Introducing EasyCTF - A Cybersecurity "Capture the Flag" Competition
AmazingMech2418 (938)

What is EasyCTF?

EasyCTF is a new, relatively easy (as in not having to use nmap to find the different ports, no requirement for ssh connections, etc.) cybersecurity CTF challenge system created by me (AmazingMech2418) which will test competitors' knowledge on various cybersecurity concepts from XSS to command injection to cryptography to steganography to even maybe some basic buffer overflow exploitations!

EasyCTF will allow you to train your penetration testing skills so you can make more secure websites and applications yourself!

Important: Absolutely under no circumstances should you ever use the techniques you may discover while completing these challenges on a website/server/application that you do not have permission to penetration test. That is considered illegal hacking and is a crime. If you have explicit permission to break the security of a website/server/application, it is considered ethical hacking or penetration testing, but breaking the security of any such program without permission is illegal.

How It Will Work

EasyCTF will begin some time this summer (exact date to be determined) and everyone who signed up via this repl or the comments if it will not save for whatever reason will be pinged in a post for CTF 1. The CTF 1 post will also include a website to get your competition identification code, a randomly generated number to correspond with your username for identification purposes in flag submissions. To get your competition identification code, you must use Repl Auth on the website since it will be directly correlated with your username. Users who do not sign up before CTF 1 will still be able to complete some of the challenges (not the backdoor development challenge which will be one of the last ones only for the top 10 at that point) but will not receive any points and will not be placed on the leaderboard. Additionally, you must use Repl Auth to get any hints you may need. However, each hint will drop your score for the challenge by 1 (you start with 10 points).

Challenge Series

EasyCTF will also include series of challenges with similar topics. For example, the first challenge series will be the XSS series. However, not all challenges will be in a series. However, series are meant to be completed in order, so if you fail to complete a challenge in a series, you will not receive points for completing later challenges in the series, although you should feel welcome to complete them anyways to learn. You can even move on if you have used all 10 possible hints to where it basically tells you the answer, but you cannot if you do not complete the challenge.

User-Required Challenges

Some challenges will require interaction from a user on the website such as for XSS-based cookie transmission. In these challenges, you will simply click a button on the challenge website that will ping a bot user (will be either in Python or Node.js) to log in to the vulnerable website and do whatever is needed.

How to Sign Up

To sign up for EasyCTF, just go to the repl linked to this post and answer the questions. Also, please post a comment saying you are signing up. Technical difficulties such as random server shutdowns (have been happening too often lately) can cause updates to the signups.txt file to not be saved.

Maintainers/Hosts

You can also sign up to be a maintainer/host via the comments section of this post. Maintainers/hosts will have the opportunity to create challenges and challenge series and will have access to the EasyCTF main APIs. Maintainers/hosts will also be able to complete challenges created by other maintainers/hosts, but will not receive points as they will not be entered into the competition. If you sign up as a competitor and a maintainer, you must decide which you'd rather be. If you do decide to become a maintainer/host, you must follow a few rules:

  • All repls containing flags must either be private or have the key stored in the .env file in order to prevent users from seeing it in the source code.
  • No files may be downloaded due to security reasons.
  • The flag must be accessible in some way.
  • Hints must be created to gradually guide users to getting the answer. There must be 10 hints where the tenth essentially gives the answer.
  • The post must still follow Repl.it guidelines and any failure to follow them will result in punishment as decided by the Repl.it moderators.

Important Notes

Do not click on any downloaded files from any website or repl related to EasyCTF. Some will be designed for XSS vulnerabilities and may be exploited to download viruses to your computer. Luckily, a virus cannot be directly executed on a secure browser, so you should be safe as long as you do not click on any downloaded files and delete any files downloaded immediately.

Do not try to complete these challenges using Internet Explorer or any other outdated or unsecure web browsers. Internet Explorer contains ActiveX controls which could give a simple XSS vulnerability the control to modify your file system or run terminal commands to modify your system. Google Chrome is highly recommended, but Chromium and Firefox will work as well. I do not know enough about Edge or Safari, so use them at your own risk.

Absolutely under no circumstances should you use the skills you are training with EasyCTF on a website/server/application without explicit permission to do so. It is considered illegal hacking.

Credits

This idea is inspired by https://repl.it/talk/share/Calculator-CTF/30418 by @sugarfi and https://repl.it/talk/share/website-hacking-game/22467 by @MrEconomical .

If you have any questions, please post them in the comments. If there are any questions you may have that will likely be widely asked, they will be added to the post and you will be given credit.

Finally, good luck to all future competitors of EasyCTF!

Comments
Lord_Poseidon (159)

To be a maintainer or a participant, that is the question.

AmazingMech2418 (938)

@Lord_Poseidon Whatever you choose... However, if you signed up as a participant, please let me know since the server didn't save yesterday. It is an issue with Repl.it that they should be trying to fix soon.

Codemonkey51 (884)

Could I try to be a maintainer

AmazingMech2418 (938)

@Codemonkey51 Do you know if you or someone else signed up the account "foo"? There was another account that was not an actual Repl.it account that I deleted from the list.

Codemonkey51 (884)

Umm I signed up with codemonkey51 @AmazingMech2418

AmazingMech2418 (938)

@Codemonkey51 It doesn't look like you actually signed up for the competition, which is fine since you are already a maintainer. By the way, someone put their email... What do people not understand about it having to be your Repl.it username, case-sensitive?

