Slctf: Serverless CTF

slctf is a proof of concept that certain parts of a CTF (capture the flag) cyber security tournament can be done without a server. I used React to build it and DOMPurify to prevent XSS. The CTF file is loaded from a JSON file specified in the URL, then rendered. It works by hashing your answer with SHA256/512 (configurable through the CTF file). If any questions depend on another question, when the required question is solved the appropriate questions will automatically be decrypted with AES512.

Demo: https://sticky-sweet-universe.glitch.me/?source=/demo.json

For those who are stuck on the second question, think of atob.
In addition, if you want to prevent cheating, make everyone submit their flags through a Google Form right after they submit them and check their times.

If you need to generate the AES string for a challenge that depends on another challenge being solved, you can use this code snippet in a console window on the CTF page:

CryptoJS.AES.encrypt(JSON.stringify(questionData),"answertodependent").toString();

;-;

I like this, but make a full on ctf that isn’t serverless, and i’ll be ur first player.

Besides a login system and scoreboard, the only hard part would be creating a virtual Linux system inside a Glitch container. To do this you can create an installation of a junest jail, which has multiple methods of operation, of which you only need to find one that works. The only issue is that the memory would be shared with the server and a hacker could overwrite the memory of the server, but I haven't really read up about Linux memory security. Then you just set up a WeTTY session and proxy it.

I feel like I just wrote glitch’s container system but on low memory

Heroku might be better for the virtual linux servers

mate, just use azure… I mean, half of us on the forums got github student…

free credit for azure. =P

Lol, I’m still waiting on my application and possibly one of my school screenshots failed to upload. And school emails are used only internally so we can’t get emails from other domains

junest seems nice, maybe try it on gitpod @javaarchive

EDIT: just tested: after a bit of work I got a fully operational root container


yeah I tested it on another server, I just couldn't remember something good to try to install besides neofetch and lynx