This plugin for CTFd will allow your competing teams/users to start dockerized images for presented challenges. It adds a challenge type "docker" that can be assigned a specific docker image/tag. A few notable requirements:
- Docker Config must be set first. You can access this via `/admin/docker_config`. Currently supported config is pure http (no encryption/authentication) or full TLS with client certificate validation. Configuration information for TLS can be found here: https://docs.docker.com/engine/security/https/.
- This plugin is written so that challenges are stored by tags. For example, StormCTF stores all docker challenges for InfoSeCon2019 in the `stormctf/infosecon2019` repository. A challenge example would be `stormctf/infosecon2019:arbit`. This is how you would call the challenge when creating a new challenge.
- It is unknown if using the same tag twice will cause issues. This plugin was written to avoid this issue, but it has not been fully tested.
- As with all plugins, please security test your Scoreboard before launching the CTF. This plugin has been tested and vetted in the StormCTF environment, but yours may vary.
- In 2.3.3 a CTFd Configuration change is REQUIRED. Specifically, CTFd/CTFd#1370. You will need to replace the function `get_configurable_plugins` with the one in the solution. This allows `config.json` to be a list, which allows multiple Menu items per plugin for the Plugins dropdown. You may want to change any other plugins you install to accommodate this. It's as simple as enclosing the curly braces with square braces. Example below.
```
# Original config.json
{
    "name": "Another Plugin",
    "route": "/admin/plugin/route"
}
# Modified config.json
[{
    "name": "Another Plugin",
    "route": "/admin/plugin/route"
}]
```
NOTE: The above config.json modification only applies to OTHER plugins installed.
Requires `flask_wtf`:

```
pip install flask_wtf
```
- Allows players to create their own docker container for docker challenges.
- 5 minute revert timer.
- 2 hour stale container nuke.
- Status panel for Admins to manage docker containers currently active.
- Support for client side validation TLS docker api connections (HIGHLY RECOMMENDED).
- Docker container kill on solve.
- (Mostly) Seamless integration with CTFd.
- Work with CTFd plugin `dynamic_challenges`.
- Provide a quick way to apply TLS to your Docker Daemon.
- Untested: Should be able to seamlessly integrate with other challenge types.
- Make the above required code change in CTFd 2.3.3 (`get_configurable_plugins`).
- Drop the folder `docker_challenges` into `CTFd/CTFd/plugins` (Exactly this name).
- Restart CTFd.
- Navigate to `/admin/docker_config`. Add your configuration information. Click Submit.
- Add your required repositories for this CTF. You can select multiple by holding CTRL when clicking. Click Submit.
- Click Challenges, Select `docker` for challenge type. Create a challenge as normal, but select the correct docker tag for this challenge.
- Double check the front end shows "Start Docker Instance" on the challenge.
- Confirm users are able to start/revert and access docker challenges.
- Host an awesome CTF!
Please do not expose your Docker Daemon over raw HTTP. Attackers can take advantage of it to gain access to your server by pulling images and running arbitrary commands. See the SECURE_DOCKER_TLS file for more information on how to secure your Docker Daemon.
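A pre-flight check for the Docker endpoint you are about to enter at `/admin/docker_config`, as an added example that is not part of this plugin's code. The function and parameter names are hypothetical, and the host, port and certificate paths are whatever your own daemon uses; it flags a plaintext or incomplete configuration, then confirms the daemon answers over TLS with client certificate validation.

```python
import http.client
import ipaddress
import json
import ssl


def audit_docker_endpoint(host, port, tls, ca=None, cert=None, key=None):
    """Return findings for a Docker daemon endpoint config; an empty list means OK."""
    findings = []
    try:
        local = ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal
        local = host == "localhost"
    if not tls:
        scope = "loopback only" if local else "reachable over the network"
        findings.append(f"plain HTTP ({scope}): no encryption or authentication")
        return findings
    for name, path in (("CA certificate", ca), ("client certificate", cert),
                       ("client key", key)):
        if not path:
            findings.append(f"TLS enabled but {name} is missing")
    if port == 2375:
        findings.append("port 2375 is the conventional plaintext port; TLS is usually 2376")
    return findings


def mutual_tls_context(ca, cert, key):
    """Client context that verifies the daemon and presents a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca)             # trust only the daemon's CA
    ctx.load_cert_chain(certfile=cert, keyfile=key)  # identity the daemon validates
    return ctx


def daemon_version(host, port, ctx, timeout=5):
    """GET /version from the Docker Engine API over the mutual-TLS context."""
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/version")
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError(f"daemon answered HTTP {resp.status}")
        return json.loads(body)["Version"]
    finally:
        conn.close()
```

Run `audit_docker_endpoint` first and only build the context once it returns no findings; a handshake failure in `daemon_version` means the CA, hostname or client certificate does not match what the daemon was configured with.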
When creating new challenges, you can use `docker_dynamic` as the type of the challenges.
Works with 3.2.1
- Updated the entire plugin to work with the new CTFd.
- https://github.com/offsecginger (Twitter: @offsec_ginger)
- Jaime Geiger (For Original Plugin assistance) (Twitter: @jgeigerm)
- @underrobyn (For his awesome refactored code)
- @AlexisAhmed (For his `secure-docker-daemon.sh` script)