Slctf: Serverless CTF

The Gallery
1

slctf is a proof of concept that certain parts of a CTF(capture the flag) cyber security tournament can be done without a server. I used React to build it and DOMPurify to prevent XSS. The CTF file is loaded from a json file specified in the url then rendered. It works by hashing your answer with SHA256/512(configurable through ctf file). If any questions depend on another question, when the required question is solved the appropriate questions will automatically be decrypted with AES512

Demo: https://sticky-sweet-universe.glitch.me/?source=/demo.json

For those who are stuck on the second questions think of atob
In addition if you want to prevent cheating, make everyone submit their flags through a google form right after they submit them and check their times.

If you need to generate the AES string for a challenge the depends on another challenge being solved you can use this code snippet in a console window on the ctf page

CryptoJS.AES.encrypt(JSON.stringify(questionData),"answertodependent").toString();
5 Likes
2

;-;

I like this, but make a full on ctf that isn’t serverless, and i’ll be ur first player.

3

Besides a login system and scoreboard, the only hard part would be creating a virtual linux system inside a glitch container. To do this you can create an installation of a junest jail which has multiple methods of operation which you only need to find one of that works. The only issue is that the memory would be shared with the server and a hacker could overwrite the memory of the server but I haven’t really read up about linux memory security. Then you just setup a WeTTY session and proxy it

I feel like I just wrote glitch’s container system but on low memory

Heroku might be better for the virtual linux servers

4

mate, just use azure… i mean, half of us on the forums got github student…

5

free credit for azure. =P

6

Lol, I’m still waiting on my application and possibly one of my school screenshots failed to upload. And school emails are used only internally so we can’t get emails from other domains

7

junest seems nice, maybe try it on gitpod @javaarchive

EDIT: just tested- after a bit of work i got a fully opeerational root container

2 Likes
8

yeah I tested it on another server, I just couldn’t remeber something good to try to install besides neofetch and lynx

9

congratulations on predicting my life 2.5 years ahead :slight_smile:

it turns out I eventually got into ctf and found a couple of people who were interested and so we ended up deciding to host one ourselves after getting sufficient funds to do so

so yea this project was a bit of precursor to an actual ctf. for the past few months i’ve actually been tinkering with some ctf stuffs, so whatever you see here you should expect something maybe 10x the quality of in the next few weeks :slight_smile:

1 Like
10

holy cow this goes back…
and I guess i did lol

also year I still stalk, just didnt notice this till now xD