opentoallctf / ota-challenge-bot Goto Github PK

How should we package the bot? Use Docker? Setup a python server?

Used the command !addctf tw2017.

Which produced the following error message :

2017-09-01 14:39:29,675 - botserver            - Received bot command : addctf tw2017 (C0JQ9NVAA)
2017-09-01 14:39:29,675 - handler_factory      - Processing message: addctf tw2017 from C0JQ9NVAA (U1EUDSN5S)
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/src/server/botserver.py", line 164, in run
    self.slack_client.rtm_read())
  File "/src/server/botserver.py", line 116, in parseSlackMessage
    return (output['text'][1:].strip().lower(), output['channel'], output['user'])
KeyError: 'user'

Would be cool to have something like :

!addirc  <irc_channel>

This would create a read-only slack channel bridged with the CTF's IRC channel.
It'll be helpful if any announcements are shared on IRC.

We should replace Pickle with an actual database such as Redis.

Any suggestions on what to use?

When deleting a CTF channel, if there are remaining CHALLENGE channels, the script will crash.

add ctf, add challenge, etc are all imperative (e.g. 'do this'). solved is past tense.

At the very least we should add an alias, i think.

A solved challenge should be announced in the main channel of the CTF, not the channel where the solve command was issued.

The status display is too large and messy IMO.

I suggest the following :

============= TWCTF2017 =============
> Solved
🎉 0xc5c2c3c4c9c3 (Solved by : vakzz)
🎉 ascii_art_maker (Solved by : kileak)
🎉 freshen_uploader (Solved by : corb3nik, kileak)
> Unsolved
[1 active] led : grazfather
[1 active] pdromes_pair_chal : _root
[2 active] super_sec_storage : corb3nik, vakzz

I'm taking into consideration that we will make channels private.

Also we don't need the "active" section for solved challenges.

In the event of a typo, members should be able to rename ctfs/challenges and their corresponding channel.

Maybe it only happens because I am using my own API key, maybe only I see it.

literally just add parse="full" to the api call, I think.

When announcing a solved challenge through the solve command, a member should be able to mention which teammates helped the solve.

Something like this :

@ota_bot solve "web 300" @grazfather
ota_bot : *web 300* : @corb3nik solved "web 300" with the help of @grazfather.

I propose adding a !ctf archiveall command to archive all challenge channels once the CTF is over.
The main CTF channel would remain intact.

This will be great to keep the slack clean, instead of running /archive on each channel manually.

For future commands which require administration privileges, I suggest that the application uses player objects instead of user_id's directly.

Player objects would have the is_admin attribute :

class Player:
    """
    An object representation of a CTF player.
    """

    def __init__(self, user_id, is_admin):
        """
        user_id : The slack ID of a user
        is_admin : Is the user an administrator

        """
        self.user_id = user_id
        self.is_admin = is_admin

The help command would also show the appropriate menus based on the is_admin object.

Add a welcome message that can be brought up with some short command. Simply to cut down on all the explaining we sometimes need to do for new members.

New guy: Hey I'm new here bla bla bla
Me: Welcome!
Me: !intro
Bot: Welcome to OTA! Make sure to check out our category specific channels #pwn, #web...

Add a ping command to check if the bot is working or not.

@ota_bot ping
ota_bot : I'm here!

CHALLENGE channel "purposes" should contain the solver if there is one. This way if the bot crashes, we won't lose that information.

![command_name] seems more appropriate than @ota_bot [command_name].

When adding a new CTF, a new email should be created that can be used to register for the CTF.

Something like [email protected]

These emails would then get dump in the channel for everyone working on the CTF to see.

OTA bot crashed for some reason.

I have not investigated yet, so here is the error trace :

