Language: English | Русский
Exploit farm for attack-defense CTF competitions
Read the FAQ if you want to know what attack-defense CTFs are, what features this farm has, and why it has the architecture described below.
An exploit is a script that steals flags from some service of the other teams. It is written by a participant during the competition. It should accept the victim's host (an IP address or a domain name) as its first command-line argument, attack that host, and print the stolen flags to stdout.
A farm client is a tool that periodically runs exploits against the other teams and monitors how they are doing. A participant runs it on their own laptop once they have written an exploit.
The client is a one-file script start_sploit.py from this repository.
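A stripped-down version of that loop, as an added example (it is not start_sploit.py and makes no claim about how that script is structured). The flag regex, the per-victim timeout, the round interval and the submit callback are assumptions; the exploit it runs is a constructed fixture that hangs on one victim so the timeout path is exercised.

```python
#!/usr/bin/env python3
"""Minimal farm-client loop: run one exploit against every victim under a timeout,
collect flags that have not been seen before, hand them to a submitter.

Added example, not start_sploit.py. The flag regex, timeout, interval and the
submit callback are assumptions for illustration.
"""
import os
import re
import subprocess
import sys
import tempfile
import time

FLAG_RE = re.compile(r"[A-Z0-9]{31}=")   # assumed flag format


def run_exploit(exploit, host, timeout):
    """Run `exploit host` once; return (flags found in stdout, error or None).

    A hung exploit is killed on timeout, but whatever it already printed still
    counts: that is why exploits should flush after each flag.
    """
    try:
        proc = subprocess.run([sys.executable, exploit, host],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired as exc:
        partial = exc.stdout or b""                    # CPython hands back bytes here even in text mode
        if isinstance(partial, bytes):
            partial = partial.decode(errors="replace")
        return FLAG_RE.findall(partial), f"killed after {timeout}s"
    err = None if proc.returncode == 0 else f"exit code {proc.returncode}: {proc.stderr.strip()[-200:]}"
    return FLAG_RE.findall(proc.stdout), err


class FarmClient:
    def __init__(self, exploit, hosts, timeout=5.0, submit=None):
        self.exploit, self.hosts, self.timeout = exploit, list(hosts), timeout
        self.submit = submit or (lambda items: print("would submit:", items))
        self.seen = set()                              # flags already handed to the server

    def attack_round(self):
        """One pass over all victims; returns the (host, flag) pairs that were new."""
        fresh = []
        for host in self.hosts:
            flags, err = run_exploit(self.exploit, host, self.timeout)
            if err:
                print(f"[{host}] {err}", file=sys.stderr)
            for flag in flags:
                if flag not in self.seen:
                    self.seen.add(flag)
                    fresh.append((host, flag))
        if fresh:
            self.submit(fresh)
        return fresh

    def run_forever(self, interval):
        """Attack every `interval` seconds, i.e. once per flag round."""
        while True:
            started = time.monotonic()
            self.attack_round()
            time.sleep(max(0.0, interval - (time.monotonic() - started)))


# --- constructed exploit used for the offline demo and the test ---
def demo_flag(team, n):
    """Flag the constructed exploit prints for team `team`: 31 [A-Z0-9] chars and '='."""
    return f"TEAM{team}".ljust(30, "X") + f"{n}="


DEMO_EXPLOIT = r'''
import sys, time
team = sys.argv[1].split(".")[2]                     # victims look like 10.60.<team>.1
flag = lambda n: f"TEAM{team}".ljust(30, "X") + f"{n}="
print(flag(1), flush=True)                           # first flag, flushed immediately
if team == "2":
    time.sleep(60)                                   # this victim hangs us; the client must kill us
print(flag(2))
'''


def write_demo_exploit():
    """Write the constructed exploit to a temp file; returns its path."""
    fd, path = tempfile.mkstemp(prefix="demo_sploit_", suffix=".py")
    with os.fdopen(fd, "w") as fh:
        fh.write(DEMO_EXPLOIT)
    return path


if __name__ == "__main__":
    client = FarmClient(write_demo_exploit(), ["10.60.1.1", "10.60.2.1"], timeout=1.0)
    print(client.attack_round())
```

Against team 2 the exploit is killed after one second and only its first, flushed flag is recovered; a second round submits nothing because every flag is already in `seen`. A real client adds the pieces this leaves out: running several exploits, one process per victim in parallel, and posting to the server instead of a callback.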
A farm server is a tool that collects flags from the farm clients, sends them to the checksystem, monitors quota usage, and shows statistics about accepted and rejected flags. The team's admin configures and runs it at the start of the competition. After that, team members can use its web interface (see the screenshot above) to watch the exploits' results and statistics.
The server is a Flask web service from the server directory of this repository.
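The bookkeeping such a server has to do, as an added example (it is an in-memory sketch, not the repository's Flask server, and the statuses, the per-round submission quota and the flag lifetime are assumptions about what a checksystem imposes, not facts from this project).

```python
#!/usr/bin/env python3
"""In-memory flag store with the server-side bookkeeping: deduplicate what the
clients send, hand the checksystem batches under a quota, expire stale flags,
record verdicts, and summarise for the dashboard.

Added example, not the repository's server. Statuses, quota and flag lifetime
are assumptions for illustration.
"""
import time
from collections import Counter

QUEUED, ACCEPTED, REJECTED, SKIPPED = "QUEUED", "ACCEPTED", "REJECTED", "SKIPPED"


class FlagStore:
    def __init__(self, flag_lifetime, submit_quota):
        """flag_lifetime: seconds a flag stays valid for the checksystem (assumed);
        submit_quota: max flags the checksystem takes per submission round (assumed)."""
        self.flag_lifetime = flag_lifetime
        self.submit_quota = submit_quota
        self.flags = {}   # flag -> {"team", "sploit", "status", "time", "reason"}

    def add(self, team, sploit, flags, now=None):
        """Store flags reported by a client; duplicates are ignored. Returns the number added."""
        now = time.time() if now is None else now
        added = 0
        for flag in flags:
            if flag in self.flags:
                continue
            self.flags[flag] = {"team": team, "sploit": sploit, "status": QUEUED,
                                "time": now, "reason": None}
            added += 1
        return added

    def take_batch(self, now=None):
        """Return up to submit_quota queued flags, oldest first, after marking as
        SKIPPED the ones the checksystem would no longer accept."""
        now = time.time() if now is None else now
        batch = []
        for flag, rec in sorted(self.flags.items(), key=lambda kv: kv[1]["time"]):
            if rec["status"] != QUEUED:
                continue
            if now - rec["time"] > self.flag_lifetime:
                rec["status"], rec["reason"] = SKIPPED, "expired before submission"
                continue
            if len(batch) < self.submit_quota:
                batch.append(flag)
        return batch

    def record(self, results):
        """results: iterable of (flag, accepted: bool, checksystem response text)."""
        for flag, ok, response in results:
            rec = self.flags[flag]
            rec["status"], rec["reason"] = (ACCEPTED if ok else REJECTED), response

    def stats(self):
        """Counts per status, plus accepted flags per exploit for the dashboard."""
        by_status = Counter(rec["status"] for rec in self.flags.values())
        by_sploit = Counter(rec["sploit"] for rec in self.flags.values()
                            if rec["status"] == ACCEPTED)
        return dict(by_status), dict(by_sploit)


if __name__ == "__main__":
    store = FlagStore(flag_lifetime=300, submit_quota=2)
    store.add("team1", "sploit.py", ["F1", "F2", "F3"])
    print(store.take_batch())   # ['F1', 'F2']: F3 waits for the next round
```

The two decisions worth copying are ordering by arrival time (so a quota never starves old flags) and expiring flags *before* they hit the quota, so a stale flag does not consume a submission slot only to be rejected.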
Architecture diagram: the arrows show the flow of the flags.
See the list here.
The Bay's farm is a simpler farm whose architecture and some implementation details were adopted in this project. It uses the same exploit format and is also divided into a client (start_sploit.py) and a server (start_posting.py). However, it requires both to run on the same computer (see the FAQ on why that is a problem), and its server has no web interface.
Andrew Gein's farm solves the problem of spawning a large number of processes when there are many teams by using asyncio.
Copyright © 2017–2018 Aleksandr Borzunov ("Destructive Voice" team)
Inspired by the Bay's farm.