These problems were originally designed as part of a Women's CTF hosted by the Plaid Parliament of Pwning and Carnegie Mellon's Information Networking Institute. The project was intended for absolute beginners, although a basic amount of programming or networking knowledge helps.
Topics covered in this CTF include SQL injection, cross site scripting, client side authentication, and server-side logic errors.
Accompanying the problems are the following slides. In addition, there is a small application (/intro) that is designed to be played along with the presentation.
All of the problems are designed to be run inside of docker, although they can be run locally. To run the problems inside of docker, you will need the docker daemon and docker-compose. Once you have them both installed, run
makedocker-compose up -d
This will start all of the problems with ports exposed to the local machine.
Starting the problems will not start any kind of problem management interface. Although this is not included within the scope of this project, we recommend using the Pico platform for competition and problem management.
Once you've built and started the problems, the problems will be found on the following ports
| Problem Name | Port |
|---|---|
| Intro | 8000 |
| Postable | 7070 |
| Trackr | 7654 |
| We Rate Birds | 9630 |
| Can I Have Flag | 5454 |
| BagelShop | 7007 |
| Word-Lock | 1337 |
| JsSafe | 2266 |
Most of these problems are not really designed to be scalable. The exceptions to these are the XSS bots used for both Postable and Trackr. To scale one of these XSS bots, run docker-compose up -d --scale $PROBLEM=$N $PROBLEM, where $PROBLEM is either csp-bot or trackr-bot, and N can be any integer.
Most problems don't have solve scripts, although a couple of them (such as canihaveflag) do.
All problems were designed and written by Zach Wade (@zwade) and Carolina Zarate (@zaratec).
The competition was sponsored by the Plaid Parliament of Pwning and CMU Information Networking Institute.
This project is intended to be used as a standalone, complete repository. If you have issues with it or bug fixes, feel free to issue a PR and we will get them merged in. If you have additional problems that you would like added, let us know and we can see if it's appropriate.