2017-12-12 18:43:25,524 - botserver            - Web socket error. Executing reconnect...
Traceback (most recent call last):
  File "/home/otabot/code/OTA-Challenge-Bot/server/botserver.py", line 118, in run
    message = self.slack_wrapper.read()
  File "/home/otabot/code/OTA-Challenge-Bot/util/slack_wrapper.py", line 28, in read
    return self.client.rtm_read()
  File "/home/otabot/code/OTA-Challenge-Bot/venv/lib/python3.5/site-packages/slackclient/client.py", line 128, in rtm_read
    json_data = self.server.websocket_safe_read()
  File "/home/otabot/code/OTA-Challenge-Bot/venv/lib/python3.5/site-packages/slackclient/server.py", line 186, in websocket_safe_read
    data += "{0}\n".format(self.websocket.recv())
  File "/home/otabot/code/OTA-Challenge-Bot/venv/lib/python3.5/site-packages/websocket/_core.py", line 293, in recv
    opcode, data = self.recv_data()
  File "/home/otabot/code/OTA-Challenge-Bot/venv/lib/python3.5/site-packages/websocket/_core.py", line 310, in recv_data
    opcode, frame = self.recv_data_frame(control_frame)
  File "/home/otabot/code/OTA-Challenge-Bot/venv/lib/python3.5/site-packages/websocket/_core.py", line 323, in recv_data_frame
    frame = self.recv_frame()
  File "/home/otabot/code/OTA-Challenge-Bot/venv/lib/python3.5/site-packages/websocket/_core.py", line 357, in recv_frame
    return self.frame_buffer.recv_frame()
  File "/home/otabot/code/OTA-Challenge-Bot/venv/lib/python3.5/site-packages/websocket/_abnf.py", line 340, in recv_frame
    self.recv_header()
  File "/home/otabot/code/OTA-Challenge-Bot/venv/lib/python3.5/site-packages/websocket/_abnf.py", line 288, in recv_header
    header = self.recv_strict(2)
  File "/home/otabot/code/OTA-Challenge-Bot/venv/lib/python3.5/site-packages/websocket/_abnf.py", line 375, in recv_strict
    bytes_ = self.recv(min(16384, shortage))
  File "/home/otabot/code/OTA-Challenge-Bot/venv/lib/python3.5/site-packages/websocket/_core.py", line 427, in _recv
    return recv(self.sock, bufsize)
  File "/home/otabot/code/OTA-Challenge-Bot/venv/lib/python3.5/site-packages/websocket/_socket.py", line 93, in recv
    "Connection is already closed.")
websocket._exceptions.WebSocketConnectionClosedException: Connection is already closed.
2017-12-12 18:43:25,677 - botserver            - Connection failed. Invalid slack token or bot id?
2017-12-12 18:43:25,677 - botserver            - Shutdown complete...
2017-12-12 18:43:25,678 - consolethread        - Shutting down
2017-12-12 18:43:25,678 - run                  - Server has shut down. Quit

The bot should send its help menu to the user by direct message, in order to prevent spamming on public channels.

It'd be nice if there were a way to mark a challenge as solved without claiming you solved it. Maybe an admin command such as:

!solveas oreos auir

Or maybe a more general admin only command:

!as oreos !solved

same reason as solved -> solve

Just saw someone mix it up.

Right now, we are running on a detached tmux session to manage the bot.

Ideally, we'd have something like server ota_bot start to manage it.

Makes it easy to find and join the channels

Either specify on channel creation, or add a command to add them later on after channel creation.

Solving in ctf challenges works pretty well now, without having to specify the challenge anymore.

Though, specifying additional team members won't work together with this for now, because it interprets the additional members as challenge name.

!solved vakzz

This challenge does not exist.

• Might have to check if the current channel is a challenge channel, and then skip the challenge argument for this.

Gives the appearance of it not working.

Currently, if you do @ota_bot solved <challenge_name> in a CHALLENGE channel, it will not figure out which CTF channel it belongs to.

Still seems to happen

kileak [8:21 PM] 
!addchallenge s_crypto

*============= ASIS-F2017 =============*
* > Unsolved*
[2 active] *mrs_hudson* : kіlеɑk, dоws
[5 active] *dig* : rооt__, dɑnіі, hоshеrmɑn1965, ɑpоcɑlypsе, dоws
[4 active] *s_crypto* : kіlеɑk, dɑnіі, dоws, hоshеrmɑn1965
[2 active] *mary* : kіlеɑk, dоws```

Like

!addchallenge mycroft pwn

[2 active] *mycroft* (pwn) : xyz1, xyz2

• We need to check for # in challenge names (if people try to add a challenge and pass the channel name instead, the channel won't be created, but the challenge will, thus it's kinda broken)

To keep track of solvers, I suggest creating a Github project page.

Upon solve/archive, the bot would push a new blog post on the Project Page with the current solvers per challenge.

That info would then be available online for everyone :)

• On adding a new ctf add (optional) parameters for start and end date
• Start/End should be shown on status command
• Reminder at start "CTF xyz has started"
• Reminder at end "CTF xyz has finished"
• Maybe a countdown to inform people when a ctf will end

It's not a link since it's a private channel.

Maybe consider changing the string.
"New challenge created in private channel (!workon to join)" or similar.

Currently ota_bot always appears offline, should be possible https://api.slack.com/docs/presence-and-status#bot_presence

When running the command :

!solved web300 @kileak

The bot will store the slack IDs :

@here *web300* : corb3nik has solved the "web300" challenge (together with @u415mede0).

Something like this https://stackoverflow.com/questions/11349183/how-to-wrap-every-method-of-a-class

but our wrapper would be like

def wrapper(method):
    @wraps(method)
    def wrapped(*args, **kwargs):
        client = args[0] # Take out 'self'
        try:
            return method(*args, **kwargs)
        except websocket._exceptions.WebSocketConnectionClosedException:
            # Somehow replace the client's connection
            return method(*args, **kwargs)
    return wrapped

eg !ctf addchallenge graz in #corb-test1 should reply with something like

Challenge added: #corb-test1-graz

string.format is preferred. More powerful and easier to use.

!solve doesn't prevent adding the same member twice :

!solved web300 kileak kileak2

Result :

@here *web400* : corb3nik has solved the "web400" challenge (together with kileak, kileak).