What is EasyCTF?
EasyCTF is a new, relatively easy (as in no having to use
nmap to find the different ports, no requirement for ssh connections, etc.) cybersecurity CTF challenge system created by me (AmazingMech2418) which will test competitors' knowledge on various cybersecurity concepts from XSS to command injection to cryptography to steganography to even maybe some basic buffer overflow exploitations!
EasyCTF will allow you to train your penetration testing skills so you can make more secure websites and applications yourself!
Important: Absolutely under no circumstances should you ever use the techniques you may discover while completing these challenges on a website/server/application that you do not have permission to penetration test. That is considered illegal hacking and is a crime. If you have explicit permission to break the security of a website/server/application, it is considered ethical hacking or penetration testing, but breaking the security of any such program without permission is illegal.
How It Will Work
EasyCTF will begin some time this summer (exact date to be determined) and everyone who signed up via this repl or the comments if it will not save for whatever reason will be pinged in a post for CTF 1. The CTF 1 post will also include a website to get you competition identification code, a randomly generated number to correspond with your username for identification purposes in flag submissions. To get your competition identification code, you must use Repl Auth on the website since it will be directly correlated with your username. Users who do not sign up before CTF 1 will still be able to complete some of the challenges (not the backdoor development challenge which will be one of the last ones only for the top 10 at that point) but will not receive any points and will not be placed on the leaderboard. Additionally, you must use Repl Auth to get any hints you may need. However, each hint will drop your score for the challenge by 1 (you start with 10 points).
EasyCTF will also include series of challenges with similar topics. For example, the first challenge series will be the XSS series. However, not all challenges will be in a series. However, series are meant to be completed in order, so if you fail to complete a challenge in a series, you will not receive points for completing later challenges in the series, although you should feel welcome to complete them anyways to learn. You can even move on if you have used all 10 possible hints to where it basically tells you the answer, but you cannot if you do not complete the challenge.
Some challenges will require interaction from a user on the website such as for XSS-based cookie transmission. In these challenges, you will simply click a button on the challenge website that will ping a bot user (will be either in Python or Node.js) to log in to the vulnerable website and do whatever is needed.
How to Sign Up
To sign up for EasyCTF, just go to the repl linked to this post and answer the questions. Also, please post a comment saying you are signing up. Technical difficulties such as random server shutdowns (have been happening too often lately) can cause updates to the signups.txt file to not be saved.
You can also sign up to be a maintainer/host via the comments section of this post. Maintainers/hosts will have the opportunity to create challenges and challenge series and will have access to the EasyCTF main APIs. Maintainers/hosts will also be able to complete challenges created by other maintainers/hosts, but will not receive points as they will not be entered into the competition. If you sign up as a competitor and a maintainer, you must decide which you'd rather be. If you do decide to become a maintainer/host, you must follow a few rules:
- All repls containing flags must either be private or have the key stored in the .env file in order to prevent users from seeing it in the source code.
- No files may be downloaded due to security reasons.
- The flag must be accessible in some way.
- Hints must be created to gradually guide users to getting the answer. There must be 10 hints where the tenth essentially gives the answer.
- The post must still follow Repl.it guidelines and any failure to follow them will result in punishment as decided by the Repl.it moderators.
Do not click on any downloaded files from any website or repl related to EasyCTF. Some will be designed for XSS vulnerabilities and may be exploited to download viruses to your computer. Luckily, a virus cannot be directly executed on a secure browser, so you should be safe as long as you do not click on any downloaded files and delete any files downloaded immediately.
Do not try to complete these challenges using Internet Explorer or any other outdated or unsecure web browsers. Internet Explorer contains ActiveX controls which could give a simple XSS vulnerability the control to modify your file system or run terminal commands to modify your system. Google Chrome is highly recommended, but Chromium and Firefox will work as well. I do not know enough about Edge or Safari, so use them at your own risk.
Absolutely under no circumstances should you use the skills you are training with EasyCTF on a website/server/application without explicit permission to do so. It is considered illegal hacking.
This idea is inspired by https://repl.it/talk/share/Calculator-CTF/30418 by @sugarfi and https://repl.it/talk/share/website-hacking-game/22467 by @MrEconomical .
If you have any questions, please post them in the comments. If there are any questions you may have that will likely be widely asked, they will be added to the post and you will be given credit.
Finally, good luck to all future competitors of EasyCTF!