHub. Please note that the password for admin will appear in the command line during the installation process, so be careful and check the cmd output. The CTF framework needs to be installed on Ubuntu 16.04.

Installing the FBCTF:

sudo apt-get update
sudo apt-get install git
git clone https://github.com/facebook/fbctf
cd fbctf
./extra/provision.sh -m prod -s $PWD
source ./extra/lib.sh
set_password [new_password] ctf ctf fbctf $PWD

Import the JSON with data:

  1. Go to localhost
  2. Log in as admin
  3. Go to controls and select import full game.
  4. Choose the *.json data file generated by juice-shop-ctf
  5. Looks amazing!
  6. For more, look into the Admin guide


Don't forget to create the teams, set up the timer and select the authentication method. Feel free to customize your logo.

All tribute to the authors of open source; I had lots of struggles during the installation process. I hope that we will meet in one of the sessions together and train how to hack some vulnerable apps. Enjoy your hacking.

If you are interested in meeting me in my training session, you can sign up for training at ICTpro School HERE