Codemonkey51 (884)

Lol idk I was pretty sure I did /shrug but ye, also if I did compete I'd probably do very bad. @AmazingMech2418

AmazingMech2418 (938)

@Codemonkey51 So far, @foo and @adityaru are the only ones who signed up. (sorry for the pings if you didn't want them)

sugarfi (581)

Nice, glad to see someone did something with my idea of a CTF. Could I be a maintainer?

AmazingMech2418 (938)

@sugarfi Thank you! You can be a maintainer. I actually kind of expected you to ask since you already made your CTF project.

AmazingMech2418 (938)

@TheForArkLD This is a competition that will use an API so that I'm not the only one who can create a challenge.

AmazingMech2418 (938)

@TheForArkLD Do you think you might want to join EasyCTF? So far, we have 3 maintainers including myself, but zero competitors.

TheForArkLD (734)

When I can edit this repl

AmazingMech2418 (938)

@TheForArkLD By adding you, I meant to the list...

TheForArkLD (734)

@AmazingMech2418 News, StackLangSharp updated.

How to use

  1. Make bash repl
  2. Type it
     wget https://repl.it/@theforarkld/StackLangSharp.zip -O sls.zip
     unzip sls.zip -C sls.exe

TheForArkLD (734)

@AmazingMech2418 If you can do it then, try it :)

AmazingMech2418 (938)

@TheForArkLD By the way, EXE doesn't work on Bash repls...

TheForArkLD (734)

@AmazingMech2418 Ofc use mono lol

    mono sls.exe --h

TheForArkLD (734)

@AmazingMech2418 note repl version is glitching

Warhawk947 (527)

Can you un-sign up?

AmazingMech2418 (938)

@Warhawk947 I could just manually remove you. However, you can still just give it a try if you want. It's not like signing up is a full-on commitment; it is just a fun competition.

AmazingMech2418 (938)

@Warhawk947 So, do you think you might want to still do it or not?

AmazingMech2418 (938)

@IreTheKID @abc3354 @MrEconomical @Zuhdi28 @wulv @AgastyaSandhuja @TheForArkLD @StudentFires @Lord_Poseidon Did any of you sign up? Apparently, the server went down yesterday and didn't save any of the contents of the signups.txt file. There are still two participants in there, but I remember there being a third that is no longer there. If any of you signed up, please let me know and I will manually add you into the file. I'm sorry for any inconvenience.

AmazingMech2418 (938)

@Zuhdi28 Okay. I just went based off of the people who either upvoted or commented since I know they saw the repl during around the time the bug occurred.

TheForArkLD (734)

@AmazingMech2418 nope I sign up now
Oops type miss sorry

[deleted]

@AmazingMech2418 no i saw it now

abc3354 (223)

@AmazingMech2418 yeah I signed up yesterday
this is the problem with using replit as a database
the filesystem is not stable yet and you can lose the signup file

AmazingMech2418 (938)

@TheForArkLD I do not see your name in the list. Did you sign up?

AmazingMech2418 (938)

@abc3354 I can see you in the list now.

wulv (55)

@AmazingMech2418 I did, but I think my name is on the list

AmazingMech2418 (938)

@wulv Your name is on the list now.

[deleted]

@IreTheKID, please continue working on repl customs

IreTheKID (247)

@FunnyLamma yeah, version 2 is taking a long time... It's a lotta fun though! :)

xxpertHacker (476)

Hmm... interesting, what if I use TOR browser, it's pretty modern?

AmazingMech2418 (938)

@StudentFires Yes. TOR is fine. I'm pretty sure it is based on Firefox.

AmazingMech2418 (938)

@foo Please verify that you signed up for this competition. I am not completely sure given that your username followed another that is not an actual Repl.it user and "foo" is a common fake variable name in examples that someone might just put to test the system. If it was you, I will keep you in the sign up list. If it was not you, I will go ahead and delete your username from the sign up list.

AmazingMech2418 (938)

While this repl is in Node.js, challenges will be in various languages from Node.js to Python to even C/C++. EasyCTF will likely remain in the more mainstream languages, however, but if you have a suggestion for a language for a challenge or challenge series to be in, feel free to let me know here in the comments!

xxpertHacker (476)

@AmazingMech2418 Well... since it is a very modern language, and is very helpful in hacking the internet, (BitCoin mining, for example), how about... WebAssembly?

AmazingMech2418 (938)

@StudentFires Well, do you know any vulnerabilities in WebAssembly? I think it might be vulnerable to buffer overflow, but I'm not sure.

xxpertHacker (476)

@AmazingMech2418 I think it can throw an error if the JS doesn't allocate enough memory for the WASM and the WASM requests too much.

AmazingMech2418 (938)

@StudentFires That's an error, not a vulnerability. By vulnerability, I mean something that could potentially give a user access to something the user wouldn't normally have access to. Like XSS or directory traversal or something.

xxpertHacker (476)

@AmazingMech2418

> I think it might be vulnerable to buffer overflow.

That wouldn't have given any special access to the host's computer. I know the differences. WASM can't allow access to the host's memory.

AmazingMech2418 (938)

@StudentFires Buffer overflow can allow someone to manually change a variable using an input...

xxpertHacker (476)

@AmazingMech2418 WASM's memory system disallows this. Like I said.

AmazingMech2418 (938)

@StudentFires Even if you compile C to WASM? C is vulnerable to buffer overflows, so would C compiled into WASM be as well?

xxpertHacker (476)

@AmazingMech2418 It's from source code to WASM, not binary -> binary.