I always liked games. In my last projects, I looked desperately for some gamification for developers. I provide training on the SSDLC and it's always hard to teach different vulnerabilities and their impact. It's not easy to connect architects and developers together. The best way is to get our hands dirty. The solution came very unexpectedly.
OWASP Juice Shop and Facebook Capture the Flag provide a very strong combination of predefined vulnerabilities with extensibility to code bashing.
So let's start our journey of setting up a fun hacking gamification capture-the-flag platform.
To learn the OWASP Top 10 we will build together a platform with a Capture the Flag portal and a vulnerable app called Juice Shop. The vulnerable e-shop contains around 90 different challenges of increasing difficulty.
Every exploited vulnerability challenge is rewarded with an achievement. Integration with the CTF is done via flag hashes. On the other side, there is Facebook's open-source, world-domination-style CTF platform. Teams conquer countries by answering quizzes and capturing flags by finding vulnerabilities. You copy and paste the flag hash into the CTF platform and capture the selected country containing the challenge. The captured country gives you score points; the amount depends on the difficulty of the challenge.
The team which gets the most points in the given time period wins the game. Happy threat hunting, and don't forget the main prize: chocolate.
Installing the OWASP Juice Shop. You can install Juice Shop on Windows (very easy) or on Ubuntu as the recommended option for real geeks. The installation of Node.js for Windows is very easy, so I don't see any reason for an explanation.
For Windows, you need to open the command line and:
- Install Git Bash
- git clone https://github.com/bkimminich/juice-shop.git in your working directory
- Open the juice-shop directory
- Open the browser and hit localhost:3000
For Linux you need to open the command line and (tested on Ubuntu 18.04.2 LTS):
- Download the packaged Juice Shop (https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2)
- Unpack it and cd into the unpacked folder
- Alternatively (not recommended, doesn't work well), install Node.js and run from source:
sudo apt install curl
curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
sudo apt install nodejs
- Run npm install (for the alternative install) / npm start (for the packaged one)
- Open the browser and hit localhost:3000
Now we are done with Juice Shop, ready to roll. It contains epic challenges of different levels for newbies and hardcore non-sleepers.
The game is ready, but not fully: we need to smuggle our CTF flags out of Juice Shop and then import them into FBCTF. Still a long way to playing the games? No worries, the fun will come soon.
You need to set up the environment variables. After setup, please restart your machine and set the env variables with root or administrator access.
- Set the NODE_ENV variable:
set NODE_ENV=ctf (Windows)
export NODE_ENV=ctf (Linux)
- Restart your machine
- Open cmd or terminal
Generate the data via the guide mentioned here: Guide from author
I recommend the following setup:
ctfFramework: FBCTF
juiceShopUrl: https://juice-shop.herokuapp.com
ctfKey: https://raw.githubusercontent.com/bkimminich/juice-shop/master/ctf.key
countryMapping: https://raw.githubusercontent.com/bkimminich/juice-shop/master/config/fbctf.yml
insertHints: none
insertHintUrls: none
I failed many times in the installation. If you are not sure, check the official guide on GitHub. Please note, the password for admin will appear in the command line during the installation process, so be careful and check the cmd output. The CTF framework needs to be installed on Ubuntu 16.04.
Installing the FBCTF:
sudo apt-get update
sudo apt-get install git
git clone https://github.com/facebook/fbctf
cd fbctf
./extra/provision.sh -m prod -s $PWD
source ./extra/lib.sh
set_password [new_password] ctf ctf fbctf $PWD
Import the JSON with data:
- Go to localhost
- Log in as admin
- Go to Controls and select Import full game
- Choose the *.json data file generated by juice-shop-ctf
- Looks amazing!
- For more, look into the Admin guide
Don't forget to create the teams, set up the timer and select the authentication method. Feel free to customize your logo.
All tribute to the authors of the open source; I had lots of struggles during the installation process. I hope that we will meet in one of the sessions together and train how to hack some vulnerable apps. Enjoy your hacking.
If you are interested in meeting me in my training session, you can sign up for training at ICTpro School HERE