def gen_flag(db, challenge_id, content='flag', type='static', data=None, **kwargs):
flag = Flags(challenge_id=challenge_id, content=content, type=type, **kwargs)
if data:
flag.data = data
db.session.add(flag)
db.session.commit()
return flag
def update_flags(flags, chal_dbobj):
from CTFd.models import db, Flags
events = []
db_flag_objects = {flag.content:flag for flag in Flags.query.filter_by(challenge_id=chal_dbobj.id).all()}
chal_flags = {flag['flag']:flag for flag in flags}
tags_db = set(db_flag_objects.keys())
tags_in = set(chal_flags.keys())
new_flags = tags_in - tags_db
del_flags = tags_db - tags_in
upd_flags = tags_in & tags_db
for flag in new_flags:
fl_obj = chal_flags[flag]
fl_type = fl_obj['type']
fl_data = 'case_insensitive' if fl_obj.get('case_insensitive') else None
flag_db = Flags(challenge_id=chal_dbobj.id, content=flag, type=fl_type, data=fl_data)
db.session.add(flag_db)
events.append(Event(Event.Type.info,
f"Challenge {chal_dbobj.name}: Adding new flag {flag}"))
for flag in del_flags:
db.session.delete(db_flag_objects[flag])
events.append(Event(Event.Type.warn,
f"Challenge {chal_dbobj.name}: Deleting flag {flag}"))
for flag in upd_flags:
fl_obj = chal_flags[flag]
flag_db = db_flag_objects[flag]
flag_db.type = fl_obj['type']
flag_db.data = 'case_insensitive' if fl_obj.get('case_insensitive') else None
return events
def load_challenges_csv(dict_reader):
schema = ChallengeSchema()
errors = []
for i, line in enumerate(dict_reader):
# Throw away fields that we can't trust if provided
_ = line.pop("id", None)
_ = line.pop("requirements", None)
flags = line.pop("flags", None)
tags = line.pop("tags", None)
hints = line.pop("hints", None)
challenge_type = line.pop("type", "standard")
# Load in custom type_data
type_data = json.loads(line.pop("type_data", "{}") or "{}")
line.update(type_data)
response = schema.load(line)
if response.errors:
errors.append((i + 1, response.errors))
continue
ChallengeClass = get_chal_class(challenge_type)
challenge = ChallengeClass.challenge_model(**line)
db.session.add(challenge)
db.session.commit()
if flags:
flags = [flag.strip() for flag in flags.split(",")]
for flag in flags:
f = Flags(type="static", challenge_id=challenge.id, content=flag,)
db.session.add(f)
db.session.commit()
if tags:
tags = [tag.strip() for tag in tags.split(",")]
for tag in tags:
t = Tags(challenge_id=challenge.id, value=tag,)
db.session.add(t)
db.session.commit()
if hints:
hints = [hint.strip() for hint in hints.split(",")]
for hint in hints:
h = Hints(challenge_id=challenge.id, content=hint,)
db.session.add(h)
db.session.commit()
if errors:
return errors
return True
def load_challenges_csv(dict_reader):
for line in dict_reader:
flags = line.pop("flags", None)
tags = line.pop("tags", None)
hints = line.pop("hints", None)
challenge_type = line.pop("type", "standard")
# Load in custom type_data
type_data = json.loads(line.pop("type_data", "{}") or "{}")
line.update(type_data)
ChallengeClass = get_chal_class(challenge_type)
challenge = ChallengeClass.challenge_model(**line)
db.session.add(challenge)
db.session.commit()
if flags:
flags = [flag.strip() for flag in flags.split(",")]
for flag in flags:
f = Flags(
type="static",
challenge_id=challenge.id,
content=flag,
)
db.session.add(f)
db.session.commit()
if tags:
tags = [tag.strip() for tag in tags.split(",")]
for tag in tags:
t = Tags(
challenge_id=challenge.id,
value=tag,
)
db.session.add(t)
db.session.commit()
if hints:
hints = [hint.strip() for hint in hints.split(",")]
