def post(self):
data = request.form or request.get_json()
challenge_type = data["type"]
challenge_class = get_chal_class(challenge_type)
challenge = challenge_class.create(request)
response = challenge_class.read(challenge)
return {"success": True, "data": response}
def challenges_detail(challenge_id):
challenges = dict(
Challenges.query.with_entities(Challenges.id, Challenges.name).all())
challenge = Challenges.query.filter_by(id=challenge_id).first_or_404()
solves = (Solves.query.filter_by(challenge_id=challenge.id).order_by(
Solves.date.asc()).all())
flags = Flags.query.filter_by(challenge_id=challenge.id).all()
challenge_class = get_chal_class(challenge.type)
with open(
os.path.join(app.root_path,
challenge_class.templates["update"].lstrip("/")),
"rb",
) as update:
tpl = update.read()
if six.PY3 and isinstance(tpl, binary_type):
tpl = tpl.decode("utf-8")
update_j2 = render_template_string(tpl, challenge=challenge)
update_script = url_for(
"views.static_html",
route=challenge_class.scripts["update"].lstrip("/"))
return render_template(
"admin/challenges/challenge.html",
update_template=update_j2,
update_script=update_script,
challenge=challenge,
challenges=challenges,
solves=solves,
flags=flags,
)
def get(self):
# This can return None (unauth) if visibility is set to public
user = get_current_user()
challenges = (Challenges.query.filter(
and_(Challenges.state != "hidden",
Challenges.state != "locked")).order_by(
Challenges.value).all())
if user:
solve_ids = (Solves.query.with_entities(
Solves.challenge_id).filter_by(
account_id=user.account_id).order_by(
Solves.challenge_id.asc()).all())
solve_ids = set([value for value, in solve_ids])
# TODO: Convert this into a re-useable decorator
if is_admin():
pass
else:
if config.is_teams_mode() and get_current_team() is None:
abort(403)
else:
solve_ids = set()
response = []
tag_schema = TagSchema(view="user", many=True)
for challenge in challenges:
if challenge.requirements:
requirements = challenge.requirements.get("prerequisites", [])
anonymize = challenge.requirements.get("anonymize")
prereqs = set(requirements)
if solve_ids >= prereqs:
pass
else:
if anonymize:
response.append({
"id": challenge.id,
"type": "hidden",
"name": "???",
"value": 0,
"category": "???",
"tags": [],
"template": "",
"script": "",
})
# Fallthrough to continue
continue
challenge_type = get_chal_class(challenge.type)
response.append({
"id": challenge.id,
"type": challenge_type.name,
"name": challenge.name,
"value": challenge.value,
"category": challenge.category,
"tags": tag_schema.dump(challenge.tags).data,
"template": challenge_type.templates["view"],
"script": challenge_type.scripts["view"],
})
db.session.close()
return {"success": True, "data": response}
def post(self):
if authed() is False:
return {
"success": True,
"data": {
"status": "authentication_required"
}
}, 403
if request.content_type != "application/json":
request_data = request.form
else:
request_data = request.get_json()
challenge_id = request_data.get("challenge_id")
if current_user.is_admin():
preview = request.args.get("preview", False)
if preview:
challenge = Challenges.query.filter_by(
id=challenge_id).first_or_404()
chal_class = get_chal_class(challenge.type)
status, message = chal_class.attempt(challenge, request)
return {
"success": True,
"data": {
"status": "correct" if status else "incorrect",
"message": message,
},
}
if ctf_paused():
return (
{
"success": True,
"data": {
"status": "paused",
"message": "{} is paused".format(config.ctf_name()),
},
},
403,
)
user = get_current_user()
team = get_current_team()
# TODO: Convert this into a re-useable decorator
if config.is_teams_mode() and team is None:
abort(403)
fails = Fails.query.filter_by(account_id=user.account_id,
challenge_id=challenge_id).count()
challenge = Challenges.query.filter_by(id=challenge_id).first_or_404()
if challenge.state == "hidden":
abort(404)
if challenge.state == "locked":
abort(403)
if challenge.requirements:
requirements = challenge.requirements.get("prerequisites", [])
solve_ids = (Solves.query.with_entities(
Solves.challenge_id).filter_by(
account_id=user.account_id).order_by(
Solves.challenge_id.asc()).all())
solve_ids = set([solve_id for solve_id, in solve_ids])
prereqs = set(requirements)
if solve_ids >= prereqs:
pass
else:
abort(403)
chal_class = get_chal_class(challenge.type)
# Anti-bruteforce / submitting Flags too quickly
kpm = current_user.get_wrong_submissions_per_minute(user.account_id)
if kpm > 10:
if ctftime():
chal_class.fail(user=user,
team=team,
challenge=challenge,
request=request)
log(
"submissions",
"[{date}] {name} submitted {submission} on {challenge_id} with kpm {kpm} [TOO FAST]",
submission=request_data["submission"].encode("utf-8"),
challenge_id=challenge_id,
kpm=kpm,
)
# Submitting too fast
return (
{
"success": True,
"data": {
"status": "ratelimited",
"message":
"You're submitting flags too fast. Slow down.",
},
},
429,
)
solves = Solves.query.filter_by(account_id=user.account_id,
challenge_id=challenge_id).first()
# Challenge not solved yet
if not solves:
# Hit max attempts
max_tries = challenge.max_attempts
if max_tries and fails >= max_tries > 0:
return (
{
"success": True,
"data": {
"status": "incorrect",
"message": "You have 0 tries remaining",
},
},
403,
)
status, message = chal_class.attempt(challenge, request)
if status: # The challenge plugin says the input is right
if ctftime() or current_user.is_admin():
chal_class.solve(user=user,
team=team,
challenge=challenge,
request=request)
clear_standings()
log(
"submissions",
"[{date}] {name} submitted {submission} on {challenge_id} with kpm {kpm} [CORRECT]",
submission=request_data["submission"].encode("utf-8"),
challenge_id=challenge_id,
kpm=kpm,
)
return {
"success": True,
"data": {
"status": "correct",
"message": message
},
}
else: # The challenge plugin says the input is wrong
if ctftime() or current_user.is_admin():
chal_class.fail(user=user,
team=team,
challenge=challenge,
request=request)
clear_standings()
log(
"submissions",
"[{date}] {name} submitted {submission} on {challenge_id} with kpm {kpm} [WRONG]",
submission=request_data["submission"].encode("utf-8"),
challenge_id=challenge_id,
kpm=kpm,
)
if max_tries:
# Off by one since fails has changed since it was gotten
attempts_left = max_tries - fails - 1
tries_str = "tries"
if attempts_left == 1:
tries_str = "try"
# Add a punctuation mark if there isn't one
if message[-1] not in "!().;?[]{}":
message = message + "."
