echoctf / echoctf.red

A platform to develop, run and administer CTF competitions. The online echoCTF.RED platform user interfaces and codebase

Home Page: https://echoCTF.RED/

License: BSD 2-Clause "Simplified" License

Languages: PHP 70.97%, CSS 6.82%, JavaScript 19.09%, PLpgSQL 0.37%, Dockerfile 0.13%, Shell 0.78%, Perl 0.22%, Jinja 0.50%, Hack 0.50%, HTML 0.61%
Topics: ctf, cybersecurity, echoctf, hacking

Contributors: 0xjaeg3r, akorovesi, dependabot[bot], g0rchy, hitmanalharbi, proditis

echoctf.red's Issues

Show platform counters on dashboard

Counters for total users, online users and users on VPN on the dashboard. This is an early solution for a better infrastructure status page later on.

  • Player::model()->count()
  • Player::model()->online()->count()
  • Player::model()->on_vpn()->count()

Create restapi challenge submission

Create restapi and possibly pUI challenge submission.

The challenge submissions must be yml or json structured with the following format.
Proposed challenge yml/json structure:

---
author: 1 # Your profile id
name: "This is the challenge name"
category: Tutorial # Free form
difficulty: easy # Free form
player_type: offense # offense or defense
filename: challenge1.zip # Optional filename that comes with the challenge
description: "<p>Description of the challenge allows limited html</p>"
questions:
  - name: "1st question name"
    description: "1st question description"
    points: 100
    code: "answer1"
    weight: 0
  - name: "2nd question name"
    description: "2nd question description"
    points: 100
    code: "answer2"
    weight: 1

Add Terms and Conditions

  • Create a _terms_and_conditions.php view to be used as renderPartial
  • Change profile label to "I accept the echoCTF RED Terms and Conditions"
  • Make the Terms and Conditions link popup that will render the Terms and Conditions view
  • Add Terms and Conditions checkbox with link popup on registration page
  • Decide on static or sysconfig key for page content

Update openvpn connection script for vpn servers to update the table instead of memcached

Update vpn up/down script to update mysql table player_last instead of memcached ovpn:id key.
This should include updates of on_vpn=NOW(), vpn_local_address=INET_ATON($local_IP), vpn_remote_address=INET_ATON($remote_ip) WHERE id=$cn

The script should keep on checking if the ovpn:id key is set to deny secondary logins, however the key will be populated by mysql triggers instead of nc

Fix controller names for related models

  • Change controller names across mUI from PlayertreasureController into PlayerTreasureController.
  • This will require changing the main menu links from module/playertreasure to module/player-treasure
  • The views folders will also need to be renamed from views/playertreasure to views/player-treasure

GDPR Compliance

  • Label for GDPR checkbox: "I accept the privacy policy of echoCTF Red."
  • Create a _privacy_policy.php view
  • Make privacy policy link popup that renders the view
  • Decide on static content or sysconfig key

Add Hint request for specific targets

Allow users to request hints for a target with "penalty".

The process will be in the form of:

  1. User clicks on request for hint of target.
  2. Modal dialog appears for the user to attach his/her question.
  3. Moderators receive the hint request and attach an answer and the points that will be deducted, and optionally assign a treasure that this hint is related to.
  4. Participant receives a notification and is informed that seeing the hint will deduct the points from the treasure associated with the hint.

On target headshots row include the number of hints received for the target by the headshot user

Create target badge generation

Using #33 & #34 generate badges for the targets. This will allow us to embed images into misc posts such as:

<img src="https://echoctf.red/target/10/badge"/>

Implement operation for moving a target from one network to another

Implement the operation to move a target from one network (eg AAnet) to another (eg CVEnet)

Certain rules need to be followed for this transfer:

  • Change ip, net, docker server of target
  • Re-populate targets pf table
  • Re-populate match findings for pf
  • Delete existing container from old docker server
  • Spin container with new details

Experience Levels introduction

Add Experience Levels based on points

  • Migration with fields (id, name, description, icon, min_points, max_points)
  • Display Experience level on profile based on a query similar to `SELECT * FROM experience WHERE points BETWEEN min_points AND max_points` or `SELECT * FROM experience WHERE points >= min_points LIMIT 1`
  • Create Gameplay or Settings sub model & CRUD for experience
  • On pUI profile show Experience levels

Create target vs profile_id view

Create target vs profile_id view. Link the target/view on profile/id page to the versus page. This page will be similar to the current target view for logged in users, but instead of displaying the current profile we will load the details of the profile given on the versus link.

The links will be in the form of target/11/versus/31337 and will show the current progress for the particular player on the target.

Add pull image on target view

On mui next to the image name on target/view add the ability to pull the image into the docker. This will help in spinning the target faster for the first time since the image will already be there.

Make sure findings match only on SYN/ACK flags only

Problem
A user (./0xRar) reported he received a finding for a host he didn't scan. He was working on krusty and received a finding for moleman. Upon inspection it appeared that the system (moleman) had attempted to connect to the user's VPN IP and the finding came from his system sending a response.

This was due to the fact that a user added a wrong IP on the form of moleman.

Solution

  • Make match finding rules only work on initial connection attempts. This way we can at least limit the amount of times this can happen.
  • Update instructions to include information for users on protecting their systems and only allowing connections back from systems they allow manually.
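As an added illustration of the first solution item (not code from the echoctf.red project), the classifier below only treats a player's own SYN-without-ACK packet as a connection attempt, so a SYN/ACK sent by the player's host in reply to a target connecting to it never becomes a finding. The log lines are constructed in tcpdump/pflog style; the platform's real log format and matcher may differ, and the function names are assumptions.

```php
<?php
// Added example, not echoctf.red code: classify tcpdump/pflog-style lines so
// that only a player's own initial SYN (no ACK) counts as a finding attempt.
// SAMPLE_LOG is constructed; the real matcher and its log format may differ.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
rule 4/(match) pass in on tun0: 10.10.0.5.51234 > 10.0.160.10.80: Flags [S], seq 1, win 64240, length 0
rule 4/(match) pass in on tun0: 10.10.0.5.22 > 10.0.160.20.40000: Flags [S.], seq 5, ack 9, win 65535, length 0
rule 4/(match) pass in on tun0: 10.10.0.5.51234 > 10.0.160.10.80: Flags [.], ack 2, win 502, length 0
LOG;

// Parse one line into src/sport/dst/dport/flags, or null for non-TCP lines.
function parseTcpLine(string $line): ?array
{
    $re = '/(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['src' => $m[1], 'sport' => (int) $m[2], 'dst' => $m[3],
            'dport' => (int) $m[4], 'flags' => $m[5]];
}

// In tcpdump notation "[S]" is a bare SYN (initial attempt), "[S.]" is a
// SYN/ACK (the player's host answering a connection the target opened towards
// it) and "[.]" is a plain ACK; only the first may produce a finding.
function isInitialAttempt(array $pkt): bool
{
    return str_contains($pkt['flags'], 'S') && !str_contains($pkt['flags'], '.');
}

// Return [dst => [dport, ...]] for packets that qualify as findings for $playerIp.
function findingCandidates(string $log, string $playerIp): array
{
    $out = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $pkt = parseTcpLine($line);
        if ($pkt !== null && $pkt['src'] === $playerIp && isInitialAttempt($pkt)) {
            $out[$pkt['dst']][] = $pkt['dport'];
        }
    }
    return $out;
}

// Only the first sample line (a bare SYN from the player) survives the filter.
var_dump(findingCandidates(SAMPLE_LOG, '10.10.0.5'));
```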

Limit reset requests for players based on criteria

Problem
It has been observed that when users first join the platform they test all the available links they can click in order to figure out what each does. Unavoidably they will click on the restart button for a target.

  • This leads to systems restarting randomly
  • Users losing their restart requests for the day early on, which then limits the available restarts when they start playing the same day

We need to avoid unnecessary restarts so we need to limit the restarts only to cases that this is needed.

Solutions
Allow restarts by users who:

  • have connected on the VPN before (at least once)
  • are currently connected to the VPN
  • have progress on a target (eg have finding or treasure)


Create avatar upload and/or external avatars inclusion

Introduce the ability to upload or link existing avatars to the user profiles (eg link avatars from github/twitter etc).

Requirements:

  • Images must be validated (<=1mb, png/jpg)
  • All images must be re-created and scaled through appropriate libraries (i.e. gd, cimg, etc.)
  • All images must remain "hidden" until a moderator approves the images
  • All image filenames will be converted to profile_id.png
  • Scaled images with any side smaller than 300 must be centered accordingly on a 300x300 frame. This will allow us to have consistent sizes for avatars.
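One way to meet the requirements above with PHP's GD extension, as an added example that is not the echoctf.red project's own code: the real content type is sniffed rather than trusted from the upload, the file is decoded and re-encoded so only pixel data survives, and the result is centered on a 300x300 transparent frame and written as profile_id.png into a staging directory that stays hidden until moderation. The function name processAvatar() and the $pendingDir parameter are assumptions.

```php
<?php
// Added example, not echoctf.red project code: validate an uploaded avatar and
// re-create it through GD on a 300x300 transparent frame, as the issue requires.
// Assumed names: processAvatar() and $pendingDir (staging dir pending moderator approval).
declare(strict_types=1);

const AVATAR_MAX_BYTES = 1024 * 1024;                 // <= 1 MB
const AVATAR_FRAME     = 300;                         // 300x300 output frame
const AVATAR_MIMES     = ['image/png', 'image/jpeg']; // png/jpg only

// Validate $tmpPath, decode it with GD, scale it to fit the frame, center it and
// write <pendingDir>/<profileId>.png; throws RuntimeException on any failure.
function processAvatar(string $tmpPath, int $profileId, string $pendingDir): string
{
    $size = filesize($tmpPath);
    if ($size === false || $size > AVATAR_MAX_BYTES) {
        throw new RuntimeException('avatar exceeds 1 MB');
    }
    // Sniff the real content type; the client-supplied name/extension is untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, AVATAR_MIMES, true)) {
        throw new RuntimeException('avatar must be PNG or JPEG');
    }
    // Decoding and re-encoding through GD keeps pixel data only.
    $src = $mime === 'image/png' ? @imagecreatefrompng($tmpPath) : @imagecreatefromjpeg($tmpPath);
    if ($src === false) {
        throw new RuntimeException('avatar could not be decoded');
    }
    $w = imagesx($src);
    $h = imagesy($src);
    // Fit the longer side into the frame; smaller images are centered, not upscaled.
    $scale = min(1.0, AVATAR_FRAME / max($w, $h));
    $nw = max(1, (int) round($w * $scale));
    $nh = max(1, (int) round($h * $scale));
    $frame = imagecreatetruecolor(AVATAR_FRAME, AVATAR_FRAME);
    imagealphablending($frame, false);                // copy alpha verbatim
    imagesavealpha($frame, true);
    imagefill($frame, 0, 0, imagecolorallocatealpha($frame, 0, 0, 0, 127)); // transparent
    imagecopyresampled($frame, $src, intdiv(AVATAR_FRAME - $nw, 2), intdiv(AVATAR_FRAME - $nh, 2),
                       0, 0, $nw, $nh, $w, $h);
    imagedestroy($src);
    $dest = rtrim($pendingDir, '/') . '/' . $profileId . '.png'; // filename is profile_id.png
    $ok = imagepng($frame, $dest);
    imagedestroy($frame);
    if (!$ok) {
        throw new RuntimeException('avatar could not be written');
    }
    return $dest;
}
```

The 1 MB byte limit does not bound the decoded size, so a deployment should also check the pixel dimensions reported by getimagesize() before calling the imagecreatefrom* functions.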

Implement target difficulty rating by users

This may be overkill, but let's make it so that we keep each vote as a separate table.

This will allow us to display the ratings of each user as extra details on target/view as well as the average rating on dashboard/index

Furthermore, on profile/me & profile/index we can display the vote of the profile owner on the target list

Create target images

Create images to be used as target avatars. The images must be transparent and should mesh correctly with our logo when merged together.

Update target with required and suggested XP levels

Update target with required and suggested experience levels

  • Add suggested minimum experience level for targets (suggested_xp) through migration
  • Add required minimum experience level for targets (required_xp) through migrations

Allow temporary disabling the triggers

Modify triggers to include ability to be disabled on request, this way we will be able to import data from other instances without invoking them. This will also allow us to perform operations without TRIGGERS from the mui

Add new column to question (parent_id)

Add a parent_id column to question in order to be able to implement challenges that do not reveal the next step unless you complete the one required by parent_id

Create a smart tweet widget to include on our targets, stream msgs, profile

We need to be able to generate the following GET parameters:

url: absolute url
text: the message with correct references for platform (`@echoCTF`) and user if exists `@userhandle`
related: list of handles

<a href="https://twitter.com/intent/tweet?url=http%3a%2f%2fwww.tomtunguz.com%2fimportance-and-mystery-demand-generation%2f&text=Why%20Demand%20Generation%20Can%20Be%20So%20Challenging%20For%20Startups%20via%20@ttunguz&related=ttunguz">Share this post</a>

`mail_optin` implementation

  • Add description for email opt-in checkbox: "Check this if you would like to receive mail notifications from the platform. We will not use your email address to send you unsolicited emails."
  • Change label to "I want to receive emails from echoCTF RED"

Make certain target details publicly accessible

  • Make target/view publicly accessible (with limited details).
  • Include appropriate meta tags for twitter "product" display
  • Create dynamic logo generation for each target (split into #33, #34, #35)
  • Create dynamic badge image generation for each target (split into #33, #34, #35)
  • Create our own custom tweet button and add on page (split into #31 and #32)