for hint in hints:
h = Hints(
challenge_id=challenge.id,
content=hint,
)
db.session.add(h)
db.session.commit()
return True
with app.app_context():
db = app.db
# Generating Challenges
print("GENERATING CHALLENGES")
for x in range(CHAL_AMOUNT):
word = gen_word()
chal = Challenges(
name=word,
description=gen_sentence(),
value=gen_value(),
category=gen_category(),
)
db.session.add(chal)
db.session.commit()
f = Flags(challenge_id=x + 1, content=word, type="static")
db.session.add(f)
db.session.commit()
# Generating Files
print("GENERATING FILES")
AMT_CHALS_WITH_FILES = int(CHAL_AMOUNT * (3.0 / 4.0))
for x in range(AMT_CHALS_WITH_FILES):
chal = random.randint(1, CHAL_AMOUNT)
filename = gen_file()
md5hash = hashlib.md5(filename.encode("utf-8")).hexdigest()
chal_file = ChallengeFiles(challenge_id=chal,
location=md5hash + "/" + filename)
db.session.add(chal_file)
db.session.commit()
def import_challenges(in_file,
dst_attachments,
exit_on_error=True,
move=False):
from CTFd.models import db, Challenges, Flags, Tags, Hints, ChallengeFiles
chals = []
with open(in_file, 'r') as in_stream:
chals = yaml.safe_load_all(in_stream)
for chal in chals:
skip = False
for req_field in REQ_FIELDS:
if req_field not in chal:
if exit_on_error:
raise MissingFieldError(req_field)
else:
print("Skipping challenge: Missing field '{}'".format(
req_field))
skip = True
break
if skip:
continue
for flag in chal['flags']:
if 'flag' not in flag:
if exit_on_error:
raise MissingFieldError('flag')
else:
print("Skipping flag: Missing field 'flag'")
continue
flag['flag'] = flag['flag'].strip()
if 'type' not in flag:
flag['type'] = "static"
if 'data' not in flag:
flag['data'] = ""
if 'files' in chal:
norm_files = []
for file in chal['files']:
# make sure we have only relative paths in the yaml file
file = os.path.normpath("/" + file).lstrip('/')
# skip files that do not exists
if not os.path.exists(
os.path.join(os.path.dirname(in_file), file)):
print(
"Skipping file '{}' in challenge '{}': File not found"
.format(file, chal['name'].strip()))
continue
else:
norm_files.append(file)
chal['files'] = norm_files
for hint in chal['hints']:
if 'type' not in hint:
hint['type'] = "standard"
# Check what type the challenge is and create a DB object of the appropriate type.
if chal['type'] == 'dynamic':
# Lazy load the DynamicChallenge plugin on encountering a challenge of that type.
try:
from CTFd.plugins.dynamic_challenges import DynamicChallenge
except ImportError as err:
print("Failed to import plugin for challenge type {}: {}".
format(chal['type'], err))
continue
initial = int(chal['value'])
if 'initial' in chal:
initial = int(chal['initial'])
minimum = 0
if 'minimum' in chal:
minimum = int(chal['minimum'])
decay = 0
if 'decay' in chal:
decay = int(chal['decay'])
chal_dbobj = DynamicChallenge(
name=chal['name'].strip(),
description=chal['description'].strip(),
value=int(chal['value']),
category=chal['category'].strip(),
initial=initial,
decay=decay,
minimum=minimum)
elif chal['type'] == 'naumachia':
# Lazy load the Naumachia plugin on encountering a challenge of that type.
try:
# Here we use a fixed name, which is the repository name, even though it does
# not conform to a proper Python package name. Users may install the package
# using any file name they want, but this version of thsi plugin does not
# support it.
naumachia_plugin = importlib.import_module(
'.ctfd-naumachia-plugin', package="CTFd.plugins")
except ImportError as err:
print("Failed to import plugin for challenge type {}: {}".