return {
"success": True,
"data": {
"status":
"incorrect",
"message":
"{} You have {} {} remaining.".format(
message, attempts_left, tries_str),
},
}
else:
return {
"success": True,
"data": {
"status": "incorrect",
"message": message
},
}
# Challenge already solved
else:
log(
"submissions",
"[{date}] {name} submitted {submission} on {challenge_id} with kpm {kpm} [ALREADY SOLVED]",
submission=request_data["submission"].encode("utf-8"),
challenge_id=challenge_id,
kpm=kpm,
)
return {
"success": True,
"data": {
"status": "already_solved",
"message": "You already solved this",
},
}
def delete(self, challenge_id):
challenge = Challenges.query.filter_by(id=challenge_id).first_or_404()
chal_class = get_chal_class(challenge.type)
chal_class.delete(challenge)
return {"success": True}
def patch(self, challenge_id):
challenge = Challenges.query.filter_by(id=challenge_id).first_or_404()
challenge_class = get_chal_class(challenge.type)
challenge = challenge_class.update(challenge, request)
response = challenge_class.read(challenge)
return {"success": True, "data": response}
def get(self, challenge_id):
if is_admin():
chal = Challenges.query.filter(
Challenges.id == challenge_id).first_or_404()
else:
chal = Challenges.query.filter(
Challenges.id == challenge_id,
and_(Challenges.state != "hidden",
Challenges.state != "locked"),
).first_or_404()
chal_class = get_chal_class(chal.type)
if chal.requirements:
requirements = chal.requirements.get("prerequisites", [])
anonymize = chal.requirements.get("anonymize")
if challenges_visible():
user = get_current_user()
if user:
solve_ids = (Solves.query.with_entities(
Solves.challenge_id).filter_by(
account_id=user.account_id).order_by(
Solves.challenge_id.asc()).all())
else:
# We need to handle the case where a user is viewing challenges anonymously
solve_ids = []
solve_ids = set([value for value, in solve_ids])
prereqs = set(requirements)
if solve_ids >= prereqs or is_admin():
pass
else:
if anonymize:
return {
"success": True,
"data": {
"id": chal.id,
"type": "hidden",
"name": "???",
"value": 0,
"category": "???",
"tags": [],
"template": "",
"script": "",
},
}
abort(403)
else:
abort(403)
tags = [
tag["value"]
for tag in TagSchema("user", many=True).dump(chal.tags).data
]
unlocked_hints = set()
hints = []
if authed():
user = get_current_user()
team = get_current_team()
# TODO: Convert this into a re-useable decorator
if is_admin():
pass
else:
if config.is_teams_mode() and team is None:
abort(403)
unlocked_hints = set([
u.target for u in HintUnlocks.query.filter_by(
type="hints", account_id=user.account_id)
])
files = []
for f in chal.files:
token = {
"user_id": user.id,
"team_id": team.id if team else None,
"file_id": f.id,
}
files.append(
url_for("views.files",
path=f.location,
token=serialize(token)))
else:
files = [
url_for("views.files", path=f.location) for f in chal.files
]
for hint in Hints.query.filter_by(challenge_id=chal.id).all():
if hint.id in unlocked_hints or ctf_ended():
hints.append({
"id": hint.id,
"cost": hint.cost,
"content": hint.content
})
else:
hints.append({"id": hint.id, "cost": hint.cost})
response = chal_class.read(challenge=chal)
Model = get_model()
if scores_visible() is True and accounts_visible() is True:
solves = Solves.query.join(Model,
Solves.account_id == Model.id).filter(
Solves.challenge_id == chal.id,
Model.banned == False,
Model.hidden == False,
)
# Only show solves that happened before freeze time if configured
freeze = get_config("freeze")
if not is_admin() and freeze:
solves = solves.filter(Solves.date < unix_time_to_utc(freeze))
solves = solves.count()
response["solves"] = solves
else:
response["solves"] = None
response["files"] = files
response["tags"] = tags
response["hints"] = hints
db.session.close()
return {"success": True, "data": response}