This site is Macarthur Inbody's CS50W Final Project/Capstone Assignment. All code that appears in the GitHub repo is 100% my own/handwritten. It was made with the technologies/frameworks listed below. It is all hosted on the Google Compute Engine server that I manage.

Major Features

  1. Programmatically generated flags

    • All flags are generated on the fly via algorithms stored on the server.
  2. Full 2FA via TOTP

    • A full generator/verifier for 2FA is set up so that anyone can use any authenticator app to enable 2FA with the site.
  3. Refreshless for almost all user actions.

    • Almost all views let the user submit their data w/o requiring a full page refresh. They are also given feedback via alert messages telling them what happened.
  4. A simple Captcha

    • There is a simple 2-step captcha system in place. For one step the user has to solve a simple math problem.
    • The other step requires them to look at an image of 6 characters and type out the ones that match the color they are told to find. To help them identify the color, it is shown to them as the word for that color, rendered in that same color as the required characters. The image uses the ZBase32 alphabet for ease of reading by normal users.
  5. Almost entirely MVC

    • There are models for everything the database contains, and people interact with the data via views. No raw SQL appears anywhere in the project.
  6. Leaderboard

    • All users are ranked when you view the leaderboard. It shows the user's name and a link to their profile. They are just ranked by points.
  7. User Control Panel

    • The user is able to update their password and also enable 2FA.
    • Further, the same route is re-used when the person goes to a user's profile. The selected user's page shows their points and also a link to their solves.
  8. Solves Page

    • If the user is viewing their own solves, they can see the challenge modal and also the flags that they solved.
    • If the user is viewing someone else's solves, they are simply shown a list with the challenge name, category and points.
  9. All views are protected against CSRF

    • All views require a CSRF token, and all cookies are flagged so that the browser will only send them over HTTPS.
  10. Passwords are scored via ZXCVBN

    • All passwords are scored using the ZXCVBN framework to prevent users from using weak passwords.
  11. All passwords are hashed with the Scrypt algorithm.

    • I wrote a custom PasswordHasher class for Django so that I could utilize Scrypt.
  12. Ratelimiting

    • The admin view is protected against spammers/brute-forcers: clients that exceed the rate limit are blocked.
    • The login view is also rate-limited. If the attempts from any IP address, or against any username, exceed the rate, then the person has to solve a captcha before they'll be allowed to log in.
    • If a user is submitting too many attempts at solving a challenge they'll be rate limited and given the message
  13. UX Features

    • The modal dialogs that make up the majority of the user interface are all stackable.
    • The whole site is mobile-responsive.
  14. Math involved for Generators

    • Constrained Knapsack Problem (Algorithms)
    • Number Theory (Fermat's Factorization Method applied to RSA), Modular Multiplicative Inverses, Bezout's coefficients, using Carmichael's Totient function, etc.
    • Group/Set Theory/Discrete Math. RSA, Håstad's Broadcast Attack via the Chinese Remainder Theorem.
    • Minor Linear Algebra (Hill Cipher)
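As an added illustration of the scrypt hashing in item 11 (example code written for this page, not the project's own PasswordHasher): a stand-alone hasher that stores the scrypt parameters and salt next to the hash in a Django-style dollar-separated record, verifies with a constant-time compare, and flags records made with weaker parameters. The parameters (n=2**14, r=8, p=1) and the record layout are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example, not the project's PasswordHasher: the record carries
# "scrypt$n$r$p$salt$hash" so verification needs nothing but the stored string.
ALGORITHM = "scrypt"
WORK_FACTOR, BLOCK_SIZE, PARALLELISM = 2 ** 14, 8, 1  # scrypt n, r, p (assumed defaults)


def _derive(password, salt, n, r, p):
    # 64-byte key; memory use is 128 * r * n bytes (16 MiB for the defaults)
    return hashlib.scrypt(password.encode(), salt=salt.encode(), n=n, r=r, p=p, dklen=64)


def encode(password, salt=None, n=WORK_FACTOR, r=BLOCK_SIZE, p=PARALLELISM):
    """Hash a password into 'scrypt$n$r$p$salt$hash' with a fresh random salt."""
    salt = salt or secrets.token_urlsafe(16)
    assert "$" not in salt  # "$" is the field separator
    digest = base64.b64encode(_derive(password, salt, n, r, p)).decode("ascii")
    return f"{ALGORITHM}${n}${r}${p}${salt}${digest}"


def verify(password, encoded):
    """Recompute with the parameters stored in the record; compare in constant time."""
    parts = encoded.split("$")
    if len(parts) != 6 or parts[0] != ALGORITHM:
        return False
    _, n, r, p, salt, digest = parts
    expected = base64.b64decode(digest)
    actual = _derive(password, salt, int(n), int(r), int(p))
    return hmac.compare_digest(expected, actual)


def must_update(encoded):
    """True if the record was made with parameters other than the current ones."""
    _, n, r, p, _, _ = encoded.split("$")
    return (int(n), int(r), int(p)) != (WORK_FACTOR, BLOCK_SIZE, PARALLELISM)
```

Records are self-describing, so the work factor can be raised later and old records re-hashed on the next successful login when must_update reports them as stale.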

Challenge Generators

For the papers that'll help you understand how to take on the Hill Cipher and RSA challenges, use the Papers section. Each challenge has its type and the challenge name listed after a "--".

  1. Hill Cipher -- Master of Hill Climbing

    • The Hill cipher works with matrices and requires the user to use linear algebra and its operations on matrices to decrypt the messages and also to calculate the key via the computation of inverse matrices. There are 2 variants of this challenge. Both require the person to decrypt a message encrypted with the Hill cipher. Variant 1 gives them the key, and variant 2 requires them to calculate the key from a known-plaintext attack (KPA) against the message using a provided crib.
  2. Affine Cipher -- A-fine Cipher

    • This cipher is just a 2-step Caesar Cipher, and thus isn't all that difficult. The 2 variants are the same as for the Hill cipher.
  3. RSA Decryption -- Really Simple Algorithm

    • This flag simply requires the person to decrypt an RSA encrypted message after being provided the key and ciphertext.
  4. RSA Near Primes Attack Utilizing Fermat's Factorization method -- The Frenchman's Revenge

    • This flag requires the person to factor an RSA key so that they can then decrypt the message given to them.
  5. RSA - Håstad's Broadcast Attack with Chinese Remainder Theorem -- Leftover Chinese Food and Broadcast Reruns

    • This flag requires the user to decrypt a message using Håstad's Broadcast attack. This attack works when the same message is repeatedly sent w/o any padding, and it is sent e times, where e is the public exponent.
  6. RSA - Common Modulus Attack -- It's all the same.

    • This attack against RSA works because the same message is sent more than once with the same modulus, so an attacker can calculate the relationship between the values and get back the plaintext integer.
  7. RSA - Blind Signature Attack -- Signature Forgery

    • This attack requires the person to carry out a signature forgery. To make sure that the challenge isn't too hard, they are given the blinding factor r and just have to calculate the unblinded message and forge the signature.
  8. Programming/Algorithms - Unbounded Knapsack Problem -- Master Hacker

    • This problem requires the person to calculate the maximum value of all items that they can fit in their flash drive (knapsack). They also have to return the name of the highest-valued item, and the number of items they can get. It is a relatively complex algorithms problem. They are given a test case to test their program against to confirm they are on the right track.
  9. Programming FizzBuzz -- The Cola and the Bee

    • This is literally just a FizzBuzz challenge. The test case is a super simplified version of the algorithm so they can check their program for correctness before saying the challenge is bugged.
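As an added example for items 4 and 5 (written for this page, not the project's own generators), the two RSA misuse cases on constructed toy parameters: Fermat's factorization of a modulus whose primes are close together, and Håstad's broadcast recovery via the Chinese Remainder Theorem when an unpadded message is sent under e pairwise-coprime moduli with exponent e. The helper names and the small numbers are assumptions; real keys use large, well-separated primes and padded messages, which is exactly what defeats both steps.

```python
from functools import reduce
from math import isqrt

def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, m):
    """Modular multiplicative inverse of a mod m (a Bezout coefficient)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("not invertible")
    return x % m

def fermat_factor(n):
    """Fermat's method: write n = a*a - b*b = (a-b)*(a+b), starting at ceil(sqrt(n))."""
    # Each step raises a by one; the loop ends after few steps when |p - q| is small.
    a = isqrt(n)
    if a * a < n:
        a += 1
    while True:
        b = isqrt(a * a - n)
        if b * b == a * a - n:
            return a - b, a + b
        a += 1

def iroot(x, k):
    """Smallest m with m**k >= x (the exact root when x is a perfect k-th power)."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo

def hastad_broadcast(cts, mods, e=3):
    """Recover unpadded m from c_i = m**e mod n_i under e pairwise-coprime moduli.
    CRT gives m**e mod N (N = product of moduli); since m**e < N it is m**e itself."""
    N = reduce(lambda acc, n: acc * n, mods)
    x = sum(c * (N // n) * modinv(N // n, n) for c, n in zip(cts, mods)) % N
    m = iroot(x, e)
    if m ** e != x:
        raise ValueError("root not exact: message was padded or exceeds the moduli")
    return m
```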

The papers that'll help with solving the crypto challenges.

  1. RSA Paper

    • RSA Paper From beginning to Practical Attacks
    • This paper goes over all of RSA, from the beginning fundamentals to the real-world attacks laid out in these challenges. It is written (sans the proofs section) in such a way that anyone can understand the attacks. It assumes no mathematical experience beyond being able to do basic arithmetic and knowing what a modulus is.
  2. Hill Cipher Paper

Project Details

  1. Languages

    • Python, JavaScript/ECMAScript, CSS, HTML5, SQL, Django Templating Language
  2. Backend Frameworks/Libraries

    • Django 3.0, Sympy, PyCryptoDome, Django-ratelimit-backend, Django-ratelimit, QRCode, PyTOTP, PyMemCached
  3. Frontend Frameworks

    • Bootstrap 5, jQuery, Bootswatch
  4. Server Software

    • Nginx, PostgreSQL, Debian GNU/Linux, Memcached