format(chal['type'], err))
continue
naumachia_name = chal.get('naumachia_name', "").strip(),
chal_dbobj = naumachia_plugin.NaumachiaChallengeModel(
name=chal['name'].strip(),
naumachia_name=chal['naumachia_name'],
description=chal['description'].strip(),
value=int(chal['value']),
category=chal['category'].strip(),
)
else:
# We ignore traling and leading whitespace when importing challenges
chal_dbobj = Challenges(
name=chal['name'].strip(),
description=chal['description'].strip(),
value=int(chal['value']),
category=chal['category'].strip())
chal_dbobj.state = 'visible'
if 'hidden' in chal and chal['hidden']:
if bool(chal['hidden']):
chal_dbobj.state = 'hidden'
chal_dbobj.max_attempts = 0
if 'max_attempts' in chal and chal['max_attempts']:
chal_dbobj.max_attempts = chal['max_attempts']
chal_dbobj.type = 'standard'
if 'type' in chal and chal['type']:
chal_dbobj.type = chal['type']
matching_chals = Challenges.query.filter_by(
name=chal_dbobj.name,
description=chal_dbobj.description,
value=chal_dbobj.value,
category=chal_dbobj.category,
state=chal_dbobj.state,
type=chal_dbobj.type).all()
for match in matching_chals:
if 'tags' in chal:
tags_db = [
tag.tag
for tag in Tags.query.add_columns('tag').filter_by(
challenge_id=match.id).all()
]
if all([tag not in tags_db for tag in chal['tags']]):
continue
if 'files' in chal:
files_db = [
f.location for f in ChallengeFiles.query.add_columns(
'location').filter_by(challenge_id=match.id).all()
]
if len(files_db) != len(chal['files']):
continue
hashes = []
for file_db in files_db:
with open(os.path.join(dst_attachments, file_db),
'rb') as f:
hash = hashlib.md5(f.read()).digest()
hashes.append(hash)
mismatch = False
for file in chal['files']:
filepath = os.path.join(os.path.dirname(in_file), file)
with open(filepath, 'rb') as f:
hash = hashlib.md5(f.read()).digest()
if hash in hashes:
hashes.remove(hash)
else:
mismatch = True
break
if mismatch:
continue
flags_db = Flags.query.filter_by(challenge_id=match.id).all()
for flag in chal['flags']:
for flag_db in flags_db:
if flag['flag'] != flag_db.content:
continue
if flag['type'] != flag_db.type:
continue
skip = True
break
if skip:
print("Skipping '{}': Duplicate challenge found in DB".format(
chal['name'].encode('utf8')))
continue
print("Adding {}".format(chal['name'].encode('utf8')))
db.session.add(chal_dbobj)
db.session.commit()
if 'tags' in chal:
for tag in chal['tags']:
tag_dbobj = Tags(chal_dbobj.id, tag)
db.session.add(tag_dbobj)
for flag in chal['flags']:
flag_db = Flags(challenge_id=chal_dbobj.id,
content=flag['flag'],
type=flag['type'],
data=flag['data'])
db.session.add(flag_db)
for hint in chal['hints']:
hint_db = Hints(challenge_id=chal_dbobj.id,
content=hint['hint'],
type=hint['type'],
cost=int(hint['cost']))
db.session.add(hint_db)
if 'files' in chal:
for file in chal['files']:
filename = os.path.basename(file)
dst_filename = secure_filename(filename)
dst_dir = None
while not dst_dir or os.path.exists(dst_dir):
md5hash = hashlib.md5(os.urandom(64)).hexdigest()
dst_dir = os.path.join(dst_attachments, md5hash)
os.makedirs(dst_dir)
dstpath = os.path.join(dst_dir, dst_filename)
srcpath = os.path.join(os.path.dirname(in_file), file)
if move:
shutil.move(srcpath, dstpath)
else:
shutil.copy(srcpath, dstpath)
file_dbobj = ChallengeFiles(challenge_id=chal_dbobj.id,
location=os.path.relpath(
dstpath,
start=dst_attachments))
db.session.add(file_dbobj)
db.session.commit()
db.session.close()
def import_challenges(in_file,
dst_attachments,
exit_on_error=True,
move=False):
from CTFd.models import db, Challenges, Flags, Tags, ChallengeFiles
from CTFd.utils import uploads
chals = []
with open(in_file, 'r') as in_stream:
chals = yaml.safe_load_all(in_stream)
for chal in chals:
skip = False
for req_field in REQ_FIELDS:
if req_field not in chal:
if exit_on_error:
raise MissingFieldError(req_field)
else:
print "Skipping challenge: Missing field '{}'".format(
req_field)
skip = True
break
if skip:
continue
for flag in chal['flags']:
if 'flag' not in flag:
if exit_on_error:
raise MissingFieldError('flag')
else:
print "Skipping flag: Missing field 'flag'"
continue
flag['flag'] = flag['flag'].strip()
if 'type' not in flag:
flag['type'] = "static"
matching_chal = Challenges.query.filter_by(
name=chal['name'].strip()).first()
if matching_chal:
print "Updating {}: Duplicate challenge found in DB (id: {})".format(
chal['name'].encode('utf8'), matching_chal.id)
Tags.query.filter_by(challenge_id=matching_chal.id).delete()
ChallengeFiles.query.filter_by(
challenge_id=matching_chal.id).delete()
Flags.query.filter_by(challenge_id=matching_chal.id).delete()
#Hints.query.filter_by(challenge_id=matching_chal.id).delete()
matching_chal.name = chal['name'].strip()
matching_chal.description = chal['description'].strip()
matching_chal.category = chal['category'].strip()
if chal.get('type', 'standard') == 'standard':
matching_chal.value = chal['value']
db.session.commit()
chal_dbobj = matching_chal
else:
print "Adding {}".format(chal['name'].encode('utf8'))
chal_type = chal.get('type', 'standard')
if chal_type == 'standard':
# We ignore traling and leading whitespace when importing challenges
chal_dbobj = Challenges(
name=chal['name'].strip(),
description=chal['description'].strip(),
value=chal['value'],
category=chal['category'].strip(),
)
elif chal_type == 'dynamic':
from CTFd.plugins.dynamic_challenges import DynamicChallenge
# We ignore traling and leading whitespace when importing challenges
chal_dbobj = DynamicChallenge(
name=chal['name'].strip(),
description=chal['description'].strip(),
category=chal['category'].strip(),
value=int(chal['value']),
minimum=int(chal['minimum']),
decay=int(chal['decay']),
)
else:
raise ValueError('Unknown type of challenge')
db.session.add(chal_dbobj)
db.session.commit()
for tag in chal.get('tags', []):
tag_dbobj = Tags(challenge_id=chal_dbobj.id, value=tag)
db.session.add(tag_dbobj)
for flag in chal['flags']:
flag_db = Flags(challenge_id=chal_dbobj.id,
content=flag['flag'],
type=flag['type'])
db.session.add(flag_db)
prerequisites = set()
for prerequisite in chal.get('prerequisites', []):
prerequisites.update([
c.id for c in Challenges.query.filter_by(
name=prerequisite).all()
])
chal_dbobj.requirements = {'prerequisites': list(prerequisites)}
if 'files' in chal:
from io import FileIO
for filename in chal['files']:
# upload_file takes a werkzeug.FileStorage object, but we can get close enough
# with a file object with a filename property added
filepath = os.path.join(os.path.dirname(in_file), filename)
with FileIO(filepath, mode='rb') as f:
f.filename = os.path.basename(f.name)
uploads.upload_file(file=f,
challenge=chal_dbobj.id,
type='challenge')
db.session.commit()
db.session.close()
def import_challenges(in_file, dst_attachments, move=False):
from CTFd.models import db, Challenges, Flags, Tags, ChallengeFiles, Hints
from CTFd.utils import uploads
from CTFd.plugins.dynamic_challenges import DynamicChallenge, DynamicValueChallenge
with open(in_file, "r") as in_stream:
data = list(yaml.safe_load_all(in_stream))
if len(data) == 0 or data[0] is None or "challs" not in data[
0] or data[0]["challs"] is None:
raise ValueError("Invalid YAML format. Missing field 'challs'.")
for chal in data[0]["challs"]:
for req_field in REQ_FIELDS:
if req_field not in chal:
raise ValueError(
"Invalid YAML format. Missing field '{0}'.".format(
req_field))
if chal.get("type", "standard") == "dynamic":
for req_field in ["minimum", "decay"]:
if req_field not in chal:
raise ValueError(
"Invalid YAML format. Missing field '{0}'.".format(
req_field))
if chal["flags"] is None:
raise ValueError("Invalid YAML format. Missing field 'flag'.")
for flag in chal["flags"]:
if "flag" not in flag:
raise ValueError(
"Invalid YAML format. Missing field 'flag'.")
flag["flag"] = flag["flag"].strip()
if "type" not in flag:
flag["type"] = "static"
matching_chal = Challenges.query.filter_by(
name=chal["name"].strip()).first()
if matching_chal:
print(("Updating {}: Duplicate challenge "
"found in DB (id: {})").format(
chal["name"].encode("utf8"), matching_chal.id))
Tags.query.filter_by(challenge_id=matching_chal.id).delete()
ChallengeFiles.query.filter_by(
challenge_id=matching_chal.id).delete()
Flags.query.filter_by(challenge_id=matching_chal.id).delete()
Hints.query.filter_by(challenge_id=matching_chal.id).delete()
matching_chal.name = chal["name"].strip()
matching_chal.description = chal["description"].strip()
matching_chal.category = chal["category"].strip()
if chal.get("type", "standard") == "standard":
matching_chal.value = chal["value"]
if chal.get("type", "standard") == "dynamic":
matching_chal.minimum = chal["minimum"]
matching_chal.decay = chal["decay"]
matching_chal.initial = chal["value"]
DynamicValueChallenge.calculate_value(matching_chal)
db.session.commit()
chal_dbobj = matching_chal
else:
print("Adding {}".format(chal["name"].encode("utf8")))
chal_type = chal.get("type", "standard")
if chal_type == "standard":
# We ignore traling and leading whitespace when
# importing challenges
chal_dbobj = Challenges(
name=chal["name"].strip(),
description=chal["description"].strip(),
value=chal["value"],
category=chal["category"].strip(),
)
elif chal_type == "dynamic":
# We ignore traling and leading whitespace when
# importing challenges
chal_dbobj = DynamicChallenge(
name=chal["name"].strip(),
description=chal["description"].strip(),
category=chal["category"].strip(),
value=int(chal["value"]),
minimum=int(chal["minimum"]),
decay=int(chal["decay"]),
)
else:
raise ValueError("Unknown type of challenge")
db.session.add(chal_dbobj)
db.session.commit()
for tag in chal.get("tags", []):
tag_dbobj = Tags(challenge_id=chal_dbobj.id, value=tag)
db.session.add(tag_dbobj)
for flag in chal["flags"]:
flag_db = Flags(challenge_id=chal_dbobj.id,
content=flag["flag"],
type=flag["type"])
db.session.add(flag_db)
for hint in chal.get("hints", []):
hint_dbobj = Hints(challenge_id=chal_dbobj.id,
content=hint["content"],
cost=hint["cost"])
db.session.add(hint_dbobj)
chal_dbobj.state = "hidden" if (
"hidden" in chal and chal["hidden"] == True) else "visible"
chal_dbobj.max_attempts = chal[
"max_attempts"] if "max_attempts" in chal else 0
if "files" in chal:
from io import FileIO
for filename in chal["files"]:
try:
# upload_file takes a werkzeug.FileStorage object, but we
# can get close enough with a file object with a
# filename property added
filepath = os.path.join(os.path.dirname(in_file),
filename)
with FileIO(filepath, mode="rb") as f:
f.filename = os.path.basename(f.name)
uploads.upload_file(file=f,
challenge=chal_dbobj.id,
type="challenge")
except FileNotFoundError:
raise ValueError(
"Unable to import challenges. Missing file: " +
filename)
db.session.commit()
# update challenge prerequisites after all the challenges were created
with open(in_file, "r") as in_stream:
data = list(yaml.safe_load_all(in_stream))
for chal in data[0]["challs"]:
chal_dbobj = Challenges.query.filter_by(
name=chal["name"].strip()).first()
prerequisites = set()
for prerequisite in chal.get("prerequisites", []):
prerequisites.update([
c.id for c in Challenges.query.filter_by(
name=prerequisite).all()
])
chal_dbobj.requirements = {"prerequisites": list(prerequisites)}
db.session.commit()
db.session.close()
def as_static(self):
return Flags(content=self.value)